School Board Audit Committee Training Module 4 Internal Audit 1 Session objectives After completing this session you will: Understand the Audit Committee’s responsibilities related to Internal Audit (IA). Understand how the IA function will operate. Walkthrough the audit planning and approval process. Explain the independence requirements of the IA function. Understand the Audit Committee’s effective monitoring, oversight and assessment role for Internal Audit Comfortably interact with the IA function. 2 Audit Committee Duties related to the Internal Auditor [ON Regulation 361/10 9(3)] • • • • • • • To review the Internal Auditor’s mandate, activities, staffing and organizational structure. To make recommendations on the content of the Internal Audit plan and on all proposed major changes to the plan. To ensure there are no unjustified restrictions or limitations on the scope of the activities performed by Internal Audit. To review, at least once in each fiscal year, the performance of the Internal Auditor and provide comments regarding his or her performance. To review the effectiveness of the Internal Auditor, including the Internal Auditor’s compliance with standards for internal auditing. To meet on a regular basis with the Internal Auditor. To review findings, recommendations and any difficulties encountered in the course of the Internal Auditor’s work. 3 International Standards for the Professional Practice of Internal Auditing • The IIA Standards are principle-focused and provide a framework for performing internal auditing. The Standards are mandatory requirements consisting of: – Statements of basic requirements for the professional practice of Internal Auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels. – Interpretations, which clarify terms or concepts within the statements. • • • It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. Current standards can be found online at http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/ The website provides access to numerous tools, such as quality assessments, discussion groups, etc. 4 Objectives of an Internal Audit function • • • • • • Objectively monitor and report on the health of financial, operational, and compliance controls. Provide insight into the effectiveness of the DSB’s risk management. Offer guidance regarding effective governance Become a catalyst for positive change in processes and controls. Deliver value to the audit committee, executives, and management in the areas of controls, risk management, and governance to assist in the audit committee’s assessment of the efficiency of programs and procedures. Coordinate activities and share perspectives with the external auditor. 5 Ontario DSB Internal Audit Mandate • • Mission: to provide independent, objective assurance and consulting services designed to add value and improve the DSB’ operations. Scope of work: to determine whether the network of risk management, control, and governance processes, as designed and implemented by the DSBs, is adequate and functioning in a manner to ensure: – Risks are appropriately identified and managed. – Significant financial, managerial, and operating information is accurate, reliable and timely. – Employees’ actions comply with policies, standards, procedures, laws and regulations. – Resources are acquired economically, used efficiently, and adequately protected. – Programs, plans, and objectives are defined, communicated and achieved. – Significant legislative or regulatory issues impacting the DSBs are recognized and addressed. (Source: Sample Internal Audit Mandate Ministry of Education Website) 6 Ontario School Board Internal Audit service model Regional model This model will be replicated in each of the eight regions in the province. DSB audit committees Regional Internal Audit Manager (RIAM) Audit Staff Audit Staff Audit Staff Audit Staff 7 Roles and responsibilities of the Internal Auditor • • • • • • • • Develop and implement annual and multi-year Internal Audit Plans. Maintain a professional/competent audit staff. Perform consulting services (as requested and appropriate). Issue periodic reports. Inform audit committee of emerging trends and leading practices in risk management and internal auditing. Assist in the investigation of suspected fraudulent activities. Consider the scope of work of external auditors. Assist the Audit Committee in complying with Regulation 361/10. 8 Audit planning • Annually, the RIAM shall submit to the director of education, senior business official and audit committee of each DSB a summary of the audit plan (current year work schedule and multi-year plan), staffing plan, and budget for the following fiscal year. Plan is driven by two key factors: risk assessment results and Internal Multi-Year Plan Audit resources. It describes the Internal Audit objectives, audit goals, a forecast of available audit hours, the planned allocation of audit hours to each type of audit and school board for a five year period given the identified risk areas and the available resources. Changes in risk or audit resources may lead to a change in the plan. Describes in further detail audit responsibilities, audit focus and audit Annual Internal direction for the fiscal year. The plan will be uniquely prepared from a Audit Plan regional perspective. • The audit plan is to be developed based on a prioritization of the audit universe using a risk-based methodology. (Source: Sample Internal Audit Mandate and Guideline on Establishing the IA Plan- Ministry of Education Website) 9 Role of Audit Committee vis-à-vis Audit Plans • Approve multi-year and annual audit plan for YOUR school board part of a larger plan How ? 1. Presentation of allocation of resources by RIAM for ALL boards that are part of your region 2. Fair and equitable based on risk assessment results of ALL boards….Yes? Recommend Approval …. No? Regional Conflict Resolution Committee • Regional Conflict Resolution Committee (RCRC) designed by the Ministry of Education in conjunction with the host board workgroup to resolve audit committee conflicts 10 Regional Conflict Resolution Committee Background: To be created in each of the 8 regions only when the need arises Purpose: To ensure that the conflict resolution process is fair and unbiased for all of the school boards in the region Composition: Odd number of school boards in region = One trustee member from each Audit Committee in the region Even number of school boards in region = Same as above + one additional trustee member of the Audit Committee of the host board 11 Regional Conflict Resolution Committee(cont’d) RCRC Structure • The chair of the RCRC will be the trustee member of the host board • Meetings will be called by the chair as-needed • 75% of the members must be present for quorum • Each member is entitled to one vote Conflict Resolution Process • Discussion of matter • Vote by each member • Majority decision binding to all boards • A conflict should be fully resolved within six weeks from the date the issue is submitted to the chair of the RCRC. 12 Relationship between the Internal Audit Function and the External Auditor • • External auditors can, in certain circumstances, use the work of the Internal Audit function External auditors must determine: 1. If the work of the internal auditor is likely to be adequate for the external audit. Consider points: • objectivity • technical competence • due professional care • effective communication 2. The impact on the nature, timing and extent of the external auditor’s procedures Consider points: • nature and scope of specific internal audit work • risks of material misstatements • degree of subjectivity involved in evaluating evidence 13 Independence of the Internal Audit function • When the Internal Audit function’s direct reporting line is to the Audit Committee, it allows the Internal Auditors to remain structurally separate from management and enhances objectivity. • It also encourages the free flow of communication on issues and promotes direct feedback from the Audit Committee on the performance of the Chief Audit Executive (CAE). In relation to the school board environment, this would refer to the Regional Internal Audit Manager (RIAM). 14 Independence of the Internal Audit function (cont’d) • The Institute of Internal Auditor’s (IIA’s) Standards for Professional Practice of Internal Auditing mandate that the Internal Auditors maintain a certain level of independence from the work they audit. – An Internal Auditor should have no personal or professional involvement with the area being audited – The Internal Auditor should maintain an impartial perspective on all engagements – Internal Auditors should have access to records and personnel when necessary, and they should be allowed to employ appropriate investigative techniques without impediment 15 Interaction with the Audit Committee Audit Committees should take several steps to facilitate a mutually beneficial relationship with the Internal Auditors. An effective relationship here is fundamental to the success of the IA function. Communication • Hold regular private sessions with the Internal Auditors • Be available when contacted by the RIAM • Engage in a substantial and communicative reporting relationship Goal Setting • Actively participate in discussing goals and evaluating the performance of the RIAM; these responsibilities should not be delegated solely to the host board management • Challenge the RIAM and the Internal Audit function by setting expectations, communicating those expectations clearly, and holding the function accountable for meeting them Support • See that the Internal Auditors have appropriate stature and respect and are visibly supported by senior management throughout the organization • Support the RIAM providing guidance and assistance, if needed 16 Practical tools to guide interaction between Internal Auditors and the Audit Committee • Quarterly report: – – – – – • Should highlight activities performed and status of each audit on plan Provide timelines indicating if audits are ahead or behind schedule (metrics) Highlight the number of high priority findings from completed audits Identify the status of outstanding action plans for prior audit observations Include a quality assessment score based on audit and stakeholder feedback Executive summary for completed audits: – Review the scope and objectives of the review – Summarize key findings and action steps – Provide an overall conclusion of the effectiveness of risk management procedures in the areas reviewed • Planning Memo – Introduce the upcoming audits and key risks to be addressed – Outline the scope, approach and timelines for the review 17 Questions for Audit Committees to consider • • • • • • Are the Internal Auditors responsive to the needs of today’s rapidly changing environment? Are the Internal Auditors monitoring critical controls and identifying and addressing emerging risks? Is the function proactively evaluating DSB internal controls and risk management as conditions change? Are the Internal Auditors cognizant of new laws, regulations, and leading practices? Are Internal Audit personnel appropriately qualified and pursuing appropriate professional development? Does the Internal Audit function have the necessary and appropriate skills sets and experience to evaluate risk and carry-out the Internal Audit plan? Is the Internal Audit Plan aligned with the DSB’s critical risks and focusing on what is important rather than reviewing those processes easiest to review? 18 An Example of the Audit Committee’s Evaluation of the Internal Auditors Question Expectations for the IA function Are the Internal Auditors responsive to the needs of today’s rapidly changing environment? Awareness of the “Ontario Equity and Inclusive Education Strategy”. Are the Internal Auditors monitoring critical controls and identifying and addressing emerging risks? Monitoring and reporting on Administrator’s action on policy development and implementation for equity and inclusive education. Are the Internal Auditors cognizant of new laws, regulations, and best practices? Understanding of the Policy/Program Memorandum No. 119 on Developing and implementing equity and inclusive education policies in Ontario schools Does Internal Audit have the necessary and appropriate skills sets and experience to evaluate risk and carry-out the Internal Audit plan? The risk-based Internal Audit plan has been designed considering policy documents, regulations, and best practice. 19 Questions for Audit Committees to consider (cont’d) • • • • • • Have key DSB stakeholders including the Audit Committee, Trustees, Directors and Superintendents, reconciled their expectations for the Internal Audit function with the RIAM? How does the Internal Audit function relate to other risk management related functions, such as legal, security, and health and safety? Are there duplications of effort or gaps between these functions? Has the audit committee reached a supportable conclusion as to whether the Internal Auditors are operating in compliance with Institute of Internal Auditors standards? Is the Internal Audit function viewed as objective and competent by the external auditor? How is the internal audit function perceived by its stakeholders? How has Internal Audit's performance been assessed by those that have been audited? 20 Audit Committee leading practices Audit Committee leading practices for interacting with the Internal Auditors include the following: • Assess whether the Internal Auditors have a direct functional reporting line to the Audit Committee and an indirect line to management for administrative activities. • Be involved in Internal Audit Planning Process through the review and approval of the risk assessment and Internal Audit Plan. • Constructively challenge the Internal Audit function. • Conduct annual performance evaluations. • Understand Internal Audit staffing and succession planning. 21 Audit Committee Evaluation of Internal Audit • Audit Committees must complete annual evaluation of the Regional Internal Audit Manager (RIAM) and the Internal Auditor (senior auditors and audit staff) performance. • Sample Areas of evaluation Regional IA Manager Internal Auditors Management of the Regional Internal Audit Team Professional Behaviour Audit Committee Meetings Written Communication Communication Timeliness General Skills Initiative Overall Evaluation Overall Evaluation 22 Source: Ministry Evaluation Worksheet