330 likes | 626 Views
Quality Assessments Lessons Learned/Best Practices Thomas A. Johnson, CIA November 13, 2007. Agenda. Requirement Benefits Attributes of a “World-Class” Internal Audit Quality and Quality Assessment Keys to an Effective QA Common Observations Leading Practices. Requirement.
E N D
Quality AssessmentsLessons Learned/Best PracticesThomas A. Johnson, CIANovember 13, 2007
Agenda • Requirement • Benefits • Attributes of a “World-Class” Internal Audit • Quality and Quality Assessment • Keys to an Effective QA • Common Observations • Leading Practices
Requirement • IIA Standard 1312- Requires an external assessment be performed by a competent and independent firm at least every 5 years. • Good ‘business practice” to provide an independent evaluation of internal audit as well as identifying potential ways to improve the process. • With Sarbanes-Oxley and other demands placed on Audit Committees and Internal Audit, a Quality Assurance Review serves to provide an assessment that the various Internal Audit responsibilities are being discharged effectively and efficiently.
Benefits • Current State of “Conformance to the Standards”. • Builds stakeholder confidence by showing management’s commitment to quality and leading practices. • Demonstrates that the Audit Committee and Internal Audit are concerned about the success of the organization’s internal controls, governance and risk management processes.
Benefits • PCAOB Audit Standard 2 states “The external auditor may use the work of internal auditors particularly when internal auditors are in compliance with the Standards.” • Observations on benchmarking & identification of successful practices • Recommendations for improvement aimed at adding value to the organization.
Benefits • Identify Expectation Gaps • Among key stakeholder expectations • Current state & desired state of performance • Recommendations aimed at adding value to the organization • Internal marketing tool strengthening credibility and promoting integrity
Attributes of a “World-Class Internal Audit Activity • Empowered & Respected by Management and Board • Objective and Independent • Highly Talented • Risk Focused • Proactive • Technology Driven
Empowered and Respected • Best Reporting Structure • Functionally – Audit Committee • Administratively- CEO • Respected at All Levels • Value-Added Business Advisors • “Out of the box” thinking • Provides effective resources and solutions to business challenges
Objective and Independent • Seen as providing unbiased views of the organization. • Have no real or apparent conflicts of interest • Independent of the activities they audit • “No-No’s” • Designing and installing systems • Drafting of procedures
Highly Talented • Highly talented professionals (certified) with unique combinations of skills & experiences • Hiring and Retention • Rotation in and out • Constantly adding value • Collectively possess the essential skills • Consideration for co-sourcing • Must commit to a program of continuous development
Risk Focused • Allocates Time & Resources Based on Risk • Annual and Long Term Plans • Individual Engagements • Identifies critical risks & exposures before they become significant issues • Shares “lessons learned” across common business units and processes
Proactive • Proactive, not only reactive • Right balance between protecting and enhancing shareholder value • Level of consultative support correlates with the organizations fluidity • E.g., a flat, decentralized organization likely requires significant support in analyzing business risks and transferring company-wide best practices then a highly centralized organization
Technology & Process Driven • Utilizes “state-of-the-art” technology to: • Reduce Risks • Identify potential problems in nearly real time • Increase productivity • Continuously improve the control environment and communications • Be committed to a program of continuous improvement
Foundation of World-Class Audit Departments • The International Standards for the Professional Practice of Internal Auditing and the Code of Ethics are the foundation for all world-class functions.
Quality Components • Adherence to the Code of Ethics • Practicing in accordance with the Standards • Continued Professional Development • Audit Practice is continuous improvement oriented
Quality Assurance • To Evaluate Quality- Objectively measure internal audit process • To maintain Quality- Fully commit to professional growth and development • To ensure Quality- Maintain quality assurance and improvement program
Quality Standards • Internal audit must establish a quality assurance program that includes both: • Ongoing and periodic internal QA’s • External QA a minimum of once every 5 years • Failure precludes IA from using the statement “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.”
Keys to an Effective QA • Understanding the Professional Practices Framework • Awareness and Implementation of the Standards • Internal audit quality programs and initiatives • Leading practices in applying the Standards
Professional Practices Framework • Definition of Internal Auditing • The Code of Ethics • The Standards • Practice Advisories • Topical Index to the Practice Advisories
Purpose of a Quality Assessment • Assess conformance to the Standards • Assess the effectiveness and efficiency of the internal audit activity • Identify opportunities for improvement • Improving performance • Image of the department
Scope of External Assessments • Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements • The expectations of the IA as expressed by the board, executive management and operational management • The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process
Scope (Cont’d) • Tools and techniques • Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement • Determination that the internal audit activity adds value and improves the organization’s operations
Areas of Focus • The Mandate of the IA Activity • The Relationship between IA & the Audit Committee • IA Reporting Lines • Staffing of Internal Audit • Obtaining & Maintaining Competency • Coordination with External Audit • Developing the Internal Audit Plan • Reporting Findings & Recommendations
Areas of Focus • Follow-Up of Corrective Action • Fraud • Internal Quality Program • Sufficiency of IA Resources • Support from Senior Management • Evaluation by the Audit Committee
Common Findings • Charters not current, inadequate and/or misaligned • Lacking support or sponsorship by top management • Department structure issues • Reporting lines • Alignment with the organization • Insufficient business knowledge and/or technology capabilities • Lack of a defined and documented risk assessment
Common Findings • Linkage of risk assessment to plan • Impact of Sar-Box • Lack of external input to risk assessment • Audit Universe Deficiencies • Ineffective resource planning, including training • Inadequate IT Coverage • Limited use of technology • Infrequent management interaction
Common Findings • Lack of Performance Measurements • Failure to Track Auditors’ Time • Inconsistent/Incomplete Work Papers • Lack of a defined and documented Quality Assurance and Improvement Program • Insufficient reporting to the Audit Committee
Leading Practices • Enterprise Risk Assessment • Rigorous and coordinated approach • Assessing all risks that affect the organizations strategic & financial objectives • Risk & Control Self Assessment • Using Control Frameworks (COSO) • Effectiveness & Efficiency of Operations • Reliability of Financial Reporting • Compliance with Laws & Regulations
Leading Practices • Partnering with Management • Risk Assessment & Annual Audit Planning • Long Term Audit Plans • Usually three years • Higher risk areas should be reviewed more frequently within the 3 year plan • Frequent modifications to long term plan • Developing Staff • Goal of 80 hours of training • Stretch Objectives & Performance Measures • Certification
Leading Practices • Communicating More Effectively • User friendly format • Executive summary, with clear concise information and opinion • Regular reporting of issues to the Audit committee • “Marketing” IA function • Brochure • Intranet
Leading Practices • Using Technology • Data extraction and analysis • Fraud detection/prevention • Network security assessment • Automated work-papers • Audit administration tools • Benchmarking • Performance measurements
Questions • ? • ? • ? • ? • ? • ? • ?
Follow-Up Tom Johnson tomjohnson11@msn.com 330-759-0046