Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

What's on the internal audit horizon?

1,085 views

Published on

Standards, Guidance and Leading Internal Audit Practices - slide deck from a Protiviti webinar given on March 30, 2016. Includes a summary of the revisions to the International Professional Practices Framework (IPPF)

Published in: Business
  • Be the first to comment

What's on the internal audit horizon?

  1. 1. © 2016 Protiviti Inc. WHAT IS ON THE INTERNAL AUDIT HORIZON? STANDARDS, GUIDANCE AND LEADING INTERNAL AUDIT PRACTICES
  2. 2. © 2016 Protiviti Inc. A REMINDER… You can download a copy of this presentation via the Resources Area on your screen. Following the webinar, all attendees will receive a link to a copy of the presentation and recording. There will be a Q&A session at the end of the webinar. Please submit your questions by clicking on the Questions Area on your screen. 2 If you are having trouble hearing the audio through your computer, a separate phone line is available for your use: • US/Canada Line (855) 707-0664 • International Line (734) 385-2579 • Conference ID 50789777
  3. 3. © 2016 Protiviti Inc. CPE CREDITS AND SUPPLEMENTAL INFORMATION We are offering 1.0 CPE credit for this webinar. To be eligible to receive this credit, please ensure you answer at least three (3) out of the four (4) polling questions. You will receive the CPE certificate via e-mail approximately two (2) weeks after the webinar date. In the Resources Area, you can: − Save/Print a copy of today’s presentation − View updates from The IIA − Register for an upcoming CPE webinar 3 If you are having trouble hearing the audio through your computer, a separate phone line is available for your use: • US/Canada Line (855) 707-0664 • International Line (734) 385-2579 • Conference ID 50789777
  4. 4. © 2016 Protiviti Inc. TODAY’S SPEAKERS 4 Basil Woller – Basil Woller & Associates LLC Basil Woller is one of the leading and most recognized quality assurance review (QAR) specialists in the internal auditing profession. Basil has more than 35 years of experience in internal auditing and risk management, including risk identification, assessment, and mitigation, corporate governance, and ethics and compliance. Basil led the global external quality assessment services practice for Protiviti from 2006 to 2009 and played an active role in monitoring and executing external quality assessment services on a firm-wide basis. Basil was also responsible for Protiviti’s peer review program related to its internal audit practice. Basil.Woller@gmail.com If you are having trouble hearing the audio through your computer, a separate phone line is available for your use: • US/Canada Line (855) 707-0664 • International Line (734) 385-2579 • Conference ID 50789777
  5. 5. © 2016 Protiviti Inc. TODAY’S SPEAKERS 5 Kyle Furtis – Protiviti Kyle Furtis is a Managing Director in Protiviti’s Internal Audit and Financial Advisory practice with more than 30 years of internal audit experience. Prior to joining Protiviti in 2003, Kyle served as senior vice president and director of financial audit services for Summit Bancorp responsible for both financial and IT Audit. Kyle is currently on the board of directors of the IIA North Jersey chapter. He is a Certified Information Systems Auditor (CISA), Certified Financial Services Auditor (CFSA), and has the Certification of Risk Management Assurance (CRMA). Kyle is the global Quality Assessment Review practice leader at Protiviti and has performed more than 70 QARs. Kyle.Furtis@protiviti.com If you are having trouble hearing the audio through your computer, a separate phone line is available for your use: • US/Canada Line (855) 707-0664 • International Line (734) 385-2579 • Conference ID 50789777
  6. 6. © 2016 Protiviti Inc. • Revisions to the International Professional Practices Framework (IPPF) • Proposed changes to the International Standards for the Professional Practice of Internal Auditing (Standards) • Other recently released guidance from The IIA • Leading internal audit practices TODAY’S AGENDA WHAT’S ON THE INTERNAL AUDIT HORIZON? 6
  7. 7. © 2016 Protiviti Inc. STANDARDS, GUIDANCE AND THE IPPF 7
  8. 8. © 2016 Protiviti Inc. INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK 8 EFFECTIVE JULY 1, 2015 Source: The IIA
  9. 9. © 2016 Protiviti Inc. MISSION OF INTERNAL AUDIT 9 To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
  10. 10. © 2016 Protiviti Inc. CORE PRINCIPLES FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING 10 Demonstrates integrity Demonstrates quality and continuous improvement Demonstrates competence and due professional care Is objective and free from undue influence (independent) Aligns with the strategies, objectives, and risks of the organization Is appropriately positioned and adequately resourced Communicates effectively Provides risk-based assurance Is insightful, proactive, and future-focused Promotes organizational improvement CORE PRINCIPLES
  11. 11. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS 11 UpdateIntroduction of the Standards INTRODUCTION AND ATTRIBUTE STANDARDS UpdateStandard 1000: Purpose, Authority, and Responsibility Update Standard 1010: Recognition of the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter UpdateStandard 1110.A1: Organizational Independence New Standard 1112: Chief Audit Executive Roles Beyond Internal Auditing N*
  12. 12. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS 12 INTRODUCTION AND ATTRIBUTE STANDARDS NewStandard 1130. A3: Impairment to Independence or Objectivity UpdateStandard 1210: Proficiency UpdateStandard 1300: Quality Assurance and Improvement Program UpdateStandard 1311: Internal Assessments N*
  13. 13. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS 13 INTRODUCTION AND ATTRIBUTE STANDARDS UpdateStandard 1312: External Assessments Update Standard 1320: Reporting on the Quality Assurance and Improvement Program UpdateStandard 1321: Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing" UpdateStandard 1322: Disclosure of Nonconformance
  14. 14. © 2016 Protiviti Inc. KEY TAKEAWAYS 14 ATTRIBUTE STANDARDS Standard 1000: Update charter to incorporate core principles.1 Standard 1010: Must reflect mandatory elements in charter.2 Standard 1112: Must ensure safeguards in place for non-audit responsibilities.3 Standard 1130.A3: Provide assurance where consulting previously performed.4 Standard 1312: Involvement of the audit committee in the quality assurance and improvement program (QAIP). 5 Standard 1320: Disclosures when reporting results of the quality assurance and improvement program (QAIP). 6
  15. 15. © 2016 Protiviti Inc. A. Yes B. I am planning to respond by the 4/30 deadline C. I do not plan to respond Have you responded to the proposed changes to The IIA’s International Standards for the Professional Practice of Auditing (Standards)? Reminder: Answer 3 out of 4 questions to qualify for CPE credit. POLL QUESTION #1 15
  16. 16. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS 16 PERFORMANCE STANDARDS UpdateStandard 2000: Managing the Internal Audit Activity UpdateStandard 2010: Planning UpdateStandard 2050: Coordination and Reliance Update Standard 2060: Reporting to Senior Management and the Board Update Standard 2070: External Service Provider and Organizational Responsibility for Internal Auditing UpdateStandard 2100: Nature of Work
  17. 17. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS 17 PERFORMANCE STANDARDS UpdateStandard 2110: Governance UpdateStandard 2200: Engagement Planning UpdateStandard 2201: Planning Considerations UpdateStandard 2210.A3: Engagement Objectives UpdateStandard 2230: Engagement Resource Allocation
  18. 18. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS 18 PERFORMANCE STANDARDS UpdateStandard 2330: Documenting Information Update Standard 2410 and Standard 2410.A1: Criteria for Communicating Update Standard 2430: Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing” UpdateStandard 2431: Engagement Disclosure of Nonconformance UpdateStandard 2450: Overall Opinions
  19. 19. © 2016 Protiviti Inc. KEY TAKEAWAYS 19 PERFORMANCE STANDARDS Standard 2050: Reliance of work performed by other providers of assurance.1 Standard 2060: Required communications.2 Standard 2100: Focus on aligning with strategy and future impact.3 Standard 2210.A3: Leveraging criteria.4 Standard 2410.A1: Conclusions in reports.5
  20. 20. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS GLOSSARY 20 Board Update Definition Chief Audit Executive Update Definition Core Principles for the Professional Practice of Internal Auditing New Definition Professional Practices Framework Update Definition N*
  21. 21. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS 21 2016 Apr 2017 May Jun Jul Aug Sep Oct Jan APRIL 30, 2016 EXPOSURE DRAFT OPEN OCT 1, 2016 NEW STANDARDS ANNOUNCED JANUARY 1, 2017 NEW STANDARDS EFFECTIVE Nov Dec TIMELINE FOR CHANGES
  22. 22. © 2016 Protiviti Inc. PROPOSED CHANGES TO THE STANDARDS 22 Modify internal audit infrastructure and methodology upon announcement of modified Standards – October 1, 2016. Evaluate potential impact upon internal audit infrastructure and methodology for proposed changes. Read and provide commentary to changes by April 30, 2016. Go live with changes, effective January 1, 2017. 1 2 3 4 ACTION STEPS TO CONSIDER
  23. 23. © 2016 Protiviti Inc. RECENT CHANGES TO PROFESSIONAL GUIDANCE Implementation Guidance Supplemental Guidance IG1000 Purpose, Authority, and Responsibility IG2110 Governance Practice Guide Talent Management (12-2015) Practice Guide Internal Audit and the Second Line of Defense (01-2016) 23 Replaces Practice Advisory and provides guidance related to internal audit charter. Replaces Practice Advisory and provides guidance related to governance aspects of nature of work standard. Provides ideas supporting proficiency, due professional care, professional development, and resource management. Provides clarification about roles between internal audit and other providers of assurance within organizations. Expands upon Three Lines of Defense Framework.
  24. 24. © 2016 Protiviti Inc. A. Yes B. No C. I don’t know Do all internal audit staff members in your organization complete an annual Independence and Objectivity Form to assert their independence? POLL QUESTION #2 Reminder: Answer 3 out of 4 questions to qualify for CPE credit. 24
  25. 25. © 2016 Protiviti Inc. LEADING INTERNAL AUDIT PRACTICES 25
  26. 26. © 2016 Protiviti Inc. RISK ASSESSMENT 26 LEADING INTERNAL AUDIT PRACTICE The internal audit risk assessment is linked to the entity-wide view of risk through the enterprise risk management function, and includes qualitative and quantitative risk criteria to prioritize and determine the audit plan. The IT security risk assessment is used as input to the internal audit risk assessment to ensure audit coverage of the higher IT security risks to the organization. The annual audit planning and risk assessment process factors in the Corruption Perception Index score, in addition to financial and operational factors. Use of the corruption index is valuable for global organizations. Internal audit covers the higher risks in the organization. Interesting Approach Benefits
  27. 27. © 2016 Protiviti Inc. TRAINING 27 LEADING INTERNAL AUDIT PRACTICE At quarterly internal audit staff meetings, guest speakers from the business discuss their business operations to educate auditors on processes, risks, controls, etc. so that internal audit can plan for a more effective and efficient audit. A training plan is developed based on a skills assessment to determine if there are any knowledge gaps between staff skill sets and the audit plan. Internal audit staff receives relevant training that is also linked to the audit plan. Internal audit has an onboarding process and training program that provides staff with critical information on the audit process that facilitates a quicker transition, enabling auditors to be productive sooner. Competent staff and quality, value added audits. Benefits Interesting Approach
  28. 28. © 2016 Protiviti Inc. MANAGEMENT’S ACCEPTANCE OF RISK 28 LEADING INTERNAL AUDIT PRACTICE In cases of acceptance of a risk by management, approval of this acceptance must be provided by an executive vice president or higher and is formally disclosed in writing to, and discussed with, the audit committee. Most organizations do not have a formal policy or process for management’s acceptance of risk. Instances of management’s acceptance of risk are reviewed/analyzed quarterly to determine if the risk has changed, and the results of that analysis are reported to, and discussed with, the audit committee. Facilitates discussion of risks and risk transparency. Benefits Interesting Approach
  29. 29. © 2016 Protiviti Inc. ADDING VALUE 29 LEADING INTERNAL AUDIT PRACTICE Internal audit prepares and delivers a newsletter to management regarding risks and control issues. This communication provides internal audit with the opportunity to educate business units on risks and internal controls outside of the standard audit process. Internal audit prepares and delivers an internal audit awareness presentation to management throughout the organization to explain the risk assessment process and audit process. The internal audit methodology includes four types of audits performed : 1) risk assessment, 2) design effectiveness, 3) control effectiveness and 4) full audit. Internal audit provides management and the audit committee with a quarterly report on new systems being implemented in the organization, and provides internal audit’s opinion on each of the phases, milestones, and associated control objectives for those systems. Internal audit is viewed as a partner by audit stakeholders. Benefits Interesting Approach
  30. 30. © 2016 Protiviti Inc. PLAN EFFECTIVELY 30 LEADING INTERNAL AUDIT PRACTICE An engagement risk assessment is performed and includes a comprehensive list of areas that an auditor assesses for that specific audit including: financial data, history of audit issues, changes in management/staff, input from management and use of technology. For each audit, internal audit prepares test plans that include Association of Certified Fraud Examiners (ACFE) risks and fraud scenarios embedded within the test procedures to force auditors to consider the potential for fraud during testing. Project budgets are developed, within a risk and controls matrix, that detail estimated hours required by each team member. Most internal audit functions do not take the step of aligning the project budget with risks. Efficiency and quality. Interesting Approach Benefits
  31. 31. © 2016 Protiviti Inc. DATA ANALYTICS 31 LEADING INTERNAL AUDIT PRACTICE Internal audit has a formal data analytics program in place that is well defined as to identifying and acquiring data that can be analyzed to determine potential breakdowns of selected controls. All audit programs include a step for auditors to explain why data analysis is not being used on the audit. Start with areas where internal audit is comfortable with the data – account reconciliations, journal entries, accounts payable, fixed assets, time and expense, thresholds/limit controls, human resources/payroll. Risk focused – efficiently increase testing of transactions. Interesting Approach Benefits
  32. 32. © 2016 Protiviti Inc. INTEGRATING ANALYTICS ACROSS THE BUSINESS 32 UseFunctionLine 1st Line 2nd Line 3rd Line Business Function • Monitor operational risk • Control rationalization • Monitor performance and efficiency Risk Function • Assess entity-level risk • Manage compliance activities • Complete risk assessments • Monitor risk activities Audit Function • Independent assurance • Control testing • Risk assessments • Control monitoring • Continuous risk monitoring • Continuous monitoring • Key control execution • Performance reporting E.g., security event monitoring • Oversight risk, control, and compliance • Monitoring of risk performance E.g., data driven ERM • Risk assessments • Continuous auditing • Data enabled audits • Investigations E.g., fraud risk review CAPTURE, MANAGE AND ANALYZE DATA TO DRIVE BUSINESS STRATEGY AND PERFORMANCE
  33. 33. © 2016 Protiviti Inc. ANALYTICS ROADMAP…IT’S A JOURNEY 33 Year 3+ Integrate Analysts Year 2 Expand Coverage Year 1 Foundation Advanced Analysis Full Integration • Define objectives and strategy • Access and normalize data • Identify enabling tools • Establish champions • Integrate ad-hoc analysis • Establish KPI’s • Broaden organizational use • Fully embed analytics • Move towards data governance • Continuous analytics • Fully integrated analytics program • Standardized reporting packages • Enterprise access to analytics reports • Established data governance • Continuous improvement • Predictive analytics • Train staff and develop capability • Prove value (e.g., pilots, PoCs) • Define data access model • Identify opportunities to embed
  34. 34. © 2016 Protiviti Inc. A. An engagement planning and completion checklist is utilized to enable engagement quality B. Other members of internal department provide insights into engagement risk assessments and scoping to share knowledge across the team C. Internal audit has a dedicated professional practices lead/group or committee that administers the QAIP, and administers training and methodology improvement D. Internal audit has developed a quality assurance scorecard as part of their periodic review of a sample of work papers with quality scores being calculated for each audit reviewed E. Internal audit staff training is designed to address general themes, deviations from internal audit policies and procedures, conformance to the Standards, etc. Does your internal audit department utilize any of the following quality assurance and improvement program (QAIP) techniques? Select as many as apply to your organization. POLL QUESTION #3 Reminder: Answer 3 out of 4 questions to qualify for CPE credit. 34
  35. 35. © 2016 Protiviti Inc. QUALITY ASSURANCE AND IMPROVEMENT PROGRAM 35 LEADING INTERNAL AUDIT PRACTICE Conduct peer reviews. Internal audit developed quality assurance standards for each stage of an audit engagement. At the completion of the audit, internal audit management performs a full file quality assurance review using the Quality Assurance Template. Built a multi-layered quality assurance and improvement program designed to proactively monitor quality during the audit, in addition to monitoring metrics and reviewing work papers after the audit. Internal audit assesses its conformance with the Standards annually. The internal audit policy and procedures manual is mapped to the Standards to ensure the audit process conforms to the Standards. Audit staff understand the relationship between the Standards and the audit process. Improved focus and prioritization of continuous improvement efforts. Benefits Interesting Approach
  36. 36. © 2016 Protiviti Inc. TALENT MANAGEMENT 36 LEADING INTERNAL AUDIT PRACTICE Internal audit strategically manages the balance of resources based on years of experience, business/industry experience, technical skills, and alignment with the business. Implement a rotational staff program: a company driven management development program that rotates participates in and out of internal audit. Design a guest auditor program that used to acquire technical skills as needed. Periodically perform analysis of staff skills (process, IT, fraud, certifications, etc.) to determine if internal audit has the necessary skill sets needed to complete the audit plan, determine the level of co-sourcing (if needed) and balancing the experience in the department (career auditors vs. rotational etc.). Increased audit effectiveness. Benefits Interesting Approach
  37. 37. © 2016 Protiviti Inc. INTERNAL AUDIT COMMUNICATIONS 37 LEADING INTERNAL AUDIT PRACTICE Internal audit provides trends of reported issues for a period of time by geography, rating types, COSO objective, or other suitable categories to provide perspective to management and the audit committee on areas needing attention. Internal audit reports on the status of the top ten risks as identified by the board/audit committee. Audit staff meet audit committee chair annually to hear his/her perspective and for the chairperson to get internal audit staff perspectives on risk and control. Internal audit communicates internal control best practices to the organization through a newsletter. Improved understanding of risks and controls. Benefits Interesting Approach
  38. 38. © 2016 Protiviti Inc. BENCHMARKING 38 LEADING INTERNAL AUDIT PRACTICE Improve internal audit effectiveness and efficiency. Benefits Types of Benchmarking Understand the maturity and effectiveness of internal audit processes IIA GAIN Thought Leadership and whitepapers Industry peer group Six Elements of Infrastructure Corporate Executive Board External peer group Capability Maturity Model
  39. 39. © 2016 Protiviti Inc. SIX ELEMENTS OF INFRASTRUCTURE 39 • The six elements of infrastructure (six elements) is a useful tool for categorizing issues, understanding where problems are occurring within an organization or business unit, and drawing conclusions to form the basis for recommendations. • In Protiviti’s view, the elements of infrastructure should be considered when designing a new process or assessing an existing process. Also, the six elements are common to each process or function. • These elements represent the capabilities that each process or function should possess; and they provide a comprehensive and consistent framework to communicate the requirements for the appropriate operation of a process or function. • While these elements are not necessarily intended to be a strictly linear process, the components of the framework are generally designed from left to right. The use of this structure helps organize the otherwise complex network of risk management activities into a comprehensive and consistent framework. In particular, it ensures that all key components are appropriately considered. About the Six Elements Methodology Business Policies Business Processes Systems and Data Reporting People KEY ELEMENTS OF INFRASTRUCTURE MUST BE LINKED BY DESIGN
  40. 40. © 2016 Protiviti Inc. CAPABILITY MATURITY MODEL AND THE SIX ELEMENTS OF INFRASTRUCTURE 40 Reliability and Integrity of Processes and Data Risk of Failure OptimizedManagedDefinedRepeatableInitial BUSINESS POLICIES MANAGEMENT REPORTING METHODOLOGY AND TOOLS PROCESSES SYSTEMS AND DATA PEOPLE AND ORGANIZATION Audit department resources are highly capable and their training/experience levels are closely monitored. Resources are available with all skill sets needed to execute internal audits across the broad spectrum of activities. For highly specialized audit areas, external service providers are welcomed for the expertise they can provide and the new ideas they bring to the organization. A best-in-class training and competency program is in place with personnel actively groomed for positions of increased responsibility. Audit department resources are capable and their training/experience levels are monitored. Resources are generally available with the skill sets needed to execute internal audits. For specialized audit areas, external service providers are sought (although knowledge-sharing in these circumstances may not be fully realized). A training and competency program is in place. Qualified personnel are recruited and developed within the internal audit department. A basic training and development program has been established. Skills/experience requirements are defined. Internal audit leadership recognizes when external service providers are necessary to assist with performing specialized audits. Great reliance is placed on utilizing experienced personnel. Training is generally on-the-job-training with little in the way of formalized training programs. Internal audit independence is maintained through the reporting process. Resourcing determined by audit requirements. Internal audit department is insufficiently staffed with knowledgeable personnel and often resource needs for audits are not met. Audit efforts reflect a "best possible attempt given the circumstances". No clear resource competency requirements are established, and work product quality is inconsistent.
  41. 41. © 2016 Protiviti Inc. 2100 NATURE OF WORK 1000 PURPOSE, AUTHORITY, AND RESPONSIBILITY 2000 MANAGING THE INTERNAL AUDIT ACTIVITY 1100 INDEPENDENCE AND OBJECTIVITY 1200 PROFICIENCY AND DUE PROFESSIONAL CARE CONFORMANCE WITH THE IIA STANDARDS – CAPABILITY MATURITY MODEL 41 Protiviti’s Capability Maturity Model (CMM) is derived from the Carnegie Mellon capability maturity model and is intended to delineate characteristics of a business process (from new to mature) and is used to convey the developmental level of business processes. Below is Protiviti’s application of IIA Standards in the context of the CMM. The red outlines below indicate a subjective assessment of internal audit against these characteristics. OptimizedManagedDefinedRepeatableAdHoc Reliability and Integrity of Processes and Data Risk of Failure Quality assurance program focuses on improvement, effectively uses performance metrics. Quality assurance program encompasses all significant aspects of internal audit activity. Quality assurance program and communication formalized in policy and procedures manual, including internal and external quality assurance requirement. Quality assurance program checklists used on individual audits to ensure consistent application of internal audit methodology. No formal quality assurance program in place although some quality assurance activities might occur on individual audits. 1300 QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
  42. 42. © 2016 Protiviti Inc. A. Internal audit adds any findings, recommendations or other items reported to the company as part of regulatory examinations to its issue tracking system, and tracks and monitors the status of management action plans to address these findings. B. A periodic report is prepared, and sent to management, to identify items that are past due. C. Follow-up testing is performed quarterly to verify that audit findings have been addressed and the associated risks were mitigated. Does your internal audit department perform any of the following follow-up techniques? Select as many that apply to your organization. POLL QUESTION #4 Reminder: Answer 3 out of 4 questions to qualify for CPE credit. 42
  43. 43. © 2016 Protiviti Inc. Q & A Let us know how we did on this webinar. Click on the Survey icon in your attendee console to give us feedback.
  44. 44. © 2016 Protiviti Inc. REGISTER FOR OUR NEXT WEBINAR 44 60 minutes | 1.0 CPE Wednesday, April 6th 9:00 AM Pacific 10:00 AM Mountain 11:00 AM Central 12:00 PM Eastern Relationships and Risk: Initial Insights From North American Stakeholders Hosted in partnership with: Register for this webinar through: • The link in the Resources Area of your attendee console • Protiviti’s webinar page: http://www.protiviti.com/en- US/Pages/Webinars.aspx Download the publication at: www.protiviti.com/cbokrelationshipsandrisk

×