Embed Size (px)
Citation preview
AUDIT COMMUNICATIONS ACUIA SEPTEMBER 23 2016
1
INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING**
• Standards and Implementation Guidance (Practice Advisories)
• ST 2400 Communicating Results
• PA 2400-1 Legal Considerations
• ST 2410 Criteria
• PA 2410-1 Criteria
• ST 2410.A1 Audit Opinion/Conclusions
• ST 2410.A2 Satisfactory Performance
• ** Assurance standards
2
STANDARDS AND PA’S
• ST 2410.A3 3rd Parties
• ST 2420 Quality
• PA 2420-1 Quality
• ST 2421 Errors and Omissions
• ST 2430 Conformance with Standards
• ST 2431 Non-conformance
• ST 2440 Dissemination
• PA 2440-1 Dissemination 3
STANDARDS AND PA’S
• PA 2440-1 Sensitive Information
• ST 2440.A1 Due Consideration
• ST 2440.A2 3rd Parties
• PA 2440.A2-1 3rd Parties
• ST 2450 Overall Opinion
• www.theiia.org
4
GLOSSARY
• Assurance – objective assessment of evidence; nature and scope determined by internal auditor
• Consulting – advisory services performed at the request of management
• Engagement – specific internal auditor assignment, task, or review activity
• CAE – Chief Audit Executive
5
COMMUNICATE RESULTS
• ST 2400 Internal Auditors MUST communicate the results of audits
• ST 2410 Reports MUST include the audit objectives, scope and applicable conclusions, recommendations and action plans
6
AUDIT REPORT FORMAT
• Objectives
• Scope
• Conclusions
• Recommendations
• Action Plans
7
TEMPLATE • Number:
• Date:
• To:
• From:
• Subject:
• AUDIT OBJECTIVE:
• SCOPE:
• CONCLUSION:
• RECOMMENDATIONS:
• ACTION PLAN: 8
PA 2410-1
Audit reports might include
• Background information
• Summaries
• Status of recommendations from prior reports
• Scheduled audit or unplanned audit
• Client accomplishments
9
OBJECTIVE AND SCOPE
• AR# 2016-32
• Date: September 23 2016
• To: John Doe, VP Finance
• From: Pat Richey, Director Internal Audit
• Subject: Home Equity Loans
• AUDIT OBJECTIVE: To determine that home equity loans comply with the credit union’s Lending Policy and procedures
• SCOPE: Internal Audit reviewed a random sample of 25 home equity loans closed in the 2nd quarter of 2016
10
OBSERVATIONS
• OBSERVATIONS:
Appraisals: 4 of the 25 loans reviewed……………..
Incomplete Loan Files: Documents were missing in 3 of the 25
loan files reviewed
• CONCLUSION:
• RECOMMENDATIONS:
• ACTION PLANS: 11
OBSERVATIONS
• OBSERVATION #1 Appraisals
• CRITERIA: The way it should be
• CONDITION: The way it is
• CAUSE: The reason for the difference between the way it should be and the way it is
• EFFECT: The “so what”, “why should I care”
12
CONCLUSIONS
• AUDIT OBJECTIVE: To determine that home equity loans comply with the credit union’s Lending Policy and procedures
• OBSERVATIONS: Overall, home equity loans comply with the credit union’s Lending Policy and procedures. However, Internal Audit noted the following issues:
Appraisals:
Incomplete Loan Files:
13
RECOMMENDATIONS
• OBSERVATIONS:
Appraisals: Blah, blah, blah,…… Internal Audit recommends xxxxx
Incomplete Loan Files: Blah, blah, blah……….. Internal Audit
recommends yyyy
• RECOMMENDATIONS
1. xxxxxxxxx
2. yyyyyyyy 14
CLIENT’S VIEWS
• Due Date for Management Response: 9/30/2016
• Management Response:
1. Agree
2. Agree
• Implementation Date: 10/31/2016
15
MANAGEMENT RESPONSE
• Agreement on the audit results
• Agreement on the plan of action
• Disagreement on the audit results
• Disagreement on the plan of action
• Management’s comments may be included as appendix, in body of report, or in cover letter
16
SENSITIVE INFORMATION
• Privileged, proprietary, or improper/illegal acts
• Disclose in a separate report
• If the conditions involve senior management, report to the Board
17
INTERIM REPORTS
• Written or oral; formal or informal
• When issues need immediate attention
• Keep management informed of progress
• Preliminary Drafts
• Final Reports
18
SIGNED REPORTS
• A signed report is issued after audit completion
– the internal auditor’s name is manually or
electronically signed in the report or cover letter
- if reports are distributed electronically, a signed version
is kept on file by internal audit
19
ST 2410.A1 OPINION OR CONCLUSION
• Final reports MUST contain the internal auditor’s opinion or conclusion
• The opinion/conclusion MUST take into account the expectations of senior management, the board and other stakeholders
• The opinion/conclusion MUST be supported by sufficient, reliable, relevant and useful information
20
RATINGS
• Audit opinions may be ratings, conclusions or other description of the results
• 17-page Practice Guide “Formulating and Expressing Internal Audit Opinions”
21
ST 2410.A2 SATISFACTORY PERFORMANCE
• Internal Auditors are ENCOURAGED to acknowledge satisfactory performance in audit reports
22
ST 2410.A3 OUTSIDE PARTIES
• When releasing audit results to 3rd parties, the communication must include limitations on distribution and use of the results
23
ST 2420 QUALITY
• Accurate
• Objective
• Clear
• Concise
• Constructive
• Complete
• Timely 24
INTERPRETATION AND PA 2420-1 ACCURACY
• Care and precision
- gathering data
- evaluating evidence
- summarizing
• Free from errors and distortions
• Faithful to underlying facts
25
OBJECTIVE
• Standards 1100, 1120, 1130 are related to the objectivity of the internal auditor (attribute standards)
• Fair, impartial, unbiased, fair-minded, balanced
• Without prejudice or partisanship
• Exclude personal interests
• Avoid undue influence of others
26
CLEAR
• Easily understood
• Logical
• No jargon, technical language
• Significant and relevant information in context
27
CONCISE
• To the point
• Avoid elaboration, superfluous detail, redundancy, wordiness
• Make each sentence meaningful and succinct
28
CONSTRUCTIVE
• Content and tone
• Focus on the credit union’s objectives
• Leads to improvement
• Useful, helpful
• Positive
• Well-meaning
• Consistent with the credit union’s style and culture 29
COMPLETE
• All essential, significant and relevant information to support conclusions
30
TIMELY
• Avoid undue delay
• Opportune, expedient
• Depends on significance of the issues
31
ST 2421 ERRORS AND OMISSIONS
• If final audit report contains a significant error or omission the CAE MUST communicate corrected information to all parties who received the original audit report
32
ST 2430 CONDUCTED IN CONFORMANCE
• Internal auditors may report that their audits are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing” only if the results of the Quality Assurance and Improvement Program support that statement
33
ST 2431 NON-CONFORMANCE
When non-conformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific audit, audit reports MUST disclose
- the principle or rule of conduct of the Code of Ethics or Standards with
which full conformance is not achieved
- reasons for non-conformance
- impact of non-conformance on the audit and the audit report
34
ST 2440 DISSEMINATING RESULTS
• The CAE MUST communicate results to appropriate parties
35
REPORT ISSUANCE
• The CAE reviews and approves the final audit report before issuance
• The CAE decides to whom and how the audit report will be disseminated
• The CAE can delegate these responsibilities, but retains overall responsibility
36
PA 2440-1 WHO
• Discuss conclusions and recommendations with appropriate levels of management BEFORE the CAE issues the final report
• Appropriate level varies by credit union and nature of audit report
• Individuals who are knowledgeable of detailed operations
• Those who can authorize the implementation of corrective action
37
HOW
• During the course of the audit
• Post-audit exit meetings
• Preliminary draft report
- Avoid misunderstandings or misinterpretations of fact
- Opportunity for management to clarify issues and
express views
38
ST 2440.A1 DUE CONSIDERATION
• The CAE is responsible for communicating final audit results to parties who can ensure that the results are given due consideration
39
FINAL AUDIT REPORT
• Distribute to management of the audited area
• Distribute to those who can take corrective action or ensure corrective action is taken
• Can send summary report to higher-level persons
• When required by the internal audit charter or credit union policy, communicate to other interested or affected parties such as external auditors and the board of directors
40
ST 2440.A2 OUTSIDE COMMUNICATIONS
• Prior to releasing results to parties outside the credit union, the CAE MUST
- assess the potential risk to the credit union
- consult with senior management and/or legal counsel
- restrict the use of the audit results
41
CREDIT UNION POLICY
• Authorization required for reporting information outside the credit union
• Process for seeking approval
• Guidelines for permissible and non-permissible information that may be reported
• Outside persons authorized to receive information and the types of information they may receive
• Related privacy regulations, regulatory requirements and legal considerations
42
REQUEST FOR INTERNAL AUDIT REPORT
• Internal auditor needs to determine whether it is suitable for dissemination outside the credit union
• May be possible to create a special-purpose report to make the report suitable for dissemination
43
WRITTEN AGREEMENT
• With intended recipient concerning the information to be reported
• Internal auditor’s responsibilities
• Copyright issues
• Intended use of information
• Limitations on further distribution or sharing
44
ST 2450 OVERALL OPINIONS
• An overall opinion – a conclusion addressing, at a broad level, the governance, risk management and/or control processes of the credit union
• Professional judgement of the CAE based on the results of a number of individual audits for a specific time interval
• When an overall opinion is issued, it must take into account the expectations of senior management, the board, and other stakeholders
• The opinion must be supported by sufficient, reliable, relevant and useful information
45
OVERALL OPINION
• The report will identify
- the scope, including the time period to which the opinion pertains
- scope limitations
- considerations of all related projects including the reliance on other
assurance providers
- the risk or control framework or other criteria used as a basis for the overall
opinion
- overall opinion, judgement or conclusion reached
- reasons for an unfavorable overall opinion 46
PA 2440-2 SENSITIVE INFORMATION
• Critically sensitive information that is substantial to the credit union
• Poses significant material consequences
• Exposures, threats, uncertainties, fraud, waste, mismanagement, illegal activities, abuse of power, misconduct or other wrongdoings
• Adversely impacts the credit union’s reputation, image, competitiveness, success, viability, investments, earnings
47
NORMAL CHAIN OF COMMUNICATIONS
• ST 2060 The CAE reports periodically to senior management and the board of directors on internal audit activity
48
UNACCEPTABLE RISK
• ST 2600 –when management accepts a level of risk that may be unacceptable to the credit union, the CAE MUST communicate the matter to the Board
49
LAWS AND REGULATIONS
• Typical chain of communication scenario may be accelerated for certain types of sensitive issues because of laws and regulations
• Some laws pertaining to whistleblowing actions protect citizens if they come forward
• Be aware of the laws and regulations of various jurisdictions in which the credit union operates
50
WHISTLEBLOWING
• Communicating information to persons outside the normal chain, or even outside the credit union
• Does the CAE trust the credit union’s policies and mechanisms to investigate allegations of illegal or other improper activity and to take appropriate action?
• Does the CAE fear retribution?
• Does the CAE have evidence about an illegal or improper activity that jeopardizes the health, safety or well-being of people in the credit union or the community?
51
WHISTLEBLOWING
• Evaluate alternative ways of communicating the risk the CAE sees to persons outside the normal chain
• Proceed with caution
• Examine the pros and cons of each potential action
• Legal counsel can assist internal auditors
52
IIA’S CODE OF ETHICS
• Internal auditors do not disclose information without appropriate authority unless there is a legal or professional obligation to do so
• Internal auditors shall uphold the law and make disclosures expected by the law and the profession
• Internal auditors shall respect and contribute to the legitimate and ethical objectives of the credit union
53
PROFESSIONAL DUTY
• Carefully evaluate all evidence and reasonableness of conclusions
• Decide whether further actions are needed to protect the credit union’s interests
• Discussions with experts may provide a different perspective, and opinions about potential impact
• The manner used to resolve situation may create reprisals and liability
54
PA 2400-1 LEGAL CONSIDERATIONS
• ATTORNEY-CLIENT PRIVILEGE
• Consult legal counsel in matters involving legal issues
• Requirements vary significantly in different jurisdictions
55
NON-COMPLIANCE
• Exercise caution when communicating noncompliance with laws, regulations and other legal issues
• Develop policies and procedures regarding the handling of those matters
• Have a close working relationship with legal counsel and compliance areas
56
DISCOVERABLE EVIDENCE
• Internal auditor’s need to prepare audit records VS legal counsel’s desire to not leave discoverable evidence that could harm the credit union in legal matters
• Do internal audit’s facts and analyses negatively impact the credit union from a legal perspective?
• Proper planning and policy making so that internal audit and legal counsel are not at odds with one another
• Foster an ethical and preventative perspective throughout the credit union
• Sensitize and educate management about the established policies
57
ATTORNEY-CLIENT PRIVILEGE
• Legal system that protects information and work performed for, or communicated to an engaged attorney
• Some courts have recognized a privilege of critical self-analysis that shields materials like audit work papers from discovery
• Does confidentiality of self-analysis outweigh the public interest?
58
2014 IIA GENERAL AUDIT MANAGEMENT CONFERENCE
• Go to legal counsel BEFORE beginning an audit, if the auditor is concerned there might be issues uncovered
• The attorney can issue a letter of privilege and the audit work products are protected
• Review the annual audit plan with counsel to determine in advance if any audits needs this protection
59
