1 Strategies to Maintaining Internal & External Relationships The Institute of Internal Auditors April 13, 2004 Xenia Parker, CIA, CISA, CFSA Principal XLP Associates

2 Agenda Introduction & Overview Xenia Parker, XLP Associates Roles and Responsibilities Tony Tocco, DTE Energy Rating and Ranking Kimberly Gavaletz, Lockheed Martin Changing Relationships Eric Hespenheide, Deloitte Break Q & A

3 Moderator Xenia Ley Parker, CIA, CFSA, CISA

4 For Your Reference See April 1, 2003 Webcast archive, Coordinating Internal and External Audit Work In Meeting Sarbanes-Oxley Requirements –Audit Committee Expectations – Steve Goepfert –Impact on Annual Internal Audit Plan – Kimberly Gavaletz –Reliance on Internal Audit Work – Darryl Briley

5 Practice Advisory 2050 – Coordination with External Providers The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts See also: –2050-1:Coordination –2050-2: Acquisition of External Audit Services

6 Practice Advisory 2060 – Reporting to the Board and Senior Management The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan Reporting should also include significant risk exposures and control issues, corporate governance issues and other matters needed or requested by the board and senior management See also –2060-1: Reporting to Board and Senior Management –2060-2: Relationship with the Audit Committee

7 Upcoming Practice Advisory: Internal Audit’s Role in 302 and 404 of the Sarbanes-Oxley Act The IIA International Professional Issues Committee (PIC) team of Chief Audit Executives (CAE), including those that took part in the November 2003 response to the PCAOB, developed this critical PA The PIC and the Internal Audit Standards Board (IASB) have signed off on the draft Next steps: Executive Committee review and comment Issue the final paper, communicating widely through web site, various IIA publications, etc

8. Practice Advisory Highlights The IIA recognizes organizations will respond differently to the reporting requirements Internal audit will play various roles, especially in the short-term However, this paper describes an ‘ideal’ role for internal audit that best fits within the Standards

9 Internal Audit: Recommended Role Services performed by internal audit may add significant value to the organization in meeting the requirements of SOX Sections 302 and 404 These services should not interfere with the requirement of the Standards for the internal auditor’s independence and objectivity Major areas identified are: –Project oversight –Consulting and project support –On-going monitoring and testing

10 Roles and Responsibilities Anthony M. Tocco, CIA, CFE Assistant General Auditor DTE Energy

11 Sarbanes-Oxley Governance Control Office COSO Framework Central Repository of Data Control Centers Internal Process Control Committee of Management Internal Control Steering Committee of Executives Audit Committee External Auditors

12 Control Office Project Management Office Develop methodology and standards Provide guidance and tools Coordinate 302 and 404 activities Maintain data repository Oversee Quality Assurance (QA) Report status to Steering Committee

13 Internal Audit Provide QA support Provide 302 support Share Risk Assessment/Audit Plan Participate on committees Coordinate work plan

14 Control Process Centers Perform Risk Assessment Document process and procedures Identify key controls and gaps Develop and perform testing Develop and implement remediation Report status to committee Provide QA support

15 Internal Control Committee Oversee Control Center activities Provide guidance Report status to Steering Committee Provides input & review for 302 and 404

16 Internal Control Steering Committee Provide strategic direction Serves as governance body Report status to executive team Report status to audit committee

17 External Auditors Provide certain advisory services Assess progress Attend committee meetings Coordinate work plan Perform testing

18 Rating and Ranking Kimberly Gavaletz VP, Corporate Internal Audit Lockheed Martin

19 Internal Audit’s Ratings & Rankings Before – Sarbanes-Oxley Evolving – With Sarbanes-Oxley

20 Before - Sarbanes-Oxley Decades of Commonly Used –Scope Definitions –Terms –Ratings –Report Distribution Practices –Issue Closure Processes Emerging Practices –Consulting –Value Add Work & Relationships –Trending –Risk Based Auditing Common Language With -Audit Committee -External Auditors -Management -Audit Staff

21 Evolving – With Sarbanes-Oxley Term Definitions Changed –Significant Deficiency, Key Controls, Control Weakness Scopes –Must be in Context of the Whole Reporting –Read Differently –Time Element Imposed Emerging Practices “Morphing” –Consulting & Advisory –Value Add Work & Relationships –Trending (Cautiously) –Risk Based Auditing & ERM Evolving With -Audit Committee -External Auditors -Management -Audit Staff PCAOB, Investors

22 Advice for the Journey Key to Internal Audit’s Success –Being Understood Must Adapt not Abdicate –Requires All of Audit Understanding and Relating to the Overall Context –Requires Letting Go & Updating/Re-tooling Realize that the Journey is Continuous Listen, Learn, Share  Succeed

23 The Changing Relationships Between Internal Audit and External Audit Firms Eric Hespenheide, CPA Global Managing Director Internal Audit Services Deloitte

24 Define Roles and Responsibilities elevated role of internal audit common goals – shared importance policies regarding information sharing align groups and initiatives independence and objectivity

25 Communicate & Coordinate Objectives CAE: key communication facilitator consistent communication between all parties establish regular joint meetings align audit committee agenda share access to workpapers, reports, etc. decide on audit coverage and scope eliminate duplicative work

26 Leverage Resources & Knowledge leverage knowledge exploit your auditor! leverage specific skill sets share schedules, rosters, assignments, etc. share key audit findings

27 Work on Building the Relationship IA and EA: match made in heaven? integrate external providers operate in an “ego-less” environment champion corporate governance focus on the end results and implications

28 Chief Audit Executive Role CAE’s new prominence sets the tone coordinates the parties develops processes communicates with audit committee

29 Develop a Joint Plan achieve effective audit coverage link control issues to financial statement exposure make it work: commitment, communications, continuous improvement maintain objectivity understand business scandals

30 To Get Your CPE Certificate

31 Next Webcast May 11, 2004 “ “ What is Internal Audits Role in Management's Assertion?” See you at our next webcast!

32 Webcast Evaluation