9/12/2017
The Red (Book) Rocks… The Latest and Greatest Audit Standards
Presenter
Toni Stephens, Chief Audit Executive
The University of Texas at Dallas
Course Objectives
• Explain the development of internal auditing standards and related guidance.
• Identify the latest and greatest enhancements to the framework for the professional practice of internal auditing.
• Apply the Standards and related guidance to your internal audits and your departmental operations to enhance the value of the internal audit process at your organization.
Internal Audit History 101
Mission
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
Mandatory Guidance
A. The Core Principles
B. The Definition of Internal Auditing
C. The Code of Ethics
D. The Standards
A. Core Principles
1. Demonstrates integrity.
2. Demonstrates competence and due professional care.
3. Is objective and free from undue influence - independent.
4. Aligns with the strategies, objectives, and risks of the organization.
5. Is appropriately positioned and adequately resourced.
6. Demonstrates quality and continuous improvement.
7. Communicates effectively.
8. Provides risk-based assurance services.
9. Is insightful, proactive, and future-focused.
10. Promotes organizational improvement.
B. Definition of Internal Auditing
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Assurance vs. Consulting
C. Code of Ethics
• Integrity
• Objectivity
• Confidentiality
• Competency
D. Standards
• Attribute
• Performance
Recommended Guidance ‐ UPDATED
Implementation Guidance
• Implementation Guides – updated for 2017 Standards
Supplemental Guidance
• Practice Guides
• GTAGs
• GAITs
IIA Attribute Standards
1000 Purpose, Authority, and Responsibility
1100 Independence and Objectivity
1200 Proficiency and Due Professional Care
1300 Quality Assurance and Improvement Program
Attribute
1000 Purpose, Authority, Responsibility
1100 Independence & Objectivity
New!
New Standards!
1112: CAE Roles Beyond Internal Auditing
1130.A3: Impairment to Independence and Objectivity
1200: Proficiency & Due Professional Care
1300: Quality Assurance and Improvement Program ‐ UPDATED
CAE Must Report on QAIP and current level of conformance
Updated!
5 Key Characteristics of Effective QAIPs
Policy
• Charter, P&P
• CAE establishes & maintains; Reports Program to Management & Board
Methodology & Process
• Based on Standards
• QAIP documented in IA P&P
People
• Staff aware, trained
• Periodic internal and external assessments
Systems & Information
• Standardized audit management system documents work
• Key performance indicators monitored & used
Communication & Reporting
• Results of internal assessments – action plans to improve, reported to management and audit committee
• Client feedback received
• External reviews reported to management and audit committee
Example ‐ Monitoring Quality
Effectiveness & Efficiency / Sustainability / Management
• Audit Plan Actual hours completed
• Staffing levels are adequate to complete annual plan
• Recommendations for Priority Findings are implemented by due date
• Audit Plan projects completed
• Staff have professional certifications
• Audit recommendations are implemented timely
• Audit reports issued within standard timeframe
• Management responses received timely after draft report
• Direct audit hours meet standard
Key Accomplishments (Quarterly)
• Worked with six student interns Fall 2015 on three different audit projects.
• Professional participation included CAE speaking at national conference.
• IT Staff Auditor achieved CISA status.
Annual
• Performance Appraisals
• External QAR
• Annual goals on data analytics, consulting, management requests, special projects
• Client satisfaction
IIA Performance Standards
2000 Managing the Internal Auditing Activity
2100 Nature of Work
2200 Engagement Planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks
2000: Managing the Internal Auditing Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
IIA Internal Audit Capability Model
2010: Planning
The chief audit executive must establish a risk-based plan to determine the priorities
of the internal audit activity, consistent with the organization’s goals.
Risk-Based Plan
2040: Policies and Procedures
• Policies
• Procedures
• QAIP
• Administrative Matters
• Staff Meetings
• Emails
• Signed Acknowledgements
2050: Coordination and Reliance
2060: Reporting to Senior Management and the Board ‐ UPDATED
The CAE must report periodically to senior management and the board…
Charter
Independence
Audit Plan & Progress
Resources Needed
Results of Audit Activities
Conformance with Code of Ethics & Standards
Significant Risk & Control Issues
Value Proposition of Internal Auditing for Key Stakeholders
Help the organization achieve its strategic, operational, financial, and compliance objectives.
Catalyst for improving effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes.
Provide value as an objective source of independent advice and counsel.
Governing bodies and senior management rely on Internal Auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management and internal control processes.
2100: Nature of Work
The internal audit activity must evaluate and contribute to the improvement of
using a systematic and disciplined approach.
Risk Management (2120)
Risk exposures and adequacy and effectiveness of controls over:
• Achievement of organization’s strategic objectives
• Reliability and integrity of financial and operations information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance with laws, regulations, policies, procedures, and contracts
2110: Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process…
2200: Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.
Planning Considerations
Objectives
Engagement Scope
Resource Allocation
Work Program
Defining Objectives and Scope
2210: Engagement Objectives
Objectives must be established for each engagement.
2220: Engagement Scope
The established scope must be sufficient to achieve the objectives of the engagement.
Initial Assignment & Objectives
Gain an understanding
Risk Assessment
Final Objectives & Procedures
Scope (Nature, Timing, Extent)
What about IT?
What about FRAUD?
2210.A2 ‐ Internal auditors must consider the probability of significant errors, FRAUD, noncompliance, and other exposures when developing the engagement objectives.
2300: Performing the Engagement
2310: Identifying Information
2320: Analysis & Evaluation
2330: Documenting Information
2340: Engagement Supervision
Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
• Performance Appraisals
• Review/Coaching Notes
2400: Communicating Results
Audit Results
• 2410 ‐ Criteria for Communicating
• 2420 ‐ Quality of Communications
• 2421 – Errors & Omissions
• 2430 – Use of Conducted in Conformance with Standards
• 2431 – Engagement Disclosure of Nonconformance
• 2440 ‐ Disseminating Results
• 2450 – Overall Opinions
Risk Rating Category | Open at 8/31/17 | New | Closed 1st Quarter | Open at 11/30/17 | Past Due with no Response
Priority 1 0 1
High 6 4 0 10
Medium 68 9 23 54
Low 5 5 4 6
Total 80 18 27 71
Type CIO CISO Provost VP Admin Etc.
Priority 1
High 2 1 2*
Medium 11 9 8 5 8
Low 3 2
Total 13 11 11 7 10
The CAE should maintain a system to monitor the disposition of results communicated to management.
2500: Monitoring Progress
2600: Communicating the Acceptance of Risks
Generally Accepted Governmental Auditing Standards (GAGAS)
Yellow Book | Red Book
Auditors conducting financial audits of government and non‐profit organizations receiving federal funds. | Internal auditors and internal audit activities.
Foundation and Ethical Principles | Definition of Internal Auditing & Code of Ethics
General Standards: Independence; Professional Judgment; Competence; QC & Assurance | Attribute Standards
Fieldwork Standards: Reasonable Assurance; Significance; Audit Risk; Planning; Supervision; Evidence; Audit Documentation. Reporting Standards for Performance Audits: Reporting; Report Contents; Distributing Reports | Performance Standards
IPPF
A. Consulting
B. Independence
C. Performing Nonaudit Work
D. Reviewing the Organization’s Ethics Program
E. Risk Assessment for Overall Audit Planning
F. External QAR
G. Quality Assurance Systems
H. Reporting Compliance with the Standards
I. Referencing the Standards
J. Fraud
K. Follow‐up on Previous Audits
L. CPE
GAGAS 2017 Exposure Draft Major Proposed Changes
• Independence requirements guidance
• CPE requirement for GAGAS
• Standards for Review
• Added a definition of waste and requirements for reporting (2011 version defines fraud, non‐compliance, internal control weakness, and abuse)
• More emphasis on Internal Controls – alignment with Green Book
Green Book!
Speaking of internal controls…
We’ve Rocked the Red Book!
• We now understand the development of internal auditing standards and guidance!
• We have identified the latest and greatest enhancements to the framework for the professional practice of internal auditing!
• We are going to apply the standards and guidance to our internal audits and our departmental operations to enhance the value of our internal audits!
utdallas.edu/audit