1 / 33

Quality Assessments Lessons Learned/Best Practices Thomas A. Johnson, CIA November 13, 2007

Quality Assessments Lessons Learned/Best Practices Thomas A. Johnson, CIA November 13, 2007. Agenda. Requirement Benefits Attributes of a “World-Class” Internal Audit Quality and Quality Assessment Keys to an Effective QA Common Observations Leading Practices. Requirement.

haley-terrell
Download Presentation

Quality Assessments Lessons Learned/Best Practices Thomas A. Johnson, CIA November 13, 2007

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Quality AssessmentsLessons Learned/Best PracticesThomas A. Johnson, CIANovember 13, 2007

  2. Agenda • Requirement • Benefits • Attributes of a “World-Class” Internal Audit • Quality and Quality Assessment • Keys to an Effective QA • Common Observations • Leading Practices

  3. Requirement • IIA Standard 1312- Requires an external assessment be performed by a competent and independent firm at least every 5 years. • Good ‘business practice” to provide an independent evaluation of internal audit as well as identifying potential ways to improve the process. • With Sarbanes-Oxley and other demands placed on Audit Committees and Internal Audit, a Quality Assurance Review serves to provide an assessment that the various Internal Audit responsibilities are being discharged effectively and efficiently.

  4. Benefits • Current State of “Conformance to the Standards”. • Builds stakeholder confidence by showing management’s commitment to quality and leading practices. • Demonstrates that the Audit Committee and Internal Audit are concerned about the success of the organization’s internal controls, governance and risk management processes.

  5. Benefits • PCAOB Audit Standard 2 states “The external auditor may use the work of internal auditors particularly when internal auditors are in compliance with the Standards.” • Observations on benchmarking & identification of successful practices • Recommendations for improvement aimed at adding value to the organization.

  6. Benefits • Identify Expectation Gaps • Among key stakeholder expectations • Current state & desired state of performance • Recommendations aimed at adding value to the organization • Internal marketing tool strengthening credibility and promoting integrity

  7. Attributes of a “World-Class Internal Audit Activity • Empowered & Respected by Management and Board • Objective and Independent • Highly Talented • Risk Focused • Proactive • Technology Driven

  8. Empowered and Respected • Best Reporting Structure • Functionally – Audit Committee • Administratively- CEO • Respected at All Levels • Value-Added Business Advisors • “Out of the box” thinking • Provides effective resources and solutions to business challenges

  9. Objective and Independent • Seen as providing unbiased views of the organization. • Have no real or apparent conflicts of interest • Independent of the activities they audit • “No-No’s” • Designing and installing systems • Drafting of procedures

  10. Highly Talented • Highly talented professionals (certified) with unique combinations of skills & experiences • Hiring and Retention • Rotation in and out • Constantly adding value • Collectively possess the essential skills • Consideration for co-sourcing • Must commit to a program of continuous development

  11. Risk Focused • Allocates Time & Resources Based on Risk • Annual and Long Term Plans • Individual Engagements • Identifies critical risks & exposures before they become significant issues • Shares “lessons learned” across common business units and processes

  12. Proactive • Proactive, not only reactive • Right balance between protecting and enhancing shareholder value • Level of consultative support correlates with the organizations fluidity • E.g., a flat, decentralized organization likely requires significant support in analyzing business risks and transferring company-wide best practices then a highly centralized organization

  13. Technology & Process Driven • Utilizes “state-of-the-art” technology to: • Reduce Risks • Identify potential problems in nearly real time • Increase productivity • Continuously improve the control environment and communications • Be committed to a program of continuous improvement

  14. Foundation of World-Class Audit Departments • The International Standards for the Professional Practice of Internal Auditing and the Code of Ethics are the foundation for all world-class functions.

  15. Quality Components • Adherence to the Code of Ethics • Practicing in accordance with the Standards • Continued Professional Development • Audit Practice is continuous improvement oriented

  16. Quality Assurance • To Evaluate Quality- Objectively measure internal audit process • To maintain Quality- Fully commit to professional growth and development • To ensure Quality- Maintain quality assurance and improvement program

  17. Quality Standards • Internal audit must establish a quality assurance program that includes both: • Ongoing and periodic internal QA’s • External QA a minimum of once every 5 years • Failure precludes IA from using the statement “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.”

  18. Keys to an Effective QA • Understanding the Professional Practices Framework • Awareness and Implementation of the Standards • Internal audit quality programs and initiatives • Leading practices in applying the Standards

  19. Professional Practices Framework • Definition of Internal Auditing • The Code of Ethics • The Standards • Practice Advisories • Topical Index to the Practice Advisories

  20. Purpose of a Quality Assessment • Assess conformance to the Standards • Assess the effectiveness and efficiency of the internal audit activity • Identify opportunities for improvement • Improving performance • Image of the department

  21. Scope of External Assessments • Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements • The expectations of the IA as expressed by the board, executive management and operational management • The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process

  22. Scope (Cont’d) • Tools and techniques • Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement • Determination that the internal audit activity adds value and improves the organization’s operations

  23. Areas of Focus • The Mandate of the IA Activity • The Relationship between IA & the Audit Committee • IA Reporting Lines • Staffing of Internal Audit • Obtaining & Maintaining Competency • Coordination with External Audit • Developing the Internal Audit Plan • Reporting Findings & Recommendations

  24. Areas of Focus • Follow-Up of Corrective Action • Fraud • Internal Quality Program • Sufficiency of IA Resources • Support from Senior Management • Evaluation by the Audit Committee

  25. Common Findings • Charters not current, inadequate and/or misaligned • Lacking support or sponsorship by top management • Department structure issues • Reporting lines • Alignment with the organization • Insufficient business knowledge and/or technology capabilities • Lack of a defined and documented risk assessment

  26. Common Findings • Linkage of risk assessment to plan • Impact of Sar-Box • Lack of external input to risk assessment • Audit Universe Deficiencies • Ineffective resource planning, including training • Inadequate IT Coverage • Limited use of technology • Infrequent management interaction

  27. Common Findings • Lack of Performance Measurements • Failure to Track Auditors’ Time • Inconsistent/Incomplete Work Papers • Lack of a defined and documented Quality Assurance and Improvement Program • Insufficient reporting to the Audit Committee

  28. Leading Practices • Enterprise Risk Assessment • Rigorous and coordinated approach • Assessing all risks that affect the organizations strategic & financial objectives • Risk & Control Self Assessment • Using Control Frameworks (COSO) • Effectiveness & Efficiency of Operations • Reliability of Financial Reporting • Compliance with Laws & Regulations

  29. Leading Practices • Partnering with Management • Risk Assessment & Annual Audit Planning • Long Term Audit Plans • Usually three years • Higher risk areas should be reviewed more frequently within the 3 year plan • Frequent modifications to long term plan • Developing Staff • Goal of 80 hours of training • Stretch Objectives & Performance Measures • Certification

  30. Leading Practices • Communicating More Effectively • User friendly format • Executive summary, with clear concise information and opinion • Regular reporting of issues to the Audit committee • “Marketing” IA function • Brochure • Intranet

  31. Leading Practices • Using Technology • Data extraction and analysis • Fraud detection/prevention • Network security assessment • Automated work-papers • Audit administration tools • Benchmarking • Performance measurements

  32. Questions • ? • ? • ? • ? • ? • ? • ?

  33. Follow-Up Tom Johnson tomjohnson11@msn.com 330-759-0046

More Related