The challenges for the internal auditor
Rodoljub Kajganić, Wiener Osiguranje, Vienna Insurance Group
VIG Internal Audit Group Workshop, November 2015
Agenda
- Introduction
- Successful internal auditor
- Compliance. Case study: how to audit compliance with group policies
- Information system audit. Case study: how to do a project audit
- Fraud. Case study: how to do a fraud investigation
- Observations
- Q&A
Introduction
Presenter biography:
- Experienced insurance/banking internal auditor, information systems auditor, compliance specialist, fraud investigator, AML professional
- Head of Security, Compliance and AML department
- Professional Certificate of Competency in the field of Compliance, ALCO, IFBL: L'Institut, ATTF Luxembourg
- Management Program, IEDC Bled School of Management
- Audit Committee, IT Steering Committee, Outsourcing Committee member; FATCA, ISMS project team member...
- ISACA member
- Enjoys road and mountain biking, traveling, reading, practises Krav Maga
“Success always comes when preparation meets opportunity” Henry Hartman
Introduction - personal mission statement
Change. Adapt. Grow. Learn. Repeat process.
How to become a successful internal auditor?
Successful internal auditor
Triangle of Success (diagram): Skills, Knowledge, Attitudes
Elements named on the triangle: analytic, critical, integrity, confidence, passion, co-operative, commitment; IT audit, compliance, fraud, accounting; communication, teamwork, time management; lifelong learning, regulations, market rules
Internal audit operates within the company strategy, the legal framework and the available audit resources (diagram).
Successful internal auditor
- Value- and risk-based auditing
- Find the balance between control and productivity
- Move from compliance to risk management
- Learn to speak the language of business
Have you got what it takes to be a successful internal auditor?
COMPLIANCE
Compliance - definition
Compliance means adherence to, or conformance with, rules, laws, standards, and policies. It also implies a sense of accountability and an obligation to uphold pertinent codes of conduct. Corporate compliance entails devising a formal internal system of policies, procedures, controls, and actions to detect and prevent violations of laws, regulations, rules, standards, and policies.
Three lines of defence (diagram):
- Board, Risk Management
- Internal Audit (third line of defence): audits legality, propriety, expediency
- Controlling, Actuary: forecasts, plans, measures risk; evaluates the insurance portfolio
- Enterprise Risk Management
- Compliance: manages regulatory obligations
- External Audit
Compliance
- Compliance with laws and regulations; policies and procedures
- Structuring the compliance department: independence, reporting lines
- Compliance program: risk assessment, mitigating risk, monitoring, reporting, training
- Tone at the top and whistle-blowing (hotline)
- Dealing with ethical challenges: compliance with laws/local regulations, non-discrimination, corruption and bribery, data privacy, insider trading, AML, protection of the environment
Compliance
Compliance audit: a compliance audit deals with the degree to which the audited entity follows rules, laws and regulations, policies, established codes and standards.
Potential threats:
- Legal impact: regulatory or legal action brought against the organization or its employees that could result in fines, penalties, litigation...
- Financial impact: negative impact on share price, potential future earnings, or loss of investor confidence.
- Reputational impact: damage to the organization's reputation or brand (bad press or social media discussion, loss of customer trust, decreased employee morale).
To succeed you must know what success looks like; to succeed you must measure success; to succeed you must verify your measures.
Compliance - case study issue
How to audit compliance with group policies
- Applicable for all types of audits
- Risk-based approach
Compliance - case study analysis
The up-to-date version of all Group guidelines is available in the VIG Intranet:https://intranet.vig.com/en/infos-guidelines/guidelines.html
Upon request the guidelines can be provided in paper form or via email.
Contact: Sabine Stiller (sabine.stiller@vig.com)
Compliance - case study analysis
- Prepare an audit plan
- Make a compliance risk assessment
- Collect evidence using interviews, questionnaires and review of documents
- Obtain copies of departmental procedures for each area you intend to audit
- Cross-reference internal procedures with group regulations
- Verify compliance with local regulations, best practice and relevant standards
- Check reports from regulators, inspections and the external auditor
Compliance - case study analysis
- Possibilities for improving efficiency and effectiveness in the implementation of regulations
- The effectiveness of internal controls
- Is there a system for monitoring new regulations?
- Is information communicated on a timely basis within the organisation?
- Deviations from Group guidelines need a reasonable legal ground
- If activities are outsourced, how are compliance and performance monitored?
- Consider materiality for reporting purposes (amount of potential fines)
The final goal is to determine whether the internal procedures are compliant and properly implemented in the processes.
INFORMATION SYSTEM AUDIT
Information system audit - definition
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.
Information system audit
Types of information system audit:
- General control examination or facility audit
- Application audit
- System development audit
- Technical or special-topic audit
Information system audit - goals
- Compliance with legal and regulatory requirements
- Confidentiality
- Integrity
- Reliability
- Availability
Information system audit - IT risk
IT risk: the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
- Governance: responsibility and accountability for risk; risk appetite and tolerance; awareness and communication; risk culture
- Risk evaluation: risk scenarios; business impact descriptions
- Risk response: key risk indicators (KRIs); risk response definition and prioritisation
Information system audit - internal controls
Controls classified by function: preventive, detective, deterrent, corrective, compensating, recovery
Controls classified by implementation: manual, automatic
Controls classified by type: administrative, technical, physical
Information system audit - audit procedures
- Understanding of the audit area
- Risk assessment / audit plan
- Evaluating the audit area
- Verifying and evaluating controls
- Compliance testing / substantive testing
- Reporting / follow-up
IS audit - resources
- Auditing security checklist (attached Microsoft Excel worksheet)
- Auditing systems development (attached Adobe Acrobat document)
IS audit - case study issue
How to do a project audit
- Projects related to the information system
- Purchase or own development
- New service or new products
IS audit - case study analysis
Audit project areas: integration; scope, time and cost; quality, procurement; risk management; human resources, communication
Project risk: the project may
- never be delivered, or be delivered late
- exceed budget
- not deliver the required functionality
- contain errors, fail frequently
- be unfriendly, difficult and costly to operate
IS audit - case study analysis
Success criterion                  Relative importance
User involvement                   19%
Executive management support       16%
Clear statement of requirements    15%
Proper planning                    11%
Realistic expectations             10%
Smaller project milestones          9%
Competent staff                     8%
Ownership                           6%
Clear visions and objectives        3%
Hardworking, focused staff          3%
Total                             100%
IS audit - case study analysis
Audit plan: identify the audit scope, determine audit objectives, gather basic information about the project, determine materiality, assess risk, and evaluate internal controls.
Check: IT strategies, plans and budgets; feasibility study, requirements, RFP; security policy; organization charts, job descriptions; steering committee reports; program change procedures; operations procedures, quality assurance procedures
IS audit - case study analysis
Feasibility study
- Well documented and clear?
- Have the departments' recommendations been included?
- Has the feasibility analysis report been submitted to the management steering committee for action?
User requirement analysis (efficiency/effectiveness)
- Have the user executives approved the requirements?
- Is the new system compatible with other applications/systems?
- Can the new system recover after failure?
- Do user requirements include security, controls and privacy measures?
- Is there clear segregation of duties among those who build, test and operate the system?
IS audit - case study analysis
Purchased software
- Are there vendor evaluation criteria / selection procedures?
- Contract: remedy, backup and recovery controls, user manuals, audit trail
- Does the contract specify how the user will request changes to the software?
- Can the organisation terminate the contract at any time?
- Does the vendor have a high probability of remaining in business for the duration of the contract?
- Is the level of internal controls satisfactory?
- Has all data been transferred to the new system in a controlled manner?
The optimal way to ensure a successful IT project is to do an effective analysis of the risks associated with that particular project and develop a plan to manage the identified and substantial risks.
IT risks are managed, IT delivers value to the business.
IS audit - case study analysis
Post-implementation phase
- Review of the project's success
- Financial review of the feasibility study vs. results
- Lessons learned and improvements for the future
FRAUD
Fraud - definition
Fraud is generally defined in law as an intentional misrepresentation of a material existing fact made by one person to another with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage.
Which is the bigger risk? External attacker vs. employee fraud
Fraud - statistics
Fraud - cyber attacks
Fraud - general red flags
- Often first in and last out of the office
- Lots of unused holiday
- Changes in lifestyle: spending, socializing, marital status
- Resigned, working out redundancy
- Passed over for promotion or pay review
- Pending HR disciplinary action
Fraud - resources
- Red flags of insurance fraud (attached Microsoft Word 97-2003 document)
Fraud - anti-fraud framework
An anti-fraud policy is most effective when applied with a clear methodology and implementation plan, as opposed to random reviews which rely primarily on the chance discovery of fraud or wrongdoing.
An anti-fraud policy proactively looks for fraud (rather than focussing on specific known types or incidents).
Anti-fraud policy: roles and responsibilities; fraud risk assessment; prevention, detection, investigation
Fraud - case study issue
How to do a fraud investigation
- Fraud risk assessments
- Checking transaction accounts of employees
- Investigation
Fraud - internal controls
Do we have internal controls? Are they sufficient and effective?
Fraud - case study analysis
- Risk-based audit: follow the money
- Appoint a fraud protection officer
- Regular fraud risk assessments
- Enforce separation of duties
- Four-eyes controls, use red flags, black list
- Automatic preventive controls in the information system
Fraud - case study analysis
- Perform background checks
- Institute a policy of job rotation and a mandatory vacation policy
- Have employees bonded with the proper insurance policies
- Create annual financial disclosure policies for the people in the organizational process
- Separate the authorization of transactions from their recording
- Require multiple signatures (formal signatures!)
- Define the trust levels with the appropriate checks
- Whistle-blowing: make sure you hear the bad news first
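The fraud case study asks the auditor to check employees' transaction accounts, enforce separation of duties, apply four-eyes controls and a black list, and follow the money. The following script is an added example, not code from the slides or from VIG: it runs those checks as automated audit tests over a constructed payment ledger. The ledger rows, the employee-linked accounts, the black list and the four-eyes threshold of 10,000 are all assumed sample data; the "structuring" test (several sub-threshold payments from one preparer to one payee that together cross the four-eyes threshold) goes beyond the slides and is a common follow-the-money extension of the four-eyes check.

```python
"""Automated audit tests for fraud red flags in a payment ledger.

Added example, not from the original slides. The ledger rows, employee
accounts, black list and threshold below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: one row per payment instruction.
SAMPLE_LEDGER = [
    {"id": "T1", "created_by": "alice", "approved_by": "bob", "second_approver": None,
     "amount": 4000, "payee_account": "BA39-CLAIM-001", "type": "claim", "ts": "2015-11-02T09:10:00"},
    # Separation-of-duties breach: alice both records and approves.
    {"id": "T2", "created_by": "alice", "approved_by": "alice", "second_approver": None,
     "amount": 2500, "payee_account": "BA39-CLAIM-002", "type": "claim", "ts": "2015-11-02T10:30:00"},
    # Four-eyes breach: above threshold with no second approver.
    {"id": "T3", "created_by": "carol", "approved_by": "bob", "second_approver": None,
     "amount": 12000, "payee_account": "BA39-VEND-010", "type": "vendor", "ts": "2015-11-03T11:00:00"},
    # A "claim" paid to an employee's private account.
    {"id": "T4", "created_by": "dave", "approved_by": "bob", "second_approver": None,
     "amount": 900, "payee_account": "BA39-EMP-DAVE", "type": "claim", "ts": "2015-11-03T12:00:00"},
    # Black-listed payee, correctly double-approved but still a hit.
    {"id": "T5", "created_by": "carol", "approved_by": "bob", "second_approver": "erin",
     "amount": 15000, "payee_account": "BA39-BLK-777", "type": "vendor", "ts": "2015-11-04T09:00:00"},
    # Structuring: three payments just under the threshold, same preparer and payee, same day.
    {"id": "T6", "created_by": "dave", "approved_by": "bob", "second_approver": None,
     "amount": 9800, "payee_account": "BA39-VEND-020", "type": "vendor", "ts": "2015-11-05T09:00:00"},
    {"id": "T7", "created_by": "dave", "approved_by": "bob", "second_approver": None,
     "amount": 9900, "payee_account": "BA39-VEND-020", "type": "vendor", "ts": "2015-11-05T09:40:00"},
    {"id": "T8", "created_by": "dave", "approved_by": "bob", "second_approver": None,
     "amount": 9700, "payee_account": "BA39-VEND-020", "type": "vendor", "ts": "2015-11-05T10:15:00"},
]

# Constructed reference data: accounts linked to employees (from HR/payroll
# records) and the black list of payees.
EMPLOYEE_ACCOUNTS = {"BA39-EMP-ALICE", "BA39-EMP-DAVE"}
BLACKLIST = {"BA39-BLK-777"}
FOUR_EYES_THRESHOLD = 10000  # assumed policy value: second approver mandatory from here


def screen_ledger(ledger, employee_accounts, blacklist, threshold,
                  window=timedelta(hours=24), structuring_min=3):
    """Return {transaction_id: [rule names]} for every row that trips a red flag."""
    findings = defaultdict(list)
    by_creator_payee = defaultdict(list)

    for row in ledger:
        # Separation of duties: the person recording must not be the approver.
        if row["created_by"] == row["approved_by"]:
            findings[row["id"]].append("sod_same_creator_and_approver")
        # Four-eyes: large amounts need a second, different approver.
        if row["amount"] >= threshold and row["second_approver"] in (None, row["approved_by"]):
            findings[row["id"]].append("four_eyes_missing")
        # Follow the money: payments to employee-linked accounts outside payroll.
        if row["payee_account"] in employee_accounts and row["type"] != "payroll":
            findings[row["id"]].append("payee_is_employee_account")
        # Black list check on the payee.
        if row["payee_account"] in blacklist:
            findings[row["id"]].append("payee_blacklisted")
        # Candidates for structuring: sub-threshold rows grouped by preparer and payee.
        if row["amount"] < threshold:
            by_creator_payee[(row["created_by"], row["payee_account"])].append(row)

    # Structuring: several sub-threshold payments by one preparer to one payee
    # inside the window whose total crosses the four-eyes threshold.
    for rows in by_creator_payee.values():
        rows.sort(key=lambda r: r["ts"])
        for i in range(len(rows)):
            start = datetime.fromisoformat(rows[i]["ts"])
            group = [r for r in rows[i:] if datetime.fromisoformat(r["ts"]) - start <= window]
            if len(group) >= structuring_min and sum(r["amount"] for r in group) >= threshold:
                for r in group:
                    if "structuring_under_threshold" not in findings[r["id"]]:
                        findings[r["id"]].append("structuring_under_threshold")
                break
    return dict(findings)


def run_sample():
    """Screen the constructed ledger with the constructed reference data."""
    return screen_ledger(SAMPLE_LEDGER, EMPLOYEE_ACCOUNTS, BLACKLIST, FOUR_EYES_THRESHOLD)


if __name__ == "__main__":
    for tid, rules in sorted(run_sample().items()):
        print(tid, ", ".join(rules))
```

Each finding is a lead for the investigation step, not proof of fraud: T5 passed the four-eyes control and still hits the black list, and T6 to T8 are individually compliant, which is exactly why the auditor tests the pattern and not only the single transaction. In a real engagement the ledger, the employee account list and the black list come from the core system, HR and compliance respectively, and the threshold from the signature policy.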
Observations
- Work on attitude, knowledge and skills. Change, adapt, grow, learn, repeat process.
- Consider whether IT risks are managed and IT delivers value to the business. Analyze project risks; ensure you have a plan to manage the identified and significant risks.
- Ensure you have an anti-fraud policy, a fraud protection officer and fraud risk assessments; follow the money.
- Determine whether the internal procedures are compliant and properly implemented in the processes.
QUESTIONS & ANSWERS
rkajganic@wiener.ba
+387 (0)65 422 242
https://ba.linkedin.com/in/rodoljubkajganic
Thank you for your attention