Report to the Risk Management Committee - Metropolitan … · 2015-12-08

Report to the Risk Management Committee Recommendation to Approve Office of Audit Policies and Procedures December 2015


Recommendation

The Risk Management Committee is requested to approve and recommend the Board of Directors approve the following proposed Policies and Procedures:

• Quality Assurance and Improvement Program

• Procedure for Issuing Office of Audit Policies

• Professional Certificates and Continuing Professional Education

• Documenting and Controlling Engagement Work Paper Files

• Independence

• Supervisory Responsibilities in Engagement Planning and Execution

• Communicating Results of Engagements

• Risk Assessment and Engagement Planning

Background

• Proposed Policies and Procedures reviewed by:

– CEO,

– Office of the General Counsel,

– Internal Controls and Compliance,

– The Interim Secretary, and

– The Accountability Officer.

• Meet the Institute of Internal Auditors (IIA) Standards.

• Remediate deficiencies highlighted by the March 2015 DOT OIG Report.

• Undergoing a final review by the DOT OIG.

• The Committee will be kept apprised of the status of OIG review.

Quality Assurance and Improvement Program

Purpose: To ensure that the Office of Audit maintains an effective quality assurance and improvement program.

Key requirements include:

• Ongoing monitoring.

• Annual self-assessment.

• External assessment every five years.

Procedure for Issuing Office of Audit Policies

Purpose: To document the processes for developing and issuing Office of Audit policies and procedures.

Key requirement: Policies and Procedures must be approved by the Chief Audit Executive, the CEO and the Risk Management Committee.

Professional Certificates and Continuing Professional Education

Purpose: To ensure that the Office of Audit maintains sufficient knowledge and proficiency.

Key requirements include:

• 40 hours of continuing professional education annually.

• Documenting and monitoring status of professional certificates and education.

Documenting and Controlling Engagement Work Paper Files

Purpose: To ensure documentation of sufficient, relevant information to support conclusions and engagement results.

Key requirements include:

• Documentation of planning, sources of information, methodology, supervisory review, and support for findings and conclusions.

• Ensure existence and accessibility of supporting work papers.

• Restrict inappropriate access to work papers.

Independence

Purpose: To ensure the Office of Audit is independent and internal auditors are objective in performing their work.

Key requirements include:

• Dual reporting to the CEO and the Risk Management Committee of the Board.

• Financial disclosure forms submitted annually to the Airports Authority Ethics Officer.

• Annual certification of independence by each staff member.

• Engagement staffing considers actual or apparent conflicts of interest.

Supervisory Responsibilities in Engagement Planning and Execution

Purpose: To ensure adequate supervision and review of engagements.

Key requirements include:

• Chief Audit Executive or his designee must approve the engagement work program and any changes promptly.

• Supervisors must document their review of all work papers.

Communicating Results of Engagements

Purpose: To ensure engagement results are communicated appropriately.

Key requirements include:

• Objectives, scope, conclusions, recommendations, and action plans of each engagement must be communicated.

• Results communicated to appropriate parties.

• Engagement reports may only state “conformance” once a quality assurance and improvement program supports the statement.

• Only the Chief Audit Executive has the authority to release work product, including engagement reports or work papers.

Risk Assessment and Engagement Planning

Purpose: To organize the work of the office using an annual risk-based audit plan.

Key requirements include:

• Must consider input of senior management, the Risk Management Committee, and the Board.

• Plan must be approved by the CEO and the Board.

• Plan must be updated at least annually.

Topic: Policies and Procedures – Office of Audit Quality Assurance and Improvement Program

Topic No: 2

Function: Office of Audit Updated: October 2015 Section: Office of Audit Owner: Office of Audit Applicability: All Status: DRAFT 11/23/2015

Metropolitan Washington Airports Authority, Policies and Procedures, Office of Audit 1

1.0 Table of Contents

2.0 Background and Purpose

3.0 Definitions

4.0 Policy

5.0 Procedures

6.0 Approvals

7.0 Attachment

2.0 Background and Purpose

The International Professional Practices Framework for internal auditing (IPPF or Standards) requires the Chief Audit Executive (CAE) to establish a quality improvement and assurance program. A quality assurance and improvement program is designed to enable an evaluation of the Office of Audit’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors comply with the Institute of Internal Auditors’ and the Airports Authority Codes of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement (Reference: IPPF Standards 1300).

The purpose of this policy is to ensure that the Airports Authority Office of Audit establishes and maintains an effective quality assurance and improvement program that conforms to the Standards.

A fully functioning quality assurance and improvement plan includes ongoing monitoring to ensure quality on an audit-by-audit basis, periodic self-assessments, and external assessment to ensure and validate conformance with the Standards and other rules and regulations. In addition to validated conformance with the Standards, the external assessment provides an opportunity to obtain new ideas on ways to improve overall internal audit quality, efficiency, and effectiveness.

3.0 Definitions

Board – Metropolitan Washington Airports Authority (Airports Authority) Board of Directors.

Chief Audit Executive (CAE) – Vice President for the Office of Audit.

CEO – President and Chief Executive Officer of the Airports Authority.

Code of Ethics – The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both entities and individuals that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.

Engagement – Any work product performed by the Office of Audit. It can include audits or internal auditing, but can also include advisory, internal consulting services, or investigations. Although the eventual work products look similar, advisory or consulting services as defined by Standards 2210.C1 and 2210.C2 may or may not be distributed to the CEO or the Board. Audits are a subset of engagements; audits require independence and usually additional report recipients.

Internal Auditing – Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit – The report and work product of Internal Auditing.

International Professional Practice Framework (Standards) – Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

(1) Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels; and

(2) Interpretations that clarify terms or concepts within the statements.

4.0 Policy

4.1. The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the Office of Audit activity. The quality assurance and improvement program must include both internal and external assessments.

4.2. Internal assessments must include:

• Ongoing monitoring of the performance of the Office of Audit; and

• Annual self-assessment or assessment by other persons within the Airports Authority with sufficient knowledge of internal audit practices.

4.3. External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the Airports Authority. The CAE must discuss with the CEO, the Risk Management Committee, and the Board:

• The form and frequency of the external assessment; and

• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

4.4. The CAE must communicate the results of the external quality assurance and improvement program assessments, and if necessary, an action plan for addressing recommendations in the assessment to the CEO and the Board.

4.5. The CAE may state that the Office of Audit conforms to the Standards only if the results of the quality assurance and improvement program support this statement through an overall opinion of “Generally Conforms”. The results of the quality assurance and improvement program include the results of both internal and external assessments.

4.6. When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the Office of Audit activity, the CAE must disclose the nonconformance and the impact to the CEO and the Board.

(Reference IPPF Standards 1300 – 1322)

5.0 Procedures

5.1. The CAE must maintain the following structure within the Office of Audit to support maintaining quality of the performance of the audit staff and adding value to the Airports Authority through various assurance and consulting engagements:

• A clear set of policies, procedures, and standards based on applicable industry and best practices;

• Staff that is adequately trained, and resourced to perform to these standards;

• A culture in place promoting compliance with quality standards and procedures;

• Supervision by management that the above is firmly in place; and

• Documentary demonstration that the above are in place.

5.2. Ongoing Monitoring

The following procedures are performed for each assurance and consulting engagement, to ensure conformance with relevant Standards and facilitate continuous improvement.

5.2.1. The CAE must approve the scope, objectives, and plan for each engagement prior to the start of fieldwork. This approval is accomplished and evidenced by the CAE’s signature on the engagement work program and/or risk matrix.

5.2.2. The CAE must approve an engagement work program and/or risk matrix, before fieldwork begins, and approve changes timely.

5.2.3. The manager or engagement supervisor must review and approve the work papers for each engagement and evidence their approval on the work papers.

5.2.3.1. The review includes: 1) Ensuring that the work papers comply with the Standards, and that the engagement report is free from material defect and is prepared in accordance with Office of Audit policies; 2) Verifying that engagement conclusions were properly supported by the work papers; 3) Ensuring that the work papers are properly indexed, cross-referenced, initialed, and dated by the assigned staff and appropriate reviewers.

5.2.3.2. The engagement supervisors and CAE must ensure deficiencies noted in the reviews are remediated before issuing the report.

5.2.4. The CAE must review and approve every engagement report.

5.2.5. The CAE must distribute a customer survey within 10 days after each report is issued to obtain feedback for the engagement. (See Attachment A for a sample customer survey.)

5.2.6. The CAE must communicate the results of customer surveys at least annually to the CEO.

5.2.7. The CAE must develop performance metrics to be reported at least quarterly to the CEO and the Risk Management Committee, and if necessary present an action plan to address deficient areas. Examples of performance metrics include internal audit plan accomplishments, cycle time, and percentage of recommendations accepted.

5.2.8. Annually, the CAE or designee must evaluate and conclude on the quality of the Office of Audit activity. The CAE must report the results of this evaluation to the CEO and the Risk Management Committee, and if necessary present action plans to address deficiencies. Areas to be evaluated include:

• Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, including timely corrective actions to remedy any significant instances of nonconformance;

• Adequacy of the Office of Audit’s charter, policies, and procedures;

• Contribution to the Airports Authority’s governance, risk management, and control processes;

• Contribution to Airports Authority’s compliance with applicable laws, regulations, and government or industry standards;

• Effectiveness of continuous improvement activities and adoption of best practices; and

• The extent to which the Office of Audit adds value and improves the Airports Authority operations.

5.3. Periodic Self-Assessments

5.3.1. The CAE must ensure that the Office of Audit undergoes a periodic self-assessment, at least annually.

5.3.2. Self-assessments should be conducted by certified internal auditors or other competent audit professionals from outside of the Office of Audit, or senior members of the Office of Audit. The term self-assessment is used because all assessors are usually within the Airports Authority; the CAE has the discretion to determine who should conduct internal assessments.

5.3.3. The CEO must approve the internal assessor or assessment team.

5.3.4. The report of the internal assessor should be addressed to the CAE, CEO, and the Risk Management Committee.

5.3.5. The CAE must discuss the results of the internal assessment and, if necessary, present an action plan for addressing recommendations to the CEO and the Risk Management Committee.

5.4. External Assessments

5.4.1. The CAE must ensure that the Office of Audit undergoes an independent external assessment at least once every five years by an independent assessor or assessment team from outside the Airports Authority that is qualified in the practice of internal auditing as well as the quality assessment process.

5.4.2. The CEO and the Risk Management Committee must participate in the selection and MWAA procurement process and approve the independent external assessor selected.

5.4.3. The independent assessor’s report should be addressed to the CAE, the CEO, and the Board.

5.4.4. The CAE must discuss the results of the independent assessment and, if necessary, present an action plan to the CEO and the Board.


6.0 Approvals

By my signature below, I certify that I have read and approve this policy and procedure.

Name and Title Signature Date

Lee Wyckoff

Vice President, Office of Audit

John E. Potter

President and Chief Executive Officer

Warner H. Session

Co-Chair, Risk Management Committee of the Board of Directors

Nina Mitchell Wells

Co-Chair, Risk Management Committee of the Board of Directors


7.0 Attachment

7.1 Attachment A: Sample Engagement Customer Survey

Engagement Report Title: ___________________________________

Business Owner: ___________________________________

Strongly Agree | Agree | Disagree | Strongly Disagree | Don’t Know

1. Opening conference was held and all questions/comments were adequately addressed.

2. The final engagement objectives and scope were agreed to.

3. The engagement team was knowledgeable about your business.

4. The engagement was completed within the timeframe communicated.

5. The engagement was conducted efficiently and effectively with minimal disruption to your business.

6. The engagement was conducted in a professional and courteous manner.

7. The engagement team kept you informed of key issues throughout the engagement.

8. All of your key business concerns/risks were addressed during the engagement.

9. The closing conference allowed both sides to adequately discuss and address all comments.

10. The engagement report was accurate and findings were clearly communicated.

11. The engagement report fairly reflected your team's comments and corrective action.

12. The overall engagement provided value to your area.

Please provide comment(s) and/or suggestions to improve future engagement quality.

Topic: Policies and Procedures – Office of Audit Process of Issuing Office Policies

Topic No: 4

Function: Office of Audit Updated: October 2015 Section: Office of Audit Owner: Office of Audit Applicability: All Status: DRAFT 12/2/2015

Metropolitan Washington Airports Authority, Policies and Procedures, Office of Audit 1

1.0 Table of Contents

2.0 Background and Purpose

3.0 Definitions

4.0 Policy

5.0 Procedure

6.0 Approvals

2.0 Background and Purpose

The purpose of this procedure is to document the processes for developing and issuing Office of Audit policies and procedures.

3.0 Definitions

Board of Directors – Board of Directors (Board) of the Metropolitan Washington Airports Authority (Airports Authority).

Chief Audit Executive (CAE) – Vice President for the Office of Audit.

CEO – President and Chief Executive Officer.

Risk Management Committee – A committee of the Board of Directors.

4.0 Policy

4.1. The CAE is responsible for recommending, preparing, and revising Office of Audit policies and procedures.

4.2. Office of Audit policies and procedures must be approved by the CEO and the Risk Management Committee.

5.0 Procedure

5.1. During ongoing reviews of policies or procedures, deficiencies noted should be addressed by the CAE. The CAE should propose new or revised policies or procedures when appropriate.

5.2. The CEO reviews the draft policy or procedure.

5.3. If approved by the CEO, the Risk Management Committee Chairman or Co-Chairs review the draft policy or procedure.

5.4. If approved by the CEO or the Risk Management Committee Chair(s), the CAE presents the draft policy or procedure and seeks the approval of the Risk Management Committee.

5.5. The policy or procedure becomes effective on the date it is approved by the Risk Management Committee, unless a different date is specified in the document.


6.0 Approvals

By my signature below, I certify that I have read and approve this policy and procedure.

Name and Title Signature Date

Lee Wyckoff

Vice President, Office of Audit

John E. Potter

President and Chief Executive Officer

Warner H. Session

Co-Chair, Risk Management Committee of the Board of Directors

Nina Mitchell Wells

Co-Chair, Risk Management Committee of the Board of Directors

Topic: Policies and Procedures – Office of Audit Professional Certificates and Continuing Professional Education Policy

Topic No: 5a

Function: Office of Audit Updated: October 2015 Section: Office of Audit Owner: Office of Audit Applicability: All Status: DRAFT 11/23/2015

Metropolitan Washington Airports Authority, Policies and Procedures, Office of Audit 1

1.0 Table of Contents

2.0 Background and Purpose

3.0 Definitions

4.0 Policy

5.0 Procedures

6.0 Approvals

2.0 Background and Purpose

The goal of the Professional Certificates and Continuing Professional Education policy is to ensure that all Office of Audit staff maintain an adequate level of current knowledge and proficiency in the field of internal audit in order to enhance and maintain proficiency and to stay informed about improvements and current developments in internal audit standards, procedures, and techniques, including The Institute of Internal Auditors’ International Professional Practices Framework (IPPF) guidance. International Standards for the Professional Practice of Internal Auditing (Standards) require that internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The Office of Audit collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities (Standard 1210). Standard 1230 states that internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

3.0 Definitions

Certifying Organization – An organization that issues any of the Professional Certificates. Examples of certifying organizations include AICPA, IIA, ISACA, ACFE, AGA, and state Boards of Accountancy.

Chief Audit Executive (CAE) – Vice President for the Office of Audit.

Engagement – Any work product performed by the Office of Audit. It can include audits or internal auditing, but can also include advisory, internal consulting services, or investigations. Although the eventual work products look similar, advisory or consulting services as defined by Standards 2210.C1 and 2210.C2 may or may not be distributed to the CEO or the Board. Audits are a subset of engagements; audits require independence and usually additional report recipients.

IIA - The Institute of Internal Auditors.

Professional Certificate – Auditing related certificate, which includes but is not limited to Certified Public Accountant (CPA), Certified Internal Auditor (CIA), Certified Government Financial Manager (CGFM), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Fraud Examiner (CFE), and Chartered Global Management Accountant (CGMA).

4.0 Policy

4.1. The Office of Audit’s policy is to provide and maintain a minimum of 40 hours of continuing professional education annually for each staff member engaged in planning, directing, performing engagement procedures, or reporting on an engagement. The administrative staff is not required to achieve this continuing professional education requirement.

4.2. The internal auditors who perform specialized audit and consulting work, such as information technology, construction, actuarial, or systems design, etc. will undertake specialized continuing professional education when needed to allow them to perform their internal engagement work with proficiency.

5.0 Procedures

5.1. The CAE must ensure that the Office of Audit staff possesses the knowledge, skills, and other competencies needed to perform their individual responsibilities and the Office of Audit collectively possesses or obtains the knowledge, skills, and other competencies needed to perform its responsibilities assigned in the Office of Audit Charter.

5.2. The CAE must obtain competent advice and assistance from external sources when the Office of Audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of an engagement.

5.3. At least annually, the CAE should assess the development/training needs of each staff member to determine the current status of each team member's skills, knowledge, experience, and abilities. Based on this assessment, staff members should prepare and submit individual continuing professional education plans to obtain a minimum of 40 hours of education.

5.4. The CAE approves continuing professional education plans for each staff member and those plans should be communicated to the continuing professional education coordinator (Coordinator).

5.5. The CAE should designate one of the Office of Audit staff as a continuing professional education coordinator.

5.6. It is the responsibility of each Office of Audit staff member to report his/her continuing professional education status to IIA or any other Certifying Organization as required. A change in status, including the revocation or suspension of a professional certification, must be reported to the CAE immediately.

5.7. Office of Audit staff must report the following to the Coordinator bi-annually, in the middle of June and middle of December:

a. Which Professional Certificates he/she actively holds;

b. His/her continuing professional education requirements for each Professional Certificate held;

c. Plan to comply with continuing professional education requirements for the current year and, in December, plan to comply with continuing professional education requirements for the following year;

d. The number of continuing professional education units accomplished for the year and the number of remaining continuing professional education units needed before year end.

5.8. The Coordinator must verify staff’s Professional Certificates active status, monitor all staff’s continuing professional education compliance plan and status, and report the results to the CAE bi-annually, in June and December. The Coordinator should retain the documentation pertaining to compliance with this policy based on the retention policy of the Office of Audit.

5.9. Any violation or non-compliance of this policy should be immediately reported to the CAE.

5.10. All continuing professional education records should be maintained for an appropriate period of time to satisfy any legal and administrative requirements, including peer review under Section 5.8.

6.0 Approvals

By my signature below, I certify that I have read and approve this policy and procedure.

Name and Title Signature Date

Lee Wyckoff

Vice President, Office of Audit

John E. Potter

President and Chief Executive Officer

Warner H. Session

Co-Chair, Risk Management Committee of the Board of Directors

Nina Mitchell Wells

Co-Chair, Risk Management Committee of the Board of Directors

Topic: Policies and Procedures – Office of Audit Documenting and Controlling Engagement Work Paper Files

Topic No: 5b

Function: Office of Audit Updated: October 2015 Section: Office of Audit Owner: Office of Audit Applicability: All Status: DRAFT 11/23/2015

Metropolitan Washington Airports Authority, Office of Audit 1

1.0 Table of Contents

2.0 Background and Purpose

3.0 Definitions

4.0 Policy

5.0 Procedure

6.0 Approvals

2.0 Background and Purpose

This document sets forth the Office of Audit policy and procedures for documenting and controlling engagement work paper files.

Engagement work papers are necessary to: (1) provide a record of work performed; (2) assist the Office of Audit staff or others in summarizing audit results and preparing the audit report; and (3) provide evidence supporting the findings, conclusions, and recommendations contained in a report issued by the Chief Audit Executive.

3.0 Definitions

Chief Audit Executive (CAE) – Vice President for the Office of Audit.

Engagement – Any work product performed by the Office of Audit; this can include audits or internal auditing, but can also include advisory, internal consulting services, or investigations. Although the eventual work products look similar, advisory or consulting services as defined by Standards 2210.C1 and 2210.C2 may or may not be distributed to the CEO or the Board. Audits are a subset of engagements; audits require independence and usually additional report recipients.

International Professional Practice Framework (Standards) – Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

(1) Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels; and

(2) Interpretations that clarify terms or concepts within the statements.

Work Papers – Any documentation that records evidence, which is used to form an opinion, finding, observation, or conclusion or to otherwise achieve the objectives of an engagement.

4.0 Policy

Applicable Standards: 2300 to 2330.C1

4.1. Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.

4.2. Engagement work papers must (1) include planning documents, (2) identify the sources of information used, (3) explain the methodology for conducting the review, (4) document supervisory reviews, and (5) support the findings, opinions, conclusions, and engagement results through sufficient, relevant evidence and based on appropriate, documented analyses and evaluations.

4.3. Engagement work papers should be prepared in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the documentation the nature, the results, and the conclusions of procedures performed.

4.4. The CAE must control access to engagement work papers and other records. Engagement records will be retained and stored securely for the longer of seven years or a statutorily required extended period after the date of the report.

4.5. This policy applies to all Office of Audit engagements.

5.0 Procedure

5.1. Work papers must include a planning memo or other documentation of planning for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. (Standard 2200)

5.2. Work papers must include a written work program or risk matrix for each engagement, setting forth the procedures to achieve the engagement objectives. The work program must be approved by the CAE or designee prior to implementation, and any adjustments approved promptly. (Standard 2240)

5.3. Work papers must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives. (Standard 2300)

5.4. Work papers must document sufficient, relevant information to support the conclusion and engagement result.

5.5. Auditors and reviewers must initial and date each work paper, or provide evidence of preparation and review by alternate means (e.g., documented by management software).

5.6. Work paper reviewers must initial and date each work paper, or evidence review by alternate means; e.g., documented by audit management software.

5.7. Auditors must include the following elements in each work paper:

5.7.1. Heading including the name of the engagement, the name of the work paper, and the period of the engagement

5.7.2. Source of the data used in the work paper analysis

5.7.3. Purpose or objective of the work paper

5.7.4. Description of the test procedure and appropriate analyses and evaluations

5.7.5. Conclusion

5.8. A single set of work papers for each engagement must be retained and stored securely for the longer of seven years or a statutorily required extended period after the date of the report. Current procedures will include the storage of hardcopy, physically printed workpapers in the CAE’s office. There will be sign-out procedures to access or review the workpaper binders. Within 10 business days of the release of the report, the workpaper contents will be scanned into an Adobe PDF format. Although this would serve only as a rudimentary backup, it would capture evidence of the work performed, conclusions reached, and contemporaneous review by preparer and reviewer.

5.9. Engagement work papers are the property of the Office of Audit.


5.9.1. Access to engagement work papers and other records is restricted to employees of the Office of Audit, and external providers of audit services engaged by the Office of Audit, at the discretion of the CAE.

5.9.2. The CAE must approve in writing the release of engagement work papers or other records to any persons external to the Office of Audit.

5.9.3. When appropriate, the CAE should seek the approval of senior management and/or legal counsel prior to releasing engagement work papers or other records to any persons external to the Office of Audit.

5.9.4. If an investigation or audit is conducted at the request of the Office of General Counsel, the work product including all workpapers will be considered privileged information.

6.0 Approvals

By my signature below, I certify that I have read and approve this policy and procedure.

Name and Title Signature Date

Lee Wyckoff

Vice President, Office of Audit

John E. Potter

President and Chief Executive Officer

Warner H. Session

Co-Chair, Risk Management Committee of the Board of Directors

Nina Mitchell Wells

Co-Chair, Risk Management Committee of the Board of Directors

Topic: Policies and Procedures – Office of Audit Independence Policy

Topic No: 5c

Function: Office of Audit Updated: October 2015 Section: Office of Audit Owner: Office of Audit Applicability: All Status: DRAFT 11/23/2015

Metropolitan Washington Airports Authority, Office of Audit, Policies and Procedures 1

1.0 Table of Contents

1.0 Table of Contents

2.0 Background and Purpose

3.0 Definitions

4.0 Policy

5.0 Procedures

6.0 Approvals

7.0 Attachments

2.0 Background and Purpose

The purpose of this Independence policy is to ensure that all Office of Audit staff act with integrity and exercise objectivity and professional skepticism when performing audit engagements.

The Office of Audit Charter (Charter) approved by the Airports Authority Board of Directors states that the Office of Audit's objectivity and independence depend largely on having no responsibility for or authority over any of the activities or operations subject to its review. As such, the Office of Audit staff shall not have direct operational responsibility or authority over any activities outside of the Office of Audit. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment and independence. The Charter also states that the Office of Audit will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. The Office of Audit's staff will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

3.0 Definitions

Airports Authority – Metropolitan Washington Airports Authority.

Board – The Board of Directors of the Airports Authority.

Chief Audit Executive (CAE) – Vice President for the Office of Audit.

CEO – President and Chief Executive Officer of the Airports Authority.

Conflict of interests – Situation in which an Office of Audit staff member has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interests can create an appearance of impropriety that can undermine confidence in the internal auditor, the Office of Audit, and the profession. A conflict of interests could impair an individual's ability to perform his or her duties and responsibilities objectively.

Engagement – Any work product performed by the Office of Audit; this can include audits or internal auditing, but can also include advisory, internal consulting services, or investigations. Although the eventual work products look similar, advisory or consulting services as defined by Standards 2210.C1 and 2210.C2 may or may not be distributed to the CEO or the Board. Audits are a subset of engagements; audits require independence and usually additional report recipients.

Independence – Freedom from conditions that threaten the ability of the Office of Audit to carry out internal audit responsibilities in an unbiased manner. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Internal Auditors – Auditors who work on any Office of Audit internal audit project, including the CAE, audit manager, (senior) auditor, and auditors from CPA firms or temporary agencies.

Objectivity – Unbiased mental attitude that allows internal auditors to perform audits in such a manner that they believe in their work product and that no quality compromises are made.

Office of Audit Staff – Includes the CAE, audit manager, senior auditor, any other Office of Audit employee, and non-career employees (special Airports Authority category of employment).

4.0 Policy

4.1. The Office of Audit staff, including outside auditors, are required to (i) be independent; (ii) be objective in performing their work; and (iii) be impartial, have an unbiased attitude, and avoid any conflict of interest.

Organizational Independence:

4.2. The CAE must report administratively to the CEO and functionally to the Board and must have direct and unrestricted access to the CEO and the Board. The CAE must confirm to the Board, at least annually, the organizational Independence of the Office of Audit (as defined above and in Standard 1110).

4.3. The Office of Audit must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

Individual Independence:

4.4. Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

4.5. Individual objectivity means the internal auditors perform engagements in such a manner that they have an honest belief in their work product and that no quality compromises are made. Internal auditors are not to be placed or place themselves in situations that could impair their ability to make objective professional judgements.

4.6. To ensure individual objectivity, the CAE organizes internal auditors’ assignments in order to prevent potential and actual conflict of interest and bias, periodically obtains information from the internal auditors concerning potential conflict of interest and bias (annual questionnaire), and, when practicable, rotates internal auditors’ assignments periodically.

4.7. The CAE or their designee reviews the internal audit work results before the related communications are distributed to reasonably assure that the work was performed objectively.

4.8. An internal auditor’s objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented (partnering with the business via a pre-implementation review). The auditor’s objectivity is considered impaired if the auditor designs, installs, drafts procedures for, or operates such systems.

4.9. The occasional performance of non-audit work by the internal auditor, with full disclosure, would not necessarily impair objectivity. However, it would require careful consideration by management and the internal auditor to ensure it does not adversely affect the internal auditor’s objectivity.

Impairment to Independence or Objectivity:

4.10. If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment. The internal auditor must report any impairment to his/her supervisor and the CAE; the CAE then uses professional judgment to decide whether to disclose the impairment to the CEO and the Board. If there is any impairment in fact or appearance that involves the CAE, the CAE must report the impairment to the CEO and the Board.

4.11. The determination of appropriate parties to which the details of impairment to independence or objectivity must be disclosed is dependent upon the expectations of the Office of Audit's and the CAE's responsibilities to senior management and the Board as described in the Office of Audit charter, as well as the nature of the impairment.

4.12. If the CAE identifies an impairment of the Office of Audit’s independence, they must document the potential or apparent conflict and its impact which can include: change in assigned personnel; scope limitations; restrictions on access to records, personnel, and properties.

4.13. Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had direct responsibility within the previous year.

4.14. Assurance engagements for functions over which the CAE has responsibility must be overseen by a party outside the Office of Audit.

4.15. Because independence is not required for advisory services, internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

4.16. If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

4.17. Internal auditors are to report to the CAE any situations in which an actual or potential impairment to independence or objectivity may reasonably be inferred, or if they have questions about whether a situation constitutes an impairment to objectivity or independence. If the CAE determines that impairment exists or may be inferred, the CAE needs to reassign the internal auditors.

4.18. A scope limitation is a restriction placed on the Office of Audit that precludes the Office of Audit from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:

a) Scope defined in the Office of Audit Charter;

b) Office of Audit’s access to records, personnel, and physical properties relevant to the performance of engagements;

c) Approved engagement work schedule;

d) Performance of necessary engagement procedures;

e) Approved staffing plan and financial budget.


4.19. A scope limitation, along with its potential effect, needs to be communicated, preferably in writing, to the Board and the CEO, as appropriate. The CAE needs to consider whether it is appropriate to inform the Board and CEO regarding scope limitations that were previously communicated to and accepted by the Board. This may be necessary particularly when there have been organizational changes to the Board or senior management.

4.20. Consistent with the MWAA Code of Ethics, internal auditors are not to accept fees, gifts, or entertainment from an employee, client, customer, supplier, or business associate that may create the appearance that the internal auditors’ objectivity has been impaired. The appearance that objectivity has been impaired may apply to current and future engagements conducted by the internal auditors. The status of engagements is not to be considered as justification for receiving fees, gifts, or entertainment. The receipt of promotional items (such as pens, calendars, or samples) that are available to employees and the general public, have minimal value, and do not hinder internal auditors’ professional judgements is allowed. Internal auditors are to report immediately the offer of all material fees or gifts to their supervisors.

5.0 Procedures

5.1. All Office of Audit staff must file the annual Airports Authority Employee Financial Disclosure Form as required.

5.2. All Office of Audit staff must follow the Airports Authority Code of Ethics for Employees, Directive GC-001C and any subsequent amendments, and complete the annual training on the Code of Ethics.

5.3. In the first month of every year, internal auditors are required to sign and submit to the CAE the Office of Audit Staff Independence Statement in Attachment 7.1. The signed Independence Statement must be retained in accordance with the Office of Audit retention policy, in this case, seven (7) years.

5.4. The CAE must report functionally to the Risk Management Committee of the Board and administratively to the CEO of the Airports Authority as provided for in the Office of Audit Charter, which is hereby incorporated by reference.

5.5. The CAE must confirm to the Risk Management Committee and the Board, at least annually, the independence of the Office of Audit.

5.6. When CPA firms and other outside auditors are hired to conduct audits approved by the CAE, the in-charge audit manager or senior auditor of the Office of Audit designated by the CAE must verify and document that these firms and auditors are independent and can conduct the project with objectivity.

5.7. If independence or objectivity of any of the Office of Audit staff or outside auditors is impaired in fact or appearance, the details of the impairment must be disclosed to the CAE immediately. Any impairment of the CAE must be reported by the CAE to the CEO and the Risk Management Committee of the Board immediately.

5.8. The Office of Audit staff assignment should be rotated periodically whenever it is practicable.

6.0 Approvals

By my signature below, I certify that I have read and approve this policy and procedure.

Name and Title Signature Date

Lee Wyckoff

Vice President, Office of Audit

John E. Potter

President and Chief Executive Officer

Warner H. Session

Co-Chair, Risk Management Committee of the Board of Directors

Nina Mitchell Wells

Co-Chair, Risk Management Committee of the Board of Directors


7.0 Attachments

7.1 – Office of Audit Staff Independence Statement

Office of Audit Staff Independence Statement

Year ______

International Standards for the Professional Practice of Internal Auditing, Standard 1120, Individual Objectivity, states:

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

By my signature below, I acknowledge that I know of nothing that might impair my independence and impartiality on any possible assignments from the Office of Audit. I also acknowledge that I will notify my supervisor and the Vice President of Audit immediately should my independence and impartiality status change.

Staff: _____________________________________ Date: ___________

Supervisor: _____________________________________ Date: ___________

Vice President’s Verification of Staff’s Independence:

I am not aware of anything that might impair the above staff’s independence and impartiality on any possible Office of Audit projects.

Vice President Signature ___________________________ Date: ___________

Topic: Policies and Procedures – Office of Audit Supervisory Responsibilities in Engagement Planning and Execution

Topic No: 5d

Function: Office of Audit Updated: October 2015 Section: Office of Audit Owner: Office of Audit Applicability: All Status: DRAFT 11/23/2015

Metropolitan Washington Airports Authority, Policies and Procedures, Office of Audit 1

1.0 Table of Contents

1.0 Table of Contents

2.0 Background and Purpose

3.0 Definitions

4.0 Policy

5.0 Procedure

6.0 Approvals

2.0 Background and Purpose

This document sets forth the Office of Audit policy and procedures for Supervisory Responsibilities in engagement planning and execution, including review of engagement work papers and sufficient staff development.

3.0 Definitions

Board of Directors – Airports Authority Board of Directors.

Chief Audit Executive (CAE) – Vice President for the Office of Audit.

Engagement – Any work product performed by the Office of Audit; this can include audits or internal auditing, but can also include advisory, internal consulting services, or investigations. Although the eventual work products look similar, advisory or consulting services as defined by Standards 2210.C1 and 2210.C2 may or may not be distributed to the CEO or the Board. Audits are a subset of engagements; audits require independence and usually additional report recipients.

Engagement Work Program – A document that lists the procedures to be followed during an engagement, designed to achieve the engagement objectives.

Work Papers – Any documentation that records evidence, which is used to form an opinion, finding, observation, or conclusion or to otherwise achieve the objectives of an engagement.

4.0 Policy

4.1. Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed. (Standard 2340)

4.2. The CAE has overall responsibility for supervising the engagement, whether performed by or for the Office of Audit, but may designate appropriately experienced members of the Office of Audit for supervising the engagement.

4.3. Appropriate evidence of supervision for each engagement must be documented, retained, and stored securely for the longer of seven years or a statutorily required extended period after the date of the report.

5.0 Procedure

5.1. The CAE must designate in an engagement assignment memo the supervisor and audit staff assigned to each engagement.

5.1.1. The CAE and the supervisor must ensure that the auditors assigned to the engagement are competent and possess individually or in combination the requisite knowledge and skills for the audit or consulting engagement.

5.1.2. This determination must be documented as part of audit or consulting engagement planning.

5.2. The CAE or his designee must approve the engagement work program or Risk Matrix and related engagement timing, scope, and resource allocations before fieldwork begins, and any changes promptly.

5.3. The supervisor must supervise each engagement to ensure that engagement objectives are achieved, quality is assured, and staff is developed. The supervisor should ensure working papers adequately support engagement observations, conclusions, and recommendations.

5.4. The CAE or his designee must review all work papers and document the review with the date of the review, including all work from planning to reporting.

5.5. The CAE must approve the engagement report and determine that the results are supported by the engagement work papers.

5.6. The supervisor must notify the CAE promptly of any of the following:

1) Revision to the engagement objective, scope, or work program;

2) The nature of engagement observations requires immediate remediation and/or management action;

3) Scope or resource limitations;

4) Misconduct or impairments of the auditors; and

5) Any other situations the supervisor believes that the CAE should be made aware of.

5.7. In order to meet the requirements of Standard 2340, highlighted in Section 4.1 of this document, please reference Section 5.3 of Policies and Procedure Document 5a – Office of Audit Professional Certificates and Continuing Professional Education Policy.

6.0 Approvals

By my signature below, I certify that I have read and approve this policy and procedure.

Name and Title Signature Date

Lee Wyckoff

Vice President, Office of Audit

John E. Potter

President and Chief Executive Officer

Warner H. Session

Co-Chair, Risk Management Committee of the Board of Directors

Nina Mitchell Wells

Co-Chair, Risk Management Committee of the Board of Directors

Topic: Policies and Procedures – Office of Audit Communicating Results of Engagements

Topic No: 6

Function: Office of Audit Updated: October 2015 Section: Office of Audit Owner: Office of Audit Applicability: All Status: DRAFT 12/2/2015

Metropolitan Washington Airports Authority, Policies and Procedures, Office of Audit 1

1.0 Table of Contents

1.0 Table of Contents

2.0 Background and Purpose

3.0 Definitions

4.0 Policy

5.0 Procedure

6.0 Approvals

2.0 Background and Purpose

The purpose of this document is to describe policies and procedures to conform to the International Professional Practices Framework for internal auditing (IPPF or Standards) in communicating the results of engagements.

3.0 Definitions

Chief Audit Executive (CAE) – Vice President for the Office of Audit.

IIA Code of Ethics – The Code of Ethics of The Institute of Internal Auditors (IIA) consists of Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.

Engagement – Any work product performed by the Office of Audit; this can include audits or internal auditing, but can also include advisory, internal consulting services, or investigations. Although the eventual work products look similar, advisory or consulting services as defined by Standards 2210.C1 and 2210.C2 may or may not be distributed to the CEO or the Board. Audits are a subset of engagements; audits require independence and usually additional report recipients.

IIA – The Institute of Internal Auditors

International Professional Practice Framework (Standards) – Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

(1) Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels; and

(2) Interpretations that clarify terms or concepts within the statements.

Overall Opinion – For each engagement and its defined scope, the assessment and overall conclusion provided by the CAE regarding the controls or performance of the entity.


4.0 Policy

Applicable Standards: 2400 to 2450

4.1. Internal auditors must communicate the results of engagements, including the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.

4.2. Audit reports may state that engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing” only if the results of the Office of Audit’s quality assurance and improvement program support the statement.

4.3. The CAE must communicate engagement results to appropriate parties, including to parties who can ensure that the results are given due consideration.

5.0 Procedures

5.1. Communications of engagement results must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans. Conclusions must be supported by sufficient, reliable, relevant, and useful information.

5.1.1. The CAE should establish report template(s) for audit reports and consulting engagements as appropriate. Engagement reports should clearly state objectives, scope, and any conclusions or recommendations that may have been reached based on documented testing and analyses.

5.1.2. Findings or observations, along with conclusions, should be based on a logical approach inclusive of criteria, condition, cause, and effect (impact or risk statement). Although the report template and reports will likely deviate from those specific headings, the necessary information to document that logical approach should be included in the report.

5.2. Communications must be accurate, objective, clear, concise, constructive, complete, and timely. The Office of Audit will:

5.2.1. Utilize a review process to ensure that engagement reports consistently meet high quality standards, utilize strong grammar and punctuation, and are clear.

5.2.2. Ensure reportable observations have been discussed with the client prior to the conclusion of the report and, if necessary, provide interim updates on time sensitive issues. Usually an exit or closing meeting fulfills this purpose, but communication of potential issues should occur prior to the exit meeting if possible.

5.3. When an overall opinion is necessary, the CAE must be supported by sufficient, reliable, relevant, and useful information. The CAE reports on any lack of oversight or assurance by the Office of Audit or other assurance providers. If the CAE believes that the assurance coverage is inadequate or ineffective, senior management and the Board need to be advised accordingly.

5.4. If a final communication contains a significant error or omission, the CAE must communicate corrected information to all parties who received the original communication.

5.5. When nonconformance with the Definition of Internal Auditing, the IIA’s Code of Ethics, or the Standards impacts a specific engagement, communication of the results must disclose the principle or rule of conduct with which full conformance was not achieved, the reasons for nonconformance, and the impact of nonconformance on the engagement and the communicated results.

5.6. The CAE must ensure that disclosure of certain information not appropriate for disclosure to all report recipients (privileged, proprietary, or related to improper or illegal acts) is disclosed in a separate report.

5.7. If not mandated by statutory or regulatory requirements, prior to releasing results to parties outside the Airports Authority, the CAE must consult with senior management and/or legal counsel as appropriate.

5.8. When releasing engagement results to parties outside the Airports Authority, the CAE must assess the risk to the Airports Authority and the communication must include limitations on the distribution and use of the results.

6.0 Approvals

By my signature below, I certify that I have read and approve this policy and procedure.

Name and Title Signature Date

Lee Wyckoff

Vice President, Office of Audit

John E. Potter

President and Chief Executive Officer

Warner H. Session

Co-Chair, Risk Management Committee of the Board of Directors

Nina Mitchell Wells

Co-Chair, Risk Management Committee of the Board of Directors

Topic: Policies and Procedures – Office of Audit Risk Assessment and Engagement Planning

Topic No: 7

Function: Office of Audit Updated: October 2015 Section: Office of Audit Owner: Office of Audit Applicability: All Status: DRAFT 11/23/2015

Metropolitan Washington Airports Authority, Policies and Procedures, Office of Audit 1

1.0 Table of Contents

1.0 Table of Contents

2.0 Background and Purpose

3.0 Definitions

4.0 Policy

5.0 Procedure

6.0 Approvals

2.0 Background and Purpose

The Institute of Internal Auditors promulgates professional standards and guidelines for the development of the annual engagement plan. These guidelines recognize that an annual engagement plan and work schedule benefit the Airports Authority by:

• Ensuring the input of senior management, the Risk Management Committee and the Board of Directors (Board) of the Airports Authority are considered

• Aligning the plan with the goals and objectives of the Airports Authority

• Establishing which business units, programs, processes, or contracts will be prioritized for engagements on an annual basis

• Permitting an efficient allocation of limited resources of the Office of Audit

• Eliminating the potential for overlapping the Office of Audit’s assurance and consulting engagements with other engagements conducted by internal or external assurance providers

The purpose of this policy is to ensure that the Airports Authority Office of Audit establishes a risk-based engagement plan with input from the Board, the Risk Management Committee, and senior management consistent with Airports Authority goals.

3.0 Definitions

Audit Universe – A risk-rated comprehensive list of all possible auditable activities within the Airports Authority identified by the Chief Audit Executive.

Board – Metropolitan Washington Airports Authority (Airports Authority) Board of Directors.

Chief Audit Executive (CAE) – Vice President for the Office of Audit

International Professional Practice Framework (Standards) – Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

(1) Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels; and

(2) Interpretations that clarify terms or concepts within the statements.

Risk – The possibility of an event occurring that will have an impact on the achievement of Airports Authority objectives. Risk is measured in terms of impact and likelihood.

Risk Assessment – A process to identify and assess Risk. The output of the Risk Assessment is a prioritization of potential audits mapped against available resources, commonly known as the engagement plan.

4.0 Policy

4.1. The CAE must conduct a Risk Assessment to determine the priorities of the Office of Audit, consistent with the Airports Authority goals (Standard 2010).

4.2. The Office of Audit’s plan of engagements must be based on a documented risk assessment undertaken at least annually. The input of senior management and the Board must be considered in this process (Standard 2010.A1).

4.3. The plan must be approved by senior management and the Board.

4.4. The engagement plan must be updated annually or more often if conditions (risks, operations, programs, systems or controls) warrant.

4.5. The CAE should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve Airports Authority operations. Accepted engagements must be included in the engagement plan. (Standard 2010.C1)

5.0 Procedure

5.1. The Office of Audit must compile an audit universe, a list of auditable activities within the Airports Authority. The list will be determined by the CAE, the Airports Authority’s strategic plan and discussions with responsible management personnel. The risk rating for each auditable activity will be evaluated or adjusted annually or as needed based on CAE judgement and organizational changes that may occur.

5.2. The CAE must consult with senior management when preparing the annual Risk Assessment and Engagement Plan, and solicit input from the Board. Information gathered through the sub-steps below will be considered by the CAE when developing and updating the audit plan.

5.2.1. The CAE should send a questionnaire to senior management and business unit leaders. The objective of the questionnaire is to provide a structured way to obtain or confirm information about risk factors in each function and business unit.

5.2.2. The CAE should review and analyze the responses to the questionnaire, and adjust the audit universe based on the data collected.

5.2.3. The CAE must conduct and document meetings with senior management, business unit managers, and members of the Board to discuss areas of risk within the organization.

5.2.4. The CAE should be able to document or support the occurrence of meetings based on calendar invites, meeting notes, or received questionnaires, etc.

5.3. The CAE must assess and rank the risk of each auditable activity in the audit universe and develop an engagement plan based on the risk ranking. Risk should be evaluated using a risk rating to quantify the assessed risk of each auditable activity.

5.4. The CAE must present a summary of the annual Risk Assessment and the annual Engagement Plan to the Risk Management Committee for approval.

5.5. The CAE must regularly monitor, review, and re-evaluate the engagement plan through ongoing monitoring and discussions with senior management, Risk Management Committee, and the Board.

5.6. The CAE must coordinate activities with other internal and external providers of relevant assurance services to ensure proper coverage and minimize duplication of efforts. Ongoing discussions and a review of prior work or planned work performed by these groups serve as helpful sources of coordination information. Examples of assurance providers include the Internal Controls and Compliance Department and the independent audit firms who audit the Airports Authority’s financial statements.

6.0 Approvals

By my signature below, I certify that I have read and approve this policy and procedure.

Name and Title Signature Date

Lee Wyckoff

Vice President, Office of Audit

John E. Potter

President and Chief Executive Officer

Warner H. Session

Co-Chair, Risk Management Committee of the Board of Directors

Nina Mitchell Wells

Co-Chair, Risk Management Committee of the Board of Directors