8/3/2019 Internal Audit Best Practices
1/56
Nicholas DiMola, Principal
Quality Plus & Associates
8/3/2019 Internal Audit Best Practices
2/56
Internal Audit Best Practices
What makes an EffectiveInternal Audit Function ?
8/3/2019 Internal Audit Best Practices
3/56
Internal Audit Best PracticesAccording to a survey conducted by KPMG, an effective
Internal Audit function is a combination of:
IAs position within the organization
The people and resources that it has to meet itsresponsibilities and challenges
The processes that it uses to assess risk, plan itsactivities and to deliver its results
8/3/2019 Internal Audit Best Practices
4/56
Risk Assessment Process
There is a Strong Link between effective Risk
Assessments and effective Audit Coverage
According to the IIA Standards, IA Groupsshould base their audit plans around riskassessments conducted on an annual ormore frequent basis with input from seniormanagement and the board of directors.
8/3/2019 Internal Audit Best Practices
5/56
Risk Assessment ProcessSteps to Strengthen Risk Assessment Process
Adopt a Process Approach to Risk Assessment and
Audit PlanningSupplement Annual Risk Assessments with more
frequent updates
Leverage prior Audit results
Align and Leverage Risk assessmentsSeek out and Utilize Specialist
Coordinate with other Risk management groups
8/3/2019 Internal Audit Best Practices
6/56
Risk Assessment ProcessAdopt a Process Approach to Risk Assessment and Audit
Planning
Need to keep the Audit Committee and SeniorManagement informed of changes to IAs position onRisk Exposure.
Requires a Process Drive Approach and Flexible Audit
PlanReview changes to the Audit Plan
8/3/2019 Internal Audit Best Practices
7/56
Risk Assessment ProcessSupplement Annual Risk Assessments with
more frequent updates - need to monitor risk
on a regular, on going basis though out theyear.
Leverage prior Audit results learn frompast audits and reach out to key playerswithin the company to strengthen the riskassessment process.
8/3/2019 Internal Audit Best Practices
8/56
Risk Assessment ProcessAlign and Leverage Risk Assessments should use a
common framework to avoid confusion.
Seek Out and Utilize Specialist
IA should use bothinternal and external resources to expand capability incritical business areas, technology and frauddetection.
Coordinate with other Risk Management Groups
important to be knowable of and involved with otherrisk management groups and share informationaccordingly.
8/3/2019 Internal Audit Best Practices
9/56
Risk Assessment ProcessPwC recommends the following check list for IA in its
approach to risk assessments and audit planning
Conduct enterprise level risk assessments at leastannually.
Apply risk based assessment results to thedevelopment of the audit plan and planning audit
engagements.Adopt a formal process to periodically update or revise
risk assessments .
8/3/2019 Internal Audit Best Practices
10/56
Risk Assessment Process Update the audit plan to address the results of the risk
assessment
Conduct a preliminary risk assessment at thebeginning of every internal audit engagement
Keep the Audit Committee informed about IAs viewsof risk the companys emerging or changes to its riskposition.
8/3/2019 Internal Audit Best Practices
11/56
Flexible Audit ApproachObjective :
Shift from a traditional audit process toPartnering with Management to
Enhance Stakeholder Value
8/3/2019 Internal Audit Best Practices
12/56
Flexible Audit ApproachMajor Drivers
Changes to BusinessEnvironment
Greater Expectations
8/3/2019 Internal Audit Best Practices
13/56
Audit PlanCarryover
Cancelled
Deferred
On-Hold
8/3/2019 Internal Audit Best Practices
14/56
Audit Plan
Audit Plan needs to beFlexible -
Not Set in Stone
8/3/2019 Internal Audit Best Practices
15/56
Flexible Audit PlanBroad Functional Areas
Expand Budgets/Drill Down asNeeded
Increase Scope of ProjectsImplementation Assistance
8/3/2019 Internal Audit Best Practices
16/56
Flexible Audit PlanAvailability of Outside Resources
Ability to Respond Quickly
Increase Management Support Capability
Use of Specialist/Experts
Develop In-House Skill Sets
8/3/2019 Internal Audit Best Practices
17/56
Flexible Audit PlanBenefits:Audit Focus on Quality Not Quantity
Reduces Expectation Gap between IA &Management
Empowers Auditors to Define the Scope of Work
More efficient utilization of ResourcesIA can be of Greater assistance to Management
8/3/2019 Internal Audit Best Practices
18/56
Flexible Audit PlanChallenges
Maintain Administrative Control over Audit Plan
Effectively Manage Additional Resources
Incorporate Continuous Business Risk Assessment
Process
8/3/2019 Internal Audit Best Practices
19/56
Flexible Audit PlanSummary
An value added Audit Plan is more a factor of Qualitativeinformation than Quantitative
Audit Plan is more in line with the Needs of theOrganization
The Audit Plan is an Evolving Process
Monitoring and Assessing auditor performance is Critical
8/3/2019 Internal Audit Best Practices
20/56
Audit Reporting
Auditing Reporting Process
Is it Timely and Efficient?
8/3/2019 Internal Audit Best Practices
21/56
Audit ReportingChallenges:
Lengthy Cycle Times
Reports must be Factually Correct butissued Timely
Constant Complaint Audits Take To Long
8/3/2019 Internal Audit Best Practices
22/56
Audit Reporting
Consequences of Lengthy Audit Cycles
Audit results are not timely
Stakeholders dissatisfaction
Inefficient use of audit time
8/3/2019 Internal Audit Best Practices
23/56
Audit ReportingReporting Issues
Ineffective communication with auditee
Delays in writing draft report
Editing process
Quality Control
Delays by Management in Responding
8/3/2019 Internal Audit Best Practices
24/56
Audit ReportingA survey of CAEs have reported that it takes on average
more than a quarter of the audit cycle time to processan audit report.
Delays in getting audit responses
Repetitive re-editingLengthy, narrative-format audit reports
8/3/2019 Internal Audit Best Practices
25/56
Audit ReportingPossible Considerations:
Issue reports without management comments
Use power-point presentations instead of a report
Use a standardized report format
Issue audit findings on a piecemeal basis while the
audit is in progress.Advise senior management and the Audit Committeeof only high risk audit results with all findingscommunicated to the auditee.
8/3/2019 Internal Audit Best Practices
26/56
Audit Reporting
Exception Reporting
Most Relevant findings and issues upfront
Recommendations
8/3/2019 Internal Audit Best Practices
27/56
Audit ReportingUse of Audit Ratings
More IA departments are using audit ratings tocommunicate the significance of audit findings and
overall results.
Why?
8/3/2019 Internal Audit Best Practices
28/56
Audit ReportingAudit Report Ratings
Keys
Rating scheme should fit organizationDevelop and communicate the criteria for assigning audit
ratings
Communicate the basis and rational of the scheme to
Senior Management and the Audit CommitteeHave appropriate report distribution and follow up process
8/3/2019 Internal Audit Best Practices
29/56
Surveys
Performance Agreement
Results to Audit Committee
8/3/2019 Internal Audit Best Practices
30/56
Cost Savings
Efficiency Effectiveness
Assurance Consultative
8/3/2019 Internal Audit Best Practices
31/56
Training and Guidance
8/3/2019 Internal Audit Best Practices
32/56
Contract Audit
Why Audit Contracts ?
8/3/2019 Internal Audit Best Practices
33/56
Contract AuditWhy Audit Contracts?
So you know you got what you paid for!
Strengthen contract terms & conditionsImprove procurement process (contract letting) &
contract administration
Ensure compliance with procurement regulations
Indentify opportunities for cost reductions orsavings
8/3/2019 Internal Audit Best Practices
34/56
Contract AuditContracting Activities3 Major Phases
Pre Award
Contract Performance
Completion & Closeout
8/3/2019 Internal Audit Best Practices
35/56
Contract AuditPre-AwardApproved and Authorized
Terms and scope is clearPrices are fair and reasonable
Rights are included in contract terms
Comply with requirementsFunding is ok
8/3/2019 Internal Audit Best Practices
36/56
Contract AuditContract Performance
Work performed = Scope in contract
Payments = Value received
Deliverables on schedule
Comply with laws environmental and safety
Rights inspect, audit, claims, liquidated damages
8/3/2019 Internal Audit Best Practices
37/56
Contract AuditCompletion and CloseoutScope of work, payments, deliverables comply with
terms of contractUser acceptance
Post performance obligations manuals,
warranties, testing and trainingClaims resolved
Liquidated damages collected
8/3/2019 Internal Audit Best Practices
38/56
Contract AuditExamples of Findings & Results Consultants charged at higher than actual rate
Adding fringe benefit cost to independent contractors
Failure to get allowance for material discounts
Inflated travel cost
$2.5 million recovered form equipment manufacture for using wrong
inflation indexes $13.7 million reduction to a claim due to overstated labor and material
cost
$2.1 million saved for material cost charged but not incurred
8/3/2019 Internal Audit Best Practices
39/56
Building Effective Audit Committee
Relationships
Audit Committees are continuouslyrelying more heavily on Internal Audit
keeping them informed on businessstrategies and risk, oversight andgovernance, and the effectives of
controls.
8/3/2019 Internal Audit Best Practices
40/56
Building Effective Audit Committee
RelationshipsInternal Audit should:
Have access to the Committee
Review with the Committee its audit plan,reports and significant findings
Provide assurance on risk and controls
Position IA as a strategic advisor to theCommittee
Provide an objective set of eyes and ears
8/3/2019 Internal Audit Best Practices
41/56
Building Effective Audit Committee
RelationshipsThe Audit Committee should:
Understands IAs role in the organization
Be involved in the selection and dismissal of the CAE
Be involved in determining the CAEs compensation
Monitor performance of the IAD and require an
external QARKnow the next level of IA management team for
succession planning
8/3/2019 Internal Audit Best Practices
42/56
Who Audits the Auditors?
The Value of External QualityAssessments
8/3/2019 Internal Audit Best Practices
43/56
8/3/2019 Internal Audit Best Practices
44/56
Some Elements of a QAR Staff Information (education, skills, certifications)
Audit Plan Budget to Actual
Audit Cycle Time
Issues and Recommendations Tracking
Customer Satisfaction Survey Staff Meeting
Benchmarking to Best Practices
Training
Work Paper Review (ongoing)
QA Review Action Plan
8/3/2019 Internal Audit Best Practices
45/56
What is the Value of Quality to Internal
Audit ABC Organization
InternalAudit
Executive Level
At this level Internal Audit is notconsidered a valued resource to theOrganization
8/3/2019 Internal Audit Best Practices
46/56
What is the Value of Quality to Internal
Audit ABC Organization
InternalAudit
Executive Level
As the Quality of Internal Audit increases the acceptance atthe Executive Level gets Internal Audit closer
8/3/2019 Internal Audit Best Practices
47/56
What is the Value of Quality to Internal
Audit ABC Organization
Executive Level
InternalAudit
Once Quality is achieved Internal Audit is embraced by the
Executive Level as a valuable resource within the Organization
8/3/2019 Internal Audit Best Practices
48/56
Whos Responsible for the Quality of
Internal Audit? Organization Chief Audit Executive (CAE)
Who will Benefit
Internal Audit Profession IA Stakeholders
(AC, BOD, Regulatory Body, Sr. Mgmt) Internal Auditors
8/3/2019 Internal Audit Best Practices
49/56
External Quality AssessmentObjectives that should be Achieved1) Assess the efficiency and effectiveness of the IA activity in
light of its Charter and the Board and managements
expectations.2) Provide an opinion on IAs conformance to the spirit and
intent of the Standards.
3) Benchmarking and industry comparisons for internal auditing
practices4) Identify and offer recommendations to improve IAs
performance and increase the value added to the AuditCommittee and management.
8/3/2019 Internal Audit Best Practices
50/56
What are the benefits of an external QA?
Expert advice & counsel from practitioners withdecades of experience and broad exposure to thebest IA functions
Sounding Board
Leverage for funding, authority, independence &training
Visibility
Pipeline to the audit committee & seniormanagement
8/3/2019 Internal Audit Best Practices
51/56
Why have an external QA?
Professional credibilityOrganizational credibility
Legal liabilityCompliance with Standards
Continuous improvementAudit Committee oversight
8/3/2019 Internal Audit Best Practices
52/56
Inadequate Quality Assurance &Improvement Program
Consulting omitted from the mission andcharter
Inadequate IT coverage or technical skills
Lack of performance measures
What problems are commonly found?
8/3/2019 Internal Audit Best Practices
53/56
Inappropriate CAE reportingrelationships
Out-of-date charters
Client perception of inadequate auditstaff knowledge
No formalized risk assessmentprocess
What problems are commonly found?
8/3/2019 Internal Audit Best Practices
54/56
Best Practice Make sure you learn something from the QAR
process
Embrace the process as a way to move towardscontinuous improvement
Ask for suggestions to improve the IA department as awhole
Be open-minded
8/3/2019 Internal Audit Best Practices
55/56
SummaryA Best Practice Internal Audit function
should be:
Risk focusedAligned with the business
A source of advise on governance, risk and controls
Adaptable to changeAble to provide coverage where needed
Have sufficient resources to be effective
8/3/2019 Internal Audit Best Practices
56/56
Internal Audit Best PracticesQuestions?
Thank You
Nick DiMola
Quality Plus & Associates
Top Related