The ABC’s of the Internal Auditing Standards
old.northcarolina.edu/conferences/oia/2016/Session 3 -...
Ericka F. Kranitz, CPA
Andrew Rector
March 23, 2016
1
Think about…
• What is your biggest challenge?
• Given additional resources, what would you ask for?
2
Today’s Focus
• A: How do you APPLY the standards to your organization?
• B: What are the BASIC activities you should be doing?
• C: Are you COMMUNICATING the right information to your board?
3
Applying the Standards
4
International Professional Practices Framework (IPPF)
5
Mission Statement
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
6
Mandatory Guidance
• Required and essential
– Core Principles July 2015
– International Standards for the Professional Practice of Internal Auditing (Standards) 2013
– Definition of Internal Auditing
– Code of Ethics
7
Core Principles
Demonstrates integrity
Demonstrates competence and due professional care
Is objective and free from undue influence (independent)
Aligns with the strategies, objectives, and risks of the organization
Is appropriately positioned and adequately resourced
8
Core Principles
Demonstrates quality and continuous improvement
Communicates effectively
Provides risk-based assurance
Is insightful, proactive, and future-focused
Promotes organizational improvement
9
Definition of IA
• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
10
Code of Ethics
Promote an ethical culture in the profession
Expectations on behavior
Principles and Rules of Conduct
• Integrity
• Objectivity
• Confidentiality
• Competence
11
Recommended Guidance
• Implementation Guidance
– Previously known as “Practice Advisories”
– Revisions - next 18 months
• What’s required for Standards
• Suggestions on how to show conformance
• Supplemental Guidance
• Global Technology Audit Guides (GTAGs)
• Guide to the Assessment of IT Risk (GAITs)
12
The Basic Activities
13
Purpose, Authority, and Responsibility
IA Charter
• Defines role
• Assurance and consulting
• Position and reporting
• Functionally and administratively
• Unrestricted access to people, places, information
• Clearly state what will and will NOT do
14
Purpose, Authority, and Responsibility
IA Charter
• Board approves, document in minutes
• Revisit regularly
Audit Committee Charter
• Role and responsibility for internal audit
• Hire and review top audit executive
Reference
• Standard 1010, Model IA and Audit Committee Charters on IIA website
15
Independence (STD 1110, 1111)
Organization chart
• Functional reporting line for audit
Ability to do the job
• No interference as to people and audits
Access to board
• Opportunity to meet directly
Impairment
• Scope restrictions, access limitations
16
Individual Objectivity (STD 1120)
• Impartial and unbiased
• Conflicts of interests
– Fact and appearance
• Code of conduct - does one exist
– Process to disclose and manage conflicts
• Examples:
– Recent employment
– Family member
17
Proficiency (STD 1210)
Knowledge, skills
• Evaluate as a group for competency to do job
Certifications
• CIA, CPA, CISA, CFE, industry specific
Professional associations
• IIA opportunity
• Network with others – leverage resources
Basic knowledge
• Fraud and IT
18
Due Professional Care (STD 1220)
• Prudent person test
• Skills needed for audits
– Extent of detail work
– Understand risks and complexity
– Brainstorm about potential issues
– Consider assistance from other state agencies
• Training and development
– Profession and industry
19
Quality Assurance and Improvement Program (STDS 1300)
• Internal assessments
– Ongoing monitoring of routine practices
• Proper supervision/review
• Adhering to checklists, guidelines, internal processes
• Monitoring of audit plan
– Are you following your own practices?
– Periodic self-assessments
• Measure conformance with Standards
• How to document
20
Quality Assurance and Improvement Program
• External Assessment
– Once every 5 years
– Leverage self-assessment
– Independence of review team
– Relevant knowledge of your operations
– See questionnaire on OSBM site under QAR
– Report results to board
21
Annual Audit Plan (STDS 2010, 2020)
Audit Universe – define
Risk based criteria
Audit what’s important
Be realistic – expect the unexpected
Evaluate resources and skills
Communicate to organization
22
Engagement Planning (STD 2200)
Clear scope and objective
• Audit Plan – revisit
• What you are and are not reviewing
• Reasonable timeframe
Consider errors and fraud
Match work with competencies of staff
Review and oversight
Questionnaires – background information
23
Performing the Engagement (STDS 2300)
• Documentation
– Ability to reproduce
– Standardize - checklists and templates
• Sufficient, relevant, reliable information
• Confirm all facts
• Adequate review and supervision
• Retention - reports and support
– Final copies only
24
Monitoring Progress (STD 2500)
Timely follow-up
Formal closure of audit
Process if don’t pass?
Discuss concerns with management
Include in audit plan if significant
25
Risk of IA Activity
Audit failure
• Doing the wrong audits
• Mismatch of staff competencies to work
• Communication issues – question and confirm
False assurance
• Clarify what is/not in scope of work
• IA role may be vague
Reputational
• Strong IA processes
• Continual training and development
26
Communicating the Right Information
27
Communicating Results (STD 2400)
Clearly state objective and scope
Accurate – verify facts with client
Easily understood – basic terms
Concise and complete – relevant, to the point
Acknowledge good work
Distribute to appropriate individuals
28
Communicating Results
Audit Reports
• Condition – “what is”
• Requirements – “should be”
• Cause – how did this happen
• Effect – impact and risk
Public records request
• What must be provided
• Process for requesting and providing
29
Board Communications (STDS 1111, 2060, 2600)
Regular communication – each meeting
What do they want?
Status of audit plan vs. actual
Resource requirements or deficiencies
Unacceptable levels of risk
Opportunity to meet 1:1
NO SURPRISES
30
Board Approvals (STD 1110)
• Audit Plan
– Significant changes and why
• Charter – revisit regularly
• Budget and resource needs
– Training
– Staffing
– External assistance
31
Think about…
• What is your biggest challenge?
• Given additional resources, what would you ask for?
32
Resources
• IIA: https://www.theiia.org
– Template for IA and Audit Committee Charter
– Magazine “Internal Auditor”
– Members only webinar
• OSBM
– Information on IIA membership
• http://www.osbm.nc.gov/management/internal-audit/iia
– Peer review program http://www.osbm.nc.gov/management/internal-audit/qar
33
IIA Webinars
34
Contact Information
• Ericka F. Kranitz, CPA
– Director of Compliance Monitoring
– [email protected]
• Andrew Rector
– Principal Auditor
– [email protected]
35