Developing a Successful Integrated Audit Approach
September 14, 2010
• Introduction and Perspectives
• An Integrated Audit Methodology
Topics
INTRODUCTION AND PERSPECTIVES
• An audit approach that takes into consideration key areas of risk regardless of type, such as:
– Operations
– Finance and accounting, including fraud
– Information technology and security
– Regulatory/compliance
– Other, tailored to the business
Defining Integrated Auditing
• Audit efficiencies
• Comprehensive view of an auditable entity
• Consolidated report covering key areas – fewer audits per entity
• Enhanced stakeholder perceptions of audit coverage
• Improved auditor morale
• Accelerated auditor talent
• Focused leverage of business knowledge and collaboration across the audit team
Benefits
• People
– Expanding auditor skill sets to cover all areas while retaining benefits of subject matter expertise
– Helping auditors with different skills communicate and find better ways to work together
• Ensuring coverage is “just right”
– Broad enough to cover the key risk areas
– Deep enough where necessary
– Organized sufficiently to avoid “spin-off” audits
Challenges
• Perspective
– Management: operational understanding
– Auditor: process, risk and controls
• Core audit skills – the raw materials translate easily!
– Understand/document any process
– Recognize risk where it exists
– Translate across multiple disciplines
• IIA body of knowledge
– CIAs are well positioned to help drive an integrated approach
Prerequisites to an Integrated Approach
• Solid enterprise-level and engagement-level risk assessment processes
• Scope
– Top-down, bottom-up, aligned with the business
– Includes
  • Material financial exposure
  • Possible reputational harm
  • Emerging risks and changes
  • Management’s operational concerns
– Helps us say “yes, we looked at that”
Critical Success Factors
AN INTEGRATED AUDIT METHODOLOGY
• There are diverse schools of thought, methodologies, and approaches to integrated auditing – why so many?
– Diversity in business – a desire for a tailored approach and a search for the “one best way”
– Variability in what one believes should be integrated – people, process, technology or parts thereof
– Differences in viewpoint taken: auditor or management
– Inherent need for subject matter expertise
– Timing and logistics for getting audits done
Integrated Audit Methodology(ies!)
Integrated Auditing
People
• Diverse team has an operational center surrounded by relevant subject matter experts
• Auditors with different skills are on the same team AND are actively engaged in evaluating and testing business processes together
Process
• Process view of the operations – key
• Understanding of the business operations – key
• Use risk assessment to drive top-down approach
Technology
• Build a reliable process first, then look to technology to make it more efficient (always)
• Ensure the integrated audit team is working together – not just sitting in the same room
• Offer tools to help
– Formally documented methodology
– A layered, multi-disciplined perspective with a common language
• Recognize auditor common ground
– Risk, control, and process orientation
– Control assertions
Integrating People
Integrating Process
[Diagram: process flow labelled Input, Process, Output, System and Database, annotated with the control assertions Authorization, Occurrence, Completeness, Accuracy, Recording, Custody ($) and Reconciliation, plus Confidentiality, Availability and Integrity]
Other Areas to Overlay:
• Operational efficiencies, including technology aspects
• Regulatory/compliance considerations
• Fraud risk considerations
Aligning Control Assertions
IT Auditors:
• Information security components
– Confidentiality
– Availability
– Integrity
Financial Auditors:
• Financial statement assertions on transactions
– Occurrence
– Completeness
– Accuracy
– Authorization
– Cutoff
– Classification
• Training for everyone
• Get everyone talking and involved in planning/risk assessment
• Drive efficiencies
– Map in-scope risks to key controls in common across all areas
– Drive efficiencies with audit coverage (SOX, SAS 70)
• During fieldwork
– Assign testing based on expertise
– Establish periodic checkpoints within the team and an end-to-end quality review process
Integrating People and Process
Question: When is the right time to get subject matter experts involved?
a) During fieldwork when the team gets in a bind
b) During the report writing phase when a question leads to an area that should have been looked at more closely
c) Engagement-level planning and risk assessment
Subject Matter Experts
INTEGRATING THE AUDIT APPROACH AND RISK ASSESSMENT
Risk Assessment
Enterprise-Level Risk Assessment
• Process to determine the audit plan
• Identify Enterprise Level Risks → Identify the Audit Universe → Assess Risk Top-Down → Assess Risk Bottom-Up → Prioritize the Quarterly Audit Plan
Engagement-Level Risk Assessment
• Process to determine the scope of a specific audit
• Understand the Auditable Entity → Identify Key Risk Areas → Map Key Risks to Other Audit Coverage → Finalize Audit Scope
Integrated Audit Considerations
Best Practice: Align coverage with corporate strategy
Enterprise-Level Risk Assessment
Identify Enterprise Level Risks → Identify the Audit Universe → Assess Risk Top-Down → Assess Risk Bottom-Up → Prioritize Audit Plan
[Diagram labels: Corporate Strategy, Objectives, Enterprise Risk, Best Practice]
Identify the Audit Universe
• Auditable Entity:
– A discrete unit or process
– Horizontal coverage is more efficient
– Level of aggregation is key
Layers Where Controls Reside:
• Entity
• Segment
• Sub-Segment
• Lines of Business
• Process
Assess Risk Top-Down
Segments: Corporate, Operating Segment 1, Operating Segment 2, Operating Segment 3, Operating Segment 4, Shared Service Segment
Tier 1 ($x+)
– Corporate: Auditable entities 1, 2, 3
– Operating Segment 1: Auditable entities 13, 14, 15
– Operating Segment 3: Auditable entity 28
– Operating Segment 4: Auditable entity 35
– Shared Service Segment: Auditable entities 42, 43
Tier 2 ($x-$x)
– Corporate: Auditable entities 4, 5, 6
– Operating Segment 1: Auditable entities 16, 17, 18
– Operating Segment 4: Auditable entities 36, 37, 38
– Shared Service Segment: Auditable entities 44, 45
Tier 3 ($x-$x)
– Corporate: Auditable entities 7, 8, 9
– Operating Segment 1: Auditable entities 19, 20, 21
– Operating Segment 2: Auditable entities 22, 23, 24
– Operating Segment 4: Auditable entities 39, 40, 41
– Shared Service Segment: Auditable entity 46
Tier 4 (<$x)
– Corporate: Auditable entities 10, 11, 12
– Operating Segment 2: Auditable entities 25, 26, 27
– Operating Segment 3: Auditable entities 29, 30, 31, 32, 33, 34
– Shared Service Segment: Auditable entity 47
Assess Risk – Bottom Up
Traditional Quantitative Approach
[Table column headings: Segment; Auditable Entity; $; Financial Risk; Compliance and Regulations; Changes in Audit Universe; IT Risk (Availability, Integrity, Confidentiality); Average; with Inherent Risk and Residual Risk sub-columns]
Sample row: Operating Segment 1, Auditable entity 1, $10: 4 3 3 3 3 5 3 3 3 4 5 3 3.5 3.5 3.5
Assess Risk – Bottom Up
Qualitative Map to ERM
[Table column headings: Segment; Auditable Entity; Year Last Audited; Top ERM Risk #1 through Top ERM Risk #10]
– Operating Segment 1, Auditable Entity 1, 2010
– Operating Segment 1, Auditable Entity 2, 2010
Prioritize Audit Plan
[Table column headings: Tier 1; Auditable Entity; Prior Coverage; Q1 2011; Q2 2011; Q3 2011; Q4 2011]
– Corporate: Auditable entity 1 (prior coverage 2009), Auditable entity 2 (2008), Auditable entity 3 (2007); planned: Audit 1, Audit 3, Audit 7
– Operating Segment 1: Auditable entity 13 (2009), Auditable entity 14 (2009), Auditable entity 15 (2009); planned: Audit 2, Audit 4, Audit 10
– Operating Segment 3: Auditable entity 28 (2010); planned: Audit 5
– Operating Segment 4: Auditable entity 35 (2008); planned: Audit 6
– Shared Service Segment: Auditable entity 42 (2009), Auditable entity 43 (2009); planned: Audit 8, Audit 9
• Aggregation of cumulative knowledge about the entity
• Integrated view
• Links to ERM
• Don’t forget consideration of fraud risk
Engagement Level Risk Assessment
[Table column headings: Risk (Top 10 ERM High-Level Risk Category; Specific Risk Areas); Relevance/Significance at this Line of Business (I, R); Areas to Test; Covered via other audits?; Test?; Budget-Testing Time]
I = Inherent Risk: Risk before consideration of controls.
R = Residual Risk: Risk after consideration of controls, e.g. prior audit results and remediation or other issues identified.
Source: The ACFE’s 2010 Report on Fraud to the Nations
• Ground integrated auditing in solid risk assessment from the beginning
• Resolve the auditor SME communication barrier once and for all
• Expect efficiencies
• Leverage existing core auditor skills as a place to start
• Align with operations to drive the most value
Takeaways
QUESTIONS?
– Kim Furlin
– 904 357 1611
– [email protected]
Contact Information