CBIZ Risk & Advisory Services, LLC

Quality Assessments
Lessons Learned/Best Practices

Thomas A. Johnson, CIA
November 13, 2007


Agenda

• Requirement
• Benefits
• Attributes of a “World-Class” Internal Audit
• Quality and Quality Assessment
• Keys to an Effective QA
• Common Observations
• Leading Practices


Requirement

• IIA Standard 1312 requires that an external assessment be performed by a competent and independent firm at least every 5 years.
• Good “business practice” to provide an independent evaluation of internal audit as well as to identify potential ways to improve the process.
• With Sarbanes-Oxley and other demands placed on Audit Committees and Internal Audit, a Quality Assurance Review serves to provide an assessment that the various Internal Audit responsibilities are being discharged effectively and efficiently.


Benefits

• Current State of “Conformance to the Standards”.
• Builds stakeholder confidence by showing management’s commitment to quality and leading practices.
• Demonstrates that the Audit Committee and Internal Audit are concerned about the success of the organization’s internal controls, governance and risk management processes.


Benefits

• PCAOB Audit Standard 2 states “The external auditor may use the work of internal auditors particularly when internal auditors are in compliance with the Standards.”
• Observations on benchmarking & identification of successful practices
• Recommendations for improvement aimed at adding value to the organization.


Benefits

• Identify Expectation Gaps
  • Among key stakeholder expectations
  • Current state & desired state of performance
• Recommendations aimed at adding value to the organization
• Internal marketing tool strengthening credibility and promoting integrity


Attributes of a “World-Class” Internal Audit Activity

• Empowered & Respected by Management and Board
• Objective and Independent
• Highly Talented
• Risk Focused
• Proactive
• Technology Driven


Empowered and Respected

• Best Reporting Structure
  • Functionally – Audit Committee
  • Administratively – CEO
• Respected at All Levels
  • Value-Added Business Advisors
  • “Out of the box” thinking
  • Provides effective resources and solutions to business challenges


Objective and Independent

• Seen as providing unbiased views of the organization.
• Have no real or apparent conflicts of interest
• Independent of the activities they audit
• “No-No’s”
  • Designing and installing systems
  • Drafting of procedures


Highly Talented

• Highly talented professionals (certified) with unique combinations of skills & experiences
• Hiring and Retention
• Rotation in and out
• Constantly adding value
• Collectively possess the essential skills
• Consideration for co-sourcing
• Must commit to a program of continuous development


Risk Focused

• Allocates Time & Resources Based on Risk
  • Annual and Long Term Plans
  • Individual Engagements
• Identifies critical risks & exposures before they become significant issues
• Shares “lessons learned” across common business units and processes


Proactive

• Proactive, not only reactive
• Right balance between protecting and enhancing shareholder value
• Level of consultative support correlates with the organization’s fluidity
  • E.g., a flat, decentralized organization likely requires more significant support in analyzing business risks and transferring company-wide best practices than a highly centralized organization


Technology & Process Driven

• Utilizes “state-of-the-art” technology to:
  • Reduce Risks
  • Identify potential problems in nearly real time
  • Increase productivity
  • Continuously improve the control environment and communications
• Be committed to a program of continuous improvement


Foundation of World-Class Audit Departments

The International Standards for the Professional Practice of Internal Auditing and the Code of Ethics are the foundation for all world-class functions.


Quality Components

Adherence to the Code of Ethics

Practicing in accordance with the Standards

Continued Professional Development

Audit Practice is continuous improvement oriented


Quality Assurance

• To Evaluate Quality: Objectively measure internal audit process
• To maintain Quality: Fully commit to professional growth and development
• To ensure Quality: Maintain quality assurance and improvement program


Quality Standards

• Internal audit must establish a quality assurance program that includes both:
  • Ongoing and periodic internal QAs
  • External QA a minimum of once every 5 years
• Failure precludes IA from using the statement “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.”


Keys to an Effective QA

• Understanding the Professional Practices Framework
• Awareness and Implementation of the Standards
• Internal audit quality programs and initiatives
• Leading practices in applying the Standards


Professional Practices Framework

• Definition of Internal Auditing
• The Code of Ethics
• The Standards
• Practice Advisories
• Topical Index to the Practice Advisories


Purpose of a Quality Assessment

• Assess conformance to the Standards
• Assess the effectiveness and efficiency of the internal audit activity
• Identify opportunities for improvement
  • Improving performance
  • Image of the department


Scope of External Assessments

• Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements
• The expectations of the IA as expressed by the board, executive management and operational management
• The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process


Scope (Cont’d)

• Tools and techniques
• Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement
• Determination that the internal audit activity adds value and improves the organization’s operations


Areas of Focus

• The Mandate of the IA Activity
• The Relationship between IA & the Audit Committee
• IA Reporting Lines
• Staffing of Internal Audit
• Obtaining & Maintaining Competency
• Coordination with External Audit
• Developing the Internal Audit Plan
• Reporting Findings & Recommendations


Areas of Focus

• Follow-Up of Corrective Action
• Fraud
• Internal Quality Program
• Sufficiency of IA Resources
• Support from Senior Management
• Evaluation by the Audit Committee


Common Findings

• Charters not current, inadequate and/or misaligned
• Lacking support or sponsorship by top management
• Department structure issues
  • Reporting lines
  • Alignment with the organization
• Insufficient business knowledge and/or technology capabilities
• Lack of a defined and documented risk assessment


Common Findings

• Linkage of risk assessment to plan
• Impact of Sar-Box
• Lack of external input to risk assessment
• Audit Universe Deficiencies
• Ineffective resource planning, including training
• Inadequate IT Coverage
• Limited use of technology
• Infrequent management interaction


Common Findings

• Lack of Performance Measurements
• Failure to Track Auditors’ Time
• Inconsistent/Incomplete Work Papers
• Lack of a defined and documented Quality Assurance and Improvement Program
• Insufficient reporting to the Audit Committee


Leading Practices

• Enterprise Risk Assessment
  • Rigorous and coordinated approach
  • Assessing all risks that affect the organization’s strategic & financial objectives
• Risk & Control Self Assessment
• Using Control Frameworks (COSO)
  • Effectiveness & Efficiency of Operations
  • Reliability of Financial Reporting
  • Compliance with Laws & Regulations


Leading Practices

• Partnering with Management
  • Risk Assessment & Annual Audit Planning
• Long Term Audit Plans
  • Usually three years
  • Higher risk areas should be reviewed more frequently within the 3 year plan
  • Frequent modifications to long term plan
• Developing Staff
  • Goal of 80 hours of training
  • Stretch Objectives & Performance Measures
  • Certification


Leading Practices

• Communicating More Effectively
  • User friendly format
  • Executive summary, with clear concise information and opinion
  • Regular reporting of issues to the Audit committee
  • “Marketing” IA function
    • Brochure
    • Intranet


Leading Practices

• Using Technology
  • Data extraction and analysis
  • Fraud detection/prevention
  • Network security assessment
  • Automated work-papers
  • Audit administration tools
• Benchmarking
  • Performance measurements


Questions?


Follow-Up

Tom [email protected]
