Best Practices on Internal Auditing_2.pdf

Embed Size (px)

Citation preview

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    1/79

    INTERNAL AUDITING:

    WHAT'S THE LATEST?

    Lilian S. Linsangan, CPA, CIA, CCSA, CFE

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    2/79

    Internal Auditing - Evolution

    What precipitated it?

    Globalization ofBusiness

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    3/79

    Internal Auditing - Evolution

    Growing Complexity of Business

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    4/79

    Internal Auditing

    Evolution

    Manual Computerized

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    5/79

    Internal Auditing

    Evolution

    Internal Police/

    Adversary

    Valued Advisor

    Partner

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    6/79

    Internal Auditing

    Definition

    Internal Auditing is an independent, objective

    assurance and consulting activity designed to add

    value and improve an organization's operations. Ithelps an organization accomplish its objectives by

    bringing a systematic, disciplined approach to

    evaluate and improve the effectiveness of risk

    management, control and governance processes

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    7/79

    Internal Auditing

    Definition

    Internal Auditing is an independent, objective

    assurance and consulting activitydesigned to add value and improve an organization's

    operations. It helps an organization accomplish its

    objectives by bringing a systematic, disciplined

    approach to evaluate and improve the effectiveness of

    risk management, control and governance processes

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    8/79

    Internal Auditing

    Nature of Activity

    Objective

    ASSURANCE

    * an objective examination ofevidence for the purpose ofproviding an independentassessment of governance, riskmanagement, and controlprocesses

    CONSULTING

    * Objective advisory,facilitative, and trainingactivities, the nature and scopeof which are agreed to with thecustomer, intended to improvegovernance, risk management,

    and control processes.

    Paul J. Sobel, Blended Engagements

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    9/79

    Internal Auditing

    Assurance vs Consulting

    ASSURANCE

    * To provide anindependent assessmentbased on examination ofevidence

    CONSULTING* To provide andindependent advice,facilitation, or trainingservices at the request ofthe customer

    ASSURANCE

    * Internal auditfunction determinesthe nature and scopeof the engagement

    CONSULTING* The customer andthe IA function agreeon the nature andscope of theengagement

    ASSURANCE

    * The processowner, the IAfunction, the usersof the assessment

    CONSULTING* The customerand the IA function

    Primary aim of

    the engagement

    Who

    determines

    the nature

    and scope

    Parties

    involved

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    10/79

    Internal Auditing

    Assurance vs Consulting

    The challenge

    is . . . . . strikinga balance and

    making a

    paradigm shift.

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    11/79

    Internal Auditing

    Definition

    Internal Auditing is an independent, objective assurance

    and consulting activity designed to add value and

    improve an organization's operations. It helps an

    organization accomplish its objectives by bringing a

    systematic, disciplined approach to evaluate and

    improve the effectiveness of risk management,

    control and governance processes

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    12/79

    Internal Auditing

    Coverage

    Internal

    Audit

    Assurance

    Governance

    RiskManagement

    Consulting Controls

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    13/79

    Internal Auditing on Governance

    Assess & make recommendations for improving thegovernance process in its accomplishments of thefollowing objectives (IIA-PS 2110)

    Promoting appropriate ethics and values within the

    organization Ensuring effective organizational performance management

    and accountability

    Communicating risk and control information to appropriateareas of the organization

    Coordinating the activities of and communicatinginformation among the board, external and internalauditors, and management

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    14/79

    Internal Auditing on Governance

    Evaluate the design, implementation and

    effectiveness of the organization's ethics-related

    objectives, programs and activities (2110.A1)

    Assess whether the information technologygovernance of the organization supports the

    organization's strategies and objectives (2110.A2)

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    15/79

    Internal Auditing on Risk Management

    Evaluate the effectiveness and contribute to theimprovement of risk management processes (2120)Interpretation):

    Organizational objectives support and are aligned with the

    organization's mission Significant risks are identified and assessed

    Appropriate risk responses are selected that align risk withthe organization's risk appetite

    Relevant risk information is captured and communicated in a

    timely manner across the organization, enabling staff,management and the board to carry out their responsibilities

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    16/79

    Internal Auditing on Risk Management

    Evaluate risk exposures relating to the

    organization's governance, operations, and

    information systems regarding the (2120.A1):

    Reliability and integrity of financial and operational

    information

    Effectiveness and efficiency of operations and

    programs

    Safeguarding of assets

    Compliance with laws, regulations, policies, procedures

    and contracts

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    17/79

    Internal Auditing on Risk Management

    Evaluate the potential for the occurrence of fraud

    and how the organization manages fraud risk(2120.A2)

    Address risk consistent with the engagement's

    objectives and be alert to the existence of other

    significant risks (2120.C1)

    Incorporate knowledge of risks gained from consulting

    engagements into their evaluation of the

    organization's RM processes (2120.C2)

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    18/79

    Internal Auditing on Risk Management

    Objective assurance on the following areas:

    Process

    Risk management processes, both theirdesign and how well they are working

    Management

    Management of those risks classified as"key", Including the effectiveness of thecontrols and other responses to them

    Assessment&

    Reporting

    Reliable and appropriate assessment of

    risks and reporting of risk and controlsstatus

    IIA ERM PP

    January 2009

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    19/79

    Internal Auditing on Risk Management

    Consulting Role

    Making available to management tools andtechniques used by internal auditing to analyze risksand controls

    Providing advice, facilitating workshops, coaching the organizationon risk and control and promoting the development of a commonlanguage, framework and understanding

    Supporting managers as they work to identify the best way tomitigate a risk

    Being a champion for introducing ERM into the organization,

    leveraging its expertise in risk management and controland its overall knowledge of the organization

    Acting as the central point for coordinating, monitoring

    and reporting on risks

    IIA ERM PPJanuary 2009

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    20/79

    Internal Auditing on Control

    Must assist the organization in maintaining effective

    controls by evaluating their effectiveness and

    efficiency and by promoting continuous

    improvement (2130)

    Incorporate knowledge of controls gained from

    consulting engagements into evaluation of the

    organization's control processes.

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    21/79

    Internal Auditing

    Definition

    Internal Auditing is an independent, objective

    assurance and consulting activity designed to add

    value and improve an organization'soperations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplinedapproach to evaluate and improve the effectiveness

    of risk management, control and governanceprocesses

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    22/79

    Internal Auditing

    Deliver Value

    Assurance

    ObjectivityInsight

    Internal Auditing

    IIARF - Insight: Delivering Value to Stakeholders

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    23/79

    Internal Auditing

    Insightthe capacity to gain an accurate and

    deep intuitive understanding of a person or thing

    IIARF - Insight: Delivering Value to Stakeholders

    One of the key goals of the IAfunction is to provide its

    stakeholders with insights gleaned

    while performing assessments, both

    with respect to the implications of

    those assessments and providingrecommendations

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    24/79

    Internal Auditing

    Evolution

    Internal Police/

    Adversary

    Valued Advisor

    Partner

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    25/79

    What it is all about

    2010 Global IA Survey

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    26/79

    2010 Global IA Survey

    Most comprehensive study ever to capture the

    current perspective and opinions from a large cross

    section of IA stakeholders about internal auditing

    worldwide

    13,500 usable responses

    107 countries

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    27/79

    2010 Global IA Survey

    REPORTS:

    1. Characteristics of an Internal Audit Activity

    2. Core Competencies for Today's Internal Auditors

    3.

    Measuring Internal Audit Value4. What's Next for Internal Auditing

    5. Imperatives for Change: The IIA's GlobalInternal Audit Survey in Action

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    28/79

    Characteristics of Internal Audit

    2010 Global IA Survey

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    29/79

    2010 Global IA Survey

    Characteristics of the Internal Audit Population:

    30% are in the age group of 26 36, compared with11% in 2006

    2/3 male; 1/3 female

    Increasing % of IAs obtaining master's/graduate ordoctoral degrees

    Increasing % of those with IA majors

    50%+ of IA units get their staff from within,followed by employment agencies and referrals from

    professional affiliates

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    30/79

    2010 Global IA Survey

    Characteristics of the Internal Audit Population:

    IA units rely on outsourcing or co-sourcing to

    compensate for missing skills in the IA activity

    Approx. 50% will recruit more staff during the next 5

    years; others will maintain current staffing level

    Most CAEs report either to CEO or Audit Committee;

    highest % reporting to AC was in Middle East, US &

    Canada, and Latin America

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    31/79

    2010 Global IA Survey

    Characteristics of the Internal Audit Population:

    In the next 5 years, focus of IA activities will be:

    Corporate governance

    ERM

    Strategic reviews

    Ethics audit

    Migration to IFRS

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    32/79

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    33/79

    Core Competencies for Today's

    Internal Auditors

    2010 Global IA Survey

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    34/79

    2010 Global Survey

    Core Competencies Common at all levels

    Communications skills (including oral, written, report

    writing and presentation)

    Problem identification and solution skills (including core,

    conceptual and analytical thinking)

    Keeping up to date with industry and regulatory

    changes and professional standards.

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    35/79

    2010 Global Survey

    Incremental Core Competencies

    IA Staff Accounting frameworks, tools and techniques

    IT/ICT frameworks, tools and techniques

    ManagementOrganizational skills, including project and time management

    Conflict resolution and negotiation skills

    CAE Ability to promote the value of IA function within the organization

    Conflict resolution and negotiation skills

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    36/79

    2010 Global IA Survey

    Core competencies

    Behavioral

    Confidentiality

    Communication Skills

    Technical

    Understanding business

    Risk analysis & control assessment techniques

    Knowledge

    Auditing Internal audit standards

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    37/79

    Measuring Internal Auditing's Value

    2010 Global IA Survey

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    38/79

    2010 Global IA Survey

    Most respondents believe IA add value; objectivity

    and independence as the major driver

    While most respondents view IA as contributing to

    controls; they do not have the same view for risk

    management & governance

    Declining trend in outsourcing

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    39/79

    2010 Global IA Survey

    Most important factors to the perceived contribution

    of IA activity

    Appropriate access to AC

    Independence; functioning without coercion to change

    or withdraw audit findings

    More use of audit tools or technology in typical audit

    engagements

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    40/79

    2010 Global IA Survey

    Measurement methods frequently used:

    % of audit plan completed

    Acceptance and implementation of recommendations

    Surveys/feedback from board/AC/management

    Surveys/feedback from auditee

    Reliance by external auditors on the IA activity

    Assurance of sound risk management

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    41/79

    What's Next for Internal Auditing

    2010 Global IA Survey

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    42/79

    2010 Global IA Survey

    Clear convergence of the governance and controls

    context of IA activity

    Role in risk management and governance will

    continue to increase:

    Training AC members

    Advisory role in strategy development

    Education role for the organization's personnel

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    43/79

    2010 Global IA Survey

    Top 5 activities performed in 2010

    Operational auditing (89%)

    Audit of compliance with regulatory code, including

    privacy requirements (75%)

    Auditing financial risks (72%)

    Investigations of fraud and irregularities (71%)

    Evaluating the effectiveness of control framework (i.e.

    COSO and COBIT) (69%)

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    44/79

    2010 Global IA Survey

    Top seven (7) activities expected to be performed

    in the next 5 years:

    Corporate governance reviews (23%)

    Audits of ERM processes (20%)

    Reviews addressing linkage of strategy and

    performance (20%)

    Ethics audit (19%)

    Social and sustainability audits (19%)

    Migration to IFRS (19%)

    Disaster recovery testing and support (18%)

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    45/79

    2010 Global IA Survey

    Top five (5) audit tools and techniques predicted to

    be used more in the next 5 years:

    CAATs (63%)

    Electronic workpapers (55%)

    Continuous / Real-time Auditing (54%)

    Data Mining (52%)

    Risk-based Audit Planning (52%)

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    46/79

    Imperatives for Change:

    The IIA's Global Internal Audit Survey inAction

    2010 Global IA Survey

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    47/79

    2010 Global IA Survey

    Ten (10) Imperatives for Change

    Group 1 Emphasize Risk Management &

    Governance

    1. Sharpen your focus on risk management andgovernance

    2. Conduct a more responsive and flexible risk-based

    audit plan

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    48/79

    2010 Global IA Survey

    Ten (10) Imperatives for Change

    Group II Address Key Stakeholder Priorities

    3. Develop a strategic vision for IA

    4. Focus, monitor and report on IA's value5. Strengthen Audit Committee communications and

    relationships

    6. View compliance with IIA'sInternational Standards

    for the Professional Practice of Internal Auditing as

    mandatory, not optional

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    49/79

    2010 Global IA Survey

    Ten (10) Imperatives for Change

    Group III Optimize Internal Audit Resources

    7. Acquire and develop top talent

    8. Enhance training for internal audit activities9. Take advantage of expanding service provider

    membership

    Group IV Leverage Technology Effectively

    10. Step up use of audit technology and tools.

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    50/79

    Internal Auditing

    What does it mean forIAs?

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    51/79

    Internal Auditing

    . . . . presents significantchallenges

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    52/79

    Internal Auditing

    . . . .but, at the same time offers a lot of

    opportunities for career andpersonal advancement

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    53/79

    Internal Auditing

    Developments in 2012

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    54/79

    New IPPF Standards

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    55/79

    Internal Auditing

    New IPPF Standards

    Effective January 1, 2013

    Changes:

    Applicability to individual auditors

    Explicitly including in the interpretation of Standard

    1110 - Organizational Independence that functional

    reporting to the Board include:

    Approving the IA budget & resource plan

    Approving the remuneration of the CAE

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    56/79

    Internal Auditing

    New IPPF Standards

    Changes (cont.):

    Including in the interpretation of Standard 2010

    Planning that:

    In the absence of a RM framework, the CAE uses his/herown judgment after consideration of input from senior

    management & the board.

    The CAE must review & adjust the plan in response to

    changes in organizations business, risks, operations,

    programs, systems & controls

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    57/79

    Internal Auditing

    New IPPF Standards

    Changes (cont.):2120 Risk Management & 2130 Control

    Inclusion of "Achievement of the organization's strategic

    objectives" among the objectives of RM & IC, along with: Reliability and integrity of financial and operational

    information;

    Effectiveness and efficiency of operations andprograms;

    Safeguarding of assets; and

    Compliance with laws, regulations, policies,procedures, and contracts.

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    58/79

    Internal Auditing

    New IPPF Standards

    Changes (cont.):

    2201 Planning Considerations inclusion of

    "governance" among the activities that must be

    covered in planning

    2210 Engagement Objectives inclusion of

    "governance & risk management" (along with

    control) in the areas for which adequate evaluation

    criteria must be established.

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    59/79

    Internal Auditing

    New IPPF Standards

    Changes (cont.):

    2440 - Disseminating Results the interpretation

    clearly indicated that the CAE retains the

    responsibility for the report even if he/she delegatesthe signing of the report.

    2600 "Resolution of Senior Management's

    Acceptance of Risks" changed to "Communicating

    the Acceptance of Risks" Interpretation It is not the CAE's responsibility to resolve the

    risks

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    60/79

    Internal Auditing

    New IPPF Standards

    Changes (cont.):

    Glossary:

    Board - The highest level of governing body charged with the

    responsibility to direct and/or oversee the activities andmanagement of the organization. Typically, this includes an

    independent group of directors (e.g., a board of directors, a

    supervisory board, or a board of governors or trustees). If such a

    group does not exist, the board may refer to the head of the

    organization. Board may refer to an audit committee to which

    the governing body has delegated certain functions.

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    61/79

    New IPPF Guidance

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    62/79

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    63/79

    Internal Auditing

    New IPPF Guidance (technology related)

    GTAG 17 Auditing IT Governance

    GTAG 7 Information Technology Outsourcing

    GTAG 2 Change and Patch Management Controls:

    Critical for Organizational Success

    GTAG 1 Information Technology Risk and Controls

    New Practice Advisory

    2320-2 Root Cause Analysis

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    64/79

    Internal Auditing

    Public Sector Supplementary Guidance

    Public Sector Definition

    The Role of Auditing in Public Sector Governance

    Value Proposition of Internal Audit and the Internal Audit

    Capability Model Implementing a New Internal Audit Function in the Public

    Sector

    IIA Standards/GAGAS, a Comparison

    Optimizing Public Sector Audit Activities

    Model Legislation (coming soon)

    Transparency in Public Sector Reporting (coming soon)

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    65/79

    New Syllabus for CIA

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    66/79

    Internal Auditing

    New Syllabus for CIA

    To be launched in mid 2013

    Realign content from the current four-part exam

    to a three-part exam

    Removed certain topics

    Introduced new topics

    Changed knowledge level on certain topics

    "A" - Awareness"P" - Proficiency

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    67/79

    Internal Auditing

    New Syllabus for CIA

    Significant Additions:

    Build and maintain networking with other organization

    executives and the audit committee (P)

    Educate senior management and the board on best

    practices in governance, risk management, control and

    compliance (P)

    Assess the adequacy of the performance measurement

    system, achievement of corporate objective (A)

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    68/79

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    69/79

    Internal Auditing

    New Syllabus for CIA

    Significant Additions:

    Outsourcing business process (A)

    Stakeholder relationships (A)

    Organizational theory (structure and configuration) (A)

    Lead, inspire, mentor, and guide people, building

    organizational commitment and entrepreneurial

    orientation (A)

    Create group synergy in pursuing collective goals. (A)

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    70/79

    IIA - Philippines

    Whats Happening @ the Local Front?

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    71/79

    Internal Auditing

    Business AnalysisLeadership &

    Management

    Special Topics

    & Integration

    Information

    Technology &

    SecurityFraud

    Assurance &

    Consulting

    Audit processAudit

    Communication

    Ethics,

    Governance &

    Risks

    Building Block Framework

    Developmental

    Courses

    Technical

    Courses

    FoundationCourses

    Develop IA Resources

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    72/79

    Internal Auditing

    Foundation Courses

    * InternalAuditing theory

    * Operationsaudit

    * Engagements &

    practice*Problem-solvingand decision-making

    *Communicatingaudit results

    * Specializedcommunicationskills

    * Presentationskills

    * Ethics, socialresponsibility &governance

    * Riskmanagement,

    controls andmethodology

    Internal

    Auditing

    Audit

    Communication

    Ethics,

    Governance

    & Risks

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    73/79

    Internal Auditing

    Technical Courses

    * Informationsystems auditing

    * Advance ITaudit

    * Information

    Security andTechnology

    * Fraudexamination

    * Forensicaccounting andfraud

    investigation* Lawcriminology &ethics

    * Assuranceand consulting,skills &attitudes

    Information

    Technology

    & SecurityFraud

    Assurance &

    Consulting

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    74/79

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    75/79

    Internal Auditing

    Certifications

    CIA

    CCSACFSA

    CISA

    CFECISM

    etc.

    Integration

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    76/79

    Internal Auditing

    Integration through Collaboration

    IT, AUDIT

    & FRAUDSUMMIT

    ISACA

    IIA-P

    ACFE-P

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    77/79

    Internal Auditing Course

    FEU Bachelor of Science in Business Administration

    Major in Internal Auditing Since 2006 (BSC- major in Internal Auditing)

    USC Masters of Arts in Internal Auditing Since 2004

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    78/79

    Internal Auditing

    The world is in your

    hands now it is up to

    you to decide how you

    use it.

  • 8/10/2019 Best Practices on Internal Auditing_2.pdf

    79/79

    END OF PRESENTATION