Stephen Kirk - AASHTO - Internal/External Audit Subcommittee

Gather information regarding best practices.
• Learn as much as you can from other Internal Audit shops.
• Steal the wheel and modify it to your needs; don't reinvent it. Take the ideas you like from everyone's process, adapt them to your own process, and be open to helping each other.
• I am going to present the Illinois process today; hopefully you can take something with you that is useful. I also hope that you will share your ideas with me so I can improve upon my process.

Illinois has a State Internal Audit Advisory Board (SIAAB) that is responsible for the following:
1. Promulgating uniform standards and a code of ethics and providing guidance to State Internal Auditors. The standards and interpretations predominantly followed by Illinois are those of the Institute of Internal Auditors (IIA), although some GAO standards have been adopted as well as some State-specific requirements and adaptations.
2. Providing and coordinating training, including setting standards for training.
3. Coordinating Peer or Quality Assurance Reviews.


The Board is comprised of the Chief Internal Auditor of each Illinois Constitutional Officer, the General Services agency for the State, and six Chief Internal Auditors appointed by the Governor. I am the current Chair. If you are interested, SIAAB maintains a website managed by the University of Illinois that can be found at http://siaab.audits.uillinois.edu/. Free on-line training regarding the Standards of the Institute of Internal Auditors (IIA) and Illinois-specific requirements is available on the website. If you have any questions, please feel free to contact me.
IIA Standard 2010: Planning
"The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."
• In order to link the Internal Audit Plan to the risks of the Department, Internal Audit created an "Audit Universe" or "Auditable Units" for IDOT based upon the primary owner of the process.

The Audit Universe is a vital component of the risk assessment process and consists of dividing the entire Department into various control areas that cover all responsibilities and functions of the Department. These areas are listed by the primary owner of the process.
The key to a good Auditable Units schedule is
periodically verifying that there have been no
changes or additions to the universe.
• IIA Practice Advisory 2010-1 (4) states, "The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis, and focus. It is advisable to assess the audit universe on at least an annual basis to reflect the most current strategies and direction of the organization."

The Audit Universe / Auditable Units schedule:
• Provides the framework for monitoring the internal control structure of the Department by operational area and provides the foundation for the risk assessment process.
• Allows Internal Audit to communicate with each Division or Office of IDOT in a standardized manner to monitor the Department's internal controls.
• Provides a mechanism for confirming whether all processes have been captured.
• Provides a means for monitoring historic audit coverage for all functions and activities of the Department.
• Demonstrates compliance with the Standards and the law that governs the internal audit function.
• Is considered a best practice under the IIA Standards.
Create and regularly update Permanent Files
regarding your Auditable Units. This helps
provide you with a starting point not only for
your Internal Audit Plan Risk Assessment but also
your audit specific Risk Assessment. Files should
include the following:
1. Applicable Statutes, Rules & Regulations;
2. Policies and Procedures, Manuals, Guidelines;
3. Prior Audits- External, Internal, Federal;
4. Management Control Certifications;
5. List of Information Technology Systems Used;
6. Interview Notes;
7. System Narrative.


I learned a lesson early in my career that you
should never assume that you and management
are working from the same playbook. All people
have different experiences and understandings of
processes and management techniques. Make
sure you and management have a common
understanding of definitions. Internal Auditors
are the internal control and risk management
experts and educators for their agency. Take
audit planning as an opportunity to get on the
same page. I do that by providing an Internal
Audit Plan Framework.
Each Director is provided a copy of the framework to be followed during the planning process. It is a framework for how they should make their assessment of their areas. This assures the Chief Auditor that he and all Directors are working from the same page. The areas covered are as follows:
1. Risk, inherent risk, residual risk;
2. Internal Control;
3. Types of Internal Control;
4. Methods of Internal Control;
5. Risk Considerations;
6. Risk Management;
7. Major Threats to Internal Control.
• Risk: The probability that an event or activity will occur that adversely impacts the achievement of an organization's objectives.
• Inherent Risk: The risk that exists in an environment without the benefit of internal controls.
• Residual Risk: The risk that exists after consideration of the controls management has implemented to mitigate or transfer risk. (This is where we want to focus our efforts.)


“Control is the employment of all means devised
in an enterprise to promote, direct, restrain,
govern, and check upon the various activities for
the purpose of seeing that enterprise objectives
are met. These means of control include but are
not limited to form of organization, policies,
systems, procedures, instructions, standards,
committees, charts of account, forecasts,
budgets, schedules, reports, records, checklists,
methods, devices and internal auditing.”
***Source: “Sawyer’s Internal Auditing”, Sawyer
In order to work through the risk assessment process, you have to make sure that management understands internal controls, the control structure, and the environment in which they are operating. Again, if they are not working from the same page, they cannot communicate to you the information that you need to make your risk assessment and provide a risk-based plan. Never miss an opportunity to educate (a teaching moment); that's a preventative control.
• To achieve the objectives of the agency, management must place assets at risk. It is management's responsibility to decide how much and what risk it is willing to accept in achieving the objectives of the agency. Management mitigates risks, and ensures that management's objectives are met, through the use of internal controls.
• Preventative: Segregation of Duties; Authorization & Approval; Edit Checks; Reasonableness Checks; Completeness Checks; Accuracy Checks; Dual Controls; Data Input Controls within IT System.
• Detective: Detect errors & often come in the form of monitoring devices. Computer system scans for exceptions to certain parameters & generates exception reports for managerial review; comparative actions such as reconciling vendor billings to payments; physical checks such as annual inventory; management review of reports of actions taken by personnel.
• Corrective: Correct problems identified by detective controls. Computer program that prompts personnel to correct problems; exception reports.
• Directive: Produce positive results. Strategic plan and its specific goals & objectives, organizational charts which assign responsibility to ensure tasks are completed to meet the agency mission. Written procedures which instruct how management wants various tasks accomplished, providing the exact steps & chronological sequence and required documentation to ensure uniform execution; important reference & training tool ensuring continuity of operations.
• Compensating: Compensate for shortcomings in the system, thus offsetting the need to correct another control weakness. It may also be part of a redundant system.
***Source: “Internal Auditing Principles & Techniques”, Ratliff
• Organizational Controls: Establish the framework in which the agency operates. Define purpose and general focus of operations; mission, goals & objectives; structure & division responsibilities; establish decision-making hierarchy; job descriptions for detailed outline of duties & responsibilities; outline reporting responsibilities.
• Operational Controls: Functional activities that include planning; budgeting; accounting; program activities; documentation; authorization; policies & procedures; manuals & guides; information systems.
• Personnel Controls: Recruiting & selection of suitable personnel; orientation, training, development of personnel; supervision & direction of personnel.
• Periodic Review Controls: Appropriate monitoring of agency operations. Performance reviews of individual employees; internal reviews of operations & programs through management reports; quality management & assurance reviews; internal & external audits; peer reviews.
• Facilities & Equipment Controls: Ensure facilities & equipment are properly acquired, tracked & maintained. Lease management; building & property management; maintenance; tracking & monitoring of equipment.
***Source: “Internal Auditing Principles & Techniques”, Ratliff
Congress established the Committee of Sponsoring Organizations (COSO) & they developed a risk management framework in 1992. This was updated in 2004 & became the Enterprise Risk Management Integrated Framework (ERM). It is the recognized standard for risk management. ERM consists of 8 components that are key to management's managing of risk within the organization:
1. Internal Control Environment- Formulates a risk management philosophy & sets the tone
of the organization.
2. Objective Setting- Sets what the entity strives to achieve.
3. Event Identification- What has to be done to implement the agency’s strategy & achieve
established objectives.
4. Risk Assessment- Consideration of how potential events may affect the achievement of
the strategy & objectives.
5. Risk Response- Identify actions to reduce risk.
6. Control Activities- Implement action through policies & procedures and other activities
to control risk.
7. Information & Communication- Dissemination of information to all personnel regarding
the process & its importance.
8. Monitoring- Monitor and check for the appropriateness and effectiveness of controls &
the management of risk.
***Source: Institute of Internal Auditors
These 8 COSO core components provide the framework for how management and Internal Audit need to think during the Risk Assessment process. Is management doing well in these core areas? Even if they have appropriate internal controls in place, are they effective and are they working properly?

Provide management with a list of risk considerations
that should be utilized by management in assessing
the risk within a process. All of these factors should
be considered during management’s determination of
whether they have an effect on the environment in
which the area is operating or have caused a change
to that environment. Through an assessment of these
factors, management should arrive at a list of areas
or programs for which they believe there is a higher
risk or level of importance. The end result of this
process is a ranking of activities that helps Internal
Audit identify areas to which limited resources should
be allocated first in order to provide useful input to
management.
Risk considerations:
• Priority of Agency Head or Management and reasons;
• Cause: suspicion of fraud, improper conduct, blatant disregard for procedures, suspected misuse or improper use of assets;
• Financial Exposure: size of auditee or amount of agency assets at risk, liquidity of assets (easy theft), transaction volume;
• Significance of area to agency operations;
• Changes to laws, rules and regulations;
• Adequacy, effectiveness & quality of internal controls;
• Major changes in technology, operations, programs, systems or controls;
• New programs or initiatives;
• Complexity of operations;
• Rapid growth of the Division;
• Competence, experience or time in position of management for the area, or recent key management personnel changes;
• Competence, experience or time in position of staff, recent key personnel changes or high staff turnover;
• Significance and number of previous internal and/or external audit findings;
• Time since last audit;
• Political or press exposure or general public impact considerations;
• Extent of or changes to the computerization of the area;
• Ethical climate, such as pressure by management on the area to meet objectives;
• Low employee morale or problematic personnel;
• Changes in capabilities or experience of audit staff;
• Audit plans of external auditors;
• Opportunities to achieve operating benefits.
This helps management to think about what causes things to go wrong with the Internal Control System.
• Management Override: Controls that are readily set aside at the option of management or personnel. This is equivalent to no controls at all.
• Optional or Incomplete Controls: Controls that say "may" or those that give options without guidance for making decisions about how to proceed are not effective. They must include clear direction regarding the choice that should be made.
• Form Over Substance: Controls appear to be well designed but there is no substance to them, or they are ineffective or miss their intended mark.
• Conflicts of Interest: Cause personnel to place their interest above that of the organization.
• Access to Assets: Having improper access to assets can result in theft, misuse or abuse.
• Inadequately Trained or Uninformed Personnel: Results in personnel not being able to properly perform required tasks. Personnel not understanding the reason for a particular control and the desired result may not properly execute the necessary steps. It does not matter how well the procedures are written if personnel cannot execute them properly. The end result is the same as if no controls were in place.
***Source: “Internal Auditing Principles & Techniques”, Ratliff
Further causes of control breakdowns:
• The process becomes routine and this familiarity causes steps in the process to be overlooked;
• Information concerning a law, rule or procedure was never given to an employee;
• Employees not properly trained or instructed;
• Personnel do not recognize the importance of a step or process or its impact on another area;
• Personnel miss the handoff to another area or there is confusion over which area is responsible (each area incorrectly thinks the other is handling the process);
• Time constraints;
• Inadequate resources devoted to the process;
• Employees unknowingly overlooked something;
• Personnel too close to the process to think of improvements (married to the existing process);
• It is hard to proofread your own work.
The Internal Auditor is not meant to be an adversary but rather a partner. According to the Institute of Internal Auditors, Internal Auditing provides:
• Assurance that the organization is operating as management intends (Governance, Risk, Control).
• Insight for improving controls, processes, procedures, performance, and risk management; and for reducing expenses and managing & controlling revenues (Catalysts, Analyses, Assessments).
• Objective assessments of operations (Integrity, Accountability, Independence).

***Source: Institute of Internal Auditors, “Value of Internal Auditing Presentation to Stakeholders”

IIA Standard 2130: Control
“The Internal audit activity must assist the
organization in maintaining effective controls
by evaluating their effectiveness and
efficiency and by promoting continuous
improvement.”
IIA Standard 2130.A1
"The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
1. Reliability and integrity of financial and operational information.
2. Effectiveness and efficiency of operations and programs.
3. Safeguarding of assets; and
4. Compliance with laws, regulations, policies, procedures and contracts."

Base your risk assessment and Audit Plan
around the Auditable Units or Audit Universe.
Each Director is sent a Risk Assessment Questionnaire. Items covered include the following:
1. Any changes to the Auditable Units;
2. New Programs or Initiatives;
3. Rapid growth or significant increases in funding or expenditures;
4. Turnover of Key Management or Key Personnel;
5. Reviews or audits by a Federal Agency, e.g. FHWA, FTA, FRA, FAA, NHTSA, FMCSA, GAO;
6. Press exposure;
7. Law changes;
8. Administrative Rule changes;
9. Information technology that was developed or had major modifications in the last year, or any that is currently in process or planned;
10. Any fraudulent activity, improper conduct, blatant disregard for procedures, suspected or improper use of assets or State resources;
11. Any processes or programs they believe would be helpful for internal audit to review;
12. Rank what they consider to be the five most significant areas for which they are responsible.
The responses to the Risk Questionnaire are reviewed and analyzed prior to the meeting with each Director. One critical area is ensuring the accuracy of the Auditable Units. Each Director is asked to provide any updates or changes to the "Auditable Units". In many cases, Internal Audit may also have knowledge about new programs. It is important to note these as they are discovered to make sure they are not overlooked during the Questionnaire process.
Illinois requires each Chief Internal Auditor to prepare a two-year Audit Plan. However, the second year of the Internal Audit Plan is always given reconsideration at the time of the development of the next year's two-year plan. This is because of changes in circumstances and risks that occur over the one-year period since the plan was last developed. If you only create a one-year plan, you may wish to consider this option. It at least allows you to anticipate the next year.
The Chief Internal Auditor conducts a meeting with the Director of each of the Offices and Divisions. The meetings are designed to discuss the information gathered from the Questionnaires in more detail. It is also a chance to discuss the top five areas and why the Director believes they are important. The various Auditable Units are discussed in terms of the risk factors and how they relate to the area, as well as the effectiveness of the controls and any issues or concerns they may be aware of. The end result is a collection of notes, including the development of the areas proposed for audit during the next two fiscal years. This is verified with each Director.
• Assess all of the information you gathered and determine which areas should receive audit coverage. Start with making the assessment at the individual Division or Office level.
• Take the results of each individual Division or Office level assessment and weigh them against each other to develop a proposed Internal Audit Plan with resource hours listed. Weigh those areas that are most important against the available resources. Take into account other desirable activities, such as providing coverage across your whole organizational structure.
• In Illinois the Internal Audit Plan must be approved by the Secretary of Transportation. A meeting is held to discuss the proposed Audit Plan with the Secretary. We look at the priorities listed from the assessment and together formulate the final Internal Audit Plan priorities.
• The Final Internal Audit Plan is presented and signed by the Chief Internal Auditor and the Secretary of Transportation.
Now go forth and audit, and remember what Confucius said: "No matter where you go, there you are." So I say, why not make the best of it!
Any questions?
Stephen Kirk, CIA, CGAP
Chief Internal Auditor
Illinois Department of Transportation
2300 S. Dirksen Parkway
Springfield, IL 62764
(217)557-1258
Stephen.Kirk@Illinois.Gov