The Institute of Internal Auditors—Puget Sound Chapter
Comprehensive Entry Level Training For Auditors
October 12-14, 2004, Seattle, Washington

Internal Auditing Overview

Agenda
  I.    Definition of Internal Auditing
  II.   Evolution of Internal Auditing
  III.  Role of the Auditor
  IV.   Standards and Guidelines
  V.    Types of Audits
  VI.   Skills and Knowledge
  VII.  Audit Principles
  VIII. Audit Process

I. Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  – Institute of Internal Auditors

II. Evolution of Internal Auditing

Significant changes to the business, risk and control environments:
  – Technology advancements
  – Sarbanes-Oxley and related legislation and other requirements

Impact on internal auditing. Changes in:
  – Expectations
  – Focus
  – Perceptions

III. Internal Audit’s Role in Corporate Governance

Sarbanes-Oxley Act (July 2002) Compliance. Internal Audit involvement in:
  • Section 301: Audit Committee Provisions
  • Section 302: Quarterly CEO/CFO certification of financial statements and disclosure controls
  • Section 404: Annual control over financial reporting

Significance of the Committee of Sponsoring Organizations (COSO): the control environment becomes the most important component of internal control.

The Internal Auditor’s Role and Services

  For the Auditee               For the Customer
  Produce a Product             Provide a Service
  Serve as a Beat Cop           Serve as a Consultant
  Act as an Adversary           Act as a House Guest
  Find Errors                   Improve Operations
  Be a Second-Guesser           Serve as a Counselor
  Be Efficient                  Be Effective
  Time-Limited Assignment       Ongoing Relationship

The Audit Shop’s Primary Asset: CREDIBILITY

IV. Auditing Standards

Standards pertain to auditors’ professional qualifications and the quality of their work, the performance of field work, and the characteristics of meaningful reports.
  – The International Standards for the Professional Practice of Internal Auditing (Professional Practices Framework): Institute of Internal Auditors
  – Government Auditing Standards (Yellow Book): U.S. Government Accountability Office

IIA’s Professional Practices Framework
  – Definition of Internal Auditing
  – Code of Ethics
  – International Standards for the Professional Practice of Internal Auditing
  – Quality Assurance Standards
  – Practice Advisories (Guidance)
  – Development and Practice Aids

IIA’s Definition of Internal Auditing: Key Words and Concepts
  – Assurance and consulting
  – Add value
  – Systematic, disciplined approach
  – Risk management
  – Control
  – Governance

Flexibility of the New Definition

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  – Fostering Enterprise Risk Management
  – Re-engaging on Internal Controls
  – Facilitating more effective corporate governance

V. Types of Audits
  – Financial Auditing: focus on the balance sheet and income statement
  – Operational Auditing: focus on resource utilization and accomplishment of operational goals
  – Compliance Auditing: focus on adherence to laws and regulations
  – IT Auditing: focus on the integrity and security of computer systems
  – Performance Auditing: focus on effectiveness, economy, and efficient use of resources
  – Program Auditing: focus on achieving program goals

Operational Auditing
  – Ensure reliability and integrity of information.
  – Ensure compliance with policies, plans, procedures, laws, and regulations.
  – Ensure safeguarding of assets.
  – Ensure the economical and efficient use of resources.
  – Ensure the accomplishment of established objectives and goals for operations or programs.

VI. Skills and Knowledge

Data Gathering
  – Questionnaires
  – Unobtrusive Measures
  – Interviews
  – Focus Groups
  – External Evidence / Confirmations
  – Data Analysis
  – Flowcharting
  – Mathematics
  – Statistics and Sampling
  – Control Self-Assessment

Skills and Knowledge, Cont’d.

Oral Communication
  – Interviewing
  – Presenting
  – Facilitating
Written Communication
Computer Skills
  – Word processing
  – Spreadsheets and databases
  – Organization-specific (PeopleSoft, ACL)

Skills and Knowledge, Cont’d.
  – Finance
  – Budgeting
  – Information Technology
  – Accounting
  – Regulatory Environment
  – Fraud
  – Control Concepts
  – Audit Process

VII. Audit Principles
  – Rules of Evidence: Elements of a Finding
  – Rules of Reporting
  – Rules of Performing Audits

Audit Principles, Cont’d.
  – Independence
  – Objectivity
  – Proficiency
  – Due Professional Care
  – Quality Assurance and Improvement Program
  – Nature of Work
  – Engagement Planning
  – Performing the Engagement
  – Communicating Results
  – Monitoring Progress
  – Managing the Internal Audit Activity

Terms, Acronyms & References to Know
  • Audit                          • AICPA
  • Assurance Services             • CIA, CMA, CCSA
  • Control (internal control)     • CPE
  • Engagement                     • GAAP
  • Survey                         • GAAS
  • Governance                     • SAS
  • Risk (risk management)         • SSAE
  • Residual Risk                  • 404
  • Control Environment            • CARES
  • COSO (CRIME)                   • Attestation
  • COCO                           • SPPIA
  • SOX – Sarbanes-Oxley           • Confirmations

VIII. Audit Process

Masterjob Checklist

Introductory Exercise
1. Form groups of six members.
2. Find out from each other the following information:
   – the organizations you work for
   – the audit sections you represent
   – the types of audits you work on and have experience with
   – the length of time you’ve each been auditing
   – why each of you has chosen the audit profession: is it a career or a stepping stone?
   – what you each hope to get out of the course
3. Pick one person to summarize the information and introduce the group.

Teamwork Exercise
1. What are important topics to consider when preparing for an audit of employee use of rental cars?
2. What are five skills that would be valuable in auditing employee use of rental cars? A skill is an ability or proficiency in an area; for example, accounting.
3. What are five techniques that would be valuable in auditing this? A technique is a method or procedure for accomplishing a task; for example, flowcharting.

Internal auditors in the Canadian Government are to utilise the IIA ‘Standards for the Professional Practice of Internal Auditing’ in carrying out their internal auditing responsibilities. (TB Policy on Internal Audit, Appendix B)

‘Assurance services are objective examinations of evidence for the purpose of providing an independent assessment of…
  – risk management strategies and practices
  – management control frameworks and practices
  – information used for decision-making and reporting’
(TB Policy, Section 2 and Appendix A)

‘Assurance services – An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.’ (IIA Standards for the Professional Practice of Internal Auditing)

Key principles of the definition:
  – objective examination
  – evidence based
  – independent assessment

Internal Audit Services: Assurance and Advisory

THE ‘WHAT’

‘Assurance provided by the internal auditor, through audit engagements, provides management confidence on the soundness of management processes within the organization. They will also guide management in determining where the organization is most exposed to risk,…’ (TB Policy, Section 2)

2100 – Nature of Work – The IA activity evaluates and contributes to the improvement of risk management, control and governance systems.
2110 – Risk Management – The IA activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
(IIA Performance Standards)

2120.A1 – Based on the results of the risk assessment, the IA activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. This should include:
  – reliability and integrity of financial and operational information;
  – effectiveness and efficiency of operations;
  – safeguarding of assets; and
  – compliance with laws, regulations, and contracts.
(IIA Performance Standards)

A caution:
1220.A2 – The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified. (IIA Attribute Standards)

THE ‘HOW’

The IA function conducts individual audits in an effective and efficient manner with risk-based plans that address the scope of the engagement, work programs that meet the objectives of the engagement, and sufficient appropriate evidence that supports the findings and conclusions. (TB Policy, Appendix B)

2200 – Engagement Planning – Internal auditors should develop and record a plan for each engagement. (IIA Performance Standards)

2201 – Planning Considerations – In planning the engagement, internal auditors should consider:
  – the objectives of the activity being reviewed and the means by which the activity controls its performance;
  – the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
  – the adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model; and
  – the opportunities for making significant improvements to the activity’s risk management and control systems.
(IIA Performance Standards)

2210 – Engagement Objectives – The engagement’s objectives should address the risks, controls, and governance processes associated with the activities under review.
2220 – Engagement Scope – The established scope should be sufficient to satisfy the objectives of the engagement.
(IIA Performance Standards)

2240 – Engagement Work Program – Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.
2240.A1 – Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to the commencement of work, and any adjustments approved accordingly.
(IIA Performance Standards)

2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria. (IIA Performance Standards)

Criteria

‘In an audit engagement, in order for meaningful conclusions to be reached, they need to be made in relation to a set of suitable criteria.’
‘Criteria are benchmarks against which the subject matter can be assessed.’
(TB Policy, Appendix A)

‘The internal auditor should always attempt to identify criteria that yield useful information to departmental or agency management.’
‘Preference is to be given to the use of generally accepted criteria when they are consistent with the objective of the audit engagement.’
(TB Policy, Appendix A)

‘In the federal government environment, generally accepted criteria could be those established by:
  – acts and regulations;
  – government policy, guidelines or standards;
  – risk management, management control framework, performance information, and other guidance provided by the Government of Canada; and
  – recognized bodies of experts.’
(TB Policy, Appendix A)

‘When there are no generally accepted criteria consistent with the objective of the audit engagement, and criteria from other sources are identified, then the internal auditor should obtain from departmental or agency management an acknowledgement that the criteria are suitable for the engagement.’ (TB Policy, Appendix A)

2300 – Performing the Engagement – Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement’s objectives. (IIA Performance Standards)

2310 – Identifying Information – Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.
2320 – Analysis and Evaluation – Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.
2330 – Recording Information – Internal auditors should record relevant information to support the conclusions and engagement results.
(IIA Performance Standards)

The engagement flow:
  audit plan / management request
  → audit objective(s)
  → criteria
  → audit program / tests
  → evidence
  → conclusions
  → report

THE ‘WHY’

‘…assurance is provided by designing procedures so that in the internal auditor’s professional judgement, the risk of an inappropriate conclusion is…low…through procedures such as inspection, observation, enquiry, confirmation, computation, analysis and discussion.’ (adaptation from TB Policy on Internal Audit, Appendix B)

assurance = not absolute = low risk of inappropriate conclusion = judgement

Key Principle = Replicability, i.e. consistency: others would arrive at the same conclusion(s) based on the criteria, testing methods and evidence.

THE ‘CAPACITY’

The IA function has the capacity to accomplish its responsibilities by having sufficient resources and being staffed with competent people, effectively deployed, who work to professional standards, utilize good communication practices, and adhere to public service and professional ethics, values and codes of conduct.
The IA function has the breadth of knowledge to accomplish its responsibilities by utilizing work teams that collectively possess or have access to sufficient expertise in the subject matter being audited.
(TB Policy, Appendix B)

1200 – Proficiency and Due Professional Care – Engagements should be performed with proficiency and due professional care. (IIA Attribute Standards)

1210 – Proficiency – Internal auditors should possess the knowledge, skills and other competencies needed to perform their individual responsibilities. The IA activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A1 – The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.
(IIA Attribute Standards)

1220 – Due Professional Care – Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – The internal auditor should exercise due professional care by considering the:
  – extent of work needed to achieve the engagement’s objectives;
  – relative complexity, materiality, or significance of matters to which assurance services are applied;
  – adequacy and effectiveness of risk management, control, and governance processes;
  – probability of significant errors; and
  – cost of assurance in relation to potential benefits.
(IIA Attribute Standards)

THE ‘PRODUCT’

Reporting Standards:
  – are written so that the important issues are easily understood, and only include information needed to properly understand the conclusion and any significant problems identified;
  – identify to whom the recommendations are directed;
  – describe what was examined, how it fits into the overall operations of the organization, and its importance;
  – describe the objective(s), scope and timing of the engagement;
  – identify criteria used in the engagement;

Reporting Standards (continued):
  – describe compliance with relevant laws, regulations, policies and standards;
  – provide relevant analysis and explanation of the exposure to risks;
  – state a conclusion that conveys a clear understanding of what is being assessed, the criteria assessed, the level of assurance provided, and any reservations (see Appendix A);
  – integrate an action plan that identifies the actions to be taken and their timing.
(TB Policy, Appendix B)

2400 – Communicating Results – Internal auditors should communicate the engagement results promptly.
2410 – Criteria for Communicating – Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.
2410.A1 – The final communication of results should, where appropriate, contain the internal auditor’s overall opinion.
(IIA Performance Standards)

2500 – Monitoring Progress – The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 – The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
(IIA Performance Standards)

2600 – Management’s Acceptance of Risks – When the chief audit executive believes that senior management has accepted a level of residual risk that is unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution. (IIA Performance Standards)

Audit Management

Topics:
  – Resource allocation / prioritization / planning / execution / reassignments
  – Evaluating audit quality / peer reviews
  – Best practices identification
  – Computer Information System (CIS) audit career development
  – Career path planning
  – Performance assessment
  – Performance counseling and feedback
  – Training (internal/external)
  – Professional development

Resource Allocation
  – Prioritization
  – Planning
  – Execution
  – Reassignments

Evaluating audit quality / peer reviews
  – Audit quality
  – Scope and objectives of IT audit
  – Term of evaluating

Best practices identification
  – Why is it important to learn about best practices?

Computer Information System (CIS) audit career development
  – Commit resources to training and development.
  – If a clear career path and development program do not exist, the chances of poor performance and turnover of personnel are high.
  – Define a career path within which options, training, and expected knowledge, skills, and abilities are specified for each level of advancement.

Career path planning
  – IS Auditor Trainee
  – Assistant IS Auditor
  – IS Auditor
  – Senior IS Auditor
  – Manager of IS Audit
  – Director of IS Audit

Performance assessment
Performance assessment is the process by which criteria for individual career paths are matched to organizational goals and objectives. Employees need to understand how the measurement of their performance relates to their progress both within the IS audit function and within the organization as a whole. IS auditors must demonstrate this effectively, through strong performance as well as the successful attainment of knowledge, skills, and abilities.
  – Term of assessment

Performance counseling and feedback
Management feedback is another important component of the career development process.

Training (internal/external)
Training levels:
  – A general curriculum should be prepared that covers the training and education that must be administered to give all IS auditors an opportunity to become fully qualified in their profession.
  – Individualized plans should be prepared that are tailored to chosen career paths, as well as to individual strengths and weaknesses.

Professional development
Professional community and certification:
  – Certified Public Accountant (CPA): American Institute of Certified Public Accountants
  – Certified Internal Auditor (CIA): Institute of Internal Auditors
  – Certified Information Systems Auditor (CISA): Information Systems Audit and Control Association
  – Certified Information Security Manager (CISM): Information Systems Audit and Control Association