1. The Role and Benefits of a State Audit Committee Presented by: Joe Bell, Chief Audit Executive, State of Ohio, OBM Office of Internal Audit Maria Jackson, Assistant Chief Auditor, Information Systems Audit Office of Dave Yost, Ohio Auditor of State

2. 2 Presentation ‘Kickoff’

3. 3 Session Objectives You will learn how: An effective audit committee improves overall governance Coordinated monitoring/auditing improves organizational controls Reducing repeat audit comments allows for more efficient audits and enables auditors to focus on emerging issues

4. 4 Today’s Game Plan

5. 5 An early Penalty – Impact of “Coingate” The IIA’s 3 Lines of Defense Reaching the End Zone – IA Capability Model Building the Audit Team - OIA & SAC Teamwork – AOS & OIA working together

6. 6 Penalty Situation

7. 7 “Coingate”

8. 8 Evolution of Internal Audit in Ohio

9. 9 IIA’s 3 Lines of Defense

10. 10 IIA’s Three Lines of Defense

11. 11 Risk

12. 12 3 Groups Responsible for Risk Management 1.Own & Manage Risks 2.Oversee Risks 3.Provide Independent Assurance

13. 13 1 st Line of Defense: Operational Management Own and Manage Risks Day to Day Performance of Internal controls Responsible for Corrective Actions

14. 14 2 nd Line of Defense: Risk Management & Compliance Functions Ensures the 1 st Line is properly designed, in place, and operating effectively. Risk Management Function Compliance Function Controllership Function

15. 15 3 rd Line of Defense: Internal Audit Provides assurance on effectiveness of governance, risk management, & internal control. High level of independence & objectivity. Broad scope.

16. 16 External Audit & Regulators Outside the Organization Structure Additional Line of Defense when Coordinated Effectively Limited Scope

17. 17 Coordinating the 3 Lines of Defense FIRST LINE OF DEFENSE SECOND LINE OF DEFENSE THIRD LINE OF DEFENSE Risk Owners/Managers Risk Control and Compliance Risk Assurance operating management limited independence reports primarily to management internal audit greater independence reports to governing body

18. 18 Building the Audit Team

19. 19 Building the Audit Team in Ohio

20. Point A - 2007 Decentralized, ad hoc Internal Audit functions in a few agencies. No Audit Committee Many external audit issues. Point B - 2014 Centralized Office of Internal Audit, aligned to IIA Standards Established State Audit Committee Improvement in Internal Control 20

21. 21 Audit Landscape in Ohio OBM Office of Internal Audit State Audit Committee Ohio Auditor of State Ohio Inspector General Federal Oversight Agencies

22. 22 Ohio Reporting Relationships

23. 23 OIA Team Composition TeamNumberCertifications Financial Auditors14CPA – 9 CISA – 7 CIA – 4 CGAP – 5 Information Technology Auditors 9

24. 24 OIA Roles Assurance –Internal and system control effectiveness –Business process effectiveness –Evaluate and improve effectiveness of risk management, control and governance Consulting –Document process maps –New programs, IT systems, and process consulting –Training and education –Business process and internal control design

25. 25 Legal Authority for Office of Internal Audit Ohio Revised Code Section 126.45 created OIA within the Office of Budget and Management. Requires OIA to conduct internal audits of certain state agencies Requires an annual audit plan Requires reporting audit recommendations to the State Audit Committee.

26. 26 State Audit Committee Five member committee meets quarterly Assists Governor and Director of the OBM in oversight responsibilities: –Financial Reporting, –Internal Controls, –Risk Assessment, –Audit Processes, –Compliance: Laws, Rules, & Regulations.

27. 27 Independent State Audit Committee:

28. 28 Audit Committee Composition Chairperson, Governor Appointed, external to state management. Two appointed by the House Speaker, Two appointed by Senate President, Not More Than Two from Same Party Three-year Term, One Reappointment

29. 29 Required SA Committee Expertise At least one member who is Financial Expert Certified Public Accountant Familiar with Governmental Accounting Representative of the Public Familiar with Information Technology

30. 30 Key Functions of Audit Committee 1.Review annual OIA plan 2.Review OIA preliminary reports 3.Review OIA conformance to IIA Standards (Peer Review) 4.Review State of Ohio CAFR 5.Review financial statements with external auditor (Auditor of State)

31. 31 Audit Committee Continuous Improvement Audit Charter – Annual Review Event Calendar – Cover All Responsibilities Meeting Evaluation – Assess content/adequacy Annual Evaluation – OIA Audit Committee Self-evaluation –Financial reporting –OIA –External Audit –Management and Other Reporting

32. 32 OIA Continuous Improvement

33. 33 Reaching the ‘Goal Line’

34. 34 Capability Model: Governance Examples in Practice for Key Process Areas Level 5 - Optimizing  Strategic information and communication strategy advocating independence & authority of internal audit Level 4 - Managed  Legislation/policy requires independent oversight committee  CAE reports directly to oversight committee Level 3 - Integrated  Legislation/policy requiring an oversight committee  Management supports internal audit funding Level 2 - Infrastructure  Organizational policy to allow internal auditors full access to information, assets, and people  Approved internal audit charter Level 1 - Initial  Not applicable; ad hoc and unstructured Adapted from the IIA’s Internal Audit Capability Model (IA-CM) for the Public Sector

35. 35 Teamwork

36. Dave Yost, Ohio Auditor One of five independently elected statewide offices. Four year term, 2 consecutive terms max 36

37. 37 Ohio Auditor of State ORC 117.10 – The Auditor of State shall audit all public offices as provided in this chapter. Audits all public offices – 5800 entities 600 of 800 staff are financial auditors Performs financial audits of state agencies, boards and commissions 37

38. 38 AOS State Region Exclusively audits state agencies Performs financial audits of state agencies, boards and commissions Includes the Information System Audit group (ISA), which analyzes information systems and performs “SOC 1” audits 38

39. 39 Information Systems Audit Group Section of Financial Audit 3 Groups (North, South, State) 26 Auditors Ohio Auditor of State

40. 40 Working together Meet biannually to discuss audit plans and to provide update on current audits. Rely on work completed by OIA. OIA consults with agencies to remediate significant audit comments. OIA uses AOS work for background information.

41. 41 What Gets Measured Gets Done Audit Timelines established and reported on quarterly Audit comment status –Committee may request agency to appear and report on remediation Number of Audit Comments Audit Progress and Difficulties

42. 42

43. 43

44. 44 Benefits Increased Accountability Audits are more timely. Comments are remediated. Controls are improved.

45. 45 Benefits Controls built in to the process instead of after the fact. Greater awareness of the importance of financial reporting and the role of audit. Improved cooperation among auditors.

46. 46 Benefits Improved cooperation between clients and auditors. Increased focus on emerging issues. –ERM –COSO –Cyber Security

47. 47 2 Minute Warning

48. 48 Summary Points A well-designed audit committee enhances effective governance Embracing the ‘3 Lines of Defense’ model promotes an effective and coordinated focus on continuous internal control improvement Transparency and accountability of audit comment remediation leads to more effective and value-added audits

49. 49 Thank You!

50. 50 Contact Information Joe Bell, CPA, CIA, CGAP Chief Audit Executive, State of Ohio OBM Office of Internal Audit Joe.bell@obm.state.oh.us 614.466.1985 http://obm.ohio.gov/InternalAudit/

51. 51 Information Systems Audit State Region 88 East Broad Street Columbus, Ohio 43215 Maria Jackson, CPA, CISA Presenter Phone: (800) 282-0370 Presenter Fax: (614) 466-4490 E-mail: contactus@ohioauditor.govcontactus@ohioauditor.gov mjackson@ohioauditor.gov