Auditoria Mito o Realidad

7/28/2019 Auditoria Mito o Realidad

1/29

Shirley Jeeban

Acting Head of Internal Audit, Musanada

5th April 2011


2/29

Tradition:

Crisis:

Internal Audit and Risk:


3/29

Brief History of Internal Auditing

What is Risk Based Internal Auditing?

Risk Based Internal Auditing Advantages .....and potential difficulties

The 10 Deadly Sins of Risk Based Auditing

Summary

Today ..


4/29

Necessity created internal auditing and is making it anintegral part of modern business. No large business can

escape it. If they havent got it now, they will have tohave it sooner or later, and, if events keep developing asthey do at present, they will have to have it sooner.

Arthur E. Hald 1944

Internal Auditing Brief History


5/29

Internal Auditing a developing discipline

Early 20th century protection from theft and later

broader financial transactions;


6/29

USA 1957 Statement of Responsibilities of Internal Audit

Reviewing and appraising the soundness, adequacy, and application ofaccounting, financial, and operating controls.

Ascertaining the extent ofcompliancewith established policies, plansand procedures.

Ascertaining the extent to which company assets are accounted for, andsafeguarded from losses of all kinds.

Ascertaining the reliability of accounting and other data developedwithin the organization.

Appraising the quality of performancein carrying out assignedresponsibilities.



7/29

1978 IIA US Standards:

Internal auditing is an independent appraisal activity. It is acontrolwhich functions byexamining and evaluating the adequacyand effectiveness of other controls. The objective of internal auditing isto assist members of the organization in the effective discharge of their

responsibilities. The audit objective includespromoting effective controlat reasonable cost.

Developing Risk Thinking

COSO 1992: linked traditional internal controls to protecting against risks;

2000-02: Corporate Governance guidance explicitly talked ofManagements Responsibilities in respect of risk management and internalcontrol And in relation to all aspects of an entitys business



8/29

2004: The modern worldwide definition:

Internal Auditing is an independent, objective assurance and consultingactivitydesignedto add value and improve an organization's operations. Ithelps an organizationaccomplish its objectives by bringing a systematic,disciplined approach to evaluate and improve the effectiveness of risk

management, control, and governance processes.

IIA UK:

The role of internal audit is to provide independent assurance that an

organization's risk management, governance and internal controlprocesses are operating effectively. Internal auditors dealwith issuesthat are fundamentally important to the survival and prosperity ofany organization. They look beyond financial risks and statements toconsider wider issues such as the organization's reputation, growth,its impact on the environment and the way it treats its employees .



9/29

David Griffiths (UK) 2006:

The main aim of internal auditing is to help the organization achieve its

objectives

Arisk is a set of circumstances that hinder the achievement of objectives.

An internal control is a process which manages the risks.

Risk Based Internal Auditing Definition


10/29

Risk based internal auditing is an audit approach designedto provide assurance that the business is appropriatelymitigatingSIGNIFICANT risks to the achievement ofobjectives

ControlsRisks

Objectives

Risk Based Internal Auditing Definition


11/29

Risk Based Internal Auditing Advantages

ExternalEnvironment

Strategy

Operations

Policies &Procedures


12/29

POLICEMAN OBJECTIVE BUSINESS PARTNER



13/29

The potential for Internal Auditing to become amore attractive profession than we have beentraditionally.

Attracting the best people.



14/29

When I grow up Iwant to be anInternal Auditor



15/29

RiskbasedAudit

ReducedCost

TargetedResources



16/29

My business does not have Enterprise Risk Management (ERM) yet?- consult

- management input

- share outputs

What about compliance checks?- focussed

- as long as policies/procedures address objectives / risks

Audits perceived as important by management may disappear

- Education

Closer working relationship with management may compromiseindependence

- Boundaries

- Education

Potential Difficulties


17/29

The 10 Deadly Sins of Risk

Based Internal Audit


18/29

Audit Plan - Still auditing low risk areas;

Coverage of the whole business;

Spending time on minor risks within an audit area;

Auditing all the controls, not just key controls to key

risks;

(1) We want to do Risk Based Audit but

were scared


19/29

Overcomplicated low level Risk Assessments;

Risk Registers develop a life of their own multiplyingand mutating;

Success judged by number of risks rather than effectiveidentification ofkeyrisks and emerging risks

(2) Death By Risk


20/29

(3) Risk to what?

We forget:

Controls

Risks

Objectives


21/29

External Audit looks backwards, Internal Auditshould look forwards;

Internal audit only looks to the past to inform thefuture;

Looking at risks to the achievement of objectives

naturally gives a future focus, but it can be wasted;

(4) Looking Backwards not Forwards


22/29

New skill sets required;

Real business / strategic understanding;

Understanding of risk and assurance;

Logical thinking, not checklists;

Asking so what? in all that we do and allthat we find;

Ability to focus on whats important, and thecourage to leave whats not.

(5) Forgetting to train our auditors


23/29

(6) The controls checklist is still king


24/29

RISK: CONTROL: TEST PLAN: RESULT: RECOMMENDATION:

No succession plan inplace

Succession Plan Obtain successionplans for xxxx

No succession plans Put succession plan inplace.

SAMPLE RISK REGISTER EXTRACT AND AUDIT TESTING:

OBJECTIVE: RISK: CONTROL: TEST PLAN: RESULT: RECOMMENDATION

Businesscontinuity

Staff in keypositions are

absent / leave thebusiness

(1) Appropriatenotice

periods forkey staff;(2) Short and

long termsuccessionplans in place

(1) Obtain list ofkey staff /

positions(2) Check notice(3) Review

adequacy ofcontingencyplans

Notice periods ok,short term

contingency ok,lack of longer termplanning

Introducesuccession

planning acrossthe business linkedinto careerdevelopmentplans. This shouldinclude a one tofive year timeperiod.

MORE APPROPRIATE:

(7) Mixing up objectives, risks and controls

r

a


25/29

We may know weve changed . But the business wontknow unless we tell them.

(8) Forgetting to educate the business


26/29

Controls are only relevant when linked to a risk;

A risk is only a risk when linked to an objective;

Management want to know what our findings mean tothe business;

(9) Reporting on controls not risks

ControlsRisks

Objectives


27/29

Risk Registers remain in InternalAudit.

Wasted opportunities to discuss

risk with management.

(10) Keeping the benefits to ourselves

Audit Management


28/29

Many businesses have made moves towards risk based

Internal Audit; Business wide focus.

BUT:

Unless we eliminate the 10 Deadly Sins, we will notrealize the full benefits;

Internal Auditors need to think OBJECTIVE RISK CONTROL in everything they do;

Risk based thinking throughout the audit process isessential;

Risk based auditing must not be just a buzzword.

CONCLUSIONS


29/29

Thank You!

Documents

Auditoria Mito o Realidad