1 / 58

What is Internal Audit’s Role in Management’s Assertion

What is Internal Audit’s Role in Management’s Assertion. The Institute of Internal Auditors May 11, 2004. Xenia Ley Parker, CIA, CISA, CFSA Principal XLP Associates. The IIA Welcomes New President. David A. Richards, CIA, CPA. Agenda. Introduction & Overview

Download Presentation

What is Internal Audit’s Role in Management’s Assertion

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. What is Internal Audit’s Role in Management’s Assertion The Institute of Internal AuditorsMay 11, 2004 Xenia Ley Parker, CIA, CISA, CFSAPrincipalXLP Associates

  2. The IIA Welcomes New President David A. Richards, CIA, CPA

  3. Agenda • Introduction & Overview • Xenia Ley Parker, XLP Associates • Internal Audits Role in SOX • Larry Harrington, Staples • How Solectron Addresses 404 & IT Controls • Norman Marks, Solectron • Internal Audit’s Role • Dennis Drent, Nationwide Insurance • Break • Q & A

  4. What is the Right Role? • Organizations have to find the right process to address Sarbanes-Oxley • Internal Auditors have more than one possible role • Maintaining objectivity and independence is critical, whichever role they take on • There is no one ‘right’ answer

  5. Possible Roles • Consideration of Internal Audit Standards and professional practices • Other sources of information • We’ll look at some of the possible roles • Project management • Consulting • Documentation and testing

  6. Internal Audit’s Role in Sarbanes Oxley 302 & 404 Larry Harrington, CPA Chief Audit Executive Staples

  7. Professional Practices Framework • Definition of Internal Auditing • Ethics & Standards • Practice Advisories • Development & Practice Aids

  8. IIA Whitepaper- Internal Audit Role in Sarbanes Oxley 302 & 404 • Purpose • Summary Role of Management, Audit Committees, and External Auditors • Recommended Role for Internal Audit • Practical Considerations

  9. Purpose of This White Paper Discuss the roles Internal Auditors play today: • Consulting • Monitoring/Testing • Creating the Documentation • Performing the Assessment • Managing the Entire Project Compliance with IIA International Standards • Objectivity • Independence • Evaluation & contribution to improving the company’s risk assessment, control, and governance process

  10. Key Operating Principles • Sarbanes Oxley creates requirements for Audit Committees, management, and external auditors • Management is responsible for implementing the process to meet the requirements of Sarbanes Oxley, not Internal Audit

  11. Roles for Internal Auditors Project Management • Participation on project steering committees • Objectivity and independence is not impaired when effort is limited to evaluation/recommendation/monitoring (e.g. assessment methodology and tools; definition of documentation standards; communicating project status) • Objectivity & independence is impaired when involved in the decision process and the implementation process • Training on project, risk and controls • Objectivity and independence is not impaired when creating or delivering training on these topics • Facilitation between management and external audit

  12. Roles for Internal Auditors • Consulting • Advise on best practices • Objectivity and independence not impaired when advising on documentation standards, tools, or test strategies • Objectivity and independence is not impaired when advising on the design, scope, or testing frequency, or in assessing management’s testing and assessment process • Providing advice control gaps, review management plans for correcting control gaps, and performing follow-ups to ascertain whether control gaps have been adequately addressed does not impair objectivity or independence.

  13. Role For Internal Auditors • Documentation and Testing • Provide IA documentation/create new documentation • Objectivity and independence not impaired if assisting management in documentation because of limited resources • Objectivity and independence is impaired if audit slips into making management decisions • Management owns the design/testing process; however, IA may be asked to help. Objectivity and independence is not impairedwhen IA assists. Objectivity and independence is impaired ifIA makes decisions-control design, effectiveness, what to remediate, etc.

  14. Roles for Internal Auditors • Documentation and Testing (cont.) • Performing a quality assessment review prior to management handoff to external audit does not impair objectivity or independence

  15. Audit Committee Disclosure • Disclosure to the Audit Committee that the internal auditors objectivity or independence has been impaired is required when: • Internal Audit actively participates in making or directing key management decisions • Internal Audit designs, installs, drafts procedures for, or operates such systems • Internal Audit makes key management decisions

  16. Contact Information If you have any questions regarding the Professional Practices Framework or guidance materials or you wish to forward additions, contributions or suggestions e-mail The IIA at: issues@theiia.org

  17. How Solectron Addresses 404 and IT Controls Norman Marks, CPA Vice President, Internal Audit Solectron Corporation

  18. Topics • Internal Audit and §404 in 2004 • The future for Internal Audit and §404 • Assessing the impact of IT control deficiencies

  19. IA and §404 in 2004 • Project led by Corporate Controller • IA consults on controls theory and practice • IA (independent) testing of key controls, incl. mitigating/compensating controls • IA reports on testing results • Provides an opinion by location/function • Controls design & effectiveness • Adequacy of documentation

  20. IA and §404 in 2004 • Retesting of remediated controls • Assessment of deficiencies and identification of mitigating/compensating controls • Impact on overall assessment by management • Member of Disclosure Review Committee • Consider §404 results in §302 assessment, & forming annual IA opinion on internal controls (COSO)

  21. The future for IA and §404 • How will the role of IA change as §404/§302 practices mature? • Integration of §404/§302 testing into audit plan • Impact on the charter of IA within the organization Norman’s opinion

  22. What is the role of IA? “Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

  23. What is the role of IA? • It shouldbe more than financial controls • Financial controls is more than §404

  24. COSO and §404 Financial Reporting Operations Compliance Monitoring Information and Communication Control Activities Risk Assessment Control Environment

  25. §404 COSO and §404 Financial Reporting Operations Compliance Monitoring Information and Communication Control Activities Risk Assessment Control Environment

  26. COSO and §404 Financial Reporting Compliance with laws and regulations Operations

  27. §404 COSO and §404 Financial Reporting Compliance with laws and regulations Operations

  28. Not included in §404: • Management reporting • Matters not material to SEC financials • Partly included in §404: • Controls affecting future periods: • IT security • contingency planning • physical security • fraud • Efficiency of financial reporting §404 COSO and §404 Financial Reporting Compliance with laws and regulations Operations

  29. Future role of IA • §404 work should be integrated into the risk assessment and audit planning process • Don’t limit yourself to §404 • Not even for the next 2 years • You will become defined as only there to do §404 • You will lose your mission and purpose • You will become irrelevant

  30. Future role of IA Audit Committee and senior management: • “We have: • management’s assessment of internal controls • the external auditor’s assessment” • “Why do we also need IA’s opinion?” • “We have survived with a limited IA function” • “Why do we need a full scope one?”

  31. Summary – the future • Define the future role • Don’t limit yourself to §404 • Build an integrated plan, including §404 • Communicate and sell your strategic vision – NOW!

  32. IT control deficiencies Control Assertion Key Control

  33. User procedure Automated process IT control deficiencies Control Assertion Key Control

  34. Test User procedure Automated process IT control deficiencies Control Assertion Key Control

  35. Test User procedure Automated process IT general controls • Development & Maintenance • Operations • Program security IT control deficiencies Control Assertion Key Control

  36. Test User procedure Automated process Test IT general controls • Development & Maintenance • Operations • Program security IT control deficiencies Control Assertion Key Control

  37. Test User procedure Automated process Test IT general controls • Development & Maintenance • Operations • Program security Deficiency IT control deficiencies Control Assertion Key Control

  38. Test User procedure Automated process Test IT general controls • Development & Maintenance • Operations • Program security Deficiency IT control deficiencies Control Assertion Key Control

  39. 1. What is the risk? • Business disruption • Fraud no §404 impact IT Security Deficiencies

  40. 1. What is the risk? • Business disruption • Fraud no §404 impact 2. Could it result in financial reporting error? • No • Yes no §404 impact IT Security Deficiencies

  41. 1. What is the risk? • Business disruption • Fraud no §404 impact 2. Could it result in financial reporting error? • No • Yes no §404 impact 3. Are there detective controls? • Yes • No Test no §404 impact IT Security Deficiencies

  42. 1. What is the risk? • Business disruption • Fraud no §404 impact 2. Could it result in financial reporting error? • No • Yes no §404 impact 3. Are there detective controls? • Yes • No Test no §404 impact 4. Are there compensating controls? • Yes • No Test §404: Assess accounts affected no §404 impact IT Security Deficiencies

  43. Internal Audit’s Role Dennis Drent, CPA Senior Vice President, Office of Internal Audit Nationwide Insurance

  44. Internal Audit “hired” as Section 404 Project Manager by Management with Audit Committee approval IA PMO

  45. Coordinate, consult on or perform documentation, gap analysis and remediation IA PMO

  46. Coordinate, consult on or perform documentation, gap analysis and remediation IA PMO Maintain documentation

  47. Coordinate, consult on or perform documentation, gap analysis and remediation IA PMO Maintain documentation Coordinate quarterly control certification and management verification processes

  48. Coordinate, consult on or perform documentation, gap analysis and remediation IA PMO Maintain documentation Coordinate quarterly control certification and management verification processes Coordinate ongoing gap analysis and remediation

  49. Coordinate, consult on or perform documentation, gap analysis and remediation Coordinate with Legal and Finance and report conclusions to Disclosure and Audit Committees IA PMO Maintain documentation Coordinate quarterly control certification and management verification processes Coordinate ongoing gap analysis and remediation

  50. Perform independent testing of controls providing certification Coordinate, consult on or perform documentation, gap analysis and remediation Coordinate with Legal and Finance and report conclusions to Disclosure and Audit Committees IA PMO Maintain documentation Coordinate quarterly control certification and management verification processes Coordinate ongoing gap analysis and remediation

More Related