9/21/2017
Is it Relevant? Alignment of Mission, Universe, and Reporting in Higher Education
Michael C. Bowers
Associate Director, Information Technology and Campus Audit Services
Massachusetts Institute of Technology
ACUA Annual Conference, Phoenix, Arizona
Tuesday 3:10 to 4:50 (100 minutes til’ the day is done!)
Is it Relevant? Alignment of Mission, Universe and Reporting in Higher Education
Through a case study of MIT’s Audit Universe, this session will explore how the alignment of culture to audit standards can facilitate relevant reporting that is in agreement with the culture, spirit and goals of the Institute.
After this session, participants will be able to:
❂ Build an audit universe that facilitates the conduct of credible engagements.
❂ Integrate enterprise (risk) frameworks with audit risk frameworks.
❂ Align reporting with the expectations of stakeholders.
What do you want from today?
An intro to MIT: which of these statements is untrue?
1. A “Smoot” is an acceptable unit of length for bridge measurement of approximately 5’ 7” each
2. Tony Stark (and Iron Man is real) was able to receive a bachelor’s degree from MIT “summa cum laude”, as rumored
3. MIT admits its class each year on Pi Day at “Tau Time” … March 14 @ 6:28 PM
I like pie!
The mission of MIT is to advance knowledge and educate students in science, technology, and other areas of scholarship that will best serve the nation and the world in the 21st century.
The Institute is committed to generating, disseminating, and preserving knowledge, and to working with others to bring this knowledge to bear on the world’s great challenges. MIT is dedicated to providing its students with an education that combines rigorous academic study and the excitement of discovery with the support and intellectual stimulation of a diverse campus community. We seek to develop in each member of the MIT community the ability and passion to work wisely, creatively, and effectively for the betterment of humankind.
Mens et manus
Mind and Hand
MIT by some of the Numbers
$1.5B Research Expenditures (44%)
12,109 employees, 1,036 Faculty, 11,379 students (6,852 graduate / 60%)
Worldwide affiliations and operations
30% Int’l Students
168 acres in Cambridge include 100 public art works, a book press, and a nuclear reactor
87 Nobel Laureates (current and former community members)
$3.3B Operating Expenditures
$14.8B Endowment
A disseminated control environment with …
MIT Audit Division: Who we are and how we are organized
The Audit Division is responsible for delivering audit services Institute-wide through a risk-based program of audit coverage, including compliance assessments and financial, operational, and information technology reviews and audits. In addition, the Audit Division provides the Risk and Audit Committee with counsel and information regarding activities reviewed to assist them in fulfilling their responsibilities.
17 People
20 Professional Certifications
6 Advanced Degrees
Diverse Undergraduate & Professional Profiles
[Organization chart: Executive Vice President & Treasurer; Risk & Audit Committee; Institute Auditor; Lincoln Laboratory Audit Services; Campus Audit Services. Line types: Administrative, Functional]
Stakeholder Perception
As part of a Quality Assurance Review, an independent third party conducted interviews of stakeholders across the Institute to gain an understanding of how they see or perceive the Audit Division.
These are their comments
Campus Audit Services is committed to improve on this base of excellence
Note: The relative size of the words correlates to their occurrence/use by interviewees.
Relevance: The quality or state of being closely connected or appropriate.
Setting the Case
“Internal Audit must be engaged, better prepared and more informed about the resources used and the reasonable needs of its stakeholders”
- Anton Van Wyk, IIA Global Chairman (Internal Auditor, November 2014)
[Charts: Expectation vs. Performance as rated by CAE, Senior Management and Board Member (axis 30% to 80%). Panels: “Identifying thematic issues the organization is facing” and “Promoting quality improvement and innovation”]
Source: 2014 State of the Internal Audit Profession study, PwC
PwC 2017 State of Internal Audit: Staying the Course toward True North
“Despite strong ambition from CAEs to grow their value to the organization, PwC’s 2017 State of the Internal Audit Profession study shows Internal Audit is losing ground in trying to keep pace with stakeholder expectations. In the five years we’ve been tracking this sentiment, 2017 represented the LOWEST stakeholder perception of Internal Audit value.
Stakeholders, however, remain committed to wanting Internal Audit to play a greater and more value-added role. While few (7%) consider IA to be a trusted advisor today, nearly half (48%) want Internal Audit to be a trusted advisor to the business within the next five years.”
Internal Audit Value
“The internal audit function’s position within a company is unique. It provides its principal stakeholders (audit committee members and management) valuable and objective assurance on governance, risk management and control processes, as well as consulting services to improve operations.”
- Knowledge Leader (Protiviti), Internal Audit’s Performance – Raising the Bar, March 2014 Insight
Institute of Internal Auditors Value Proposition
• Catalyst • Analyses • Assessments
Assurance: • Governance • Risk • Control
Objectivity: • Integrity • Accountability • Independence
Universe: Build an audit universe that facilitates the conduct of credible engagements.
Audit Plan Equation
Audit Plan =
Universe / Resources
Time1
Audit Universe
External Threats
Institute Risks
Limited Structure Initiatives
Auditable Processes (Entity)
The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, subsidiaries, alliances, and processes) that are considered “auditable” by internal audit teams.
- COSO.org “Kiko’s World”
• For MIT’s purposes, we may identify the context of our universe as:
◦ Areas that represent mature, auditable processes
◦ Excludes areas or engagements considered to be advisory
◦ Generally focuses on operations risk rather than strategic risks
◦ Does not limit the scope of the Audit Division, but rather defines processes that can be effectively audited
Design Core of the Audit Universe
Community
Research
Academics
“Advance Knowledge”
“Educate Students”
“Serve the Nation and the World”
Design Core of the Audit Universe
Support
Faculty
Students
“Advance Knowledge”
“Educate Students”
“Serve the Nation and the World”
Design Core of the Audit Universe
Gifts & Other
Sponsored Research
Tuition
“Advance Knowledge”
“Educate Students”
“Serve the Nation and the World”
Audit Universe: Current Construct
Conceptual Design of Universe
• Based on the processes established by management in support of Institute mission
◦ L1 - Functions represent the mission activities of the Institute (L1)
◦ L2 - Objective Processes represent activities and objective of engagements (audits)
◦ L3 - Scope Processes are the management line objectives and scope of the engagement
• Hierarchy of DLCs and Offices are an identifier for reporting or aggregation for reporting
◦ Implies that the long term Audit Plan approach is vertical
◦ Short term may appear horizontal
What we do & Where we do it
L1: Function 1, Function 2
L2: Objective Process A, Objective Process B, Objective Process C
L3: Scope Proc. W, Scope Proc. X, Scope Process Y, Scope Process Z
DLC 1 Exists Exists
DLC 2 Exists Exists Exists Exists
DLC 3 Exists
Office A Exists Exists Exists
Office B Exists Exists
Axes: What (columns), Where (rows)
DLC = Department, Laboratory or Center
Audit Universe: Current Construct
Conceptual Design of Universe
Implied Vertical Audit Approach
Engagements may be one or many auditable entities (entity can be seen as a box)
String engagements together or split scopes to provide systemic coverage balanced with resources
Accepts Some Audit Risk
[Diagram axes: What, Where]
Audit Universe: Functions [What L1]
Primary operational objectives
• Governance & Communication
• Academic & Research
• Student & Campus
• Treasury & Investment
• Administration
• Alumni & Development
• Legal & Compliance
Internal Audit Approach
Each Function (primary process) is comprised of a family of Institute business objectives
Resources are recruited with an eye to provide for coverage of Functions
Individual engagement line items and audit objectives are aligned with next level in Universe: Objective Processes
Audit Universe: Objective Processes [What L2]
Process Areas
◦ Governance
◦ Communications
◦ Fraud & Abuse
◦ Sponsored Research
◦ Institute Initiatives and International Engagement
◦ Academic Programs & IP
◦ Libraries, Arts and Institute Equity
◦ Education of Undergraduates
◦ Student Life
◦ Graduate Education
◦ Digital Learning
◦ Financial Management
◦ Information Technology
◦ Human Resources
◦ Physical Infrastructure
◦ Campus Health & Safety
◦ Environmental, Health and Safety
◦ Other Administrative Processes
◦ Credit and Long Term Debt
◦ Investments and Cash Management
◦ Alumni Relations and Gift Revenues
◦ Risk Management & Insurance
◦ Legal & Compliance
Internal audit approach
• Represents Audit Objective Announced to Stakeholders
• Represents basis for Global Risk Assessment (Annual Planning)
• Assessment frameworks:
◦ Management inputs and outreach
◦ Institute risk management reports of factors
◦ Historical coverage or perceived weakness in control
• Scope of audit (engagement letter) is aligned with next level: Scope Processes
Audit Universe: Scope Processes [What L3]
Scope Processes Example
• Financial Management (L2)
◦ Assets & Revenues
◦ Liabilities & Expenditures
◦ Budget & Financial analysis
◦ Financial Systems and Reporting
◦ Other Financial Management
◦ DLC Financial Management
Internal Audit Approach
• Represents the Scope of the Audit
• Test plan individually designed each audit
• Test plan derived from control activities in place to manage risks identified for each Scope Objective
• Scope finalized after planning is complete
• Each Scope Process will be risk assessed at the audit level (Likelihood / Impact format)
• We express an opinion for each scope objective
As Applicable
Scope Objectives
• “Where” the mission is met
• Senior Management represents the de facto shared risk owners
• Institute has established structures, guidelines and process in place to achieve its mission
• Our use of the hierarchy places a “face” to the management of risk
• We audit process not people
Massachusetts Institute of Technology
This is also the legacy Audit Universe
Risk: Integrate enterprise (risk) frameworks with audit risk frameworks.
Revolutionary Risk Assessment Foundation
[Risk matrix: quadrants labelled Medium Risk, High Risk, Low Risk, Medium Risk. Vertical axis: Likelihood of realizing the Risk (increasing). Horizontal axis: Impact of Risk on Institute if Realized (increasing)]
Risks are assessed as to “likelihood” and “impact”
Risk @ MIT
MIT seeks to push beyond existing boundaries and to seize opportunities in support of its mission. We strive to create an exemplary risk-oversight framework that assists Institute personnel in taking informed risks, built on law, regulations, policy, and best practices, while respecting MIT’s decentralized, collaborative, and entrepreneurial culture.
- MIT Risk Management & Compliance Services
[Organization chart: Executive Vice President; Risk & Audit Committee; Audit Division; Risk Management & Compliance Services; General Counsel]
Respecting the Past, Protecting the Future, Taking Informed Risks
Risk @ MIT: Risk Types
Risk is the effect (positive or negative) of uncertainty on the Institute's mission and goals. Generally, risks at MIT are grouped into five categories: Safety, Operational, Behavior, Financial, Compliance. Additionally, Reputation is another risk type that could result from risks in any of these five categories.
Risk @ MIT: Context
Student Safety
COI
Research
AR15.03 Procurement process is adequate to ensure costs charged to an award have a direct benefit to the award,
Procurement decisions are not sufficient to ensure costs charged to an award have a direct benefit to the award.
Spending of Sponsored Research funds is not in accordance with Sponsor requirements, Federal Compliance Guidelines, or MIT policies and procedures.
Around 28 ERM Style Risks
RMCS shows risk like … Audit normally sees risk as …
Risk @ MIT: Environment
Emerging Risks
Operational Risks
Enterprise Risk Management
Internal Audit
Relevancy & Opportunity
Risk @ MIT: Universe Level
Receive Data
• Outreach
• Environmental
• Changes
• Institute Risks
Evaluate
• Goals/Themes
• Coverage
• Prior Results
• External Threats
Create Plan
• Audit
• Advisory
• Other
Professional Judgement
Risk @ MIT: Universe Level - Results
[Pie chart: 201x Plan Audit Effort by Primary Risk Category. Categories: Operational, Financial, Compliance, Safety, Behavior. Shares shown: 46%, 24%, 20%, 6%, 4%]
[Bar chart: 201x Plan by Institute Function, % of Planned Audit Effort (axis 0% to 30%). Functions: Other, Human Resources, Student Life, EHS, Financial, Research - Campus, Investments and Gifts, Information Technology, Research - Lincoln]
Risk @ MIT: Audit Engagement Execution
Within Auditable Entity:
Objective
• Business objective of area being reviewed
• The goals of the area
Risks
• What prevents the achievement of the Objective
• Institute relativity
Controls
• Activities designed to manage Risks
• Links to control frameworks
• Drives test plan
Audit Execution Risk - Conceptual
Business Process Objective:
Operational Risk(s)
Compliance Risk(s)
Financial Risk(s)
Safety Risks(s)
Behavioral Risk(s)
Management provides control to administer each risk to an acceptable level.
It is at this point we can apply frameworks such as COSO
We ultimately test controls; however, the goal of the audit may be interpreted as the effectiveness of management of risks, rather than whether controls are operating
Reputation is incorporated into the five identified categories
Reporting: Align reporting with the expectations of stakeholders.
Fundamentals of a Report
Three parts of the audit report that make it relevant
• The audit opinion or theme: overall message
• Positive or confirming statements: what is done well
• Issues and recommendations: opportunities for improvement
At all times the Report must be convincing
• Clear and concise
• Maintain a positive tone
• No auditor jargon
• Factually correct with sound analysis
Align with Organizational Objectives
Relevancy in Design of Audit Reporting
Is Brand Relevant?
Your Brand is what other people say about you when you are not in the room
- Jeff Bezos, Amazon
• Clarity – What do you stand for? Your Values.
• Commitment – Are you committed? Understand.
• Protection – Do you defend your Brand?
• Responsiveness – Do you respond to change?
• Relevance – Do you know what your Customer Wants? What are their needs and desires?
• Differentiation – What makes your message different?
• Consistency – Are you consistent in its implementation? Does the customer know what to expect?
• Presence – Do they talk about you when you are out of the room?
Interbrand Framework
Think on how the message is delivered
Culture Matters
Starting Point – The Report Template
• Structure of the MIT Issued Report
• Page 1: Summary – Included background information and our opinions on the business process area reviewed
• Page 2: Audit Findings – Finding, Recommendation and Management Action Plan, with each one being weighted for overall risk to the Institute’s mission.
• Page 3: Advisory Observations – Items identified and communicated to management that are not necessarily control weaknesses or deficiencies.
Starting Point – The Report Template
• Overall opinion links to Results Matrix
• Result Matrix is comprised of Scope Objectives taken from a standard Library tied to the Audit Universe
• Universe is tied to Institute Risks
Each Report becomes a Data Point to be drawn upon in evaluating the Institute’s control environment
Focus in on Opinion Matrix
Scope of Process/Area Tested | Design and Implementation of Controls | Related Audit Findings
Scope Process #1 | Scope Process #1 Opinion | Finding Title And Statement
Scope Process #1 | Scope Process #1 Opinion | Finding Title And Statement
Audit Scope Process
– Locally relevant
– Links Report & Entity
Entity Scope Process
– Compare across entities
– Senior mgmt. relevant
– Links Entity & Universe
Universe Scope Process
– Ties to Institute mission
– R&AC relevant
– Links Universe & Risk
Ernst & Young’s Value Risk Approach
[Chart: Likelihood of realization (axis 0 to 60) against Velocity / Urgency of Risk (axis 0 to 6)]
Likelihood / Probability / Impact
• Provide insight into the importance of the business’s activity within the organization or the levels of risk it may pose;
• Give insight whether management knew about the identified audit issues and what they are doing to fix it.
• Performance level (“Satisfactory”, “Needs improvement”, “Unsatisfactory”) of the control environment of an auditable entity.
Data Analytics? … but we do not have time for that!