First Plus Resolutions, Inc. Vicki McIntyre, CIA, CPA Supervisory Committee Communications with...

First Plus Resolutions, Inc. Vicki McIntyre, CIA, CPA

Supervisory Committee Communications with Management

and the Board

Association of Credit Union Internal Auditors June 21, 2012

Vicki A. McIntyre, CIA, CPAVice President, FirstPlus Resolutions, Inc.


Agenda

• Champion the Audit Activity• The Risk-Based Audit Plan• Impact of Resource Limitations• Supervisory Committee Evaluation of

Internal Audit• Supervisory Committee considerations• Top 10 Worst Things You Can Do• Questions?


Champion the Audit Activity

• Know the purpose, authority and responsibility of your audit activity.

• Understand key concepts of governance, risk and control.

• Empower and challenge internal audit to add value.


Definition of Internal Audit

“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”


IA’s Purpose, Authority & Responsibility

• The Audit Activity Charter• Code of Ethics• Independence & reporting lines• Access• Nature of Assurance & Consulting

Services


What is Governance ?

Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

It is the culture, values, mission, structure and layers of processes, policies and measures by which organizations are directed and controlled.


IA’s Role in Governance

IA must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization

• Ensuring effective organizational performance management and accountability

• Communicating risk and control information to appropriate areas of the organization

• Coordinating the activities of and communicating information among the board, external and internal auditors, and management


What is Risk?

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risks to the Internal Audit Activity:• Audit failure• False assurance• Reputation risks


What is Control?

Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.


Hard vs. Soft Controls

• Policies/Procedures• Organizational

Structure• Bureaucracy• Restrictive Formal

Processes

• Competence• Trust• Shared Values• Strong Leadership• High Expectations• Openness• High Ethical

Standards


Empower & Challenge IA to Add Value

• Become more relevant to broader business objectives

• Enhance ability to identify emerging risks

• Improve risk assessment processes• Reduce audit fatigue on the

business


The Risk-Based Audit Plan

• Consider risk appetite levels• Consider organizational risk

management framework• Consult with senior management

and the Board• IA exercises judgment of risks


The Risk-Based Audit Plan

Ask the critical questions:

• What keeps you up at night?• Is IA providing assurance in those areas?• Does IA cover the right things at the right

time?• Can IA identify emerging risks; is the audit

plan flexible enough to provide coverage?• Is IA perceived as a valued business partner?


Are Audit Resources Aligned with Risk?

Root causes of organizations loosing a large percentage of shareholder value in a short period of time:

• 60% - Business or strategic risks• 20% - Operational risks• 15% - Financial risks• 5% - Compliance risks


Impact of Resource Limitations

• Must communicate to senior management and the Board

• Advocate for IA• Be sure resources are effectively

deployed


Impact of Resource Limitations

• Beware of SALY and JELLY(Same as last year & just exactly like last year)

• Beware of pet projects• Beware of isolated concerns of

constituents• Consider management’s

responsibility for monitoring and self-assessment


Evaluation of Internal Audit

• Does the Board have confidence in IA’s assurance activities?• Does the Board believe it is sufficiently and timely informed of

IA’s significant findings?• Does the Board believe IA has the skills and foresight to build

emerging risks into the audit plan?• Does the Board believe the audit plan is sufficiently broad in

scope and executed in a timely manner?• Does management believe audit reports are actionable?• Does management perceive IA as a valued business partner?• Does management believe it gets superior value for its

investment in IA?• Is the Board and management confident of IA’s independence,

objective and fair-minded approach and that IA is empowered and sufficiently staffed and resourced?


Evaluation of Internal Audit

• How well does the IA director respond to probing by the Supervisory Committee?

• How knowledgeable is the IA director in the company’s accounting and financial reporting policies?

• How well does the senior management respect the IA director, and how healthy is the tension between them?

• How well do the external auditors respect the IA director?

• Does the IA director provide adequate assurance in areas requested by the audit committee?

• Is the IA director respected within the auditing profession? Examples would be as a frequent speaker, writing articles, participating in industry organizations, etc.


Supervisory Committee Considerations

• Promote effective Sup Committee functioning; staff with sufficient expertise

• Promote an open, transparent relationship with IA and other organizational control functions

• Consider term limits for committee members• Perform an annual self-assessment• Request candid feedback from the Board and

IA


The Top 10 Worst Things You Can Do……

1) Not being a proactive communicator2) Fail to remain up-to-date on your CU’s

business, the CU industry and IA successful practices

3) Not being aware of your CU’s risk management activities

4) Not having an audit plan that adds value

5) Fail to support IA independence


The Top 10 Worst Things You Can Do……

6) Ineffective evaluation of the Chief Audit Executive; not making a needed change

7) Fail to perform regular self-assessments8) Failure to honor high ethical standards;

integrity, objectivity, confidentiality and competency

9) Fail to deliver bad news to the Board timely10)Paralysis – do nothing - not knowing what to

do when there are serious problems


Questions?


Vicki A. McIntyre, CIA, CPA

FirstPlus Resolutions, Inc.Tustin, CA

714.469.2440

[email protected]


Bibliography

• “Top 10 Worst Things…” adapted from Managing Director of the IA Division of the MIS Training Institute, Joel Kramer’s presentation titled “Best Practices in Educating the Audit Committee.”

• “Are Audit Resources Aligned…” adapted from IIA CEO Richard Chambers’ presentation on the state of the IA profession, IIA So Cal District Conference, Anaheim, CA, 6/4/2012.

• “Evaluation of Internal Audit…” adapted from Alan Siegfried’s (former Chair IIA North American Board) presentation on Audit Committee Expectations of IA-Best Practices

First Plus Resolutions, Inc. Vicki McIntyre, CIA, CPA Supervisory Committee Communications with...

Documents

Transcript of First Plus Resolutions, Inc. Vicki McIntyre, CIA, CPA Supervisory Committee Communications with...