© 2016 Protiviti Inc. WHAT IS ON THE INTERNAL AUDIT HORIZON? STANDARDS, GUIDANCE AND LEADING INTERNAL AUDIT PRACTICES
A REMINDER…
You can download a copy of this presentation via the Resources Area on your screen.
Following the webinar, all attendees will receive a link to a copy of the presentation and recording.
There will be a Q&A session at the end of the webinar. Please submit your questions by clicking on the Questions Area on your screen.
If you are having trouble hearing the audio through your computer, a separate phone line is available for your use:
• US/Canada Line (855) 707-0664
• International Line (734) 385-2579
• Conference ID 50789777
CPE CREDITS AND SUPPLEMENTAL INFORMATION
We are offering 1.0 CPE credit for this webinar.
To be eligible to receive this credit, please ensure you answer at least three (3) out of the four (4) polling questions.
You will receive the CPE certificate via e-mail approximately two (2) weeks after the webinar date.
In the Resources Area, you can:
− Save/Print a copy of today’s presentation
− View updates from The IIA
− Register for an upcoming CPE webinar
TODAY’S SPEAKERS
Basil Woller – Basil Woller & Associates LLC
Basil Woller is one of the leading and most recognized quality assurance review (QAR) specialists in the internal auditing profession. Basil has more than 35 years of experience in internal auditing and risk management, including risk identification, assessment, and mitigation, corporate governance, and ethics and compliance. Basil led the global external quality assessment services practice for Protiviti from 2006 to 2009 and played an active role in monitoring and executing external quality assessment services on a firm-wide basis. Basil was also responsible for Protiviti’s peer review program related to its internal audit practice.
Kyle Furtis – Protiviti
Kyle Furtis is a Managing Director in Protiviti’s Internal Audit and Financial Advisory practice with more than 30 years of internal audit experience. Prior to joining Protiviti in 2003, Kyle served as senior vice president and director of financial audit services for Summit Bancorp responsible for both financial and IT Audit. Kyle is currently on the board of directors of the IIA North Jersey chapter. He is a Certified Information Systems Auditor (CISA), Certified Financial Services Auditor (CFSA), and has the Certification of Risk Management Assurance (CRMA). Kyle is the global Quality Assessment Review practice leader at Protiviti and has performed more than 70 QARs.
TODAY’S AGENDA
WHAT’S ON THE INTERNAL AUDIT HORIZON?
• Revisions to the International Professional Practices Framework (IPPF)
• Proposed changes to the International Standards for the Professional Practice of Internal Auditing (Standards)
• Other recently released guidance from The IIA
• Leading internal audit practices
STANDARDS, GUIDANCE AND THE IPPF
INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK
EFFECTIVE JULY 1, 2015
Source: The IIA
MISSION OF INTERNAL AUDIT
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
CORE PRINCIPLES FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING
Demonstrates integrity
Demonstrates quality and continuous improvement
Demonstrates competence and due professional care
Is objective and free from undue influence (independent)
Aligns with the strategies, objectives, and risks of the organization
Is appropriately positioned and adequately resourced
Communicates effectively
Provides risk-based assurance
Is insightful, proactive, and future-focused
Promotes organizational improvement
PROPOSED CHANGES TO THE STANDARDS
INTRODUCTION AND ATTRIBUTE STANDARDS
Update: Introduction of the Standards
Update: Standard 1000: Purpose, Authority, and Responsibility
Update: Standard 1010: Recognition of the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
Update: Standard 1110.A1: Organizational Independence
New: Standard 1112: Chief Audit Executive Roles Beyond Internal Auditing
New: Standard 1130.A3: Impairment to Independence or Objectivity
Update: Standard 1210: Proficiency
Update: Standard 1300: Quality Assurance and Improvement Program
Update: Standard 1311: Internal Assessments
Update: Standard 1312: External Assessments
Update: Standard 1320: Reporting on the Quality Assurance and Improvement Program
Update: Standard 1321: Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
Update: Standard 1322: Disclosure of Nonconformance
KEY TAKEAWAYS
ATTRIBUTE STANDARDS
1. Standard 1000: Update charter to incorporate core principles.
2. Standard 1010: Must reflect mandatory elements in charter.
3. Standard 1112: Must ensure safeguards in place for non-audit responsibilities.
4. Standard 1130.A3: Provide assurance where consulting previously performed.
5. Standard 1312: Involvement of the audit committee in the quality assurance and improvement program (QAIP).
6. Standard 1320: Disclosures when reporting results of the quality assurance and improvement program (QAIP).
POLL QUESTION #1
Have you responded to the proposed changes to The IIA’s International Standards for the Professional Practice of Auditing (Standards)?
A. Yes
B. I am planning to respond by the 4/30 deadline
C. I do not plan to respond
Reminder: Answer 3 out of 4 questions to qualify for CPE credit.
PROPOSED CHANGES TO THE STANDARDS
PERFORMANCE STANDARDS
Update: Standard 2000: Managing the Internal Audit Activity
Update: Standard 2010: Planning
Update: Standard 2050: Coordination and Reliance
Update: Standard 2060: Reporting to Senior Management and the Board
Update: Standard 2070: External Service Provider and Organizational Responsibility for Internal Auditing
Update: Standard 2100: Nature of Work
Update: Standard 2110: Governance
Update: Standard 2200: Engagement Planning
Update: Standard 2201: Planning Considerations
Update: Standard 2210.A3: Engagement Objectives
Update: Standard 2230: Engagement Resource Allocation
Update: Standard 2330: Documenting Information
Update: Standard 2410 and Standard 2410.A1: Criteria for Communicating
Update: Standard 2430: Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
Update: Standard 2431: Engagement Disclosure of Nonconformance
Update: Standard 2450: Overall Opinions
KEY TAKEAWAYS
PERFORMANCE STANDARDS
1. Standard 2050: Reliance of work performed by other providers of assurance.
2. Standard 2060: Required communications.
3. Standard 2100: Focus on aligning with strategy and future impact.
4. Standard 2210.A3: Leveraging criteria.
5. Standard 2410.A1: Conclusions in reports.
PROPOSED CHANGES TO THE STANDARDS GLOSSARY
Board: Update Definition
Chief Audit Executive: Update Definition
Core Principles for the Professional Practice of Internal Auditing: New Definition
Professional Practices Framework: Update Definition
PROPOSED CHANGES TO THE STANDARDS
TIMELINE FOR CHANGES
• APRIL 30, 2016: EXPOSURE DRAFT OPEN
• OCT 1, 2016: NEW STANDARDS ANNOUNCED
• JANUARY 1, 2017: NEW STANDARDS EFFECTIVE
ACTION STEPS TO CONSIDER
• Modify internal audit infrastructure and methodology upon announcement of modified Standards – October 1, 2016.
• Evaluate potential impact upon internal audit infrastructure and methodology for proposed changes.
• Read and provide commentary to changes by April 30, 2016.
• Go live with changes, effective January 1, 2017.
RECENT CHANGES TO PROFESSIONAL GUIDANCE
Implementation Guidance
• IG1000 Purpose, Authority, and Responsibility: Replaces Practice Advisory and provides guidance related to internal audit charter.
• IG2110 Governance: Replaces Practice Advisory and provides guidance related to governance aspects of nature of work standard.
Supplemental Guidance
• Practice Guide, Talent Management (12-2015): Provides ideas supporting proficiency, due professional care, professional development, and resource management.
• Practice Guide, Internal Audit and the Second Line of Defense (01-2016): Provides clarification about roles between internal audit and other providers of assurance within organizations. Expands upon Three Lines of Defense Framework.
POLL QUESTION #2
Do all internal audit staff members in your organization complete an annual Independence and Objectivity Form to assert their independence?
A. Yes
B. No
C. I don’t know
Reminder: Answer 3 out of 4 questions to qualify for CPE credit.
LEADING INTERNAL AUDIT PRACTICES
RISK ASSESSMENT
LEADING INTERNAL AUDIT PRACTICE
• The internal audit risk assessment is linked to the entity-wide view of risk through the enterprise risk management function, and includes qualitative and quantitative risk criteria to prioritize and determine the audit plan.
• The IT security risk assessment is used as input to the internal audit risk assessment to ensure audit coverage of the higher IT security risks to the organization.
• The annual audit planning and risk assessment process factors in the Corruption Perception Index score, in addition to financial and operational factors. Use of the corruption index is valuable for global organizations.
Benefits: Internal audit covers the higher risks in the organization.
TRAINING
LEADING INTERNAL AUDIT PRACTICE
• At quarterly internal audit staff meetings, guest speakers from the business discuss their business operations to educate auditors on processes, risks, controls, etc. so that internal audit can plan for a more effective and efficient audit.
• A training plan is developed based on a skills assessment to determine if there are any knowledge gaps between staff skill sets and the audit plan.
• Internal audit staff receives relevant training that is also linked to the audit plan.
• Internal audit has an onboarding process and training program that provides staff with critical information on the audit process that facilitates a quicker transition, enabling auditors to be productive sooner.
Benefits: Competent staff and quality, value-added audits.
MANAGEMENT’S ACCEPTANCE OF RISK
LEADING INTERNAL AUDIT PRACTICE
• In cases of acceptance of a risk by management, approval of this acceptance must be provided by an executive vice president or higher and is formally disclosed in writing to, and discussed with, the audit committee. Most organizations do not have a formal policy or process for management’s acceptance of risk.
• Instances of management’s acceptance of risk are reviewed/analyzed quarterly to determine if the risk has changed, and the results of that analysis are reported to, and discussed with, the audit committee.
Benefits: Facilitates discussion of risks and risk transparency.
ADDING VALUE
LEADING INTERNAL AUDIT PRACTICE
• Internal audit prepares and delivers a newsletter to management regarding risks and control issues. This communication provides internal audit with the opportunity to educate business units on risks and internal controls outside of the standard audit process.
• Internal audit prepares and delivers an internal audit awareness presentation to management throughout the organization to explain the risk assessment process and audit process.
• The internal audit methodology includes four types of audits performed: 1) risk assessment, 2) design effectiveness, 3) control effectiveness and 4) full audit.
• Internal audit provides management and the audit committee with a quarterly report on new systems being implemented in the organization, and provides internal audit’s opinion on each of the phases, milestones, and associated control objectives for those systems.
Benefits: Internal audit is viewed as a partner by audit stakeholders.
PLAN EFFECTIVELY
LEADING INTERNAL AUDIT PRACTICE
• An engagement risk assessment is performed and includes a comprehensive list of areas that an auditor assesses for that specific audit including: financial data, history of audit issues, changes in management/staff, input from management and use of technology.
• For each audit, internal audit prepares test plans that include Association of Certified Fraud Examiners (ACFE) risks and fraud scenarios embedded within the test procedures to force auditors to consider the potential for fraud during testing.
• Project budgets are developed, within a risk and controls matrix, that detail estimated hours required by each team member. Most internal audit functions do not take the step of aligning the project budget with risks.
Benefits: Efficiency and quality.
DATA ANALYTICS
LEADING INTERNAL AUDIT PRACTICE
• Internal audit has a formal data analytics program in place that is well defined as to identifying and acquiring data that can be analyzed to determine potential breakdowns of selected controls.
• All audit programs include a step for auditors to explain why data analysis is not being used on the audit.
• Start with areas where internal audit is comfortable with the data – account reconciliations, journal entries, accounts payable, fixed assets, time and expense, thresholds/limit controls, human resources/payroll.
Benefits: Risk focused – efficiently increase testing of transactions.
INTEGRATING ANALYTICS ACROSS THE BUSINESS
CAPTURE, MANAGE AND ANALYZE DATA TO DRIVE BUSINESS STRATEGY AND PERFORMANCE

1st Line: Business Function
Function:
• Monitor operational risk
• Control rationalization
• Monitor performance and efficiency
Use:
• Continuous monitoring
• Key control execution
• Performance reporting
E.g., security event monitoring

2nd Line: Risk Function
Function:
• Assess entity-level risk
• Manage compliance activities
• Complete risk assessments
• Monitor risk activities
Use:
• Oversight risk, control, and compliance
• Monitoring of risk performance
E.g., data driven ERM

3rd Line: Audit Function
Function:
• Independent assurance
• Control testing
• Risk assessments
• Control monitoring
• Continuous risk monitoring
Use:
• Risk assessments
• Continuous auditing
• Data enabled audits
• Investigations
E.g., fraud risk review
ANALYTICS ROADMAP…IT’S A JOURNEY
Stages shown: Year 1 Foundation; Year 2 Expand Coverage; Year 3+ Integrate Analysts; Advanced Analysis; Full Integration
• Define objectives and strategy
• Access and normalize data
• Identify enabling tools
• Establish champions
• Integrate ad-hoc analysis
• Establish KPIs
• Broaden organizational use
• Fully embed analytics
• Move towards data governance
• Continuous analytics
• Fully integrated analytics program
• Standardized reporting packages
• Enterprise access to analytics reports
• Established data governance
• Continuous improvement
• Predictive analytics
• Train staff and develop capability
• Prove value (e.g., pilots, PoCs)
• Define data access model
• Identify opportunities to embed
POLL QUESTION #3
Does your internal audit department utilize any of the following quality assurance and improvement program (QAIP) techniques? Select as many as apply to your organization.
A. An engagement planning and completion checklist is utilized to enable engagement quality
B. Other members of internal department provide insights into engagement risk assessments and scoping to share knowledge across the team
C. Internal audit has a dedicated professional practices lead/group or committee that administers the QAIP, and administers training and methodology improvement
D. Internal audit has developed a quality assurance scorecard as part of their periodic review of a sample of work papers with quality scores being calculated for each audit reviewed
E. Internal audit staff training is designed to address general themes, deviations from internal audit policies and procedures, conformance to the Standards, etc.
Reminder: Answer 3 out of 4 questions to qualify for CPE credit.
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
LEADING INTERNAL AUDIT PRACTICE
• Conduct peer reviews.
• Internal audit developed quality assurance standards for each stage of an audit engagement. At the completion of the audit, internal audit management performs a full file quality assurance review using the Quality Assurance Template.
• Built a multi-layered quality assurance and improvement program designed to proactively monitor quality during the audit, in addition to monitoring metrics and reviewing work papers after the audit.
• Internal audit assesses its conformance with the Standards annually. The internal audit policy and procedures manual is mapped to the Standards to ensure the audit process conforms to the Standards. Audit staff understand the relationship between the Standards and the audit process.
Benefits: Improved focus and prioritization of continuous improvement efforts.
TALENT MANAGEMENT
LEADING INTERNAL AUDIT PRACTICE
• Internal audit strategically manages the balance of resources based on years of experience, business/industry experience, technical skills, and alignment with the business.
• Implement a rotational staff program: a company-driven management development program that rotates participants in and out of internal audit.
• Design a guest auditor program that is used to acquire technical skills as needed.
• Periodically perform analysis of staff skills (process, IT, fraud, certifications, etc.) to determine if internal audit has the necessary skill sets needed to complete the audit plan, determine the level of co-sourcing (if needed) and balance the experience in the department (career auditors vs. rotational, etc.).
Benefits: Increased audit effectiveness.
INTERNAL AUDIT COMMUNICATIONS
LEADING INTERNAL AUDIT PRACTICE
• Internal audit provides trends of reported issues for a period of time by geography, rating types, COSO objective, or other suitable categories to provide perspective to management and the audit committee on areas needing attention.
• Internal audit reports on the status of the top ten risks as identified by the board/audit committee.
• Audit staff meet audit committee chair annually to hear his/her perspective and for the chairperson to get internal audit staff perspectives on risk and control.
• Internal audit communicates internal control best practices to the organization through a newsletter.
Benefits: Improved understanding of risks and controls.
BENCHMARKING
LEADING INTERNAL AUDIT PRACTICE
Types of Benchmarking
Understand the maturity and effectiveness of internal audit processes
• IIA GAIN
• Thought Leadership and whitepapers
• Industry peer group
• Six Elements of Infrastructure
• Corporate Executive Board
• External peer group
• Capability Maturity Model
Benefits: Improve internal audit effectiveness and efficiency.
SIX ELEMENTS OF INFRASTRUCTURE
KEY ELEMENTS OF INFRASTRUCTURE MUST BE LINKED BY DESIGN
About the Six Elements
• The six elements of infrastructure (six elements) is a useful tool for categorizing issues, understanding where problems are occurring within an organization or business unit, and drawing conclusions to form the basis for recommendations.
• In Protiviti’s view, the elements of infrastructure should be considered when designing a new process or assessing an existing process. Also, the six elements are common to each process or function.
• These elements represent the capabilities that each process or function should possess; and they provide a comprehensive and consistent framework to communicate the requirements for the appropriate operation of a process or function.
• While these elements are not necessarily intended to be a strictly linear process, the components of the framework are generally designed from left to right. The use of this structure helps organize the otherwise complex network of risk management activities into a comprehensive and consistent framework. In particular, it ensures that all key components are appropriately considered.
Elements shown: Methodology; Business Policies; Business Processes; Systems and Data; Reporting; People
CAPABILITY MATURITY MODEL AND THE SIX ELEMENTS OF INFRASTRUCTURE
Axes: Reliability and Integrity of Processes and Data; Risk of Failure
Elements: BUSINESS POLICIES; MANAGEMENT REPORTING; METHODOLOGY AND TOOLS; PROCESSES; SYSTEMS AND DATA; PEOPLE AND ORGANIZATION
Optimized: Audit department resources are highly capable and their training/experience levels are closely monitored. Resources are available with all skill sets needed to execute internal audits across the broad spectrum of activities. For highly specialized audit areas, external service providers are welcomed for the expertise they can provide and the new ideas they bring to the organization. A best-in-class training and competency program is in place with personnel actively groomed for positions of increased responsibility.
Managed: Audit department resources are capable and their training/experience levels are monitored. Resources are generally available with the skill sets needed to execute internal audits. For specialized audit areas, external service providers are sought (although knowledge-sharing in these circumstances may not be fully realized). A training and competency program is in place.
Defined: Qualified personnel are recruited and developed within the internal audit department. A basic training and development program has been established. Skills/experience requirements are defined. Internal audit leadership recognizes when external service providers are necessary to assist with performing specialized audits.
Repeatable: Great reliance is placed on utilizing experienced personnel. Training is generally on-the-job-training with little in the way of formalized training programs. Internal audit independence is maintained through the reporting process. Resourcing determined by audit requirements.
Initial: Internal audit department is insufficiently staffed with knowledgeable personnel and often resource needs for audits are not met. Audit efforts reflect a "best possible attempt given the circumstances". No clear resource competency requirements are established, and work product quality is inconsistent.
CONFORMANCE WITH THE IIA STANDARDS – CAPABILITY MATURITY MODEL
Protiviti’s Capability Maturity Model (CMM) is derived from the Carnegie Mellon capability maturity model and is intended to delineate characteristics of a business process (from new to mature) and is used to convey the developmental level of business processes. Below is Protiviti’s application of IIA Standards in the context of the CMM. The red outlines below indicate a subjective assessment of internal audit against these characteristics.
Standards shown: 1000 PURPOSE, AUTHORITY, AND RESPONSIBILITY; 1100 INDEPENDENCE AND OBJECTIVITY; 1200 PROFICIENCY AND DUE PROFESSIONAL CARE; 1300 QUALITY ASSURANCE AND IMPROVEMENT PROGRAM; 2000 MANAGING THE INTERNAL AUDIT ACTIVITY; 2100 NATURE OF WORK
Axes: Reliability and Integrity of Processes and Data; Risk of Failure
1300 QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
Optimized: Quality assurance program focuses on improvement, effectively uses performance metrics.
Managed: Quality assurance program encompasses all significant aspects of internal audit activity.
Defined: Quality assurance program and communication formalized in policy and procedures manual, including internal and external quality assurance requirement.
Repeatable: Quality assurance program checklists used on individual audits to ensure consistent application of internal audit methodology.
Ad Hoc: No formal quality assurance program in place although some quality assurance activities might occur on individual audits.
POLL QUESTION #4
Does your internal audit department perform any of the following follow-up techniques? Select as many as apply to your organization.
A. Internal audit adds any findings, recommendations or other items reported to the company as part of regulatory examinations to its issue tracking system, and tracks and monitors the status of management action plans to address these findings.
B. A periodic report is prepared, and sent to management, to identify items that are past due.
C. Follow-up testing is performed quarterly to verify that audit findings have been addressed and the associated risks were mitigated.
Reminder: Answer 3 out of 4 questions to qualify for CPE credit.
Q & A
Let us know how we did on this webinar. Click on the Survey icon in your attendee console to give us feedback.
REGISTER FOR OUR NEXT WEBINAR
Relationships and Risk: Initial Insights From North American Stakeholders
60 minutes | 1.0 CPE
Wednesday, April 6th
9:00 AM Pacific | 10:00 AM Mountain | 11:00 AM Central | 12:00 PM Eastern
Hosted in partnership with:
Register for this webinar through:
• The link in the Resources Area of your attendee console
• Protiviti’s webinar page: http://www.protiviti.com/en-US/Pages/Webinars.aspx
Download the publication at: www.protiviti.com/cbokrelationshipsandrisk