EUROSAI and ECIIA Cooperation Committee Internal Audit topics

Post on 01-Jul-2018

Index

1. The Three Lines of Defence Model

2. Internal Audit Role

3. IIA International Certifications

4. Audit Committees

5. Questions & Suggestions

THE THREE LINES OF DEFENCE MODEL

Introduction

Recent papers have been developed between ECIIA and Ferma (1), regarding guidance for proper implementation of art. 41 of the 8th European Company Law Directive, in particular paragraph 2b:

“…the audit committee shall, inter alia: monitor the effectiveness of the company’s internal control, internal audit where applicable (2), and risk management systems…”

The ECIIA intends to provide useful guidance to help reinforce the Audit Committee’s oversight capabilities, with particular regard to global assurance measures and internal audit, essential for governing bodies and stakeholders in general.

Based on the above, appropriate Audit Committee oversight must rely on an appropriate, comprehensive structure that incorporates all elements of corporate governance, risk and control.

(1) European Federation of Risk Manager Associations.
(2) Almost 70% of corporate governance codes of the EU member states recognise that Internal Audit is an essential part of the corporate governance framework.

A single defined governance framework for global risk management and assurance

By promoting a single defined framework for the risk management and internal control system, oversight and assurance measures work from a proper foundation.

The risk management and internal control system should be evaluated in a comprehensive manner by all those involved in the assurance process.

This complete and cross-functional approach to evaluating risks constitutes a key element of the governance processes and must:

• Guarantee full coverage of significant risks of the organisation
• Adopt approaches to identifying risks on a global basis
• Ensure that these risks are clearly correlated to the entity’s objectives
• Promote a proper and proportionate allocation of resources to the control functions dedicated to monitoring the risks based on their assessed importance.

In this context, and as shown below, Audit Committees should obtain a complete and balanced understanding of the assurance role provided by Internal Audit over information processes which do not pertain strictly to financial reporting and also ensure proper distinction of the financial auditing by statutory auditors and internal auditing of all other control objectives.

The adoption of a global, systematic risk management process, such as the Enterprise Risk Management framework, is intended to guarantee a structured approach for the identification and measurement of effective levels of risk in all areas of the organisation, from strategic risk to those emerging in operational, financial and legal areas.

Global risk management and assurance

[Figure labels: Statutory Audit (Financial); Internal Audit; Assurance]

The Internal Audit function performs a wide scope of examination of processes which provide assurance to the Audit Committee and Board of the reliability of internal communication and information.

This information forms the basis for strategic and operational decisions of management at all levels up to the Board. Assurance includes:

• Operational performance reporting
• Risk reporting
• IT Processes
• Budgetary management reporting
• Accounting processes interrelated to Operations

The External Auditor performs certain limited procedures to assess the internal control environment and financial reporting process for examination of the Financial Statements.

The ECIIA endorses the adoption by Boards or other governing bodies of the Three Lines of Defence model in order to ensure clarity of roles and responsibilities in organisational governance.

This model, as shown below, is in fact a valid conceptual delineation of control levels:

The Three Lines of Defence Model for global assurance

• First Line of Defence: Line Controls
• Second Line of Defence: Monitoring Controls
• Third Line of Defence: Independent Assurance

Ensuring the adequacy of the Internal Audit Function

The positive value of Internal Audit depends on its own quality structure and performance. The following are key success factors for the internal audit function:

Definition of Internal Audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Code of Ethics

Internal auditors are expected to apply and uphold the following principles:

- Integrity
- Objectivity
- Competency
- Confidentiality

International Standards for the Professional Practice of Internal Auditing

The management of the Internal Audit function in accordance with IIA Standards:

- Attribute Standards
- Performance Standards
- Implementation Standards

Quality Review

The implementation and results of the quality assurance review process required by the International Standards (IPPF), including the external assessment every five years by qualified assessors.

Certifications support the quality of services provided by Internal Audit

International Standards for the Professional Practice of Internal Auditing

• Implementation Standards: Aimed to expand upon the attribute and performance standards, by providing the requirements applicable to assurance and consulting activities.

• Attribute Standards: Address the attributes of organizations and individuals performing internal auditing.

  - 1000 – Purpose, Authority and Responsibility: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.
  - 1100 – Independence and Objectivity: The internal audit activity must be independent, and internal auditors must be objective in performing their work.
  - 1200 – Proficiency and Due Professional Care: Engagements must be performed with proficiency and due professional care.
  - 1300 – Quality Assurance and Improvement Program: The Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

• Performance Standards: Describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.

  - 2000 – Managing the internal audit activity: The Chief Audit Executive must effectively manage the internal audit activity to ensure it adds value to the organization.
  - 2100 – Nature of Work: The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
  - 2200 – Engagement Planning: Internal auditors must develop and document a plan for each engagement, including its objectives, scope, timing and resource allocation.
  - 2300 – Performing the engagement: Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.
  - 2400 – Communicating results: Internal auditors must communicate the results of the engagements.
  - 2500 – Monitoring Progress: The Chief Audit Executive must establish and maintain a system to monitor the disposition of results communicated to management.

INTERNAL AUDIT ROLE

Internal Audit: definition

The definition of Internal Auditing states that the role is more important than compliance alone. The Chartered Institute of Internal Auditors defines the role as:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

Internal Audit Basics

What does Internal Audit do?

• Assess the adequacy of risk management

• Provide independent assurance to senior management and the board

• Evaluate overall compliance with laws and regulations

• Promote an ethical culture

Why is Internal Audit important? Because the internal audit function reports to the board of directors, it is uniquely positioned to provide independent assurance that:

• Internal controls are in place and are adequate to mitigate risks

• Governance and risk-management processes are efficient and effective

• Organizational goals and strategic objectives are being met

Main sources for creating the Internal Audit Plan

[Figure labels: Risks Assessment; Internal Audit Unit; Company Strategy; External Inputs; Legal Requirements; Top Management; Audit Committee; Audit Plan; Resources; Inputs]

Trends in Internal Audit

Regulation

• Increasingly profound changes and requirements in the regulatory framework are having a direct impact on Internal Audit, considered as a key function. Internal Audit is a key function for the Supervisor.
• The profession is increasingly seen by regulators, supervisors and investors as a key player in protecting an organization's value.
• Supervisors need to rely on the organization's internal audit function.

Risk, statutory responsibilities and corporate governance recommendations

• Risk assessment to prioritize internal audit assignments.
• Monitoring new risks that are emerging.
• Continuous audits as part of the risk assessment process.
• More emphasis on process reviews, management information and corporate governance.

Top management and Company Strategic Plan requirements

• Aligned with the organization's strategy, producing more relevant and impactful audit reports. Strategic alliance with the second line of defense.
• Monitor more closely the projects, businesses and special operations that make up the reality of the organization.

IIA INTERNATIONAL CERTIFICATIONS

CERTIFICATIONS

IIA Global Certifications and Qualifications

The Certified Internal Auditor® (CIA®)

The CIA designation is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field.

Since 1973

Requirements

FIRST

- Education. CIA candidates must hold a 3- or 4-year post-secondary degree (or higher)
- Work Experience. Minimum of 24 months of internal auditing experience or its equivalent
- Character Reference. The candidate's supervisor
- Proof of Identification. Official passport or national identity card

Requirements

AFTER

- Code of Ethics
- CPE. Continuing Professional Education

  A CIA who is performing internal auditing functions must complete a total of 40 hours of acceptable CPE every year

  - Education
  - Publications
  - Translations
  - Oral Presentations
  - External Quality Assessments

- IIA Membership

EXAM

Part 1 – Internal Audit Basics (125 questions | 2.5 Hours)

- mandatory guidance from the IPPF
- internal control and risk concepts
- tools and techniques for conducting internal audit engagements

Part 2 – Internal Audit Practice (100 questions | 2.0 Hours)

- managing the internal audit function via the strategic and operational role of internal audit and establishing a risk-based plan
- the steps to manage individual engagements
- fraud risks and controls

Part 3 – Internal Audit Knowledge Elements (100 questions | 2.0 Hours)

- governance and business ethics
- risk management
- management and leadership principles
- information technology and business continuity
- financial management

Part 1 – Internal Audit Basics

According to IIA guidance, independence of the internal audit activity is achieved through which of the following?

a. Staffing and supervision

b. Continuing professional development and due professional care

c. Human relations and communications

d. Organizational status and objectivity

Part 2 – Internal Audit Practice

Which of the following statements are true regarding audit workpaper documentation for a fraud investigation?

1. All incriminating evidence should be included in the workpapers.

2. All important testimonial evidence should be reviewed to ensure that it provides sufficient basis for the conclusions reached.

3. If interviews are held with a suspected perpetrator, written transcripts or statements should be included in the workpapers.

a. 1 and 2 only

b. 1 and 3 only

c. 2 and 3 only

d. 1, 2 and 3

Part 3 – Internal Audit Knowledge Elements

Franchising and horizontal mergers are commonly used strategies in which of the following industry environments?

a. Emerging industries

b. Declining industries

c. Fragmented industries

d. Mature industries

Courses

Student Books (Gleim, PreparaCia)

Computer simulation. Mock testing

Computer-based Testing

The CIA exam is available through computer-based testing, allowing you to test year-round at more than 500 locations worldwide

The CIA exam is offered in the following languages: Arabic, Chinese (simplified), Chinese (unsimplified), English, French, German, Hebrew, Indonesian, Italian, Japanese, Korean, Polish, Portuguese, Russian, Spanish, Turkish, and Thai (available only in Thailand)

Certified Government Auditing Professional (CGAP)

This certification program is designed especially for auditors working in the public sector at all levels — federal/national, state/provincial, local, quasi-governmental, or crown authority — and is an excellent professional credential that prepares you for the many challenges you face in this demanding arena

Since 1973

Requirements

The same as for the CIA, except for the CPE: a CGAP who is practicing government auditing must complete a total of 20 hours of acceptable CPE every year

EXAM

- Domain I: Standards, Governance, and Risk/Control Frameworks (10-20%)
- Domain II: Government Auditing Practice (35-45%)
- Domain III: Government Auditing Skills and Techniques (20-25%)
- Domain IV: Government Auditing Environment (20-25%)

EXAM

Domain I: Standards, Governance, and Risk/Control Frameworks (10-20%)

A. Standards
  • Role of a comprehensive set of auditing/evaluation standards
  • Application of appropriate standards in all assignments
  • Role and impact of other auditing standards (standards of public accounting bodies, quality assurance bodies, etc.) and their relationship with the above standards

B. Governance
  • Governance in the public sector (e.g., audit committee, code of conduct, open government)
  • Role of audit within the governance structure

C. Risk/Control Frameworks (e.g., COSO, CoCo)
  • Role of frameworks
  • Elements of a risk/control framework
  • Application of frameworks

D. IIA Code of Ethics

Computer-based Testing

The CIA exam is available through computer-based testing, allowing you to test year-round at more than 500 locations worldwide

The CGAP exam is offered in the following languages: Chinese (unsimplified), English, Estonian, Polish, Spanish, and Turkish

Certified EUROPEAN Public Sector Auditor (CEPSA)

Certification program is designed especially for:

• EU-governed professional credential for public sector auditors in EU
• Internal auditors in public entities and auditors at SAIs
• Also recommendable for financial auditors

Promoted by PIC. Public Internal Control from EU

                                                        Member     Non-member
Application Fee (Per Program)                           US $100    US $200
CIA® Exam Part Fee, Part 1 only                         US $250    US $350
CIA® Exam Part Fee, Part 2 only                         US $200    US $300
CIA® Exam Part Fee, Part 3 only                         US $200    US $300
Specialty Exam Part Fee (CGAP®, CFSA®, CCSA®, CRMA®)    US $350    US $450

https://na.theiia.org/certification/Pages/Certification.aspx

https://i7lp.integral7.com/durango/do/login?ownername=iia&channel=iia&basechannel=integral7

AUDIT COMMITTEES

Audit Committees

• In the UK, listed company boards are required to establish an audit committee of at least three, or in the case of small companies two, independent non-executive directors [UK Corporate Governance Code]

• All UK ministries are similarly required to have Audit Committees

• The National Audit Office regards effective Audit Committees as key to helping public organisations achieve good corporate governance

Why have an Audit and Risk Committee?

• Inspires trust and confidence in how public organisations are managed

• Helps organisations succeed by providing oversight of governance, risk management and internal control

• Promotes effective audit activity

• Provides independent challenges to the executive to explain how they are delivering their objectives and managing their risks

Role of Audit and Risk Committee in UK

• Independent oversight, challenge and advice:

  - Values and ethics
  - Strategic processes for risk, control and governance
  - Accounting policies / accounts / organisation’s annual report
  - Planned activity and results of both internal and external audit
  - Adequacy of management response to issues identified by audit activity
  - Assurances on the management of risk and corporate governance
  - Anti-fraud policies and whistle-blowing processes

[NB Decision-making rests with management]

How should ARCs be organised?

• Membership should be solely non-executives

• Executives invited to attend to provide information, explanations and take part in discussions

• Attended by both Internal and External Audit

• Terms of Reference approved by the Board

Principles for ARC effectiveness

• Fully supported by executive Board

• Independent and objective

• Equipped with the right skills

• Scope should encompass comprehensiveness and reliability of assurances on governance, risk management and controls

• Effective communication

QUESTIONS & SUGGESTIONS

Thanks very much for your attendance