CBIZ Risk & Advisory Services, LLC
Quality Assessments: Lessons Learned/Best Practices
Thomas A. Johnson, CIA
November 13, 2007
CBIZ Risk & Advisory Services, LLP
Agenda
• Requirement
• Benefits
• Attributes of a “World-Class” Internal Audit
• Quality and Quality Assessment
• Keys to an Effective QA
• Common Observations
• Leading Practices
Requirement
• IIA Standard 1312 - Requires an external assessment be performed by a competent and independent firm at least every 5 years.
• Good “business practice” to provide an independent evaluation of internal audit as well as identifying potential ways to improve the process.
• With Sarbanes-Oxley and other demands placed on Audit Committees and Internal Audit, a Quality Assurance Review serves to provide an assessment that the various Internal Audit responsibilities are being discharged effectively and efficiently.
Benefits
• Current State of “Conformance to the Standards”.
• Builds stakeholder confidence by showing management’s commitment to quality and leading practices.
• Demonstrates that the Audit Committee and Internal Audit are concerned about the success of the organization’s internal controls, governance and risk management processes.
Benefits
• PCAOB Audit Standard 2 states “The external auditor may use the work of internal auditors particularly when internal auditors are in compliance with the Standards.”
• Observations on benchmarking & identification of successful practices
• Recommendations for improvement aimed at adding value to the organization.
Benefits
• Identify Expectation Gaps
  • Among key stakeholder expectations
  • Current state & desired state of performance
• Recommendations aimed at adding value to the organization
• Internal marketing tool strengthening credibility and promoting integrity
Attributes of a “World-Class” Internal Audit Activity
• Empowered & Respected by Management and Board
• Objective and Independent
• Highly Talented
• Risk Focused
• Proactive
• Technology Driven
Empowered and Respected
• Best Reporting Structure
  • Functionally – Audit Committee
  • Administratively – CEO
• Respected at All Levels
  • Value-Added Business Advisors
  • “Out of the box” thinking
  • Provides effective resources and solutions to business challenges
Objective and Independent
• Seen as providing unbiased views of the organization.
• Have no real or apparent conflicts of interest
• Independent of the activities they audit
• “No-No’s”
  • Designing and installing systems
  • Drafting of procedures
Highly Talented
• Highly talented professionals (certified) with unique combinations of skills & experiences
• Hiring and Retention
• Rotation in and out
• Constantly adding value
• Collectively possess the essential skills
• Consideration for co-sourcing
• Must commit to a program of continuous development
Risk Focused
• Allocates Time & Resources Based on Risk
  • Annual and Long Term Plans
  • Individual Engagements
• Identifies critical risks & exposures before they become significant issues
• Shares “lessons learned” across common business units and processes
Proactive
• Proactive, not only reactive
• Right balance between protecting and enhancing shareholder value
• Level of consultative support correlates with the organization’s fluidity
  • E.g., a flat, decentralized organization likely requires significant support in analyzing business risks and transferring company-wide best practices than a highly centralized organization
Technology & Process Driven
• Utilizes “state-of-the-art” technology to:
  • Reduce Risks
  • Identify potential problems in nearly real time
  • Increase productivity
  • Continuously improve the control environment and communications
• Be committed to a program of continuous improvement
Foundation of World-Class Audit Departments
The International Standards for the Professional Practice of Internal Auditing and the Code of Ethics are the foundation for all world-class functions.
Quality Components
• Adherence to the Code of Ethics
• Practicing in accordance with the Standards
• Continued Professional Development
• Audit Practice is continuous improvement oriented
Quality Assurance
• To Evaluate Quality - Objectively measure internal audit process
• To maintain Quality - Fully commit to professional growth and development
• To ensure Quality - Maintain quality assurance and improvement program
Quality Standards
• Internal audit must establish a quality assurance program that includes both:
  • Ongoing and periodic internal QA’s
  • External QA a minimum of once every 5 years
• Failure precludes IA from using the statement “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.”
Keys to an Effective QA
• Understanding the Professional Practices Framework
• Awareness and Implementation of the Standards
• Internal audit quality programs and initiatives
• Leading practices in applying the Standards
Professional Practices Framework
• Definition of Internal Auditing
• The Code of Ethics
• The Standards
• Practice Advisories
• Topical Index to the Practice Advisories
Purpose of a Quality Assessment
• Assess conformance to the Standards
• Assess the effectiveness and efficiency of the internal audit activity
• Identify opportunities for improvement
  • Improving performance
  • Image of the department
Scope of External Assessments
• Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements
• The expectations of the IA as expressed by the board, executive management and operational management
• The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process
Scope (Cont’d)
• Tools and techniques
• Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement
• Determination that the internal audit activity adds value and improves the organization’s operations
Areas of Focus
• The Mandate of the IA Activity
• The Relationship between IA & the Audit Committee
• IA Reporting Lines
• Staffing of Internal Audit
• Obtaining & Maintaining Competency
• Coordination with External Audit
• Developing the Internal Audit Plan
• Reporting Findings & Recommendations
Areas of Focus
• Follow-Up of Corrective Action
• Fraud
• Internal Quality Program
• Sufficiency of IA Resources
• Support from Senior Management
• Evaluation by the Audit Committee
Common Findings
• Charters not current, inadequate and/or misaligned
• Lacking support or sponsorship by top management
• Department structure issues
  • Reporting lines
  • Alignment with the organization
• Insufficient business knowledge and/or technology capabilities
• Lack of a defined and documented risk assessment
Common Findings
• Linkage of risk assessment to plan
• Impact of Sar-Box
• Lack of external input to risk assessment
• Audit Universe Deficiencies
• Ineffective resource planning, including training
• Inadequate IT Coverage
• Limited use of technology
• Infrequent management interaction
Common Findings
• Lack of Performance Measurements
• Failure to Track Auditors’ Time
• Inconsistent/Incomplete Work Papers
• Lack of a defined and documented Quality Assurance and Improvement Program
• Insufficient reporting to the Audit Committee
Leading Practices
• Enterprise Risk Assessment
  • Rigorous and coordinated approach
  • Assessing all risks that affect the organization’s strategic & financial objectives
• Risk & Control Self Assessment
• Using Control Frameworks (COSO)
  • Effectiveness & Efficiency of Operations
  • Reliability of Financial Reporting
  • Compliance with Laws & Regulations
Leading Practices
• Partnering with Management
  • Risk Assessment & Annual Audit Planning
• Long Term Audit Plans
  • Usually three years
  • Higher risk areas should be reviewed more frequently within the 3 year plan
  • Frequent modifications to long term plan
• Developing Staff
  • Goal of 80 hours of training
  • Stretch Objectives & Performance Measures
  • Certification
Leading Practices
• Communicating More Effectively
  • User friendly format
  • Executive summary, with clear concise information and opinion
  • Regular reporting of issues to the Audit committee
  • “Marketing” IA function
    • Brochure
    • Intranet
Leading Practices
• Using Technology
  • Data extraction and analysis
  • Fraud detection/prevention
  • Network security assessment
  • Automated work-papers
  • Audit administration tools
• Benchmarking
  • Performance measurements
Questions?