CREATING VALUE-ADDED WORKPROGRAMS (transcript of a 36-page slide deck)

Page 1

[email protected]  

(C)  GoldCal  LLC  2015   1  

CREATING VALUE-ADDED WORKPROGRAMS

Danny M. Goldberg, Founder

INTRODUCTION

Page 2

Danny M. Goldberg
• Founder, GOLDSRD (www.goldsrd.com)
• Former Director of Corporate Audit/SOX at Dr Pepper Snapple Group
• Former CAE - Tyler Technologies
• Published Author (Book/Articles)
• Texas A&M University – 97/98
• Chairman of the Leadership Council of the American Lung Association - North Texas – Calendar Year 2012
• Served on the Audit Committee of the Dallas Independent School District (CY 2008)
• Current Dallas and Fort Worth IIA Programs Co-Chair
• Fort Worth IIA Board Member
• IIA North America Learning Committee Member

Certifications:
• CPA – Since 2000
• CIA – Since 2008
• CISA – Since 2008
• CGEIT - Since 2009
• CRISC - Since 2011
• CRMA – Since 2011
• CCSA – Since 2007
• CGMA – Since 2012

Danny M. Goldberg
• Highly-Rated, Internationally Recognized Speaker
  – Asked to Speak @ 2015 IIA All-Star Conference (October, 2015)
  – One of the Top Rated Sessions, 2015 GAM Conference
  – 8th Rated Speaker, 2015 MISTI AuditWorld
  – 10th Rated Speaker, 2015 ISACA CACS
  – One of the Top Rated Speakers, 2014 IIA All-Star Conference
  – 7th Rated Speaker, 2014 ISACA ISRM Conference
  – One of the Top Rated Speakers, 2014 IIA Mid-Atlantic Conference
  – 3rd Rated Speaker, 2014 ISACA CACS
  – One of the Top Rated Speakers, 2014 IIA Gaming Conference
  – 6th Highest Rated Speaker (out of 116), 2013 IIA International Conference
  – 3rd and 5th Rated Sessions, 2013 IIA Central Regional Conference
  – 8th Rated Speaker (out of 120), 2012 IIA International Conference

Page 3

People-Centric Skills
• Added to IIA and ISACA Bookstores, Summer 2015
• Published August 2014 (Wiley Publications)
• Coauthored with Manny Rosenfeld
  – Chief Audit Executive with four global F500 Cos. and a global Financial Services organization.
• First book specific to internal audit communications and personal interactions
• This is not a reference book!
  – Story book format
  – Character development
  – Fictional Internal Audit Department
  – Fictional Professional Coach/Trainer
  – Situational

GoldSRD Snapshot

Staff Augmentation:

§  Market leader in locating cost-effective, recognized resources in accounting, finance, audit and IT

§  All requests filled within 72 hours

Professional Development:

§  Nationally-Recognized Leader in Audit and People-Centric Skill Training

§  Over 100 Full-Day Courses on Audit, Accounting, Finance and People-Centric Skills

§  Registered with NASBA to offer CPE’s for all courses in course catalog

§  Competitive Pricing

§  Interactive and Educational Courses for all levels

Executive Recruiting:

§  Unique approach to filling positions, including personality assessment for candidate and organization

§  Expansive network of qualified candidates actively looking

Page 4

PPT Business Card

Danny M. Goldberg Founder – GoldSRD [email protected] P: (214) 514-8883

www.linkedin.com/in/dannymgoldberg

https://twitter.com/DannyMGoldberg

Course Overview/Agenda
• Importance of the Audit Workprogram
• Preliminary Engagement-Level Risk Assessment (Inherent Risk)
• Audit Planning Process
  – 10 Point Plan for Effectively Planning an Audit
• Updated Engagement-Level Risk Assessment (Residual Risk)
• Building an Effective Audit Workprogram

Page 5

IMPORTANCE OF THE AUDIT WORKPROGRAM

What is a Workprogram?
• Sets forth the procedures necessary to complete an efficient and effective audit.
• Consists of a detailed plan of the work to be performed and includes the steps required to achieve audit objectives.
• In most instances, a well-structured audit program:
  – Provides an outline of the work to be performed and encourages a thorough understanding of the audited unit
  – Assists in controlling work and assigning responsibility
  – Aids in reviewing the audit
  – Furnishes evidence that the work is adequately planned
  – Provides a record that can be reviewed and approved by management before performance of work, thereby contributing to assignment supervision
  – Provides assurances that all appropriate risk areas have received adequate consideration and that important aspects of the audit have not been omitted
  – Gives order and coherence to the audit and provides a record of work completed

Page 6

Is Work-Program One or Two Words?

PRELIMINARY ENGAGEMENT-LEVEL RISK ASSESSMENT (INHERENT RISK)

Page 7

Preliminary Risk Analysis (PRA)
• Risk - Function of probability and potential impact
  – Each business function or entity has approved tolerance levels for risk exposure
  – Risk exposure tolerance must be monitored to determine whether it is increasing, decreasing, or remaining stable
• Key to an effective PRA is understanding the goals and objectives of an audit
  – The objective of an audit is not to perform the audit
  – Why is this audit being performed?
  – How can we narrow the focus of the audit to the greatest risks?
  – Why was it identified as a risk?
  – Why was it deemed important enough to appear in the audit plan?
• Information collected alters audit scope
• Higher risk = More testing
• Lower risk = Less/possibly no testing
• A good risk analysis refocuses the audit to the most relevant points (this is where real value is added!)

Risk Categories - Standard
• Reputational - Potential that negative publicity regarding the company’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions
• Regulatory and Compliance - Risk of rating adjustments and reputational impact that stems from regulatory oversight of the Company’s conformance with regulations and guidelines
• Strategic and Emerging - Related to the current and future impact on earnings, capital or potential growth that may arise from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. Strategic risks are closely related to identifying and monitoring emerging risks

Page 8

Risk Categories – Standard (cont)
• Operational/Fraud - Risk of direct or indirect loss resulting from inadequate or failed internal processes, people, strategies or external events; includes fraud risk
• Technology - Risk of loss due to inadequate security, confidentiality, integrity, capability or availability of systems affecting an organization’s operations, assets, customers, shareholders or employees
• Financial Reporting – Risk of unreliable or misleading financial reporting and disclosures, including to the U.S. Treasury, SEC, FDIC, FFIEC and other external reporting

Assess Inherent Risk – What is IR?
Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Tempting to equate Inherent Risk to Cost, since both terms refer to the importance of a process or asset to a business before controls (“vulnerabilities”) are taken into account
• Alternatively, Inherent Risk could be equated to the Probability that records are incorrect
• Inherent Risk is not always HIGH!

Page 9

Preliminary Analytical Procedures
• Five general types of procedures for analysis of current year account balance are as follows:
  – Compare to balances for one or more comparable periods
  – Compare to anticipated results (budget and forecasts)
  – Evaluate relationships to other current-year balances for conformity with predictable patterns
  – Compare with similar industry information
  – Study relationships with relevant non-financial information

CASE STUDY

Page 10

Case Study - Payroll
• Assess Inherent Risk for the Case Study
• Include All Risk Categories
  – Reputational
  – Regulatory and Compliance
  – Strategic and Emerging
  – Operational/Fraud
  – Technology
  – Financial Reporting
• Rank 1-3 (1=Low, 2=Medium, 3=High)
• Explain rankings for each
• What Ratios could be helpful in assessing risk?
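The preliminary analytical procedures on page 9 and the case-study question about helpful ratios can be turned into a repeatable check. The Python below is an added example, not material from the deck: it applies three of the five procedure types (comparison to a prior period, comparison to budget, and relationship to a non-financial driver, here headcount) to a constructed payroll trial balance and flags any account whose movement exceeds a tolerance. The account names, amounts, headcounts and the 10% tolerance are constructed values chosen for the example.

```python
"""Preliminary analytical procedures over a constructed payroll trial balance.

Added example (not from the deck). Flags accounts whose movement breaches a
tolerance on any of three procedures: prior period, budget, and cost per head
(a relationship to non-financial information). All figures are constructed."""
from typing import Dict, List, NamedTuple


class Balance(NamedTuple):
    account: str
    current: float   # current-year balance
    prior: float     # comparable prior-period balance
    budget: float    # anticipated result (budget/forecast)


def pct_change(new: float, old: float) -> float:
    """Relative change from old to new; a move away from a zero base is unbounded."""
    if old == 0:
        return float("inf") if new != 0 else 0.0
    return (new - old) / abs(old)


def analytical_flags(balances: List[Balance], headcount_current: int,
                     headcount_prior: int, tolerance: float = 0.10) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for every account that breaches the tolerance
    on at least one procedure. Accounts with no breach are omitted, so an empty
    dict means nothing needs follow-up during planning."""
    flags: Dict[str, List[str]] = {}
    for b in balances:
        reasons: List[str] = []
        # Procedure 1: compare to a comparable prior period
        if abs(pct_change(b.current, b.prior)) > tolerance:
            reasons.append("prior-period")
        # Procedure 2: compare to anticipated results (budget)
        if abs(pct_change(b.current, b.budget)) > tolerance:
            reasons.append("budget")
        # Procedure 5: relationship to non-financial information (cost per head)
        per_head_now = b.current / headcount_current
        per_head_prior = b.prior / headcount_prior
        if abs(pct_change(per_head_now, per_head_prior)) > tolerance:
            reasons.append("per-headcount")
        if reasons:
            flags[b.account] = reasons
    return flags


# Constructed sample trial balance (assumed figures, not real data)
PAYROLL_BALANCES = [
    Balance("Salaries", current=5_250_000, prior=5_000_000, budget=5_100_000),
    Balance("Overtime", current=900_000, prior=600_000, budget=650_000),
    Balance("Payroll taxes", current=420_000, prior=400_000, budget=430_000),
]
HEADCOUNT_CURRENT, HEADCOUNT_PRIOR = 105, 100  # constructed non-financial driver


if __name__ == "__main__":
    result = analytical_flags(PAYROLL_BALANCES, HEADCOUNT_CURRENT, HEADCOUNT_PRIOR)
    for account, reasons in result.items():
        print(f"{account}: investigate ({', '.join(reasons)})")
```

With the constructed figures only Overtime is flagged, and it is flagged on all three procedures: salaries grew in line with headcount, so cost per head is flat, while overtime per head rose by more than 40%. That is the kind of account the inherent-risk ranking should push toward more testing.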

AUDIT PLANNING PROCESS

Page 11

Quotes on Planning
• “Everyone has a plan - until they get punched in the face.” – Mike Tyson, Boxer.
• “People often complain about lack of time when the lack of direction is the real problem.” – Zig Ziglar

Quotes on Planning
• “Have a plan. Follow the plan, and you'll be surprised how successful you can be. Most people don't have a plan. That's why it's easy to beat most folks.” – Paul "Bear" Bryant, football coach, University of Alabama's Crimson Tide.
• “Those who plan do better than those who do not plan even though they rarely stick to their plan.” – Winston Churchill, British Prime Minister

Page 12

Elements of Preliminary Work
1. Define Objectives
   a) Define Business Objectives for Area Under Review (verified in Interviewing)
   b) Define Business Risks to Meeting Those Objectives (verified in Interviewing)
   c) Define Preliminary Audit Objectives (Risk-Based)
2. Define Scope (Sufficient)
3. Knowledge Gathering (Readily Available)
4. Authoritative Research
5. Interview Management (Who/What/Why/When)
6. Identify Internal Controls (Key vs. Non-Key)
7. Walkthroughs/Narratives/Documentation
8. Assess Key Control Design
9. Resource Allocation (Appropriate)
10. What Else Can we Provide?

1. Define Preliminary Audit Objectives
• General idea (initial perspective) as to what we should be auditing and why we are auditing it
• Define Preliminary Audit Objectives
  – Why are you performing this audit?
  – What is the point of this audit?
  – What are the expected outcomes?
  – What are the expected benefits?

NOTE: Audit Objectives cannot be developed without understanding the (a) business objectives and (b) risks to those objectives!

Page 13

Audit Engagement – Planning Objectives = SMART
• Specific
• Measurable
• Achievable
• Results-Orientated
• Time-Based

Define Audit Objectives – Common Pitfalls
• Objectives are not SMART!
• Too General to Try to Cover Everything
• Too Specific – Limits Possible Scope
• Do Not Make Sense to Auditee

Page 14

CASE STUDY

Case Study - Payroll
• Identify business objectives for case study
• Identify key risks that could impede the company from meeting those objectives
• Identify preliminary audit objectives (refined after planning is complete)

Page 15

2. Define Scope

• What are we auditing?
• What period?
• What depth?
• What area?

3. KNOWLEDGE GATHERING

Page 16

3. Knowledge Gathering
• Narratives
• Policies & Procedures
• Organizational Chart
• Intranet
• Previous Audit Reports
• Organizational Files, etc.

DISCUSSION

Page 17

Utilizing Public Information

•  Should you Google the names of key auditees during planning?

• What if the key auditee has a bankruptcy?
  – Would you want to know?
  – Does it matter?

4. Authoritative Research
• Audit Director’s Roundtable
• Knowledgeleader.com
• www.aicpa.org
• www.auditnet.org
• www.theiia.org
• www.isaca.org
• www.acuia.org
• www.sec.org
• Peer Groups

Page 18

5. INTERVIEW MANAGEMENT

Interview Management

•  Gain Valuable Insight into the Auditee

•  Get Buy-In

•  Access to Knowledge and Skills

•  Access to Undocumented Knowledge

•  We are here to help; we are not the enemy!

•  Access to Leads & Rumors

•  Understand Wants/Needs, & Expectations

•  Coordinate Timing

Page 19

Interviewing Techniques
• Never be Late
• Stay within the Allotted Time
• Stick to Relevant Questions
• Move from Simple to Complex
• Establish Rapport
  – Professionalism
  – Commonalities
  – Familiarity

Documenting Interviews
• Three Ways
  – Transcript
  – Narrative (BEST!)
  – Q&A
• Downfalls
  – Missed follow-up questions
  – Unchallenged contradictory statements
  – Record and create Minutes?
  – Obtain Sign-offs?
  – Corroborate when possible

Page 20

6. Internal Controls
• Controls are relevant for any type of audit and any process
• All controls should be identified (not necessarily by internal audit) and key controls (defined later in section) should be identified
• Throughout the process, review for:
  – Controls that make sense
  – Controls that are efficient
  – Are there better ways to do things?

Control Assertions
• Validity - Ensure that recorded transactions are the ones that should have been recorded.
• Completeness - Ensure that valid transactions are not omitted entirely from the accounting records.
• Authorization - Ensure that transactions are approved before they are recorded.
• Accuracy - Ensure that dollar amounts are figured correctly.
• Classification - Ensure that transactions are recorded in the right accounts.
• Accounting and Posting - Ensure that the accounting process for a transaction is completely performed and in conformity with GAAP.
• Proper period - Ensure that transactions are accounted for in the period in which they occur.

Page 21

Control Specifics
Each control should describe the actions taken by management to mitigate the related risk, including:
• WHO (or what system) performs the control activity
• WHAT is used to perform the activity (reports/systems)
• WHEN (how often/relational timing) the activity is performed
• WHERE the activity is performed, if relevant to mitigating the risk
• WHY the activity is performed
• HOW (specific action) the activity is performed

Control Types
• Control: Activity conducted by management to mitigate risks to an acceptable level and increase the likelihood that objectives will be achieved
• Key Control: Strongest control designed to mitigate a risk; usually addresses three control assertions or more
• Compensating Control: Control designed to supplement key controls that are either ineffective or cannot fully mitigate the risk themselves to an acceptable level.
• Complementary Control: Control that must be combined with one or more other controls to mitigate the risk to an acceptable level
• Monitoring Control: Control that provides management timely and accurate feedback on compliance and effectiveness of other controls; must have a strong level of precision

Page 22

7. Walkthroughs/Narratives/Documentation
Walkthrough - Procedure used during an audit of a process to gauge its reliability
• Walkthrough tests trace the transaction step-by-step through the process from its inception to the final disposition/recording

Other Benefits:
• Validate Documentation
• Reliability of Information
• Get to know and understand personnel
• Verify control design effectiveness

Planning Documentation – Process Narratives
• Best Practices in Process Narrative Development:
  – Documentation should include Who, What, Where, When & How: Indicate who is performing what action where (systems) and how the action occurs.
  – Indicate whether each action is automated or manual
  – Indicate the frequency of action where appropriate. Avoid vague terms such as periodically, often, sometimes, or occasionally.
  – Indicate all specific GL and Journal Entry Account Names and Numbers where applicable.
  – Indicate each system, its module, and version used in the process.
  – Identify reports and supporting documents within the step description. Use the specific name of each document. If a document is called by more than one name, use only the actual name of the document

Page 23

Planning Documentation – Process Narratives
• Document the current state only
  – Avoid ideal, future, or past state. If a process is in the middle of a change, please consult jointly with the PMO and your Manager to identify how best to document that process. If it is a new process, indicate the date the process was put into effect and document only the new process
  – Use complete job titles to indicate who is performing the action. Avoid using a person’s name or using only a Department or Business Unit name.
  – Be specific enough to suggest a means of testing

8. Assess Key Control Design
• Determine whether each key control is designed adequately to mitigate the associated risk(s)
• Primary focus of testing - Determine whether the key controls are designed adequately to provide reasonable assurance that the risks are adequately
• When assessing control design, focus on:
  – Alignment between controls and the business and audit risks identified
  – Whether controls satisfy the information processing objectives (Completeness, Accuracy, Validity, Restricted Access) and relevant financial statement assertions
  – Knowledge and experience of the people involved in performing the controls
  – Segregation of duties relevant to the process being controlled

Page 24

9. Resource Allocation

• Identify necessary resources
• Estimate total number of hours
• Build project plan (project management – separate course)

10. What Else Can We Provide?
• Always ask the auditee “how else can we help you?” (last question)
  – Shows trust
  – Builds confidence
  – We are not on the other team
  – We want to help
  – We are consultants, not auditors

Page 25

UPDATED ENGAGEMENT-LEVEL RISK ASSESSMENT (RESIDUAL RISK)

Updating the Risk Hypothesis
• No steadfast template…but be consistent!
• Numerical Ratings or H/M/L
• Show Starting Point (prior to planning), Planning and End Point (prior to fieldwork) – walk auditee through the logic

Page 26

Residual Risk

•  Residual Risk: The risk that remains after controls are taken into account (the net risk or risk after controls)

•  Commonly known as Risk (generalized)

CASE STUDY

Page 27

Case Study - Payroll
• Update the Inherent Risk Rating based on the additional information that has been uncovered during planning
  – People Rating: Based on the experience and know-how of the personnel, will this increase or decrease the current inherent risk rating?
  – Process/Control Design Rating: Based on the design of the controls (see Planning) and the risks the controls should mitigate, rank the risk

BUILDING AN EFFECTIVE AUDIT WORKPROGRAM

Page 28

Discussion – What Should be in a Workprogram?

Workprogram Contents
• Basic criteria for audit programs include:
  – Carefully stated objectives, agreed to by the client.
  – Programs should be tailor-made to the audit assignment.
  – Each step of the program should include the reason for the step.
  – Step priority should be indicated.
  – Programs should be flexible and permit use of initiative and judgment.
  – Audit work requested by the client should be identified.
• One of the objectives of the audit is to ensure that the client is effectively managing risks. During the audit, the auditor should maintain a record of the accomplishment of this element of the audit.

Page 29

Workprogram Contents
• Key Business
  – Purpose
  – Objectives
  – Activities
• Control Objectives
  – Key Risks & Suggested Controls
  – Key Performance Indicators
• Planning
  – Suggested Documentation Requests
  – Suggested Electronic Data Files
  – Select Samples: Summarize criteria for selection
  – Summarize Key Operational and Financial Metrics
  – Sample Documentation Requests for Each Sample
• Fieldwork
  – List test, describe test objective, and identify applicable risk areas
  – List test steps for each sample

Writing Workprograms – Leading Practices
• Tailor the program to fit the specific audit as to the type of organization, personnel involved, systems and procedures in effect, degree of sophistication, etc.
• Each work program step should clearly set forth the work to be completed and the reason (objective) for performing
  – Each audit team member must fully understand and comprehend why each audit step is being completed (e.g. succession planning)
  – Minimizes the inclusion of possible unnecessary work steps.
  – Efficient and effective review of audit work papers
• Program should be flexible and permit application of initiative in deviating from prescribed procedures
• Provide for the development of individual findings:
  – Performance is analyzed and reported
  – Evidence to support conclusions
  – Evaluate performance and evidence in comparison with relevant standards

Page 30

Key Aspects to an Audit Workprogram?
1. Identification of the critical operational areas and related controls and risk areas.
2. Development of key questions and work steps to validate and quantify the perceived risk areas.
3. Identification of the work steps needed to provide answers to the perceived risk areas and key questions.
4. Development of work program steps for each area under review.

Common Operational Audit W/P Steps
• Review and evaluation of existing documentation, including:
  – Policies and procedures
  – Narratives
  – Organizational Charts
  – Job Descriptions
• Analysis of personnel policies and procedures related to hiring, orientation, training, evaluation, promotion, and firing.
• Analysis of organizational policies and related systems and procedures, both administrative and operational.
• Interviews with management and operations personnel.
• Flowchart review/preparation/assistance
• Ratio, change and trend analysis
• Questionnaires, for use by the auditor or client personnel
• Surveys for relevant parties

Page 31

STEPS TO BUILDING AN EFFECTIVE AUDIT WORKPROGRAM

Steps to Building an Effective Audit Workprogram
1. Identify Specific Audit Risks
2. Define Audit Scope
3. Define Audit Objectives
4. Define Audit Criteria
5. Define Overall Steps to Testing Objectives
6. Define Specific Work Sub-Steps for Each Overall Step
7. Verify Specific Audit Risks are covered through Work Steps

Page 32

Define Audit Objectives – Common Pitfalls
• Objectives are not SMART!
• Too General to Try to Cover Everything
• Too Specific – Limits Possible Scope
• Do Not Make Sense to Auditee

Define Audit Criteria
• Make all Audit Objectives Measurable!
• Efficiency and effectiveness are defined as:
  – Key Performance Indicators that will be defined by Management and the business and measured against
  – Leading industry practices
  – Balance of controls and efficiency
• Tools and materials are defined as:
  – Guidance on current role and responsibilities
  – Access, both physical and logical
  – Role of hiring manager in process
• Messaging is defined as:
  – Documents/Presentations that highlight the strengths of the organization
  – Document/Presentations that outline the benefits of working at the organization
  – Analysis of role and key stakeholders each new employee should meet and be introduced to

Page 33

Keys to Building an Effective Workprogram
• Remember – testing should correlate to risk
  – Higher Risk: need more/reliable evidence
  – Lesser Risk: do we test at all? Can we just walkthrough?
• Writing for ANY PRUDENT AUDITOR
• Need lots of detail but cannot eliminate (nor do you want to) professional judgment.

Page 34

Do Not Forget!
• How will testing be performed?
• How will samples be selected?
• What is the source(s) of information?
• What types of information are needed?
• Must evaluate sufficiency, reliability, relevance?
• How will the objectives be tested?
• How reliable does the testing method need to be?
• Can we integrate other audits?
  – IT General Controls/Application Controls
  – Fraud Risk Assessment/Red Flags

Evidence Requirements
• Sufficient – Measure of the quantity of the evidence; sufficient information should be collected and evaluated so that a reasonably informed, unbiased person would agree with the auditor’s conclusions.
• Reliable – Comprises the measure of reliability and adequacy of the source of evidence and the method of obtaining it; generally, information received from an independent third party is more reliable; evidence is reliable where it is gained via direct physical examination, observation and inspection and where it is received in documentary form rather than verbally. The degree of information reliability increases where it is received from several sources.
• Adequate – Measure of adequacy of the evidence. Audit evidence may be physical, testimonial, documentary and analytical.

Page 35

Build Workprogram Steps - Example

• Audit Objective - Employees are not provided applicable tools and materials to begin tenures successfully
• Audit Criteria - Tools and materials are defined as:
  – Guidance on current role and responsibilities
  – Access, both physical and logical
  – Role of hiring manager in process

Workprogram Steps - Example
Based on the IA Sampling Policy, select a sample of 30 new hires during calendar year 2013:
1. Verify Human Resources coordinates with the hiring manager and applicable department to obtain the new employee’s role guidance summary and presentation of detail of job description (this is verified through the new employee coordination checklist).
2. Obtain the new employee building access form and verify it has been completed by the hiring manager and approved by facilities at least three days prior to start date
3. Obtain the new employee equipment forms and verify they have been completed by the hiring manager and approved by IT and Facilities in regards to office equipment, smart phone and laptop
4. Obtain the new employee system access forms and verify they have been completed by the hiring manager and approved by IT Security at least five days prior to start date

Page 36

Course Summary
• Audit Workprograms are the foundation for efficient and effective audit fieldwork
• If the time to build and adjust year to year is spent, then the audit will be operationally effective
• Workprograms should be written for any prudent auditor