Post on 05-Feb-2016
description
CAE Communications with the Audit Committee
State of Oregon CAE Training Salem, Oregon
November 3, 2010
2
Training Objectives
Assess the power of face-to-face meetings with the Audit Committee and its Chair
Determine what the Audit Committee wants and needs
Consider approaches on reporting to the Audit Committee regarding Audit Plan Audit Engagements Investigations Issue tracking Internal Audit operations Organizational strategy
3
Agenda
1. Power of face-to-face meetings2. What the Audit Committee wants and needs3. Reporting on the Audit Plan4. Reporting on Audit Engagements 5. Reporting on Investigations6. Reporting on Issue Tracking7. Reporting on Internal Audit Operations8. Reporting that contributes to Organizational
Strategy
Power of Face-to-Face Meetings
Unit 1
5
Credibility
The quality, capability, or power to elicit belief
The quality of being believable or trustworthy
Given credibility: derives from external validation
Acquired credibility: earned through interaction
6
Credibility Builders
Deliver on commitments Present information that is meaningful,
accurate, and timely Be responsive Be honest and transparent about
capabilities
7
Trust
Firm reliance on the integrity, ability, or character of a person or thing
Built over time by evidence and through contact
Build relationships when issues are not pressing, e.g. over lunch
What the Audit Committee Wants and Needs
Unit 2
9
Audit Committee Reporting
Internal audit planning Internal audit results Issue tracking Internal audit operations Audit Committee education Organizational strategy
10
International Professional Practices Framework
Require board communications 1000 Purpose, Authority, and Responsibility 1110 Organizational Independence 1111 Direct Interaction with the Board 1320 Reporting on the Quality Assurance and
Improvement Program 2020 Communication and Approval 2110 Governance 2440 Disseminating Results
11
Audit Charters
Samples of both audit committee and internal audit charters available from the IIA
Both include mandates requiring communications with the Audit Committee
12
Communications Plan Example
Topic Audit observations Mode High risk – full report
Medium risk – summary
Low risk – simple list
Frequency Quarterly Dates Jan 8, Apr 8, Jul 8, Oct 8
13
Two Questions for the AC
What do you want less of? What do you more of?
Reporting on the Audit Plan
Unit 3
15
Objectives for Reporting on Audit Planning
Informs audit committee (AC) of the risk universe as you define it
Informs the AC what you will cover Informs the AC what you will not cover Demonstrates how your audit plan is aligned with
your risk-assessment methodology Explains how your plan does or does not support
your ability to render an opinion Informs the AC how you will deploy resources Measures productivity of the internal audit
16
High Performance Business Model
Monitoring
Risks/Controls
Objectives/Metrics
Governance/Organization/Processes
Strategy/Risks
Vision/Values/Culture
17
Governance Model
Strategy
Monitoring &Communication
Enterprise RiskManagement
Transparency& Reporting
Ethics &BusinessConduct
Legal,Regulatory,Standards
Roles andResponsibilities
18
Other Considerations
Focus Lists Dynamic audit plans Including other assurance coverage
External Auditor Regulators Compliance groups Management self-assessments
19
Small-Group Activity
What are the opportunities to make the risk assessment and planning processes more robust and add more value to the enterprise? What are the underserved needs of the audit committee
and executive management? Does your process comply with standards, e.g.
Governance and Risk Management? Do you have a definable, repeatable risk-assessment
process that has been reviewed with the audit committee and executive management?
Do you develop both an unconstrained and constrained plan for audit committee review?
What other organizations are providing risk assurance work? Are they included in your plan? Should they be?
Reporting on Audit Engagements
Unit 4
21
Different Approaches
All reports in full Only significant reports Only executive summaries Summary of observations
22
Considerations
What do you want the AC to focus on? What do they want: more detail, less detail? How much time do you have for the
presentation? How skilled are you and your writers? How effective is the staff at writing reports
that convey the messages you want to get across?
Do you rate observations or reports?
Reporting on Investigations
Unit 5
24
Investigations by IA or Others
Internal audit usually gets the “Big Three” Big people Big money Big issue
May be in conjunction with legal, security, procurement, IT, others
25
Considerations
How will you separate noise from issues?
How will you report on trends that emerge?
What level of detail is the AC seeking?
26
Typical Summaries
Number of allegations by time period or business unit
Nature of allegations, e.g. theft, conflicts of interest, ethical violations
Number open, in progress, closed Recommended actions, e.g. letter to
file, pay cut, termination, referral to police
Reporting on Issue Tracking
Unit 6
28
Tracking Parameters
Aging of open issues Reset resolution dates Risk-rating Risk category: strategic, reporting,
operational, compliance Processes Business units Geographies
29
Audit Process Definition
The audit process begins with the timely identification of risks to an entity's strategic, reporting, operational, or compliance objectives…The audit process ends when the audit committee has accepted management actions to manage observed residual risks to within the risk appetitive of the entity.
30
Repeat Audit Observations
Defect in the audit process Inability to focus audit committee on
management’s inattention Residual risk in excess of the entity’s
risk appetite
31
Considerations
Invite managers with overdue open issues to the audit committee to explain delays
Reporting on Internal Audit Operations
Unit 7
33
General Reporting Topics
Risk Assessment Methodology Staffing and Staff Development Budget
Salaries Co-sourced resources Training and development Technology investment Travel
Quality Assurance and Improvement Process
Reporting that Contributes to Organizational Strategy
Unit 8
35
Audit Committee Training
Audit Committee best practices Regulatory environment Risk and control models Governance and ERM
36
Becoming More Strategic
Ensure risk assessment is aligned with the entity’s strategy
Seek ways to add value that are not focused on compliance and financial reporting
Focus on the foundation of the business model
37
High Performance Business Model
Monitoring
Risks/Controls
Objectives/Metrics
Governance/Organization/Processes
Strategy/Risks
Vision/Values/Culture
38
Are you focused on the right risks?
How value is destroyed in companies
Where are your audit resources focused?
PwC Advisory, An Opportunity for Transformation, 2008
Strategic
60%
Operational
20%
Financial
15%
Compliance
5%
39
Small-Group Activity
Where are your audit resources focused? In your group, reach consensus on the
percentage of your resources assigned to strategic, operational, financial, and compliance risk?
Identify 3 risk areas where you could be more strategic.
40
Questions for your Chief Audit Executive
What is the criteria for establishing the annual and long-range audit plan?
What assurance do you have that you are in compliance with Standards?
Does your risk assessment include all known risks to the organization?
How do you prioritize IA efforts? Are there areas of high priority where IA
work has been deferred?
41
Questions for your Chief Audit Executive
What is the level of respect internally for IA? What are management’s practices for
responding to IA reports? Who in management has reviewed the risk
assessment? What risk factors do you consider in
developing the audit plan? How will you provide assurance for
governance processes?
42
Questions for your Chief Audit Executive
Has IA identified areas of serious concern relative to the corporate internal control environment?
Are there other matters that you believe should be of concern to the committee?
Putting yourself in the audit committee’s position, are there questions you believe we should ask?
43
Questions for your Chief Audit Executive
What processes are not being assured this year due to resource constraints?
What processes have never been assured? What are your risk-assessment and risk-
based auditing methodologies? What professional certifications do you and
the staff hold, e.g. CPA, CIA, CISA? What are the metrics to ensure the audit
processes meet objectives?
44
Questions for your Chief Audit Executive
How much resource and time does it take to publish a final audit report?
What is the process to follow with management to complete actions to resolve residual risk?
How do you track and report aged open actions?
Do you believe that management is taking risk beyond their delegation levels or in excess of the organization’s risk appetite?
45
Implications
Audit committees are concerned about risk management and governance
Internal audit improve their standing in the enterprise with assurance and consulting activities in these areas
Developing a strategy is essential To include communications plan for the
audit committee
46
Contact Information
Jim Key, PartnerShenandoah Group, L.L.P.PO Box 1323Beaufort, SC 29901U.S.Ajckey@hargray.com1.843.812.6647