CBIZ Risk & Advisory Services, LLC. Quality Assessments: Lessons Learned/Best Practices. Thomas A. Johnson, CIA. November 13, 2007


Page 2:

Agenda

Requirement

Benefits

Attributes of a “World-Class” Internal Audit

Quality and Quality Assessment

Keys to an Effective QA

Common Observations

Leading Practices

Page 3:

Requirement

IIA Standard 1312: Requires an external assessment be performed by a competent and independent firm at least every 5 years.

Good “business practice” to provide an independent evaluation of internal audit as well as identifying potential ways to improve the process.

With Sarbanes-Oxley and other demands placed on Audit Committees and Internal Audit, a Quality Assurance Review serves to provide an assessment that the various Internal Audit responsibilities are being discharged effectively and efficiently.

Page 4:

Benefits

Current State of “Conformance to the Standards”.

Builds stakeholder confidence by showing management’s commitment to quality and leading practices.

Demonstrates that the Audit Committee and Internal Audit are concerned about the success of the organization’s internal controls, governance and risk management processes.

Page 5:

Benefits

PCAOB Audit Standard 2 states “The external auditor may use the work of internal auditors particularly when internal auditors are in compliance with the Standards.”

Observations on benchmarking & identification of successful practices

Recommendations for improvement aimed at adding value to the organization.

Page 6:

Benefits

Identify Expectation Gaps
• Among key stakeholder expectations
• Current state & desired state of performance

Recommendations aimed at adding value to the organization

Internal marketing tool strengthening credibility and promoting integrity

Page 7:

Attributes of a “World-Class” Internal Audit Activity

Empowered & Respected by Management and Board

Objective and Independent

Highly Talented

Risk Focused

Proactive

Technology Driven

Page 8:

Empowered and Respected

Best Reporting Structure
• Functionally – Audit Committee
• Administratively – CEO

Respected at All Levels
• Value-Added Business Advisors
• “Out of the box” thinking
• Provides effective resources and solutions to business challenges

Page 9:

Objective and Independent

Seen as providing unbiased views of the organization.

Have no real or apparent conflicts of interest

Independent of the activities they audit

“No-No’s”
• Designing and installing systems
• Drafting of procedures

Page 10:

Highly Talented

Highly talented professionals (certified) with unique combinations of skills & experiences
• Hiring and Retention
• Rotation in and out

Constantly adding value

Collectively possess the essential skills
• Consideration for co-sourcing

Must commit to a program of continuous development

Page 11:

Risk Focused

Allocates Time & Resources Based on Risk
• Annual and Long Term Plans
• Individual Engagements

Identifies critical risks & exposures before they become significant issues

Shares “lessons learned” across common business units and processes

Page 12:

Proactive

Proactive, not only reactive

Right balance between protecting and enhancing shareholder value

Level of consultative support correlates with the organization’s fluidity
• E.g., a flat, decentralized organization likely requires more significant support in analyzing business risks and transferring company-wide best practices than a highly centralized organization

Page 13:

Technology & Process Driven

Utilizes “state-of-the-art” technology to:
• Reduce Risks
• Identify potential problems in nearly real time
• Increase productivity
• Continuously improve the control environment and communications

Be committed to a program of continuous improvement

Page 14:

Foundation of World-Class Audit Departments

The International Standards for the Professional Practice of Internal Auditing and the Code of Ethics are the foundation for all world-class functions.

Page 15:

Quality Components

Adherence to the Code of Ethics

Practicing in accordance with the Standards

Continued Professional Development

Audit Practice is continuous improvement oriented

Page 16:

Quality Assurance

To Evaluate Quality – Objectively measure internal audit process

To Maintain Quality – Fully commit to professional growth and development

To Ensure Quality – Maintain quality assurance and improvement program

Page 17:

Quality Standards

Internal audit must establish a quality assurance program that includes both:
• Ongoing and periodic internal QA’s
• External QA a minimum of once every 5 years

Failure precludes IA from using the statement “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.”

Page 18:

Keys to an Effective QA

Understanding the Professional Practices Framework

Awareness and Implementation of the Standards

Internal audit quality programs and initiatives

Leading practices in applying the Standards

Page 19:

Professional Practices Framework

Definition of Internal Auditing

The Code of Ethics

The Standards

Practice Advisories

Topical Index to the Practice Advisories

Page 20:

Purpose of a Quality Assessment

Assess conformance to the Standards

Assess the effectiveness and efficiency of the internal audit activity

Identify opportunities for improvement
• Improving performance
• Image of the department

Page 21:

Scope of External Assessments

Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements

The expectations of the IA as expressed by the board, executive management and operational management

The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process

Page 22:

Scope (Cont’d)

Tools and techniques

Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement

Determination that the internal audit activity adds value and improves the organization’s operations

Page 23:

Areas of Focus

The Mandate of the IA Activity

The Relationship between IA & the Audit Committee

IA Reporting Lines

Staffing of Internal Audit

Obtaining & Maintaining Competency

Coordination with External Audit

Developing the Internal Audit Plan

Reporting Findings & Recommendations

Page 24:

Areas of Focus

Follow-Up of Corrective Action

Fraud

Internal Quality Program

Sufficiency of IA Resources

Support from Senior Management

Evaluation by the Audit Committee

Page 25:

Common Findings

Charters not current, inadequate and/or misaligned

Lacking support or sponsorship by top management

Department structure issues
• Reporting lines
• Alignment with the organization

Insufficient business knowledge and/or technology capabilities

Lack of a defined and documented risk assessment

Page 26:

Common Findings

Linkage of risk assessment to plan
• Impact of Sar-Box

Lack of external input to risk assessment

Audit Universe Deficiencies

Ineffective resource planning, including training

Inadequate IT Coverage

Limited use of technology

Infrequent management interaction

Page 27:

Common Findings

Lack of Performance Measurements

Failure to Track Auditors’ Time

Inconsistent/Incomplete Work Papers

Lack of a defined and documented Quality Assurance and Improvement Program

Insufficient reporting to the Audit Committee

Page 28:

Leading Practices

Enterprise Risk Assessment
• Rigorous and coordinated approach
• Assessing all risks that affect the organization’s strategic & financial objectives

Risk & Control Self Assessment

Using Control Frameworks (COSO)
• Effectiveness & Efficiency of Operations
• Reliability of Financial Reporting
• Compliance with Laws & Regulations

Page 29:

Leading Practices

Partnering with Management
• Risk Assessment & Annual Audit Planning

Long Term Audit Plans
• Usually three years
• Higher risk areas should be reviewed more frequently within the 3 year plan
• Frequent modifications to long term plan

Developing Staff
• Goal of 80 hours of training
• Stretch Objectives & Performance Measures
• Certification

Page 30:

Leading Practices

Communicating More Effectively
• User friendly format
• Executive summary, with clear concise information and opinion
• Regular reporting of issues to the Audit committee
• “Marketing” IA function
  • Brochure
  • Intranet

Page 31:

Leading Practices

Using Technology
• Data extraction and analysis
• Fraud detection/prevention
• Network security assessment
• Automated work-papers
• Audit administration tools

Benchmarking Performance measurements

Page 32:

Questions

Page 33:

Follow-Up

Tom Johnson

[email protected]

330-759-0046
