1 Supervisory Committee Communications with Management and the Board
Association of Credit Union Internal Auditors
June 21, 2012
Vicki A. McIntyre, CIA, CPA
Vice President, FirstPlus Resolutions, Inc.
2 Agenda
- Champion the Audit Activity
- The Risk-Based Audit Plan
- Impact of Resource Limitations
- Supervisory Committee Evaluation of Internal Audit
- Supervisory Committee considerations
- Top 10 Worst Things You Can Do
- Questions?
3 Champion the Audit Activity
- Know the purpose, authority and responsibility of your audit activity.
- Understand key concepts of governance, risk and control.
- Empower and challenge internal audit to add value.
4 Definition of Internal Audit “An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
5 IA’s Purpose, Authority & Responsibility
- The Audit Activity Charter
- Code of Ethics
- Independence & reporting lines
- Access
- Nature of Assurance & Consulting Services
6 What is Governance?
Governance is the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
It is the culture, values, mission, structure and layers of processes, policies and measures by which organizations are directed and controlled.
7 IA’s Role in Governance
IA must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization
- Ensuring effective organizational performance management and accountability
- Communicating risk and control information to appropriate areas of the organization
- Coordinating the activities of and communicating information among the board, external and internal auditors, and management
8 What is Risk?
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Risks to the Internal Audit Activity:
- Audit failure
- False assurance
- Reputation risks
9 What is Control?
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
10 Hard vs. Soft Controls
Hard controls:
- Policies/Procedures
- Organizational Structure
- Bureaucracy
- Restrictive Formal Processes
Soft controls:
- Competence
- Trust
- Shared Values
- Strong Leadership
- High Expectations
- Openness
- High Ethical Standards
11 Empower & Challenge IA to Add Value
- Become more relevant to broader business objectives
- Enhance ability to identify emerging risks
- Improve risk assessment processes
- Reduce audit fatigue on the business
12 The Risk-Based Audit Plan
- Consider risk appetite levels
- Consider organizational risk management framework
- Consult with senior management and the Board
- IA exercises judgment of risks
13 The Risk-Based Audit Plan
Ask the critical questions:
- What keeps you up at night?
- Is IA providing assurance in those areas?
- Does IA cover the right things at the right time?
- Can IA identify emerging risks; is the audit plan flexible enough to provide coverage?
- Is IA perceived as a valued business partner?
14 Are Audit Resources Aligned with Risk?
Root causes of organizations losing a large percentage of shareholder value in a short period of time:
- 60% - Business or strategic risks
- 20% - Operational risks
- 15% - Financial risks
- 5% - Compliance risks
15 Impact of Resource Limitations
- Must communicate to senior management and the Board
- Advocate for IA
- Be sure resources are effectively deployed
16 Impact of Resource Limitations
- Beware of SALY and JELLY (Same as last year & just exactly like last year)
- Beware of pet projects
- Beware of isolated concerns of constituents
- Consider management’s responsibility for monitoring and self-assessment
17 Evaluation of Internal Audit
- Does the Board have confidence in IA’s assurance activities?
- Does the Board believe it is sufficiently and timely informed of IA’s significant findings?
- Does the Board believe IA has the skills and foresight to build emerging risks into the audit plan?
- Does the Board believe the audit plan is sufficiently broad in scope and executed in a timely manner?
- Does management believe audit reports are actionable?
- Does management perceive IA as a valued business partner?
- Does management believe it gets superior value for its investment in IA?
- Are the Board and management confident of IA’s independence, objective and fair-minded approach and that IA is empowered and sufficiently staffed and resourced?
18 Evaluation of Internal Audit
- How well does the IA director respond to probing by the Supervisory Committee?
- How knowledgeable is the IA director in the company’s accounting and financial reporting policies?
- How well does the senior management respect the IA director, and how healthy is the tension between them?
- How well do the external auditors respect the IA director?
- Does the IA director provide adequate assurance in areas requested by the audit committee?
- Is the IA director respected within the auditing profession? Examples would be as a frequent speaker, writing articles, participating in industry organizations, etc.
19 Supervisory Committee Considerations
- Promote effective Sup Committee functioning; staff with sufficient expertise
- Promote an open, transparent relationship with IA and other organizational control functions
- Consider term limits for committee members
- Perform an annual self-assessment
- Request candid feedback from the Board and IA
20 The Top 10 Worst Things You Can Do…
- Not being a proactive communicator
- Fail to remain up-to-date on your CU’s business, the CU industry and IA successful practices
- Not being aware of your CU’s risk management activities
- Not having an audit plan that adds value
- Fail to support IA independence
21 The Top 10 Worst Things You Can Do…
- Ineffective evaluation of the Chief Audit Executive; not making a needed change
- Fail to perform regular self-assessments
- Failure to honor high ethical standards; integrity, objectivity, confidentiality and competency
- Fail to deliver bad news to the Board timely
- Paralysis – do nothing - not knowing what to do when there are serious problems
23 Vicki A. McIntyre, CIA, CPA
FirstPlus Resolutions, Inc.
Tustin, CA
24 Bibliography
- “Top 10 Worst Things…” adapted from Managing Director of the IA Division of the MIS Training Institute, Joel Kramer’s presentation titled “Best Practices in Educating the Audit Committee.”
- “Are Audit Resources Aligned…” adapted from IIA CEO Richard Chambers’ presentation on the state of the IA profession, IIA So Cal District Conference, Anaheim, CA, 6/4/2012.
- “Evaluation of Internal Audit…” adapted from Alan Siegfried’s (former Chair IIA North American Board) presentation on Audit Committee Expectations of IA-Best Practices