(1) The Institute of Internal Auditors—Puget Sound Chapter Comprehensive Entry Level Training For Auditors October 12-14, 2004 Seattle, Washington Internal Auditing Overview


(2)

I. Definition of Internal Auditing

II. Evolution of Internal Auditing

III. Role of the Auditor

IV. Standards and Guidelines

V. Types of Audits

VI. Skills and Knowledge

VII. Audit Principles

VIII. Audit Process

(3)

I. Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

-Institute of Internal Auditors

(4)

II. Evolution of Internal Auditing

Significant changes to the business, risk and control environments

– Technology advancements

– Sarbanes-Oxley and related legislation and other requirements

Impact on internal auditing

Changes in:

– Expectations

– Focus

– Perceptions

(5)

III. Internal Audit’s Role in Corporate Governance

Sarbanes-Oxley Act (July 2002) Compliance

Internal Audit involvement in:

• Section 301: Audit Committee Provisions

• Section 302: Quarterly CEO/CFO certification of financial statements and disclosure controls

• Section 404: Annual control over financial reporting

Significance of the Committee of Sponsoring Organizations (COSO)

Control environment becomes the most important component of internal control

(6)

The Internal Auditor’s Role and Services

For the Customer

– Provide a Service

– Serve as a Consultant

– Act as a House Guest

– Improve Operations

– Serve as a Counselor

– Be Effective

– Ongoing Relationship

For the Auditee

– Produce a Product

– Serve as a Beat Cop

– Act as an Adversary

– Find errors

– Be a Second-Guesser

– Be Efficient

– Time-Limited Assignment

(7)

The Audit Shop’s Primary Asset:

CREDIBILITY

(8)

IV. Auditing Standards

Standards pertain to auditors’ professional qualifications and the quality of their work, the performance of field work, and the characteristics of meaningful reports.

The International Standards for the Professional Practice of Internal Auditing (Professional Practices Framework) – Institute for International Auditors

Government Auditing Standards (Yellow Book) – U.S. Government Accountability Office

(10)

IIA’s Professional Practices Framework

Definition of Internal Auditing

Code of Ethics

Internal Standards for the Professional Practice of Internal Auditing

Quality Assurance Standards

Practice Advisories (Guidance)

Development and Practice Aids

(11)

IIA’s Definition of Internal Auditing

Key Words and Concepts:

– Assurance and Consulting

– Add value

– Systematic, disciplined approach

– Risk management

– Control

– Governance

(12)

Flexibility of the New Definition

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

– Re-engaging on Internal Controls

– Fostering Enterprise Risk Management

– Facilitating more effective corporate governance

(13)

V. Types of Audits

Financial Auditing: focus on balance sheet and income statement

Operational Auditing: focus on resource utilization, accomplishment of operational goals

Compliance Auditing: focus on adherence to laws and regulations

IT Auditing: focus on integrity and security of computer systems

Performance Auditing: focus on effectiveness, economy, and efficient use of resources

Program Auditing: focus on achieving program goals

(14)

Operational Auditing

Ensure reliability and integrity of information.

Ensure compliance with policies, plans, procedures, laws, and regulations.

Ensure safeguarding of assets.

Ensure the economical and efficient use of resources.

Ensure the accomplishment of established objectives and goals for operations or programs.

(15)

VI. Skills and Knowledge

Data Gathering

– Questionnaires

– Unobtrusive Measures

– Interviews

– Focus Groups

– External Evidence / Confirmations

– Data Analysis

– Flowcharting

– Mathematics

– Statistics and Sampling

– Control Self-Assessment

(16)

Skills and Knowledge, Cont’d.

Oral Communication

– Interviewing

– Presenting

– Facilitating

Written Communication

Computer Skills

– Word processing

– Spreadsheets and data bases

– Organization-specific (Peoplesoft, ACL)

(17)

Skills and Knowledge, Cont’d.

Finance

Budgeting

Information Technology

Accounting

Regulatory Environment

Fraud

Control Concepts

Audit Process

(18)

VII. Audit Principles

Rules of Evidence: Elements of a Finding

Rules of Reporting

Rules of Performing Audits

(19)

Audit Principles, Cont’d.

Independence

Objectivity

Proficiency

Due Professional Care

Quality Assurance and Improvement Program

Managing the Internal Audit Activity

Nature of work

Engagement Planning

Performing the Engagement

Communicating Results

Monitoring Progress

(20)

Terms, Acronyms & References to Know

• Audit

• Assurance Services

• Control (internal control)

• Engagement

• Survey

• Governance

• Risk (risk management)

• Residual Risk

• Control Environment

• COSO (CRIME)

• COCO

• SOX – Sarbanes-Oxley

• AICPA

• CIA, CMA, CCSA

• CPE

• GAAP

• GAAS

• SAS

• SSAE

• 404

• CARES

• Attestation

• SPPIA

• Confirmations

(21)

VIII. Audit Process

Masterjob Checklist

(22)

Introductory Exercise

1. Form groups of six members.

2. Find out from each other the following information:

– the organizations you work for

– the audit sections you represent

– the types of audits you work on and have experience with

– the length of time you’ve each been auditing

– why each of you has chosen the audit profession—is it a career or a stepping stone?

– what you each hope to get out of the course

3. Pick one person to summarize the information and introduce the group.

(23)

Teamwork Exercise

1. What are important topics to consider when preparing for an audit of employee use of rental cars?

2. What are five skills that would be valuable in auditing employee use of rental cars? A skill is an ability or proficiency in an area; for example, accounting.

3. What are five techniques that would be valuable in auditing this? A technique is a method or procedure for accomplishing a task; for example, flowcharting.

(24)

Internal auditors in the Canadian Government are to utilise the IIA ‘Standards for the Professional Practice of Internal Auditing’ in carrying out their internal auditing responsibilities

(TB Policy on Internal Audit, Appendix B)

(25)

‘Assurance services are objective examinations of evidence for the purpose of providing an independent assessment of…

– risk management strategies and practices

– management control frameworks and practices

– information used for decision-making and reporting’

(TB Policy, Section 2 and Appendix A)

(26)

‘Assurance services – An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.’

(IIA Standards for the Professional Practice of Internal Auditing)

(27)

Key principles of the definition:

objective examination

evidence based

independent assessment

(28)

ASSURANCE ADVISORY

INTERNAL AUDIT SERVICES

FORENSIC INVESTIGATIONS

ASSURANCE AUDITS

COMPLIANCE AUDITS

CONTROL SELF-ASSESSMENTS

BENCHMARKING

CONSULTING STUDIES

(29)

THE ‘WHAT’

(30)

‘Assurance provided by the internal auditor, through audit engagements, provide management confidence on the soundness of management processes within the organization. They will also guide management in determining where the organization is most exposed to risk,…

(TB Policy, Section 2)

(31)

2100 – Nature of Work – The IA activity evaluates and contributes to the improvement of risk management, control and governance systems.

2110 – Risk Management – The IA activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

(IIA Performance Standards)

(32)

2120.A1 – Based on the results of the risk assessment, the IA activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. This should include:

– reliability and integrity of financial and operational information;

– effectiveness and efficiency of operations;

– safeguarding of assets; and

– compliance with laws, regulations, and contracts.

(IIA Performance Standards)

(33)

A caution:

1220.A2 – The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

(IIA Attribute Standards)

(34)

THE ‘HOW’

(35)

The IA function:

conducts individual audits in an effective and efficient manner with risk-based plans that address the scope of the engagement, work programs that meet the objectives of the engagement, and sufficient appropriate evidence that supports the findings and conclusions.

(TB Policy, Appendix B)

(36)

2200 – Engagement Planning – Internal auditors should develop and record a plan for each engagement.

(IIA Performance Standards)

(37)

2201 – Planning Consideration – In planning the engagement, internal auditors should consider:

– the objectives of the activity being reviewed and the means by which the activity controls its performance;

– the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;

– the adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model; and

– the opportunities for making significant improvements to the activity’s risk management and control systems.

(IIA Performance Standards)

(38)

2210 – Engagement Objectives – The engagement’s objectives should address the risks, controls, and governance processes associated with the activities under review.

2220 – Engagement Scope – The established scope should be sufficient to satisfy the objectives of the engagement.

(IIA Performance Standards)

(39)

2240 – Engagement Work Program – Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

2240.A1 – Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to the commencement of work, and any adjustments approved accordingly.

(IIA Performance Standards)

(40)

2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

(IIA Performance Standards)

(41)

Criteria

‘In an audit engagement, in order for meaningful conclusions to be reached, they need to be made in relation to a set of suitable criteria.’

‘Criteria are benchmarks against which the subject matter can be assessed.’

(TB Policy, Appendix A)

(42)

‘The internal auditor should always attempt to identify criteria that yield useful information to departmental or agency management.’

‘Preference is to be given to the use of generally accepted criteria when they are consistent with the objective of the audit engagement.’

(TB Policy, Appendix A)

(43)

‘In the federal government environment, generally accepted criteria could be those established by:

– acts and regulations;

– government policy, guidelines or standards;

– risk management, management control framework, performance information, and other guidance provided by the Government of Canada; and

– recognized bodies of experts’

(TB Policy, Appendix A)

(44)

‘When there are no generally accepted criteria consistent with the objective of the audit engagement, and criteria from other sources are identified, then the internal auditor should obtain from departmental or agency management an acknowledgement that the criteria are suitable for the engagement.’

(TB Policy, Appendix A)

(45)

2300 – Performing the Engagement – Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement’s objectives.

(IIA Performance Standards)

(46)

2310 – Identifying Information – Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

2320 – Analysis and Evaluation – Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Recording Information – Internal auditors should record relevant information to support the conclusions and engagement results.

(IIA Performance Standards)

(47)

audit plan / management request

audit objective(s)

criteria

audit program / tests

evidence

conclusions

report

(48)

THE ‘WHY’

(49)

‘…assurance is provided by designing procedures so that in the internal auditor’s professional judgement, the risk of an inappropriate conclusion is…low…through procedures such as inspection, observation, enquiry, confirmation, computation, analysis and discussion.’

(adaptation from TB Policy on Internal Audit, Appendix B)

(50)

assurance = not absolute

= low risk of inappropriate conclusion

= judgement

(51)

Key Principle = Replicability

i.e., consistency, such that others would arrive at the same conclusion(s) based on the criteria, testing methods and evidence

(52)

THE ‘CAPACITY’

(53)

The IA function has the capacity to accomplish its responsibilities, by having sufficient resources and being staffed with competent people, effectively deployed, who work to professional standards, utilize good communication practices, and adhere to public service and professional ethics, values and codes of conduct.

The IA function has the breadth of knowledge to accomplish its responsibilities, by utilizing work teams that collectively possess or have access to sufficient expertise in the subject matter being audited.

(TB Policy, Appendix B)

(54)

1200 – Proficiency and Due Professional Care – Engagements should be performed with proficiency and due professional care.

(IIA Attribute Standards)

(55)

1210 – Proficiency – Internal auditors should possess the knowledge, skills and other competencies needed to perform their individual responsibilities. The IA activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1 – The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

(IIA Attribute Standards)

(56)

1220 – Due Professional Care – Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 – The internal auditor should exercise due professional care by considering the:

– extent of work needed to achieve the engagement’s objectives;

– relative complexity, materiality, or significance of matters to which assurance services are applied;

– adequacy and effectiveness of risk management, control, and governance processes;

– probability of significant errors; and

– cost of assurance in relation to potential benefits.

(IIA Attribute Standards)

(57)

THE ‘PRODUCT’

(58)

Reporting Standards:

– are written so that the important issues are easily understood; and only include information needed to properly understand the conclusion and any significant problems identified;

– identify to whom the recommendations are directed;

– describe what was examined, how it fits into overall operations of the organization, and its importance;

– describe the objective(s), scope and timing of the engagement;

– identify criteria used in the engagement;

(59)

Reporting Standards (continued):

– describe compliance with relevant laws, regulations, policies and standards;

– provide relevant analysis and explanation of the exposure to risks;

– state a conclusion that conveys a clear understanding of what is being assessed, the criteria assessed, the level of assurance provided, and any reservations (see Appendix A)

– integrate an action plan that identifies the actions to be taken and their timing.

(TB Policy, Appendix B)

(60)

2400 – Communicating Results – Internal auditors should communicate the engagement results promptly.

2410 – Criteria for Communicating – Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 – The final communication of results should, where appropriate, contain the internal auditor’s overall opinion.

(IIA Performance Standards)

(61)

2500 – Monitoring Progress – The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

(IIA Performance Standards)

(62)

2600 – Management’s Acceptance of Risks – When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

(IIA Performance Standards)


Audit Management


– Resource allocation/prioritization/planning/execution/reassignments

– Evaluating audit quality/peer reviews

– Best practices identification

– Computer Information System (CIS) audit career development

– Career path planning

– Performance assessment

– Performance counseling and feedback

– Training (internal/external)

– Professional development


Resource

– Allocation

– Prioritization

– Planning

– Execution

– Reassignments


Evaluating audit quality/peer reviews

– Audit Quality

– Scope and objectives of IT audit

– Term of evaluating


Best practices identification

Why is it Important to Learn about Best Practices?


Computer Information System (CIS) audit career development

To commit resources to training and development

If a clear career path and development program do not exist, the chances of poor performance and turnover of personnel are high.

Define a career path within which options, training, expected knowledge, skills, and abilities are specified for each level of advancement


Career path planning

– IS Auditor Trainee

– Assistant IS Auditor

– IS Auditor

– Senior IS Auditor

– Manager of IS Auditor

– Director of IS Auditor


Performance assessment

Performance assessment is the process by which criteria for individual career paths are matched to organizational goals and objectives.

Employees need to understand how the measurement of their performance relates to their progress both within the IS audit function and within the organization as a whole.

The IS Auditor must demonstrate effectively – through strong performance, as well as the successful attainment of knowledge, skills, and abilities.

Term of assessment


Performance counseling and feedback

Management feedback is another important component of the career development process.


Training (internal/external)

Training Levels:

– A general curriculum should be prepared that covers training and education that must be administered to give all IS auditors an opportunity to become fully qualified in their profession.

– Individualized plans should be prepared that are tailored to chosen career paths, as well as to individual strengths and weaknesses.


Professional development

Professional Community Certification

– Certified Public Accountant (CPA) – American Institute of Certified Public Accountants

– Certified Internal Auditor (CIA) – Institute of Internal Auditors

– Certified Information Systems Auditor (CISA) – Information Systems Audit and Control Association

– Certified Information Security Manager (CISM) – Information Systems Audit and Control Association