The views expressed in this presentation do not necessarily reflect those of
the Federal Reserve Bank of New York or the Federal Reserve System
Internal / External Audit May 19, 2015
Presented By: Martin Hayes
AGENDA
• The Role of Internal Audit
• Effective Components of Internal Audit
• Areas Emphasized During Supervisory Reviews
• Additional Internal Audit Processes
• Role of External Audit
INTERNAL AUDIT RESPONSIBILITY
• Independent assessment of the effectiveness of controls, risk management, and governance processes
• Understanding/analysis of key businesses/risks
• Detailed review of controls based on sufficient transaction testing
• Inclusion of all legal entities and business lines in Audit coverage
KEY COMPONENTS OF EFFECTIVE INTERNAL AUDIT
• Effective Oversight by Audit Committee
• Independent and Competent Audit Group
• Ongoing Engagement with Senior Management
• Comprehensive Audit Universe
• Effective Risk Assessment Process
• Appropriate Audit Frequency
• Adequate Controls Identification and Testing
• Comprehensive Reporting
• Adequate Issue Tracking / Issue Follow-Up
• Timely Clearance of Audit Issues
• SR 13-1 Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing (www.federalreserve.gov / Banking Information & Regulation)
ROLE OF THE AUDIT COMMITTEE
• Provides oversight over the internal audit function
• On an annual basis the audit committee should approve:
  • Audit charter
  • Budget/staffing levels
  • Audit plan
• Should receive ongoing MIS regarding the audit function including:
  • Audit results
  • Audit plan status including changes
  • Audit issue information including aging of issues and root cause/thematic trends
  • Significant changes in audit processes
INDEPENDENCE
• Reporting Line:
  • Domestic: Audit Committee of the Board of Directors
  • US Branches and Agencies of Foreign Banks - Head Office Audit
• Administrative Reporting Lines to Senior Management, preferably the CEO
• No Operational Responsibility
  • Management is responsible for the internal control environment!
AUDIT STAFF COMPETENCY
• Adequacy of Resources
• Qualifications of Staff
• Appropriate Skill Level and Training
• Professional Development
• Opportunities for Transfer
• Career Path
SENIOR MANAGEMENT INTERACTION
• Discussions regarding Risk Assessment
• Audit Meetings with Senior Management
• Prompt Issue Resolution by Management
• Self-Identified Issues discussed with Audit
• Participation on Committees
• Non-Operational Special Projects
COMPREHENSIVE AUDIT UNIVERSE
• Establish auditable entities
  • E.g. identify all legal entities, departments, corporate functions, geographic locations, committees
• Wide variety of tools can be utilized, including:
  • General ledger
  • Cost Centers
  • Organizational Charts
  • Department Listings
  • New Product Approval Process
• Review at least once a year for changes
RISK ASSESSMENT
• Credit Risk
• Market & Interest Risk
• Liquidity Risk
• Operational Risk
• Information Technology
• Reputation Risk
• Legal & Compliance Risk
• Other Specific Entity Risks (systemic, strategic, etc.)
RISK ASSESSMENT (cont.)
• Changes in:
  • Transaction Values & Volumes
  • Quality and Turnover in Management and Staff
  • Products & Processes
  • Laws and Regulations
  • Organizational Structure
• Access to Physical Assets
• Systems/Technology Impact and Errors & Outages
• Last Audit Date
• Last Audit Rating
CONTINUOUS MONITORING
• Integral part of risk assessment and audit plan processes
• Facilitates changes in the audit universe
• Can drive changes in the audit plan
• Types of continuous monitoring
  • Meetings with management
  • Review of metrics and self-assessment results
  • Participation on Committees
ANNUAL AUDIT PLAN
• Should provide comprehensive coverage of all identified auditable entities
• Two approaches:
  • Multi-year plan
  • Dynamic plan with focus on most significant risks
• For the multi-year plan approach, typically firms utilize a 3 or 4 year plan with high risk areas being evaluated at least every 18 months
• For the dynamic plan approach, the firm must have robust risk assessment and continuous monitoring processes
• There also should be a mechanism whereby areas that have not been audited for an extended time are approved by the Audit Committee
AUDIT TESTING
• Full Scope Audits
• Target Audits
• Conversion/System Development Audits/Data Center and Application Reviews
• Non-Rated Audits
AUDIT TESTING (cont.)
• Workprograms
  • Detailed, customized to business relevant, and risk based audit programs
  • Completed as part of initial audit and updated/tailored for subsequent audits
  • Appropriate level of testing
  • Scope Exclusions
• Audit Work Papers
  • Proper documentation, referencing, and supervisory sign-off
  • Sampling methodology
  • Validation of Controls
  • Appropriate Narratives and Conclusions
  • Audit Trail for Findings/Report Issues
AUDIT REPORTS
• Executive Summary
• Scope & Objective
• Description of the Work Performed
• Audit Comments & Recommendations
• Analysis of Conditions
• Audit Ratings
• Management Responses
ATTRIBUTES OF AN AUDIT RESULT
• Condition – “What is”
• Criteria – “What should be”
• Cause – “Reason for the condition”
• Effect – “Impact/risk of the condition”
• Recommendation – “Suggested corrective action”
EXCEPTION FOLLOW-UP
• Tracking Process/System
• Target Dates for both tactical and strategic remediation
• Follow-Up Process/Timing
• Documentation for Issue Follow-Up
• Significant items cleared in a timely manner
• Escalation and Reporting Process for Open Issues
• Perform validation prior to issue closure with substantive testing for high risk issues
ENHANCED INTERNAL AUDIT PRACTICES
• Risk Analysis
• Thematic Control Issues
• Challenging the Adequacy of Controls
• Governance
• Infrastructure
• Business Strategy and Risk Tolerance
RISK ANALYSIS
Analysis of risks, including risk management functions, on a cross-business and cross-functional basis. This includes IA’s evaluation of the level of risks both in individual areas and on a cross-functional basis, and of the effectiveness of the risk management functions.
THEMATIC CONTROL ISSUES
Identification of themes across all audit areas and the impact on the institution's overall risks (e.g., reconciliations, information security, significant use of manual processes, etc.) and effectively communicating these issues to Senior Management and the Audit Committee
CHALLENGING THE ADEQUACY OF CONTROLS
The extent to which Internal Audit challenges management when audit believes that existing controls are inadequate or could be enhanced, including enforcing new controls prior to a business expanding.
GOVERNANCE
Internal audit should develop procedures to evaluate governance at all levels within the institutions including both at the senior management level and within all business lines.
INFRASTRUCTURE
Internal Audit’s role in notifying management of potential internal control issues if infrastructure is not sufficient (e.g., applications, MIS reporting, etc.)
BUSINESS STRATEGY AND RISK TOLERANCE
The role of audit in both understanding and pointing out to management the risks in the institution and ensuring that management is aware of the risk appetite that is being taken.
AUDIT’S ANALYSIS OF CONTROL ISSUES
When an adverse event occurs at the institution, internal audit should:
• Review the post-mortem analysis conducted by management to analyze the causes of the event
• Perform its own “post-mortem” analysis of internal audit coverage and determine whether additional audit coverage is needed in specific areas
ADDITIONAL AUDIT PROCESSES
• Outsourcing/Co-sourcing
• Internal/External Quality Assurance
• Emerging Best Practices
AUDIT OUTSOURCING/ CO-SOURCING
• The Performance of Internal Audit Activities by an External Party e.g., an External Audit Firm
• Co-sourcing, Contract to work with Internal Audit
• Important Issues/Concerns: Independence, Conflicts of Interest, Skill Level, Continuity of Staffing, Familiarity with the Organization, Responsibility for Compliance with Audit Department Standards/Processes/Review Process
• Internal Audit management is responsible for all audit activities performed by External Party
INTERNAL AND EXTERNAL QUALITY ASSURANCE (QA)
• Internal Assessments
  • Periodic reviews to assess consistency of audit work across groups
  • Internal Audit management should reach conclusions on whether changes to processes or additional training is needed
  • Results should be communicated to the Audit Committee at least annually
• External Assessments
  • IIA requires an external review by an outside firm once every 5 years
  • Focus on compliance with IIA’s definition of internal auditing, code of ethics, and standards
  • Review compliance with the internal audit charter and policies
  • Results reported to the Audit Committee
EMERGING BEST PRACTICES
Assessment rating of the Control Environment and Management Control Approach for business units and global functions reported to the Audit Committee (also on individual audit reports). Used as an input to management scorecards affecting compensation.
Enhanced accountability and MIS related to issue remediation (for “critical” past due issues, the issue owner must present explanation and mitigating actions to the Audit Committee).
Audits Quality Assurance incorporation of “Hot reviews” (involvement in live audits, providing challenge and coaching, from planning through the final audit report and file closure process).
Greater use of data analytics and “real time” automated testing.
ROLE OF EXTERNAL AUDIT
• Services provided - Financial Statement Audits, Internal Control Reviews, Consulting
• In the U.S., Rules for the profession will be stricter under Sarbanes/Oxley Law - Public Company Accounting Oversight Board
• Opine on the appropriateness of financial data, emphasis on analyzing both risk factors and the institution’s financial condition
• Legal requirements dictate the type of audit work performed
RULES FOR EXTERNAL AUDITORS
• Sarbanes-Oxley (Public Companies & Public Banking Organizations)
  • Lead and Concurring Partners rotate every 5 years (Section 206)
  • CPA firm cannot Audit a client for one year if a CEO, CFO, Controller or Chief Accounting Officer was employed by the Firm and participated in the Audit in any capacity (Section 206)
  • CPA Firm cannot provide audit and non-audit services (Section 201)
  • Bans certain consulting services performed by the same external auditor who performs the financial statement audit
QUESTIONS?