Internal Auditing 101
Presented By:
Sam Capuano - Manager of Internal Audit, Wolf & Co.
John Gallagher - Director of Internal Audit, SEFCU (NY)
Barry Lucas - Internal Auditor, Desco FCU (Ohio)
ACUIA Annual Conference June 2014
Introductions
What is Internal Audit?
Where Do I Start?
Who Should I Interact With?
What Do I Audit, and How?
What and How Do I Report?
With Whom Do I Meet and When?
What Resources are Available?
Sam Capuano - Manager of Internal Audit, Wolf & Co.
John Gallagher - Director of Internal Audit, SEFCU (New York)
Barry Lucas - Internal Auditor, Desco FCU (Ohio)
Definition
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve operations.
Internal Audit helps the Credit Union accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Define the roles and responsibilities
Audit (Assurance Services)?
Compliance?
Fraud?
Risk Management?
Consulting?
Security?
Independent and Objective
Reporting Lines?
Authorities
Internal Audit’s purpose, authority and responsibility must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (STD 1000).
Charter Documents
- Supervisory Committee
- Internal Audit
Job Descriptions
Department Structure
Responsibilities and Authority?
Who does Audit interact with?
Board of Directors
Supervisory Committee
Management
Staff
Examiners
External Auditors
Audit Universe
The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, products, services, subsidiaries, third party vendors, and processes) that are considered “auditable” by internal audit.
Risk Assessment
Internal Audit’s audit plan must be based on a documented risk assessment, undertaken at least annually [STD 2010.A1]
Internal Audit Plan
Internal Audit must establish risk-based plans to determine Internal Audit’s priorities, consistent with the Credit Union’s goals. [STD 2010]
Internal Audit Plan
Internal Audit must develop and document a plan for each audit including the audit’s objectives, scope, timing and resource allocations [STD 2200]
Audit Scheduling
◦ Disruptions
◦ Employee Investigations (Fraud)
◦ New CU Products, Services, Departments
◦ Staff Training and Development
◦ Staff Turnover
◦ Management and/or Committee Projects
◦ External Audits and Examinations
Audit Work
◦ Stated Objective
◦ Scope of Work
◦ Sampling
Audit Program
◦ Written Procedures (what, when, how…)
◦ Internal Control Questionnaires (ICQs)
◦ Documentation Requirements
Audit Cycle
Audit Notification
◦ Notification of intent to audit
◦ Preliminary scheduling discussions and document requests
◦ Establishing key area contacts
Preliminary Audit Survey
◦ Conducting a risk assessment
◦ Developing an audit program
Fieldwork Entrance Conference
◦ Sharing the audit program
◦ Coordinating the execution of fieldwork
Fieldwork Detailed Appraisal
◦ Analytical Reviews
◦ Interviews
◦ Detailed testing
◦ Finding/Comment Updates
Ending Fieldwork
◦ Share preliminary results with area management
Reporting
◦ Drafting Report
◦ Obtaining management action plans
◦ Exit meeting
Finalizing Report
◦ Management Response
◦ Report Distribution to Supervisory Committee
Follow-up
◦ Audit Satisfaction Survey
◦ Monitor completion of action plans
◦ Reporting to Supervisory Committee
Audit Workpapers
Audit workpapers are the documents which record all audit evidence obtained during financial statements auditing, internal management auditing, information systems auditing, and investigations. Audit working papers are used to support the audit work done in order to provide assurance that the audit was performed in accordance with the relevant auditing standards.
Paper vs. Electronic?
Numbering
Review Notes
Sign-off
Retention
Access
The who, what, when, and how?
Internal Auditors must communicate the results of the audit. [STD 2400]
Who?
Board
Supervisory Committee
Executive Management
Department Management
What?
Area Overview?
Scope of Work?
Audit Rating?
Audit Findings?
Risk and Control Deficiencies?
Operational Inefficiencies?
Cost Reduction Opportunities?
Compliance Infractions
Recommendations?
Comments for Discussion?
When?
To Management?
Prior to Exit – Draft
Subsequent to Exit – Final
To Supervisory Committee?
Subsequent to Receipt of Management Response
To Board of Directors?
Subsequent to Committee Acceptance and/or Approval
How?
In-person Discussion
Formal Presentations
Written Reports
Synopsis
Executive Summary
Full Report
Frequency?
Attendees?
Agenda?
Food? (just kidding, but important!)
Enterprise Risk Management (ERM)
◦ COSO Model
◦ NCUA Supervisory Letter No. 13-12 (issued Nov. 2013)
Internal Controls
◦ Structuring audit plans and programs
◦ Types of Internal Controls
◦ Assessment
Types of Internal Controls
◦ Preventative
Segregation of Duties
Approvals
Security of Assets
◦ Detective
Monitoring
Reconciliations
Audits
Physical Inventories
Control Self Assessments - similar to ICQs
Example: General Controls
Are there written rules, guidelines, policies, and/or procedures for all transactions and critical activities in this department?
Does the department have copies of all current policies and procedures manuals?
Do personnel have the knowledge and skills required for their jobs?
Are month end financial reports reviewed and verified for accuracy on a monthly basis?
Are month end financial reports reconciled to departmental supporting documents on a monthly basis?
Is a member of management reviewing and approving the reconciliation in a timely manner?
Does your department maintain a key and/or door access control log? This log should list all keys or access codes owned/issued by the department, to whom they are issued, locks each key will open, and key numbers.
Does your department have an operating plan that states goals to be accomplished and a timeline for completion of tasks?
Are department goals and tasks prioritized according to importance?
Has management established operating or work standards that can be used to measure department performance (i.e. metrics, KPIs)?
Technology
Paperless auditing
Internet Tools
Analytics (queries, access databases, “big data”, etc.)
Other Resources (beyond ACUIA)
◦ NCUA
◦ IIA
◦ AICPA
◦ NAFCU
◦ CUNA
◦ NACUSAC
◦ External Audit Firms
Certifications
◦ CIA
◦ CPA
◦ CFSA
◦ CRP
◦ CISA
◦ CCSA
◦ CRCMP
Etc.
ACUIA!!!!
◦ Conferences
◦ Webinars
◦ Website
◦ The Audit Report Magazine
◦ Forum
◦ Networking, Networking, Networking!!
The End !!!!