internal audit best practices

8/3/2019 Internal Audit Best Practices

1/56

Nicholas DiMola, Principal

Quality Plus & Associates


2/56

Internal Audit Best Practices

What makes an EffectiveInternal Audit Function ?


3/56

Internal Audit Best PracticesAccording to a survey conducted by KPMG, an effective

Internal Audit function is a combination of:

IAs position within the organization

The people and resources that it has to meet itsresponsibilities and challenges

The processes that it uses to assess risk, plan itsactivities and to deliver its results


4/56

Risk Assessment Process

There is a Strong Link between effective Risk

Assessments and effective Audit Coverage

According to the IIA Standards, IA Groupsshould base their audit plans around riskassessments conducted on an annual ormore frequent basis with input from seniormanagement and the board of directors.


5/56

Risk Assessment ProcessSteps to Strengthen Risk Assessment Process

Adopt a Process Approach to Risk Assessment and

Audit PlanningSupplement Annual Risk Assessments with more

frequent updates

Leverage prior Audit results

Align and Leverage Risk assessmentsSeek out and Utilize Specialist

Coordinate with other Risk management groups


6/56

Risk Assessment ProcessAdopt a Process Approach to Risk Assessment and Audit

Planning

Need to keep the Audit Committee and SeniorManagement informed of changes to IAs position onRisk Exposure.

Requires a Process Drive Approach and Flexible Audit

PlanReview changes to the Audit Plan


7/56

Risk Assessment ProcessSupplement Annual Risk Assessments with

more frequent updates - need to monitor risk

on a regular, on going basis though out theyear.

Leverage prior Audit results learn frompast audits and reach out to key playerswithin the company to strengthen the riskassessment process.


8/56

Risk Assessment ProcessAlign and Leverage Risk Assessments should use a

common framework to avoid confusion.

Seek Out and Utilize Specialist

IA should use bothinternal and external resources to expand capability incritical business areas, technology and frauddetection.

Coordinate with other Risk Management Groups

important to be knowable of and involved with otherrisk management groups and share informationaccordingly.


9/56

Risk Assessment ProcessPwC recommends the following check list for IA in its

approach to risk assessments and audit planning

Conduct enterprise level risk assessments at leastannually.

Apply risk based assessment results to thedevelopment of the audit plan and planning audit

engagements.Adopt a formal process to periodically update or revise

risk assessments .


10/56

Risk Assessment Process Update the audit plan to address the results of the risk

assessment

Conduct a preliminary risk assessment at thebeginning of every internal audit engagement

Keep the Audit Committee informed about IAs viewsof risk the companys emerging or changes to its riskposition.


11/56

Flexible Audit ApproachObjective :

Shift from a traditional audit process toPartnering with Management to

Enhance Stakeholder Value


12/56

Flexible Audit ApproachMajor Drivers

Changes to BusinessEnvironment

Greater Expectations


13/56

Audit PlanCarryover

Cancelled

Deferred

On-Hold


14/56

Audit Plan

Audit Plan needs to beFlexible -

Not Set in Stone


15/56

Flexible Audit PlanBroad Functional Areas

Expand Budgets/Drill Down asNeeded

Increase Scope of ProjectsImplementation Assistance


16/56

Flexible Audit PlanAvailability of Outside Resources

Ability to Respond Quickly

Increase Management Support Capability

Use of Specialist/Experts

Develop In-House Skill Sets


17/56

Flexible Audit PlanBenefits:Audit Focus on Quality Not Quantity

Reduces Expectation Gap between IA &Management

Empowers Auditors to Define the Scope of Work

More efficient utilization of ResourcesIA can be of Greater assistance to Management


18/56

Flexible Audit PlanChallenges

Maintain Administrative Control over Audit Plan

Effectively Manage Additional Resources

Incorporate Continuous Business Risk Assessment

Process


19/56

Flexible Audit PlanSummary

An value added Audit Plan is more a factor of Qualitativeinformation than Quantitative

Audit Plan is more in line with the Needs of theOrganization

The Audit Plan is an Evolving Process

Monitoring and Assessing auditor performance is Critical


20/56

Audit Reporting

Auditing Reporting Process

Is it Timely and Efficient?


21/56

Audit ReportingChallenges:

Lengthy Cycle Times

Reports must be Factually Correct butissued Timely

Constant Complaint Audits Take To Long


22/56

Audit Reporting

Consequences of Lengthy Audit Cycles

Audit results are not timely

Stakeholders dissatisfaction

Inefficient use of audit time


23/56

Audit ReportingReporting Issues

Ineffective communication with auditee

Delays in writing draft report

Editing process

Quality Control

Delays by Management in Responding


24/56

Audit ReportingA survey of CAEs have reported that it takes on average

more than a quarter of the audit cycle time to processan audit report.

Delays in getting audit responses

Repetitive re-editingLengthy, narrative-format audit reports


25/56

Audit ReportingPossible Considerations:

Issue reports without management comments

Use power-point presentations instead of a report

Use a standardized report format

Issue audit findings on a piecemeal basis while the

audit is in progress.Advise senior management and the Audit Committeeof only high risk audit results with all findingscommunicated to the auditee.


26/56

Audit Reporting

Exception Reporting

Most Relevant findings and issues upfront

Recommendations


27/56

Audit ReportingUse of Audit Ratings

More IA departments are using audit ratings tocommunicate the significance of audit findings and

overall results.

Why?


28/56

Audit ReportingAudit Report Ratings

Keys

Rating scheme should fit organizationDevelop and communicate the criteria for assigning audit

ratings

Communicate the basis and rational of the scheme to

Senior Management and the Audit CommitteeHave appropriate report distribution and follow up process


29/56

Surveys

Performance Agreement

Results to Audit Committee


30/56

Cost Savings

Efficiency Effectiveness

Assurance Consultative


31/56

Training and Guidance


32/56

Contract Audit

Why Audit Contracts ?


33/56

Contract AuditWhy Audit Contracts?

So you know you got what you paid for!

Strengthen contract terms & conditionsImprove procurement process (contract letting) &

contract administration

Ensure compliance with procurement regulations

Indentify opportunities for cost reductions orsavings


34/56

Contract AuditContracting Activities3 Major Phases

Pre Award

Contract Performance

Completion & Closeout


35/56

Contract AuditPre-AwardApproved and Authorized

Terms and scope is clearPrices are fair and reasonable

Rights are included in contract terms

Comply with requirementsFunding is ok


36/56

Contract AuditContract Performance

Work performed = Scope in contract

Payments = Value received

Deliverables on schedule

Comply with laws environmental and safety

Rights inspect, audit, claims, liquidated damages


37/56

Contract AuditCompletion and CloseoutScope of work, payments, deliverables comply with

terms of contractUser acceptance

Post performance obligations manuals,

warranties, testing and trainingClaims resolved

Liquidated damages collected


38/56

Contract AuditExamples of Findings & Results Consultants charged at higher than actual rate

Adding fringe benefit cost to independent contractors

Failure to get allowance for material discounts

Inflated travel cost

$2.5 million recovered form equipment manufacture for using wrong

inflation indexes $13.7 million reduction to a claim due to overstated labor and material

cost

$2.1 million saved for material cost charged but not incurred


39/56

Building Effective Audit Committee

Relationships

Audit Committees are continuouslyrelying more heavily on Internal Audit

keeping them informed on businessstrategies and risk, oversight andgovernance, and the effectives of

controls.


40/56


RelationshipsInternal Audit should:

Have access to the Committee

Review with the Committee its audit plan,reports and significant findings

Provide assurance on risk and controls

Position IA as a strategic advisor to theCommittee

Provide an objective set of eyes and ears


41/56


RelationshipsThe Audit Committee should:

Understands IAs role in the organization

Be involved in the selection and dismissal of the CAE

Be involved in determining the CAEs compensation

Monitor performance of the IAD and require an

external QARKnow the next level of IA management team for

succession planning


42/56

Who Audits the Auditors?

The Value of External QualityAssessments


43/56


44/56

Some Elements of a QAR Staff Information (education, skills, certifications)

Audit Plan Budget to Actual

Audit Cycle Time

Issues and Recommendations Tracking

Customer Satisfaction Survey Staff Meeting

Benchmarking to Best Practices

Training

Work Paper Review (ongoing)

QA Review Action Plan


45/56

What is the Value of Quality to Internal

Audit ABC Organization

InternalAudit

Executive Level

At this level Internal Audit is notconsidered a valued resource to theOrganization


46/56



InternalAudit

Executive Level

As the Quality of Internal Audit increases the acceptance atthe Executive Level gets Internal Audit closer


47/56



Executive Level

InternalAudit

Once Quality is achieved Internal Audit is embraced by the

Executive Level as a valuable resource within the Organization


48/56

Whos Responsible for the Quality of

Internal Audit? Organization Chief Audit Executive (CAE)

Who will Benefit

Internal Audit Profession IA Stakeholders

(AC, BOD, Regulatory Body, Sr. Mgmt) Internal Auditors


49/56

External Quality AssessmentObjectives that should be Achieved1) Assess the efficiency and effectiveness of the IA activity in

light of its Charter and the Board and managements

expectations.2) Provide an opinion on IAs conformance to the spirit and

intent of the Standards.

3) Benchmarking and industry comparisons for internal auditing

practices4) Identify and offer recommendations to improve IAs

performance and increase the value added to the AuditCommittee and management.


50/56

What are the benefits of an external QA?

Expert advice & counsel from practitioners withdecades of experience and broad exposure to thebest IA functions

Sounding Board

Leverage for funding, authority, independence &training

Visibility

Pipeline to the audit committee & seniormanagement


51/56

Why have an external QA?

Professional credibilityOrganizational credibility

Legal liabilityCompliance with Standards

Continuous improvementAudit Committee oversight


52/56

Inadequate Quality Assurance &Improvement Program

Consulting omitted from the mission andcharter

Inadequate IT coverage or technical skills

Lack of performance measures

What problems are commonly found?


53/56

Inappropriate CAE reportingrelationships

Out-of-date charters

Client perception of inadequate auditstaff knowledge

No formalized risk assessmentprocess

What problems are commonly found?


54/56

Best Practice Make sure you learn something from the QAR

process

Embrace the process as a way to move towardscontinuous improvement

Ask for suggestions to improve the IA department as awhole

Be open-minded


55/56

SummaryA Best Practice Internal Audit function

should be:

Risk focusedAligned with the business

A source of advise on governance, risk and controls

Adaptable to changeAble to provide coverage where needed

Have sufficient resources to be effective


56/56

Internal Audit Best PracticesQuestions?

Thank You

Nick DiMola

Quality Plus & Associates

[email protected]

internal audit best practices

Documents