optimizing the internal audit function - american gas … · · 2016-09-141300 –quality...
TRANSCRIPT
Audit Quality: Optimizing the
Internal Audit Function
Joyce Vassiliou, CIA, CRMA, CCSA
Vice President of Governance
The Institute of Internal Auditors, Inc.
EEI Utility
Internal Auditing Conference
August 22 – 24, 2016
Loews Hotel
Atlanta, Georgia
About the IIA
We are the internal audit profession’s most widely recognized
- Advocate
- Educator
- Provider of:
- Standards
- Guidance
- Certifications
Expectations of Internal Audit
Sustainable
Add value
3rd Line of
Defense
Part of control
environment
Continuously
improve
Independent
Objective
Identify Risks
Evaluate controlsA respected
advisor
Insightful
Qualified
Good communicator
Understand
the business
Align with company strategy
Think outside the box
Exceed
expectations
Proactive Future
focused
Competent
Effective and
Efficient
Promotes positive
change
Agenda
• Overview of Content
• Optimization: Linking Risks & Audit
Coverage
• Measuring Effectiveness: Quality and
Improvement Program
• Communicating Results: Know Your
Stakeholders
Surveys & Demographics
Pulse of Internal Audit370 completed Surveys
• October 2014
• 7th consecutive year
• 63% Public/Private
companies
• 84% CAEs and Directors
(311 responses)
• 92% internal audit managers
or above
311 Responses From CAEs and
Directors
CBOK12,570 completed the survey
• Q1 2015
• Conducted every five years
• 32% CAEs and Directors/Sr. Managers (4,043 responses)
• 28% North American participants
• 878 CAEs and Directors/Sr. Managers from North America
878 Responses From CAEs and Directors/Sr. Managers in North America
Sources: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center conducted in
collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research
Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise
disseminated without explicit permission from The IIA.
Key Themes: Pulse of Internal Audit
• Assessing Emerging and Evolving Risks is a Key Priority
• Linking Risks and Audit Coverage Remains an Enduring Challenge
• The Profession is Facing a New Talent Shortage
• Emphasis on Quality Assurance is Lagging ←
Common Body of Knowledge (CBOK)
Visit www.theiia.org/CBOK to learn about the free resources
made available through CBOK.
Linking Risks and Audit Coverage:The Paradox of “Structural Expectations”
• Stakeholders often expect base level of
coverage:
• Financial risks
• Regulatory risks
• Compliance risks
• Once base is addressed:
• Operating risks
• IT risks
• Only then, is there interest in strategic and
business risks
• The paradox:
• Base level coverage often provides
the lowest perceived value
Source: The CBOK 2015 Global Internal Audit Practitioner survey: : ©
2015 The IIA Research Foundation
Where are you spending your time?
Source: CBOK 2015 Global Internal Audit Practitioner Survey, Q49: What percentage of your audit
plan is made up of the following categories? North American utilities, CAEs only. n= 25.
24%
12%
12%
11%
10%
10%
7%
5%
3%
2%
2%
2%
1%
0% 5% 10% 15% 20% 25%
Operational
Information technology (IT)
Sarbanes-Oxley testing or support
Strategic business risks
Risk management assurance/effectiveness
Compliance/regulatory
General financial
Corporate governance
Third-party relationships
Fraud not covered in other audits
Cost/expense reduction or containment
Other (in particular, requests, training, etc.)
Crisis management
North American Utilities, 2015
Comparison: Utility Industry vs Global
8%
24%
29%
Utilities
Source: The CBOK 2015 Global Internal Audit Practitioner survey: : ©
2015 The IIA Research Foundation
Linking Risks and Audit Coverage
Conceptually: In Practice:
Risk Resources
Audit Coverage Audit Coverage
Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center.
Optimizing “TIPS”
• Develop an audit plan based on the “real risks”
• Identify areas in where resources and expertise gaps exist
• Formulate strategies for addressing gaps
• Have candid conversations with management and the audit committee regarding:
• Resource shortfalls
• Expertise gaps
• Risks that may fall victim
• A plan of action
• Develop a long-term strategy for addressing gaps
• Don’t let the “tail wag the dog”
“Disclosing the
gaps in risk
coverage and
discussing the
resources needed
to address the gaps
is essential.”
- Joe Steakley, CAE
of HCA
What is effective?
• Merriam-Webster: producing a result that
is wanted: having an intended effect of a
law, rule, etc.: in use
• The measure should correspond to the
desired outcome
Measure Effectiveness?
• What are some desired outcomes of your
stakeholders as related to internal audit?
• What are your desired outcomes as the
leader of internal audit?
• What methods/tools are you using?
Purpose of a QAIP
• Alignment with company strategy and
enterprise risk management
• Adherence to Audit Committee
requirements
• Promote on-going quality improvement of
internal audit
• Ensure compliance with IIA Standards*
Four Pillars of Internal Audit Quality
IA Governance(1000, 1100, 1300)
Code of Ethics &
The Definition of
Internal Audit
IA Staff (1200)
IA Management (2000, 2100,
2600 & 2450) IA Process (2200, 2300,
2400 & 2500)
Conformance with the Standards?
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1130 – Impairment to Independence or Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Communicating the Acceptance of Risks
North America Manufacturing North America Global Average
Source: The CBOK 2015 Global Internal Audit Practitioner survey: : ©
2015 The IIA Research Foundation
Yet – Emphasis on Formal Quality
Assurance/Improvement is Lagging
Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body
of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part
of this data may be copied, reproduced or otherwise disseminated without explicit permission from
The IIA. Note: 1.3% indicated “other” as a response to this question.
Where are you in your QAIP?
31%
44%
20%
4%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
Nonexistent or ad hoc
In the process of development
Well defined, including external qualityreview
Well defined, including external qualityreview and a formal link to continuous
improvement and staff training activities
Source: The CBOK 2015 Global Internal Audit Practitioner survey: : ©
2015 The IIA Research Foundation
Measuring Effectiveness: Audit
Processes
Analyze Your Audit Plan, consider:
• Percentage tied to the Risk Assessment
• Percentage tied to Strategic Initiatives
• Percentage of “ad hoc” management requests
Follow up of management’s action plan:
• Is it timely?
• Is it effective?
• Does it address the risk?
Measuring Effectiveness: People
COMPETENCY SKILL SET
1 Analytical/Critical Thinking
2 Communication Skills
3 Data Mining and Analytics
4 Industry-specific Knowledge
5 IT (general)
6 Business Acumen
7 Accounting
8 Risk Management Assurance
Measuring Effectiveness: Technology
• Automated work papers
• Data Analytics/Data Mining
• Computer Automated Assisted Techniques
(CAATs)
Communicate, Communicate,
Communicate
There is not a “One Size Fits All”
There are certain required communication –
as stated in the Standards
Internal Audit’s activity’s plans and resources
requirements
Results of engagements
Communicating the Acceptance of Risks
Content and Techniques
• Engagement Level
– Basics: Executive Summary, Scope, Risks,
Observations, Recommendations
– Beyond basics: Risk ratings (inherent,
residual)
• Internal Audit Management level
– Basics: Audit plan, resource needs
– Beyond basics: Pervasive risk concerns, risks
not covered in plan
Other Examples
• What are you communicating beyond the
basics?
• How are you communicating/frequency?
Effective Communication Traits
• Align communication with stakeholders
need / want to know
• Keep it simple
• Find the format that resonates with the
culture and stakeholders (collectively)
• Build trust
• Listen to all the cues
Going Beyond the Required
Communication – Moving up the ladder
• Analytics – are you sharing this data and assisting the organization?
• IA Team – are you a supplier of talent to the organization?
• Are you asked to be part of an initiative – i.e. to sit on a Steering Committee?
• Is Management’s requests for audits and special reviews increasing?
Successful Practices for IA
• Strategic: Strategic internal audit plan
• Talent: Build, acquire or recruit right talent to meet needs of organization.
• Trends: Report pervasive trends across audit reports.
• Combined Assurance: Coordination with other assurance groups within organization and demonstrate how IA results impact overall risk profile
Questions?
The Institute of Internal Auditors
Joyce Vassiliou, CIA, CRMA, CCSA
Vice President, Goverance
Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body
of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part
of this data may be copied, reproduced or otherwise disseminated without explicit permission from
The IIA. Note: 1.3% indicated “other” as a response to this question.