Operational Auditing. Spring 2014 Professor Bill O’Brien. Managing the Internal Audit Activity. Effective management Establish a risk-based plan Communicate the plan Ensure adequate resources Coordinate services Report on a regular basis Monitor implementation of recommendations.
Operational Auditing Spring 2014 Professor Bill O’Brien Operational Auditing--Spring 2014

Managing the Internal Audit Activity
• Effective management
• Establish a risk-based plan
• Communicate the plan
• Ensure adequate resources
• Coordinate services
• Report on a regular basis
• Monitor implementation of recommendations

Reporting Structure
• Solid to Audit Committee
• Dotted line to functional and committed executive

Planning Activities
• Operating plan and financial plan (budget)
• Establish goals and objectives
• Determine overall resources

Resource Management
• Staffing approaches
• Flat versus hierarchical
• Futures’ files
• Commitment to training
• Pathways for career development
• Co-sourcing and outsourcing

Working with External Auditors
• Coordinated coverage
• Cross access to workpapers
• Exchange of reports
• Expansion of expertise
• Facilitation of relationship w/senior mgt.

Dealing with the External Auditors
• Different objectives
• Different accountability
• Different qualifications
• Different activities

Cooperation
• Economy
• Efficiency
• Effectiveness
• Advantages for the external auditor
• Increases external auditor client insight
• Improves client relations
• Rotates emphasis
• Advantages for the internal auditor
• Improves training
• Source of additional work
• Increases professional knowledge
• Independent appraisal source
• Compliance with SAS 65 and SAS 99

Hints for Starting or Taking Over a Dept.
• Report to the Audit Committee or the highest level possible
• Avoids conflict of interest
• Have an administrative manager as well
• Establish an agreed upon review approach
• For example, operations v. compliance
• Prepare a set of achievable objectives
• Commit to IIA standards
• Establish a team approach with BPOs
• Invest in continuing education

Corporate Governance
• Strategic direction
• Governance oversight
• Enterprise risk management
• Assurance that processes are working

Ops. Audit & Governance
• Process of overseeing the achievement of objectives
• Some elements of good governance
• Assessing the control environment
• Serving as an ethics advocate

Control Objectives
• Staying under control as evidenced by
• Safeguarding of assets
• Compliance with laws and regulations
• Organizational goal & obj. achievement
• Reliability & integrity of information
• Economical & efficient use of assets
• Expansion of material on 9-19 —20

Control Environment
• Integrity and ethical values
• Management philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• H/R policies and practices
• Sustained competency of personnel

Other Management Issues
• Performance metrics
• Control self assessment
• We will cover these in the next class

COSO
• Committee of Sponsoring Organizations
• AICPA, IIA, IMA, FEI, AAA
• Treadway Commission
• 1992 I/C; 2004 ERM
• Control Objectives
• Compliance with laws and regulations
• Reliability of financial reporting
• Effectiveness & efficiency of operations

Frameworks
• Internal control
• IC-Integrated Framework (COSO)
• Guidance on Controls (CoCo)
• Internal Control Guidance (Turnbull)
• Enterprise risk management
• Australian/New Zealand Std. Risk Mgt.
• ERM-Integrated Framework (COSO)

Integrating COSO-ERM with COSO-I/C
COSO APPROACH TO CONTROL ACHIEVEMENT
• Control Environment
• Risk Assessment Processes
• Operational Control Activities
• Information Flow Systems
• Monitoring Activities
COSO-ERM COMPONENTS
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information & Communication
• Monitoring
The COSO-ERM Model incorporates rather than replaces the COSO-I/C Model.

Components of I/C
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring

Threats to Control
• Management override
• Open access to assets
• Form over substance approach
• Conflict of interest

Balancing Risk and Control
• Too much risk
• Loss of assets
• Poor decision making
• Potential non-compliance
• Potential for fraud
• Too much control
• Increased bureaucracy
• Excess costs
• Excess cycle-time
• Increase in non-value added effort

Control Activities
• Segregation of duties
• Performance reviews
• Approvals
• IT access
• Documentation
• Physical access
• IT applications
• Independent verifications & reconciliations

IIA and Control
• IIA control objectives: S-C-O-R-E
• Safeguarding of assets
• Compliance with laws and regulations
• Objective and goal achievement
• Reliability & integrity of information
• Economical & efficient use of assets

Risk Management
• Strategy formulation
• Range of activities
• Risk = barriers to objective achievement

COSO and ERM
• COSO 2 cube
• ERM defined:
• “A process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”

Remember this Key Point
• Risk is BOTH positive and negative

COSO ERM Objectives: S-C-O-R
• Strategic
• Compliance
• Operations
• Reporting

COSO-ERM Components
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

ERM and Ops. Audit
• Provide assurance on risk mgt.
• Provide assurance of risk evaluation
• Evaluate risk mgt. processes
• Evaluate risk reporting
• Review the mgt. of key risks.
• See Exhibit 4-4

IIA ERM Advisory
• Audit plan should be based on risk assessment
• Audit plan may include the strategic planning process
• Audit plan should be updated for significant changes
• Audit plan should be prioritized based on risk likelihood and exposure
• Audit reporting should convey risk related conclusions

O’Brien’s Suggestions
• Ops audit should be involved in active conceptual support.
• Ops audit should be an implementation driver.
• Ops audit should provide on-going assessment of the process.
• Ops audit should add insight to ERM and vice-versa.
• Ops audit should assume the role of process coordinator.

Where Do We Go from Here?
• Increased demand
• Increased respect
• Increased contribution
• Increased advancement opportunities…
• IT’S A GREAT TIME TO BE FOCUSED ON OPERATIONAL AUDIT OPPORTUNITIES!!!

Systematic Approach
• Planning:
• Selecting the BPO
• Pre-site planning
• Evaluating:
• Conducting the preliminary survey
• Review internal controls
• Expanding tests as necessary
• Generating findings
• Communicating:
• Reporting the results
• Conducting follow-up
• Assessing the process
• Note Exh. 2-6 and Exh. 13-4