Upload
morgan-parrish
View
216
Download
1
Tags:
Embed Size (px)
Citation preview
The Role and Benefits of a State Audit Committee
Presented by:
Joe Bell, Chief Audit Executive, State of Ohio,
OBM Office of Internal Audit
Maria Jackson, Assistant Chief Auditor, Information Systems AuditOffice of Dave Yost, Ohio Auditor of State
2
Presentation ‘Kickoff’
3
Session ObjectivesYou will learn how:• An effective audit committee improves overall
governance• Coordinated monitoring/auditing improves
organizational controls• Reducing repeat audit comments allows for
more efficient audits and enables auditors to focus on emerging issues
4
Today’s Game Plan
5
Today’s Game Plan
• An early Penalty – Impact of “Coingate”• The IIA’s 3 Lines of Defense• Reaching the End Zone – IA Capability Model• Building the Audit Team - OIA & SAC• Teamwork – AOS & OIA working together
6
Penalty Situation
7
“Coingate”
8
Evolution of Internal Audit in Ohio
9
IIA’s 3 Lines of Defense
10
IIA’s Three Lines of Defense
11
Risk
12
3 Groups Responsible for Risk Management
1. Own & Manage Risks
2. Oversee Risks
3. Provide Independent Assurance
13
1st Line of Defense: Operational Management
• Own and Manage Risks
• Day to Day Performance of Internal controls
• Responsible for Corrective Actions
14
2nd Line of Defense: Risk Management & Compliance
FunctionsEnsures the 1st Line is properly designed, in place, and operating effectively.
• Risk Management Function• Compliance Function• Controllership Function
15
3rd Line of Defense: Internal Audit
• Provides assurance on effectiveness of governance, risk management, & internal control.
• High level of independence & objectivity.
• Broad scope.
16
External Audit & Regulators
• Outside the Organization Structure
• Additional Line of Defense when Coordinated Effectively
• Limited Scope
17
Coordinating the 3 Lines of Defense
FIRST LINE OF DEFENSE
SECOND LINE OF DEFENSE
THIRD LINE OF DEFENSE
Risk Owners/Managers
Risk Control and Compliance
Risk Assurance
• operating management
• limited independence• reports primarily to management
• internal audit• greater independence• reports to governing body
18
Building the Audit Team
19
Building the Audit Team in Ohio
Building the Audit Team in Ohio
Point A - 2007• Decentralized, ad hoc
Internal Audit functions in a few agencies.
• No Audit Committee• Many external audit
issues.
Point B - 2014• Centralized Office of
Internal Audit, aligned to IIA Standards
• Established State Audit Committee
• Improvement in Internal Control
20
21
Audit Landscape in Ohio• OBM Office of Internal Audit• State Audit Committee• Ohio Auditor of State• Ohio Inspector General• Federal Oversight Agencies
22
Ohio Reporting Relationships
23
OIA Team CompositionTeam Number Certifications
Financial Auditors 14 CPA – 9CISA – 7CIA – 4
CGAP – 5
Information TechnologyAuditors
9
24
OIA Roles• Assurance
– Internal and system control effectiveness– Business process effectiveness– Evaluate and improve effectiveness of risk
management, control and governance
• Consulting– Document process maps– New programs, IT systems, and process
consulting– Training and education – Business process and internal control design
25
Legal Authority for Office of Internal Audit
• Ohio Revised Code Section 126.45 created OIA within the Office of Budget and Management.
• Requires OIA to conduct internal audits of certain state agencies
• Requires an annual audit plan• Requires reporting audit recommendations to the
State Audit Committee.
26
State Audit Committee
• Five member committee meets quarterly• Assists Governor and Director of the OBM in
oversight responsibilities:– Financial Reporting,– Internal Controls,– Risk Assessment,– Audit Processes, – Compliance: Laws, Rules, & Regulations.
27
Independent State Audit Committee:
28
Audit Committee Composition• Chairperson, Governor Appointed, external
to state management.• Two appointed by the House Speaker, • Two appointed by Senate President, • Not More Than Two from Same Party• Three-year Term, One Reappointment
29
Required SA Committee Expertise
At least one member who is• Financial Expert• Certified Public Accountant• Familiar with Governmental Accounting• Representative of the Public• Familiar with Information Technology
30
Key Functions of Audit Committee
1. Review annual OIA plan
2. Review OIA preliminary reports
3. Review OIA conformance to IIA Standards (Peer Review)
4. Review State of Ohio CAFR
5. Review financial statements with external auditor (Auditor of State)
31
Audit Committee Continuous Improvement• Audit Charter – Annual Review• Event Calendar – Cover All Responsibilities• Meeting Evaluation – Assess content/adequacy• Annual Evaluation – OIA• Audit Committee Self-evaluation
– Financial reporting– OIA– External Audit– Management and Other Reporting
32
OIA Continuous Improvement
33
Reaching the ‘Goal Line’
34
Capability Model: Governance Examples in Practice for Key Process Areas
Level 5 - Optimizing Strategic information and communication strategy advocating independence & authority of internal audit
Level 4 - Managed Legislation/policy requires independent oversight
committee CAE reports directly to oversight committee
Level 3 - Integrated Legislation/policy requiring an oversight committee Management supports internal audit funding
Level 2 - Infrastructure Organizational policy to allow internal auditors full access
to information, assets, and people Approved internal audit charter
Level 1 - Initial Not applicable; ad hoc and unstructuredAdapted from the IIA’s Internal Audit Capability Model (IA-CM) for the Public Sector
35
Teamwork
Dave Yost, Ohio Auditor
• One of five independently elected statewide offices.
• Four year term, 2 consecutive terms max
36
37
Ohio Auditor of State
• ORC 117.10 – The Auditor of State shall audit all public offices as provided in this chapter.
• Audits all public offices – 5800 entities• 600 of 800 staff are financial auditors• Performs financial audits of state
agencies, boards and commissions
37
38
AOS State Region
• Exclusively audits state agencies• Performs financial audits of state
agencies, boards and commissions• Includes the Information System Audit
group (ISA), which analyzes information systems and performs “SOC 1” audits
38
39
Information Systems Audit Group
• Section of Financial Audit • 3 Groups (North, South, State)• 26 Auditors
Ohio Auditor of State
40
Working together• Meet biannually to discuss audit plans
and to provide update on current audits.• Rely on work completed by OIA.• OIA consults with agencies to remediate
significant audit comments.• OIA uses AOS work for background
information.
41
What Gets Measured Gets Done
• Audit Timelines established and reported on quarterly
• Audit comment status– Committee may request agency to appear
and report on remediation • Number of Audit Comments • Audit Progress and Difficulties
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 20131
5
9
13
17
21
25
29
33
37
41
45
49
53
57
61
65
69
73
77 78 79
62
49
5355
40
44
59
3735
AOS State of Ohio Single Audit Findings Trend
Total FindingsYB Findings
42
2009 2010 2011 2012 20130
2
4
6
8
10
12
14
16
18
20
Trend for IT Comments from State Single Audit
Number of IT Comments
43
44
Benefits
• Increased Accountability• Audits are more timely.• Comments are remediated.• Controls are improved.
45
Benefits• Controls built in to the process instead
of after the fact.• Greater awareness of the importance
of financial reporting and the role of audit.
• Improved cooperation among auditors.
46
Benefits• Improved cooperation between clients
and auditors.• Increased focus on emerging issues.
– ERM– COSO– Cyber Security
47
2 Minute Warning
48
Summary Points• A well-designed audit committee enhances
effective governance • Embracing the ‘3 Lines of Defense’ model
promotes an effective and coordinated focus on continuous internal control improvement
• Transparency and accountability of audit comment remediation leads to more effective and value-added audits
50
Contact InformationJoe Bell, CPA, CIA, CGAP
Chief Audit Executive, State of Ohio
OBM Office of Internal Audit
614.466.1985
http://obm.ohio.gov/InternalAudit/
51
Information Systems Audit
State Region88 East Broad Street
Columbus, Ohio 43215
Maria Jackson, CPA, CISAPresenter Phone: (800) 282-0370
Presenter Fax: (614) 466-4490E-mail: [email protected]