What's on the internal audit horizon?

© 2016 Protiviti Inc.

WHAT IS ON THE INTERNAL AUDIT HORIZON?

STANDARDS, GUIDANCE AND LEADING INTERNAL AUDIT PRACTICES


A REMINDER…

You can download a copy of this presentation via the Resources Area on your screen.

Following the webinar, all attendees will receive a link to a copy of the presentation and recording.

There will be a Q&A session at the end of the webinar. Please submit your questions by clicking on the Questions Area on your screen.

2

If you are having trouble hearing the audio through your computer, a separate phone line is available for your use:

• US/Canada Line (855) 707-0664• International Line (734) 385-2579• Conference ID 50789777


CPE CREDITS AND SUPPLEMENTAL INFORMATION

We are offering 1.0 CPE credit for this webinar.

To be eligible to receive this credit, please ensure you answer at least three (3) out of the four (4) polling questions.

You will receive the CPE certificate via e-mail approximately two (2) weeks after the webinar date.

In the Resources Area, you can:

− Save/Print a copy of today’s presentation

− View updates from The IIA

− Register for an upcoming CPE webinar

3




TODAY’S SPEAKERS

4

Basil Woller – Basil Woller & Associates LLC

Basil Woller is one of the leading and most recognized quality assurance review (QAR) specialists in the internal auditing profession. Basil has more than 35 years of experience in internal auditing and risk management, including risk identification, assessment, and mitigation, corporate governance, and ethics and compliance. Basil led the global external quality assessment services practice for Protiviti from 2006 to 2009 and played an active role in monitoring and executing external quality assessment services on a firm-wide basis. Basil was also responsible for Protiviti’s peer review program related to its internal audit practice.

[email protected]



mailto:[email protected]


TODAY’S SPEAKERS

5

Kyle Furtis – Protiviti

Kyle Furtis is a Managing Director in Protiviti’s Internal Audit and Financial Advisory practice with more than 30 years of internal audit experience. Prior to joining Protiviti in 2003, Kyle served as senior vice president and director of financial audit services for Summit Bancorp responsible for both financial and IT Audit. Kyle is currently on the board of directors of the IIA North Jersey chapter. He is a Certified Information Systems Auditor (CISA), Certified Financial Services Auditor (CFSA), and has the Certification of Risk Management Assurance (CRMA). Kyle is the global Quality Assessment Review practice leader at Protiviti and has performed more than 70 QARs.

[email protected]



mailto:[email protected]


• Revisions to the International Professional Practices Framework (IPPF)

• Proposed changes to the International Standards for the Professional Practice of Internal Auditing (Standards)

• Other recently released guidance from The IIA

• Leading internal audit practices

TODAY’S AGENDA

WHAT’S ON THE INTERNAL AUDIT HORIZON?

6


STANDARDS, GUIDANCE AND THE IPPF

7


INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK

8

EFFECTIVE JULY 1, 2015

Source: The IIA


MISSION OF INTERNAL AUDIT

9

To enhance and protect organizational value by

providing risk-based and objective assurance, advice,

and insight.


CORE PRINCIPLES FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

10

Demonstrates integrity

Demonstrates quality and continuous improvement

Demonstrates competence and due professional care

Is objective and free from undue influence (independent)

Aligns with the strategies, objectives, and risks of the

organization

Is appropriately positioned and adequately resourcedCommunicates effectively

Provides risk-based assurance

Is insightful, proactive, and future-focused

Promotes organizational improvement

CORE PRINCIPLES


PROPOSED CHANGES TO THE STANDARDS

11

UpdateIntroduction of the Standards

INTRODUCTION AND ATTRIBUTE STANDARDS

UpdateStandard 1000: Purpose, Authority, and Responsibility

UpdateStandard 1010: Recognition of the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter

UpdateStandard 1110.A1: Organizational Independence

NewStandard 1112: Chief Audit Executive Roles Beyond Internal Auditing

N*



12


NewStandard 1130. A3: Impairment to Independence or Objectivity

UpdateStandard 1210: Proficiency

UpdateStandard 1300: Quality Assurance and Improvement Program

UpdateStandard 1311: Internal Assessments

N*



13


UpdateStandard 1312: External Assessments

UpdateStandard 1320: Reporting on the Quality Assurance and Improvement Program

UpdateStandard 1321: Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"

UpdateStandard 1322: Disclosure of Nonconformance


KEY TAKEAWAYS

14

ATTRIBUTE STANDARDS

Standard 1000: Update charter to incorporate core principles.1

Standard 1010: Must reflect mandatory elements in charter.2

Standard 1112: Must ensure safeguards in place for non-audit responsibilities.3

Standard 1130.A3: Provide assurance where consulting previously performed.4

Standard 1312: Involvement of the audit committee in the quality assurance and improvement program (QAIP).

5

Standard 1320: Disclosures when reporting results of the quality assurance and improvement program (QAIP).

6


A. YesB. I am planning to respond by the 4/30 deadlineC. I do not plan to respond

Have you responded to the proposed changes to The IIA’s International Standards for the Professional Practice of Auditing (Standards)?

Reminder: Answer 3 out of 4 questions to qualify for CPE credit.

POLL QUESTION #1

15



16

PERFORMANCE STANDARDS

UpdateStandard 2000: Managing the Internal Audit Activity

UpdateStandard 2010: Planning

UpdateStandard 2050: Coordination and Reliance

UpdateStandard 2060: Reporting to Senior Management and the Board

UpdateStandard 2070: External Service Provider and Organizational Responsibility for Internal Auditing

UpdateStandard 2100: Nature of Work



17


UpdateStandard 2110: Governance

UpdateStandard 2200: Engagement Planning

UpdateStandard 2201: Planning Considerations

UpdateStandard 2210.A3: Engagement Objectives

UpdateStandard 2230: Engagement Resource Allocation



18


UpdateStandard 2330: Documenting Information

UpdateStandard 2410 and Standard 2410.A1: Criteria for Communicating

UpdateStandard 2430: Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”

UpdateStandard 2431: Engagement Disclosure of Nonconformance

UpdateStandard 2450: Overall Opinions


KEY TAKEAWAYS

19


Standard 2050: Reliance of work performed by other providers of assurance.1

Standard 2060: Required communications.2

Standard 2100: Focus on aligning with strategy and future impact.3

Standard 2210.A3: Leveraging criteria.4

Standard 2410.A1: Conclusions in reports.5


PROPOSED CHANGES TO THE STANDARDS GLOSSARY

20

Board Update Definition

Chief Audit Executive Update Definition

Core Principles for the Professional Practice of Internal Auditing New Definition

Professional Practices Framework Update Definition

N*



21

2016

Apr

2017

May Jun Jul Aug Sep Oct Jan

APRIL 30, 2016EXPOSURE

DRAFT OPEN

OCT 1, 2016NEW STANDARDS

ANNOUNCED

JANUARY 1, 2017NEW STANDARDS

EFFECTIVE

Nov Dec

TIMELINE FOR CHANGES



22

Modify internal audit infrastructure and methodology upon announcement of modified Standards – October 1, 2016.

Evaluate potential impact upon internal audit infrastructure and methodology for proposed changes.

Read and provide commentary to changes by April 30, 2016.

Go live with changes, effective January 1, 2017.

1

2

3

4

ACTION STEPS TO CONSIDER


RECENT CHANGES TO PROFESSIONAL GUIDANCE

Implementation Guidance Supplemental Guidance

IG1000 Purpose, Authority, and Responsibility

IG2110Governance

Practice GuideTalent Management

(12-2015)

Practice GuideInternal Audit and the Second Line of Defense (01-2016)

23

Replaces Practice Advisory and provides guidance related to internal audit charter.

Replaces Practice Advisory and provides guidance related to governance aspects of nature of work standard.

Provides ideas supporting proficiency, due professional care, professional development, and resource management.

Provides clarification about roles between internal audit and other providers of assurance within organizations. Expands upon Three Lines of Defense Framework.


A. YesB. NoC. I don’t know

Do all internal audit staff members in your organization complete an annual Independence and Objectivity Form to assert their independence?

POLL QUESTION #2


24


LEADING INTERNAL AUDIT PRACTICES

25


RISK ASSESSMENT

26

LEADING INTERNAL AUDIT PRACTICE

The internal audit risk assessment is linked to the entity-wide view of risk through the enterprise risk management function, and includes qualitative and quantitative risk criteria to prioritize and determine the audit plan.

The IT security risk assessment is used as input to the internal audit risk assessment to ensure audit coverage of the higher IT security risks to the organization.

The annual audit planning and risk assessment process factors in the Corruption Perception Index score, in addition to financial and operational factors. Use of the corruption index is valuable for global organizations.

Internal audit covers the higher risks in the organization.

Interesting Approach

Benefits


TRAINING

27


At quarterly internal audit staff meetings, guest speakers from the business discuss their business operations to educate auditors on processes, risks, controls, etc. so that internal audit can plan for a more effective and efficient audit.

A training plan is developed based on a skills assessment to determine if there are any knowledge gaps between staff skill sets and the audit plan.

Internal audit staff receives relevant training that is also linked to the audit plan.

Internal audit has an onboarding process and training program that provides staff with critical information on the audit process that facilitates a quicker transition, enabling auditors to be productive sooner.

Competent staff and quality, value added audits.

Benefits



MANAGEMENT’S ACCEPTANCE OF RISK

28


In cases of acceptance of a risk by management, approval of this acceptance must be provided by an executive vice president or higher and is formally disclosed in writing to, and discussed with, the audit committee. Most organizations do not have a formal policy or process for management’s acceptance of risk.

Instances of management’s acceptance of risk are reviewed/analyzed quarterly to determine if the risk has changed, and the results of that analysis are reported to, and discussed with, the audit committee.

Facilitates discussion of risks and risk transparency.

Benefits



ADDING VALUE

29


Internal audit prepares and delivers a newsletter to management regarding risks and control issues. This communication provides internal audit with the opportunity to educate business units on risks and internal controls outside of the standard audit process.

Internal audit prepares and delivers an internal audit awareness presentation to management throughout the organization to explain the risk assessment process and audit process.

The internal audit methodology includes four types of audits performed : 1) risk assessment, 2) design effectiveness, 3) control effectiveness and 4) full audit.

Internal audit provides management and the audit committee with a quarterly report on new systems being implemented in the organization, and provides internal audit’s opinion on each of the phases, milestones, and associated control objectives for those systems.

Internal audit is viewed as a partner by audit stakeholders.

Benefits



PLAN EFFECTIVELY

30


An engagement risk assessment is performed and includes a comprehensive list of areas that an auditor assesses for that specific audit including: financial data, history of audit issues, changes in management/staff, input from management and use of technology.

For each audit, internal audit prepares test plans that include Association of Certified Fraud Examiners (ACFE) risks and fraud scenarios embedded within the test procedures to force auditors to consider the potential for fraud during testing.

Project budgets are developed, within a risk and controls matrix, that detail estimated hours required by each team member. Most internal audit functions do not take the step of aligning the project budget with risks.

Efficiency and quality.


Benefits


DATA ANALYTICS

31


Internal audit has a formal data analytics program in place that is well defined as to identifying and acquiring data that can be analyzed to determine potential breakdowns of selected controls.

All audit programs include a step for auditors to explain why data analysis is not being used on the audit.

Start with areas where internal audit is comfortable with the data – account reconciliations, journal entries, accounts payable, fixed assets, time and expense, thresholds/limit controls, human resources/payroll.

Risk focused – efficiently increase testing of transactions.


Benefits


INTEGRATING ANALYTICS ACROSS THE BUSINESS

32

Use

Func

tion

Line

1st Line 2nd Line 3rd Line

Business Function• Monitor operational risk • Control rationalization • Monitor performance

and efficiency

Risk Function• Assess entity-level risk• Manage compliance

activities• Complete risk

assessments• Monitor risk activities

Audit Function• Independent assurance• Control testing• Risk assessments• Control monitoring• Continuous risk

monitoring

• Continuous monitoring• Key control execution• Performance reportingE.g., security event monitoring

• Oversight risk, control, and compliance

• Monitoring of risk performance

E.g., data driven ERM

• Risk assessments• Continuous auditing• Data enabled audits• InvestigationsE.g., fraud risk review

CAPTURE, MANAGE AND ANALYZE DATA TO DRIVE BUSINESS STRATEGY AND PERFORMANCE


ANALYTICS ROADMAP…IT’S A JOURNEY

33

Year 3+Integrate Analysts

Year 2Expand Coverage

Year 1Foundation

Advanced Analysis

Full Integration

• Define objectives and strategy• Access and normalize data• Identify enabling tools

• Establish champions• Integrate ad-hoc analysis• Establish KPI’s

• Broaden organizational use• Fully embed analytics• Move towards data governance

• Continuous analytics• Fully integrated analytics program• Standardized reporting packages• Enterprise access to analytics reports• Established data governance

• Continuous improvement• Predictive analytics

• Train staff and develop capability• Prove value (e.g., pilots, PoCs)

• Define data access model• Identify opportunities to embed


A. An engagement planning and completion checklist is utilized to enable engagement qualityB. Other members of internal department provide insights into engagement risk assessments and

scoping to share knowledge across the teamC. Internal audit has a dedicated professional practices lead/group or committee that administers

the QAIP, and administers training and methodology improvementD. Internal audit has developed a quality assurance scorecard as part of their periodic review of a

sample of work papers with quality scores being calculated for each audit reviewedE. Internal audit staff training is designed to address general themes, deviations from internal audit

policies and procedures, conformance to the Standards, etc.

Does your internal audit department utilize any of the following quality assurance and improvement program (QAIP) techniques? Select as many as apply to your organization.

POLL QUESTION #3


34


QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

35


Conduct peer reviews.

Internal audit developed quality assurance standards for each stage of an audit engagement. At the completion of the audit, internal audit management performs a full file quality assurance review using the Quality Assurance Template.

Built a multi-layered quality assurance and improvement program designed to proactively monitor quality during the audit, in addition to monitoring metrics and reviewing work papers after the audit.

Internal audit assesses its conformance with the Standards annually. The internal audit policy and procedures manual is mapped to the Standards to ensure the audit process conforms to the Standards. Audit staff understand the relationship between the Standards and the audit process.

Improved focus and prioritization of continuous improvement efforts.

Benefits



TALENT MANAGEMENT

36


Internal audit strategically manages the balance of resources based on years of experience, business/industry experience, technical skills, and alignment with the business.

Implement a rotational staff program: a company driven management development program that rotates participates in and out of internal audit.

Design a guest auditor program that used to acquire technical skills as needed.

Periodically perform analysis of staff skills (process, IT, fraud, certifications, etc.) to determine if internal audit has the necessary skill sets needed to complete the audit plan, determine the level of co-sourcing (if needed) and balancing the experience in the department (career auditors vs. rotational etc.).

Increased audit effectiveness.

Benefits



INTERNAL AUDIT COMMUNICATIONS

37


Internal audit provides trends of reported issues for a period of time by geography, rating types, COSO objective, or other suitable categories to provide perspective to management and the audit committee on areas needing attention.

Internal audit reports on the status of the top ten risks as identified by the board/audit committee.

Audit staff meet audit committee chair annually to hear his/her perspective and for the chairperson to get internal audit staff perspectives on risk and control.

Internal audit communicates internal control best practices to the organization through a newsletter.

Improved understanding of risks and controls.

Benefits



BENCHMARKING

38


Improve internal audit effectiveness and efficiency.

Benefits

Types of Benchmarking

Understand the maturity and effectiveness of internal audit processes

IIA GAIN

Thought Leadership and whitepapers

Industry peer group

Six Elements of Infrastructure

Corporate Executive Board

External peer group

Capability Maturity Model


SIX ELEMENTS OF INFRASTRUCTURE

39

• The six elements of infrastructure (six elements) is a useful tool for categorizing issues, understanding where problems are occurring within an organization or business unit, and drawing conclusions to form the basis for recommendations.

• In Protiviti’s view, the elements of infrastructure should be considered when designing a new process or assessing an existing process. Also, the six elements are common to each process or function.

• These elements represent the capabilities that each process or function should possess; and they provide a comprehensive and consistent framework to communicate the requirements for the appropriate operation of a process or function.

• While these elements are not necessarily intended to be a strictly linear process, the components of the framework are generally designed from left to right. The use of this structure helps organize the otherwise complex network of risk management activities into a comprehensive and consistent framework. In particular, it ensures that all key components are appropriately considered.

About the Six Elements

Methodology Business Policies

Business Processes

Systems and Data

Reporting People

KEY ELEMENTS OF INFRASTRUCTURE MUST BE LINKED BY DESIGN


CAPABILITY MATURITY MODEL AND THE SIX ELEMENTS OF INFRASTRUCTURE

40

ReliabilityandIntegrity ofProcessesand Data

Risk of Failure

Opt

imiz

edM

anag

edD

efin

edR

epea

tabl

eIn

itial

BUSINESS POLICIES

MANAGEMENTREPORTING

METHODOLOGYAND TOOLS PROCESSES SYSTEMS

AND DATAPEOPLE AND

ORGANIZATION

Audit department resources are highly capable and their training/experience levels are closely monitored. Resources are available with all skill sets needed to execute internal audits across the broad spectrum of activities. For highly specialized audit areas, external service providers are welcomed for the expertise they can provide and the new ideas they bring to the organization. A best-in-class training and competency program is in place with personnel actively groomed for positions of increased responsibility.

Audit department resources are capable and their training/experience levels are monitored. Resources are generally available with the skill sets needed to execute internal audits. For specialized audit areas, external service providers are sought (although knowledge-sharing in these circumstances may not be fully realized). A training and competency program is in place.

Qualified personnel are recruited and developed within the internal audit department. A basic training and development program has been established. Skills/experience requirements are defined. Internal audit leadership recognizes when external service providers are necessary to assist with performing specialized audits.

Great reliance is placed on utilizing experienced personnel. Training is generally on-the-job-training with little in the way of formalized training programs. Internal audit independence is maintained through the reporting process. Resourcing determined by audit requirements.

Internal audit department is insufficiently staffed with knowledgeable personnel and often resource needs for audits are not met. Audit efforts reflect a "best possible attempt given the circumstances". No clear resource competency requirements are established, and work product quality is inconsistent.


2100NATURE OF

WORK

1000PURPOSE,

AUTHORITY, ANDRESPONSIBILITY

2000MANAGING THE INTERNAL AUDIT

ACTIVITY

1100INDEPENDENCE

AND OBJECTIVITY

1200PROFICIENCY

AND DUE PROFESSIONAL

CARE

CONFORMANCE WITH THE IIA STANDARDS – CAPABILITY MATURITY MODEL

41

Protiviti’s Capability Maturity Model (CMM) is derived from the Carnegie Mellon capability maturity model and is intended to delineate characteristics of a business process (from new to mature) and is used to convey the developmental level of business processes. Below is Protiviti’s application of IIA Standards in the context of the CMM. The red outlines below indicate a subjective assessment of internal audit against these characteristics.

Opt

imiz

edM

anag

edD

efin

edR

epea

tabl

eA

d H

oc

ReliabilityandIntegrity ofProcessesand Data

Risk of Failure

Quality assurance program focuses on improvement, effectively uses performance metrics.

Quality assurance program encompasses all significant aspects of internal audit activity.

Quality assurance program and communication formalized in policy and procedures manual, including internal and external quality assurance requirement.

Quality assurance program checklists used on individual audits to ensure consistent application of internal audit methodology.

No formal quality assurance program in place although some quality assurance activities might occur on individual audits.

1300QUALITY

ASSURANCE AND IMPROVEMENT

PROGRAM


A. Internal audit adds any findings, recommendations or other items reported to the company as part of regulatory examinations to its issue tracking system, and tracks and monitors the status of management action plans to address these findings.

B. A periodic report is prepared, and sent to management, to identify items that are past due.

C. Follow-up testing is performed quarterly to verify that audit findings have been addressed and the associated risks were mitigated.

Does your internal audit department perform any of the following follow-up techniques? Select as many that apply to your organization.

POLL QUESTION #4


42


Q & A

Let us know how we did on this webinar. Click on the Survey icon in your attendee console to give us feedback.


REGISTER FOR OUR NEXT WEBINAR

44

60 minutes | 1.0 CPE

Wednesday, April 6th9:00 AM Pacific10:00 AM Mountain11:00 AM Central12:00 PM Eastern

Relationships and Risk: Initial Insights From North American Stakeholders

Hosted in partnership with:

Register for this webinar through:• The link in the Resources Area of your attendee

console• Protiviti’s webinar page: http://

www.protiviti.com/en-US/Pages/Webinars.aspx

Download the publication at: www.protiviti.com/cbokrelationshipsandrisk

http://www.protiviti.com/en-US/Pages/Webinars.aspx

http://www.protiviti.com/en-US/Pages/Webinars.aspx

http://www.protiviti.com/cbokrelationshipsandrisk