Quality Assessments
Lessons Learned/Best Practices
Thomas A. Johnson, CIA
November 13, 2007
CBIZ Risk & Advisory Services, LLC

Agenda
• Requirement
• Benefits
• Attributes of a “World-Class” Internal Audit
• Quality and Quality Assessment
• Keys to an Effective QA
• Common Observations
• Leading Practices

Requirement
• IIA Standard 1312 requires an external assessment be performed by a competent and independent firm at least every 5 years.
• Good “business practice” to provide an independent evaluation of internal audit as well as identifying potential ways to improve the process.
• With Sarbanes-Oxley and other demands placed on Audit Committees and Internal Audit, a Quality Assurance Review serves to provide an assessment that the various Internal Audit responsibilities are being discharged effectively and efficiently.

Benefits
• Current State of “Conformance to the Standards”.
• Builds stakeholder confidence by showing management’s commitment to quality and leading practices.
• Demonstrates that the Audit Committee and Internal Audit are concerned about the success of the organization’s internal controls, governance and risk management processes.

Benefits
• PCAOB Audit Standard 2 states “The external auditor may use the work of internal auditors particularly when internal auditors are in compliance with the Standards.”
• Observations on benchmarking & identification of successful practices
• Recommendations for improvement aimed at adding value to the organization.

Benefits
• Identify Expectation Gaps
  • Among key stakeholder expectations
  • Current state & desired state of performance
• Recommendations aimed at adding value to the organization
• Internal marketing tool strengthening credibility and promoting integrity

Attributes of a “World-Class” Internal Audit Activity
• Empowered & Respected by Management and Board
• Objective and Independent
• Highly Talented
• Risk Focused
• Proactive
• Technology Driven

Empowered and Respected
• Best Reporting Structure
  • Functionally – Audit Committee
  • Administratively – CEO
• Respected at All Levels
• Value-Added Business Advisors
• “Out of the box” thinking
• Provides effective resources and solutions to business challenges

Objective and Independent
• Seen as providing unbiased views of the organization.
• Have no real or apparent conflicts of interest
• Independent of the activities they audit
• “No-No’s”
  • Designing and installing systems
  • Drafting of procedures

Highly Talented
• Highly talented professionals (certified) with unique combinations of skills & experiences
• Hiring and Retention
• Rotation in and out
• Constantly adding value
• Collectively possess the essential skills
• Consideration for co-sourcing
• Must commit to a program of continuous development

Risk Focused
• Allocates Time & Resources Based on Risk
  • Annual and Long Term Plans
  • Individual Engagements
• Identifies critical risks & exposures before they become significant issues
• Shares “lessons learned” across common business units and processes

Proactive
• Proactive, not only reactive
• Right balance between protecting and enhancing shareholder value
• Level of consultative support correlates with the organization’s fluidity
  • E.g., a flat, decentralized organization likely requires more support in analyzing business risks and transferring company-wide best practices than a highly centralized organization

Technology & Process Driven
• Utilizes “state-of-the-art” technology to:
  • Reduce Risks
  • Identify potential problems in nearly real time
  • Increase productivity
  • Continuously improve the control environment and communications
• Be committed to a program of continuous improvement

Foundation of World-Class Audit Departments
• The International Standards for the Professional Practice of Internal Auditing and the Code of Ethics are the foundation for all world-class functions.

Quality Components
• Adherence to the Code of Ethics
• Practicing in accordance with the Standards
• Continued Professional Development
• Audit Practice is continuous improvement oriented

Quality Assurance
• To Evaluate Quality: Objectively measure internal audit process
• To Maintain Quality: Fully commit to professional growth and development
• To Ensure Quality: Maintain quality assurance and improvement program

Quality Standards
• Internal audit must establish a quality assurance program that includes both:
  • Ongoing and periodic internal QAs
  • External QA a minimum of once every 5 years
• Failure precludes IA from using the statement “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.”

Keys to an Effective QA
• Understanding the Professional Practices Framework
• Awareness and Implementation of the Standards
• Internal audit quality programs and initiatives
• Leading practices in applying the Standards

Professional Practices Framework
• Definition of Internal Auditing
• The Code of Ethics
• The Standards
• Practice Advisories
• Topical Index to the Practice Advisories

Purpose of a Quality Assessment
• Assess conformance to the Standards
• Assess the effectiveness and efficiency of the internal audit activity
• Identify opportunities for improvement
• Improving performance
• Image of the department

Scope of External Assessments
• Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements
• The expectations of the IA as expressed by the board, executive management and operational management
• The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process

Scope (Cont’d)
• Tools and techniques
• Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement
• Determination that the internal audit activity adds value and improves the organization’s operations

Areas of Focus
• The Mandate of the IA Activity
• The Relationship between IA & the Audit Committee
• IA Reporting Lines
• Staffing of Internal Audit
• Obtaining & Maintaining Competency
• Coordination with External Audit
• Developing the Internal Audit Plan
• Reporting Findings & Recommendations

Areas of Focus
• Follow-Up of Corrective Action
• Fraud
• Internal Quality Program
• Sufficiency of IA Resources
• Support from Senior Management
• Evaluation by the Audit Committee

Common Findings
• Charters not current, inadequate and/or misaligned
• Lacking support or sponsorship by top management
• Department structure issues
  • Reporting lines
  • Alignment with the organization
• Insufficient business knowledge and/or technology capabilities
• Lack of a defined and documented risk assessment

Common Findings
• Linkage of risk assessment to plan
• Impact of Sar-Box
• Lack of external input to risk assessment
• Audit Universe Deficiencies
• Ineffective resource planning, including training
• Inadequate IT Coverage
• Limited use of technology
• Infrequent management interaction

Common Findings
• Lack of Performance Measurements
• Failure to Track Auditors’ Time
• Inconsistent/Incomplete Work Papers
• Lack of a defined and documented Quality Assurance and Improvement Program
• Insufficient reporting to the Audit Committee

Leading Practices
• Enterprise Risk Assessment
  • Rigorous and coordinated approach
  • Assessing all risks that affect the organization’s strategic & financial objectives
• Risk & Control Self Assessment
• Using Control Frameworks (COSO)
  • Effectiveness & Efficiency of Operations
  • Reliability of Financial Reporting
  • Compliance with Laws & Regulations

Leading Practices
• Partnering with Management
• Risk Assessment & Annual Audit Planning
• Long Term Audit Plans
  • Usually three years
  • Higher risk areas should be reviewed more frequently within the 3 year plan
  • Frequent modifications to long term plan
• Developing Staff
  • Goal of 80 hours of training
  • Stretch Objectives & Performance Measures
  • Certification

Leading Practices
• Communicating More Effectively
  • User friendly format
  • Executive summary, with clear concise information and opinion
  • Regular reporting of issues to the Audit Committee
  • “Marketing” IA function
    • Brochure
    • Intranet

Leading Practices
• Using Technology
  • Data extraction and analysis
  • Fraud detection/prevention
  • Network security assessment
  • Automated work-papers
  • Audit administration tools
• Benchmarking
• Performance measurements

Questions?

Follow-Up
Tom Johnson
tomjohnson11@msn.com
330-759-0046