z 3h 2 - application of ppf in practice

IIA Madras M Rajeshwaron Dec 2005

Application

of Professional Practices

Framework in Practice


“Internal Audit Standards” in my opinion are

Values & Beliefs / Way of life in Internal Audit

and not just Rules / Prescriptions!


“Effectiveness of Implementation”

Role of…..

Internal Auditor

CEO / CFO

Audit Committee

IIA Leaders

…… is

vital


Application – Different Scenario!

Corporates

A. Senior level Professional responsible for Internal Audit

Status

No / Little awareness !

PrescriptionSelf conviction / Determination / Thorough understandingPresentations to Audit Stake HoldersGaining AcceptanceDrafting an “Audit Charter”Implementation & Monitoring



Corporates

B. Internal Audit co-ordinated by a by Junior level Auditors

Status

No / little awareness Interested in PPF implementation – Require guidance! Organisation not informed of the importance of PPF, New

Definition etc.

Prescription Seek IIA – Leaders’ support & do all the activities as in ‘A’



Corporates

C. Group of Companies

Status

Different companies with different status!Different Audit Committees / CEOsWith or without a Group level Internal Audit co-ordinator!



Corporates

C. Group of Companies….

PrescriptionGroup level Head should be a seasoned career internal

auditorHe / She should convince ACs / CEOs of different

CompaniesGain acceptance / put a system in place with Negotiables /

Non-negotiablesCreate a strong ‘Group Audit Forum’ / Develop Activities

relating to ‘Standards’



D. SMEs

Status

No Internal AuditBlissfully unaware of IIA / PPF etc. !

Prescription

IIA leaders to identify such SMEs & have programs for educating, guiding and making things happen!

SMEs could seek the help of IA Practitioners for installing the system.


Top 10! Standards that require attention!

• Independence & Objectivity

• Competent Advice / Assistance

• Continuing Professional Education

• Quality Assurance & Improvement

• Establishing Measures

• Planning

• Reporting to Board & Senior Management

• Relationship with Audit Committee

• Role in Risk Management

• Ethical culture


Requirements of the Standard

FocusRelevant

practical issues to be addressed


1110 – Independence & Objectivity

Focus:

Organisational Status / Objectivity

The Internal audit activity should be independent and internal auditors should be objective in performing their work

The Chief Audit Executive should report to a level within the organisation that allows the internal audit activity to accomplish its responsibilities

The CAE administratively reports to the CEO of the company and functionally to the Chairman of Audit Committee


1110 – Independence & Objectivity

Issues

Present level of Internal Auditor in our organisations ?

Responsible for two functions (Resource Utilisation Objective!)

Conflict of interest?

Priority shift between those functions?

Budget constraints coming in the way?

CEO’s time for supervision a constraint? – Delegation to CFOs?

Audit Committee’s time allocation for Internal Audit?

Why does the status of Internal Audit often seem to be a direct

consequence of organisational ledership attitudes? (Long standing IA

functions : JC Penny & Ford Motor)


1130 A2 – Impairments to Independence or Objectivity

Focus

Assurance engagements for functions over which the Chief Audit Executive has responsibility should be overseen by a party outside the internal audit activity.

Issues

Who will be the party outside the Internal Audit Activity?Level of his intervention? If Field Auditors who report to the CAE were to do the audit? Escalation of issues to Audit Committee from his (CAE) own

areas?


1210 A1 – Competent Advice / Assistance

Focus

CAE should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement

CAE should assess the competency, independence & objectivity of the outside providers.


1210 A1 – Competent Advice / Assistance

Issues

Normal approach to ‘oursourcing’ Internal Audit vs the above approach

External Auditors doing internal audit assignments Internal processes for effective evaluation of outside service

providersGAP – Guest Audit Pool as a strong Resource!Strong Business Knowledge


1230 - 1- Continuing Professional Development

Focus

Internal Auditors should enhance their knowledge, skills and other competencies through continuing professional development


1230 - 1- Continuing Professional Development

Issues

Normal Training Plan in an organisation vis-à-vis – IA!Training in Internal Audit:

* Continuous Involvement in Professional Associations

* Knowledge on Standards / its interpretation /

Application

* Technology Adoption (Audit Tools, Risk Assessment

Models)

* Research Projects on various aspects of IA

* Certification for Audit Staff (CIA / CISA etc)


1300 - Quality Assurance and Improvement Programme (QA & IP)

Focus

The Chief Audit Executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitor its effectiveness


1310 -1 – Quality Programme Assessment

Focus

This programme includes periodic internal and external quality assessments (once in 5 years) and on-going internal monitoring. Each part of the programme should be designed to help the internal auditing activity add value and improve the organisation’s operations and to provide assurance that the internal audit activity is confirming with the standards.


1300 -1 – Quality Assurance and Improvement Programme (QA & IP)

1310 – 1 – Quality Programme Assessment

Issues

Do we have a structured system?

What is the system? ISO – 9000?

How are we evidencing the continuous improvement in the Internal Audit Division? (Kaizen etc)

How do we communicate the results of such Quality System to Top Management?

Who will do the review (Internal / External)?

Do we have a manual on this?


1311 -2 – Establishing Measures

Quantitative Metrics and Qualitative Assessments to support reviews of Internal Audit Activity performance

Focus

Identifying critical performance categories:

* Audit stake holders satisfaction

* Audit Processes

* Innovation & capabilities of internal audit

(See chart in next slide)


Performance CategoriesInternal Customers

• Board / Audit Committee

•Senior Management

•Operating Management

Internal Audit Process

•Risk Assessment / Audit Planning

•Planning & Performing the Audit Engagement

•Reporting

Innovation and Capabilities

•Training

•Technology

•Industry Knowledge

External Customers

•Regulators

•External Audit

•Community

•Corporate Customer

Professional Practices Framework

Corporate and Internal Audit Strategies

Laws and Regulations


1311 -2 – Establishing Measures…

Issues

Are we trying to use GAIN – Parameters? Level of contribution to the improvement of Risk

Management and controls & Governance processes factored?

Customer Feed back obtained? Matrix prepared? Achievement of key goals and objectives depicted? Evaluation of progress against Audit Activity Plan done? Improved staff productivity substantiated? A Balance Score Card Frame Work in place? (See chart

next slide)


Balance Score Card for Internal AuditBoard / Audit Committee

• Audit Committee satisfaction survey

• Role of internal auditing viewed by audit committee

• Audit committee risk concerns

Internal Audit Process

•Importance of audit issue

•Completed vs. planned audits

•Number of major audit findings

•Amount of audit savings

•Quality assurance techniques developed

•Number of repeat findings

•Days from end of field work to report issurance

Innovation and Capabilities

•Staff experience

•Training hours per internal auditor

•CAE reporting relationship – functional

•Percent of certified staff

Management and Auditees

•Auditee satisfaction survey results

•Percent of audit recommendations implemented

•Number of management requests

•Management expectations of internal auditing

•Number of complaints about audit

Professional Practices Framework

Corporate and Internal Audit Strategies

Laws and Regulations


1311 -2 – Establishing Measures…

Issues…

Increased cost efficiency of the audit process highlighted?

Increased number of action plans for process (IA) improvements captured?

Adequacy of engagement planning / supervision documented?

Effectiveness in meeting the needs of stake holders measured?

(Next year by this time IAs have to report these to ACs – Clause 49)


2010 –A1 – Planning

Focus

The Chief Audit Executive should establish risk based plans to determine the priorities of the internal audit activity consistent with the organisation’s goals.

Issues

Have we adopted the required Technology to do this Risk Ranking?

Do we have access to the organisation’s strategy, Goals, Business Plan etc.,?

Does the organisation have a risk management system in place or not? Has it been factored in our risk prioritation?

Do we consider Auditee Management, a partner in this exercise?


2060 – Reporting to Board & Senior Management

Focus

The Chief Audit Executive should report periodically to the Board and Senior Management on the Internal Audit activity’s purpose, authority, responsibility & performance relaltive to its plan.

Reporting should also include significant risk exposures and control issues, Corporate Governance issues, and other matters needed or requested by the Board / Senior Management


2060 – Reporting to Board & Senior Management..

Issues

AC’s dual role – IA oversight responsibility & Internal Control System

Isolated ‘control’ issues reported often? (Risks vs. Risk Management Process)

Overall assurance statements not made (data inadequacy with audit)?

‘Materiality concept’ defined, discussed & agreed?


2060 – Reporting to Board & Senior Management..

Issues…

Significant Material issues

* Conditions dealing with irregularities

* Illegal Acts

* Errors

* Inefficiency

* Waste

* Ineffectiveness

* Conflicts of interest

* Control weaknesses


2060 -2 – Relationship with Audit Committee

FocusInter-locking goals of Internal Auditor & Audit CommitteeEffective & strong working relationship only will achieve this * Internal Auditor as an ‘Advisor’ to Audit committee * Audit Committee who has an ‘oversight responsibility’ for internal AuditIssues20 Questions Directors should ask about Internal Audit (IIA

Research) - clickThis should form part of the ‘Internal Auditor’s initial

presentation to the Board / Audit committee / Senior Management in the organisation

Belief is that when IA Stds. are followed , AC can discharge its responsibility more effectively.


2100 -3 – Internal Auditors’ role in Risk Management Process

Focus

The Internal Audit activity should evaluate and contribute to the improvement of risk management, control and governance processes using a systematic and disciplined approach

Issues Primary responsibility – Management Support / Facilitating Role – Internal Audit Risks - Strategic direction – Board - Ownership – Senior Management - Residual Risk Acceptance – Executive Management - Monitoring Activities – operating management - Periodical Assessment / Assurance – Internal Audit


2100 -3 – Internal Auditors’ role in Risk Management Process…

Issues….

Factors to be considered while adopting the standard

* Culture of organisation / Entity’s size * Ability of Internal Audit * Local Conditions / Customs of the Country


2100 -4 – Role in Organisation without a Risk Management Process

Focus

Consulting Role – Internal Audit Improving fundamental processes

Issues

What adds value to ‘Risk Services’ by IA? - Measurement - Completeness - Process Assurance - Second look - Objectivity


2100 -7 – Environmental Risks

Focus

SHE Audits

Issues

Do we have a Technical Audit system?Normally Safety Audits are with the Safety DepartmentNo reports placed at the Board by themShould be an integral part of Internal Audit to effectively

communicate risks to Top Management / BoardCompetency building efforts within Internal Audit?


2100 – 5 - Regulatory Compliance

2100 – 6 - e-commerce activities

2100 – 8 - Privacy Framework

2100 - 9 - Application System Reviews

2100 - 10 – Audit Sampling

2100 - 1,2, 11-- Risk Elements

(Definition, Information Security, IT Controls etc.)

Other Risk related Standards


2130 – Ethical Culture

Focus

Governance RelatedInternal Audit as an “Ethics Advocate”

Issues

Do we look at this at present?Do we see the connectivity & shift in focus? * Fraud – Investigation role * Ethics – Advocacy role



Key Organisational Ethics Activities

Set an ethical tone at the top

Promote strong and effective internal controls

Establish a whistle blower policy

Prevent reprisals

Provide ethics & fraud training for staff

Implement a confidential tips hotline

Create a culture of doing the right thing

IA’s effective Role

-

-

-



IA can play a ‘Change Agent’ role :

- Establishing a ‘whistle-friendly’ accountable Corporate Culture?

- Educating the Corporation about the ‘risk of not knowing what is going wrong!’

Have we built the required credibility and got the competency to address this area?


2600 – Management’s Acceptance of Risks

Focus

When the Chief Audit Executive believes that senior management has accepted a level of residual risk that is unacceptable to the organisation, the Chief Audit Executive should discuss the matter with Senior Management

If the decisions regarding residual risk is not resolved, the Chief Audit Executive and senior management should report the matter to the board for resolution.


2600 – Management’s Acceptance of Risks…

Issues

Are we doing this?Are issues getting dropped at the Executive Management

level?Level of Support / Freedom provided by Audit Committee

in this regard?Residual Risk – Assessment – How scientific is it ?


All these mean……

Passion and thirst for excellence!

Strong belief in IIA Standards

High level of Professionalism

Effectiveness in energising,educating, convincing

and gaining acceptance from all stake holders

Ruthless Execution of a robust audit system

Sustaining the Best Practices adopted

- A WILL TO DO !


“Will to do”

±ñ½¢Â ±ñ½¢Â¡íÌ ±öÐÀ ±ñ½¢Â¡÷¾¢ñ½¢Â÷ ¬¸ô ¦ÀÈ¢ý -¾¢ÕìÌÈû

The will to do achieves the deed

When mind that wills is strong in deed

-Thirukkural


Thank You

&

Any Questions Please?


20 Questions Directors ask about Internal Audit

1. Should we have an Internal Audit Function?

2. What should our Internal Audit function do?

3. What should be the mandate of the Internal Audit Function?

4. What is the relationship between Internal Audit and the Audit Committee?

5. To whom does Internal Audit report administratively?

6. How is the Internal Audit function staffed?

7. How does Internal Audit get and maintain the expertise it needs to conduct its assignments?

8. Are the activities of Internal Audit appropriately co-ordinated with those of external auditors?



9. How is the Internal Audit Plan developed?

10. What does the Internal Audit Plan not cover?

11. How are internal audit findings reported?

12.How are Corporate Managers required to respond to Internal Audit findings and recommendations?

13. What services does Internal Audit provide in connection with fraud?

14. How do you assess the effectiveness of your internal audit function?

15. Does Internal Audit have sufficient resources?

16. Does Internal Audit function get appropriate support from the CEO and Senior Management Team?



17. Are you satisfied that this organisation has adequate internal controls over its major risks?

18. Are there any other matters that you wish to bring to the Audit Committee’s attention?

19. Are there other ways in which internal audit and the audit committee could support each other?

20. Are we (the Audit Committee) satisfied with our Internal Audit Function?

back

z 3h 2 - application of ppf in practice

Education

internal audit status

status of internal audit

internal audit activity

internal audit standards

internal audit coordinated

internal audit staff

oursourcing internal

audit committee role