Operational Auditing--Spring 2011 1 Operational Auditing Spring 2011 Professor Bill O’Brien

Dec 21, 2015

Operational Auditing

Spring 2011

Professor Bill O’Brien

Managing the Internal Audit Activity

- Effective management
  - Establish a risk-based plan
  - Communicate the plan
  - Ensure adequate resources
  - Coordinate services
  - Report on a regular basis
  - Monitor implementation of recommendations

Reporting Structure

Solid to Audit Committee

Dotted line to functional and committed executive

Planning Activities

- Operating plan and financial plan (budget)
- Establish goals and objectives
- Determine overall resources

Resource Management

- Staffing approaches
- Flat versus hierarchical
- Futures’ files
- Commitment to training
- Pathways for career development
- Co-sourcing and outsourcing

Working with External Auditors

- Coordinated coverage
- Cross access to workpapers
- Exchange of reports
- Expansion of expertise
- Facilitation of relationship w/senior mgt.

Dealing with the External Auditors

- Different objectives
- Different accountability
- Different qualifications
- Different activities

Cooperation

- Economy
- Efficiency
- Effectiveness
- Advantages for the external auditor
  - Increases external auditor client insight
  - Improves client relations
  - Rotates emphasis
- Advantages for the internal auditor
  - Improves training
  - Source of additional work
  - Increases professional knowledge
  - Independent appraisal source
- Compliance with SAS 65 and SAS 99

Hints for Starting or Taking Over a Dept.

- Report to the Audit Committee or the highest level possible
  - Avoids conflict of interest
  - Have an administrative manager as well
- Establish an agreed upon review approach
  - For example, operations v. compliance
- Prepare a set of achievable objectives
- Commit to IIA standards
- Establish a team approach with BPOs
- Invest in continuing education

Corporate Governance

- Strategic direction
- Governance oversight
- Enterprise risk management
- Assurance that processes are working

Ops. Audit & Governance

- Process of overseeing the achievement of objectives
- Some elements of good governance
  - Assessing the control environment
  - Serving as an ethics advocate

Control Objectives

Staying under control as evidenced by:
- Safeguarding of assets
- Compliance with laws and regulations
- Organizational goal & obj. achievement
- Reliability & integrity of information
- Economical & efficient use of assets

Expansion of material on 9-19 —20

Control Environment

- Integrity and ethical values
- Management philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- H/R policies and practices
- Sustained competency of personnel

Other Management Issues

- Performance metrics
- Control self assessment

We will cover these in the next class

COSO

- Committee of Sponsoring Organizations
  - AICPA, IIA, IMA, FEI, AAA
  - Treadway Commission
  - 1992 I/C; 2004 ERM
- Control Objectives
  - Compliance with laws and regulations
  - Reliability of financial reporting
  - Effectiveness & efficiency of operations

Frameworks

- Internal control
  - IC-Integrated Framework (COSO)
  - Guidance on Controls (CoCo)
  - Internal Control Guidance (Turnbull)
- Enterprise risk management
  - Australian/New Zealand Std. Risk Mgt.
  - ERM-Integrated Framework (COSO)

Integrating COSO-ERM with COSO-I/C

The COSO-ERM Model incorporates rather than replaces the COSO-I/C Model.

COSO APPROACH TO CONTROL ACHIEVEMENT
- Control Environment
- Risk Assessment Processes
- Operational Control Activities
- Information Flow Systems
- Monitoring Activities

COSO-ERM COMPONENTS
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information & Communication
- Monitoring

Components of I/C

- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

Threats to Control

- Management override
- Open access to assets
- Form over substance approach
- Conflict of interest

Balancing Risk and Control

- Too much risk
  - Loss of assets
  - Poor decision making
  - Potential non-compliance
  - Potential for fraud
- Too much control
  - Increased bureaucracy
  - Excess costs
  - Excess cycle-time
  - Increase in non-value added effort

Control Activities

- Segregation of duties
- Performance reviews
- Approvals
- IT access
- Documentation
- Physical access
- IT applications
- Independent verifications & reconciliations

IIA and Control

IIA control objectives: S-C-O-R-E
- Safeguarding of assets
- Compliance with laws and regulations
- Objective and goal achievement
- Reliability & integrity of information
- Economical & efficient use of assets

Risk Management

- Strategy formulation
- Range of activities
- Risk = barriers to objective achievement

COSO and ERM

- COSO 2 cube
- ERM defined:

“A process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”

Remember this Key Point

Risk is BOTH positive and negative

COSO ERM Objectives: S-C-O-R

- S: Strategic
- C: Compliance
- O: Operations
- R: Reporting

COSO-ERM Components

- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring

ERM and Ops. Audit

- Provide assurance on risk mgt.
- Provide assurance of risk evaluation
- Evaluate risk mgt. processes
- Evaluate risk reporting
- Review the mgt. of key risks.

See Exhibit 4-4

IIA ERM Advisory

- Audit plan should be based on risk assessment
- Audit plan may include the strategic planning process
- Audit plan should be updated for significant changes
- Audit plan should be prioritized based on risk likelihood and exposure
- Audit reporting should convey risk related conclusions

O’Brien’s Suggestions

- Finance should be involved in active conceptual support.
- Finance should be an implementation driver.
- Finance should provide on-going assessment of the process.
- Finance should add insight to ERM and vice-versa.
- Finance should assume the role of process coordinator.

Where Do We Go from Here?

- Increased demand
- Increased respect
- Increased contribution
- Increased advancement opportunities…

IT’S A GREAT TIME TO BE FOCUSED ON OPERATIONAL AUDIT OPPORTUNITIES!!!

Systematic Approach

- Planning:
  - Selecting the BPO
  - Pre-site planning
- Evaluating:
  - Conducting the preliminary survey
  - Review internal controls
  - Expanding tests as necessary
  - Generating findings
- Communicating:
  - Reporting the results
  - Conducting follow-up
  - Assessing the process

Note Exh. 2-6 and Exh. 13-4