SJ State Operational Auditing BT 852 October 12, 2006 Page 1 San Jose State University October 12, 2006 Internal Audit: A 2006 Perspective Lynn Falbo [email protected].

SJ StateOperational Auditing BT 852October 12, 2006Page 1

San Jose State University

October 12, 2006

Internal Audit: A 2006 Perspective

Lynn Falbo [email protected]


Agenda

“Audit” Evolution

Working for Multi-national companies

Career Opportunities

Questions


“Audit” Evolution”

“Audit Generations”

1. Control-Based Auditing

2. Process-Based Auditing

3. Risk-Based Auditing

4. Risk-Management Based Auditing

Merging / integration of Financial, Operational, IT focus


Audit "Generation": One Two Three Four

Control-Based Process-Based Risk-Based Risk Mgmt-Based

Objective:Compliance with

underlying guidelines

Effectiveness and efficiency of

a process

Effectiveness of controls and

procedures to mitigate key risks

Effectiveness of risk management activities to achieve objectives and optimize/mitigate risks

Approach:

Understand guidelines and

audit for compliance

Compare current process to best

practices

Identify key business risks and evaluate controls to mitigate

the risks

Understand objectives, identify related risks,

understand tolerance levels, identify performance and risk measures, and assess risk management effectiveness

Focus:

Identify compliance

exceptions and errors

Identify gaps between the

current process and best practices

Identify controls and procedures that are

not operating as needed to mitigate the

key risks

Identify gaps between current and desired risk management

effectiveness

Testing Approach:

Statistical based predictive and

substantive tests, with some

compliance tests

Consulting focused

evaluation of current and best practices, with

some compliance tests

Combination of substantive and

compliance tests, focusing only on key

risks

Combination of substantive and compliance tests, focusing only on key

objectives and the related risks

Recommendations:Relate exceptions

or errors to the relevant guidelines

Relate gaps to specific

operational objectives

Relate exceptions or errors to key risks

Relate gaps in risk management effectiveness to

underlying risks and key business objectives

Audit Generations


Knowledge about ideal situations

ComparisonAnalysis of Documents

InterviewsQuestionnaires

Actual

Key DataStructure

ProcessesInterfaces

etc.

Recommendationsconstructive

future-orientedfeasible

improving processes and profits

Ideal (Better)

StrategyBusiness PolicyLaw, guidelinesState of the Art

Customer Surveysetc.

Audit Process Methodology

are the keys for improvements

Understanding the actual status

Introduction


“Audit” Evolution” – Questions

Introduction

What Generation is represented by previous slide “Audit Process Methodology” model?

What Generation best represents the focus of SOX (COSO Internal Control Framework)?

What Generation best describes the methodology you were taught?

What Generation is predominant in industry today?


COSO Internal Control Framework


COSO / Cobit Internal Control Framework


COSO ERM (Enterprise Risk Management) Framework



Agenda




Questions



Unique challenges

Culture

Management style

Philosophy

“Global” business model

Diversity

Organization


Agenda




Questions



Audit

Accounting / Finance

SOX Compliance

Other…..



Auditor for a Day

– Exposure to the audit profession

– Site visit at local companies

– Attendance at the IIA meeting


Agenda




Questions

SJ State Operational Auditing BT 852 October 12, 2006 Page 1 San Jose State University October 12, 2006 Internal Audit: A 2006 Perspective Lynn Falbo [email protected].

Documents

riskbased auditing

processbased auditing

key business risks

controlbased auditing

guidelines state

key objectives

internal audit

current process