Transcript of: CREATING VALUE-ADDED WORKPROGRAMS (slide deck)
(C) GoldCal LLC 2015 1
CREATING VALUE-ADDED WORKPROGRAMS
Danny M. Goldberg, Founder
INTRODUCTION
Danny M. Goldberg
• Founder, GOLDSRD (www.goldsrd.com)
• Former Director of Corporate Audit/SOX at Dr Pepper Snapple Group
• Former CAE - Tyler Technologies
• Published Author (Book/Articles)
• Texas A&M University – 97/98
• Chairman of the Leadership Council of the American Lung Association - North Texas – Calendar Year 2012
• Served on the Audit Committee of the Dallas Independent School District (CY 2008)
• Current Dallas and Fort Worth IIA Programs Co-Chair
• Fort Worth IIA Board Member
• IIA North America Learning Committee Member
Certifications:
• CPA – Since 2000
• CIA – Since 2008
• CISA – Since 2008
• CGEIT – Since 2009
• CRISC – Since 2011
• CRMA – Since 2011
• CCSA – Since 2007
• CGMA – Since 2012
Danny M. Goldberg
• Highly-Rated, Internationally Recognized Speaker
– Asked to Speak @ 2015 IIA All-Star Conference (October, 2015)
– One of the Top Rated Sessions, 2015 GAM Conference
– 8th Rated Speaker, 2015 MISTI AuditWorld
– 10th Rated Speaker, 2015 ISACA CACS
– One of the Top Rated Speakers, 2014 IIA All-Star Conference
– 7th Rated Speaker, 2014 ISACA ISRM Conference
– One of the Top Rated Speakers, 2014 IIA Mid-Atlantic Conference
– 3rd Rated Speaker, 2014 ISACA CACS
– One of the Top Rated Speakers, 2014 IIA Gaming Conference
– 6th Highest Rated Speaker (out of 116), 2013 IIA International Conference
– 3rd and 5th Rated Sessions, 2013 IIA Central Regional Conference
– 8th Rated Speaker (out of 120), 2012 IIA International Conference
People-Centric Skills
• Added to IIA and ISACA Bookstores, Summer 2015
• Published August 2014 (Wiley Publications)
• Coauthored with Manny Rosenfeld
– Chief Audit Executive with four global F500 Cos. and a global Financial Services organization.
• First book specific to internal audit communications and personal interactions
• This is not a reference book!
– Story book format
– Character development
– Fictional Internal Audit Department
– Fictional Professional Coach/Trainer
– Situational
GoldSRD Snapshot
Staff Augmentation:
§ Market leader in locating cost-effective, recognized resources in accounting, finance, audit and IT
§ All requests filled within 72 hours
Professional Development:
§ Nationally-Recognized Leader in Audit and People-Centric Skill Training
§ Over 100 Full-Day Courses on Audit, Accounting, Finance and People-Centric Skills
§ Registered with NASBA to offer CPEs for all courses in the course catalog
§ Competitive Pricing
§ Interactive and Educational Courses for all levels
Executive Recruiting:
§ Unique approach to filling positions, including personality assessment for candidate and organization
§ Expansive network of qualified candidates actively looking
PPT Business Card
Danny M. Goldberg Founder – GoldSRD [email protected] P: (214) 514-8883
www.linkedin.com/in/dannymgoldberg
https://twitter.com/DannyMGoldberg
Course Overview/Agenda
• Importance of the Audit Workprogram
• Preliminary Engagement-Level Risk Assessment (Inherent Risk)
• Audit Planning Process – 10 Point Plan for Effectively Planning an Audit
• Updated Engagement-Level Risk Assessment (Residual Risk)
• Building an Effective Audit Workprogram
IMPORTANCE OF THE AUDIT WORKPROGRAM
What is a Workprogram?
• Sets forth the procedures necessary to complete an efficient and effective audit.
• Consists of a detailed plan of the work to be performed and includes the steps required to achieve audit objectives.
• In most instances, a well-structured audit program:
– Provides an outline of the work to be performed and encourages a thorough understanding of the audited unit
– Assists in controlling work and assigning responsibility
– Aids in reviewing the audit
– Furnishes evidence that the work is adequately planned
– Provides a record that can be reviewed and approved by management before performance of work, thereby contributing to assignment supervision
– Provides assurances that all appropriate risk areas have received adequate consideration and that important aspects of the audit have not been omitted
– Gives order and coherence to the audit and provides a record of work completed
Is Work-Program One or Two Words?
PRELIMINARY ENGAGEMENT-LEVEL RISK ASSESSMENT (INHERENT RISK)
Preliminary Risk Analysis (PRA)
• Risk – Function of probability and potential impact
– Each business function or entity has approved tolerance levels for risk exposure
– Risk exposure tolerance must be monitored to determine whether it is increasing, decreasing, or remaining stable
• Key to an effective PRA is understanding the goals and objectives of an audit
– The objective of an audit is not to perform the audit
– Why is this audit being performed?
– How can we narrow the focus of the audit to the greatest risks?
– Why was it identified as a risk?
– Why was it deemed important enough to appear in the audit plan?
• Information collected alters audit scope
• Higher risk = More testing
• Lower risk = Less/possibly no testing
• A good risk analysis refocuses the audit to the most relevant points (this is where real value is added!)
Risk Categories – Standard
• Reputational – Potential that negative publicity regarding the company’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions
• Regulatory and Compliance – Risk of rating adjustments and reputational impact that stems from regulatory oversight of the Company’s conformance with regulations and guidelines
• Strategic and Emerging – Related to the current and future impact on earnings, capital or potential growth that may arise from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. Strategic risks are closely related to identifying and monitoring emerging risks
Risk Categories – Standard (cont.)
• Operational/Fraud – Risk of direct or indirect loss resulting from inadequate or failed internal processes, people, strategies or external events; includes fraud risk
• Technology – Risk of loss due to inadequate security, confidentiality, integrity, capability or availability of systems affecting an organization’s operations, assets, customers, shareholders or employees
• Financial Reporting – Risk of unreliable or misleading financial reporting and disclosures, including to the U.S. Treasury, SEC, FDIC, FFIEC and other external reporting
Assess Inherent Risk – What is IR?
Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls)
• Tempting to equate Inherent Risk to Cost, since both terms refer to the importance of a process or asset to a business before controls (“vulnerabilities”) are taken into account
• Alternatively, Inherent Risk could be equated to the probability that records are incorrect
• Inherent Risk is not always HIGH!
Preliminary Analytical Procedures
• Five general types of procedures for analysis of current year account balance are as follows:
– Compare to balances for one or more comparable periods
– Compare to anticipated results (budget and forecasts)
– Evaluate relationships to other current-year balances for conformity with predictable patterns
– Compare with similar industry information
– Study relationships with relevant non-financial information
CASE STUDY
Case Study – Payroll
• Assess Inherent Risk for the Case Study
• Include All Risk Categories
– Reputational
– Regulatory and Compliance
– Strategic and Emerging
– Operational/Fraud
– Technology
– Financial Reporting
• Rank 1-3 (1=Low, 2=Medium, 3=High)
• Explain rankings for each
• What Ratios could be helpful in assessing risk?
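The five analytical procedure types and the case-study question about helpful ratios can be carried out mechanically once the balances are in hand. The following is an added example, not part of the original slides: it runs all five comparison types over a constructed payroll data set (salaries, overtime, headcount, budget, an industry overtime ratio and HR time-card hours, all made up for illustration) and flags any variance beyond an assumed 10% planning threshold. The threshold, account names and figures are assumptions.

```python
"""Preliminary analytical procedures over a constructed payroll data set.

Added example (not from the original slides). All figures, account names,
benchmarks and the variance threshold are constructed for illustration.
Amounts are in thousands of dollars.
"""
from dataclasses import dataclass

# Constructed balances: current year, two prior years and budget.
PAYROLL = {
    "current_year":  {"salaries": 5400, "overtime": 610, "headcount": 92},
    "prior_year":    {"salaries": 5050, "overtime": 320, "headcount": 90},
    "two_years_ago": {"salaries": 4800, "overtime": 300, "headcount": 88},
    "budget":        {"salaries": 5300, "overtime": 350, "headcount": 93},
}
# Constructed industry benchmark: overtime as a share of base salaries.
INDUSTRY_OVERTIME_RATIO = 0.07
# Constructed non-financial information from HR time cards
# (rate is in thousands of dollars per hour, i.e. $20/hour).
NON_FINANCIAL = {"overtime_hours": 31000, "avg_overtime_rate_per_hour": 0.02}
# Assumed planning judgement: investigate variances larger than 10%.
VARIANCE_THRESHOLD = 0.10


@dataclass
class Finding:
    procedure: str
    account: str
    expected: float
    actual: float

    @property
    def variance(self) -> float:
        return (self.actual - self.expected) / self.expected


def pct_variance(actual: float, expected: float) -> float:
    return (actual - expected) / expected


def compare_to_periods(data, account, periods=("prior_year", "two_years_ago")):
    """Type 1: compare the current balance to one or more comparable periods."""
    cur = data["current_year"][account]
    return [Finding("comparable period: " + p, account, data[p][account], cur)
            for p in periods
            if abs(pct_variance(cur, data[p][account])) > VARIANCE_THRESHOLD]


def compare_to_budget(data, account):
    """Type 2: compare the current balance to anticipated results (budget)."""
    cur, bud = data["current_year"][account], data["budget"][account]
    if abs(pct_variance(cur, bud)) > VARIANCE_THRESHOLD:
        return [Finding("budget", account, bud, cur)]
    return []


def overtime_to_salary_ratio(data):
    """Type 3: relationship between two current-year balances. Overtime is
    expected to move with salaries, so compare the ratio with the prior year."""
    cur, prior = data["current_year"], data["prior_year"]
    cur_ratio = cur["overtime"] / cur["salaries"]
    prior_ratio = prior["overtime"] / prior["salaries"]
    if abs(pct_variance(cur_ratio, prior_ratio)) > VARIANCE_THRESHOLD:
        return [Finding("ratio overtime/salaries vs prior year", "overtime",
                        prior_ratio, cur_ratio)]
    return []


def compare_to_industry(data, benchmark_ratio):
    """Type 4: compare with similar industry information."""
    cur = data["current_year"]
    ratio = cur["overtime"] / cur["salaries"]
    if abs(pct_variance(ratio, benchmark_ratio)) > VARIANCE_THRESHOLD:
        return [Finding("industry overtime ratio", "overtime", benchmark_ratio, ratio)]
    return []


def compare_to_non_financial(data, nonfin):
    """Type 5: relationship with non-financial information. Recorded overtime
    cost should roughly equal overtime hours times the average overtime rate."""
    expected = nonfin["overtime_hours"] * nonfin["avg_overtime_rate_per_hour"]
    cur = data["current_year"]["overtime"]
    if abs(pct_variance(cur, expected)) > VARIANCE_THRESHOLD:
        return [Finding("non-financial: hours x rate", "overtime", expected, cur)]
    return []


def run_preliminary_analytics(data=PAYROLL, benchmark=INDUSTRY_OVERTIME_RATIO,
                              nonfin=NON_FINANCIAL):
    """Run all five procedure types and return the findings to follow up."""
    findings = []
    for account in ("salaries", "overtime"):
        findings += compare_to_periods(data, account)
        findings += compare_to_budget(data, account)
    findings += overtime_to_salary_ratio(data)
    findings += compare_to_industry(data, benchmark)
    findings += compare_to_non_financial(data, nonfin)
    return findings


if __name__ == "__main__":
    for f in run_preliminary_analytics():
        print(f"{f.account:<9} {f.procedure:<40} expected {f.expected:>9.3f} "
              f"actual {f.actual:>9.3f} variance {f.variance:+.1%}")
```

In the constructed data the overtime balance is far above prior years, budget and the industry ratio, yet it reconciles to HR's recorded hours times rate. That pattern is exactly what the slide's "Why was it identified as a risk?" question is after: the variance is real rather than a recording error, so planning would refocus on how overtime is authorized rather than on whether it was posted accurately.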
AUDIT PLANNING PROCESS
Quotes on Planning
• “Everyone has a plan – until they get punched in the face.” – Mike Tyson, Boxer
• “People often complain about lack of time when the lack of direction is the real problem.” – Zig Ziglar
Quotes on Planning
• “Have a plan. Follow the plan, and you'll be surprised how successful you can be. Most people don't have a plan. That's why it's easy to beat most folks.” – Paul "Bear" Bryant, football coach, University of Alabama's Crimson Tide
• “Those who plan do better than those who do not plan even though they rarely stick to their plan.” – Winston Churchill, British Prime Minister
Elements of Preliminary Work
1. Define Objectives
a) Define Business Objectives for Area Under Review (verified in Interviewing)
b) Define Business Risks to Meeting Those Objectives (verified in Interviewing)
c) Define Preliminary Audit Objectives (Risk-Based)
2. Define Scope (Sufficient)
3. Knowledge Gathering (Readily Available)
4. Authoritative Research
5. Interview Management (Who/What/Why/When)
6. Identify Internal Controls (Key vs. Non-Key)
7. Walkthroughs/Narratives/Documentation
8. Assess Key Control Design
9. Resource Allocation (Appropriate)
10. What Else Can We Provide?
1. Define Preliminary Audit Objectives
• General idea (initial perspective) as to what we should be auditing and why we are auditing it
• Define Preliminary Audit Objectives
– Why are you performing this audit?
– What is the point of this audit?
– What are the expected outcomes?
– What are the expected benefits?
NOTE: Audit Objectives cannot be developed without understanding the (a) business objectives and (b) risks to those objectives!
Audit Engagement – Planning Objectives = SMART
Specific, Measurable, Achievable, Results-Orientated, Time-Based
Define Audit Objectives – Common Pitfalls
• Objectives are not SMART!
• Too General to Try to Cover Everything
• Too Specific – Limits Possible Scope
• Do Not Make Sense to Auditee
CASE STUDY
Case Study – Payroll
• Identify business objectives for case study
• Identify key risks that could impede the company from meeting those objectives
• Identify preliminary audit objectives (refined after planning is complete)
2. Define Scope
• What are we auditing?
• What period?
• What depth?
• What area?
3. KNOWLEDGE GATHERING
3. Knowledge Gathering
• Narratives
• Policies & Procedures
• Organizational Chart
• Intranet
• Previous Audit Reports
• Organizational Files, etc.
DISCUSSION
Utilizing Public Information
• Should you Google the names of key auditees during planning?
• What if the key auditee has a bankruptcy?
– Would you want to know?
– Does it matter?
4. Authoritative Research
• Audit Director’s Roundtable
• Knowledgeleader.com
• www.aicpa.org
• www.auditnet.org
• www.theiia.org
• www.isaca.org
• www.acuia.org
• www.sec.org
• Peer Groups
5. INTERVIEW MANAGEMENT
Interview Management
• Gain Valuable Insight into the Auditee
• Get Buy-In
• Access to Knowledge and Skills
• Access to Undocumented Knowledge
• We are here to help; we are not the enemy!
• Access to Leads & Rumors
• Understand Wants/Needs, & Expectations
• Coordinate Timing
Interviewing Techniques
• Never be Late
• Stay within the Allotted Time
• Stick to Relevant Questions
• Move from Simple to Complex
• Establish Rapport
– Professionalism
– Commonalities
– Familiarity
Documenting Interviews
• Three Ways
– Transcript
– Narrative (BEST!)
– Q&A
• Downfalls
– Missed follow-up questions
– Unchallenged contradictory statements
– Record and create Minutes?
– Obtain Sign-offs?
– Corroborate when possible
6. Internal Controls
• Controls are relevant for any type of audit and any process
• All controls should be identified (not necessarily by internal audit) and key controls (defined later in section) should be identified
• Throughout the process, review for:
– Controls that make sense
– Controls that are efficient
– Are there better ways to do things?
Control Assertions
• Validity – Ensure that recorded transactions are the ones that should have been recorded.
• Completeness – Ensure that valid transactions are not omitted entirely from the accounting records.
• Authorization – Ensure that transactions are approved before they are recorded.
• Accuracy – Ensure that dollar amounts are figured correctly.
• Classification – Ensure that transactions are recorded in the right accounts.
• Accounting and Posting – Ensure that the accounting process for a transaction is completely performed and in conformity with GAAP.
• Proper period – Ensure that transactions are accounted for in the period in which they occur.
Control Specifics
Each control should describe the actions taken by management to mitigate the related risk, including:
• WHO (or what system) performs the control activity
• WHAT is used to perform the activity (reports/systems)
• WHEN (how often/relational timing) the activity is performed
• WHERE the activity is performed, if relevant to mitigating the risk
• WHY the activity is performed
• HOW (specific action) the activity is performed
Control Types
• Control: Activity conducted by management to mitigate risks to an acceptable level and increase the likelihood that objectives will be achieved
• Key Control: Strongest control designed to mitigate a risk; usually addresses three control assertions or more
• Compensating Control: Control designed to supplement key controls that are either ineffective or cannot fully mitigate the risk themselves to an acceptable level.
• Complementary Control: Control that must be combined with one or more other controls to mitigate the risk to an acceptable level
• Monitoring Control: Control that provides management timely and accurate feedback on compliance and effectiveness of other controls; must have a strong level of precision
7. Walkthroughs/Narratives/Documentation
Walkthrough – Procedure used during an audit of a process to gauge its reliability
• Walkthrough tests trace the transaction step-by-step through the process from its inception to the final disposition/recording
Other Benefits:
• Validate Documentation
• Reliability of Information
• Get to know and understand personnel
• Verify control design effectiveness
Planning Documentation – Process Narratives
• Best Practices in Process Narrative Development:
– Documentation should include Who, What, Where, When & How: Indicate who is performing what action where (systems) and how the action occurs.
– Indicate whether each action is automated or manual
– Indicate the frequency of action where appropriate. Avoid vague terms such as periodically, often, sometimes, or occasionally.
– Indicate all specific GL and Journal Entry Account Names and Numbers where applicable.
– Indicate each system, its module, and version used in the process.
– Identify reports and supporting documents within the step description. Use the specific name of each document. If a document is called by more than one name, use only the actual name of the document.
Planning Documentation – Process Narratives
• Document the current state only
– Avoid ideal, future, or past state. If a process is in the middle of a change, please consult jointly with the PMO and your Manager to identify how best to document that process. If it is a new process, indicate the date the process was put into effect and document only the new process.
– Use complete job titles to indicate who is performing the action. Avoid using a person’s name or using only a Department or Business Unit name.
– Be specific enough to suggest a means of testing
8. Assess Key Control Design
• Determine whether each key control is designed adequately to mitigate the associated risk(s)
• Primary focus of testing – Determine whether the key controls are designed adequately to provide reasonable assurance that the risks are adequately
• When assessing control design, focus on:
– Alignment between controls and the business and audit risks identified
– Whether controls satisfy the information processing objectives (Completeness, Accuracy, Validity, Restricted Access) and relevant financial statement assertions
– Knowledge and experience of the people involved in performing the controls
– Segregation of duties relevant to the process being controlled
9. Resource Allocation
• Identify necessary resources
• Estimate total number of hours
• Build project plan (project management – separate course)
10. What Else Can We Provide?
• Always ask the auditee “how else can we help you?” (last question)
– Shows trust
– Builds confidence
– We are not on the other team
– We want to help
– We are consultants, not auditors
UPDATED ENGAGEMENT-LEVEL RISK ASSESSMENT (RESIDUAL RISK)
Updating the Risk Hypothesis
• No steadfast template…but be consistent!
• Numerical Ratings or H/M/L
• Show Starting Point (prior to planning), Planning and End Point (prior to fieldwork) – walk auditee through the logic
Residual Risk
• Residual Risk: The risk that remains after controls are taken into account (the net risk or risk after controls)
• Commonly known as Risk (generalized)
CASE STUDY
Case Study – Payroll
• Update the Inherent Risk Rating based on the additional information that has been uncovered during planning
– People Rating: Based on the experience and know-how of the personnel, will this increase or decrease the current inherent risk rating?
– Process/Control Design Rating: Based on the design of the controls (see Planning) and the risks the controls should mitigate, rank the risk
BUILDING AN EFFECTIVE AUDIT WORKPROGRAM
Discussion – What Should be in a Workprogram?
Workprogram Contents
• Basic criteria for audit programs include:
– Carefully stated objectives, agreed to by the client.
– Programs should be tailor-made to the audit assignment.
– Each step of the program should include the reason for the step.
– Step priority should be indicated.
– Programs should be flexible and permit use of initiative and judgment.
– Audit work requested by the client should be identified.
• One of the objectives of the audit is to ensure that the client is effectively managing risks. During the audit, the auditor should maintain a record of the accomplishment of this element of the audit.
Workprogram Contents
• Key Business
– Purpose
– Objectives
– Activities
• Control Objectives
– Key Risks & Suggested Controls
– Key Performance Indicators
• Planning
– Suggested Documentation Requests
– Suggested Electronic Data Files
– Select Samples: Summarize criteria for selection
– Summarize Key Operational and Financial Metrics
– Sample Documentation Requests for Each Sample
• Fieldwork
– List test, describe test objective, and identify applicable risk areas
– List test steps for each sample
Writing Workprograms – Leading Practices
• Tailor the program to fit the specific audit as to the type of organization, personnel involved, systems and procedures in effect, degree of sophistication, etc.
• Each work program step should clearly set forth the work to be completed and the reason (objective) for performing
– Each audit team member must fully understand and comprehend why each audit step is being completed (e.g. succession planning)
– Minimizes the inclusion of possible unnecessary work steps.
– Efficient and effective review of audit work papers
• Program should be flexible and permit application of initiative in deviating from prescribed procedures
• Provide for the development of individual findings:
– Performance is analyzed and reported
– Evidence to support conclusions
– Evaluate performance and evidence in comparison with relevant standards
Key Aspects to an Audit Workprogram?
1. Identification of the critical operational areas and related controls and risk areas.
2. Development of key questions and work steps to validate and quantify the perceived risk areas.
3. Identification of the work steps needed to provide answers to the perceived risk areas and key questions.
4. Development of work program steps for each area under review.
Common Operational Audit W/P Steps
• Review and evaluation of existing documentation, including:
– Policies and procedures
– Narratives
– Organizational Charts
– Job Descriptions
• Analysis of personnel policies and procedures related to hiring, orientation, training, evaluation, promotion, and firing.
• Analysis of organizational policies and related systems and procedures, both administrative and operational.
• Interviews with management and operations personnel.
• Flowchart review/preparation/assistance
• Ratio, change and trend analysis
• Questionnaires, for use by the auditor or client personnel
• Surveys for relevant parties
STEPS TO BUILDING AN EFFECTIVE AUDIT WORKPROGRAM
Steps to Building an Effective Audit Workprogram
1. Identify Specific Audit Risks
2. Define Audit Scope
3. Define Audit Objectives
4. Define Audit Criteria
5. Define Overall Steps to Testing Objectives
6. Define Specific Work Sub-Steps for Each Overall Step
7. Verify Specific Audit Risks are covered through Work Steps
Define Audit Objectives – Common Pitfalls
• Objectives are not SMART!
• Too General to Try to Cover Everything
• Too Specific – Limits Possible Scope
• Do Not Make Sense to Auditee
Define Audit Criteria
• Make all Audit Objectives Measurable!
• Efficiency and effectiveness is defined as:
– Key Performance Indicators that will be defined by Management and the business and measured against
– Leading industry practices
– Balance of controls and efficiency
• Tools and materials are defined as:
– Guidance on current role and responsibilities
– Access, both physical and logical
– Role of hiring manager in process
• Messaging is defined as:
– Documents/Presentations that highlight the strengths of the organization
– Document/Presentations that outline the benefits of working at the organization
– Analysis of role and key stakeholders each new employee should meet and be introduced to
Keys to Building an Effective Workprogram
• Remember – testing should correlate to risk
– Higher Risk: need more/reliable evidence
– Lesser Risk: do we test at all? Can we just walkthrough?
• Writing for ANY PRUDENT AUDITOR
• Need lots of detail but cannot eliminate (nor do you want to) professional judgment.
Do Not Forget!
• How will testing be performed?
• How will samples be selected?
• What is the source(s) of information?
• What types of information are needed?
• Must evaluate sufficiency, reliability, relevance?
• How will the objectives be tested?
• How reliable does the testing method need to be?
• Can we integrate other audits?
– IT General Controls/Application Controls
– Fraud Risk Assessment/Red Flags
Evidence Requirements
• Sufficient – Measure of the quantity of the evidence; sufficient information should be collected and evaluated so that a reasonably informed, unbiased person would agree with the auditor’s conclusions.
• Reliable – Comprises the measure of reliability and adequacy of the source of evidence and the method of obtaining it; generally, information received from an independent third party is more reliable; evidence is more reliable where it is gained via direct physical examination, observation and inspection, and where it is received in documentary form rather than verbally. The degree of information reliability increases where it is received from several sources.
• Adequate – Measure of adequacy of the evidence. Audit evidence may be physical, testimonial, documentary and analytical.
Build Workprogram Steps – Example
• Audit Objective – Employees are not provided applicable tools and materials to begin tenures successfully
• Audit Criteria – Tools and materials are defined as:
– Guidance on current role and responsibilities
– Access, both physical and logical
– Role of hiring manager in process
Workprogram Steps – Example
Based on the IA Sampling Policy, select a sample of 30 new hires during calendar year 2013:
1. Verify Human Resources coordinates with the hiring manager and applicable department to obtain the new employee’s role guidance summary and presentation of detail of job description (this is verified through the new employee coordination checklist).
2. Obtain the new employee building access form and verify it has been completed by the hiring manager and approved by facilities at least three days prior to start date
3. Obtain the new employee equipment forms and verify they have been completed by the hiring manager and approved by IT and Facilities in regards to office equipment, smart phone and laptop
4. Obtain the new employee system access forms and verify they have been completed by the hiring manager and approved by IT Security at least five days prior to start date
Course Summary
• Audit Workprograms are the foundation for efficient and effective audit fieldwork
• If the time to build and adjust year to year is spent, then the audit will be operationally effective
• Workprograms should be written for any prudent auditor