Module 4 – Internal Audit

advertisement
School Board Audit Committee Training
Module 4
Internal Audit
1
Session objectives
After completing this session you will:
Understand the Audit Committee’s responsibilities related to Internal Audit (IA).
Understand how the IA function will operate.
Walkthrough the audit planning and approval process.
Explain the independence requirements of the IA function.
Understand the Audit Committee’s effective monitoring, oversight and assessment role for
Internal Audit
Comfortably interact with the IA function.
2
Audit Committee Duties related to the Internal Auditor
[ON Regulation 361/10 9(3)]
•
•
•
•
•
•
•
To review the Internal Auditor’s mandate, activities, staffing and organizational
structure.
To make recommendations on the content of the Internal Audit plan and on all
proposed major changes to the plan.
To ensure there are no unjustified restrictions or limitations on the scope of the
activities performed by Internal Audit.
To review, at least once in each fiscal year, the performance of the Internal Auditor
and provide comments regarding his or her performance.
To review the effectiveness of the Internal Auditor, including the Internal Auditor’s
compliance with standards for internal auditing.
To meet on a regular basis with the Internal Auditor.
To review findings, recommendations and any difficulties encountered in the course
of the Internal Auditor’s work.
3
International Standards for the Professional Practice of
Internal Auditing
•
The IIA Standards are principle-focused and provide a framework for
performing internal auditing. The Standards are mandatory requirements
consisting of:
– Statements of basic requirements for the professional practice of Internal
Auditing and for evaluating the effectiveness of its performance. The
requirements are internationally applicable at organizational and individual
levels.
– Interpretations, which clarify terms or concepts within the statements.
•
•
•
It is necessary to consider both the statements and their interpretations to
understand and apply the Standards correctly.
Current standards can be found online at
http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/
The website provides access to numerous tools, such as quality
assessments, discussion groups, etc.
4
Objectives of an Internal Audit function
•
•
•
•
•
•
Objectively monitor and report on the health of financial, operational, and
compliance controls.
Provide insight into the effectiveness of the DSB’s risk management.
Offer guidance regarding effective governance
Become a catalyst for positive change in processes and controls.
Deliver value to the audit committee, executives, and management in the
areas of controls, risk management, and governance to assist in the audit
committee’s assessment of the efficiency of programs and procedures.
Coordinate activities and share perspectives with the external auditor.
5
Ontario DSB Internal Audit Mandate
•
•
Mission: to provide independent, objective assurance and consulting
services designed to add value and improve the DSB’ operations.
Scope of work: to determine whether the network of risk management,
control, and governance processes, as designed and implemented by the
DSBs, is adequate and functioning in a manner to ensure:
– Risks are appropriately identified and managed.
– Significant financial, managerial, and operating information is accurate, reliable
and timely.
– Employees’ actions comply with policies, standards, procedures, laws and
regulations.
– Resources are acquired economically, used efficiently, and adequately
protected.
– Programs, plans, and objectives are defined, communicated and achieved.
– Significant legislative or regulatory issues impacting the DSBs are recognized
and addressed.
(Source: Sample Internal Audit Mandate Ministry of Education Website)
6
Ontario School Board Internal Audit service model
Regional model
This model will be replicated in each of the eight regions in the province.
DSB audit committees
Regional Internal Audit
Manager (RIAM)
Audit Staff
Audit Staff
Audit Staff
Audit Staff
7
Roles and responsibilities of the Internal Auditor
•
•
•
•
•
•
•
•
Develop and implement annual and multi-year Internal Audit Plans.
Maintain a professional/competent audit staff.
Perform consulting services (as requested and appropriate).
Issue periodic reports.
Inform audit committee of emerging trends and leading practices in risk
management and internal auditing.
Assist in the investigation of suspected fraudulent activities.
Consider the scope of work of external auditors.
Assist the Audit Committee in complying with Regulation 361/10.
8
Audit planning
•
Annually, the RIAM shall submit to the director of education, senior business official
and audit committee of each DSB a summary of the audit plan (current year work
schedule and multi-year plan), staffing plan, and budget for the following fiscal year.
Plan is driven by two key factors: risk assessment results and Internal
Multi-Year Plan Audit resources. It describes the Internal Audit objectives, audit goals,
a forecast of available audit hours, the planned allocation of audit
hours to each type of audit and school board for a five year period
given the identified risk areas and the available resources. Changes in
risk or audit resources may lead to a change in the plan.
Describes in further detail audit responsibilities, audit focus and audit
Annual Internal
direction for the fiscal year. The plan will be uniquely prepared from a
Audit Plan
regional perspective.
•
The audit plan is to be developed based on a prioritization of the audit universe using a
risk-based methodology.
(Source: Sample Internal Audit Mandate and Guideline on Establishing the IA Plan- Ministry of Education Website)
9
Role of Audit Committee vis-à-vis Audit Plans
• Approve multi-year and annual audit plan for YOUR school
board  part of a larger plan
How ?
1. Presentation of allocation of resources by RIAM for
ALL boards that are part of your region
2. Fair and equitable based on risk assessment
results of ALL boards….Yes? Recommend Approval
…. No? Regional Conflict
Resolution Committee
• Regional Conflict Resolution Committee (RCRC) designed
by the Ministry of Education in conjunction with the host
board workgroup to resolve audit committee conflicts
10
Regional Conflict Resolution Committee
Background:
To be created in each of the 8 regions only when the need arises
Purpose:
To ensure that the conflict resolution process is fair and unbiased for all of the
school boards in the region
Composition:
Odd number of school boards in region = One trustee member from each Audit
Committee in the region
Even number of school boards in region = Same as above + one additional
trustee member of the Audit Committee of the host board
11
Regional Conflict Resolution Committee(cont’d)
RCRC Structure
• The chair of the RCRC will be the trustee member of the host board
• Meetings will be called by the chair as-needed
• 75% of the members must be present for quorum
• Each member is entitled to one vote
Conflict Resolution Process
• Discussion of matter
• Vote by each member
• Majority decision binding to all boards
•
A conflict should be fully resolved within six weeks from the date the issue
is submitted to the chair of the RCRC.
12
Relationship between the Internal Audit Function and
the External Auditor
•
•
External auditors can, in certain circumstances, use the work of the Internal
Audit function
External auditors must determine:
1.
If the work of the internal auditor is likely to be adequate for the external audit.
Consider points:
•
objectivity
•
technical competence
•
due professional care
•
effective communication
2.
The impact on the nature, timing and extent of the external auditor’s
procedures
Consider points:
•
nature and scope of specific internal audit work
•
risks of material misstatements
•
degree of subjectivity involved in evaluating evidence
13
Independence of the Internal Audit function
•
When the Internal Audit function’s direct reporting line is to the Audit
Committee, it allows the Internal Auditors to remain structurally separate
from management and enhances objectivity.
•
It also encourages the free flow of communication on issues and promotes
direct feedback from the Audit Committee on the performance of the Chief
Audit Executive (CAE). In relation to the school board environment, this
would refer to the Regional Internal Audit Manager (RIAM).
14
Independence of the Internal Audit function (cont’d)
•
The Institute of Internal Auditor’s (IIA’s) Standards for Professional Practice
of Internal Auditing mandate that the Internal Auditors maintain a certain
level of independence from the work they audit.
– An Internal Auditor should have no personal or professional involvement with
the area being audited
– The Internal Auditor should maintain an impartial perspective on all
engagements
– Internal Auditors should have access to records and personnel when
necessary, and they should be allowed to employ appropriate investigative
techniques without impediment
15
Interaction with the Audit Committee
Audit Committees should take several steps to facilitate a mutually beneficial relationship with the
Internal Auditors. An effective relationship here is fundamental to the success of the IA function.
Communication
• Hold regular private sessions with the Internal Auditors
• Be available when contacted by the RIAM
• Engage in a substantial and communicative reporting relationship
Goal Setting
• Actively participate in discussing goals and evaluating the performance
of the RIAM; these responsibilities should not be delegated solely to
the host board management
• Challenge the RIAM and the Internal Audit function by setting
expectations, communicating those expectations clearly, and holding
the function accountable for meeting them
Support
• See that the Internal Auditors have appropriate stature and respect
and are visibly supported by senior management throughout the
organization
• Support the RIAM providing guidance and assistance, if needed
16
Practical tools to guide interaction between Internal
Auditors and the Audit Committee
•
Quarterly report:
–
–
–
–
–
•
Should highlight activities performed and status of each audit on plan
Provide timelines indicating if audits are ahead or behind schedule (metrics)
Highlight the number of high priority findings from completed audits
Identify the status of outstanding action plans for prior audit observations
Include a quality assessment score based on audit and stakeholder feedback
Executive summary for completed audits:
– Review the scope and objectives of the review
– Summarize key findings and action steps
– Provide an overall conclusion of the effectiveness of risk management
procedures in the areas reviewed
•
Planning Memo
– Introduce the upcoming audits and key risks to be addressed
– Outline the scope, approach and timelines for the review
17
Questions for Audit Committees to consider
•
•
•
•
•
•
Are the Internal Auditors responsive to the needs of today’s rapidly
changing environment?
Are the Internal Auditors monitoring critical controls and identifying and
addressing emerging risks? Is the function proactively evaluating DSB
internal controls and risk management as conditions change?
Are the Internal Auditors cognizant of new laws, regulations, and leading
practices?
Are Internal Audit personnel appropriately qualified and pursuing
appropriate professional development?
Does the Internal Audit function have the necessary and appropriate skills
sets and experience to evaluate risk and carry-out the Internal Audit plan?
Is the Internal Audit Plan aligned with the DSB’s critical risks and focusing
on what is important rather than reviewing those processes easiest to
review?
18
An Example of the Audit Committee’s Evaluation of the
Internal Auditors
Question
Expectations for the IA function
Are the Internal Auditors responsive to the
needs of today’s rapidly changing
environment?
Awareness of the “Ontario Equity and
Inclusive Education Strategy”.
Are the Internal Auditors monitoring critical
controls and identifying and addressing
emerging risks?
Monitoring and reporting on
Administrator’s action on policy
development and implementation for
equity and inclusive education.
Are the Internal Auditors cognizant of new
laws, regulations, and best practices?
Understanding of the Policy/Program
Memorandum No. 119 on Developing and
implementing equity and inclusive
education policies in Ontario schools
Does Internal Audit have the necessary
and appropriate skills sets and experience
to evaluate risk and carry-out the Internal
Audit plan?
The risk-based Internal Audit plan has
been designed considering policy
documents, regulations, and best practice.
19
Questions for Audit Committees to consider (cont’d)
•
•
•
•
•
•
Have key DSB stakeholders including the Audit Committee, Trustees,
Directors and Superintendents, reconciled their expectations for the
Internal Audit function with the RIAM?
How does the Internal Audit function relate to other risk management
related functions, such as legal, security, and health and safety? Are there
duplications of effort or gaps between these functions?
Has the audit committee reached a supportable conclusion as to whether
the Internal Auditors are operating in compliance with Institute of Internal
Auditors standards?
Is the Internal Audit function viewed as objective and competent by the
external auditor?
How is the internal audit function perceived by its stakeholders?
How has Internal Audit's performance been assessed by those that have
been audited?
20
Audit Committee leading practices
Audit Committee leading practices for interacting with the Internal Auditors
include the following:
• Assess whether the Internal Auditors have a direct functional reporting line
to the Audit Committee and an indirect line to management for
administrative activities.
• Be involved in Internal Audit Planning Process through the review and
approval of the risk assessment and Internal Audit Plan.
• Constructively challenge the Internal Audit function.
• Conduct annual performance evaluations.
• Understand Internal Audit staffing and succession planning.
21
Audit Committee Evaluation of Internal Audit
•
Audit Committees must complete annual evaluation of the Regional
Internal Audit Manager (RIAM) and the Internal Auditor (senior auditors and
audit staff) performance.
•
Sample Areas of evaluation
Regional IA Manager
Internal Auditors
Management of the Regional
Internal Audit Team
Professional Behaviour
Audit Committee Meetings
Written Communication
Communication
Timeliness
General Skills
Initiative
Overall Evaluation
Overall Evaluation
22
Source: Ministry Evaluation Worksheet
Download