Quality Assessments
Lessons Learned/Best Practices
Thomas A. Johnson, CIA
November 13, 2007
CBIZ Risk & Advisory Services, LLC
Agenda
Requirement
Benefits
Attributes of a “World-Class”
Internal Audit
Quality and Quality Assessment
Keys to an Effective QA
Common Observations
Leading Practices
Requirement
IIA Standard 1312: Requires an external assessment be
performed by a competent and independent firm at least
every 5 years.
Good “business practice” to provide an independent
evaluation of internal audit as well as identifying
potential ways to improve the process.
With Sarbanes-Oxley and other demands placed on Audit
Committees and Internal Audit, a Quality Assurance
Review serves to provide an assessment that the various
Internal Audit responsibilities are being discharged
effectively and efficiently.
Benefits
Current State of “Conformance to the
Standards”.
Builds stakeholder confidence by showing
management’s commitment to quality and
leading practices.
Demonstrates that the Audit Committee and
Internal Audit are concerned about the
success of the organization’s internal
controls, governance and risk management
processes.
Benefits
PCAOB Audit Standard 2 states “The
external auditor may use the work of
internal auditors particularly when
internal auditors are in compliance
with the Standards.”
Observations on benchmarking &
identification of successful practices
Recommendations for improvement
aimed at adding value to the
organization.
Benefits
Identify Expectation Gaps
Among key stakeholder
expectations
Current state & desired state of
performance
Recommendations aimed at adding
value to the organization
Internal marketing tool strengthening
credibility and promoting integrity
Attributes of a “World-Class” Internal
Audit Activity
Empowered & Respected by
Management and Board
Objective and Independent
Highly Talented
Risk Focused
Proactive
Technology Driven
Empowered and Respected
Best Reporting Structure
Functionally – Audit Committee
Administratively – CEO
Respected at All Levels
Value-Added Business Advisors
“Out of the box” thinking
Provides effective resources and
solutions to business challenges
Objective and Independent
Seen as providing unbiased views
of the organization.
Have no real or apparent conflicts
of interest
Independent of the activities they
audit
“No-No’s”
Designing and installing systems
Drafting of procedures
Highly Talented
Highly talented professionals
(certified) with unique combinations
of skills & experiences
Hiring and Retention
Rotation in and out
Constantly adding value
Collectively possess the essential
skills
Consideration for co-sourcing
Must commit to a program of
continuous development
Risk Focused
Allocates Time & Resources Based
on Risk
Annual and Long Term Plans
Individual Engagements
Identifies critical risks & exposures
before they become significant
issues
Shares “lessons learned” across
common business units and
processes
Proactive
Proactive, not only reactive
Right balance between protecting and
enhancing shareholder value
Level of consultative support
correlates with the organization’s
fluidity
E.g., a flat, decentralized
organization likely requires
more support in analyzing
business risks and transferring
company-wide best practices than a
highly centralized organization
Technology & Process Driven
Utilizes “state-of-the-art”
technology to:
Reduce Risks
Identify potential problems in nearly
real time
Increase productivity
Continuously improve the control
environment and communications
Be committed to a program of
continuous improvement
Foundation of World-Class Audit
Departments
The International Standards for the
Professional Practice of Internal
Auditing and the Code of Ethics
are the foundation for all world-class functions.
Quality Components
Adherence to the Code of Ethics
Practicing in accordance with the
Standards
Continued Professional Development
Audit Practice is continuous
improvement oriented
Quality Assurance
To Evaluate Quality: Objectively
measure internal audit process
To Maintain Quality: Fully commit
to professional growth and
development
To Ensure Quality: Maintain quality
assurance and improvement
program
Quality Standards
Internal audit must establish a quality
assurance program that includes
both:
Ongoing and periodic internal QA’s
External QA a minimum of once
every 5 years
Failure precludes IA from using the
statement “conducted in accordance
with the International Standards for
the Professional Practice of Internal
Auditing.”
Keys to an Effective QA
Understanding the Professional
Practices Framework
Awareness and Implementation of
the Standards
Internal audit quality programs and
initiatives
Leading practices in applying the
Standards
Professional Practices Framework
Definition of Internal Auditing
The Code of Ethics
The Standards
Practice Advisories
Topical Index to the Practice
Advisories
Purpose of a Quality Assessment
Assess conformance to the
Standards
Assess the effectiveness and
efficiency of the internal audit
activity
Identify opportunities for
improvement
Improving performance
Image of the department
Scope of External Assessments
Conformance with the Standards & the
Code of Ethics & the IA’s charter, plan,
policies, procedures and applicable
laws & regulatory requirements
The expectations of the IA as
expressed by the board, executive
management and operational
management
The integration of the IA into the
governance process, including the
relationships between and among the
key groups involved in the process
Scope (Cont’d)
Tools and techniques
Mix of knowledge, experience and
disciplines within the staff,
including the focus on process
improvement
Determination that the internal
audit activity adds value and
improves the organization’s
operations
Areas of Focus
The Mandate of the IA Activity
The Relationship between IA & the
Audit Committee
IA Reporting Lines
Staffing of Internal Audit
Obtaining & Maintaining Competency
Coordination with External Audit
Developing the Internal Audit Plan
Reporting Findings & Recommendations
Areas of Focus
Follow-Up of Corrective Action
Fraud
Internal Quality Program
Sufficiency of IA Resources
Support from Senior Management
Evaluation by the Audit Committee
Common Findings
Charters not current, inadequate
and/or misaligned
Lacking support or sponsorship by top
management
Department structure issues
Reporting lines
Alignment with the organization
Insufficient business knowledge
and/or technology capabilities
Lack of a defined and documented
risk assessment
Common Findings
Linkage of risk assessment to plan
Impact of Sar-Box
Lack of external input to risk
assessment
Audit Universe Deficiencies
Ineffective resource planning,
including training
Inadequate IT Coverage
Limited use of technology
Infrequent management interaction
Common Findings
Lack of Performance
Measurements
Failure to Track Auditors’ Time
Inconsistent/Incomplete Work
Papers
Lack of a defined and documented
Quality Assurance and
Improvement Program
Insufficient reporting to the Audit
Committee
Leading Practices
Enterprise Risk Assessment
Rigorous and coordinated approach
Assessing all risks that affect the
organization’s strategic & financial
objectives
Risk & Control Self Assessment
Using Control Frameworks (COSO)
Effectiveness & Efficiency of Operations
Reliability of Financial Reporting
Compliance with Laws & Regulations
Leading Practices
Partnering with Management
Risk Assessment & Annual Audit Planning
Long Term Audit Plans
Usually three years
Higher risk areas should be reviewed
more frequently within the 3 year plan
Frequent modifications to long term plan
Developing Staff
Goal of 80 hours of training
Stretch Objectives & Performance
Measures
Certification
Leading Practices
Communicating More Effectively
User friendly format
Executive summary, with clear, concise
information and opinion
Regular reporting of issues to the Audit
Committee
“Marketing” IA function
• Brochure
• Intranet
Leading Practices
Using Technology
Data extraction and analysis
Fraud detection/prevention
Network security assessment
Automated work-papers
Audit administration tools
Benchmarking
Performance measurements
Questions
Follow-Up
Tom Johnson
[email protected]
330-759-0046