The challenges for the internal auditor
Rodoljub Kajganić, Wiener Osiguranje Vienna Insurance Group
VIG Internal Audit Group Workshop, November 2015
Agenda
- Introduction
- Successful internal auditor
- Compliance
  - Case study: How to audit compliance with group policies
- Information system audit
  - Case study: How to do a project audit
- Fraud
  - Case study: How to do fraud investigation
- Observations
- Q&A
Introduction
Presenter biography:
- Experienced Insurance/Banking Internal Auditor, Information Systems Auditor, Compliance Specialist, Fraud Investigator, AML Professional
- Head of Security & Compliance & AML department
- Professional Certificate of Competency in the field of Compliance ALCO, IFBL: L'Institut, ATTF Luxembourg
- Management Program, IEDC Bled School of Management
- Audit Committee, IT Steering Committee, Outsourcing Committee member, FATCA, ISMS project team member...
- ISACA member
- Enjoy road and mountain biking, traveling, reading, practice Krav maga
Introduction - personal mission statement
“Success always comes when preparation meets opportunity” Henry Hartman
Change. Adapt. Grow. Learn. Repeat process.
How to become a successful internal auditor?
Successful internal auditor
Skills
Knowledge
Attitudes
Triangle of Success
Analytic
Critical
Integrity
Confidence
Passion
Co-operative
Commitment
IT Audit
Compliance
Fraud
Accounting
Communication
Teamwork
Time management
Lifelong Learning, Regulations, Market Rules
Company Strategy
Legal Framework
Audit Resources
Internal audit
Successful internal auditor
- Value and risk based auditing
- Find balance between control and productivity
- From compliance to risk management
- Learn to speak the language of business
Have you got what it takes to be a successful internal auditor?
COMPLIANCE
Compliance - definition
Compliance means adherence to, or conformance with, rules, laws, standards, and policies. It also implies a sense of accountability and an obligation to uphold pertinent codes of conduct. Corporate compliance entails devising a formal internal system of policies, procedures, controls, and actions to detect and prevent violations of laws, regulations, rules, standards, and policies.
Audit legality, propriety, expediency
Internal Audit
Forecast, plans, measure risk
Controlling, Actuary
Evaluating insurance portfolio
Enterprise Risk Management
Manage regulatory obligations
Compliance
Third line of defence
External Audit
Board
Risk Management
Compliance
- Compliance with laws and regulations - policies and procedures
- Structuring the compliance department - independence, reporting lines
- Compliance program - risk assessment, mitigating risk, monitoring, reporting, training
- Tone at the top and whistle-blowing (hot line)
- Dealing with ethical challenges - compliance with laws/local regulations, non-discrimination, corruption and bribery, data privacy, insider trading, AML, protection of the environment
Compliance
Compliance audit – a compliance audit deals with the degree to which the audited entity follows rules, laws and regulations, policies, established codes and standards.
Potential threats:
- Legal impact: regulatory or legal action brought against the organization or its employees that could result in fines, penalties, litigation...
- Financial impact: negative impacts with regard to share price, potential future earnings, or loss of investor confidence.
- Reputational impact: damage to the organization’s reputation or brand (bad press or social media discussion, loss of customer trust, decreased employee morale).
To succeed you must know what success looks like, to succeed you must measure success, to succeed you must verify your measures.
Compliance - case study issue
How to audit compliance with group policies
- Applicable for all types of audits
- Risk based approach
Compliance - case study analysis
The up-to-date version of all Group guidelines is available in the VIG Intranet: https://intranet.vig.com/en/infos-guidelines/guidelines.html
Upon request the guidelines can be provided in paper form or via email.
Contact: Sabine Stiller ([email protected])
Compliance - case study analysis
- Prepare an audit plan
- Make a compliance risk assessment
- Collect evidence by using interviews, questionnaires, review of documents
- Obtain copies of departmental procedures for each area you intend to audit
- Cross-reference internal procedures with group regulations
- Verify compliance with local regulations, best practice and relevant standards
- Check reports from regulators, inspections, external auditor
Compliance - case study analysis
- Possibilities for improving efficiency and effectiveness in implementation of regulations.
- The effectiveness of internal controls.
- Is there a system for monitoring new regulations?
- Is information communicated on a timely basis in the organisation?
- Deviations from Group guidelines need a reasonable legal ground.
- If activities are outsourced, how is compliance and performance monitored?
- Consider materiality for reporting purpose (amount of potential fines).
The final goal is to determine whether the internal procedures are compliant and properly implemented in the processes.
INFORMATION SYSTEM AUDIT
Information system audit - definition
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Information system audit:
- General control examination or facility audit
- Application audit
- System development audit
- Technical or special topic audit
Information system audit - goals
- Compliance with legal and regulatory requirements
- Confidentiality
- Integrity
- Reliability
- Availability
Information system audit - IT risk
IT risk: The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
- Governance:
  - Responsibility and accountability for risk
  - Risk appetite and tolerance
  - Awareness and communication
  - Risk culture
- Risk Evaluation:
  - Risk scenarios
  - Business impact descriptions
- Risk Response:
  - Key risk indicators (KRIs)
  - Risk response definition and prioritisation
Information system audit - Internal controls
Preventive, Detective, Deterrent, Corrective, Compensating, Recovery
Manual, Automatic
Administrative, Technical, Physical
Information system audit - audit procedures
- Understanding of the audit area
- Risk assessment/audit plan
- Evaluating audit area
- Verifying and evaluating controls
- Compliance testing/substantive testing
- Reporting/follow-up
IS audit - resources
- Auditing security checklist (Microsoft Excel Worksheet)
- Auditing systems development (Adobe Acrobat Document)
IS audit - case study issue
How to do a project audit
- Projects related to information system
- Purchase or own development
- New service or new products
IS audit - case study analysis
Audit project areas:
- Integration
- Scope, time & cost
- Quality, procurement
- Risk management
- Human resources, communication
Project risk:
- Never be delivered or be delivered late
- Exceed budget
- Not deliver the required functionality
- Contain errors, fail frequently
- Be unfriendly, difficult and costly to operate
IS audit - case study analysis

| Success criterion | Relative importance |
|---|---|
| User involvement | 19% |
| Executive management support | 16% |
| Clear statement of requirements | 15% |
| Proper planning | 11% |
| Realistic expectations | 10% |
| Smaller project milestones | 9% |
| Competent staff | 8% |
| Ownership | 6% |
| Clear visions and objectives | 3% |
| Hardworking, focused staff | 3% |
| Total | 100% |
IS audit - case study analysis
Audit plan: Identify the audit scope, determine audit objectives, gather basic information about project, determine materiality, assess risk, and evaluate internal controls.
Check:
- IT strategies, plans and budgets
- Feasibility study, requirements, RFP
- Security policy
- Organization charts, job descriptions
- Steering committee reports
- Program change procedures
- Operations procedures, quality assurance procedures
IS audit - case study analysis
Feasibility study
- Well documented and clear?
- Have departments' recommendations been included?
- Has the feasibility analysis report been submitted to the management steering committee for action?
User Requirement Analysis
- Efficiency/Effectiveness
- Have the user executives approved the requirements?
- Is the new system compatible with other applications/systems?
- Could the new system recover after failure?
- Do user requirements include security, controls and privacy measures?
- Is there clear segregation of duties among those who build, test and operate the system?
IS audit - case study analysis
Purchased software
- Are there vendor evaluation criteria/selection procedures?
- Contract – remedy, backup and recovery controls, user manuals, audit trail
- Does the contract provide how the user will request changes to software?
- Can the organisation terminate the contract at any time?
- Does the vendor have a high probability of being in business during the duration of the contract?
- Is the level of internal controls satisfactory?
- Has all data been transferred to the new system in a controlled manner?
IS audit - case study analysis
Post-implementation phase
- Review of the project success
- Financial review of the feasibility study vs. results
- Lessons learned and improvements for the future
The optimal way to ensure a successful IT project is to do an effective analysis of the risks associated with that particular project and develop a plan to manage the identified and substantial risks.
IT risks are managed, IT delivers value to the business
FRAUD
Fraud - definition
Fraud is generally defined in the law as an intentional misrepresentation of material existing fact made by one person to another with knowledge of its falsity and for inducing the other person to act, and upon which the other person relies with resulting injury or damage.
Which is the bigger risk? External attacker vs. employee frauds
Fraud - statistics
Fraud – cyber attacks
Fraud - statistics
General red flags
- Often first in and last out of the office
- Lots of unused holiday
- Changes in lifestyle – spending, socializing, marital status
- Resigned, working out redundancy
- Passed over for promotion or pay review
- Pending HR disciplinary
Fraud - resources
- Red flags of insurance fraud (Microsoft Word 97 - 2003 Document)
Fraud - anti fraud framework
- Anti-fraud policy
- Roles & responsibilities
- Fraud risk assessment
- Prevention, detection, investigation
An anti-fraud policy is most effective when applied with a clear methodology and implementation plan, as opposed to random reviews which seek to rely primarily on a chance discovery of fraud or wrongdoing.
An anti-fraud policy proactively looks for fraud (rather than focussing on specific known types or incidents).
Fraud - case study issue
How to do fraud investigation
- Fraud risk assessments
- Checking transaction accounts of employees
- Investigation
Fraud – internal controls
- Do we have internal controls?
- Are they sufficient and effective?
Fraud - case study analysis
- Risk based audit - follow the money
- Appoint a fraud protection officer
- Regular fraud risk assessments
- Enforce separation of duties
- Four eyes controls, use red flags, black list
- Automatic preventive controls in the information system
Fraud - case study analysis
- Perform background checks
- Institute a policy of job rotation, mandatory vacation policy
- Have employees bonded with the proper insurance policies
- Create annual financial disclosure policies for the people in the organizational process
- Separate the authorization of the transactions from their recording
- Require multiple signatures - formal signatures!
- Define the trust levels with the appropriate checks
- Whistle-blowing — make sure you hear the bad news first
Observations
- Work on attitude, knowledge and skills
- Change, adapt, grow, learn, repeat process.
- Consider whether IT risks are managed, IT delivers value to the business. Analyze project risks, ensure you have a plan to manage the identified and significant risks.
- Ensure you have an anti-fraud policy, fraud protection officer and fraud risk assessments, follow the money.
- Determine whether the internal procedures are compliant and properly implemented in the processes.
QUESTIONS & ANSWERS
+387 (0)65 422 242
https://ba.linkedin.com/in/rodoljubkajganic
Thank you for your attention