CAE Communications with the Audit Committee
State of Oregon CAE Training Salem, Oregon
November 3, 2010
Training Objectives
Assess the power of face-to-face meetings with the Audit Committee and its Chair
Determine what the Audit Committee wants and needs
Consider approaches on reporting to the Audit Committee regarding: Audit Plan, Audit Engagements, Investigations, Issue tracking, Internal Audit operations, Organizational strategy
Agenda
1. Power of face-to-face meetings
2. What the Audit Committee wants and needs
3. Reporting on the Audit Plan
4. Reporting on Audit Engagements
5. Reporting on Investigations
6. Reporting on Issue Tracking
7. Reporting on Internal Audit Operations
8. Reporting that contributes to Organizational Strategy
Power of Face-to-Face Meetings
Unit 1
Credibility
The quality, capability, or power to elicit belief
The quality of being believable or trustworthy
Given credibility: derives from external validation
Acquired credibility: earned through interaction
Credibility Builders
Deliver on commitments
Present information that is meaningful, accurate, and timely
Be responsive
Be honest and transparent about capabilities
Trust
Firm reliance on the integrity, ability, or character of a person or thing
Built over time by evidence and through contact
Build relationships when issues are not pressing, e.g. over lunch
What the Audit Committee Wants and Needs
Unit 2
Audit Committee Reporting
Internal audit planning
Internal audit results
Issue tracking
Internal audit operations
Audit Committee education
Organizational strategy
International Professional Practices Framework
Require board communications:
1000 Purpose, Authority, and Responsibility
1110 Organizational Independence
1111 Direct Interaction with the Board
1320 Reporting on the Quality Assurance and Improvement Program
2020 Communication and Approval
2110 Governance
2440 Disseminating Results
Audit Charters
Samples of both audit committee and internal audit charters available from the IIA
Both include mandates requiring communications with the Audit Committee
Communications Plan Example
Topic: Audit observations
Mode: High risk – full report; Medium risk – summary; Low risk – simple list
Frequency: Quarterly
Dates: Jan 8, Apr 8, Jul 8, Oct 8
Two Questions for the AC
What do you want less of?
What do you want more of?
Reporting on the Audit Plan
Unit 3
Objectives for Reporting on Audit Planning
Informs audit committee (AC) of the risk universe as you define it
Informs the AC what you will cover
Informs the AC what you will not cover
Demonstrates how your audit plan is aligned with your risk-assessment methodology
Explains how your plan does or does not support your ability to render an opinion
Informs the AC how you will deploy resources
Measures productivity of the internal audit
High Performance Business Model
Monitoring
Risks/Controls
Objectives/Metrics
Governance/Organization/Processes
Strategy/Risks
Vision/Values/Culture
Governance Model
Strategy
Monitoring & Communication
Enterprise Risk Management
Transparency & Reporting
Ethics & Business Conduct
Legal, Regulatory, Standards
Roles and Responsibilities
Other Considerations
Focus Lists
Dynamic audit plans
Including other assurance coverage: External Auditor, Regulators, Compliance groups, Management self-assessments
Small-Group Activity
What are the opportunities to make the risk assessment and planning processes more robust and add more value to the enterprise?
What are the underserved needs of the audit committee and executive management?
Does your process comply with standards, e.g. Governance and Risk Management?
Do you have a definable, repeatable risk-assessment process that has been reviewed with the audit committee and executive management?
Do you develop both an unconstrained and constrained plan for audit committee review?
What other organizations are providing risk assurance work? Are they included in your plan? Should they be?
Reporting on Audit Engagements
Unit 4
Different Approaches
All reports in full
Only significant reports
Only executive summaries
Summary of observations
Considerations
What do you want the AC to focus on?
What do they want: more detail, less detail?
How much time do you have for the presentation?
How skilled are you and your writers?
How effective is the staff at writing reports that convey the messages you want to get across?
Do you rate observations or reports?
Reporting on Investigations
Unit 5
Investigations by IA or Others
Internal audit usually gets the “Big Three”: Big people, Big money, Big issue
May be in conjunction with legal, security, procurement, IT, others
Considerations
How will you separate noise from issues?
How will you report on trends that emerge?
What level of detail is the AC seeking?
Typical Summaries
Number of allegations by time period or business unit
Nature of allegations, e.g. theft, conflicts of interest, ethical violations
Number open, in progress, closed
Recommended actions, e.g. letter to file, pay cut, termination, referral to police
Reporting on Issue Tracking
Unit 6
Tracking Parameters
Aging of open issues
Reset resolution dates
Risk-rating
Risk category: strategic, reporting, operational, compliance
Processes
Business units
Geographies
Audit Process Definition
The audit process begins with the timely identification of risks to an entity's strategic, reporting, operational, or compliance objectives… The audit process ends when the audit committee has accepted management actions to manage observed residual risks to within the risk appetite of the entity.
Repeat Audit Observations
Defect in the audit process
Inability to focus audit committee on management’s inattention
Residual risk in excess of the entity’s risk appetite
Considerations
Invite managers with overdue open issues to the audit committee to explain delays
Reporting on Internal Audit Operations
Unit 7
General Reporting Topics
Risk Assessment Methodology
Staffing and Staff Development
Budget: Salaries, Co-sourced resources, Training and development, Technology investment, Travel
Quality Assurance and Improvement Process
Reporting that Contributes to Organizational Strategy
Unit 8
Audit Committee Training
Audit Committee best practices
Regulatory environment
Risk and control models
Governance and ERM
Becoming More Strategic
Ensure risk assessment is aligned with the entity’s strategy
Seek ways to add value that are not focused on compliance and financial reporting
Focus on the foundation of the business model
High Performance Business Model
Monitoring
Risks/Controls
Objectives/Metrics
Governance/Organization/Processes
Strategy/Risks
Vision/Values/Culture
Are you focused on the right risks?
How value is destroyed in companies
Where are your audit resources focused?
PwC Advisory, An Opportunity for Transformation, 2008
Strategic: 60%
Operational: 20%
Financial: 15%
Compliance: 5%
Small-Group Activity
Where are your audit resources focused?
In your group, reach consensus on the percentage of your resources assigned to strategic, operational, financial, and compliance risk.
Identify 3 risk areas where you could be more strategic.
Questions for your Chief Audit Executive
What are the criteria for establishing the annual and long-range audit plan?
What assurance do you have that you are in compliance with Standards?
Does your risk assessment include all known risks to the organization?
How do you prioritize IA efforts?
Are there areas of high priority where IA work has been deferred?
What is the level of respect internally for IA?
What are management’s practices for responding to IA reports?
Who in management has reviewed the risk assessment?
What risk factors do you consider in developing the audit plan?
How will you provide assurance for governance processes?
Has IA identified areas of serious concern relative to the corporate internal control environment?
Are there other matters that you believe should be of concern to the committee?
Putting yourself in the audit committee’s position, are there questions you believe we should ask?
What processes are not being assured this year due to resource constraints?
What processes have never been assured?
What are your risk-assessment and risk-based auditing methodologies?
What professional certifications do you and the staff hold, e.g. CPA, CIA, CISA?
What are the metrics to ensure the audit processes meet objectives?
How much resource and time does it take to publish a final audit report?
What is the process to follow with management to complete actions to resolve residual risk?
How do you track and report aged open actions?
Do you believe that management is taking risk beyond their delegation levels or in excess of the organization’s risk appetite?
Implications
Audit committees are concerned about risk management and governance
Internal audit improves its standing in the enterprise with assurance and consulting activities in these areas
Developing a strategy is essential, to include a communications plan for the audit committee
Contact Information
Jim Key, Partner
Shenandoah Group, L.L.P.
PO Box 1323
Beaufort, SC