Kickstart Internal Audit in 2014

Kickstart Internal Audit in 2014 January 2014 41875

Oct 20, 2015


salmanahmedkhi1

INTERNAL AUDIT
Page 1: Kickstart Internal Audit in 2014 January 2014 41875

Kickstart Internal Audit in 2014


© 2014 Protiviti Inc. An Equal Opportunity Employer. This document may not be copied nor distributed to any third party.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. 2

A Reminder…

Following the webinar, all attendees will receive a link to a copy of the recorded webinar. You can download a PDF version of the slides through the Attachments link.

If you are experiencing technical difficulties during the webinar, let us know by clicking on the Questions link at the top of your screen. Please provide your e-mail address for a swift reply.

We will have a formal Q&A at the end of this webinar, and we encourage you to submit your questions throughout the webcast. We will address your content questions at the end of the webinar.

If you are having trouble hearing the audio through the computer, separate phone lines are available.

International: +44 (0) 1452 552 630
United States: +1 877 894 4122
Conference ID: 31151469


CPE and Supplemental Information

We are issuing 1.5 CPE credit for this webinar

• To be eligible for CPE credit, you must answer four (4) out of the five (5) polling questions throughout the duration of this webinar.
• You will receive your CPE certificate within 4-6 weeks of the webinar.
• You can download the CPE Course Evaluation Form through the Attachments link.
– Return this evaluation form to Lark Scheierman at Protiviti via e-mail: [email protected]
• Download the PDF version of today’s presentation and related publications through the Attachments link.

Trouble hearing the audio through the computer? Dial in! Phone: + 1 877 894 4122, Conference ID: 31151469


Today’s Presenters


Brian Christensen is a member of Protiviti’s executive leadership team and is the global leader of the firm’s Internal Audit and Financial Advisory Solution. In this role, he is responsible for the development and execution of Protiviti’s internal audit products. He has more than 25 years of experience in helping clients increase the value of their internal audit function. He holds a bachelor’s degree in accounting from the University of Wisconsin. He is a frequent speaker on auditing and risk topics at national conferences.

Dave Brand is a Managing Director in Protiviti’s Chicago office. He leads the global IT Audit practice for Protiviti. He has over 15 years of experience working with companies across multiple industries in the areas of IT Auditing, Computer Aided Auditing Techniques, audit formation, risk assessments and audit committee reporting.


Keith Keller is a Managing Director in Protiviti’s Atlanta office. He is a member of the Financial Services team and serves as the market lead for the Internal Audit and Financial Advisory Solution. Keith is a seasoned executive with more than 30 years of business experience working with a variety of organizations to enhance their business performance through risk management, operational effectiveness and enhanced governance.


Definition of Internal Auditing

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” – Source: The IIA

• Supports Current Internal Auditing Practice Environment
• Fosters Enterprise Risk Management
• Addresses Role of Internal Auditing in Governance


Increased Demands

The demands and expectations placed on internal audit are growing constantly:

Management
Audit Committees
Standard Setters
• IIA Standards and Practice Advisories
• Regulatory Bodies
• New COSO Framework
Regulators

And new and emerging risks are arising that need to be addressed


Assessing Success in 2013

• Tone at the Top
• Process Issues
• IT Matters
• Risk Management
• Corruption Risk
• Sustainability
• Regulatory Matters
• Financial Reporting Matters


Kickstart 2014


Planning Ahead

As we enter 2014, what can we expect in the year ahead? No one knows for sure, but change will be a big part of what is on the horizon.

• The challenges and opportunities highlighted in this presentation are based on our experiences and input from audit leaders and their departments
• We spent 2013 in partnership with organizations from around the world, through benchmarking surveys, client projects, and interviews, to gain insight into the key areas of concern for their organizations
• We are happy to share our insight with you today to help kickstart 2014

Different industries face different issues and priorities. The applicability and prioritization of the challenges included in this presentation will vary by industry.


Establish Open Dialogue

The complexity and velocity of change in an increasingly interdependent world are altering the dynamics of doing business.

As a result of this presentation, we hope it will help internal audit:

• Provide observations and ideas for consideration by management, the board and audit committees as they:
– Continue to navigate uncertainty
– Make and execute appropriate plans for the future
• Discuss major challenges the organization currently faces and will likely face in the near term
• Summarize top-of-mind issues facing your organization and key stakeholders


Road Map for 2014 and Beyond

• Flash Reports and Bulletins
• IT Audit Survey
• IT Security and Privacy Survey
• 2013 SOX Survey
• IA Capabilities and Needs Survey
• Internal Auditing Around the World


Regulations and Standard Setters


Poll Question #1

Do you believe you are well informed on COSO’s updated Internal Control – Integrated Framework 2013?

• Yes

• No

• Unsure


NASDAQ and NYSE

• In March 2013, the NASDAQ proposed a new rule to require listed companies to have an internal audit function
• In light of the breadth and nature of the comments from its issuer community and other stakeholders, the NASDAQ determined in May 2013 to withdraw its proposal so that it may adequately consider these comments
• It also stated its intent to revise the proposed rule, taking into account the comments received, and resubmit it
• NYSE currently requires all listed companies to have an internal audit function
– The exchange recently approved a one-year transition period for newly listed companies to establish this function
• We expect the NASDAQ to offer this same flexibility to listed companies when it resubmits its proposal


Auditor Rotation, Standards, and PCAOB Inspection Reports

• Mandatory Auditor Rotation – The House of Representatives approved a bill that prohibits the PCAOB from forcing public companies to change or rotate their independent auditing firms
• Updates to IIA Standards – Standards 1110, 2010.A2 and 2410.A1, 2450.
• New Practice Advisories – 2320-4, 2120-3, 2320-3
• On December 10, 2012, the PCAOB issued the report “Observations from 2010 Inspections of Domestic Annually Inspected Firms regarding Deficiencies in Audits of Internal Control over Financial Reporting”
– Summarizes inspection observations related to deficiencies in registered public accounting firms’ audits of ICFR for public companies
– Describes the most pervasive deficiencies
• On October 24, 2013, the PCAOB issued Practice Alert #11, which highlights areas in which significant auditing deficiencies have been cited frequently in PCAOB inspection reports over the last three years


PCAOB Reproposes Auditing Standard, Related Parties, and Related Amendments, Including Amendments Regarding Significant Unusual Transactions

PCAOB Auditing Standard No. 16, Communications with Audit Committees, and Amendments to other PCAOB Standards Approved by SEC


SEC Action Against Fraud

Examples from 2013

Archer-Daniels-Midland Co. - SEC charged the Illinois-based global food processor for failing to prevent illicit payments made by foreign subsidiaries to Ukrainian government officials in violation of the FCPA. ADM agreed to pay more than $36 million to settle the SEC's charges. (12/20/13)

Weatherford International - SEC charged the Swiss-based oilfield services company with authorizing bribes and improper travel and entertainment for foreign officials in the Middle East and Africa to win business. Weatherford agreed to pay more than $250 million to settle cases with the SEC and other agencies. (11/26/13)

Stryker Corporation - SEC charged the Michigan-based medical technology company with violating the FCPA by bribing doctors and other government officials in five countries to obtain or retain business and make $7.5 million in illicit profits. Stryker agreed to pay more than $13.2 million to settle the SEC's charges. (10/24/13)

Diebold - SEC charged the Ohio-based manufacturer of ATMs and bank security systems with violating the FCPA by bribing officials at government-owned banks with pleasure trips to popular tourist destinations in order to illicitly win business. Diebold agreed to pay $48 million to settle SEC and Justice Department cases. (10/22/13)

Source: http://www.sec.gov/spotlight/fcpa/fcpa-cases.shtml


Financial Services Hot Topics

Consumer Financial Lending and Deposits Product

Mortgage Lending and Services

Remittance Transfers

Third-Party Risk Management

Complaints, Issue Management and Responsible Business Conduct

Fair Lending

Unfair, Deceptive and Abusive Acts or Practices

Specialized DFA Consumer Protections

Anti-Money Laundering and Sanctions

Common Issues

The Role of Technology

Broker-Dealer Investment Advisors

New Data Collection and Reporting Requirements

Disclosure and Reporting of Representative Compensation for Recruits

Expansion of FINRA’s Minor Rule Violation Plan

Hedge Fund Examinations

Due Diligence and Supervision of Third-Party Service Providers

Identity Theft Prevention/“Red Flags”

Impact on Compliance Functions and Compliance Governance


COSO – Why Change

Environment changes… …have driven Framework updates

Expectations for governance oversight
Globalization of markets and operations
Increased complexity of business and organizational structures
Demands and complexity in laws, rules, regulations and standards
Expectations for competencies and accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and detecting fraud

COSO Cube (2013 Edition)*

Large-scale governance and internal control breakdowns
Risk and risk-based approaches receive greater attention

Source: Chapter 2 of COSO Internal Control: Integrated Framework (2013). *

Source: Updated COSO Internal Control Framework FAQs-Second Edition


COSO – What’s Changed

1. Codifies 17 principles that support the five components of internal control
2. Clarifies role of objective-setting as a precursor to internal control
3. Reflects increased relevance of technology
4. Incorporates an enhanced discussion of governance concepts (the oversight role of the board and its committees)
5. Expands the reporting category of objectives to include non-financial and internal
6. Enhances consideration of anti-fraud expectations in its own principle
7. Increases the focus on non-financial reporting objectives to broaden use
8. Additional approaches and examples for operations, compliance and non-financial reporting objectives

Source: Updated COSO Internal Control Framework FAQs-Second Edition


COSO’s IT Implications

Connecting IT to the COSO Principles

Impacts to Existing IT SOX Documentation

Linkage of COSO to Other Frameworks

Impact of PCAOB Inspection Reports on IT Documentation

Register via the Attachments Link for our January 15, 2014 webinar where we will discuss the IT implications associated with the 2013 COSO Framework.


Technology Considerations


Poll Question #2

Does your organization conduct an IT audit risk assessment?

• Yes, it is conducted separately from the overall risk assessment

• Yes, it is conducted as part of the overall risk assessment process

• No, an IT audit risk assessment is not conducted


Audit Process Knowledge Overall Results

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 (tie) | Data Analysis Tools: Data Manipulation | 3.3
1 (tie) | Fraud: Monitoring | 3.4
2 (tie) | Auditing IT: New Technologies | 2.9
2 (tie) | Fraud: Fraud Risk Assessment | 3.4
3 (tie) | Data Analysis Tools: Statistical Analysis | 3.3
3 (tie) | Fraud: Fraud Detection/Investigation | 3.4
4 (tie) | Fraud: Management/Prevention | 3.5
4 (tie) | Computer-Assisted Audit Tools (CAATs) | 3.1
5 | Data Analysis Tools: Sampling | 3.4

Source: 2013 Internal Audit Capabilities and Needs Survey


Audit Process Knowledge CAE Results

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Data Analysis Tools: Data Manipulation | 3.2
2 | Auditing IT: New Technologies | 3.1
3 | Data Analysis Tools: Sampling | 3.4
4 | Computer-Assisted Audit Tools (CAATs) | 3.3
4 | Data Analysis Tools: Statistical Analysis | 3.3
5 | Fraud: Fraud Risk Assessment | 3.7

Source: 2013 Internal Audit Capabilities and Needs Survey


PCAOB Inspection Reports

The following are representative of the IT-specific findings from 2010 PCAOB Inspection Reports.

• Placed unwarranted reliance on certain important system generated data and reports after underlying ITGCs failed testing; failed to identify/test manually generated reports
• Failed to test controls over completeness and accuracy of delivery data received electronically from vendors. Further failed to evaluate the implications of the significant differences between the delivery and invoice date in testing unbilled revenue
• Failed to identify that the issuer used spreadsheets, not the inventory application, as the primary system for maintaining pricing and quantities, and failed to test any controls
• Failed to select and test controls over user-definable settings in the issuer’s general ledger system


IT Security and Privacy is a Priority

• Information management as strategic priority – CIOs are more active in governance oversight and execution, along with crisis communications. More CIOs are in place today within companies, reflecting a recognition that data is a critically important asset that must be managed differently and even more effectively than other assets.
• Lack of key data policies – One in four companies do not have a written information security policy (WISP) and one in three lack a data encryption policy.
• Less-than-ideal data retention and storage practices – Few address data with a detailed and comprehensive classification system. Many, in fact, treat all of their data the same, rather than classifying it appropriately.
• Unprepared for a crisis – In light of the many well-publicized data breach incidents and numerous data breach and privacy laws, a surprisingly high number of companies are not adequately prepared to respond to such a crisis.

Source: 2013 IT Security and Privacy Survey


Social Media Risk and the Audit Process

Source: 2013 Internal Audit Capabilities and Needs Survey


Top Technology Challenges

2013 | 2012
IT security: data security, cyber security and mobile security | Information security (including data privacy, storage and management)
IT governance | Cloud computing
Lack of ERP implementations, development and knowledge | Social media
Social media | Risk management and governance
Vendor management | Regulatory compliance
Cloud computing | Technology integration and up gradation
Emerging technology and infrastructure changes | Resource management
Big data and analytics | Infrastructure management
PCI compliance | Fraud monitoring

Business continuity/disaster recovery

Source: Protiviti’s 3rd Annual IT Audit Benchmarking Survey


Sarbanes-Oxley Compliance


Poll Question #3

Does your organization have plans to continue automating controls to gain efficiencies within the SOX compliance process?

• Yes

• No

• Unsure


Poll Question #4

In the last year, has your organization experienced an increased level of reliance by the external auditor on the work of internal audit?

• Yes

• No

• Unsure


PCAOB Practice Alert #11

Highlights areas in which significant auditing deficiencies have been cited frequently in PCAOB inspection reports over the last three years. These include failures to:

• Identify and sufficiently test controls that are intended to address the risks of material misstatement
• Sufficiently test the design and operating effectiveness of management review controls that are used to monitor the results of operations
• Obtain sufficient evidence to update the results of testing of controls from an interim date to the company's year end (i.e., the roll-forward period)
• Sufficiently test controls over the system-generated data and reports that support important controls
• Sufficiently perform procedures regarding the use of the work of others; and
• Sufficiently evaluate identified control deficiencies

Source: Public Company Accounting Oversight Board Alert # 11


PCAOB Practice Alert #11

• Risk assessment and the audit of internal control
• Selecting controls to test
• Testing management review controls
• Information technology ("IT") considerations
• Roll-forward of controls tested at an interim date
• Using the work of others
• Evaluating identified control deficiencies

Source: Public Company Accounting Oversight Board Alert # 11


Sarbanes-Oxley Key Findings

• SOX compliance costs are rising, as are external audit fees. However, for most organizations, the cost of SOX compliance remains at a manageable level
• Organizations continue to report significant improvements in their internal control structures since Section 404(b) became a requirement
• The automation of controls remains an enticing option and perhaps the “final frontier” for achieving significant improvements and efficiencies
• More companies are adjusting compliance efforts to focus on high-risk processes and walkthroughs
• External auditor reliance on these efforts continues to evolve, due in part to guidance from the PCAOB
• SOX compliance oversight responsibilities are shifting away from project management to internal audit functions

Source: 2013 Sarbanes-Oxley Survey


Changes in Sarbanes-Oxley Compliance Processes Over Past Year

Source: 2013 Sarbanes-Oxley Survey


Companies Are…

Source: 2013 Sarbanes-Oxley Survey


Managing Risk through Collaboration


Poll Question #5

Do The IIA Standards support internal audit’s role in managing risk?

• Yes

• No

• Unsure


Internal Audit’s Role in Managing Risk

• Practice Advisory 2120-3: Internal Audit Coverage of Risks to Achieving Strategic Objectives - The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems

• IIA Performance Standard 2010.A1 - The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

• IIA Performance Standard 2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. This should include: (a) reliability and integrity of financial and operational information, (b) effectiveness and efficiency of operations, (c) safeguarding of assets, and (d) compliance with laws, regulations, and contracts.


Three Lines of Defense…

• The IIA’s Position Paper, The Three Lines of Defense in Effective Risk Management and Control, addresses how organizations can holistically mitigate risks in a business environment that is continuously growing in complexity

• The paper is designed to provide guidance to organizations regardless of their size or the level of formality to their risk management approach

• It discusses the uses for risk management frameworks, but more importantly it highlights a critical component that most frameworks do not adequately address: how specific duties should be assigned and coordinated within the organization


Key Obstacles to Integration and Alignment of Risk Management

• Poor alignment of strategy and risk management

• Growth of silos and/or lack of cooperation amongst silo leaders

• Mismatches with stakeholder expectations

• Gaps and overlaps in ownership of risk/control responsibilities

• Lack of engagement from risk and process owners

• Vague objectives and incoherent control requirements

• Fragmented, diffused reporting of risk and control data

• Conflicting points of view and duplicative efforts (e.g., risk assessment, documentation, testing, etc.)


Understanding Risk: Getting Started

Understanding and responding to a changing risk profile

• Have we articulated a statement of risk appetite?

• How do we determine if we are doing the right thing in accepting, reducing, sharing or avoiding risk?

• What are our emerging risks? How do we identify these and how often?

• What are our top 10 risks?


Managing Risk through Collaboration

“Many organizations want to lower their risk profile by fostering a collaborative culture where everyone in the organization understands risk and their role in helping the business to manage and mitigate them.”

“The call for both greater collaboration, and an enterprise focus on risk, is accelerating internal audit’s path to the ‘top table’ in the organisation, where it can be a true partner to management and the board.”

Source: Internal Auditing Around the World Volume IX


Seeking Alignment

[Diagram labels: Executive Management, Board of Directors, Audit Committee, External Audit, Process Owners, Internal Audit, Control Repositories, Systems, Models, Issue Management, Risk Assessment, Methodologies, Policies, Procedures, Quantification, Legal, Security, Risk Management, Compliance]


Ten Major Challenges Facing Businesses

1 Regulatory changes and increased regulatory scrutiny may affect operations

2 Economic conditions in current markets may not present significant growth opportunities

3 Uncertainty surrounding political leadership may limit growth opportunities

4 Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets

5 Organic growth through existing customers presents a significant challenge

Source: Setting the 2014 Audit Committee Agenda – The Bulletin Volume 5, Issue 5


Ten Major Challenges Facing Businesses

6 Ensuring privacy/identity management and information security protection could require resources the organization may not have; cyber threats could significantly disrupt core operations

7 Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations

8 Uncertainty surrounding costs of complying with healthcare reform legislation will limit growth

9 Anticipated volatility in global financial markets and currencies may create challenges

10 Other challenges such as the inability of the organization’s operations to meet performance expectations as well as competitors; disruption of the organization’s business model; and an unexpected crisis that could impact the organization

Source: Setting the 2014 Audit Committee Agenda – The Bulletin Volume 5, Issue 5


Questions and Answers

Register via the Attachments Link for our January 15, 2014 webinar where we will discuss the IT implications associated with the 2013 COSO Framework.


Powerful Insights. Proven Delivery.®

David Brand, Managing Director

Chicago, IL

Phone: +1 312 476 6401

Brian Christensen, Executive Vice President – Global Internal Audit

Phoenix, AZ

Phone: +1 602 273 8020

Keith Keller, Managing Director

Atlanta, GA

Phone: +1 404 443 8224