The Role and Value of Internal Audit

The Role and Value of Internal Audit

Association of Credit Union Internal Auditors

September 26, 2012

ACUIA

September 26, 20121

Part I. The Value Proposition in Internal Audit

You Have to Start Someplace Circumstances Change How Do You Define Value?

ACUIA

September 26, 20122

Duke Pre-2005

A. 11 Auditors

B. Average Longevity in Department - >10 years

C. Audit Plan

1. Predictable; rotated every five years

2. Financial emphasis

a) Expense reports

b) Vacation

c) Expenditures

d) Time cards

ACUIA

September 26, 20123

Duke 2005-2008

A. 21 Auditors

B. Average Longevity in Department - < 3 years

C. No one pre-2005 remained after mid-2006

D. Audit Plan

1. Risk based

2. Control orientated

3. Best Practices expected

ACUIA

September 26, 20124

Duke 2009

A. Financial Meltdown

B. IA budget $1.1 in 2004; $3.3 million 2008

C. Cut expenses 18%; Four FTEs

D. Incorporate operational efficiencies into IA projects

ACUIA

September 26, 20125

Meltdown Changes

A. Deliver services that were of most value to Duke

B. Add operations as important element of each job

C. Take noise out of reports

1. Only include important issues

2. Client service letters

D. Recommendations no longer only best practice

1. Effective and efficient

2. Partner in arriving at recommendation

ACUIA

September 26, 20126

Duke 2011

A. Used ERM risk management heat maps to develop audit plan

B. Management identified problems

1. Points out areas to audit because “There is a problem”

2. IA response – We will facilitate a consulting project to address the issue

3. Result - Audit plans include over 10 consulting projects in University and Duke Medicine

ACUIA

September 26, 20127

Duke 2012

A. Health System EPIC implementation

B. University IT

1. Vertical audits

2. Same findings – Not telling them what they don’t know

3. Management not addressing the system issue

C. IA meets with IT and Management

1. Agree on IT priorities

ACUIA

September 26, 20128

Duke 2012 (continued)

2. Agree on how IA can best support IT priorities a) Facilitateb) Consultc) Audit

D. IT and Management comment this is of greater value to Duke Medicine

E. AC approves conceptual change

ACUIA

September 26, 20129

Part II. A Role for Internal Audit in Governance Activities

Organizational Governance Process Managing Agendas Organizational Change

ACUIA

September 26, 201210

Organizational Governance Process

A. Audit Committee Charter

1. Purpose

2. Authority and Responsibilities

3. Membership

4. Operations

ACUIA



B. Responsibilities – Best Practices

1. External Audit

2. Internal Audit

3. Financial Reporting

4. Compliance

5. Controls and Risk Management

6. Ethics and Conflict of Interest

ACUIA



1. External Audit

a) Very standard and developed

b) Focus on risk and judgments

ACUIA



2. Internal Audit

a) Committee role in appointment, evaluation, reassignment, promotion, dismissal of CAE

b) Private meeting with CAE

c) Require QAR every five years

ACUIA



3. Financial Reporting

a) Not a public company, so less emphasis

b) Allows AC to understand and agree with changes management makes to statements

c) External Auditor involved in the discussion

ACUIA



4. Compliance

a) Annual approval of formal compliance structure

i. Definition of roles and responsibilitiesa. Governanceb. Program Development and Oversightc. Risk ownershipd. Audit

ACUIA



b) Institutional risks

i. Approve

ii. Receive monitoring reports

c) Audit plans

d) Governmental investigations

ACUIA



5. Controls and Risk Management

a) Controls

i. Annual management presentation

ii. Focus on significant aspects (systematic; judgments, decentralized environment)

b) Risk Management

i. Approve annual process

ii. Receive report from Senior Leadership on strategic risk

ACUIA



6. Ethics and Conflict of Interest

a) Annually revisit Code of Conduct

b) Annually approve Conflict of Interest process and receive report of process conclusion

c) Annually receive report on hot line activities

ACUIA


Managing Agendas

A. Annual Plan

1. Identify areas of focus for each responsibility

2. Allocate them to meetings

a) Tests whether adequate number of meetings are scheduled

b) Helps organize topics (financial reporting changes with external audit plan)

c) Allows planning for presenters at future meetings to begin early

3. Approval by the AC at its last meeting of the year

ACUIA


Managing Agendas

B. Individual Meeting Agendas

1. Group items by committee responsibility

2. Most important items first

3. Presenter is the owner from management

a) Background materials

i. Executive Summary

ii. Context

iii. Level of detail

ACUIA


Managing Agendasb) Presentation

i. High level

ii. Not repetitive of background material

iii. Tees up discussion

iv. Presentation and discussion 50/50 of allocated time (use of board talent)

4. Questions Only

a) Reports with nothing of significance to discuss (IA, Compliance)

b) Last item on the agenda

5. Use of conference calls

ACUIA


Organizational Change

A. Perfect Storm

1. Significant Issue

2. Management Owner presenting issue and response

3. Discussion time provided for AC

4. AC weighs in on management response

ACUIA


Organizational ChangeB. Risk Management Process

1. Informal in 2005

2. Senior Leadership discussion of risk

3. AC sets future objective

a) Top Ten

b) Heat Map

c) Owner identified

d) Mitigation strategy

4. Annually add more to risk management process

5. Now full COSO model in place

ACUIA



C. Patient enrollment in clinical trials

1. 2010 Problem in one department

2. AC asks how risk is mitigated in other departments

3. SOM reports

4. 2011 Problem exists in second department

5. SOM revises organizational reporting of clinicians to mitigate risk

ACUIA



D. Code of Conduct

1. No Code of Conduct

2. 2006 attempt to establish; settled for Statement of Ethical Principles

3. 2011 Faculty member cited in Senate investigation

4. COI form incomplete disclosure; Would have prevented being PI in grants

ACUIA



5. AC asks about ethic education for faculty

6. Senior Leadership accepts CAE recommendation to complete Code of Conduct

7. Six months later approved as part of Statement of Ethical Principles

ACUIA



E. Take-Aways

1. AC role

a) Assessing management response to risk

b) Providing time to discuss and consider

2. Management role

a) Provide proposed solution

b) Respond to AC additional concerns

ACUIA



3. Internal Audit role

a) Right agenda items

b) Work with management to understand their role and AC expectations

c) Work with management to address AC concerns

ACUIA


QUESTIONS?

The Role and Value of Internal Audit

Documents

Transcript of The Role and Value of Internal Audit