Corporate Responsibility and Internal Audit Programs

HCCA 2004 Compliance Institute Corporate Responsibility and Internal Audit Programs Urton Anderson, CIA, CGAP, CCSA

Objectives

• Learn how an effective IA function adds value to the organization
• Understand the three fundamental processes underlying corporate responsibility and IA’s role in each
• Learn how to use IA effectively and efficiently in the design and oversight of compliance control systems

Session Plan

• What is IA? A “New” Definition
• Adding Value with IA
• The Role of IA in the Governance Process
• The Role of IA in the Risk Management Process
• The Role of IA in the Control Process – The effective and efficient use of IA in compliance control systems

Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Adding Value

• Who are IA’s customers?
• What does the customer want?

IA Customers

Auditee

Audit Committee

Senior Management

Financial Management

External Auditors

Regulators

Vendors

Suppliers

Add Value

Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services

Glossary to IIA Standards

What does the customer want?

Audit Committee/Board
• Safeguarding Assets
• Compliance with Laws and Regulations
• Reliability of Data

QUALITY OF INFORMATION

Operating Management
• Effectiveness and Efficiency of Operations
• Achievement of Organizational Objectives

CHANGE AGENT

IA’s Role in the Governance Process

Corporate Governance Problem

• Corporate form of business organization is very fragile

• Adam Smith – very skeptical of corporate concept
  – East India Company
  – Never able to solve contracting problem
  – Throughout its history shareholders never made money but agents made fortunes

What is corporate governance?

The process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.

Parties in the Governance Process

• Oversight group – board and committees of the board
• Stewardship group – executive management
  – Dual role of stewardship of resources allocated by board and accountability of results of operations
• Performance group – operating and support management and staff
• Assurance group – internal and external auditing functions.

NYSE Corporate Governance Rules 303A.07(d)

(d) Each listed company must have an internal audit function.

Commentary: Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control. A company may choose to outsource this function to a third party service provider other than its independent auditor.

IA’s Role

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

IIA 2130

The Role of IA in the Risk Management Process

IA’s Role

Two aspects:

1. Assistance in the risk assessment process

2. Evaluation of the risk management process

5 Key Objectives of Risk Management Process

1. Risks arising from business strategies and activities are identified and prioritized.

2. Management and the board have determined the level of risks acceptable to the organization, including the acceptance of risks designed to accomplish the organization’s strategic plans.

3. Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk at levels that were determined to be acceptable to management and the board.

4. Ongoing monitoring activities are conducted to periodically reassess risk and the effectiveness of controls to manage risk.

5. The board and management receive periodic reports of the results of the risk management processes. The corporate governance processes of the organization should provide periodic communication of risks, risk strategies, and controls to stakeholders.

The Role of IA in the Control Process – The effective and efficient use of IA in compliance control systems

Monitoring

1. The Role of Monitoring and Oversight Controls

2. Examples of Monitoring and Oversight Controls in Compliance Systems

3. Designing Monitoring/Oversight Controls for Effective and Efficient Assurance

4. Providing Assurance of Compliance

Monitoring in Internal Control

• Monitoring Function - Actions taken by management and others to assess the quality of internal control system performance over time

The Monitoring Function

• Monitoring Controls
  – Investigation of unusual items
• Oversight Controls
  – Customer surveys and complaint analysis
• Internal Auditing Controls
  – Traditional internal audit

Compliance Examples

• Monitoring – UT Southwestern
  – Patient Satisfaction Survey – reviewed daily and any potential issues distributed to appropriate parties for prompt attention
• Oversight - UT El Paso
  – NCAA Eligibility – faculty representatives have begun to spot-check individual records.

Compliance Examples

• Internal Auditing Control – UT Tyler
  – Peer review of health and safety program
• Internal Auditing Control – UT Houston
  – Office of Institutional Compliance conducted review of Medical School’s monitoring plan for physician billing process. Review included verifying and validating chart abstraction process

Compliance Examples - UTH

Column headings:
• PATIENT
• DOS
• POS
• CPT
• PHYSICIAN
• RECORD LEGIBLE
• TP / ATTENDING NOTE IN CHART
• TP / ATTENDING SIGNATURE IN CHART
• TP / ATTENDING PARTICIPATION DOCUMENTED IN CHART
• SUMMARY OF KEY COMPONENTS DOCUMENTED
• RESIDENT NOTE IN CHART
• PROCEDURES DOCUMENTED ACCORDINGLY
• MEDICAL NECESSITY DOCUMENTED
• ICD.9 CODED TO HIGHEST LEVEL OF SPECIFICITY / SUPPORTED IN DOCUMENTATION
• AGREE WITH AUDITOR'S FINDINGS
• COMMENTS

Designing Effective Monitoring Functions

• Monitoring is a way to evaluate effectiveness, efficiency and consistency of operational controls
• Benefits of monitoring are process improvement, identification of new risk, and assurance
• Monitoring (especially internal audit control) should not be the operating control

Effective Monitoring

Providing Assurance

• Monitoring Controls need to be auditable
  – Responsibility for monitoring assigned
  – Plan in place
  – Verifiable (documented)
• Goal is to do internal audit of monitoring and oversight controls with little time on operational

Providing Assurance – Audit Criteria

• Documented evidence of actions taken when monitoring controls identify failure
• Instances of non-compliance documented and dealt with appropriately
• Instances of non-compliance reported to Compliance committee or Chief Administrative Officer
• Documented training related to risk has been provided to all employees
• Documented training provided in each case of failure of operating controls or non-compliance
• Periodic reporting to compliance officer and committee

Effective Assurance of Monitoring Plan

• Compliance Officer reviews monitoring plan
• External Review
  – Peer
  – Commercial
• IA performs inspection of monitoring plan (determines if it can be audited)
• IA performs audit of plan

Questions?

Urton Anderson
Red McCombs School of Business
The University of Texas at Austin
(512)[email protected]