Page 1: The challenges for the internal auditor

The challenges for the internal auditor

Rodoljub Kajganić, Wiener Osiguranje Vienna Insurance Group VIG Internal Audit Group Workshop November 2015

Page 2

Agenda

Introduction
Successful internal auditor
Compliance - case study: How to audit compliance with group policies
Information system audit - case study: How to do a project audit
Fraud - case study: How to do fraud investigation
Observations
Q&A

Page 3

Introduction

Presenter biography:

Experienced Insurance/Banking Internal Auditor, Information Systems Auditor, Compliance Specialist, Fraud Investigator, AML Professional
Head of Security & Compliance & AML department
Professional Certificate of Competency in the field of Compliance, ALCO, IFBL: L'Institut, ATTF Luxembourg
Management Program, IEDC Bled School of Management
Audit Committee, IT Steering Committee, Outsourcing Committee member; FATCA, ISMS project team member...
ISACA member
Enjoys road and mountain biking, traveling, reading, practises Krav Maga

Page 4

Introduction - personal mission statement

“Success always comes when preparation meets opportunity” (Henry Hartman)

Change. Adapt. Grow. Learn. Repeat process.

Page 5

How to become a successful internal auditor?

Page 6

Successful internal auditor

Triangle of Success: Skills, Knowledge, Attitudes

Attitudes: Analytic, Critical, Integrity, Confidence, Passion, Co-operative, Commitment
Knowledge: IT Audit, Compliance, Fraud, Accounting; Lifelong Learning, Regulations, Market Rules
Skills: Communication, Teamwork, Time management

Page 7

Successful internal auditor

Internal audit: Company Strategy, Legal Framework, Audit Resources

Value and risk based auditing
Find balance between control and productivity
From compliance to risk management
Learn to speak the language of business

Page 8

Have you got what it takes to be a successful internal auditor?

Page 9

COMPLIANCE

Page 10

Compliance-definition

Compliance means adherence to, or conformance with, rules, laws, standards, and policies. It also implies a sense of accountability and an obligation to uphold pertinent codes of conduct. Corporate compliance entails devising a formal internal system of policies, procedures, controls, and actions to detect and prevent violations of laws, regulations, rules, standards, and policies.

Page 11

Board
Risk Management

Internal Audit (third line of defence): audit legality, propriety, expediency
Controlling, Actuary: forecast, plans, measure risk
Enterprise Risk Management: evaluating insurance portfolio
Compliance: manage regulatory obligations
External Audit

Page 12

Compliance with laws and regulations - policies and procedures
Structuring the compliance department - independence, reporting lines
Compliance program - risk assessment, mitigating risk, monitoring, reporting, training
Tone at the top and whistle-blowing (hot line)
Dealing with ethical challenges - compliance with laws/local regulations, non-discrimination, corruption and bribery, data privacy, insider trading, AML, protection of the environment

Compliance

Page 13

Compliance audit – compliance audit deals with the degree to which the audited entity follows rules, laws and regulation, policies, established codes, standards.

Compliance

Potential threats:
Legal impact: regulatory or legal action brought against the organization or its employees that could result in fines, penalties, litigation...
Financial impact: negative impacts with regard to share price, potential future earnings, or loss of investor confidence.
Reputational impact: damage to the organization’s reputation or brand (bad press or social media discussion, loss of customer trust, decreased employee morale).

To succeed you must know what success looks like; to succeed you must measure success; to succeed you must verify your measures.

Page 14

Compliance - case study issue

How to audit compliance with group policies
Applicable for all types of audits
Risk based approach

Page 15

Compliance - case study analysis

The up-to-date version of all Group guidelines is available in the VIG Intranet:
https://intranet.vig.com/en/infos-guidelines/guidelines.html

Upon request the guidelines can be provided in paper form or via email.

Contact: Sabine Stiller ([email protected])

Page 16

Compliance - case study analysis

Prepare an audit plan
Make a compliance risk assessment
Collect evidence by using interviews, questionnaires, review of documents
Obtain copies of departmental procedures for each area you intend to audit
Cross-reference internal procedures with group regulations
Verify compliance with local regulations, best practice and relevant standards
Check reports from regulators, inspections, external auditor

Page 17

Compliance - case study analysis

Possibilities for improving efficiency and effectiveness in implementation of regulations.
The effectiveness of internal controls.
Is there a system for monitoring new regulations?
Is information communicated on a timely basis in the organisation?
Deviation from Group guidelines needs a reasonable legal ground.
If activities are outsourced, how are compliance and performance monitored?
Consider materiality for reporting purposes (amount of potential fines).

The final goal is to determine whether the internal procedures are compliant and properly implemented in the processes.

Page 18

INFORMATION SYSTEM AUDIT

Page 19

Information system audit - definition

Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

Page 20

Information system audit

Types of information system audit:
General control examination or facility audit
Application audit
System development audit
Technical or special topic audit

Page 21

Information system audit - goals

Compliance with legal and regulatory requirements
Confidentiality
Integrity
Reliability
Availability

Page 22

Information system audit - IT risk

IT risk: the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

Governance: responsibility and accountability for risk; risk appetite and tolerance; awareness and communication; risk culture
Risk Evaluation: risk scenarios; business impact descriptions
Risk Response: key risk indicators (KRIs); risk response definition and prioritisation

Page 23

Information system audit - Internal controls

By function: Preventive, Detective, Deterrent, Corrective, Compensating, Recovery
By implementation: Manual, Automatic
By type: Administrative, Technical, Physical

Page 24

Information system audit - audit procedures

Understanding of the audit area
Risk assessment/audit plan
Evaluating audit area
Verifying and evaluating controls
Compliance testing/substantive testing
Reporting/follow-up

Page 25

IS audit - resources

Auditing security checklist (attached Microsoft Excel Worksheet)
Auditing systems development (attached Adobe Acrobat Document)

Page 26

IS audit - case study issue

How to do a project audit
Projects related to the information system
Purchase or own development
New service or new products

Page 27

IS audit - case study analysis

Audit project areas:
Integration
Scope, time & cost
Quality, procurement
Risk management
Human resources, communication

Project risk - the project may:
Never be delivered or be delivered late
Exceed budget
Not deliver the required functionality
Contain errors, fail frequently
Be unfriendly, difficult and costly to operate

Page 28

Success criterion                  Relative importance
User involvement                            19%
Executive management support                16%
Clear statement of requirements             15%
Proper planning                             11%
Realistic expectations                      10%
Smaller project milestones                   9%
Competent staff                              8%
Ownership                                    6%
Clear visions and objectives                 3%
Hardworking, focused staff                   3%
Total                                      100%

IS audit - case study analysis

Page 29

IS audit - case study analysis

Audit plan: identify the audit scope, determine audit objectives, gather basic information about the project, determine materiality, assess risk, and evaluate internal controls.

Check:
IT strategies, plans and budgets
Feasibility study, requirements, RFP
Security policy
Organization charts, job descriptions
Steering committee reports
Program change procedures
Operations procedures, quality assurance procedures

Page 30

IS audit - case study analysis

Feasibility study
Well documented and clear?
Have the departments' recommendations been included?
Has the feasibility analysis report been submitted to the management steering committee for action?

User requirement analysis - efficiency/effectiveness
Have the user executives approved the requirements?
Is the new system compatible with other applications/systems?
Could the new system recover after failure?
Do user requirements include security, controls and privacy measures?
Is there clear segregation of duties among those who build, test and operate the system?

Page 31

IS audit - case study analysis

Purchased software
Are there vendor evaluation criteria/selection procedures?
Contract - remedy, backup and recovery controls, user manuals, audit trail
Does the contract provide how the user will request changes to the software?
Can the organisation terminate the contract at any time?
Does the vendor have a high probability of being in business for the duration of the contract?
Is the level of internal controls satisfactory?
Has all data been transferred to the new system in a controlled manner?

Page 32

IS audit - case study analysis

Post-implementation phase
Review of the project success
Financial review of the feasibility study vs. results
Lessons learned and improvements for the future

The optimal way to ensure a successful IT project is to do an effective analysis of the risks associated with that particular project and develop a plan to manage the identified and substantial risks.

IT risks are managed, IT delivers value to the business

Page 33

IS audit - case study analysis

Page 34

FRAUD

Page 35

Fraud - definition

Fraud is generally defined in the law as an intentional misrepresentation of a material existing fact made by one person to another with knowledge of its falsity and for inducing the other person to act, and upon which the other person relies with resulting injury or damage.

Which is the bigger risk? External attacker vs. employee fraud

Page 36

Fraud - statistics

Page 37

Fraud – cyber attacks

Page 38

Fraud - statistics

General red flags:
Often first in and last out of the office
Lots of unused holiday
Changes in lifestyle - spending, socializing, marital status
Resigned, working out redundancy
Passed over for promotion or pay review
Pending HR disciplinary

Page 39

Fraud - resources

Red flags of insurance fraud (attached Microsoft Word 97 - 2003 Document)

Page 40

Fraud - anti-fraud framework

An anti-fraud policy is most effective when applied with a clear methodology and implementation plan, as opposed to random reviews which seek to rely primarily on a chance discovery of fraud or wrongdoing.

An anti-fraud policy proactively looks for fraud (rather than focusing on specific known types or incidents).

Anti-fraud policy
Roles & responsibilities
Fraud risk assessment
Prevention, detection, investigation

Page 41

Fraud - case study issue

How to do a fraud investigation
Fraud risk assessments
Checking transaction accounts of employees
Investigation

Page 42

Fraud - internal controls

Do we have internal controls? Are they sufficient and effective?

Page 43

Fraud - case study analysis

Risk based audit - follow the money
Appoint a fraud protection officer
Regular fraud risk assessments
Enforce separation of duties
Four-eyes controls, use red flags, black list
Automatic preventive controls in the information system

Page 44

Fraud - case study analysis

Perform background checks
Institute a policy of job rotation, mandatory vacation policy
Have employees bonded with the proper insurance policies
Create annual financial disclosure policies for the people in the organizational process

Separate the authorization of the transactions from their recording
Require multiple signatures - formal signatures!
Define the trust levels with the appropriate checks
Whistle-blowing - make sure you hear the bad news first
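The preventive controls the two case-study slides call for (separate authorization from recording, formal multiple signatures, four-eyes control, black list, automatic preventive controls in the information system) and the "checking transaction accounts of employees" step of the investigation can be expressed as one release check in the payment system. The following is an added example written for this page, not code from the presentation or from VIG: the user names, roles, account numbers and the 10,000 four-eyes threshold are constructed assumptions, and the red-flag match against employees' private accounts is a detection heuristic, not a rule the slides state.

```python
"""Automatic preventive controls in a payment workflow.

Added example for this section, not taken from the presentation. It enforces
the controls on the slide (authorisation separate from initiation and
recording, formal signatures by authorised approvers, four eyes above a
threshold, black-list screening) plus the fraud case-study red flag of a
payment landing on an employee's own account. All names, thresholds and
account numbers below are constructed sample data.
"""
from dataclasses import dataclass
from decimal import Decimal

FOUR_EYES_THRESHOLD = Decimal("10000")  # assumed: two approvals at/above this amount


@dataclass(frozen=True)
class Payment:
    pid: str
    amount: Decimal
    beneficiary_iban: str
    initiator: str                 # user who created the payment
    approvers: tuple = ()          # users who signed it
    recorded_by: str = ""          # user who booked it in the ledger


@dataclass(frozen=True)
class ControlContext:
    employee_ibans: dict           # employee id -> private account (constructed)
    blacklist: frozenset           # black-listed beneficiary accounts
    roles: dict                    # user -> set of roles


def check_payment(p: Payment, ctx: ControlContext) -> list:
    """Return the control violations for one payment; an empty list means release."""
    findings = []

    # Black list: automatic preventive control, evaluated before anything else.
    if p.beneficiary_iban in ctx.blacklist:
        findings.append("BLACKLIST: beneficiary account is black-listed")

    # Red flag for investigation: the money goes to an employee's private account.
    owner = next((e for e, iban in ctx.employee_ibans.items()
                  if iban == p.beneficiary_iban), None)
    if owner is not None:
        findings.append(f"RED_FLAG: beneficiary account belongs to employee {owner}")

    # Segregation of duties: authorisation is separate from initiation and recording.
    if p.initiator in p.approvers:
        findings.append("SOD: initiator approved own payment")
    if p.recorded_by and p.recorded_by == p.initiator:
        findings.append("SOD: initiator also recorded the payment")

    # Formal signatures: only users holding the approver role count as signatures.
    for user in p.approvers:
        if "approver" not in ctx.roles.get(user, set()):
            findings.append(f"ROLE: {user} is not an authorised approver")

    # Four eyes: one valid signature below the threshold, two distinct ones at/above it.
    valid = {u for u in p.approvers
             if u != p.initiator and "approver" in ctx.roles.get(u, set())}
    needed = 2 if p.amount >= FOUR_EYES_THRESHOLD else 1
    if len(valid) < needed:
        findings.append(f"FOUR_EYES: {len(valid)} valid approval(s), {needed} required")
    return findings


def review_batch():
    """Run the controls over a constructed batch and return {payment id: findings}."""
    ctx = ControlContext(
        employee_ibans={"emp-017": "BA390000000000000017"},   # constructed
        blacklist=frozenset({"BA390000000000000666"}),        # constructed
        roles={"alice": {"initiator"}, "bob": {"approver"},
               "carol": {"approver"}, "dave": {"initiator", "approver"}},
    )
    batch = [
        # clean: below threshold, one independent approver, booked by a third person
        Payment("P1", Decimal("2500"), "BA390000000000000101", "alice", ("bob",), "carol"),
        # above threshold with only one signature -> four-eyes violation
        Payment("P2", Decimal("25000"), "BA390000000000000102", "alice", ("bob",), "carol"),
        # one person initiates, approves and records -> two SoD findings, no valid signature
        Payment("P3", Decimal("500"), "BA390000000000000103", "dave", ("dave",), "dave"),
        # beneficiary is an employee's private account -> red flag for the investigator
        Payment("P4", Decimal("1200"), "BA390000000000000017", "alice", ("bob",), "carol"),
        # black-listed beneficiary -> blocked
        Payment("P5", Decimal("300"), "BA390000000000000666", "alice", ("bob",), "carol"),
    ]
    return {p.pid: check_payment(p, ctx) for p in batch}


if __name__ == "__main__":
    for pid, findings in review_batch().items():
        print(pid, "RELEASE" if not findings else "HOLD: " + "; ".join(findings))
```

The check returns every violated control rather than stopping at the first one, so the held payment carries the full evidence an investigator needs, and the same function can be run retrospectively over a period's posted payments as a detective control when auditing whether the preventive ones were actually in force.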

Page 45

Observations

Work on attitude, knowledge and skills. Change, adapt, grow, learn, repeat process.
Consider whether IT risks are managed and IT delivers value to the business. Analyze project risks and ensure you have a plan to manage the identified and significant risks.
Ensure you have an anti-fraud policy, a fraud protection officer and fraud risk assessments; follow the money.
Determine whether the internal procedures are compliant and properly implemented in the processes.

Page 46

QUESTIONS & ANSWERS

[email protected]

+387 (0)65 422 242

https://ba.linkedin.com/in/rodoljubkajganic

Page 47

Thank you for your attention