The RMC Advisors: Risk & Internal Controls

Risk & Internal Controls

10/03/2011

Practice Guide Series - Introduction

The IIA’s practice guides [i] provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques; programs; and step-by-step approaches, as well as examples of deliverables. This is the first in The RMC advisors series on the practice guides.

Formulating and Expressing Internal Audit Opinions[ii]

Internal auditors generally provide opinions for each audit and it can often be a challenging task to ensure the opinion provides all the necessary information to meet stakeholders’ objectives.

Planning

Auditors should determine stakeholder requirements for audit opinions including the level of assurance required before beginning an audit. Careful planning and development of an audit plan helps to ensure the auditor obtains sufficient evidence to support an opinion. Audit plans and opinions must consider the scope of work performed. Common elements to consider when defining the scope include:

Descriptions of the portions of the organization being covered;
Control components covered by the audit;
The point in time or the time period over which the opinion is expressed.

Types of Opinions

Opinions generally fall into one of the following categories:

Macro-level – broad level for the organization as a whole
Micro-level – individual components of the organization’s operations

Macro-level opinions are more complex and may require aggregation of findings from several audits, incorporation of evidence obtained through less formal means, and consideration of evidence obtained through reliance on the work of others. Recent surveys indicate that most audit organizations issue micro-level audit opinions.

Generally, stakeholders request that internal audit activities provide positive assurance opinions. A positive assurance opinion involves the auditor taking a definite position (i.e. internal controls are or are not effective), provides the highest level of assurance, and requires the highest level of evidence. Positive assurance opinions imply the auditor gathered sufficient evidence to provide reasonable assurance that they would identify evidence contrary to the opinion if it existed. Opinions can be qualified if there is an exception to the general opinion (i.e. controls were satisfactory with the exception of accounts payable controls, which require significant improvement).

In contrast, a negative assurance opinion is a statement that nothing came to the auditor’s attention about a particular objective (i.e. the effectiveness of a system of internal control). The internal auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues. In general, this opinion is less valuable than positive assurance.

Results

Developing criteria framework can help achieve the objective of providing a valued opinion. This framework provides a baseline against which to apply measurement and judgment to evidence obtained in the course of the audit. When establishing suitable criteria, it is important to determine if the organization has established basic principles regarding what constitutes an appropriate governance, risk management, and control process. These criteria may include:

Continue reading "Practice Guide Series - Introduction" »

Posted at 05:18 PM in Internal Audit, Internal Audit & Controls, Risk & Internal Controls | Permalink | Comments (0)

03/29/2011

Fourth Annual TRENDS Symposium – June 3, 2011

Join McKonly & Asbury on Friday, June 3, 2011 for our fourth annual TRENDS symposium focusing on accounting and audit issues for the insurance industry. The session provides 6.5 CPE credits, which includes 1 tax credit and 1 ethics credit. McKonly & Asbury is an approved continuing professional education program sponsor through the Pennsylvania State Board of Accountancy.

We have an exciting array of speakers and topics planned, based on comments we received from previous participants.

Legislative Update - Patricia Vance, Pennsylvania State Senator and member of the Pennsylvania Banking & Insurance Committee.
Insurance Department Update - Stephen Johnson, Deputy Insurance Commissioner, and David DelBiondo, Director, Bureau of Financial Examinations.
Tax Update – McKonly & Asbury Tax Group
Business/Professional Ethics – Elaine Nissley, MBA, CISA, PMP, CCSA, CRISC, Principal, McKonly & Asbury Risk Management Services Group.
Cloud Computing & Social Media: Risks and Controls - Samuel BowerCraft, MIS, CISA, Senior Manager, McKonly & Asbury Risk Management Services Group.
Reinsurance –Jane Taylor, FCAS, MAAA, JD, Consulting Actuary, Huggins Actuarial Services.
Safeguarding Confidential Data – John Dormuth, MSIM, CPCU, ARM, Account Executive, McConkey Insurance & Benefits.

Sponsored by McKonly & Asbury and McConkey Insurance & Benefits, the symposium will take place at the Radisson Penn Harris Hotel & Convention Center at 1150 Camp Hill Bypass in Camp Hill, PA on June 3rd!

Agenda and Details

June 3 (Friday)
Registration starts at 7:30am
The seminar will run from 8:00am to no later than 4:00pm.
Radisson Penn Harris Hotel & Convention Center (Camp Hill)

The cost to attend is $50, which includes a continental breakfast and lunch.

To register, please contact Erin Hench at ehench@macpas.com or by calling 717-972-5814.

Posted at 12:37 PM in About Us, ERM - Enterprise Risk Management, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security, Social Media | Permalink | Comments (2)

01/31/2011

Five Court Cases Every Internal Auditor and Audit Committee Member Should Know

Are your workpapers privileged? The Institute of Internal Auditors (IIA) recently presented a webinar entitled “Five Court Cases Every Internal Auditor and Audit Committee Member Should Know.” The webinar focused on court cases related to privileges that may protect internal audit workpapers and how to protect privileged information.

Four main privileges related to your workpapers include:

Work Product
- Protects work prepared in anticipation of litigation.
Self-Critical Analysis
- Protects self-evaluative materials and results of candid assessments of compliance with laws and regulations from discovery when the public interest in preserving the internal evaluations of organizations outweighs a plaintiff’s right to the evidence.
Attorney-Client
- Protects communications between client and attorney made for the purpose of obtaining professional legal advice or assistance. Generally, this implies an establishment of a relationship. Some jurisdictions only allow this privilege with external counsel.
Accountant-Client
- Protects information shared by a client and their accountant. The purpose of the accountant-client privilege is to create an atmosphere in which the client is able to provide all relevant information to an accountant without fear of subsequent disclosure.
- No confidential accountant-client privilege exists under federal law. Some states including Pennsylvania recognize Accountant-Client Privilege.
- Pennsylvania accountant-client privilege statute specifically notes “certified public accountant, public accountant or firm” but does specifically include internal audit.

Accountant-client, attorney-client, and work product privileges do not extend to matters disclosed to a third party. Reference IIA: Practice Advisory 2400-1: Legal Considerations in Communicating Results for additional information regarding privileges.

Continue reading "Five Court Cases Every Internal Auditor and Audit Committee Member Should Know" »

Posted at 10:09 AM in Internal Audit & Controls, Risk & Internal Controls | Permalink | Comments (2)

01/04/2011

What Can Internal Audit Learn from the IIA Down Under?

Why do we care what is happening in Australia? In this global economy, it is important to leverage best practices and forward thinking ideas when available. In this case, Australia has consistently ranked ahead of the US on the Corruption Perceptions Index issued by Transparency International. The Corruption Perceptions Index is on a scale from ten (10 - very clean) to zero (0 - highly corrupt). Check out the Transparency International website for more details of their annual studies.

Corruption Perceptions Index (CPI)
Year	Australia		United States
Year	Rank	CPI	Rank	CPI
2010	8	8.7	22	7.5
2009	8	8.7	19	7.5
2008	9	8.7	18	7.3
2007	11	8.6	20	7.2
2006	9	8.7	20	7.3
2005	9	8.8	17	7.6
2004	9	8.8	17	7.5

Lessons Learned

What are some of the lessons learned that we in the US could leverage from Australia? Achieving High Performance, a study completed by the IIA and Protiviti, provides some insight into the Internal Audit profession in Australia and how they function. Some key lessons learned include:

What do Audit Committees at high achieving companies do?

Appoint and remove the Chief Audit Executive.
Approve the scope and budget of the Internal Audit plan.
Approve the Chief Audit Executive’s salary.
Evaluate the performance of the Chief Audit Executive.

What are the top five priorities of the Chief Audit Executives?

Internal controls over the core financial processes.
Proactive involvement in major project implementations.
Attesting to risk management.
Information Technology.
Strategic risk.

IIA Australia Policy Agenda

The IIA in Australia is calling for action to reduce the reputational scandals and destruction of shareholder value that continues in all industries. Their recommendations include five policy principles, which apply to all organizations. These policy statements call for effective self-regulation. It is time for organizations to stop relying upon government regulations and to proactively take accountability for their organization’s risk management and internal control processes.

Policy 1: Good Governance

Strong Internal Audit Function: Internal Audit provides a separation of ownership and an independence not afforded by management. This independent review function is a critical component of good governance.

Policy 2: Oversight

Strong and Effective Audit Committee: A strong independent Audit Committee is required to maintain oversight of management and the internal audit functions. Key characteristics include:

At least three members with a majority being independent.
The Audit Committee Chair is independent and does not chair the board.
The Audit Committee members collectively provide deep finance, accounting and audit experience.
The pay for Audit Committee members is commensurate with their workload, experience and personal exposure.

Policy 3: Internal Audit Reporting Lines

Independent Audit Function: Reporting to an active and knowledgeable Audit Committee is important to maintain the independence of the Internal Audit function. Key audit committee oversight functions include:

The Board makes Chief Audit Executive (CAE) hiring and firing decisions based upon Audit Committee recommendations.
The Audit Committee recommends and approves the Chief Audit Executive’s compensation.
Based upon the Chief Audit Executive’s recommendations, the Audit Committee decides audit scope and budget.
The Chief Audit Executive reports all audit work to the Audit Committee who regularly monitors progress against the audit plan.
The Audit Committee monitors the Internal Audit function including:
- 1) Audit Committee Chair private meetings with the CAE, and
- 2) Audit Committee meetings with the CAE without management at least annually.

Policy 4: Accountability for Risk Management and Internal Controls

Management Accountability: A risk culture where management is aware of and owns risks and risk mitigation strategies are keys to proactive risk management and internal control. Steps to accomplish this include:

Implementation of an effective system of risk management and internal control.
Management attests quarterly or annually that:
- 1) The system of risk management and internal control is effective, and
- 2) They have reported all known material risks to the board with a true status of these risks.
Internal Audit independently reviews and advises the Board on management’s attestation.
Awareness that delegation of management’s attestation requirement to Internal Audit is not appropriate.

Policy 5: Internal Audit Maintains a High Standard

IIA International Standards for the Professional Practice of Internal Auditing (Standards): The IIA Standards provide solid guidance for effective management and operations of an Internal Audit function. Requirements of the Internal Audit function should include:

Mandatory use of the IIA Standards.
Audit Committee commissioning of an external quality review every five years. Internal Audit provides a plan for remediation of any issues found during the review.
Maintenance of active IIA membership by the Internal Audit function.
The CAE and internal auditors who issue reports maintain active IIA certification.

Conclusion

An effective, independent Internal Audit function serves as a deterrent and reduces the opportunity for risks to elevate to the level of reputational damage or erosion of shareholder value. Do you have an Internal Audit function? If so, are you getting the unaltered facts?

For any questions, contact Elaine Nissley, Principal at ENissley@macpas.com.

References

Transparency International: http://www.transparency.org/

IIA Australia: www.iia.org.au/

Posted at 01:18 PM in Fraud Risk Management, Internal Audit, Internal Audit & Controls, Risk & Internal Controls | Permalink | Comments (0)

12/07/2010

Strengthening ERM: A Wise Decision

What is the state of Enterprise Risk Management (ERM) in your organization? What are the components of ERM and what can they do for your organization? The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued the paper, Enterprise Risk Management for Strategic Advantage, to assist management in addressing improvements in risk oversight. It highlights four important areas of ERM for management and the board to review and consider. The following presents some important questions for you to chew on.

Organization Risk Appetite and Philosophy: Is your board, executive management, and middle management all on the same page when making decisions on the level of risk to take on behalf of your organization? Does the Board set the “Tone at the Top” and influence corporate culture regarding risk appetite and philosophy? Is there a shared understanding from the Board down through middle management regarding the amount of risk that is acceptable in the pursuit of meeting corporate objectives?

Risk Management Practices: Do you understand your organization’s approach to risk management? Does the board challenge management and determine if key risk exposures are within acceptable risk levels? Is there a threat for your executive compensation package to encourage risk-taking beyond acceptable risk levels? Do you reward strong performance without considering the risks assumed by the organization to meet the performance targets? Case in point: the sub-prime mortgage crisis.

Portfolio of Risks: Do you understand all of the significant risks facing your organization? Do you know how management is addressing these risks? How do you know they are addressing the right risks? Does the board packet contain relevant risk information? Is risk a board agenda item?

Key Risk Indicators (KRI): Do you have a set of key risk indicators for your organization? Does everyone understand the KRIs and the appropriate risk responses? What is your process to report on KRIs?

Is this case, what you do not know can hurt you. As Warren Buffett said, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” A corporate risk assessment can start your organization on the way to answering these questions.

For more information, contact Elaine Nissley at ENissley@macpas.com.

Posted at 03:20 PM in ERM - Enterprise Risk Management, Risk & Internal Controls | Permalink | Comments (0)

11/23/2010

Internal Audit – Emerging Risks: Business Climate Change and Sustainability

New opportunities, as well as new risks accompany change. Companies face external and internal pressures to address sustainable development in the current business climate; companies are no longer insulated from the eyes of public and private shareholders. If you are not refocusing your risk assessment, you may not successfully weather the storm.

The article highlights the importance of addressing the business climate change and sustainability including five key risk areas for internal audit departments to consider based on an article by Ernst & Young (2010), Climate Change and Sustainability: Five Highly Charged Risk Areas for Internal Audit.

The five key areas to address include:

Strategic - As the climate changes, so do markets and consumer preferences. It is imperative that executive management discusses strategy with internal audit in order to build a complete and effective audit plan.

Compliance – Governments are becoming increasingly more involved in regulating business to address the growing social and environmental risks that accompany climate change and sustainability. It is imperative that internal audit demonstrates that related risks are being incorporated into the audit plan to executive management.

Financial – Responsiveness comes at a cost. As companies face increased sustainability costs and look to reduce costs (i.e. cutbacks) in existing areas, they are exposed to new risks. It is imperative that internal audit reassess financial controls as operations change.

Reputational – Companies are beholden to a variety of stakeholders with increasing demands. Technological advancement creates greater exposure in the form of information sharing. It is imperative that internal audit takes measures to assure the integrity of information distributed to all stakeholders.

Operational – New risks put pressure on a company’s infrastructure and operations. Sustainability impacts the supply chain directly and indirectly. It is imperative that internal audit incorporate supply chain and operational initiatives into the audit plan to address climate change and sustainability.

The challenge is to stay ahead of the storm when managing risk. The article provides these takeaways for all internal audit departments.

Make climate change and sustainability a standard part of your risk assessment.
Identify the five categorical risks within your organization.
Identify and assess all key risks related to climate change and sustainability.
Evaluate risk and integrity of information across all reporting channels.
Educate management and the board.
Incorporate climate change and sustainability into current risk policies and procedures.
Revisit your assessment regularly and revise as necessary.
Ensure management is monitoring compliance.
Maintain an open line of communication with the board.

Become an expert in all areas of risk within your company to best maximize your role as in internal auditor. Challenge yourself to look internally in order to position yourself to successfully face climate and sustainability risks.

Please direct questions and comments to Elaine Nissley, MBA, CISA, PMP, CCSA, Principal, McKonly & Asbury, ENissley@macpas.com.

Posted at 11:43 AM in Internal Audit, Internal Audit & Controls, Risk & Internal Controls | Permalink | Comments (0)

08/16/2010

Security and Fraud Prevention Seminar

McKonly & Asbury will be hosting a Security and Fraud Prevention Seminar on Friday, September 24, 2010, at the Sheraton Harrisburg/Hershey on Lindle Road in Harrisburg, PA. The seminar will begin at 8:00am and conclude at 3:30 pm, with lunch provided at noon. There is a $35 registration fee and CPE credits are available.

At this seminar, you'll learn more about...

Current trends in cyber crime and identity theft, along with a discussion of the methods you can use to protect yourself from being a victim.
Resources available to prevent attacks on our critical infrastructure and how to report suspicious activity and crime.
The components of fraud, identification of red flags, and other fraud prevention tips related to financial institutions.
Banking fraud concerns for businesses and options for minimizing risk.
Practical security and the 10 Tips for Success.
Mortgage fraud.

Speakers include:

Scott Sutherland, Special Agent of the FBI

David Clark, Special Agent of the FBI

Julie Krause, Regional Sales Manager - Treasury Management at M&T Bank

Tom Strause, Partner with Financial Outsourcing Solutions

David Hammarberg, IT Director with McKonly & Asbury

Samuel BowerCraft, Senior Manager with McKonly & Asbury

Agenda:

8:00am - 8:30am: Registration
8:30am - 8:35am: Welcome (Scott Heintzelman, McKonly & Asbury)
8:35am - 10:00am: IT Security Topic (Scott Sutherland, FBI)
10:00am - 10:15am: Break
10:15am - 11:15am: Practical Security: 10 Tips for Success (David Hammarberg & Samuel BowerCraft, McKonly & Asbury)
11:15am - 12:00pm: Banking Fraud Concerns for Businesses (Julie Krause, M&T Bank)

12:00pm - 1:00pm: Lunch

1:00pm - 1:45pm: Financial Institution Fraud (Tom Strause, Financial Outsourcing Solutions)
1:45pm - 2:00pm: Break
2:00pm - 3:25pm: Mortgage Fraud (David Clark, FBI)
3:25pm - 3:30pm: Closing (Scott Heintzelman, McKonly & Asbury)

If you would like to register, please contact Melissa Roberson at mroberson@macpas.com or by calling 717-761-7910.

Posted at 10:11 AM in Fraud Risk Management, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security | Permalink | Comments (1)

06/08/2010

Keeping Watch & Monitoring IT

More and more new technology is released into working environments each day, whether it be intentional installations of servers and software, or unintentional releases of viruses and malware. Given all the possibilities of what might and can occur, vigilance over what is going on is more important than ever.

Historically, keeping watch has been an extremely important duty. Sentries would be placed at key locations at all hours to look for invaders, storms, fires, and friends approaching a castle. Depending on what the sentry saw, he would alert different groups of people to respond appropriately to the threat or the opportunity that was presented.

The success in these situations is to cut response times (and downtime), and improve customer satisfaction. This also helps to cut costs, as preventing major problems and attacks is almost always better than repairing the aftermath of the issue.

Today, the analogy to IT is quite similar, but the methods have changed. You can’t use a person to track all the events on a network, there are too many systems, and too many transactions per second for this to be viable. Instead, we need to take a risk based approach by putting sentries on watch at the most important areas. If we don’t, then the risk of invaders, fire, or other catastrophe increases, as does the risk that we won’t discover the problem until after it is far too late.

Step 1: The first step is to identify everything you want to monitor. Areas to consider will be specific to your business but may include: firewall and network attacks, changes to systems, changes to logical access/user access, bandwidth usage, hard drive usage, server utilization, backup tape usage, database utilization, printer usage, and/or login times.

Step 2: Identify the areas of your network that you are able to monitor. If you can track attacks on your network, that is something worth noting. If your current system cannot track attacks on your network, that is also worth noting.

Step 3: Compare the list of things you want to monitor to the things you can monitor. You now have to decide what you will be monitoring in the short term (items you want to monitor and can monitor) and make decisions about items you want to monitor in the future (those you want to monitor but cannot monitor now). Further decisions must be made on how you will monitor these items (the criteria). Monitoring hard drive space is a good idea, but how often will you check it, and what is the threshold for concern? 90% usage? 91%?

Moving ahead with monitoring of your IT investment will help to streamline and optimize your environment, and provide you with increased return on your investment (ROI). Depending on the assessment, you may find that you can use existing tools, or conversely that you need a special monitoring tool. Either way, by evaluating your environment, deciding what needs to be monitored, and posting sentries, you will be safer and better prepared for whatever may come your way.

“Never neglect details. When everyone's mind is dulled or distracted the leader must be doubly vigilant.”- Colin Powell

By: Samuel BowerCraft

Posted at 02:42 PM in ERM - Enterprise Risk Management, IT, Risk & Internal Controls, SOX | Permalink | Comments (0)

01/20/2010

Save The Date! Trends III: Current Accounting & Audit Issues for Insurance Professionals

TrendsIII
Join McKonly & Asbury on Friday, May 21, 2010 for our third annual TRENDS symposium focusing on accounting and audit issues for the insurance industry. 7 CPE credits are offered for a modest cost of $75 which includes 1.5 tax credits. McKonly & Asbury is an approved continuing professional education program sponsor through the Pennsylvania State Board of Accountancy.

We have an exciting array of speakers and topics planned, based on comments we received from previous participants.

Continue reading "Save The Date! Trends III: Current Accounting & Audit Issues for Insurance Professionals" »

Posted at 01:35 PM in Internal Audit, Risk & Internal Controls | Permalink | Comments (2)

01/14/2010

Trust but Verify

Ronald Reagan frequently used the phrase, “Trust but Verify”. He acknowledged the risks of just accepting information we are told as the truth without checking to verify the accuracy. This applies to many areas of life including the assessment of internal controls. During the course of our work, we seldom find that internal controls are truly operating as reported based on mere inquiry. Many factors contribute to this phenomenon. One reason is communication issues caused by the different mental models of the participants.

Continue reading "Trust but Verify" »

Posted at 01:29 PM in Internal Audit, Risk & Internal Controls | Permalink | Comments (0)

The RMC Advisors

Categories

Archives