Presentation to the Audit Committee Internal Audit Overview
September 2009
AGENDA
Internal audit organization, mission statement & responsibilities
Internal control responsibilities
Audit approach & 2009/10 audit plan
Audit reports & rating system
Quality assurance
SFC GOVERNANCE MODEL
• MD/GM/CFO/others set policies & operating principles
• Depts. adhere to policies and operating principles
• SFC/IFRS directs compliance of controls over financial reporting
• Internal Audit evaluates compliance against policies & reports non-compliance
• Board of Directors evaluates risk & dictates organization to review, evaluate, monitor & control risk
• GM evaluates risks & compliance with laws
• Treasury evaluates credit/treasury risks & develops policies to minimize risks
• IT evaluates technology risks & develops policies to minimize risk
• Legal assures compliance with laws
• FC establishes reporting mechanism to assure compliance to law & policy
VALUE OF IAD TO SFC
Diagram labels: Shareholders; INTERNAL AUDIT; PKF; Board; Senior Management; Departments; Independent
Stakeholder groups: Internal stakeholders; External stakeholders
• Objective Assurance
• Consulting & value-add
• Best practice sharing
• Evaluate & improve effectiveness of risk management, control & governance processes
• Proactive communications to improve controls
• Consulting assistance to key initiatives (e.g. Sarbanes-Oxley, acquisitions)
• Objective Assurance
• Improve organization's operations
KEY CUSTOMERS, PRODUCTS & METRICS
Columns: Key products; Primary customers; Secondary customers; Metrics
• Audit Assurance
  - Customers (primary, then secondary): Audit Committee; Bassem; Niall; Depts. FC; Entity receiving audit
  - Metrics: Completion of audit plan; Quality of audit reports; Timeliness of audit reports; Successful external assurance review
• Talent
  - Customers (primary, then secondary): Depts. receiving talent; Greater finance & IT organizations
  - Metrics: Attrition rates below benchmark; Quality of talent placed
• Consulting Services
  - Customers (primary, then secondary): Entity/Depts. receiving consulting service (dependent upon the nature of services provided); Depts. Heads; Acct & Control; GM
  - Metrics: Quality of services provided; Quantity of services provided
IAD Structure and Function
Audit Committee
Internal Auditor
• Finance Audit
• Internal Control Audit
• Information Systems Audit
• Compliance Audit
• Other
MISSION AND SCOPE OF WORK
• The mission of the internal audit department is to provide independent, objective and reasonable assurance and consulting services designed to add value and to assist management in monitoring a system of internal control. The scope and frequency of these evaluations are determined through an assessment of risks, including the effectiveness of management’s ongoing monitoring procedures.
• The scope of work of the internal audit department is to determine whether the organization’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:
  - Risks are appropriately identified and managed
  - Interaction with the various governance groups occurs as needed
  - Significant financial, managerial, and operating information is accurate, reliable, and timely
  - Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations
  - Resources are acquired economically, used efficiently, and adequately protected
  - Programs, plans, and objectives are achieved
  - Quality and continuous improvement are fostered in the organization’s control process
  - Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately
INTERNAL AUDIT RESPONSIBILITIES
Responsibilities include:
Independently assess internal controls at SFC departments
Maintain an annual cyclical audit plan
Perform compliance audits of contracts with the JVs
Perform IT system audits
Conduct control reviews at acquisitions generally within a year of purchase
Assist the organization in select investigations
Test compliance with policies & procedures
Review selected transactions for possible improper payments
MANAGEMENT RESPONSIBILITIES
Responsibilities include:
Establish internal control systems to provide safeguarding of assets, proper financial reporting and accomplish business objectives
Perform on-going management control reviews and control self-assessment activities
Maintain a system to track completion of control issues & recommendations
Comply with IFRS and local accounting requirements
AUDIT APPROACH
Input-Process-Output
Inputs
Audit Staff
Dept Staff
IS e.g. Final Accounts
Customers/ Suppliers
Processes
Work Programs
Control Reviews
Compliance/Substantive Tests
Walk through Tests
Outputs
Audit Reports
-Observations
-Recommendations
Management Action
Audit Universe 2009/2010
[Chart of auditable areas: Accounts, Operations, Sales & Mktg, HR, Other. Values shown: 32%, 19%, 16%, 11%, 22%]
Audit Approach
Annual Audit Plan
Audit Risk Assessment
Audit Execution
• Identify critical risks
• Measure objective achievement
• Capture known issues quickly
• Drill down into known issues (dimension the issue and determine underlying cause)
• Measure, test and evaluate design of controls over critical objectives & risks
Annual process, cyclical and risk-based approach
Audit Methodology
• Risk and Audit Universe (RAU) planning
• Details of planned audit
• Quarterly plan for IA activity
• Database for individual Audit
• Monitoring and review
• SFC risk register
• Individual Audits
• Define draft audit scope
• Feedback results into risk and audit universe
• Set up an audit database to record the audit details, or update the Risk and Audit Universe
• Agreed scope
• Audit report
• Test the monitoring and proper operation of controls
• Audit plan
• Meetings to determine objectives, risks and agree scope
• Draw preliminary conclusions and discuss them
• Obtain relevant documentation on processes
• Audit database
• Examine the risk management process for the area audited
• Decide on audit approach
• Conclude on risk maturity for the area audited
• Risk and audit universe
Key Criteria For Identifying Risk:
• Size
• Likelihood/impact
• Departmental risk
• Date and result of last audit
• Degree of changes (Management, organization, systems)
• Awareness of risks/control issues
Audit Reports
• Audit reports recommend control improvements and assess the adequacy of corrective actions taken or planned
• Ratings are given to conclude on the control environment:
  - Large Audit areas: Unsatisfactory/Fail, Marginal/Some improvements, Acceptable/Pass
  - Small Audit areas: Pass, Fail
• Unsatisfactory and Fail reports are presented in detail to the audit committee.
RATING SYSTEM DEFINITION & INDICATORS
Ratings for Large Depts.: Unsatisfactory, Marginal, Acceptable. Ratings for Small Depts.: Fail, Pass.

Definition
• Unsatisfactory (Large Depts.): Controls substantially below SFC standards
• Marginal (Large Depts.): Controls do not fully meet SFC standards
• Acceptable (Large Depts.): Controls meet SFC standards
• Fail (Small Depts.): Controls substantially below SFC standards
• Pass (Small Depts.): Controls generally meet SFC standards

Key Indicators
• Unsatisfactory: Fundamental weaknesses exposing the company to substantial risks. Documentation for financial reporting controls does not exist, and key controls not tested.
• Marginal: Weaknesses exist that expose the SFC to unnecessary risks. Documentation for most financial reporting controls does not meet SFC minimum standards, and many key controls not adequately tested.
• Acceptable: No critical process breakdown or policy violations. Key financial reporting controls documented and tested.
• Fail: Fundamental weaknesses exposing the company to substantial risks
• Pass: Weaknesses may exist that expose the company to unnecessary risks

Deficiencies identified
• Unsatisfactory: Number and nature of observations indicate clearly unsatisfactory situations such as a breakdown of critical procedures and controls or performance
• Marginal: Pertain to the design or function of internal controls
• Acceptable: Process improvement opportunities
• Fail: Number and nature of observations indicate clearly unsatisfactory situations such as an exposure to fraud and breakdown of critical controls and procedures
• Pass: May pertain to design or function of internal controls, or process improvement opportunities

Audit Committee Involvement
• Unsatisfactory: Each report discussed in detail with the audit committee
• Marginal: Presented to audit committee on a summary level – some discussed in detail
• Acceptable: Presented to audit committee on a summary level only
• Fail: Each report discussed in detail with the audit committee
• Pass: Presented to audit committee on a summary level only

IAD Follow-Up
• Unsatisfactory: Corrective action status updates reviewed semi-annually with the audit committee. A follow-up audit is scheduled within a year.
• Marginal: Corrective action status updates reviewed semi-annually with the audit committee
• Fail: Corrective action status of high risk findings reviewed semi-annually with the audit committee. A follow-up audit is scheduled within a year.
• Pass: Corrective action status of high risk findings reviewed semi-annually with the audit committee
AUDIT QUALITY ASSURANCE PROCESS
Phases: Resource Planning; Onboarding (where necessary); Quality review, training & development
• Determine skills requirements
• Develop & execute plan
• Hire individuals & assess training
• Schedule one week Orientation¹
• Scheduling process (New joiner assigned with more experienced staff)
• Attend three-day auditing training
• With audit experience²
• Audit engagement quality review process
• Engagement staff evaluation (Identify development needs)
• Specialized training (For needs identified or specific types of audits)
• General training (2 times a year) - trends, Dept leaders, IIA training, audit process, technical updates, etc.
• Audit plan
• Determine staffing levels
• On the job training
• Performance Evaluation
¹ Survey new hire on process & adjust if necessary
² New standard 3 3 years average financial experience
Internal Review
• A sample of the audit work papers reviewed each year by head of internal audit
• Standard work (work program, templates)
• Lessons learned communicated to department
• Plans or in process for the following year audits.
External Review
• Objective
  - Assess effectiveness
  - Validate conformance to IIA's standards and code of Ethics
  - Identify opportunities for improvement
• Scope
  - Risk assessment and audit planning processes
  - Audit tools and methodologies
  - Engagement and staff management process
  - Sample review of working papers and reports
• Benchmarking
SUMMARY - IAD OPERATING SYSTEM
• Feedback/interviews
• Prioritization
• Improvement projects & activities
• Current state
• Achieve future state (becomes current state)
• Measure, control,
• Survey data
• Impact/maturity
• Sustaining teams
• Turnbacks process & Process certification
• Performance monitoring
IAD will use IIA tools in support of this system
Benefits
• Adherence to corporate policies, rules and regulations.
• Ongoing management control activities.
• Translates operational strategy and aligns it to the corporate mission.
• Serves as a motivational tool to employees.
Need for establishing IAD
• Scale, diversity and complexity of company activities
• Number of employees – more employees increase need
• Increase in unacceptable events
• Problems with internal control systems
• Amount of changes in information systems
• Changes in key risks
• Cost-benefit of department