Institute of Internal Auditors

The Institute of Internal Auditors—Puget Sound Chapter
Comprehensive Entry Level Training For Auditors
October 12-14, 2004 Seattle, Washington
Internal Auditing Overview
The Institute of Internal Auditors—Puget Sound Chapter
Comprehensive Entry Level Training For Auditors
October 12-14, 2004 Seattle, Washington
I. Definition of Internal Auditing
II. Evolution of Internal Auditing
III. Role of the Auditor
IV. Standards and Guidelines
V. Types of Audits
VI. Skills and Knowledge
VII. Audit Principles
VIII. Audit Process
I. Definition of Internal Auditing
Internal auditing is an independent, objective assurance
and consulting activity designed to add value and
improve an organization’s operations.
It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management,
control, and governance processes.
-Institute of Internal Auditors
II. Evolution of Internal Auditing
Significant changes to the business, risk and
control environments
– Technology advancements
– Sarbanes-Oxley and related legislation and other
requirements
Impact on internal auditing
Changes in:
– Expectations
– Focus
– Perceptions
III. Internal Audit’s Role in Corporate Governance
Sarbanes-Oxley Act (July 2002) Compliance
Internal Audit involvement in:
• Section 301: Audit Committee Provisions
• Section 302: Quarterly CEO/CFO certification of financial
statements and disclosure controls
• Section 404: Annual control over financial reporting
Significance of the Committee of Sponsoring
Organizations (COSO)
Control environment becomes the most important
component of internal control
The Internal Auditor’s Role and Services
For the Auditee:
– Produce a Product
– Serve as a Beat Cop
– Act as an Adversary
– Find errors
– Be a Second-Guesser
– Be Efficient
– Time-Limited Assignment
For the Customer:
– Provide a Service
– Serve as a Consultant
– Act as a House Guest
– Improve Operations
– Serve as a Counselor
– Be Effective
– Ongoing Relationship
The Audit Shop’s Primary Asset:
CREDIBILITY
IV. Auditing Standards
Standards pertain to auditors’ professional
qualifications and the quality of their work, the
performance of field work, and the characteristics of
meaningful reports.
The International Standards for the Professional Practice of Internal
Auditing (Professional Practices Framework) – Institute of Internal
Auditors
Government Auditing Standards (Yellow Book) –
U.S. Government Accountability Office
IIA’s Professional Practices Framework
Definition of Internal Auditing
Code of Ethics
International Standards for the Professional Practice of
Internal Auditing
Quality Assurance Standards
Practice Advisories (Guidance)
Development and Practice Aids
IIA’s Definition of Internal Auditing
Key Words and Concepts—
Assurance and Consulting
Add value
Systematic, disciplined approach
Risk management
Control
Governance
Flexibility of the New Definition
Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
– Fostering Enterprise Risk Management
– Re-engaging on Internal Controls
– Facilitating more effective corporate governance
V. Types of Audits
– Financial Auditing: focus on balance sheet and income statement
– Operational Auditing: focus on resource utilization, accomplishment of operational goals
– Compliance Auditing: focus on adherence to laws and regulations
– IT Auditing: focus on integrity and security of computer systems
– Performance Auditing: focus on effectiveness, economy, and efficient use of resources
– Program Auditing: focus on achieving program goals
Operational Auditing
Ensure reliability and integrity of information.
Ensure compliance with policies, plans, procedures, laws,
and regulations.
Ensure safeguarding of assets.
Ensure the economical and efficient use of resources.
Ensure the accomplishment of established objectives and
goals for operations or programs.
VI. Skills and Knowledge
Data Gathering
– Questionnaires
– Unobtrusive Measures
– Interviews
– Focus Groups
– External Evidence / Confirmations
– Data Analysis
– Flowcharting
– Mathematics
– Statistics and Sampling
– Control Self-Assessment
Skills and Knowledge, Cont’d.
Oral Communication
– Interviewing
– Presenting
– Facilitating
Written Communication
Computer Skills
– Word processing
– Spreadsheets and databases
– Organization-specific (PeopleSoft, ACL)
Skills and Knowledge, Cont’d.
Finance
Budgeting
Information Technology
Accounting
Regulatory Environment
Fraud
Control Concepts
Audit Process
VII. Audit Principles
Rules of Evidence—
Elements of A Finding
Rules of Reporting
Rules of Performing Audits
Audit Principles, Cont’d.
Attribute Standards:
– Independence
– Objectivity
– Proficiency
– Due Professional Care
– Quality Assurance and Improvement Program
Performance Standards:
– Managing the Internal Audit Activity
– Nature of work
– Engagement Planning
– Performing the Engagement
– Communicating Results
– Monitoring Progress
Terms, Acronyms & References to Know
• Audit
• Assurance Services
• Control (internal control)
• Engagement
• Survey
• Governance
• Risk (risk management)
• Residual Risk
• Control Environment
• COSO (CRIME)
• COCO
• SOX – Sarbanes-Oxley
• AICPA
• CIA, CMA, CCSA
• CPE
• GAAP
• GAAS
• SAS
• SSAE
• 404
• CARES
• Attestation
• SPPIA
• Confirmations
VIII. Audit Process
Masterjob Checklist
Introductory Exercise
1. Form groups of six members.
2. Find out from each other the following information:
– the organizations you work for
– the audit sections you represent
– the types of audits you work on and have experience with
– the length of time you’ve each been auditing
– why each of you has chosen the audit profession: is it a career or a
stepping stone?
– what you each hope to get out of the course
3. Pick one person to summarize the information and introduce the group.
Teamwork Exercise
1. What are important topics to consider when preparing for an audit
of employee use of rental cars?
2. What are five skills that would be valuable in auditing employee
use of rental cars? A skill is an ability or proficiency in an area;
for example, accounting.
3. What are five techniques that would be valuable in auditing this?
A technique is a method or procedure for accomplishing a task;
for example, flowcharting.
Internal auditors in the Canadian Government are to utilise the IIA
‘Standards for the Professional Practice of Internal Auditing’ in carrying
out their internal auditing responsibilities
(TB Policy on Internal Audit, Appendix B)
‘Assurance services are objective examinations of evidence for the
purpose of providing an independent assessment of…
– risk management strategies and practices
– management control frameworks and practices
– information used for decision-making and reporting’
(TB Policy, Section 2 and Appendix A)
‘Assurance services – An objective examination of evidence for the
purpose of providing an independent assessment on risk management,
control, or governance processes for the organization. Examples may
include financial, performance, compliance, system security, and due
diligence engagements.’
(IIA Standards for the Professional Practice of Internal Auditing)
Key principles of the definition:
objective
examination
evidence based
independent
assessment
ASSURANCE
ADVISORY
INTERNAL AUDIT SERVICES
THE ‘WHAT’
‘Assurance provided by the internal auditor, through audit engagements,
provide management confidence on the soundness of management
processes within the organization. They will also guide management in
determining where the organization is most exposed to risk,…
(TB Policy, Section 2)
2100 – Nature of Work – The IA activity evaluates and contributes to
the improvement of risk management, control and governance systems.
2110 – Risk Management – The IA activity should assist the
organization by identifying and evaluating significant exposures to risk
and contributing to the improvement of risk management and control
systems.
(IIA Performance Standards)
2120.A1 – Based on the results of the risk assessment, the IA activity
should evaluate the adequacy and effectiveness of controls
encompassing the organization’s governance, operations, and
information systems. This should include:
– reliability and integrity of financial and operational information;
– effectiveness and efficiency of operations;
– safeguarding of assets; and
– compliance with laws, regulations, and contracts.
(IIA Performance Standards)
A caution:
1220.A2 – The internal auditor should be alert to the significant risks
that might affect objectives, operations, or resources. However,
assurance procedures alone, even when performed with due professional
care, do not guarantee that all significant risks will be identified.
(IIA Attribute Standards)
THE ‘HOW’
The IA function:
– conducts individual audits in an effective and efficient manner with
risk-based plans that address the scope of the engagement, work
programs that meet the objectives of the engagement, and sufficient
appropriate evidence that supports the findings and conclusions.
(TB Policy, Appendix B)
2200 – Engagement Planning – Internal auditors should develop and
record a plan for each engagement.
(IIA Performance Standards)
2201 – Planning Consideration – In planning the engagement, internal
auditors should consider:
– the objectives of the activity being reviewed and the means by which
the activity controls its performance;
– the significant risks to the activity, its objectives, resources, and
operations and the means by which the potential impact of risk is kept
to an acceptable level;
– the adequacy and effectiveness of the activity’s risk management and
control systems compared to a relevant control framework or model;
and
– the opportunities for making significant improvements to the
activity’s risk management and control systems.
(IIA Performance Standards)
2210 – Engagement Objectives – The engagement’s objectives should
address the risks, controls, and governance processes associated with
the activities under review.
2220 – Engagement Scope – The established scope should be sufficient
to satisfy the objectives of the engagement.
(IIA Performance Standards)
2240 – Engagement Work Program – Internal auditors should develop
work programs that achieve the engagement objectives. These work
programs should be recorded.
2240.A1 – Work programs should establish the procedures for
identifying, analyzing, evaluating, and recording information during the
engagement. The work program should be approved prior to the
commencement of work, and any adjustments approved accordingly.
(IIA Performance Standards)
2120.A4 – Adequate criteria are needed to evaluate controls. Internal
auditors should ascertain the extent to which management has
established adequate criteria to determine whether objectives and goals
have been accomplished. If adequate, internal auditors should use such
criteria in their evaluation. If inadequate, internal auditors should work
with management to develop appropriate evaluation criteria.
(IIA Performance Standards)
Criteria
‘In an audit engagement, in order for meaningful conclusions to be
reached, they need to be made in relation to a set of suitable criteria.’
‘Criteria are benchmarks against which the subject matter can be
assessed.’
(TB Policy, Appendix A)
‘The internal auditor should always attempt to identify criteria that yield
useful information to departmental or agency management.’
‘Preference is to be given to the use of generally accepted criteria when
they are consistent with the objective of the audit engagement.’
(TB Policy, Appendix A)
‘In the federal government environment, generally accepted criteria
could be those established by:
– acts and regulations;
– government policy, guidelines or standards;
– risk management, management control framework, performance
information, and other guidance provided by the Government of
Canada; and
– recognized bodies of experts
(TB Policy, Appendix A)
‘When there are no generally accepted criteria consistent with the
objective of the audit engagement, and criteria from other sources are
identified, then the internal auditor should obtain from departmental or
agency management an acknowledgement that the criteria are suitable
for the engagement.’
(TB Policy, Appendix A)
2300 – Performing the Engagement – Internal auditors should identify,
analyze, evaluate, and record sufficient information to achieve the
engagement’s objectives.
(IIA Performance Standards)
2310 – Identifying Information – Internal auditors should identify
sufficient, reliable, relevant, and useful information to achieve the
engagement’s objectives.
2320 – Analysis and Evaluation – Internal auditors should base
conclusions and engagement results on appropriate analyses and
evaluations.
2330 – Recording Information – Internal auditors should record relevant
information to support the conclusions and engagement results.
(IIA Performance Standards)
audit plan / management request
audit objective(s)
criteria
audit program / tests
evidence
conclusions
report
THE ‘WHY’
‘…assurance is provided by designing procedures so that in the internal
auditor’s professional judgement, the risk of an inappropriate conclusion
is…low…through procedures such as inspection, observation, enquiry,
confirmation, computation, analysis and discussion.’
(adaptation from TB Policy on Internal Audit, Appendix B)
assurance
= not absolute
= low risk of inappropriate conclusion
= judgement
Key Principle = Replicability
i.e. consistency, such that others would arrive at the same
conclusion(s) based on the criteria, testing methods and evidence
THE ‘CAPACITY’
The IA function has the capacity to accomplish its responsibilities, by
having sufficient resources and being staffed with competent people,
effectively deployed, who work to professional standards, utilize good
communication practices, and adhere to public service and professional
ethics, values and codes of conduct.
The IA function has the breadth of knowledge to accomplish its
responsibilities, by utilizing work teams that collectively possess or
have access to sufficient expertise in the subject matter being audited.
(TB Policy, Appendix B)
1200 – Proficiency and Due Professional Care – Engagements should
be performed with proficiency and due professional care.
(IIA Attribute Standards)
1210 – Proficiency – Internal auditors should possess the knowledge,
skills and other competencies needed to perform their individual
responsibilities. The IA activity collectively should possess or obtain the
knowledge, skills, and other competencies needed to perform its
responsibilities.
1210.A1 – The chief audit executive should obtain competent advice
and assistance if the internal audit staff lacks the knowledge, skills, or
other competencies needed to perform all or part of the engagement.
(IIA Attribute Standards)
1220 – Due Professional Care – Internal auditors should apply the care and skill
expected of a reasonably prudent and competent internal auditor. Due
professional care does not imply infallibility.
1220.A1 – The internal auditor should exercise due professional care by
considering the:
– extent of work needed to achieve the engagement’s objectives;
– relative complexity, materiality, or significance of matters to which assurance
services are applied;
– adequacy and effectiveness of risk management, control, and governance
processes;
– probability of significant errors; and
– cost of assurance in relation to potential benefits.
(IIA Attribute Standards)
THE ‘PRODUCT’
Reporting Standards:
– are written so that the important issues are easily understood; and only
include information needed to properly understand the conclusion and
any significant problems identified;
– identify to whom the recommendations are directed;
– describe what was examined, how it fits into overall operations of the
organization, and its importance;
– describe the objective(s), scope and timing of the engagement;
– identify criteria used in the engagement;
Reporting Standards (continued):
– describe compliance with relevant laws, regulations, policies and standards;
– provide relevant analysis and explanation of the exposure to risks;
– state a conclusion that conveys a clear understanding of what is being assessed,
the criteria assessed, the level of assurance provided, and any reservations
(see Appendix A);
– integrate an action plan that identifies the actions to be taken and their timing.
(TB Policy, Appendix B)
2400 – Communicating Results – Internal auditors should communicate
the engagement results promptly.
2410 – Criteria for Communicating – Communications should include
the engagement’s objectives and scope as well as applicable
conclusions, recommendations, and action plans.
2410.A1 – The final communication of results should, where
appropriate, contain the internal auditor’s overall opinion.
(IIA Performance Standards)
2500 – Monitoring Progress – The chief audit executive should establish
and maintain a system to monitor the disposition of results
communicated to management.
2500.A1 – The chief audit executive should establish a follow-up
process to monitor and ensure that management actions have been
effectively implemented or that senior management has accepted the
risk of not taking action.
(IIA Performance Standards)
2600 – Management’s Acceptance of Risks – When the chief audit
executive believes that senior management has accepted a level of
residual risk that is unacceptable to the organization, the chief audit
executive should discuss the matter with senior management. If the
decision regarding residual risk is not resolved, the chief audit executive
and senior management should report the matter to the board for
resolution.
(IIA Performance Standards)
Audit Management
• Resource allocation/prioritization/planning/execution/reassignments
• Evaluating audit quality/peer reviews
• Best practices identification
• Computer Information System (CIS) audit career development
• Career path planning
• Performance assessment
• Performance counseling and feedback
• Training (internal/external)
• Professional development

Resource
• Allocation
• Prioritization
• Planning
• Execution
• Reassignments

Evaluating audit quality/peer reviews
• Audit Quality
• Scope and objectives of IT audit
• Term of evaluating

Best practices identification
• Why is it important to learn about best practices?

Computer Information System (CIS) audit career development
• To commit resources to training and development
• If a clear career path and development program do not exist, the
chances of poor performance and turnover of personnel are high.
• Define a career path within which options, training, expected
knowledge, skills, and abilities are specified for each level of
advancement

Career path planning
• IS Auditor Trainee
• Assistant IS Auditor
• IS Auditor
• Senior IS Auditor
• Manager of IS Audit
• Director of IS Audit

Performance assessment
• Performance assessment is the process by which criteria for individual
career paths are matched to organizational goals and objectives.
• Employees need to understand how the measurement of their performance
relates to their progress both within the IS audit function and within
the organization as a whole.
• IS auditors must demonstrate effectiveness through strong performance,
as well as the successful attainment of knowledge, skills, and abilities.
• Term of assessment

Performance counseling and feedback
• Management feedback is another important component of the career
development process.

Training (internal/external)
• Training levels:
– A general curriculum should be prepared that covers the training and
education that must be administered to give all IS auditors an
opportunity to become fully qualified in their profession.
– Individualized plans should be prepared that are tailored to chosen
career paths, as well as to individual strengths and weaknesses.

Professional development
• Professional community
• Certification
– Certified Public Accountant (CPA) – American Institute of Certified
Public Accountants
– Certified Internal Auditor (CIA) – Institute of Internal Auditors
– Certified Information Systems Auditor (CISA) – Information Systems
Audit and Control Association
– Certified Information Security Manager (CISM) – Information Systems
Audit and Control Association