Developing a Successful Integrated Audit Approach September 14, 2010

Upload: johnathon-heritage

Post on 31-Mar-2015


Page 1: Developing a Successful Integrated Audit Approach, September 14, 2010

Page 2: Topics

• Introduction and Perspectives
• An Integrated Audit Methodology

Page 3: INTRODUCTION AND PERSPECTIVES

Page 4: Defining Integrated Auditing

• An audit approach that takes into consideration key areas of risk regardless of type, such as:
  – Operations
  – Finance and accounting, including fraud
  – Information technology and security
  – Regulatory/compliance
  – Other, tailored to the business

Page 5: Benefits

• Audit efficiencies
• Comprehensive view of an auditable entity
• Consolidated report covering key areas – fewer audits per entity
• Enhanced stakeholder perceptions of audit coverage
• Improved auditor morale
• Accelerated auditor talent
• Focused leverage of business knowledge and collaboration across the audit team

Page 6: Challenges

• People
  – Expanding auditor skill sets to cover all areas while retaining benefits of subject matter expertise
  – Helping auditors with different skills communicate and find better ways to work together
• Ensuring coverage is “just right”
  – Broad enough to cover the key risk areas
  – Deep enough where necessary
  – Organized sufficiently to avoid “spin-off” audits

Page 7: Prerequisites to an Integrated Approach

• Perspective
  – Management: operational understanding
  – Auditor: process, risk and controls
• Core audit skills – the raw materials translate easily!
  – Understand/document any process
  – Recognize risk where it exists
  – Translate across multiple disciplines
• IIA body of knowledge
  – CIAs are well positioned to help drive an integrated approach

Page 8: Critical Success Factors

• Solid enterprise-level and engagement-level risk assessment processes
• Scope
  – Top-down, bottom-up, aligned with the business
  – Includes
    • Material financial exposure
    • Possible reputational harm
    • Emerging risks and changes
    • Management’s operational concerns
  – Helps us say “yes, we looked at that”

Page 9: AN INTEGRATED AUDIT METHODOLOGY

Page 10: Integrated Audit Methodology(ies!)

• There are diverse schools of thought, methodologies, and approaches to integrated auditing – why so many?
  – Diversity in business – a desire for a tailored approach and a search for the “one best way”
  – Variability in what one believes should be integrated – people, process, technology or parts thereof
  – Differences in viewpoint taken: auditor or management
  – Inherent need for subject matter expertise
  – Timing and logistics for getting audits done

Page 11: Integrated Auditing

People

• Diverse team has an operational center surrounded by relevant subject matter experts

• Auditors with different skills are on the same team AND are actively engaged in evaluating and testing business processes together

Process

• Process view of the operations – key

• Understanding of the business operations – key

• Use risk assessment to drive top-down approach

Technology

• Build a reliable process first, then look to technology to make it more efficient (always)

Page 12: Integrating People

• Ensure the integrated audit team is working together – not just sitting in the same room
• Offer tools to help
  – Formally documented methodology
  – A layered, multi-disciplined perspective with a common language
• Recognize auditor common ground
  – Risk, control, and process orientation
  – Control assertions

Page 13: Integrating Process

[Diagram labels: Input, Process, Output; Authorization, Database, Reconciliation, Custody ($), System, Recording; Occurrence, Authorization, Completeness, Accuracy, All; Confidentiality, Availability, Integrity]

Other Areas to Overlay:
• Operational efficiencies, including technology aspects
• Regulatory/compliance considerations
• Fraud risk considerations

Page 14: Aligning Control Assertions

IT Auditors:
• Information security components
  – Confidentiality
  – Availability
  – Integrity

Financial Auditors:
• Financial statement assertions on transactions
  – Occurrence
  – Completeness
  – Accuracy
  – Authorization
  – Cutoff
  – Classification

Page 15: Integrating People and Process

• Training for everyone
• Get everyone talking and involved in planning/risk assessment
• Drive efficiencies
  – Map in-scope risks to key controls in common across all areas
  – Drive efficiencies with audit coverage (SOX, SAS 70)
• During fieldwork
  – Assign testing based on expertise
  – Establish periodic checkpoints within the team and an end-to-end quality review process

Page 16: Subject Matter Experts

Question: When is the right time to get subject matter experts involved?

a) During fieldwork when the team gets in a bind
b) During the report writing phase when a question leads to an area that should have been looked at more closely
c) Engagement-level planning and risk assessment

Page 17: INTEGRATING THE AUDIT APPROACH AND RISK ASSESSMENT

Page 18: Risk Assessment

Enterprise-Level Risk Assessment
• Process to determine the audit plan
• Diagram steps: Identify Enterprise Level Risks; Identify the Audit Universe; Assess Risk Top-Down; Assess Risk Bottom-Up; Prioritize the Quarterly Audit Plan

Engagement-Level Risk Assessment
• Process to determine the scope of a specific audit
• Diagram steps: Understand the Auditable Entity; Identify Key Risk Areas; Map Key Risks to Other Audit Coverage; Finalize Audit Scope

[Diagram label, shown three times: Integrated Audit Considerations]

Page 19: Enterprise-Level Risk Assessment

Best Practice: Align coverage with corporate strategy

[Diagram labels: Corporate Strategy; Objectives; Enterprise Risk]

• Diagram steps: Identify Enterprise Level Risks; Identify the Audit Universe; Assess Risk Top-Down; Assess Risk Bottom-Up; Prioritize Audit Plan

Page 20: Identify the Audit Universe

• Auditable Entity:
  – A discrete unit or process
  – Horizontal coverage is more efficient
  – Level of aggregation is key

Layers Where Controls Reside:
• Entity
• Segment
• Sub-Segment
• Lines of Business
• Process

Page 21: Assess Risk Top-Down

[Table: auditable entities arranged by segment (columns) and tier (rows)]

Columns: Corporate; Operating Segment 1; Operating Segment 2; Operating Segment 3; Operating Segment 4; Shared Service Segment

• Tier 1 ($x+): Auditable entities 1–3, 13–15, 28, 35, 42, 43
• Tier 2 ($x-$x): Auditable entities 4–6, 16–18, 36–38, 44, 45
• Tier 3 ($x-$x): Auditable entities 7–9, 19–21, 22–24, 39–41, 46
• Tier 4 (<$x): Auditable entities 10–12, 25–27, 29–34, 47

Page 22: Assess Risk – Bottom Up

Traditional Quantitative Approach

[Table: each risk category is scored for Inherent Risk and Residual Risk]

Columns: Segment; Auditable Entity; $; Financial Risk; Compliance and Regulations; Changes in Audit Universe; IT Risk (Availability, Integrity, Confidentiality); Average

Sample row: Operating Segment 1; Auditable entity 1; $10; scores 4 3 3 3 3 5 3 3 3 4 5 3 3.5 3.5 3.5

Page 23: Assess Risk – Bottom Up

Qualitative Map to ERM

[Table: auditable entities mapped against the top ERM risks]

Columns: Segment; Auditable Entity; Year Last Audited; Top ERM Risk #1 through Top ERM Risk #10

• Operating Segment 1; Auditable Entity 1; 2010
• Operating Segment 1; Auditable Entity 2; 2010

Page 24: Prioritize Audit Plan

[Table: Tier 1 auditable entities with prior coverage and audits scheduled across the 2011 quarters]

Columns: Tier 1 Auditable Entity; Prior Coverage; Q1 2011; Q2 2011; Q3 2011; Q4 2011

• Corporate: Auditable entities 1, 2, 3; prior coverage 2009, 2008, 2007; Audit 1, Audit 3, Audit 7
• Operating Segment 1: Auditable entities 13, 14, 15; prior coverage 2009, 2009, 2009; Audit 2, Audit 4, Audit 10
• Operating Segment 3: Auditable entity 28; prior coverage 2010; Audit 5
• Operating Segment 4: Auditable entity 35; prior coverage 2008; Audit 6
• Shared Service Segment: Auditable entities 42, 43; prior coverage 2009, 2009; Audit 8, Audit 9

Page 25: Engagement Level Risk Assessment

• Aggregation of cumulative knowledge about the entity
• Integrated view
• Links to ERM
• Don’t forget consideration of fraud risk

[Table columns: Risk (Top 10 ERM High-Level Risk Category; Specific Risk Areas); Relevance/Significance at this Line of Business (I, R); Areas to Test; Covered via other audits?; Test?; Budget-Testing Time]

I = Inherent Risk: Risk before consideration of controls.
R = Residual Risk: Risk after consideration of controls, e.g. prior audit results and remediation or other issues identified.

Page 26

Source: The ACFE’s 2010 Report on Fraud to the Nations

Page 27: Takeaways

• Ground integrated auditing in solid risk assessment from the beginning
• Resolve the auditor SME communication barrier once and for all
• Expect efficiencies
• Leverage existing core auditor skills as a place to start
• Align with operations to drive the most value

Page 28: QUESTIONS?

Page 29: Contact Information

– Kim Furlin
– 904 357 1611
– [email protected]