Adding Value
ICGFM Conference May 19, 2011
[1] www.theiia.org/Training
Program Objectives
Program Topics
Unit 1 - Understand the Landscape
Unit 2 - Management Functions and Performance Measures
Unit 3 - International Standards For Performance Audit
Unit 4 - Risk-Based Approach (Case Study)
Unit 5 - Value-for-Money Approach (Case Study)
Unit 6 – Final Thoughts
Working Agreement
P = Participation
O = Openness
S = Sense of fun
E = Enthusiasm
Unit 1
Understand the Landscape
Road Map of
Internal Audit Profession
Road Map of Internal Audit
1941 - Internal Audit, a separate and distinctive discipline.
Modern Internal Audit
About the IIA
• Established in 1941, global
headquarters in Altamonte
Springs, Florida, USA
• Nonprofit professional association
• 170,000 members worldwide
• 103 national institutes worldwide
• Key focus:
– Standards-setting body for internal
auditors
– Professional certifications
– Global research center
– Principal educator
– Global voice for the profession
Definition of Internal Auditing
Images of Internal Auditors
Which metaphor do you like?
• Magnifying glass
• Telescope
• Compass
• Hunting dogs
• Watch dogs
• Policemen
• Consultants
• Eyes and ears of the Audit Committee
Definition of Internal Auditing
Internal Auditing Is
[Diagram labels: Consulting; Objective; Activity; designed to Improve Operations]
Internal Auditing Helps
[Diagram labels: To Improve the Effectiveness of Control Process and Governance Process; To Help Organization accomplish its Objectives]
Performance Audit
Definitions of PA
• INTOSAI: Performance auditing is an independent examination of
the efficiency and effectiveness of government undertakings,
programs, or organizations, with due regard to economy, and
the aim of leading to improvements.
Financial vs. Compliance vs. Performance Auditing
Financial Compliance Performance
What Makes this Performance Audit?
An Example:
“…to determine whether laws, contracts, policies
and procedures have been properly observed and
whether all business transactions were conducted
in accordance with established policies and with
success. In this connection, the auditors are to
make suggestions for the improvement of existing
facilities and procedures, criticisms of contracts
with suggestions for improvement, etc.”
Benefit of
Performance Audit
Benefit of PA – Adding Value
• Relevant
– Focus on the key initiatives
• Flexible
– Define the scope of the audit based
on risk
• Improving organizational performance
• Strengthening governance
• Fraud prevention and detection
• Gaining public trust
Internal Audit Value
Assurance = Governance, Risk Management, Control
Insight = Catalyst, Analyses, Assessments
Objectivity = Integrity, Accountability, Independence
Exercise - Connect the Dots
o o o
o o o
o o o
Think Outside the Box
o o o
o o o
o o o
Unit 2
Management Functions and
Performance Measures
Management Functions
Management
Issues and Concerns
Direct
Management’s Roles
Performance Auditor’s Roles
See through the Eyes of
Management
cy results from the violation of some principle of management or good administration
Three Simple Questions to
Ask Management
Performance Measures
Types of Management
Performance Measures
• INPUTS - Measures of service efforts, e.g., number of
hours, amount of materials.
• OUTPUTS - Measures of service level, e.g., number of
residences served, amount of service provided.
• OUTCOMES - Measures of service accomplishments,
e.g., measures related to program goals, including
effectiveness of quality.
• EFFICIENCY - Measures that relate service efforts to
service accomplishments, e.g., output/unit of input,
productivity indexes.
Principles
One Example –
Five Performance Categories:
• Effectiveness – the degree to which process output
conforms to requirements
• Efficiency – the degree to which the process produces
the output at a minimum cost of resources
• Quality – the degree to which the product or service
meets customer expectations
• Timeliness – the degree to which a unit of work was
done correctly and on time
• Safety – the measure of health and the working
environment of the organization
Unit 3
International Standards
For Performance Audit
Why the Standards Matter
The Standards
Lead Represent
Road Map of Internal Audit
- Changes to the IIA Standards
The IIA’s IPPF
International
Professional
Practices
Framework
AUTHORITATIVE Guidance
Authoritative = Mandatory; Strongly recommended
Code of Ethics
• Integrity
– The integrity of internal auditors establishes trust and thus
provides the basis for reliance on their judgment.
• Objectivity
– Internal auditors exhibit the highest level of professional
objectivity in gathering, evaluating, and communicating
information about the activity or process being examined.
Internal auditors make a balanced assessment of all the
relevant circumstances and are not unduly influenced by
their own interests or by others in forming judgments.
• Confidentiality
– Internal auditors respect the value and ownership of
information they receive and do not disclose information
without appropriate authority unless there is a legal or
professional obligation to do so.
• Competency
– Internal auditors apply the knowledge, skills, and experience
needed in the performance of internal auditing services.
International Standards for
Professional Practice of
Internal Auditing
Importance of the Standards
They define the profession.
They set the bar that every auditor
should comply with.
They give you a reference guide for
how to conduct yourself.
They lay the groundwork, but are
not the ultimate goal.
They give our customers peace of
mind and confidence they’re
getting a quality product.
The International Standards
Mandatory requirements consisting of:
– Statements of basic requirements
for professional practice of
internal auditing
– Interpretations which clarify terms
or concepts within the
Statements.
– Glossary
26 changes effective Jan 2011
Overview of the IIA Standards
Attribute Standards:
Purpose, Authority and Responsibility: 1000
Performance Standards:
Managing the Internal Auditing Activity: 2000
Nature of Work: 2100
Engagement Planning: 2200
Communicating Results: 2400
Important Knowledge for Satisfactory Performance
Of Internal Auditing
2010 IIA Global Internal Audit Study
Who Uses the Standards
Mandatory requirements for 170,000 IIA members and 100,000 Certified
Internal Auditors
• Translated into 21 languages
audit professions)
• Basel Committee on Banking Supervision
IPPF Strongly
Recommended Guidance
Practice Advisories (56)
Address approach, methodology and considerations, but NOT detailed
processes and procedures. Concise and timely guidance to assist internal
auditors in applying Code of Ethics and Standards and promoting good
practices.
Position Papers (2)
IIA statement to assist a wide range of interested parties, including those
not in internal auditing profession, in understanding significant
governance, risk or control issues and delineating related roles and
responsibilities of internal auditing.
Practice Guides (26)
Detailed guidance for conducting internal audit activities. Includes
detailed processes and procedures, such as tools and techniques,
programs, and step-by-step approaches, including examples of
deliverables.
www.theiia.org/guidance
Unit 4
Risk-Based Performance Audit
Performance audit process
The importance of clearly defined business objectives and
associated performance measures (goals) to a
performance audit
Risk assessment using a Risk/Control Matrix methodology
Case Study
Performance Audit Process
• Planning
• Examining and Evaluating Information
• Communicating Results
• Following Up
IIA Standards Related to
Performance Audit Process
Plan Performance Audit
Plan Performance Audit
• Standard 2201 – Planning Considerations: In
planning the engagement, internal auditors must
consider:
– The objectives of the activity being reviewed and the means
by which the activity controls its performance;
– The significant risks to the activity, its objectives,
resources, and operations and the means by which the
potential impact of risk is kept to an acceptable level;
– The adequacy and effectiveness of the activity’s risk
management and control processes compared to a
relevant control framework or model; and
– The opportunities for making significant improvements to
the activity’s risk management and control processes.
Risk-based Performance Audit
Risk Assessment Formula
Identification of Objectives
Objectives are the things an
organization wants to
accomplish.
Objectives should be S.M.A.R.T.
Objectives Cascade
Mission
Vision
What is Risk
• Risks are things that could prevent an
organization from meeting its
objectives.
• IIA definition - Risk is the possibility of an
event occurring that will have an impact
on the achievement of objectives. Risk
is measured in terms of impact and
likelihood.
Business Risk Examples
Focusing on the “Real Risks”
Risk Assessment
[Chart: Total Audit Universe plotted by Impact (vertical axis, L to H) against Likelihood (horizontal axis, L to H), from Low Risk to High Risk]
Risk Responses
Risk Response Strategy
Risk Assessment
- Two perspectives
Inherent (Gross) - BEFORE RISK RESPONSE
Residual (Net) - AFTER RISK RESPONSE
[Diagram labels: Inherent Risk, Responses, Residual Risk]
Exercise: Rain and Umbrella
When it rains, where are Inherent and
Residual Risk (IR and RR)?
When it rains, where are IR and RR?
[Figure: rain-and-umbrella illustration with positions labelled IR, RR and CR]
What is Control
• Controls are things that help meet an
organization's objectives.
Control to Mitigate These Risks
Risk Management and Control
Control - Who Is Responsible
Management is responsible to design,
implement and monitor controls
Internal auditors are responsible to
assess the adequacy and
effectiveness of controls
Risk Control Matrix
Objectives Risk Control
Use RCM to
Plan an audit
Document an audit
Benefits of Risk Control Matrix
• Open-ended
• Disciplined
• Risk-based
• Inclusive
Most organizations modify, delete, and
add columns on the Risk/Control Matrix
to fit their own environment.
Validate the Audit Plan
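[Chart: Total Audit Universe plotted by Impact (vertical axis, L to H) against Likelihood (horizontal axis, L to H), from Low Risk to High Risk, with AUDIT RESOURCES, Special Request and Mandated marked]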
Case Study
State Department of
Fruit and Vegetable
Unit 5
Value for Money Approach
Why Value-for-Money approach?
Three E’s Performance Measures
Difference between Risk-Based and Value-for-Money
approaches
Twelve Attributes for Evaluating Effectiveness
Case Study
Needs for Performance Audit
questions like:
• Do we get value for money?
• Is it possible to spend the money better or more
wisely?
• Are the right things being done?
• If so, are things being done in the right way?
• If not, what are the causes?
Value-for-Money
Audit Performance Measures
– 3E’s
• The principle of ECONOMY is keeping costs low. It requires that
the resources used by the audited entity for its activities shall
be made available in due time, in appropriate quantity and
quality and at the best price.
12 Attributes For
Evaluating Effectiveness
1. Management Direction
2. Relevance
3. Appropriateness
4. Achievement of Intended Results
5. Acceptance
6. Secondary Impacts
7. Costs and Productivity
8. Responsiveness
9. Financial Results
10. Working Environment
11. Protection of Assets
12. Monitoring and Reporting
Conducting Performance Audit
- Planning
• Gather background information on the audit area.
• Understand the organization’s business, objectives,
mission, etc.
• Interview management and staff.
• Use the twelve attributes to scope the audit by looking at
each attribute to choose which are most applicable.
• For the selected attributes, form questions to be
answered during the next phase.
Conducting Performance Audit
- Examining and Evaluating
Conducting Performance Audit
- Reporting and Following Up
Communicating Results Phase
• Issues should be communicated to client throughout the
audit.
• The report is written and presented to the client.
Following Up
• Management implements action items from the report.
Audit assists as required.
Case Study
State Department of
Fruit and Vegetable
Unit 6
Final Thoughts
Summary of What We Discussed
Internal Audit - Today and Tomorrow
Summary
Modern Internal Auditing
Client-focused, value-added service to management and
oversight bodies
Guided by international standards and enhanced emphasis
on quality
Adoption of risk-based methodologies
Consulting service + assurance service
More independence and enhanced stature
Add value to the organization and stronger alignment
More strategic approach to staffing: out-sourcing and co-sourcing
Integration of IT and non-IT audit resources
Enhanced use of technology tools/services
Started to be part of governance structure
Top 5 Internal Audit Activities
Today
• Operational auditing (89% of respondents).
• Audits of compliance with regulatory code (including
privacy) requirements (75% of respondents).
• Auditing of financial risks (72% of respondents).
• Investigations of fraud and irregularities (71% of
respondents).
• Evaluating the effectiveness of control frameworks (i.e.,
using COSO and COBIT) (69 percent of respondents).
What Is Next?
Top Five Imperatives
Performance Audit
Adds Value By
Questions
Guidance@theiia.org
www.theiia.org/guidance