
The Role and Value of Internal Audit

The Role and Value of Internal Audit. Association of Credit Union Internal Auditors September 26, 2012. Part I. The Value Proposition in Internal Audit. You Have to Start Someplace Circumstances Change How Do You Define Value?. Duke Pre-2005. 11 Auditors


Presentation Transcript


  1. The Role and Value of Internal Audit Association of Credit Union Internal Auditors September 26, 2012

  2. Part I. The Value Proposition in Internal Audit • You Have to Start Someplace • Circumstances Change • How Do You Define Value?

  3. Duke Pre-2005 • 11 Auditors • Average Longevity in Department - >10 years • Audit Plan • Predictable; rotated every five years • Financial emphasis • Expense reports • Vacation • Expenditures • Time cards

  4. Duke 2005-2008 • 21 Auditors • Average Longevity in Department - < 3 years • No one pre-2005 remained after mid-2006 • Audit Plan • Risk based • Control orientated • Best Practices expected

  5. Duke 2009 • Financial Meltdown • IA budget $1.1 in 2004; $3.3 million 2008 • Cut expenses 18%; Four FTEs • Incorporate operational efficiencies into IA projects

  6. Meltdown Changes • Deliver services that were of most value to Duke • Add operations as important element of each job • Take noise out of reports • Only include important issues • Client service letters • Recommendations no longer only best practice • Effective and efficient • Partner in arriving at recommendation

  7. Duke 2011 • Used ERM risk management heat maps to develop audit plan • Management identified problems • Points out areas to audit because “There is a problem” • IA response – We will facilitate a consulting project to address the issue • Result - Audit plans include over 10 consulting projects in University and Duke Medicine

  8. Duke 2012 • Health System EPIC implementation • University IT • Vertical audits • Same findings – Not telling them what they don’t know • Management not addressing the system issue • IA meets with IT and Management • Agree on IT priorities

  9. Duke 2012 (continued) • Agree on how IA can best support IT priorities • Facilitate • Consult • Audit • IT and Management comment this is of greater value to Duke Medicine • AC approves conceptual change

  10. Part II. A Role for Internal Audit in Governance Activities • Organizational Governance Process • Managing Agendas • Organizational Change

  11. Organizational Governance Process • Audit Committee Charter • Purpose • Authority and Responsibilities • Membership • Operations

  12. Organizational Governance Process • Responsibilities – Best Practices • External Audit • Internal Audit • Financial Reporting • Compliance • Controls and Risk Management • Ethics and Conflict of Interest

  13. Organizational Governance Process • External Audit • Very standard and developed • Focus on risk and judgments

  14. Organizational Governance Process • Internal Audit • Committee role in appointment, evaluation, reassignment, promotion, dismissal of CAE • Private meeting with CAE • Require QAR every five years

  15. Organizational Governance Process • Financial Reporting • Not a public company, so less emphasis • Allows AC to understand and agree with changes management makes to statements • External Auditor involved in the discussion

  16. Organizational Governance Process • Compliance • Annual approval of formal compliance structure • Definition of roles and responsibilities • Governance • Program Development and Oversight • Risk ownership • Audit

  17. Organizational Governance Process • Institutional risks • Approve • Receive monitoring reports • Audit plans • Governmental investigations

  18. Organizational Governance Process • Controls and Risk Management • Controls • Annual management presentation • Focus on significant aspects (systematic; judgments, decentralized environment) • Risk Management • Approve annual process • Receive report from Senior Leadership on strategic risk

  19. Organizational Governance Process • Ethics and Conflict of Interest • Annually revisit Code of Conduct • Annually approve Conflict of Interest process and receive report of process conclusion • Annually receive report on hot line activities

  20. Managing Agendas • Annual Plan • Identify areas of focus for each responsibility • Allocate them to meetings • Tests whether adequate number of meetings are scheduled • Helps organize topics (financial reporting changes with external audit plan) • Allows planning for presenters at future meetings to begin early • Approval by the AC at its last meeting of the year

  21. Managing Agendas • Individual Meeting Agendas • Group items by committee responsibility • Most important items first • Presenter is the owner from management • Background materials • Executive Summary • Context • Level of detail

  22. Managing Agendas • Presentation • High level • Not repetitive of background material • Tees up discussion • Presentation and discussion 50/50 of allocated time (use of board talent) • Questions Only • Reports with nothing of significance to discuss (IA, Compliance) • Last item on the agenda • Use of conference calls

  23. Organizational Change • Perfect Storm • Significant Issue • Management Owner presenting issue and response • Discussion time provided for AC • AC weighs in on management response

  24. Organizational Change • Risk Management Process • Informal in 2005 • Senior Leadership discussion of risk • AC sets future objective • Top Ten • Heat Map • Owner identified • Mitigation strategy • Annually add more to risk management process • Now full COSO model in place

  25. Organizational Change • Patient enrollment in clinical trials • 2010 Problem in one department • AC asks how risk is mitigated in other departments • SOM reports • 2011 Problem exists in second department • SOM revises organizational reporting of clinicians to mitigate risk

  26. Organizational Change • Code of Conduct • No Code of Conduct • 2006 attempt to establish; settled for Statement of Ethical Principles • 2011 Faculty member cited in Senate investigation • COI form incomplete disclosure; Would have prevented being PI in grants

  27. Organizational Change • AC asks about ethics education for faculty • Senior Leadership accepts CAE recommendation to complete Code of Conduct • Six months later approved as part of Statement of Ethical Principles

  28. Organizational Change • Take-Aways • AC role • Assessing management response to risk • Providing time to discuss and consider • Management role • Provide proposed solution • Respond to AC additional concerns

  29. Organizational Change • Internal Audit role • Right agenda items • Work with management to understand their role and AC expectations • Work with management to address AC concerns

  30. QUESTIONS?
