Enhancing Governance Through Internal Audit Activities Kaveh - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Enhancing Governance Through Internal Audit Activities

Kaveh Rikhtegar, CPA, CA, CISA, CIA Director of Internal Audit Canadian Commercial Corporation

slide-2
SLIDE 2

Key Points

  • Understanding your audience and the Governance framework,
  • Building an effective and value added internal audit organizational structure and processes,
  • Using a risk based approach linked to the ERM, to complete the annual audit plan, and
  • Creating an effective reporting mechanism to the Audit Committee.

slide-3
SLIDE 3
  • CCC was created by an act of Parliament in 1946.
  • CCC is a wholly owned Government corporation reporting to the Minister of International Trade
  • CCC is mandated to facilitate Government to Government trade between Canadian exporters and international buyers.

Canadian Commercial Corporation (CCC)

slide-4
SLIDE 4

Negative Assurance Positive Assurance No Assurance

Internal Audit Pendulum

slide-5
SLIDE 5

Governance Model

  • Board Members: Set and maintain policies and key priorities
  • Management: Develop and implement practices and procedures in order to roll out the policies & accomplish key priorities
  • Operation: Perform the day to day activities based on established practices and procedures

Measure, Monitor Measure, Monitor

slide-6
SLIDE 6

Understanding our Role

Changes in Our Focus & Approach

  • Historically, IA has been known to be “Police” and “Watchdog”,
  • Internal and external environments are continually changing,
  • As a result, IA needs to provide a more strategic role over Governance, Risk and Compliance:
  • Gain consensus on audit objectives and develop relationships,
  • Stay informed with the plan, decisions and activities,
  • Be transparent.
slide-7
SLIDE 7

Board Members

  • Strategic, NO Surprises
  • Assurance and Compliance focus
  • Managing Risk
  • Short span of attention
  • Special education
  • Diplomatic

Therefore you must stay informed of business plans, events, developments and new initiatives

Understand your Audience

slide-8
SLIDE 8

Expectation

  • Assurance and Compliance focus – Ask them
  • Value added audit shop, consulting activities
  • Appreciate complexity of competing agendas - Prioritize
  • “Co-operative independent” partner having a seat at the table. Ensure your charter reflects this understanding and provides the right authority.
  • Executive Management, Non Technical and Strategic
  • Operation Management, Technical and Tactical

Understand your Audience

slide-9
SLIDE 9

Building an effective and value added internal audit organizational structure
slide-10
SLIDE 10

Communication

Effective communication is the KEY determinant of a successful IA function.

Formal vs. Informal Communication

  • Identify, capture and communicate pertinent information in a form and timeframe that is appropriate to the recipient,
  • Communicate regularly, at multiple levels and multiple ways,
  • Determine each executive's communication preference and style,
  • Create clear, concise presentation templates - Avoid information overload.
slide-11
SLIDE 11

Audit Report

TABLE OF CONTENT

  • EXECUTIVE SUMMARY
  • BACKGROUND
  • AUDIT OBJECTIVES AND SCOPE
  • APPROACH AND METHODOLOGY
  • STRENGTHS
  • OBSERVATIONS AND RECOMMENDATIONS
      • KEY OBSERVATIONS
  • SUMMARY AND CONCLUSION

slide-12
SLIDE 12

Rating of Audit Finding

High: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk is more than inconsequential. Corrective action is needed to ensure process objectives are achieved.

Medium: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk to the process is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls.

Low: a minor weakness in the design and/or operation of a key control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to strengthen controls.

slide-13
SLIDE 13

Rating of Audit Opinion

Effective: Key controls are effectively designed and operating as intended.

Needs Improvement: One or more key controls do not exist, are not designed properly or are not operating as intended. The impact to the audited process is more than inconsequential. Timely action is required.

Unsatisfactory: Multiple key controls do not exist, are not designed properly or are not operating as intended. The impact to the audited process is material. Immediate action is required.

slide-14
SLIDE 14
  • Objective of the audit as approved by the Audit Committee.
  • Summary of Procedures Performed in order to complete the audit.
  • Scope of activities performed in order to achieve the objectives.

Executive Summary to the Audit Committee

slide-15
SLIDE 15

Summary Observations to the Audit Committee

[Figure: quadrant chart placing findings a and b by Ease of Implementation and Business Impact, each axis running LOW to HIGH. Quadrants: High Business Impact, Easy to Implement; High Business Impact, Difficult to Implement; Low Business Impact, Easy to Implement; Low Business Impact, Difficult to Implement. Accompanying table headings: Detailed Finding, Rating, Accountable, Timing.]

slide-16
SLIDE 16

Internal Audit Status Summary to the Audit Committee

[Chart: status of audit activities by quarter (Q1, Q2, Q3, Q4) for 2013-14. Rows: Annual Planning, Activity 1, Activity 2, Activity 3, Activity 4, Activity 5, Activity 6, Internal Audit Follow Up, Consulting and Advisory. Color Legend: Complete, In Progress, Not Started.]

slide-17
SLIDE 17

Key Upcoming Activities

  • Key Accomplishments this Quarter
  • Status Update to the Audit Committee

Current Forecast Resourcing Schedule Scope Overall

Period Ending (Date)

On Target On Target On Target On Target

slide-18
SLIDE 18

Identify groups within/outside the organization such as ERM, Quality Control, External Auditors to ensure a more effective risk assessment:

  • Maximizing Scarce Resources
  • Complete a coordinated annual planning process
  • Look for opportunities to share and receive information

Resulting in more integrated audit activities

Integrated Activities – Auditing

slide-19
SLIDE 19

Training

  • It should be linked to the annual audit plan, as well as current and future talent needs
  • Auditors vs. Employees,
  • Technical vs. Non Technical training,
  • Must include key soft skills such as Problem Solving and Critical Thinking, Business Acumen
  • Must be flexible,
  • Must be recurring and not just a one time event.
slide-20
SLIDE 20

Talent Retention

Significant risk if a member leaves the group

1. Establish a knowledge base within the team:

  • Have a proper repository on tracking so that information is easily available,

2. Attention to Retention:

  • Ensure the compensation is competitive and the department is viewed as a great place to work.
  • Ensure the employees understand their roles and the available opportunities for advancement.

slide-21
SLIDE 21
  • Internal Audit Charter,
  • Annual Planning process,
  • Follow up tracking and reporting,
  • Internal Audit Manual,
  • Other templates, tools and guidelines,
  • Customer Satisfaction Surveys

Standardization of Method, Approaches & Techniques

slide-22
SLIDE 22
  • Head Count Budget
  • Consulting Budget
  • Training Budget

ALL the above must be in line with the Annual Corporate Plan

Establishing the Annual Budgets

slide-23
SLIDE 23

Managing the Budget and Deliverables

Internal Audit Time line 2013 - 2014

[Table: weekly hours by audit project and sub activity. Columns: Audit project, Sub activity, Total Hours, then one column per week from 1-Apr to 21-Oct, grouped by month (April to October).]

Auditor 1

  • Annual planning: 90 total hours (weekly: 30, 20, 30, 10)
  • Audit Activity 1
      • Planning: 50 total hours (weekly: 20, 30)
      • Execution: 90 total hours (weekly: 30, 30, 30)
      • Reporting: 60 total hours (weekly: 30, 30)
  • Audit Activity 2: Planning, Execution, Reporting
  • Audit Activity 3: Planning, Execution, Reporting
  • Audit Activity 4: Planning, Execution, Reporting
  • Audit Activity 5: Planning, Execution, Reporting
  • Audit Committee Support
  • MLP follow up
  • Vacation
  • Stat Holiday
  • Year end audit coordination with External Auditors
  • Training
  • Advisory and Consulting activities
  • TOTAL: 290 hours (weekly: 30, 20, 30, 10, 20, 30, 30, 30, 30, 30, 30)

slide-24
SLIDE 24

Customer Satisfaction Surveys

Summary of Audit Surveys

| # | Survey Question | Audit 1 | Audit 2 | Audit 3 | Audit 4 | Overall Average |
|---|---|---|---|---|---|---|
| 1 | The audit scope and objectives were relevant and clearly conveyed. | 3 | 3 | 4 | 4 | 3.50 |
| 2 | The audit report is objective, accurate, succinct and clearly written. | 3 | 3 | 3 | 4 | 3.25 |
| 3 | The audit recommendations are constructive and actionable. | 3 | 3 | 3 | 4 | 3.25 |
| 4 | Communication lines were open and positive. | 4 | 3 | 4 | 4 | 3.75 |
| 5 | The audit staff were objective, qualified and professional. | 4 | 3 | 4 | 4 | 3.75 |
| 6 | The audit was well managed and performed in a timely and efficient manner. | 4 | 3 | 4 | 4 | 3.75 |
| 7 | The audit provided value to my organization. | 3 | 3 | 4 | 4 | 3.50 |

Legend: 1 = Very Unsatisfied, 2 = Unsatisfied, 3 = Satisfied, 4 = Very Satisfied

slide-25
SLIDE 25
  • Presidents Executive Meetings,
  • Key Management Committees,
  • Quarterly One on One with Executives,
  • Strategic Planning Sessions.

Must have a Voice, Participate and Contribute

Executive Participation

slide-26
SLIDE 26
  • Active at international and local chapters,
  • Participate or create internal audit round table discussion groups,
  • Participate at the CAE discussion group - get another perspective,
  • Webinars,
  • Conferences.

Networking and Continuous Development

slide-27
SLIDE 27
  • Develop Performance Measure Scorecard,
  • Complete Benchmarking to compare your operation and effectiveness with those of other organizations
  • Perform Internal Evaluation,
  • Perform External Quality Assessment

Assessing Effectiveness of IA Function

slide-28
SLIDE 28

Internal Audit Performance Scorecard

slide-29
SLIDE 29

Benchmarking - Years Covered by Audit Plan

slide-30
SLIDE 30

Benchmarking – Allocation of Audit Plan

slide-31
SLIDE 31

Benchmarking – Audit Life Cycle

slide-32
SLIDE 32
  • Identify budget - done once every five years
  • Provide information in advance so that AC and Executives can mark calendar
  • Key factors to Identify qualified individuals to perform in accordance with the IIA performance and attribute standards,
  • Team and Individual Experience with business sector, industry and your IA size in performing EQA
  • Expected deliverables, timeline and cost
  • Prepare and provide documents, schedule and manage interviews,
  • Realize that one size does not fit all in meeting the IIA standards
  • Embrace and accept change, it will make your team more effective & efficient. Remain open-minded about suggestions

External Quality Assessment

slide-33
SLIDE 33

Building an effective and value added internal audit processes

slide-34
SLIDE 34

Audit Planning Objective

  • Link the plan to the corporate objectives;
  • Provide assurance on the areas considered to be of highest risk and significance;
  • Focus audit resources primarily on the provision of assurance services while providing consulting services to further enhance our processes;
  • Provide a schedule of audits to be undertaken with the resources available during the period covered by the plan; and
  • Allow flexibility to accommodate special tasks and projects if requested by the Audit Committee or President of CCC.

slide-35
SLIDE 35

Planning Process

CCC Internal Audit Plan

[Flow diagram with stages labelled Input, Review, Prioritize, Validate and BOD Approval. Elements shown:]

  • Corporate ERM
  • Review of various internal/external documents
  • Discussion with Other Corporations
  • Self assessment
  • Internal Audit Risk assessment including FS decomposition
  • Discuss with External Auditors
  • Discuss with Subject Matter Experts
  • Discuss with Senior Mgt
  • Prioritize Audit Areas & Draft Plan
  • President & CFO

slide-36
SLIDE 36

Financial Statement De-Composition

[Matrix: General Ledger accounts (columns GL Account #, GL Account Name, GL Account $ 2013) against financial processes, with an X marking the processes linked to each account.]

Process groups: Contract Mgt and Financial Administration, Assets, Financial Close, HR and Payroll, Other

Process headings as shown: Admin PO T & H Work order / Operational Purchase Order Cuba Processing Goods Receipt and Payment Processing Account Receivable and Cash Receipt China Offices Acquire assets Depreciate assets Period End Close Tax Accounting Cash Management Appropriations Hire and Terminate Calculate Payroll and Disbursement Triggers TimeSheet Transactions Approval, Goods Receipt and Payment Processing Approval and Payment Processing

Accounts shown:

  • 10010 Bank - CAD Account: X X X X X X X X X
  • 10011 Bank - USD Account: X X X X X
  • 10012 Bank - USD Account Quito: X X X X
  • 10013 Bank - AUD Account: X X X X
  • 10014 Bank - GBP Account: X X X X

Steps:

  • Start with the approved Financial Statements,
  • Use chart of accounts to map the financial statement line items to the final year end General Ledger (GL) accounts,
  • Link the grouping of the GL accounts to the generic listing of financial processes.
slide-37
SLIDE 37

Internal Audit Risk Assessment

RISK RATING CRITERIA (H-High, M-Medium, L-Low)

Column groups: Auditable unit, ERM Assessment, Other factors, Auditors Overall Rating (Judgmental), Audit Comments

Rating criteria headings as shown: Business Environment Organizational Mandate Reputational Financial Policies and Process People Information Management Information System Business continuity Planning Foreign Environment Export Foreign Exchange Corporate Social Responsibility Fraud Supplier performance Contract Materiality Process Volatility Volume of transaction Relevance Susceptibility to error Susceptibility to fraud Last Audited Prior Audit Issues

Auditable units and ratings as shown:

  • Quarterly Financial Close Process: L L L L M H M H H M L L L H
  • Travel and Hospitality: L L L M M M L M L L L M

slide-38
SLIDE 38

Internal Audit Risk Assessment

Qualitative Factors

| Factor | Definition | RISK: LOW | RISK: MEDIUM | RISK: HIGH |
|---|---|---|---|---|
| ERM score | Risks identified through the ERM process. | See ERM – Low and Low/Medium | See ERM - Medium | See ERM – Medium/High, High and Damage Control |
| Materiality | Dollar impact of the transition/process on the financial statements. | Less than 10% of the External Auditors Materiality. | More than 10% but less than 25% of the External Auditors Materiality. | More than 25% of the External Auditors Materiality. |
| Process Volatility | Risk of error increases with amount of change. | No significant change. | Process subject to limited change (people, technology and processes). | Process subject to significant change (people, technology and processes). |
| Volume and size of transactions processed | Size and volume of individual transactions. | Small balance, few transactions (i.e. yearend bookings). | Small balance, few transactions (weekly or monthly transactions). | Large balance, many transactions daily. |
| Relevance | The degree that the processes directly impact the corporate objectives. | Low likelihood and impact on corporate plan or objectives. | Medium likelihood and impact on corporate plan or objectives. | High likelihood and impact on corporate plan or objectives. |
| Susceptibility to error | Susceptibility of loss due to error. | Processing of transactions are not subject to error or misinterpretation. | Processing of transactions are subject to limited error or misinterpretation. | Processing of transactions are subject to error or misinterpretation. |
| Susceptibility to fraud | Susceptibility of loss due to fraud. | Assets not easily moved or converted to cash, low potential for fraud. | Assets not easily moved or converted to cash, medium potential for fraud. | Assets highly mobile or convertible to cash, higher potential for fraud. |
| Last Audited | Date the process was last audited. | Within one year. | Less than two years. | More than two years. |
| Internal and External Audit Management Letter Points | Previously identified issues. | No significant previously identified issues. | Medium rated previously identified issues. | Significant previously identified issues. |

slide-39
SLIDE 39

IT Risk assessment

Columns: COBIT Domain, COBIT Ref, COBIT Process, Description, Comments, Audit 1 to Audit 10 (audit columns marked with x)

Plan and Organize, PO1, Define a strategic IT Plan
Description: To strike an optimum balance of information technology opportunities and IT business requirements as well as to ensure that further accomplishments are undertaken through the strategic planning process. In turn the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals.
Comments: The IT strategic plan is included in the business units plan which is approved by its VP and which in turn feeds into the 5 year corporate plan which is approved by the BOD.
Audits marked: x

Plan and Organize, PO2, Define the Information Architecture
Description: Optimizing the organizations information systems by creating and maintaining a business information model and ensuring that appropriate systems are defined to optimize the use of this information.
Audits marked: x x x

Plan and Organize, PO3, Determine Technological Direction
Description: Take advantage of available and emerging technology in order to execute the business strategy by creating and maintaining a technological infrastructure plan that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms.
Audits marked: x x x x

Plan and Organize, PO4, Define the IT organization and relationship
Description: To deliver the right IT services suitable in numbers and skills with roles and responsibilities defined and communicated, aligned with the business and that facilitates the strategy and provides for effective direction and adequate control.
Audits marked: x x x x

slide-40
SLIDE 40

IA Risk Assessment Summary Report to the Audit Committee

[Heat map: audit units numbered 1 to 25 plotted by Significance (to strategy, reputation, etc.), Low to High, against Likelihood (considering controls and inherent risks), Low to High, with zones rated High, Medium and Low.]

This matrix summarizes the results of the risk assessment process. Each audit unit was evaluated based on the importance to Corporate strategy and the likelihood of control / process issues.

slide-41
SLIDE 41

Benefits

  • Creates a common language and agreement to share ownership in order to manage risks,
  • Improves identification and prioritization of key risks,
  • Engages upfront input and agreement from stakeholders,
  • Assurance vs. Consultation.
slide-42
SLIDE 42

Continuous Assessment

Annual Scoping of Significant Processes

Documentation of Key Controls

Quarterly Testing of Key Control

Quarterly Reporting of Key Controls

Q1

  • Authorization
  • Training
  • Security of Asset
  • Segregation of Duties
  • Policies & Procedures
  • IT Controls
  • Management Reviews

Transactional Processes - Automated and Manual

slide-43
SLIDE 43

Continuous Assessment Report

EXAMPLE ONLY

[Table: key controls by process. Columns: Process, # of Manual Controls, # of Automated Controls, results for Q1, Q2, Q3 and Q4, Overall Results. Row groups: Key controls that impact MANY PROCESSES; Key controls that impact a SINGLE PROCESS.]

Processes and the control counts shown beside them:

  • Policy Instrument Review: 1
  • ERM Assessment: 1
  • Annual Training Plan: 1
  • Annual Disaster Recovery Exercise: 1
  • Annual Access Review: 1
  • Structuring & Approving Contracts: 5, 5
  • Approving Purchase Order: 4
  • Processing Supplier Invoice: 4, 4
  • Processing Loans: 2, 1
  • Processing Supplier Payment: 5, 7
  • Processing Customer Invoice: 11
  • Performing Finance Close: 6, 4
  • Total: 27, 36

Effective

Key control is effectively designed and operating as intended.

Needs Improvement

Key control does not exist, is not designed properly or is not operating as intended and the risk is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls.

Unsatisfactory

Key control does not exist, is poorly designed or is not operating as intended and the risk is more than inconsequential. Corrective action is needed to ensure process objectives are achieved.

slide-44
SLIDE 44

Performing the Assurance Activities

Select Sample Size Perform Testing Document Results Execute Test Reporting Assess Magnitude Planning Evaluate Design Review Documentations Perform a Walkthrough Recommend Corrective Action Complete Plan Memo Report and Follow up Recommend Corrective Action

slide-45
SLIDE 45

Planning memo

Table of contents

BACKGROUND

  • History and Current Operation
  • Audit contact
  • Planning Meeting with the Management
  • External Assistance

RISK INDICATORS

  • Regulatory compliance
  • Extent of changes
  • Prior audits
  • Linked to the Enterprise Risk Management (ERM)
  • Consider the impact of other factors
  • Overall risk assessment

OVERVIEW OF AUDIT ENGAGEMENT

  • Objective
  • Scope
  • Methodology
  • Audit program
  • Resourcing
  • Audit time table

REPORTING REQUIREMENTS

slide-46
SLIDE 46

Reporting

  • Write the report as audit progresses,
  • Use Data to drive critical message,
  • Do not strive for perfection for either the “Report” or the “Management Action Plan”,
  • Reach consensus with management before distribution,
  • Do not be an alarmist,
  • Recommend a remediation plan that is possible, practical, supportable and forward thinking, and
  • Include Value added comments in your report.
slide-47
SLIDE 47

Mgt Action Plan (MAP)

  • Primary Business Unit Accountable.
  • Detail Description of the Management Action Plan (MAP), including funding and resourcing if required.
  • Person accountable for completing the MAP.
  • Date MAP will be completed.
  • Describe the activities in order to prepare users to accept the changes (Change Management Plan)

slide-48
SLIDE 48

File Closure Check List

Checklist columns: Activity, Date, Auditor Sign off, Reviewer Sign off

Planning section

  • Planning memo approved

Execution section

  • All working papers signed off
  • All review notes actioned

Reporting section

  • Opinion criteria completed
  • MAPs have been received
  • Report finalized and distributed

File closure section

  • Survey completed and summarized
  • Electronic files finalized
  • Physical working papers have been filed
  • Observation included in the follow up binder

Budget Analysis

Columns: Actual, Budget, Variance

  • Planning Start Date
  • Audit Report Date
  • Audit Report Issuance Date
  • Total time in hours

slide-49
SLIDE 49
  • Informal vs. formal follow up.
  • Follow-up activity responsibilities defined
  • Provide management with the timeline of the follow up activities.

Follow Up

slide-50
SLIDE 50

Follow up reporting

[Table: Status of Management Action Plan by audit. Columns: Audit, Audit Date, Total Observations, and status counts for Completed, On target, Revise target date, Target date at risk. Rows: Unit 1 (Oct 2012), Unit 2 (Feb 2013) and OVERALL, with quarter labels Q1 - 2013/14 and Q2 - 2013/14.]

slide-51
SLIDE 51
  • Over Committing,
  • Surprise your audience,
  • Not being versed in ERM,
  • Having a non value added audit plan,
  • Continue with status quo,
  • Being reactive and not proactive,
  • Not knowing your audience,
  • Presenting data with our interpretation – Not connecting the dots,
  • Not continually educating,
  • Not being technically current.

Summary – Things NOT to do

slide-52
SLIDE 52
  • Know your audience and build relationship – “Have a seat at the table”. Be a collaborator, not a policeman,
  • Clarify expectations,
  • If possible, audit before the project, not after,
  • Meet, ask questions and get their perspective on audit plan, objectives and timing,
  • Avoid surprises, make sure they know before the CEO,
  • Be fully versed in Enterprise Risk Management, and
  • Listen, learn and improve

Summary – Things You Should Do

slide-53
SLIDE 53

Thank You

Kaveh Rikhtegar, CISA, CPA, CA, CIA Director of Internal Audit Canadian Commercial Corporation krikhtegar@ccc.ca