Best Practices on Internal Auditing_2.pdf

8/10/2019 Best Practices on Internal Auditing_2.pdf

1/79

INTERNAL AUDITING:

WHAT'S THE LATEST?

Lilian S. Linsangan, CPA, CIA, CCSA, CFE


2/79

Internal Auditing - Evolution

What precipitated it?

Globalization ofBusiness


3/79

Internal Auditing - Evolution

Growing Complexity of Business


4/79

Internal Auditing

Evolution

Manual Computerized


5/79

Internal Auditing

Evolution

Internal Police/

Adversary

Valued Advisor

Partner


6/79

Internal Auditing

Definition

Internal Auditing is an independent, objective

assurance and consulting activity designed to add

value and improve an organization's operations. Ithelps an organization accomplish its objectives by

bringing a systematic, disciplined approach to

evaluate and improve the effectiveness of risk

management, control and governance processes


7/79

Internal Auditing

Definition


assurance and consulting activitydesigned to add value and improve an organization's

operations. It helps an organization accomplish its

objectives by bringing a systematic, disciplined

approach to evaluate and improve the effectiveness of

risk management, control and governance processes


8/79

Internal Auditing

Nature of Activity

Objective

ASSURANCE

* an objective examination ofevidence for the purpose ofproviding an independentassessment of governance, riskmanagement, and controlprocesses

CONSULTING

* Objective advisory,facilitative, and trainingactivities, the nature and scopeof which are agreed to with thecustomer, intended to improvegovernance, risk management,

and control processes.

Paul J. Sobel, Blended Engagements


9/79

Internal Auditing

Assurance vs Consulting

ASSURANCE

* To provide anindependent assessmentbased on examination ofevidence

CONSULTING* To provide andindependent advice,facilitation, or trainingservices at the request ofthe customer

ASSURANCE

* Internal auditfunction determinesthe nature and scopeof the engagement

CONSULTING* The customer andthe IA function agreeon the nature andscope of theengagement

ASSURANCE

* The processowner, the IAfunction, the usersof the assessment

CONSULTING* The customerand the IA function

Primary aim of

the engagement

Who

determines

the nature

and scope

Parties

involved


10/79

Internal Auditing

Assurance vs Consulting

The challenge

is . . . . . strikinga balance and

making a

paradigm shift.


11/79

Internal Auditing

Definition

Internal Auditing is an independent, objective assurance

and consulting activity designed to add value and

improve an organization's operations. It helps an

organization accomplish its objectives by bringing a

systematic, disciplined approach to evaluate and

improve the effectiveness of risk management,

control and governance processes


12/79

Internal Auditing

Coverage

Internal

Audit

Assurance

Governance

RiskManagement

Consulting Controls


13/79

Internal Auditing on Governance

Assess & make recommendations for improving thegovernance process in its accomplishments of thefollowing objectives (IIA-PS 2110)

Promoting appropriate ethics and values within the

organization Ensuring effective organizational performance management

and accountability

Communicating risk and control information to appropriateareas of the organization

Coordinating the activities of and communicatinginformation among the board, external and internalauditors, and management


14/79

Internal Auditing on Governance

Evaluate the design, implementation and

effectiveness of the organization's ethics-related

objectives, programs and activities (2110.A1)

Assess whether the information technologygovernance of the organization supports the

organization's strategies and objectives (2110.A2)


15/79

Internal Auditing on Risk Management

Evaluate the effectiveness and contribute to theimprovement of risk management processes (2120)Interpretation):

Organizational objectives support and are aligned with the

organization's mission Significant risks are identified and assessed

Appropriate risk responses are selected that align risk withthe organization's risk appetite

Relevant risk information is captured and communicated in a

timely manner across the organization, enabling staff,management and the board to carry out their responsibilities


16/79


Evaluate risk exposures relating to the

organization's governance, operations, and

information systems regarding the (2120.A1):

Reliability and integrity of financial and operational

information

Effectiveness and efficiency of operations and

programs

Safeguarding of assets

Compliance with laws, regulations, policies, procedures

and contracts


17/79


Evaluate the potential for the occurrence of fraud

and how the organization manages fraud risk(2120.A2)

Address risk consistent with the engagement's

objectives and be alert to the existence of other

significant risks (2120.C1)

Incorporate knowledge of risks gained from consulting

engagements into their evaluation of the

organization's RM processes (2120.C2)


18/79


Objective assurance on the following areas:

Process

Risk management processes, both theirdesign and how well they are working

Management

Management of those risks classified as"key", Including the effectiveness of thecontrols and other responses to them

Assessment&

Reporting

Reliable and appropriate assessment of

risks and reporting of risk and controlsstatus

IIA ERM PP

January 2009


19/79


Consulting Role

Making available to management tools andtechniques used by internal auditing to analyze risksand controls

Providing advice, facilitating workshops, coaching the organizationon risk and control and promoting the development of a commonlanguage, framework and understanding

Supporting managers as they work to identify the best way tomitigate a risk

Being a champion for introducing ERM into the organization,

leveraging its expertise in risk management and controland its overall knowledge of the organization

Acting as the central point for coordinating, monitoring

and reporting on risks

IIA ERM PPJanuary 2009


20/79

Internal Auditing on Control

Must assist the organization in maintaining effective

controls by evaluating their effectiveness and

efficiency and by promoting continuous

improvement (2130)

Incorporate knowledge of controls gained from

consulting engagements into evaluation of the

organization's control processes.


21/79

Internal Auditing

Definition


assurance and consulting activity designed to add

value and improve an organization'soperations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplinedapproach to evaluate and improve the effectiveness

of risk management, control and governanceprocesses


22/79

Internal Auditing

Deliver Value

Assurance

ObjectivityInsight

Internal Auditing

IIARF - Insight: Delivering Value to Stakeholders


23/79

Internal Auditing

Insightthe capacity to gain an accurate and

deep intuitive understanding of a person or thing

IIARF - Insight: Delivering Value to Stakeholders

One of the key goals of the IAfunction is to provide its

stakeholders with insights gleaned

while performing assessments, both

with respect to the implications of

those assessments and providingrecommendations


24/79

Internal Auditing

Evolution

Internal Police/

Adversary

Valued Advisor

Partner


25/79

What it is all about

2010 Global IA Survey


26/79


Most comprehensive study ever to capture the

current perspective and opinions from a large cross

section of IA stakeholders about internal auditing

worldwide

13,500 usable responses

107 countries


27/79


REPORTS:

1. Characteristics of an Internal Audit Activity

2. Core Competencies for Today's Internal Auditors

3.

Measuring Internal Audit Value4. What's Next for Internal Auditing

5. Imperatives for Change: The IIA's GlobalInternal Audit Survey in Action


28/79

Characteristics of Internal Audit



29/79


Characteristics of the Internal Audit Population:

30% are in the age group of 26 36, compared with11% in 2006

2/3 male; 1/3 female

Increasing % of IAs obtaining master's/graduate ordoctoral degrees

Increasing % of those with IA majors

50%+ of IA units get their staff from within,followed by employment agencies and referrals from

professional affiliates


30/79



IA units rely on outsourcing or co-sourcing to

compensate for missing skills in the IA activity

Approx. 50% will recruit more staff during the next 5

years; others will maintain current staffing level

Most CAEs report either to CEO or Audit Committee;

highest % reporting to AC was in Middle East, US &

Canada, and Latin America


31/79



In the next 5 years, focus of IA activities will be:

Corporate governance

ERM

Strategic reviews

Ethics audit

Migration to IFRS


32/79


33/79

Core Competencies for Today's

Internal Auditors



34/79

2010 Global Survey

Core Competencies Common at all levels

Communications skills (including oral, written, report

writing and presentation)

Problem identification and solution skills (including core,

conceptual and analytical thinking)

Keeping up to date with industry and regulatory

changes and professional standards.


35/79

2010 Global Survey

Incremental Core Competencies

IA Staff Accounting frameworks, tools and techniques

IT/ICT frameworks, tools and techniques

ManagementOrganizational skills, including project and time management

Conflict resolution and negotiation skills

CAE Ability to promote the value of IA function within the organization

Conflict resolution and negotiation skills


36/79


Core competencies

Behavioral

Confidentiality

Communication Skills

Technical

Understanding business

Risk analysis & control assessment techniques

Knowledge

Auditing Internal audit standards


37/79

Measuring Internal Auditing's Value



38/79


Most respondents believe IA add value; objectivity

and independence as the major driver

While most respondents view IA as contributing to

controls; they do not have the same view for risk

management & governance

Declining trend in outsourcing


39/79


Most important factors to the perceived contribution

of IA activity

Appropriate access to AC

Independence; functioning without coercion to change

or withdraw audit findings

More use of audit tools or technology in typical audit

engagements


40/79


Measurement methods frequently used:

% of audit plan completed

Acceptance and implementation of recommendations

Surveys/feedback from board/AC/management

Surveys/feedback from auditee

Reliance by external auditors on the IA activity

Assurance of sound risk management


41/79

What's Next for Internal Auditing



42/79


Clear convergence of the governance and controls

context of IA activity

Role in risk management and governance will

continue to increase:

Training AC members

Advisory role in strategy development

Education role for the organization's personnel


43/79


Top 5 activities performed in 2010

Operational auditing (89%)

Audit of compliance with regulatory code, including

privacy requirements (75%)

Auditing financial risks (72%)

Investigations of fraud and irregularities (71%)

Evaluating the effectiveness of control framework (i.e.

COSO and COBIT) (69%)


44/79


Top seven (7) activities expected to be performed

in the next 5 years:

Corporate governance reviews (23%)

Audits of ERM processes (20%)

Reviews addressing linkage of strategy and

performance (20%)

Ethics audit (19%)

Social and sustainability audits (19%)

Migration to IFRS (19%)

Disaster recovery testing and support (18%)


45/79


Top five (5) audit tools and techniques predicted to

be used more in the next 5 years:

CAATs (63%)

Electronic workpapers (55%)

Continuous / Real-time Auditing (54%)

Data Mining (52%)

Risk-based Audit Planning (52%)


46/79

Imperatives for Change:

The IIA's Global Internal Audit Survey inAction



47/79


Ten (10) Imperatives for Change

Group 1 Emphasize Risk Management &

Governance

1. Sharpen your focus on risk management andgovernance

2. Conduct a more responsive and flexible risk-based

audit plan


48/79



Group II Address Key Stakeholder Priorities

3. Develop a strategic vision for IA

4. Focus, monitor and report on IA's value5. Strengthen Audit Committee communications and

relationships

6. View compliance with IIA'sInternational Standards

for the Professional Practice of Internal Auditing as

mandatory, not optional


49/79



Group III Optimize Internal Audit Resources

7. Acquire and develop top talent

8. Enhance training for internal audit activities9. Take advantage of expanding service provider

membership

Group IV Leverage Technology Effectively

10. Step up use of audit technology and tools.


50/79

Internal Auditing

What does it mean forIAs?


51/79

Internal Auditing

. . . . presents significantchallenges


52/79

Internal Auditing

. . . .but, at the same time offers a lot of

opportunities for career andpersonal advancement


53/79

Internal Auditing

Developments in 2012


54/79

New IPPF Standards


55/79

Internal Auditing

New IPPF Standards

Effective January 1, 2013

Changes:

Applicability to individual auditors

Explicitly including in the interpretation of Standard

1110 - Organizational Independence that functional

reporting to the Board include:

Approving the IA budget & resource plan

Approving the remuneration of the CAE


56/79

Internal Auditing

New IPPF Standards

Changes (cont.):

Including in the interpretation of Standard 2010

Planning that:

In the absence of a RM framework, the CAE uses his/herown judgment after consideration of input from senior

management & the board.

The CAE must review & adjust the plan in response to

changes in organizations business, risks, operations,

programs, systems & controls


57/79

Internal Auditing

New IPPF Standards

Changes (cont.):2120 Risk Management & 2130 Control

Inclusion of "Achievement of the organization's strategic

objectives" among the objectives of RM & IC, along with: Reliability and integrity of financial and operational

information;

Effectiveness and efficiency of operations andprograms;

Safeguarding of assets; and

Compliance with laws, regulations, policies,procedures, and contracts.


58/79

Internal Auditing

New IPPF Standards

Changes (cont.):

2201 Planning Considerations inclusion of

"governance" among the activities that must be

covered in planning

2210 Engagement Objectives inclusion of

"governance & risk management" (along with

control) in the areas for which adequate evaluation

criteria must be established.


59/79

Internal Auditing

New IPPF Standards

Changes (cont.):

2440 - Disseminating Results the interpretation

clearly indicated that the CAE retains the

responsibility for the report even if he/she delegatesthe signing of the report.

2600 "Resolution of Senior Management's

Acceptance of Risks" changed to "Communicating

the Acceptance of Risks" Interpretation It is not the CAE's responsibility to resolve the

risks


60/79

Internal Auditing

New IPPF Standards

Changes (cont.):

Glossary:

Board - The highest level of governing body charged with the

responsibility to direct and/or oversee the activities andmanagement of the organization. Typically, this includes an

independent group of directors (e.g., a board of directors, a

supervisory board, or a board of governors or trustees). If such a

group does not exist, the board may refer to the head of the

organization. Board may refer to an audit committee to which

the governing body has delegated certain functions.


61/79

New IPPF Guidance


62/79


63/79

Internal Auditing

New IPPF Guidance (technology related)

GTAG 17 Auditing IT Governance

GTAG 7 Information Technology Outsourcing

GTAG 2 Change and Patch Management Controls:

Critical for Organizational Success

GTAG 1 Information Technology Risk and Controls

New Practice Advisory

2320-2 Root Cause Analysis


64/79

Internal Auditing

Public Sector Supplementary Guidance

Public Sector Definition

The Role of Auditing in Public Sector Governance

Value Proposition of Internal Audit and the Internal Audit

Capability Model Implementing a New Internal Audit Function in the Public

Sector

IIA Standards/GAGAS, a Comparison

Optimizing Public Sector Audit Activities

Model Legislation (coming soon)

Transparency in Public Sector Reporting (coming soon)


65/79

New Syllabus for CIA


66/79

Internal Auditing


To be launched in mid 2013

Realign content from the current four-part exam

to a three-part exam

Removed certain topics

Introduced new topics

Changed knowledge level on certain topics

"A" - Awareness"P" - Proficiency


67/79

Internal Auditing


Significant Additions:

Build and maintain networking with other organization

executives and the audit committee (P)

Educate senior management and the board on best

practices in governance, risk management, control and

compliance (P)

Assess the adequacy of the performance measurement

system, achievement of corporate objective (A)


68/79


69/79

Internal Auditing


Significant Additions:

Outsourcing business process (A)

Stakeholder relationships (A)

Organizational theory (structure and configuration) (A)

Lead, inspire, mentor, and guide people, building

organizational commitment and entrepreneurial

orientation (A)

Create group synergy in pursuing collective goals. (A)


70/79

IIA - Philippines

Whats Happening @ the Local Front?


71/79

Internal Auditing

Business AnalysisLeadership &

Management

Special Topics

& Integration

Information

Technology &

SecurityFraud

Assurance &

Consulting

Audit processAudit

Communication

Ethics,

Governance &

Risks

Building Block Framework

Developmental

Courses

Technical

Courses

FoundationCourses

Develop IA Resources


72/79

Internal Auditing

Foundation Courses

* InternalAuditing theory

* Operationsaudit

* Engagements &

practice*Problem-solvingand decision-making

*Communicatingaudit results

* Specializedcommunicationskills

* Presentationskills

* Ethics, socialresponsibility &governance

* Riskmanagement,

controls andmethodology

Internal

Auditing

Audit

Communication

Ethics,

Governance

& Risks


73/79

Internal Auditing

Technical Courses

* Informationsystems auditing

* Advance ITaudit

* Information

Security andTechnology

* Fraudexamination

* Forensicaccounting andfraud

investigation* Lawcriminology &ethics

* Assuranceand consulting,skills &attitudes

Information

Technology

& SecurityFraud

Assurance &

Consulting


74/79


75/79

Internal Auditing

Certifications

CIA

CCSACFSA

CISA

CFECISM

etc.

Integration


76/79

Internal Auditing

Integration through Collaboration

IT, AUDIT

& FRAUDSUMMIT

ISACA

IIA-P

ACFE-P


77/79

Internal Auditing Course

FEU Bachelor of Science in Business Administration

Major in Internal Auditing Since 2006 (BSC- major in Internal Auditing)

USC Masters of Arts in Internal Auditing Since 2004


78/79

Internal Auditing

The world is in your

hands now it is up to

you to decide how you

use it.


79/79

END OF PRESENTATION

Documents

Best Practices on Internal Auditing_2.pdf