Internal Auditing 101 - ACUIA Internal Auditing 101 ... statements auditing, internal management auditing,

  • View
    9

  • Download
    0

Embed Size (px)

Text of Internal Auditing 101 - ACUIA Internal Auditing 101 ... statements auditing, internal management...

  • 1

    Internal Auditing 101

    Presented By:

     Sam Capuano - Manager of Internal Audit, Wolf & Co.

     John Gallagher - Director of Internal Audit, SEFCU (NY)

     Barry Lucas - Internal Auditor, Desco FCU (Ohio)

    ACUIA Annual Conference June 2014

  • 2

     Introductions

     What is Internal Audit?

     Where Do I Start?

     Who Should I Interact With?

     What Do I Audit, and How?

     What and How Do I Report?

     With Whom Do I Meet and When?

     What Resources are Available?

    ACUIA Annual Conference June 2014

  • 3 ACUIA Annual Conference June 2014

     Sam Capuano - Manager of Internal Audit, Wolf & Co.

     John Gallagher - Director of Internal Audit, SEFCU (New York)

     Barry Lucas - Internal Auditor, Desco FCU (Ohio)

  • 4

     Definition Internal Auditing is an independent, objective

    assurance and consulting activity designed to add value and improve operations.

    Internal Audit helps the Credit Union accomplish its objetives by bringing a systematic, disciplined approach to evaluate and improve the effectivesness of risk management, control and governance processes.

    ACUIA Annual Conference June 2014

  • 5

     Define the roles and responsibilities

     Audit (Assurance Services)?

     Compliance?

     Fraud?

     Risk Management?

     Consulting?

     Security?

    ACUIA Annual Conference June 2014

  • 6

     Independent and Objective

     Reporting Lines?

    ACUIA Annual Conference June 2014

  • 7

     Authorities Internal Audit’s purpose, authority and

    responsibility must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (STD 1000)

    ACUIA Annual Conference June 2014

  • 8

    Charter Documents - Supervisory

    Committee

    - Internal Audit

    Job Descriptions

    Department Structure

    ACUIA Annual Conference June 2014

    Responsibilities and Authority?

  • 9

    Who does Audit interact with?

     Board of Directors

     Supervisory Committee

     Management

     Staff

     Examiners

     External Auditors

    ACUIA Annual Conference June 2014

  • 10

    ACUIA Annual Conference June 2014

  • 11 ACUIA Annual Conference June 2014

  • 12

     Audit Universe

    The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, products, services, subsidiaries, third party vendors, and processes) that are considered “auditable” by

    internal audit.

    ACUIA Annual Conference June 2014

  • 13

     Risk Assessment Internal Audit’s audit plan must be based on a

    documented risk assessment, undertaken at least annually [STD 2010.A1]

    ACUIA Annual Conference June 2014

  • 14

    Internal Audit Plan Internal Audit must establish risk- based plans to determine Internal Audit’s priorities , consistent with the Credit Union’s goals. [STD 2010]

    ACUIA Annual Conference June 2014

  • 15

     Internal Audit Plan

    Internal Audit must develop and document a plan for each audit including the audit’s objectives, scope, timing and resource allocations [STD 2200]

    ACUIA Annual Conference June 2014

  • 16

     Audit Scheduling

    ◦ Disruptions

    ◦ Employee Investigations (Fraud)

    ◦ New CU Products, Services, Departments

    ◦ Staff Training and Development

    ◦ Staff Turnover

    ◦ Management and/or Committee Projects

    ◦ External Audits and Examinations

    ACUIA Annual Conference June 2014

  • 17

     Audit Work

    ◦ Stated Objective

    ◦ Scope of Work

    ◦ Sampling

    ACUIA Annual Conference June 2014

  • 18

     Audit Program

    ◦ Written Procedures (what, when, how…)

    ◦ Internal Control Questionnaires (ICQs)

    ◦ Documentation Requirements

    ACUIA Annual Conference June 2014

  • 19

     Audit Cycle

    Audit

    Notification

    Notification of intent

    to audit

    Preliminary

    scheduling

    discussions and

    document requests

    Establishing key

    area contacts

    Preliminary

    Audit Survey

    Conducting a risk

    assessment

    Developing an audit

    program

    Fieldwork

    Entrance

    Conference

    Sharing the audit

    program

    Coordinating the

    execution of

    fieldwork

    Fieldwork

    Detailed

    Appraisal

    Analytical Reviews

    Interviews

    Detailed testing

    Finding/ Comment

    Updates

    Ending

    Fieldwork

    Share preliminary

    results with area

    management

    Reporting

    Drafting Report

    Obtaining

    management action

    plans

    Exit meeting

    Finalizing Report

    Management

    Response

    Report Distribution

    to Supervisory

    Committee

    Follow-up

    Audit Satisfaction

    Survey

    Monitor completion

    of action plans

    Reporting to

    Supervisory

    Committee

    ACUIA Annual Conference June 2014

  • 20

     Audit Workpapers

    Audit workpapers are the documents which record all audit evidence obtained during financial statements auditing, internal management auditing, information systems auditing, and investigations. Audit working papers are used to support the audit work done in order to provide assurance that the audit was performed in accordance with the relevant auditing standards.

    ACUIA Annual Conference June 2014

    http://en.wikipedia.org/wiki/Audit_evidence http://en.wikipedia.org/wiki/Financial_statements http://en.wikipedia.org/wiki/Financial_statements http://en.wikipedia.org/wiki/Auditing

  • 21

    Paper vs. Electronic?

    ACUIA Annual Conference June 2014

  • 22

     Numbering

     Review Notes

     Sign-off

     Retention

     Access

    ACUIA Annual Conference June 2014

  • 23 ACUIA Annual Conference June 2014

  • 24

     The who, what, when, and how?

    Internal Auditors must communicate the results of the audit. [STD 2400]

    ACUIA Annual Conference June 2014

  • 25

     Who? Board

    Supervisory Committee

    Executive Management

    Department Management

    ACUIA Annual Conference June 2014

  • 26

     What?  Area Overview? Scope of Work?

    Audit Rating? Audit Findings?

     Risk and Control Deficiencies?  Operational Inefficiencies?  Cost Reduction Opportunities?  Compliance Infractions

    Recommendations? Comments for Discussion?

    ACUIA Annual Conference June 2014

  • 27

     When?

     To Management?

     Prior to Exit – Draft  Subsequent to Exit – Final

     To Supervisory Committee?

     Subsequent to Receipt of Management Response

     To Board of Directors?

     Subsequent to Committee Acceptance and/or Approval

    ACUIA Annual Conference June 2014

  • 28

     How?

    In-person Discussion Formal Presentations

    Written Reports Synopsis

    Executive Summary

    Full Report

    ACUIA Annual Conference June 2014

  • 29

     Frequency?

     Attendees?

     Agenda?

     Food? (just kidding, but important!)

    ACUIA Annual Conference June 2014

  • 30 ACUIA Annual Conference June 2014

  • 31

     Enterprise Risk Management (ERM)

    ◦ COSO Model

    ◦ NCUA Supervisory

    Letter No. 13-12

    (issued Nov. 2013)

    ACUIA Annual Conference June 2014

  • 32

     Internal Controls ◦ Structuring audit plans and programs

    ◦ Types of Internal Controls

    ◦ Assessment

    ACUIA Annual Conference June 2014

  • 33

     Types of Internal Controls ◦ Preventative

     Segregation of Duties

     Approvals

     Security of Assets

    ◦ Detective  Monitoring

     Reconciliations

     Audits

     Physical Inventories

    ACUIA Annual Conference June 2014

  • 34

    Control Self Assessments - similar to ICQ’s Example: General Controls

     Are there written rules, guidelines, policies, and/or procedures for all transactions and