1

Risk Assessment and the Development of the Internal Audit Plan the Illinois Office of Internal

Audit Approach

Stephen Kirk, Chief Internal Auditor, CIA, CGAPPresented: July 18, 2012

Gather information regarding best practices. Learn as much as you can from other Internal

Audit shops. Steal the wheel and modify it to your needs

don’t reinvent it. Take the ideas you like from everyone’s process and adapt them to your own process and be open to helping each other.

I am going to present the Illinois process today, hopefully you can take something with you that is useful. I also hope that you will share your ideas with me so I can improve upon my process.

2

Where do I Start?

Illinois has a State Internal Audit Advisory Board (SIAAB) that is responsible for the following:

1. Promulgating uniform standards and code of ethics and providing guidance to State Internal Auditors. The standards and interpretations predominantly followed by Illinois are those of the Institute of Internal Auditors (IIA) although some GAO standards have been adopted as well as some State specific requirements and adaptations.

2. Provide and coordinate training, including setting standards for training.

3. Coordinate Peer or Quality Assurance Reviews.

3

Illinois Governance of Internal Audit

4

The Board is comprised of the Chief Internal Auditor of each Illinois Constitutional Officer, the General Services agency for the State, and six Chief Internal Auditors appointed by the Governor. I am the current Chair. If you are interested, SIAAB maintains a website managed by the University of Illinois that can be found at http://siaab.audits.uillinois.edu/ . Free on-line training regarding the Standards of the Institute of Internal Auditor (IIA) and Illinois specific requirements is available on the website. If you have any questions, please feel free to contact me.

5

Illinois State Internal Audit Advisory Board Information

IIA Standard 2010- Planning “The chief audit executive must establish

risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”

In order to link the Internal Audit Plan to the risks of the Department, Internal Audit created an “Audit Universe” or “Auditable Units” for IDOT based upon the primary owner of the process.

6

Developing the Internal Audit Plan

It is a vital component of the risk assessment process and consists of dividing the entire Department into various control areas that cover all responsibilities and functions of the Department. These areas are listed by the primary owner of the process.

7

“Auditable Units” or “Audit Universe”

The key to a good Auditable Units schedule is periodically verifying that there have been no changes or additions to the universe.

IIA Practice Advisory 2010-1 (4) states, “The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis, and focus. It is advisable to assess the audit universe on at least an annual basis to reflect the most current strategies and direction of the organization.”

8

Auditable Unit Updates

Provides the framework for monitoring the internal control structure of the Department by operational area and provides the foundation for the risk assessment process.

Allows Internal Audit to communicate with each Division or Office of IDOT in a standardized manner to monitor the Department’s internal controls.

Provides a mechanism for confirming whether all processes have been captured.

Provides a means for monitoring historic audit coverage for all functions and activities of the Department.

Demonstrates compliance with the Standards and the law that governs the internal audit function.

Considered a best practice under the IIA Standards.

9

Benefits of Auditable Units

Create and regularly update Permanent Files regarding your Auditable Units. This helps provide you with a starting point not only for your Internal Audit Plan Risk Assessment but also your audit specific Risk Assessment. Files should include the following:

1. Applicable Statutes, Rules & Regulations;2. Policies and Procedures, Manuals, Guidelines;3. Prior Audits- External, Internal, Federal;4. Management Control Certifications;5. List of Information Technology Systems Used;6. Interview Notes;7. System Narrative.

10

Permanent Files

I learned a lesson early in my career that you should never assume that you and management are working from the same playbook. All people have different experiences and understandings of processes and management techniques. Make sure you and management have a common understanding of definitions. Internal Auditors are the internal control and risk management experts and educators for their agency. Take audit planning as an opportunity to get on the same page. I do that by providing an Internal Audit Plan Framework.

11

Work from the Same Playbook

Each Director is provided a copy of the framework to be followed during the planning process. It is a framework for how they should make their assessment of their areas. This ensures the Chief Auditor that he and all Directors are working from the same page. The areas covered are as follows:

1. Risk, inherent risk, residual risk;2. Internal Control;3. Types of Internal Control;4. Methods of Internal Control;5. Risk Considerations;6. Risk Management;7. Major Threats to Internal Control

12

Internal Audit Plan Framework

Risk- The probability that an event or activity will occur that adversely impacts the achievement of an organization’s objectives.

Inherent Risk- The risk that exists in an environment without the benefit of internal controls.

Residual Risk- The risk that exists after consideration of the controls management has implemented to mitigate or transfer risk. (This is where we want to focus our efforts).

13

Risk

“Control is the employment of all means devised in an enterprise to promote, direct, restrain, govern, and check upon the various activities for the purpose of seeing that enterprise objectives are met. These means of control include but are not limited to form of organization, policies, systems, procedures, instructions, standards, committees, charts of account, forecasts, budgets, schedules, reports, records, checklists, methods, devices and internal auditing.”

***Source: “Sawyer’s Internal Auditing”, Sawyer

14

Internal Controls Defined

In order to work through the risk assessment process, you have to make sure that management understands internal controls, the control structure, and the environment in which they are operating. Again, if they are not working from the same page, they can not communicate to you the information that you need to make your risk assessment and provide a risk based plan. Never miss an opportunity to educate (teaching moment), that’s a preventative control.

15

Controls and the Risk Process

To achieve the objectives of the agency, management must place assets at risk. It is management's responsibility to decide how much and what risk it is willing to accept to achieving the objectives of the agency. Management mitigates risks and ensures that management’s objectives are met, through the use of internal controls.

16

Purpose of Internal Controls

Preventative- Segregation of Duties; Authorization & Approval; Edit Checks; Reasonableness Checks; Completeness Checks; Accuracy Checks; Dual Controls; Data Input Controls within IT System.

Detective- Detect errors & often come in the form of monitoring devices. Computer system scans for exceptions to certain parameters & generates exception reports for managerial review; comparative actions such as reconciling vendor billings to payments; physical checks such as annual inventory; management review of reports of actions taken by personnel.

Corrective-Correct problems identified by detective controls. Computer program that prompts personnel to correct problems; exception reports.

Directive- Produce positive results. Strategic plan and its specific goals & objectives, organizational charts which assign responsibility to ensure tasks are completed to meet the agency mission. Written procedures which instruct how management wants various tasks accomplished providing the exact steps & chronological sequence and required documentation to ensure uniform execution; important reference & training tool ensuring continuity of operations.

Compensating- Compensate for shortcomings in the system thus offsetting the need to correct another control weakness. It may also be part of a redundant system.

***Source: “Internal Auditing Principles & Techniques”, Ratliff

17

Types of Internal Controls

Organizational Controls- Establish the framework in which the agency operates. Define purpose and general focus of operations; mission, goals & objectives; structure & division responsibilities; establish decision making hierarchy; job descriptions for detailed outline of duties & responsibilities; outline reporting responsibilities.

Operational Controls- Functional activities that include planning; budgeting; accounting; program activities; documentation; authorization; policies & procedures; manuals & guides; information systems.

Personnel Controls- Recruiting & selection of suitable personnel; orientation, training, development of personnel; supervision & direction of personnel.

Periodic Review Controls- Appropriate monitoring of agency operations. Performance reviews of individual employees; internal reviews of operations & programs through management reports; quality management & assurance reviews; internal & external audits; peer reviews.

Facilities & Equipment Controls- Ensure facilities & equipment are properly acquired, tracked & maintained. Lease management; building & property management; maintenance; tracking & monitoring of equipment.

***Source: “Internal Auditing Principles & Techniques”, Ratliff

18

Methods of Internal Control

Congress established the Committee of Sponsoring Organizations (COSO) & they developed a risk management framework in 1992. This was updated in 2004 & became the Enterprise Risk Management Integrated Framework (ERM). It is the recognized standard for risk management. ERM consists of 8 components that are key to management managing risk within the organization:

1. Internal Control Environment- Formulates a risk management philosophy & sets the tone of the organization.

2. Objective Setting- Sets what the entity strives to achieve.3. Event Identification- What has to be done to implement the agency’s strategy & achieve

established objectives.4. Risk Assessment- Consideration of how potential events may affect the achievement of the

strategy & objectives.5. Risk Response- Identify actions to reduce risk.6. Control Activities- Implement action through policies & procedures and other activities to

control risk.7. Information & Communication- Dissemination of information to all personnel regarding the

process & its importance.8. Monitoring- Monitor and check for the appropriateness and effectiveness of controls & the

management of risk.

***Source: Institute of Internal Auditors

19

Risk Management

These 8 COSO core components provide the framework for how management and Internal Audit needs to think during the Risk Assessment process. Is management doing well in these core areas? Even if they have appropriate internal controls in place, are they effective and are they working properly.

20

COSO Core Components

Provide management with a list of risk considerations that should be utilized by management in assessing the risk within a process. All of these factors should be considered during management’s determination of whether they have an effect on the environment in which the area is operating or have caused a change to that environment. Through an assessment of these factors, management should arrive at a list of areas or programs for which they believe there is a higher risk or level of importance. The end result of this process is a ranking of activities that helps Internal Audit identify areas to which limited resources should be allocated first in order to provide useful input to management.

21

Risk Considerations

Priority of Agency Head or Management and reasons; Cause-Suspicion of fraud, improper conduct, blatant disregard

for procedures, suspected misuse or improper use of assets; Financial Exposure-Size of auditee or amount of agency assets

at risk, liquidity of assets (easy theft), transaction volume; Significance of area to agency operations; Changes to laws, rules and regulations; Adequacy, effectiveness & quality of internal controls; Major changes in technology, operations, programs, systems

or controls; New programs or initiatives; Complexity of operations; Rapid growth of the Division;

22

Common Risk Considerations

Competence, experience or time in position of management for the area or recent key management personnel changes;

Competence, experience or time in position of staff, recent key personnel changes or high staff turnover;

Significance and number of previous internal and/or external audit findings;

Time since last audit; Political or press exposure or general public impact considerations; Extent or changes to the computerization of the area; Ethical climate such as pressure by management on area to meet

objectives; Low employee morale or problematic personnel; Changes in capabilities or experience of audit staff; Audit plans of external auditors; Opportunities to achieve operating benefits.

23

Risk Considerations Cont.

This helps management to think about what causes things to go wrong with the Internal Control System.

Management Override- Controls that are readily set aside at the option of management or personnel. This is equivalent to no controls at all.

Optional or Incomplete Controls- Controls that say “may” or those that give options without guidance for making decisions about how to proceed are not effective. They must include clear direction regarding the choice that should be made.

Form Over Substance- Controls appear to be well designed but there is no substance to them or they are ineffective or miss their intended mark.

Conflicts of Interest- Causes personnel to place their interest above that of the organization.

Access to Assets- Having improper access to assets can result in theft, misuse or abuse. Inadequately Trained or Uninformed Personnel- Results in personnel not being able

to properly perform required tasks. Personnel not understanding the reason for a particular control and the desired result may not properly execute the necessary steps. It does not matter how well the procedures are written if personnel cannot execute them properly. The end result is the same as if no controls were in place.

***Source: “Internal Auditing Principles & Techniques”, Ratliff

24

Major Threats to Control

The process becomes routine and this familiarity causes steps in the process to be overlooked;

Information concerning a law, rule or procedure was never given to an employee;

Employees not properly trained or instructed; Personnel do not recognize the importance of a step or process or its

impact on another area; Personnel miss the handoff to another area or there is confusion over

which area is responsible (each area incorrectly thinks the other is handling the process);

Time constraints; Inadequate resources devoted to the process; Employees unknowingly overlooked something; Personnel too close to the process to think of improvements (married to

the existing process); It is hard to proofread your own work.

25

Reasons non-fraud related issues occur:

The Internal Auditor is not meant to be an adversary but rather a partner. According to the Institute of Internal Auditors, Internal Auditing provides:

Assurance that the organization is operating as management intends (Governance, Risk, Control).

Insight for improving controls, processes, procedures, performance, and risk management; and for reducing expenses and managing & controlling revenues (Catalysts, Analyses, Assessments.)

Objective assessments of operations (Integrity, Accountability, Independence.)

***Source: Institute of Internal Auditors, “Value of Internal Auditing Presentation to Stakeholders”

26

Internal Audit’s Role

IIA Standard 2130: Control“The Internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.”

27

Internal Control IIA Standard 2130 the Role of Internal Audit

IIA Standard 2130.A1“The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:1.Reliability and integrity of financial and operational information.2. Effectiveness and efficiency of operations and programs.3. Safeguarding of assets; and4. Compliance with laws, regulations, policies, procedures and contracts.”

28

Control Role of Internal Audit Continued: IIA Standard 2130.A1

Base your risk assessment and Audit Plan around the Auditable Units or Audit Universe.

29

APPROACH to RISK ASSESSMENT

Each Director is sent a Risk Assessment Questionnaire. Items covered include the following: 1. Any changes to the Auditable Units;

2. New Programs or Initiatives; 3. Rapid growth or significant increases funding or expenditures; 4. Turnover of Key Management or Key Personnel; 5. Reviews or audits by a Federal Agency: e.g. FHWA, FTA, FRA, FAA, NHTSA, FMCSA,

GAO; 6. Press exposure; 7. Law changes; 8. Administrative Rule changes; 9. Information technology that was developed or had major modifications in the last

year or any that are currently in process or planned; 10. Any fraudulent activity, improper conduct, blatant disregard for procedures,

suspected or improper use of assets or State resources; 11. Any processes or programs they believe would be helpful for internal audit to

review; 12. Rank what they consider to be the five most significant areas for which the are

responsible.

30

Risk Assessment Process Questionnaire

The responses to the Risk Questionnaire are reviewed and analyzed prior to the meeting with each Director. One critical area is ensuring the accuracy of the Auditable Units. Each Director is asked to provide any updates or changes to the “Auditable Units”. In many cases, Internal Audit may also have knowledge about new programs. It is important to note these as they are discovered to make sure they are not overlooked during the Questionnaire process.

31

Analyzing Questionnaire Responses

Illinois requires each Chief Internal Auditor to prepare a two year Audit Plan. However, the second year of the Internal Audit Plan is always given reconsideration at the time of the development of the next year’s two year plan. This is because of changes in circumstances and risks that occur over the one year period, since the plan was last developed. If you only create a one year plan you may wish to consider this option. It at least allows you to anticipate the next year.

32

Analyzing the Previous Audit Plan

Chief Internal Auditor conducts a meeting with the Director of each of the Offices and Divisions. The meetings are designed to discuss the information gathered from the Questionnaires in more detail. It is also a chance to discuss the top five areas and why the Director believes they are important. The various Auditable Units are discussed in terms of the risk factors and how they relate to the area as well as the effectiveness of the controls and any issues or concerns they may be aware of. The end result is a collection of notes including the development of the areas proposed for audit during the next two fiscal years. This is verified with each Director.

33

Risk Assessment Meetings

Assess all of the information you gathered and determine which areas should receive audit coverage. Start with making the assessment at the individual Division or Office level.

Take the results of each individual Division or Office level assessment and weigh them against each other to develop a proposed Internal Audit Plan with resource hours listed. Weigh those areas that are most important against the available resources. Take into account other desirable activities such as providing coverage across your whole organizational structure.

34

Analyze All that Data and Create a Ranking for Each Area

In Illinois the Internal Audit Plan must be approved by the Secretary of Transportation. A meeting is held to discuss the proposed Audit Plan with the Secretary. We look at the priorities listed from the assessment and together formulate the final Internal Audit Plan priorities.

The Final Internal Audit Plan is presented and signed by the Chief Internal Auditor and the Secretary of Transportation.

35

Compile the Internal Audit Plan

Now go forth and audit and remember what Confucius said, “No matter where you go, there you are.” So I say, why not make the best of it!

Any Questions????????

36

Thank You

37

Stephen Kirk, CIA, CGAPChief Internal Auditor

Illinois Department of Transportation2300 S. Dirksen Parkway

Springfield, IL 62764

(217)557-1258Stephen.Kirk@Illinois.Gov