Internal Audit, IS Audit, Risk Assessment & Internal Controls Review Approach note Olives & Berries Consulting | December 2018


Internal Audit, IS Audit, Risk Assessment & Internal Controls Review

Approach note

Olives & Berries Consulting | December 2018


Internal Audit


Internal Audit – Strategic Foundation

Internal Audit can deliver the greatest value to an organization when its mission, vision and strategies are aligned with the expectations of its stakeholders. Potential areas of value provided by Internal Audit are:

Consulting Services
• Risk and Performance metric assessments
• Strategic Initiative Reviews
• IT Pre-Implementation Reviews
• Governance, Risk and Compliance Initiatives

Assurance Services
• Governance, Risk Management
• Internal Controls
• Systems & Processes, Compliance Programs

Enterprise Talent Development
• Leadership
• Management
• Staff


Risk Based Audit Approach & Scope

While Internal Audit often has to support non-negotiable areas like SOX and other regulatory compliance, it has an opportunity to increase risk coverage by performing audits across the company’s value chain. The risk-sensitive cockpit chart depicts risk by functional area of the business and our scope of audit engagement to provide assurance over these emerging risks related to each function.

Risk cockpit chart, functional areas:
• Fraud & Corruption
• Tax
• Sustainability
• Accounting
• Finance
• Procurement, Facilities & Library
• SOD/Access Mgt./Policy Implementation
• IT Risk Management
• Student Registration, Academics, Student Engagement
• Human Resources
• Information Security
• Social Media & Reputation Mgt.


What do we deliver making Audit Impactful

Accounting

Global Benchmark Perspectives of Impactful Audit
• Accounting Policy Review
• Statutory Risk Assessment
• Compliance to Accounting Standards

Scope O&B Internal Audit Evaluates
• Defined accounting policies of Entity
• Changes required for accounting policies to incorporate IFRS updates
• Order to Cash Cycle (Billing, AR)
• Assurance on revenue recognition
• Process on Expenses booking
• Inherent risks of Statutory reporting requirements
• Lease Accounting
• Approval matrix compliance
• GL Reconciliations
• Disclosures in Financial

Finance

Global Benchmark Perspectives of Impactful Audit
• Analysis of FP&A process
• Capital Allocation Review
• Costing Review
• Treasury Process Review
• Finance process Benchmarking

Scope O&B Internal Audit Evaluates
• Accuracy of Budgeting Process
• Controls for accuracy and completeness of budgeting process
• Capital allocation process, investment appraisals
• Controls related to Margin analysis
• Opportunities for automation of finance process. Benchmarking with peers in industry
• Profitability of courses, project, recipe
• Accuracy of cash forecasting
• Controls in place to assess treasury process
• Process of MIS and control in place for accurate Mgt. reporting & MIS review effectiveness

Tax

Global Benchmark Perspectives of Impactful Audit
• Transfer Pricing Audit
• Tax Data Assessment
• Tax Compliance Audit
• Indirect Taxes

Scope O&B Internal Audit Evaluates
• Data needed for transfer price profitability is accurate and complete
• Are controls in place within the business to monitor TP compliance
• Are MOF valuation rules for TP consistent with the Entity's way of arriving at TP
• Process efficiency to compile data for direct taxes for effective compliance
• Process to compile tax deduction at source for foreign service vendors
• Data needed for indirect taxes is captured accurately
• Controls to check if indirect taxes are being calculated accurately on transaction basis
• Gaps in efficiency of controls for both direct and indirect taxes in assessments and accounting


What do we deliver making Audit Impactful

Sustainability

Global Benchmark Perspectives of Impactful Audit
• Energy Management Review
• Corporate Responsibility Review
• Conflicts of Interest Review

Scope O&B Internal Audit Evaluates
• Key performance and indicators for corporate social responsibility
• Is CSR in line with company mission and compliance guidelines
• Does entity have defined usage/reduction goals and key metrics to measure
• Role of individuals in energy conservation
• Organization’s Quality metrics, KPI review
• Process in place for conflicts of Interest disclosures by employees, Directors, vendors.

Customer, Student Registrations

Global Benchmark Perspectives of Impactful Audit
• Product, Courses, Programmes Innovation
• Marketing Effectiveness
• Sales Performance Mgt.
• Pricing Compliance and Strategy

Scope O&B Internal Audit Evaluates
• Marketing activities in line with company policies and process
• Are advertising, promotional vendors delivering based on contractual terms
• Effectiveness of discounts, commissions to sales network partners and associates
• ROI on marketing spends
• Accuracy of calculation of Incentives, commissions to staff, dealers, network partners
• Success or failures of products, Projects, recipes is measured continuously
• Information availability for pricing decisions
• Controls in place for pricing approvals, rebates, discounts and incentives
• Course profitability & sustenance on new courses

Fraud & Corruption

Global Benchmark Perspectives of Impactful Audit
• Supplier Management Review
• Whistleblower Audit
• Fraud Prevention Assessment

Scope O&B Internal Audit Evaluates
• Process of accepting new vendors
• Controls in place in evaluation of new vendors
• Regulatory requirements in terms of Anti corruption and Bribery
• Fraud control and Prevention Assessments
• Process of whistle blower to provide feedback to entity
• Review of Conflicts of Interest and opportunities for Quid pro Quo
• Process of following up on complaints received from whistleblowers
• Persons responsible for Entity’s compliance program
• Protection and sensitivity of data and person reporting as whistleblower.


What do we deliver making Audit Impactful

Procurement, Facilities & Library

Global Benchmark Perspectives of Impactful Audit
• Contract Management
• Operations Planning
• Supplier Risk Management Review
• Wastages Review

Scope O&B Internal Audit Evaluates
• Who participates in purchasing other than procurement?
• Basis of selection of a vendor: competency, price, previous experience
• Process and controls to ensure contracts are reviewed and approved
• Is procurement buying optimally as per the sales and academics program and plan?
• Are food wastages as per normal yield?
• Is the organization getting the benefits of volume discounts
• How are conditions in contracts complied with and monitored?
• Process for continuous negotiation for better prices from vendors and service providers
• Procure to Pay Audit Cycle

Human Resources

Global Benchmark Perspectives of Impactful Audit
• Incentives & Compensation Audit
• Employee Mobility review
• Talent Management & Succession Planning

Scope O&B Internal Audit Evaluates
• Hiring to Payroll Audit Cycle
• Process of Performance rating & Employee evaluation
• Objectiveness of KRA setting for employees
• Entity in compliance with immigration laws
• Employee Attendance Management reviews
• Process of employee background check
• Succession strategy for addressing skill shortages

SOD/Access Mgt. & Policy Implementation

Global Benchmark Perspectives of Impactful Audit
• Segregation of Duties (SOD) Review
• Role Based Access
• Policy and Approval Matrix Audit

Scope O&B Internal Audit Evaluates
• Does the organization design roles that create inherent SOD issues?
• Actions taken when SOD conflicts are identified?
• Has IT implemented role-based access to SIS, Navision, Banking and other IT applications?
• Compliance to Authority and approval matrix
• Compliance to Academic and commercial policies


What do we deliver making Audit Impactful

IT Risk Management

Global Benchmark Perspectives of Impactful Audit
• IT Governance Audit
• IT risk management & Assessment

Scope O&B Internal Audit Evaluates
• Process of Identification of IT Risks
• Risks identified being remediated or accepted
• Maturity of Entity for using GRC software
• How often IS Audit is conducted?
• Roles of data administrator, data architect, data programmer & data analyst are clearly defined and all have need-to-know access to Information
• Formalized Process to Govern IT exists
• Review of IT policies and procedures
• Opportunities to increase business confidence on IT Governance and process
• IT contract management Review

Information Security

Global Benchmark Perspectives of Impactful Audit
• Vulnerability assessment
• Threat and Vulnerability Mgt.
• Information Security assessment
• BCP & Disaster Recovery Audit

Scope O&B Internal Audit Evaluates
• Organization's response time in terms of intrusion detection
• Assessment of vulnerabilities and how the same are exploited
• Methods to defuse Info. Security attack on organization
• Comprehensive Threat and Vulnerability management Program
• How well does the Entity assess and mitigate threats?
• Software codes and programs in production and testing environment
• Disaster Recovery Plans (DRP) are aligned with BCP and tested
• Are critical systems defined and included in BCP and DRP?
• Is Business Continuity Plan (BCP) in place and tested?
• Do BCP, DRP and crisis mgmt. involve the right functions and people?
• IT security policies known to employees

Social Media & Brand Reputation Mgt.

Global Benchmark Perspectives of Impactful Audit
• Social Media Risk Assessment
• Social Media Governance Audit

Scope O&B Internal Audit Evaluates
• Risks related to social media and management of the same
• Social media activities are aligned to Entity’s policy
• Risk Gaps resulting in existing activities affecting brand and reputation
• Governance process exists within organization for Social Media
• Policies known to employees


O&B – How do we deliver it right

Internal Audit Methodology

Standards & Frameworks
• International Professional Practices Framework by IIA
• COBIT 5.0 by ISACA
• COSO

Infrastructure
• ACL, Excel, Visio, R, Python, SQL
• Computer Assisted Audit Techniques (CAAT’s)

Audit Programs, controls testing templates, peer reviews
Internal Audit Structure, Organization & People
Internal Audit Charters & Policies
CAAT’s, Data Analytics, Technology enabled Audit

Performing the Audit
• Risk Based Audit Plan
• Best of standard Audit program, SOX controls testing templates, Actionable Reports

Establish Planned Scope of Audit
Assess Risk Maturity of Entity
Update Audit Planning & Program
Process Walk through, Testing of controls
Analytical procedures & verification of evidences
Assess and evaluate residual risks
Conclusions on Mgt. responses
Audit Report to Mgt. and Audit committee


O&B – How do we deliver it right

How are we different

• Our audits cover the entire processes and value chain of our clients and are focused on Quality, Efficiency, Value and Effectiveness
• We use industry-standard control frameworks and methodologies, and base our professional practices on knowledge leaders like IIA and ISACA
• Extensive use of data analytics and technology in our audits, which enables synthesizing of data and thereby interpreting trends, risk patterns and behaviors
• Highly skilled, professional and ethical team of Practice Leads and Associates


Illustrative outputs


Our team has worked on these clients

ABB, Agni Properties, Aircel-Maxis, American Express, ANZ, Ascendas, Axa, Axiata, Bharti Airtel, Blue Dart, Delphi Diesel Systems, DLF, DST, Econet Zimbabwe, Etisalat, Fidelity, Financial Training Institute, FlipKart, GATI Kintetsu, General Motors, Hewlett Packard, IBM, IMI Mobile, Indian School of Business, Kennametal, LN Bangur Group, Maruti Suzuki, Microsoft, MTN Group, MTS (Systema), Neotel South Africa, Nestle, NetApp, Nokia Siemens Networks, NowFloats, OpenText, Ola, Rane Group, Reliance Jio, Rockwell Collins, Saudi Telecom Company, SLK, SnapDeal, Sony, Sri Chaitanya Varsity, Tanla Mobile Solutions, Tata (TTSL & Tata Sky), Tata Motors, Telkom South Africa, Toyota, TVS group, Uninor (Telenor), Vedanta, Vodafone, Xiaomi, Yatra


Vikram R Sreedhar: Partner

EXPERTISE SUMMARY

• Designed, implemented & managed Financial Planning and Analysis and MIS across Manufacturing, Health Care, Retail, IT & Engineering sectors.
• Designed, implemented & managed Activity Based Costing & Standard Costing Systems in Manufacturing, Engineering & Health Care sectors.
• Conceptualized, implemented & managed new Enterprise Resource Systems in Manufacturing, Retail and Health Care sectors in India.
• Developed Business Valuation models in Retail, Engineering & Health Care sectors.
• Designed and developed statistical data analytics to seek optimizations in factors underlying price, cost considerations & efficiency in operations across Manufacturing, Retail & Health Care sectors.
• Designed and developed fraud investigative tools to address inherent business and transactional risks. Experience of investigating more than 60 frauds across Manufacturing, Engineering, Retail and Health Care sectors.
• Conceptualized and implemented GST Solutions for the Health Care sector.
• Managed Tax Audits and Indirect Taxation Compliance.
• Optimized lead times in production & operational parameters in Manufacturing & Engineering sectors through Value Chain Analysis, Transportation algorithms, 6 Sigma tools & Linear Programming.
• Managed Internal Audit & IS Audit assignments across industries.
• Developed Data Visualization applications for an Educational Services organization.
• Developed and managed Predictive Analysis and Machine Learning algorithms to solve operational issues in disease prediction, customer churn & maintenance management. Developed credit score for credit card customers in the Banking & Financial Sector.

AREAS OF EXPERTISE

Financial planning & MIS

Direct, Indirect Taxation

Financial & Business Modelling

Financial & Corporate Valuations

Internal Audit, IS Audit and Risk Management

Forensic Services and Fraud Risk Management

Data Analytics, Machine Learning, Predictive Analytics

INDUSTRY EXPERTISE

Manufacturing, IT / ITES, Engineering, Retail, Healthcare, Educational Services, F&B

EDUCATION & PROFESSIONAL QUALIFICATIONS

Certified Chartered Accountant (ACCA)

Associate Cost & Mgt. Accountant (ACMA)

Certified Internal Auditor

Certified Information Systems Auditor

Certified Fraud Examiner

PG Diploma in Data Analytics (IIIT-B)

PG Diploma in Business Administration


Ritesh Agrawal: Partner

EXPERTISE SUMMARY

• Managed Budgeting and Financial Planning for one of the largest corporate groups in Africa in the communications sector.
• Delivered compliance management for one of the largest agri-based business houses in India. Engagement involved reviewing business processes and operations and streamlining related compliances.
• Managed an analytics-based Revenue Stream review (end-to-end) for the largest telecom services operator in Africa. This worked on offshore data handling capabilities, and required root cause analysis for every exception noted, on a continuous basis.
• Managed Business Unit wise separation of financials of the largest telecom operator in the Middle East. This involved bifurcation of revenues into Business Units using analytics and formulation of a tool to enable accounting separation by the Company.
• Leader for analytics solution at a Big4 accounting firm in India, for Internal Audit and Risk reviews. During this, Ritesh formulated, designed, set up and operationalized the analytics tool and function for Internal Audit.
• Managed review of deferred revenue accounting process for prepaid business in South Africa’s largest fixed-line operator. The scope of this engagement included forensic investigation of the perpetrators that have effected change in voucher status.
• Managed an analytical review of telecom MIS for one of the largest telecom operators in Africa and the Middle East. The assignment involved understanding the key MIS parameters, identifying relevant sources for MIS compilation, understanding the systems used by the operator and ensuring accuracy of the MIS prepared. It also involved data analysis and trend analysis of the MIS data and its source data to facilitate concluding upon the accuracy and relevance of the various KPIs reported.

AREAS OF EXPERTISE

Financial planning & MIS

Compliance Management

Analytics, Automation and IoT

Internal Audit and Risk Management

Cyber Security and Information Risk Management

Forensic Services and Fraud Risk Management

INDUSTRY EXPERTISE

Manufacturing, E-commerce and Agri-based sectors

Technology, IT / ITeS

EDUCATION & PROFESSIONAL QUALIFICATIONS

Chartered Accountant (ICAI)

Certified Internal Auditor

Certified Information Systems Auditor

ISO27001: Lead Auditor


Thank You

Ritesh Agrawal, Partner, Olives & Berries Consulting

+91 [email protected]

Vikram R Sreedhar, Partner, Olives & Berries Consulting

+91 [email protected]

Office:

Olives & Berries Consulting, Lorven Co Works, #756, 2nd Floor, 10th Main, Jayanagar, 4th Block, Bangalore 560011