CBIZ Risk & Advisory Services, LLC
Quality Assessments
Lessons Learned/Best Practices
Thomas A. Johnson, CIA
November 13, 2007
CBIZ Risk & Advisory Services, LLP
Agenda
Requirement
Benefits
Attributes of a “World-Class” Internal Audit
Quality and Quality Assessment
Keys to an Effective QA
Common Observations
Leading Practices
Requirement
IIA Standard 1312 requires an external assessment be performed by a competent and independent firm at least every 5 years.
Good “business practice” to provide an independent evaluation of internal audit as well as to identify potential ways to improve the process.
With Sarbanes-Oxley and other demands placed on Audit Committees and Internal Audit, a Quality Assurance Review serves to provide an assessment that the various Internal Audit responsibilities are being discharged effectively and efficiently.
Benefits
Current state of “Conformance to the Standards”.
Builds stakeholder confidence by showing management’s commitment to quality and leading practices.
Demonstrates that the Audit Committee and Internal Audit are concerned about the success of the organization’s internal controls, governance and risk management processes.
Benefits
PCAOB Audit Standard 2 states “The external auditor may use the work of internal auditors particularly when internal auditors are in compliance with the Standards.”
Observations on benchmarking & identification of successful practices
Recommendations for improvement aimed at adding value to the organization.
Benefits
Identify Expectation Gaps
  Among key stakeholder expectations
  Current state & desired state of performance
Recommendations aimed at adding value to the organization
Internal marketing tool strengthening credibility and promoting integrity
Attributes of a “World-Class” Internal Audit Activity
Empowered & Respected by Management and Board
Objective and Independent
Highly Talented
Risk Focused
Proactive
Technology Driven
Empowered and Respected
Best Reporting Structure
  Functionally – Audit Committee
  Administratively – CEO
Respected at All Levels
  Value-Added Business Advisors
  “Out of the box” thinking
  Provides effective resources and solutions to business challenges
Objective and Independent
Seen as providing unbiased views of the organization.
Have no real or apparent conflicts of interest
Independent of the activities they audit
“No-No’s”
  Designing and installing systems
  Drafting of procedures
Highly Talented
Highly talented professionals (certified) with unique combinations of skills & experiences
  Hiring and Retention
  Rotation in and out
Constantly adding value
Collectively possess the essential skills
  Consideration for co-sourcing
Must commit to a program of continuous development
Risk Focused
Allocates Time & Resources Based on Risk
  Annual and Long Term Plans
  Individual Engagements
Identifies critical risks & exposures before they become significant issues
Shares “lessons learned” across common business units and processes
Proactive
Proactive, not only reactive
Right balance between protecting and enhancing shareholder value
Level of consultative support correlates with the organization’s fluidity
  E.g., a flat, decentralized organization likely requires more significant support in analyzing business risks and transferring company-wide best practices than a highly centralized organization
Technology & Process Driven
Utilizes “state-of-the-art” technology to:
  Reduce Risks
  Identify potential problems in nearly real time
  Increase productivity
  Continuously improve the control environment and communications
Be committed to a program of continuous improvement
Foundation of World-Class Audit Departments
The International Standards for the Professional Practice of Internal Auditing and the Code of Ethics are the foundation for all world-class functions.
Quality Components
Adherence to the Code of Ethics
Practicing in accordance with the Standards
Continued Professional Development
Audit Practice is continuous improvement oriented
Quality Assurance
To Evaluate Quality - Objectively measure internal audit process
To Maintain Quality - Fully commit to professional growth and development
To Ensure Quality - Maintain quality assurance and improvement program
Quality Standards
Internal audit must establish a quality assurance program that includes both:
  Ongoing and periodic internal QAs
  External QA a minimum of once every 5 years
Failure precludes IA from using the statement “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.”
Keys to an Effective QA
Understanding the Professional Practices Framework
Awareness and Implementation of the Standards
Internal audit quality programs and initiatives
Leading practices in applying the Standards
Professional Practices Framework
Definition of Internal Auditing
The Code of Ethics
The Standards
Practice Advisories
Topical Index to the Practice Advisories
Purpose of a Quality Assessment
Assess conformance to the Standards
Assess the effectiveness and efficiency of the internal audit activity
Identify opportunities for improvement
  Improving performance
  Image of the department
Scope of External Assessments
Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements
The expectations of the IA as expressed by the board, executive management and operational management
The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process
Scope (Cont’d)
Tools and techniques
Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement
Determination that the internal audit activity adds value and improves the organization’s operations
Areas of Focus
The Mandate of the IA Activity
The Relationship between IA & the Audit Committee
IA Reporting Lines
Staffing of Internal Audit
Obtaining & Maintaining Competency
Coordination with External Audit
Developing the Internal Audit Plan
Reporting Findings & Recommendations
Areas of Focus
Follow-Up of Corrective Action
Fraud
Internal Quality Program
Sufficiency of IA Resources
Support from Senior Management
Evaluation by the Audit Committee
Common Findings
Charters not current, inadequate and/or misaligned
Lacking support or sponsorship by top management
Department structure issues
  Reporting lines
  Alignment with the organization
Insufficient business knowledge and/or technology capabilities
Lack of a defined and documented risk assessment
Common Findings
Linkage of risk assessment to plan
  Impact of Sar-Box
Lack of external input to risk assessment
Audit Universe Deficiencies
Ineffective resource planning, including training
Inadequate IT Coverage
Limited use of technology
Infrequent management interaction
Common Findings
Lack of Performance Measurements
Failure to Track Auditors’ Time
Inconsistent/Incomplete Work Papers
Lack of a defined and documented Quality Assurance and Improvement Program
Insufficient reporting to the Audit Committee
Leading Practices
Enterprise Risk Assessment
  Rigorous and coordinated approach
  Assessing all risks that affect the organization’s strategic & financial objectives
Risk & Control Self Assessment
Using Control Frameworks (COSO)
  Effectiveness & Efficiency of Operations
  Reliability of Financial Reporting
  Compliance with Laws & Regulations
Leading Practices
Partnering with Management
  Risk Assessment & Annual Audit Planning
Long Term Audit Plans
  Usually three years
  Higher risk areas should be reviewed more frequently within the 3 year plan
  Frequent modifications to long term plan
Developing Staff
  Goal of 80 hours of training
  Stretch Objectives & Performance Measures
  Certification
Leading Practices
Communicating More Effectively
  User friendly format
  Executive summary, with clear concise information and opinion
  Regular reporting of issues to the Audit committee
  “Marketing” IA function
    • Brochure
    • Intranet
Leading Practices
Using Technology
  Data extraction and analysis
  Fraud detection/prevention
  Network security assessment
  Automated work-papers
  Audit administration tools
Benchmarking
  Performance measurements
Questions