module 4 internal audit

8/10/2019 MODULE 4 Internal Audit

1/22

School Board Audit Committee Training

Module 4

Internal Audit

1


2/22

2

Session objectives

After completing this session you will:

Understand how the IA function will operate.

Walkthrough the audit planning and approval process.

Explain the independence requirements of the IA function.

Understand the Audit Committees effective monitoring, oversight and assessment role for

Internal Audit

Comfortably interact with the IA function.

Understand the Audit Committees responsibilities related to Internal Audit (IA).


3/22

Audit Committee Duties related to the Internal Auditor

[ON Regulation 361/10 9(3)]

To review the Internal Auditors mandate, activities, staffing and organizationalstructure.

To make recommendations on the content of the Internal Audit plan and on all

proposed major changes to the plan.

To ensure there are no unjustified restrictions or limitations on the scope of the

activities performed by Internal Audit.

To review, at least once in each fiscal year, the performance of the Internal Auditorand provide comments regarding his or her performance.

To review the effectiveness of the Internal Auditor, including the Internal Auditors

compliance with standards for internal auditing.

To meet on a regular basis with the Internal Auditor.

To review findings, recommendations and any difficulties encountered in the course

of the Internal Auditors work.

3


4/22

International Standards for the Professional Practice of

Internal Auditing

The IIA Standards are principle-focused and provide a framework for

performing internal auditing. The Standards are mandatory requirements

consisting of:

Statements of basic requirements for the professional practice of Internal

Auditing and for evaluating the effectiveness of its performance. The

requirements are internationally applicable at organizational and individuallevels.

Interpretations, which clarify terms or concepts within the statements.

It is necessary to consider both the statements and their interpretations to

understand and apply the Standards correctly.

Current standards can be found online at

http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/

The website provides access to numerous tools, such as quality

assessments, discussion groups, etc.

4
http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/


5/22

Objectives of an Internal Audit function

Objectively monitor and report on the health of financial, operational, and

compliance controls.

Provide insight into the effectiveness of the DSBs risk management.

Offer guidance regarding effective governance

Become a catalyst for positive change in processes and controls. Deliver value to the audit committee, executives, and management in the

areas of controls, risk management, and governance to assist in the audit

committees assessment of the efficiency of programs and procedures.

Coordinate activities and share perspectives with the external auditor.

5


6/22

Ontario DSB Internal Audit Mandate

Mission: to provide independent, objective assurance and consultingservices designed to add value and improve the DSB operations.

Scope of work: to determine whether the network of risk management,

control, and governance processes, as designed and implemented by the

DSBs, is adequate and functioning in a manner to ensure:

Risks are appropriately identified and managed.

Significant financial, managerial, and operating information is accurate, reliableand timely.

Employees actions comply with policies, standards, procedures, laws and

regulations.

Resources are acquired economically, used efficiently, and adequately

protected.

Programs, plans, and objectives are defined, communicated and achieved.

Significant legislative or regulatory issues impacting the DSBs are recognized

and addressed.

(Source: Sample Internal Audit Mandate Ministry of Education Website)

6


7/22

Ontario School Board Internal Audit service model

Regional model

This model will be replicated in each of the eight regions in the province.

Regional Internal Audit

Manager (RIAM)

Audit Staff Audit Staff Audit Staff Audit Staff

DSB audit committees

7


8/22

Roles and responsibilities of the Internal Auditor

Develop and implement annual and multi-year Internal Audit Plans.

Maintain a professional/competent audit staff.

Perform consulting services (as requested and appropriate).

Issue periodic reports.

Inform audit committee of emerging trends and leading practices in risk

management and internal auditing.

Assist in the investigation of suspected fraudulent activities.

Consider the scope of work of external auditors.

Assist the Audit Committee in complying with Regulation 361/10.

8


9/22

Audit planning

Annually, the RIAM shall submit to the director of education, senior business official

and audit committee of each DSB a summary of the audit plan (current year workschedule and multi-year plan), staffing plan, and budget for the following fiscal year.

The audit plan is to be developed based on a prioritization of the audit universe using a

risk-based methodology.

Multi-Year Plan

Annual Internal

Audit Plan

Plan is driven by two key factors: risk assessment results and Internal

Audit resources. It describes the Internal Audit objectives, audit goals,

a forecast of available audit hours, the planned allocation of audit

hours to each type of audit and school board for a five year period

given the identified risk areas and the available resources. Changes inrisk or audit resources may lead to a change in the plan.

Describes in further detail audit responsibilities, audit focus and audit

direction for the fiscal year. The plan will be uniquely prepared from a

regional perspective.

(Source: Sample Internal Audit Mandate and Guidelineon Establishing the IA Plan- Ministry of Education Website)

9


10/22

Role of Audit Committee vis--vis Audit Plans

Approve multi-year and annual audit plan for YOUR school

boardpart of a larger plan

1. Presentation of allocation of resources by RIAM for

ALL boards that are part of your region

2. Fair and equitable based on risk assessment

results of ALL boards.Yes? RecommendApproval

. No? Regional Conflict

Resolution Committee

Regional Conflict Resolution Committee (RCRC) designed

by the Ministry of Education in conjunction with the hostboard workgroup to resolve audit committee conflicts

How ?

10


11/22

Regional Conflict Resolution Committee

Background:

To be created in each of the 8 regions only whenthe need arises

Purpose:

To ensure that the conflict resolution process is fair and unbiased for all of the

school boards in the region

Composition:

Odd number of school boards in region = One trustee member from each Audit

Committee in the region

Even number of school boards in region = Same as above + one additional

trustee member of the Audit Committee of the host board

11


12/22

Regional Conflict Resolution Committee(contd)

RCRC Structure

The chair of the RCRC will be the trustee member of the host board

Meetings will be called by the chair as-needed

75% of the members must be present for quorum

Each member is entitled to one vote

Conflict Resolution Process

Discussion of matter

Vote by each member

Majority decision binding to all boards

A conflict should be fully resolved within six weeks from the date the issue

is submitted to the chair of the RCRC.

12


13/22

Relationship between the Internal Audit Function and

the External Auditor

External auditors can, in certain circumstances, use the work of the Internal

Audit function External auditors must determine:

1. If the work of the internal auditor is likely to be adequate for the external audit.

Consider points:

objectivity

technical competence due professional care

effective communication

2. The impact on the nature, timing and extent of the external auditors

procedures

Consider points: nature and scope of specific internal audit work

risks of material misstatements

degree of subjectivity involved in evaluating evidence

13


14/22

Independence of the Internal Audit function

When the Internal Audit functions direct reporting line is to the Audit

Committee, it allows the Internal Auditors to remain structurally separate

from management and enhances objectivity.

It also encourages the free flow of communication on issues and promotes

direct feedback from the Audit Committee on the performance of the Chief

Audit Executive (CAE). In relation to the school board environment, this

would refer to the Regional Internal Audit Manager (RIAM).

14


15/22

Independence of the Internal Audit function (contd)

The Institute of Internal Auditors (IIAs) Standards for Professional Practiceof Internal Auditing mandate that the Internal Auditors maintain a certain

level of independence from the work they audit.

An Internal Auditor should have no personal or professional involvement with

the area being audited

The Internal Auditor should maintain an impartial perspective on all

engagements Internal Auditors should have access to records and personnel when

necessary, and they should be allowed to employ appropriate investigative

techniques without impediment

15


16/22

Interaction with the Audit Committee

Hold regular private sessions with the Internal Auditors

Be available when contacted by the RIAM

Engage in a substantial and communicative reporting relationship

Actively participate in discussing goals and evaluating the performance

of the RIAM; these responsibilities should not be delegated solely to

the host board management

Challenge the RIAM and the Internal Audit function by setting

expectations, communicating those expectations clearly, and holding

the function accountable for meeting them

See that the Internal Auditors have appropriate stature and respect

and are visibly supported by senior management throughout the

organization

Support the RIAM providing guidance and assistance, if needed

Audit Committees should take several steps to facilitate a mutually beneficial relationship with the

Internal Auditors. An effective relationship here is fundamental to the success of the IA function.

Communication

Goal Setting

Support

16


17/22

Practical tools to guide interaction between Internal

Auditors and the Audit Committee

Quarterly report:

Should highlight activities performed and status of each audit on plan

Provide timelines indicating if audits are ahead or behind schedule (metrics)

Highlight the number of high priority findings from completed audits

Identify the status of outstanding action plans for prior audit observations

Include a quality assessment score based on audit and stakeholder feedback Executive summary for completed audits:

Review the scope and objectives of the review

Summarize key findings and action steps

Provide an overall conclusion of the effectiveness of risk management

procedures in the areas reviewed

Planning Memo

Introduce the upcoming audits and key risks to be addressed

Outline the scope, approach and timelines for the review

17


18/22

Questions for Audit Committees to consider

Are the Internal Auditors responsive to the needs of todays rapidlychanging environment?

Are the Internal Auditors monitoring critical controls and identifying and

addressing emerging risks? Is the function proactively evaluating DSB

internal controls and risk management as conditions change?

Are the Internal Auditors cognizant of new laws, regulations, and leadingpractices?

Are Internal Audit personnel appropriately qualified and pursuing

appropriate professional development?

Does the Internal Audit function have the necessary and appropriate skills

sets and experience to evaluate risk and carry-out the Internal Audit plan?

Is the Internal Audit Plan aligned with the DSBs critical risks and focusing

on what is important rather than reviewing those processes easiest to

review?

18


19/22

An Example of the Audit Committees Evaluation of the

Internal Auditors

Question Expectations for the IA function

Are the Internal Auditors responsive to the

needs of todays rapidly changing

environment?

Awareness of the Ontario Equity and

Inclusive Education Strategy.

Are the Internal Auditors monitoring critical

controls and identifying and addressingemerging risks?

Monitoring and reporting on

Administrators action on policydevelopment and implementation for

equity and inclusive education.

Are the Internal Auditors cognizant of new

laws, regulations, and best practices?

Understanding of the Policy/Program

Memorandum No. 119 on Developing and

implementing equity and inclusive

education policies in Ontario schoolsDoes Internal Audit have the necessary

and appropriate skills sets and experience

to evaluate risk and carry-out the Internal

Audit plan?

The risk-based Internal Audit plan has

been designed considering policy

documents, regulations, and best practice.

19


20/22

Questions for Audit Committees to consider (contd)

Have key DSB stakeholders including the Audit Committee, Trustees,Directors and Superintendents, reconciled their expectations for the

Internal Audit function with the RIAM?

How does the Internal Audit function relate to other risk management

related functions, such as legal, security, and health and safety? Are there

duplications of effort or gaps between these functions?

Has the audit committee reached a supportable conclusion as to whether

the Internal Auditors are operating in compliance with Institute of Internal

Auditors standards?

Is the Internal Audit function viewed as objective and competent by the

external auditor?

How is the internal audit function perceived by its stakeholders?

How has Internal Audit's performance been assessed by those that have

been audited?

20


21/22

Audit Committee leading practices

Audit Committee leading practices for interacting with the Internal Auditors

include the following:

Assess whether the Internal Auditors have a direct functional reporting line

to the Audit Committee and an indirect line to management for

administrative activities.

Be involved in Internal Audit Planning Process through the review and

approval of the risk assessment and Internal Audit Plan.

Constructively challenge the Internal Audit function.

Conduct annual performance evaluations.

Understand Internal Audit staffing and succession planning.

21


22/22

Audit Committee Evaluation of Internal Audit

Audit Committees must complete annual evaluation of the RegionalInternal Audit Manager (RIAM) and the Internal Auditor (senior auditors and

audit staff) performance.

Sample Areas of evaluation

Regional IA Manager Internal Auditors

Management of the Regional

Internal Audit Team

Professional Behaviour

Audit Committee Meetings Written Communication

Communication TimelinessGeneral Skills Initiative

Overall Evaluation Overall Evaluation

22

module 4 internal audit

Documents