Internal Audit Quality Assessment Auditoria de Calidad II Congresso Internacional de Finanzas y Auditoria Punta Cana, República Dominicana August 2007 prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit A Changing Profession – Part of ERM Process Every entity, whether for profit or not, exists to realize value for its stakeholder Requires effective risk management (ERM) by all members of the organization: Board of Director provides monitoring, guidance, and direction Management sets the tone at the top, shapes organizational values, principles and policies Manager takes ownership for risk management Chief Risk Officer serves as part of management and is the facilitator and challenger Internal Audit provides objective opinions, information, support and education to board and management prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit The Corporate Governance Cycle Corporate Governance Umbrella STAKEHOLDERS Assurance Activities (Internal and External Auditors) Enterprise Risk Management Process Board of Directors Sr. Management Risk Mgmt. Risk Owners prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Audit Process Evolution Generation “one” = Control Based Auditing with focus on: Compliance with laws and regulations Financial accuracy of account balances Operations of specific controls or procedures Generation “two” = Process Based Auditing to determine the efficiency and effectiveness of key operational processes Generation “three” = Risk Based Auditing Generation “four” = Risk Management Based Auditing prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Audit Process Evolution Criteria Generation “3” Generation “4” Objective Effectiveness of controls and procedures to mitigate key risks Effectiveness of Risk Mgt. activities to achieve objectives and optimize/mitigate risks Approach Identify key business risks and evaluate controls to mitigate risks Understand objectives, identify related risks, understand tolerance levels, identify performance and risk measures and assess risk management effectiveness Generation 3 is from the early 1990's , born out of the fact that external auitors offerred internal audit services, needed to understand business to define scope and justify prices. Late 90's early 2000 the ERM approach was born. Very similar to risk based audit but more focus on "key business objectives, management's tolerance to risk, key risk measures Rsik management based audit is key part of a successfull ERM program prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Audit Process Evolution Criteria Generation “3” Generation “4” Focus Identify controls and procedures that are not operating as needed to mitigate risks Identify gaps between current and desired risk management effectiveness Testing approach Combination of substantive and compliance tests focusing on key risks Same as “3” but focusing only on key objectives and related risks Recommen- dations Relate exceptions or errors to key risks Relate gaps in risk mgt. effectiveness to underlying risks and key bus. objectives prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Internal Auditing’s Value to ERM* Core internal audit role: Give assurance on the risk management process Give assurance that risks are correctly evaluated Evaluate risk management processes Evaluate the reporting of key risks Review the management of key risks * IIA publication, May 2007 “A holistic view of risk” prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Internal Auditing’s Value to ERM* Legitimate internal audit roles with safeguards: Facilitate identification and evaluation of risks Coaching management in responding to risks Coordinating ERM activities Consolidate reporting of risks Maintain and develop the ERM framework Championing establishment of ERM Developing ERM strategy for board approval * IIA publication, May 2007 “A holistic view of risk” prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Internal Auditing’s Value to ERM* Roles internal audit should NOT undertake: Setting the risk appetite Imposing risk management process Management assurance on risks Taking decisions on risk responses Implementing risk responses on management’s behalf Accountability for risk management * IIA publication, May 2007 “A holistic view of risk” prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment Internal Audit is a trusted partner for board and management to fulfill their responsibilities Internal Audit is a reliable source for external auditors to opine on an organization's risk management structure (AS 322) An ongoing assessment of performance, quality of work and depths of the Internal Audit Division is required prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment The International Audit Standards define the need for a quality assurance program Standard 1300 – Quality Assurance and Improvement Program Standard 1320 – Reporting on the Quality Program Standard 1330 – Use of “Conducted in Accordance with the Standards” Standard 1340 – Disclosure of Non Compliance prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – Standard 1300 Chief Audit Executive to develop and maintain a quality assurance and improvement program Must cover all aspects of the audit activity and continuously monitors effectiveness Should include periodic internal and external quality assessment and ongoing internal monitoring Assurance that the internal audit activity is in conformity with the Standards and Code of Ethics prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – The Benefits Other than compliance with the IIA’s Standards, what are some of the added benefits to having an External Quality Assessment? Establishing credibility and endorsing the quality of the internal audit department. Educating internal stakeholders on the workings and abilities of internal audit. Determining the current state of performance. Identifying performance gaps. Presenting solutions to help internal audit increase its “value” to an organization. Providing the means to reinforce or elevate internal audit’s position in the organization prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – Additional Reason PCAOB requires the following "…internal auditors are expected to have greater competence with regard to internal controls over financial reporting than other company personnel. This is particularly true in the case of internal auditors who follow the International Standards for the Professional Practice of Internal Auditing.” prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – The Elements The areas evaluated will vary depending on the scope and objectives of the assessment, but the common areas reviewed include: Departmental structure and organization Risk assessment and engagement planning Staffing skills and experience Information technology management Production and value added Individual work paper files prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – Different Stages Internal Quality Assessment Review: Ongoing reviews of the performance of the IA activity, and Periodic reviews performed through self-assessment External Quality Assessment Review: At least once every five years to be performed by qualified, independent reviewer prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – The Objectives Should include the following objectives: Determine whether or not the IAD’s activity is consistent with charter and meets expectations of management and audit committee Provides insights into the level of audit effectiveness and efficiency Determine whether or not assurance and consulting services apply best practices and add value to the organization’s business processes Provides recommendations for improvements Demonstrates conformity to the Standards prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – Team’s Qualification Level of objectivity Knowledge of the Standards Management skills Technical knowledge in financial, operational, management and technology Professional certification Bank specific knowledge Human relations and communication skills Ability to provide constructive analysis, comments and recommendations for improvement prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – The Process The following methodologies should be used: Review of work quality Audit preparation Risk assessment process Fieldwork process Work paper quality Report writing Communication process with customer Interview with auditor and/or auditee Customer survey with customer who have been audited or the consulting service was performed prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – The Process (Ctd.) The following documents/processes will be reviewed: Departmental structure and organization Risk assessment and engagement planning Staffing skills and experience Information technology management Production and value added Individual work paper files Utilize Performance Measurements (Balanced Score Card) Results need to be documented and reported prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – The Process (Ctd.) Prepare a plan of areas reviewed, covering all type of business line audits (technology, branches, support units, corporate banking, etc.) Review type of engagement, staff assigned, time budget, report issuance date, etc. Use “best internal practices” and identify way to make IAD department aware of those practices Organize internal training sessions if needed Benchmark results against the balance scorecard Prepare report to CAE with improvement suggestions prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – The Process (Ctd.) How to proceed from here? Communicate new initiative to the organization Prepare Balance Scorecard goals Prepare Internal Customer questionnaire Prepare Internal Audit staff questionnaire Prepare IAD activity documentation* Develop review plan for 2007 (it is not possible to review all processes, however, plan should include all businesses Choose one recent audit to initiate process Develop plan to prepare “real time review process” *explained in next page prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment – The Process (Ctd.) IAD activity documentation contents: Audit charter Audit job description Audit practices and procedures manual Organization chart Balance Score Card Audit plan versus actual Financial budget prepared by Erich Schumann; Global Atlantic Partners LLC
Internal Audit Quality Assessment Questions??? Contact: Erich Schumann Global Atlantic Partners LLC Boston, MA, USA Fone: 617 345 0222 E-mail: eschumann@globalatlanticpartners.com Website: www.globalatlanticpartners.com prepared by Erich Schumann; Global Atlantic Partners LLC