Embed Size (px)
Citation preview
1
Strategically
Setting Up Internal
Audit to Add Value: Sawyer’s 7th Edition
2
PARTICIPATE IN SESSION POLLING and Q&A
• Download the IIA Conferences App to
participate in polling during select
sessions
• Select the session through the
schedule icon and click on the polling
icon
• Ask a member of the Conference Staff
if you need assistance
• You can also go to https://ic.cnf.io/ from
your mobile device web browser
• Submit your questions for the session
or to specific presenters by selecting
the ASK icon
3
Polling Question 1Please open the conference app to participate
4
Polling Question 1
What role do you play? a. Internal Audit Leader (CAE/Director)
b. Internal Audit Manager
c. Audit Staff
d. Technical Auditor (IT, Data Analytics, etc.)
e. Non-Auditor (2nd Line Support, Compliance, Info Sec, etc.)
f. Outside Service Provider
5
6
The only guarantee is CHANGE…
Internal auditors produce information…how
much value does it deliver today?
7
The only guarantee is CHANGE…
Internal auditors produce information…how
much value does it deliver today?
8
The only guarantee is CHANGE…
Internal auditors produce information…how
much value does it deliver today?
9
Where are we today?
If our services and audit reports were technology…
Which type of technology would they be?
1973
1992
2019
What role with audit info play in integrated risk
management systems of tomorrow?
10
Polling Question 2Please open the conference app to participate
11
Polling Question 2
What certifications do you hold?a. Certified Internal Auditor (CIA)
b. Certified Information Security Auditor (CISA)
c. Any Risk Management Certification
d. Certified in Investigations/Fraud (CFE, etc.)
e. Certified in Accounting (CPA)
e. Other Certification
12
13
Strategic Internal Audit
Strategic Risks & Opportunities
14
Objectives Today
• Review Internal Audit
Strategic Risks
• Overview of Sawyers 7th
Edition Tools & Support
• Taking the Next Step
15
Internal Audit Strategic Risks
• Reputation – professionalism
• Competition – from 2nd line function growth
and outside service providers
• Collaboration – “enhance and protect
organizational value”
• Risk system consolidation – ERM
decision support
16
Polling Question 3Please open the conference app to participate
17
Polling Question 3
Which Strategic Risk is most significant to your
organization?a. Reputation – professionalism of internal audit
b. Competition – 2nd line of defense growth, InfoSec, Compliance, RM
c. Collaboration – Need to find new ways to add value, complexity
d. Risk System Consolidation – ERM involvement, role, politics
18
19
Sawyers 7th Edition – Strategic Tools
• Challenge your perspective of value
• Know where you are today – services and
products
• Identify what has to change to do more
• Consider best practices
20
Sawyers 7th Edition
“Enhancing and Protecting
Organizational Value”
21
Sawyer’s 7th Edition – Setting Up the IA Shop
Chapter 1: Internal Audit Strategy
Chapter 2: Audit Products/Services
Chapter 3: Audit Operations/Capabilities
Chapter 4: Audit Team/Resourcing Model
Chapter 5: Audit Leaders/Staff
Chapter 6: Building Relationships
Chapter 7: Business Acumen
Chapter 8: Context within which Audit Works
22
Chapter 1 - Challenge your perspective of value
Three Cornerstones of Internal Audit Strategy• Stakeholder Expectations
• IA Professional Expectations
• CAE Expectations
What is the Value Proposition?
What Drives Value?
23
Chapter 2 - Know where you are today
23
Type of Services & Products
Generation 5 – Objectives-Based Auditor
Generation 4 – Risk Management-Based
Auditor
Generation 3 – Risk-Based Auditor
Generation 2 – Internal Control Process
Auditor
Generation 1 – Internal/External Auditor
24
Identify what has to change to do more
Chapter 3: Audit Operations/Capabilities
Chapter 4: Audit Team/Resourcing Model
Chapter 5: Audit Leaders/Staff
25
Manage the environment for growth
CH 6 - Building Relationships
“Relationships with stakeholders can either contribute to the success of internal
audit functions or break it.”
CH 7 - Business Acumen
“In general business acumen means CAEs effectively align their own
perspective of value with the perspective of board and management
stakeholders”
CH – 8 Understanding the Context for IA
“It is more important than ever for internal audit to partner with SME’s and the
second line of defense functions…and define IA effectiveness”
26
Sawyer’s 7th Edition – Delivering IA Services
Chapter 9: The Internal Audit Mission and Its Risks
Chapter 10: Risk Assessment and Audit Planning
Chapter 11: Planning the Audit Engagement
Chapter 12: Assessing Internal Control
Chapter 13: Audit Communication (Reporting and Follow-up)
Chapter 14: Assembling and Supervising the Internal Audit Team
Chapter 15: Specialty Skill Areas
Chapter 16: Advisory Services
27
Chapter10 Risk Assessment and Audit Planning
Risk Assessing – defined by service/product expectation
Generation 5 – Integrated risk assessment, 2nd line, risk mgmt., and audit
Generation 4 – Top-down risk assessments, strategic risk, risk mgmt.
Generation 3 – What could go wrong… risk assessments
Generation 2 – Transaction, efficiency and hazard risks audited
Generation 1 – Compliance or financial reporting risks audited
28
Polling Question 4Please open the conference app to participate
29
Polling Question 4
What generation reflects your risk assessment
efforts? a. Generation 5 – Integrated risk assessment, 2nd line, risk mgmt.,
and audit
b. Generation 4 – Top-down risk assessments, strategic risk, risk
mgmt.
c. Generation 3 – What could go wrong… risk assessments
d. Generation 2 – Transaction, efficiency and hazard risks audited
e. Generation 1 – Compliance or financial reporting risks audited
30
31
Chapter 11 Planning the Audit Engagement
31
Planning Considerations – defined by service/product
Generation 5 – business objectives at risk, sub objectives, strength of
oversight and operations, 2nd line assessments and actions
Generation 4 – strategic/operational priorities, risk mgmt. practices, culture
Generation 3 – scope implied by risk, further investigate, define
Generation 2 – add…flowcharting, key performance indicators
Generation 1 – standards, regulations, systems, policies
32
Chapter 12 Internal Control
Risk and Control Implications – defined by types of engagement
Generation 5 – Risk – simply the effect of uncertainty on objectives
Control – actions align with mgmt. process for oversight,
operations alignment of people, process, and technology
Generation 4 – Risk – Risk Mgmt. is a management job, they structure
Control – expands to include good mgmt./governance
Generation 3 – Risk – mgmt. perspective of what could go wrong
Control – less tangible definitions, stop bad events
Generation 2 – Risk – expands to inefficiency and ineffectiveness
Control – expands to process documentation, analytics
Generation 1 – Risk – noncompliance with standards and regulations
Control – transactional accuracy, completeness
33
Sawyer’s 7th Edition – Delivering IA Services
Chapter 9: The Internal Audit Mission and Its Risks
Chapter 10: Risk Assessment and Audit Planning
Chapter 11: Planning the Audit Engagement
Chapter 12: Assessing Internal Control
Chapter 13: Audit Communication (Reporting and Follow-up)
Chapter 14: Assembling and Supervising the Internal Audit Team
Chapter 15: Specialty Skill Areas
Chapter 16: Advisory Services
34
Conclusion
35
Next Steps
• Understand your internal audit strategic risks
• Know expectations/needs of organization, and
plan to exceed them, lead change
• Get clinical about the value that you deliver
with services and products
• Define a few initiatives to begin mitigating your
strategic risk and elevating the value delivered
36
Thank You
The Institute of Internal Auditors
Dan Clayton, CPA, CIA, CKM
Independent Management Consultant - ISC
LinkedIn: https://www.linkedin.com/in/dan-clayton-cia-
cpa-ckm-52b2227
Paul J. Sobel, CIA, QIAL, CRMA
COSO Chairman
www.coso.org
37
TELL US WHAT YOU THINK!
Evaluate this session right in the
IIA Conference App!
Not using the conference app?
Visit: ic.cnf.io to complete
your session evaluations.
