1
An Integrated Approach to the Internal Control System
- New Methodology for Evaluating Design and Effectiveness -
Carolyn Dittmeier
President, IIA Italy
Vice President, Head of Internal Auditing, Poste Italiane
2
Corporate Governance Paper
IIA Italy
New Corporate Governance players
Anti-corruption (Law 231)
Sarbanes (Law 262)
Bank Regulations
Increasing legislation and regulation of governance
3
Numerous corporate governance players
Audit Committee
Board of Statutory Auditors
Compliance Officer
Other Control Bodies
Internal Audit
Compliance Function
Security
Quality
CFO
Human Resource & Organization
Operational Management
Safety
Privacy
Board of Directors
Inspectorate
4
Cost efficiency
Effectiveness
Cost of governance exceeds benefits in risk reduction
Integrated methodology for business control identification and evaluation
Focusing separately on:
A Unified Internal Control System
Control Design
Control Operating Effectiveness
19
How to evaluate the Integrated Internal Control System
Control Objectives
Risk Tolerance
Risk Acceptance
Reactivity
Coverage
Strength
Control Design
Operating effectiveness
Adequacy
Relevance
Red-flag analysis
Resources availability
Effectiveness, Efficiency and cost effectiveness
Compliance verification
20
Definition of a ‘control’?
Input Standard
Input Capture/ Measurement
Output
Comparison input / standard
Correction
A set of activities whose purpose is to identify and correct errors and anomalies in order to reach defined control objectives, risk based
21
Control Objectives, risk based (examples)
Quality and timeliness of operations
Reliability and integrity of Company information (financial and operational)
Proper and effective contractual relations with customers and suppliers
Compliance with Regulations
Prevention of fraud
Business continuity
22
How to evaluate the Integrated Internal Control System
Control Objectives
Risk Tolerance
Risk Acceptance
Reactivity
Coverage
Strength
Control Design
Operating effectiveness
Adequacy
Relevance
Red-flag analysis
Resources availability
Effectiveness, Efficiency and Cost effectiveness
Compliance verification
Case study: quality cheese production
Production of fresh cheese according to quality standards
Process
Activity 1: Supply request
For every fresh cheese lot, the Production Dept requests from the Purchasing Dept, up to 5 days before the fermentation process, quantities of milk supplies on the basis of approved monthly sales forecasts.
Activity 2: Production
Upon supply of milk (<3 days) the Production Dept proceeds with:
• Pasteurisation (2 hours)
• Coagulation of casein (2 hours)
• Drainage of whey (1 hour)
• Pressing and salting (1 hour)
(time frame automatically recorded in 3 of 4 phases)
Control over Production Time Standards
The Quality Dept verifies compliance with production time standards. If non-compliant, it blocks the packaging process, requesting the lot to be destroyed and re-produced.
Activity 3: Packaging
Following authorization given by Quality Dept, the Production Dept proceeds to package the fresh cheese within 24 hours for delivery by the Distribution Dept by the next day.
23
Case study: quality cheese production
Control components
Control over Production Time Standards
Control objectives: Ensure fresh cheese according to quality standards
• Ensure the absence of pathogens in the milk
• Ensure production-time for avoiding pathogenic generation
• Ensure temperature-preservation for avoiding pathogenic generation
Time Limitation Standards
Actual time frame (automatic)
Check
Information System
Authorization for packaging
Lot destruction when out of time standard
Replacement of Production lot
24
Reactivity
Relevance
Strength
Control Design
Operating effectiveness
Adequacy
Coverage
Compliance test
Red-flag analysis
Resources availability
Control Objective
25
Control evaluation: scale of 1-5 (1-2 positive, 3-4-5 negative).
[Chart: evaluation by criterion: Discretion, Integration, Independence, Segregation, Automation, Adaptability, Traceability]
Case study: quality cheese production
Strength
[Chart: evaluation by criterion: Discretion, Integration, Independence, Segregation, Automation, Adaptability, Traceability]
Scenario
Scenario 1: Known and positive design
Scenario 2: Known; design non positive
Scenario 3: Unknown design
Risk Tolerance
Risk Acceptance
Reactivity
Coverage
Strength
Control Design
Operating effectiveness
Adequacy
Relevance
Compliance test
Red-flag analysis
Resources availability
Control Objectives
Effectiveness, Efficiency and cost effectiveness
Case study: quality cheese production
Control design evaluation: positive (2)
Audit Program
Test 1: Verify Information system utilized for standard check
Test 2: Examine Sample of production lots checked by Quality Dept
Audit Exception Level
Test 1: 20% - Test 2: 5%
Control operating effectiveness evaluation: good (3)
27
28
Corporate Governance Paper
Associazione Italiana Internal Auditors
I. Global business risk assessment
Key points to an Integrated Corporate Governance Model:
• Three Control Levels
• Optimizing Relationships
• Single Evaluation Criteria
II. Unified Internal Control System
III. Mechanisms of Assurance