Internal Audit

02/01/2012

Chief Audit Executives – Appointment, Performance Evaluation, and Termination

Rating

This article covers the various factors senior management and the board of directors should consider when appointing, evaluating, or terminating the Chief Audit Executive (CAE). The position of the CAE is important and requires independence and objectivity while also partnering with the organization and adding value.

Appointing a CAE

CAEs should demonstrate the following soft skills:

  • Ability to accurately assess situations and instinctively do the right thing even under resistance

  • Good judgment and character strength
  • Integrity

In addition, effective CAEs possess the following attributes and skills:

  • Independence and objectivity
  • Intellectual curiosity
  • Quality focused
  • Business and technical skills
  • Communication and listening skills
  • People management

Continue reading "Chief Audit Executives – Appointment, Performance Evaluation, and Termination" »

Posted at 11:34 AM in Internal Audit | | Comments (0)

|

12/21/2011

Assisting Small Internal Audit Activities in Implementing the Standards

Climbing Stack of PaperThe International Professional Practices Framework (IPPF) and underlying International Standards for the Professional Practice of Internal Auditing (Standards) provide guidance to the internal audit activity. The Standards are applicable to all internal audit departments regardless of size, level of resources, complexity, or objectives and scope. Small audit activities face some unique challenges when implementing the Standards. Typically, a small audit activity has one or more of the following characteristics:

  • One to five auditors
  • Productive internal audit hours below 7,500 a year
  • Limited level of co-sourcing or out-sourcing

Standards with a High Degree of Challenge for Small Audit Activities

The Practice Guide notes the following standards for which small internal audit activities face a high level of challenge when implementing:

  • 1100 – Independence and Objectivity
  • 1300 – Quality Assurance/Improvement Program
  • 2000 – Managing the Internal Audit Activity
  • 2200 – Engagement Planning
  • 2300 – Performing the Engagement

These challenges are most likely to affect small internal audit activities, but they may affect internal audit activities of any size. This paper will review each of these standards, identify challenges to meeting the standard, and provide guidance to mitigate these challenges.

1100 - Independence and Objectivity

Standard:  The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Challenge: Auditors may have operational responsibilities such as records management, compliance, IT security, risk management, or other finance and accounting activities.  The Chief Audit Executive (CAE) may report to an individual who has direct responsibility for areas that are subject to audits.

Guidance:  Internal audit should explain to the board the difficulties involved with auditing areas where operational responsibilities or chain of command cause independence issues. They should recommend alternatives for audits such as, using external resources, and verifying only auditors that are not involved with the operational activity complete and review the audit. The CAE should discuss any challenges relating to the reporting structure or operational duties with the board and/or senior management when establishing the audit plan. If internal audit issues a report where there is a lack of independence and objectivity, the audit report must disclose this condition along with the related impacts.

1300 – Quality Assurance/Improvement Program

Standard: The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Challenge:  Lack of financial resources may limit the ability to perform an external or internal quality assessment (QA) in accordance with the Standards.  The performance of an internal QA may be challenging due to time and staff constraints.

Guidance: Small organizations may use peer organization reviews or self-assessment with external validation to satisfy the external QA requirement.  These approaches will have a lower monetary cost but will require a larger amount of internal audit staff hours.  Organizations may consider utilizing employees outside of the internal audit activity for internal assessments if they have prior audit experience or QA training.

Continue reading "Assisting Small Internal Audit Activities in Implementing the Standards" »

Posted at 02:50 PM in Internal Audit | | Comments (1)

|

11/17/2011

Internal Auditing and Fraud

Fraud-Traingle-737837This practice guide summary will discuss how Internal audit can add value to the organization through its role in helping to deter and identify fraud. Fraud results in negative financial, reputational, psychological, and social effects on an organization.  To minimize the risk associated with fraud it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs.

Fraud Awareness

Fraud schemes are often ongoing and can last for months or years. Employees commit fraud when they have access to confidential information and internal controls are inadequate or management can override controls without question.

Most frauds have the following characteristics:

  • Pressure or incentive – need the fraudster is trying to satisfy by committing the fraud.
  • Opportunity – the fraudster’s ability to commit the fraud.
  • Rationalization – the fraudster’s ability to justify the fraud in his or her mind.

There are often red flags to indicate individuals might be committing fraud such as spending lavishly, becoming more secretive of their activities, and reluctance to take vacation or sick time.  While none of these red flags means an employee is actually committing fraud, a combination of occurrences may indicate the need for inquiries and increased audit attention.

Continue reading "Internal Auditing and Fraud" »

Posted at 10:52 AM in Fraud Risk Management, Internal Audit | | Comments (1)

|

10/25/2011

Assessing the Adequacy of Risk Management

Risk DiceRecently, there has been an increased focus on the importance of managing risk as part of an overall strong corporate governance and enterprise risk management (ERM) program. With this new emphasis comes a responsibility for Internal Audit to assess the effectiveness of the risk management strategy within the organization. Though there are multiple risk management frameworks, this guide uses ISO 31000 as the basis for the risk assessment. This article discusses management’s role and the types of approaches for Internal Audit to measure the effectiveness of risk management within their organization.

The organization should not conduct the ERM process in isolation. Instead, involve all key stakeholders and use the following control-based assurance framework:

  • Effectively identify and appropriately analyze risks.
  • Implement adequate and appropriate risk treatment and control.
  • Management effectively monitors and reviews processes to detect changes in risks and controls.

The organization’s ERM approach should change over time as internal and external factors change.  For example, changes may occur due to the arrival of new personnel, changes in entity structure, new processes, and if the business objective changes. In the same way, the assessment of the ERM process must occur on an ongoing basis.

Responsibilities

Management is responsible for determining the organization’s risk attitude and the Board is responsible for determining if the risk attitude supports the best interests of stakeholders.  Internal Audit should assess whether the company’s framework takes into consideration and defines risk management responsibilities and strategy, and whether the elements of the framework allow for building a risk-smart environment while still allowing for responsible risk-taking.

Monitoring and Assurance

Organizations must monitor risk management systems to ensure they are performing as intended.  Most organizations accomplish monitoring through ongoing activities, separate evaluations, or a combination of these two methods. Ongoing monitoring is often most effective since it is completed on a real-time basis, can react dynamically to changing conditions, and is ingrained in the organization.

Line management, internal audit, risk management specialists, and the compliance function often share the monitoring responsibility. As a result, it is important for the organization to coordinate assurance activities to ensure it uses resources efficiently and effectively.

Continue reading "Assessing the Adequacy of Risk Management" »

Posted at 10:37 AM in ERM - Enterprise Risk Management, Internal Audit | | Comments (1)

|

10/03/2011

Practice Guide Series - Introduction

RiskThe IIA’s practice guides [i] provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques; programs; and step-by-step approaches, as well as examples of deliverables.  This is the first in The RMC advisors series on the practice guides.

Formulating and Expressing Internal Audit Opinions[ii]

Internal auditors generally provide opinions for each audit and it can often be a challenging task to ensure the opinion provides all the necessary information to meet stakeholders’ objectives.

Planning

Auditors should determine stakeholder requirements for audit opinions including the level of assurance required before beginning an audit.  Careful planning and development of an audit plan helps to ensure the auditor obtains sufficient evidence to support an opinion. Audit plans and opinions must consider the scope of work performed.  Common elements to consider when defining the scope include:

  • Descriptions of the portions of the organization being covered;
  • Control components covered by the audit;
  • The point in time or the time period over which the opinion is expressed.

Types of Opinions

Opinions generally fall into one of the following categories:

  • Macro-level – broad level for the organization as a whole
  • Micro-level – individual components of the organization’s operations 

Macro-level opinions are more complex and may require aggregation of findings from several audits, incorporation of evidence obtained through less formal means, and consideration of evidence obtained through reliance on the work of others.  Recent surveys indicate that most audit organizations issue micro-level audit opinions.

Generally, stakeholders request that internal audit activities provide positive assurance opinions.  A positive assurance opinion involves the auditor taking a definite position (i.e. internal controls are or are not effective), provides the highest level of assurance, and requires the highest level of evidence.  Positive assurance opinions imply the auditor gathered sufficient evidence to provide reasonable assurance that they would identify evidence contrary to the opinion if it existed.  Opinions can be qualified if there is an exception to the general opinion (i.e. controls were satisfactory with the exception of accounts payable controls, which require significant improvement).

In contrast, a negative assurance opinion is a statement that nothing came to the auditor’s attention about a particular objective (i.e. the effectiveness of a system of internal control).  The internal auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues.  In general, this opinion is less valuable than positive assurance.

Results

Developing criteria framework can help achieve the objective of providing a valued opinion. This framework provides a baseline against which to apply measurement and judgment to evidence obtained in the course of the audit.  When establishing suitable criteria, it is important to determine if the organization has established basic principles regarding what constitutes an appropriate governance, risk management, and control process. These criteria may include:

Continue reading "Practice Guide Series - Introduction" »

Posted at 05:18 PM in Internal Audit, Internal Audit & Controls, Risk & Internal Controls | | Comments (0)

|

03/29/2011

Fourth Annual TRENDS Symposium – June 3, 2011

TrendsIV logo
Join McKonly & Asbury on Friday, June 3, 2011 for our fourth annual TRENDS symposium focusing on accounting and audit issues for the insurance industry. The session provides 6.5 CPE credits, which includes 1 tax credit and 1 ethics credit. McKonly & Asbury is an approved continuing professional education program sponsor through the Pennsylvania State Board of Accountancy.

We have an exciting array of speakers and topics planned, based on comments we received from previous participants.

  • Legislative Update - Patricia Vance, Pennsylvania State Senator and member of the Pennsylvania Banking & Insurance Committee.
  • Insurance Department Update - Stephen Johnson, Deputy Insurance Commissioner, and David DelBiondo, Director, Bureau of Financial Examinations.
  • Tax Update – McKonly & Asbury Tax Group
  • Business/Professional Ethics – Elaine Nissley, MBA, CISA, PMP, CCSA, CRISC, Principal, McKonly & Asbury Risk Management Services Group.
  • Cloud Computing & Social Media: Risks and Controls - Samuel BowerCraft, MIS, CISA, Senior Manager, McKonly & Asbury Risk Management Services Group.
  • Reinsurance –Jane Taylor, FCAS, MAAA, JD, Consulting Actuary, Huggins Actuarial Services.
  • Safeguarding Confidential Data – John Dormuth, MSIM, CPCU, ARM, Account Executive, McConkey Insurance & Benefits. 

Sponsored by McKonly & Asbury and McConkey Insurance & Benefits, the symposium will take place at the Radisson Penn Harris Hotel & Convention Center at 1150 Camp Hill Bypass in Camp Hill, PA on June 3rd!

Agenda and Details

  • June 3 (Friday)
  • Registration starts at 7:30am
  • The seminar will run from 8:00am to no later than 4:00pm. 
  • Radisson Penn Harris Hotel & Convention Center (Camp Hill)

The cost to attend is $50, which includes a continental breakfast and lunch.

To register, please contact Erin Hench at ehench@macpas.com or by calling 717-972-5814.

 

Posted at 12:37 PM in About Us, ERM - Enterprise Risk Management, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security, Social Media | | Comments (2)

|

01/24/2011

Core Competencies for Today’s Internal Auditor

Shoutimg
Another recent report similar to the Internal Audit Activity Summary in the IIA’s Global Internal Audit Survey focuses on core competencies for internal auditors.

Do your internal audit employees and management have the industry’s core competencies? Why is competence important? The IIA’s Code of Ethics requires competency based on the following rules:

  • Rule 4.1 – “Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience”
  • Rule 4.3 – “Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services”

 Competencies, Skills, and Knowledge

The survey noted the following core competencies were highly ranked for all levels of the internal audit activity (staff, management, and CAE).

  • Communication skills
  • Problem identification and solution skills
  • Keeping up to date with industry and regulatory changes and professional standards.

The survey considered technical skills very important and ranked them in the following order:

  • Understanding the business
  • Risk analysis and control assessment techniques
  • Identifying types of controls

Continue reading "Core Competencies for Today’s Internal Auditor" »

Posted at 09:29 AM in Internal Audit, Internal Audit & Controls | | Comments (0)

|

01/18/2011

Internal Audit Activity Characteristics

Ciaimg   Grcimg Ifrsimg


How does your internal audit activity compare to your competition?  How are you preparing for upcoming changes in the internal audit industry?

 In 2010, the Institute of Internal Auditors (IIA) completed a survey of internal audit activities.  The survey focused on three key areas:

  1. Internal audit activities, scope, structure, and reporting structure
  2. Demographics of internal auditors and their organizations
  3. Staffing issues

The following is a summary of this survey; consider the ranked responses and compare them to your internal audit environment.  You may find areas for change or improvement based on these insights.

Internal Audit Activities

 The top five highest ranked activities currently performed by internal auditors are:

  • Operational audits
  • Compliance audits
  • Financial risk audits
  • Fraud investigations
  • Evaluating effectiveness of control systems

In contrast, the top five emerging activities identified over the next years by internal auditors include:

  • Corporate governance reviews
  • Enterprise risk management audits
  • Reviews of linkage of strategy and company performance
  • Ethics audits
  • Migration to IFRS

Auditors will need to adapt and strengthen their skills to align with emerging internal audit activities.  Currently, 43% of organizations co-source or outsource a portion of the internal audit activity.  25% of respondents in the survey anticipated increases in the co-sourcing/outsourcing budget.

Continue reading "Internal Audit Activity Characteristics" »

Posted at 09:27 AM in Internal Audit | | Comments (3)

|

01/04/2011

What Can Internal Audit Learn from the IIA Down Under?


World

Why do we care what is happening in Australia? In this global economy, it is important to leverage best practices and forward thinking ideas when available. In this case, Australia has consistently ranked ahead of the US on the Corruption Perceptions Index issued by Transparency International. The Corruption Perceptions Index is on a scale from ten (10 - very clean) to zero (0 - highly corrupt). Check out the Transparency International website for more details of their annual studies.

Corruption Perceptions Index (CPI)

Year

Australia

United States

Rank

CPI

Rank

CPI

2010

8

8.7

22

7.5

2009

8

8.7

19

7.5

2008

9

8.7

18

7.3

2007

11

8.6

20

7.2

2006

9

8.7

20

7.3

2005

9

8.8

17

7.6

2004

9

8.8

17

7.5

 

Lessons Learned

What are some of the lessons learned that we in the US could leverage from Australia? Achieving High Performance, a study completed by the IIA and Protiviti, provides some insight into the Internal Audit profession in Australia and how they function. Some key lessons learned include:

What do Audit Committees at high achieving companies do?

  • Appoint and remove the Chief Audit Executive.
  • Approve the scope and budget of the Internal Audit plan.
  • Approve the Chief Audit Executive’s salary.
  • Evaluate the performance of the Chief Audit Executive.


What are the top five priorities of the Chief Audit Executives?

  • Internal controls over the core financial processes.
  • Proactive involvement in major project implementations.
  • Attesting to risk management.
  • Information Technology.
  • Strategic risk.


IIA Australia Policy Agenda

The IIA in Australia is calling for action to reduce the reputational scandals and destruction of shareholder value that continues in all industries.  Their recommendations include five policy principles, which apply to all organizations. These policy statements call for effective self-regulation. It is time for organizations to stop relying upon government regulations and to proactively take accountability for their organization’s risk management and internal control processes.

Policy 1: Good Governance

Strong Internal Audit Function: Internal Audit provides a separation of ownership and an independence not afforded by management. This independent review function is a critical component of good governance.

Policy 2: Oversight

Strong and Effective Audit Committee: A strong independent Audit Committee is required to maintain oversight of management and the internal audit functions. Key characteristics include:

  • At least three members with a majority being independent.
  • The Audit Committee Chair is independent and does not chair the board.
  • The Audit Committee members collectively provide deep finance, accounting and audit experience.
  • The pay for Audit Committee members is commensurate with their workload, experience and personal exposure.

Policy 3: Internal Audit Reporting Lines

Independent Audit Function: Reporting to an active and knowledgeable Audit Committee is important to maintain the independence of the Internal Audit function. Key audit committee oversight functions include:

  • The Board makes Chief Audit Executive (CAE) hiring and firing decisions based upon Audit Committee recommendations.
  • The Audit Committee recommends and approves the Chief Audit Executive’s compensation.
  •  Based upon the Chief Audit Executive’s recommendations, the Audit Committee decides audit scope and budget.
  • The Chief Audit Executive reports all audit work to the Audit Committee who regularly monitors progress against the audit plan.
  • The Audit Committee monitors the Internal Audit function including:   
    • 1) Audit Committee Chair private meetings with the CAE, and 
    • 2) Audit Committee meetings with the CAE without management at least annually.

Policy 4: Accountability for Risk Management and Internal Controls

Management Accountability: A risk culture where management is aware of and owns risks and risk mitigation strategies are keys to proactive risk management and internal control. Steps to accomplish this include:

  • Implementation of an effective system of risk management and internal control.
  • Management attests quarterly or annually that:
    • 1) The system of risk management and internal control is effective, and 
    • 2) They have reported all known material risks to the board with a true status of these risks.
  • Internal Audit independently reviews and advises the Board on management’s attestation.
  • Awareness that delegation of management’s attestation requirement to Internal Audit is not appropriate.

Policy 5: Internal Audit Maintains a High Standard

IIA International Standards for the Professional Practice of Internal Auditing (Standards): The IIA Standards provide solid guidance for effective management and operations of an Internal Audit function. Requirements of the Internal Audit function should include:

  • Mandatory use of the IIA Standards.
  • Audit Committee commissioning of an external quality review every five years. Internal Audit provides a plan for remediation of any issues found during the review.
  • Maintenance of active IIA membership by the Internal Audit function.
  • The CAE and internal auditors who issue reports maintain active IIA certification.


Conclusion

An effective, independent Internal Audit function serves as a deterrent and reduces the opportunity for risks to elevate to the level of reputational damage or erosion of shareholder value. Do you have an Internal Audit function? If so, are you getting the unaltered facts?

For any questions, contact Elaine Nissley, Principal at ENissley@macpas.com.

References

Transparency International: http://www.transparency.org/

IIA Australia: www.iia.org.au/

 

Posted at 01:18 PM in Fraud Risk Management, Internal Audit, Internal Audit & Controls, Risk & Internal Controls | | Comments (0)

|

11/23/2010

Internal Audit – Emerging Risks: Business Climate Change and Sustainability

Image1 Image3
 
New opportunities, as well as new risks accompany change.  Companies face external and internal pressures to address sustainable development in the current business climate; companies are no longer insulated from the eyes of public and private shareholders.  If you are not refocusing your risk assessment, you may not successfully weather the storm.

The article highlights the importance of addressing the business climate change and sustainability including five key risk areas for internal audit departments to consider based on an article by Ernst & Young (2010), Climate Change and Sustainability: Five Highly Charged Risk Areas for Internal Audit.

The five key areas to address include:

Strategic  - As the climate changes, so do markets and consumer preferences.  It is imperative that executive management discusses strategy with internal audit in order to build a complete and effective audit plan.

Compliance – Governments are becoming increasingly more involved in regulating business to address the growing social and environmental risks that accompany climate change and sustainability.  It is imperative that internal audit demonstrates that related risks are being incorporated into the audit plan to executive management.

Financial – Responsiveness comes at a cost.  As companies face increased sustainability costs and look to reduce costs (i.e. cutbacks) in existing areas, they are exposed to new risks.  It is imperative that internal audit reassess financial controls as operations change.

Reputational – Companies are beholden to a variety of stakeholders with increasing demands.  Technological advancement creates greater exposure in the form of information sharing.  It is imperative that internal audit takes measures to assure the integrity of information distributed to all stakeholders.

Operational – New risks put pressure on a company’s infrastructure and operations.  Sustainability impacts the supply chain directly and indirectly.  It is imperative that internal audit incorporate supply chain and operational initiatives into the audit plan to address climate change and sustainability. 

The challenge is to stay ahead of the storm when managing risk.  The article provides these takeaways for all internal audit departments.

  • Make climate change and sustainability a standard part of your risk assessment.
  • Identify the five categorical risks within your organization.
  • Identify and assess all key risks related to climate change and sustainability.
  • Evaluate risk and integrity of information across all reporting channels.
  • Educate management and the board.
  • Incorporate climate change and sustainability into current risk policies and procedures.
  • Revisit your assessment regularly and revise as necessary.
  • Ensure management is monitoring compliance.
  • Maintain an open line of communication with the board.

Become an expert in all areas of risk within your company to best maximize your role as in internal auditor.  Challenge yourself to look internally in order to position yourself to successfully face climate and sustainability risks.

Please direct questions and comments to Elaine Nissley, MBA, CISA, PMP, CCSA, Principal, McKonly & Asbury, ENissley@macpas.com.

 

 

 

Posted at 11:43 AM in Internal Audit, Internal Audit & Controls, Risk & Internal Controls | | Comments (0)

|

Next »

Search

Links


McKonly & Asbury LLP.
News & Updates


The Affordable Housing Gurus


Contractors Center Point


The Lean Accountants


The Risk, Management, and Control Advisors


The Corporate Confidante