Internal Auditing 101

Presented By:

Sam Capuano - Manager of Internal Audit, Wolf & Co.

John Gallagher - Director of Internal Audit, SEFCU (NY)

Barry Lucas - Internal Auditor, Desco FCU (Ohio)

ACUIA Annual Conference June 2014

Introductions

What is Internal Audit?

Where Do I Start?

Who Should I Interact With?

What Do I Audit, and How?

What and How Do I Report?

With Whom Do I Meet and When?

What Resources are Available?

Definition

Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve operations.

Internal Audit helps the Credit Union accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Define the roles and responsibilities

Audit (Assurance Services)?

Compliance?

Fraud?

Risk Management?

Consulting?

Security?

Independent and Objective

Reporting Lines?

Authorities

Internal Audit’s purpose, authority and responsibility must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (STD 1000)

Charter Documents
- Supervisory Committee
- Internal Audit

Job Descriptions

Department Structure

Responsibilities and Authority?

Who does Audit interact with?

Board of Directors

Supervisory Committee

Management

Staff

Examiners

External Auditors

Audit Universe

The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, products, services, subsidiaries, third party vendors, and processes) that are considered “auditable” by internal audit.

Risk Assessment

Internal Audit’s audit plan must be based on a documented risk assessment, undertaken at least annually [STD 2010.A1]

Internal Audit Plan

Internal Audit must establish risk-based plans to determine Internal Audit’s priorities, consistent with the Credit Union’s goals. [STD 2010]

Internal Audit Plan

Internal Audit must develop and document a plan for each audit including the audit’s objectives, scope, timing and resource allocations [STD 2200]

Audit Scheduling

◦ Disruptions

◦ Employee Investigations (Fraud)

◦ New CU Products, Services, Departments

◦ Staff Training and Development

◦ Staff Turnover

◦ Management and/or Committee Projects

◦ External Audits and Examinations

Audit Work

◦ Stated Objective

◦ Scope of Work

◦ Sampling

Audit Program

◦ Written Procedures (what, when, how…)

◦ Internal Control Questionnaires (ICQs)

◦ Documentation Requirements

Audit Cycle

Audit Notification
◦ Notification of intent to audit
◦ Preliminary scheduling discussions and document requests
◦ Establishing key area contacts

Preliminary Audit Survey
◦ Conducting a risk assessment
◦ Developing an audit program

Fieldwork Entrance Conference
◦ Sharing the audit program
◦ Coordinating the execution of fieldwork

Fieldwork Detailed Appraisal
◦ Analytical Reviews
◦ Interviews
◦ Detailed testing
◦ Finding/Comment Updates

Ending Fieldwork
◦ Share preliminary results with area management

Reporting
◦ Drafting Report
◦ Obtaining management action plans
◦ Exit meeting

Finalizing Report
◦ Management Response
◦ Report Distribution to Supervisory Committee

Follow-up
◦ Audit Satisfaction Survey
◦ Monitor completion of action plans
◦ Reporting to Supervisory Committee

Audit Workpapers

Audit workpapers are the documents which record all audit evidence obtained during financial statements auditing, internal management auditing, information systems auditing, and investigations. Audit working papers are used to support the audit work done in order to provide assurance that the audit was performed in accordance with the relevant auditing standards.

Paper vs. Electronic?

Numbering

Review Notes

Sign-off

Retention

Access

The who, what, when, and how?

Internal Auditors must communicate the results of the audit. [STD 2400]

Who?

Board

Supervisory Committee

Executive Management

Department Management

What?

Area Overview?

Scope of Work?

Audit Rating?

Audit Findings?

Risk and Control Deficiencies?

Operational Inefficiencies?

Cost Reduction Opportunities?

Compliance Infractions

Recommendations?

Comments for Discussion?

When?

To Management?

Prior to Exit – Draft

Subsequent to Exit – Final

To Supervisory Committee?

Subsequent to Receipt of Management Response

To Board of Directors?

Subsequent to Committee Acceptance and/or Approval

How?

In-person Discussion

Formal Presentations

Written Reports

Synopsis

Executive Summary

Full Report

Frequency?

Attendees?

Agenda?

Food? (just kidding, but important!)

Enterprise Risk Management (ERM)

◦ COSO Model

◦ NCUA Supervisory Letter No. 13-12 (issued Nov. 2013)

Internal Controls

◦ Structuring audit plans and programs

◦ Types of Internal Controls

◦ Assessment

Types of Internal Controls

◦ Preventative
  - Segregation of Duties
  - Approvals
  - Security of Assets

◦ Detective
  - Monitoring
  - Reconciliations
  - Audits
  - Physical Inventories

Control Self Assessments - similar to ICQs

Example: General Controls

Are there written rules, guidelines, policies, and/or procedures for all transactions and critical activities in this department?

Does the department have copies of all current policies and procedures manuals?

Do personnel have the knowledge and skills required for their jobs?

Are month end financial reports reviewed and verified for accuracy on a monthly basis?

Are month end financial reports reconciled to departmental supporting documents on a monthly basis?

Is a member of management reviewing and approving the reconciliation in a timely manner?

Does your department maintain a key and/or door access control log? This log should list all keys or access codes owned/issued by the department, to whom they are issued, locks each key will open, and key numbers.

Does your department have an operating plan that states goals to be accomplished and a timeline for completion of tasks?

Are department goals and tasks prioritized according to importance?

Has management established operating or work standards that can be used to measure department performance (i.e. metrics, KPIs)?

Technology

Paperless auditing

Internet Tools

Analytics (queries, access databases, “big data”, etc.)

Other Resources (beyond ACUIA)

◦ NCUA

◦ IIA

◦ AICPA

◦ NAFCU

◦ CUNA

◦ NACUSAC

◦ External Audit Firms

Certifications

◦ CIA

◦ CPA

◦ CFSA

◦ CRP

◦ CISA

◦ CCSA

◦ CRCMP

Etc.

ACUIA!!!!

◦ Conferences

◦ Webinars

◦ Website

◦ The Audit Report Magazine

◦ Forum

◦ Networking, Networking, Networking!!

The End !!!!
