Developing a Successful Integrated Audit Approach September 14, 2010.

1 Developing a Successful Integrated Audit Approach September 14, 2010

2 Topics
Introduction and Perspectives
An Integrated Audit Methodology

3 INTRODUCTION AND PERSPECTIVES Developing a Successful Integrated Audit Approach

4 Defining Integrated Auditing
An audit approach that takes into consideration key areas of risk regardless of type, such as:
– Operations
– Finance and accounting, including fraud
– Information technology and security
– Regulatory/compliance
– Other, tailored to the business

5 Benefits
Audit efficiencies
Comprehensive view of an auditable entity
Consolidated report covering key areas – fewer audits per entity
Enhanced stakeholder perceptions of audit coverage
Improved auditor morale
Accelerated auditor talent
Focused leverage of business knowledge and collaboration across the audit team

6 Challenges
People
– Expanding auditor skill sets to cover all areas while retaining benefits of subject matter expertise
– Helping auditors with different skills communicate and find better ways to work together
Ensuring coverage is “just right”
– Broad enough to cover the key risk areas
– Deep enough where necessary
– Organized sufficiently to avoid “spin-off” audits

7 Prerequisites to an Integrated Approach
Perspective
– Management: operational understanding
– Auditor: process, risk and controls
Core audit skills – the raw materials translate easily!
– Understand/document any process
– Recognize risk where it exists
– Translate across multiple disciplines
IIA body of knowledge
– CIAs are well positioned to help drive an integrated approach

8 Critical Success Factors
Solid enterprise-level and engagement-level risk assessment processes
Scope
– Top-down, bottom-up, aligned with the business
– Includes:
  Material financial exposure
  Possible reputational harm
  Emerging risks and changes
  Management’s operational concerns
– Helps us say “yes, we looked at that”

9 AN INTEGRATED AUDIT METHODOLOGY Developing a Successful Integrated Audit Approach

10 Integrated Audit Methodology(ies!)
There are diverse schools of thought, methodologies, and approaches to integrated auditing – why so many?
– Diversity in business – a desire for a tailored approach and a search for the “one best way”
– Variability in what one believes should be integrated – people, process, technology or parts thereof
– Differences in viewpoint taken: auditor or management
– Inherent need for subject matter expertise
– Timing and logistics for getting audits done

11 Integrated Auditing
People
– Diverse team has an operational center surrounded by relevant subject matter experts
– Auditors with different skills are on the same team AND are actively engaged in evaluating and testing business processes together
Process
– Process view of the operations – key
– Understanding of the business operations – key
– Use risk assessment to drive top-down approach
Technology
– Build a reliable process first, then look to technology to make it more efficient (always)

12 Integrating People
Ensure the integrated audit team is working together – not just sitting in the same room
Offer tools to help
– Formally documented methodology
– A layered, multi-disciplined perspective with a common language
Recognize auditor common ground
– Risk, control, and process orientation
– Control assertions

13 Integrating Process
[Process diagram. Labels: Input, Authorization, Database, Reconciliation, Custody, System, Recording, Output. Assertions shown: Occurrence, Authorization, Completeness, Accuracy; Confidentiality, Availability, Integrity.]
All Other Areas to Overlay:
– Operational efficiencies, including technology aspects
– Regulatory/compliance considerations
– Fraud risk considerations

14 Aligning Control Assertions
IT Auditors: Information security components
– Confidentiality
– Availability
– Integrity
Financial Auditors: Financial statement assertions on transactions
– Occurrence
– Completeness
– Accuracy
– Authorization
– Cutoff
– Classification

15 Integrating People and Process
Training for everyone
Get everyone talking and involved in planning/risk assessment
Drive efficiencies
– Map in-scope risks to key controls in common across all areas
– Drive efficiencies with audit coverage (SOX, SAS 70)
During fieldwork
– Assign testing based on expertise
– Establish periodic checkpoints within the team and an end-to-end quality review process

16 Subject Matter Experts
Question: When is the right time to get subject matter experts involved?
a) During fieldwork when the team gets in a bind
b) During the report writing phase when a question leads to an area that should have been looked at more closely
c) Engagement-level planning and risk assessment

17 INTEGRATING THE AUDIT APPROACH AND RISK ASSESSMENT Developing a Successful Integrated Audit Approach

18 Risk Assessment
Enterprise-Level Risk Assessment: Process to determine the audit plan
– Identify Enterprise Level Risks
– Identify the Audit Universe
– Assess Risk Top-Down
– Assess Risk Bottom-Up
– Prioritize the Quarterly Audit Plan
Engagement-Level Risk Assessment: Process to determine the scope of a specific audit
– Understand the Auditable Entity
– Identify Key Risk Areas
– Map Key Risks to Other Audit Coverage
– Finalize Audit Scope
Integrated Audit Considerations

19 Best Practice: Align coverage with corporate strategy
Enterprise-Level Risk Assessment
– Identify Enterprise Level Risks
– Identify the Audit Universe
– Assess Risk Top-Down
– Assess Risk Bottom-Up
– Prioritize Audit Plan
[Diagram labels: Enterprise-Level Risk Assessment, Corporate Strategy, Objectives, Enterprise Risk, Best Practice]

20 Identify the Audit Universe
Auditable Entity:
– A discrete unit or process
– Horizontal coverage is more efficient
– Level of aggregation is key
Layers Where Controls Reside:
– Entity
– Segment
– Sub-Segment
– Lines of Business
– Process

21 Assess Risk Top-Down
Segments: Corporate, Operating Segment 1, Operating Segment 2, Operating Segment 3, Operating Segment 4, Shared Service Segment
Tier 1 ($x+): Auditable entities 1, 2, 3, 13, 14, 15, 28, 35, 42, 43
Tier 2 ($x-$x): Auditable entities 4, 5, 6, 16, 17, 18, 36, 37, 38, 44, 45
Tier 3 ($x-$x): Auditable entities 7, 8, 9, 19, 20, 21, 22, 23, 24, 39, 40, 41, 46
Tier 4 (<$x): Auditable entities 10, 11, 12, 25, 26, 27, 29, 30, 31, 32, 33, 34, 47

22 Assess Risk – Bottom Up
Traditional Quantitative Approach
Column headings: Segment, Auditable Entity, $, Financial Risk, Compliance and Regulations, Changes in Audit Universe, IT Risk, Average, Availability, Integrity, Confidentiality
Sub-column headings (repeated seven times): Inherent Risk, Residual Risk
Sample row: Operating Segment1, Auditable entity 1, $104333353334533.5

23 Assess Risk – Bottom Up
Qualitative Map to ERM
Column headings: Segment, Auditable Entity, Year Last Audited, Top ERM Risk #1 through Top ERM Risk #10
Sample rows:
– Operating Segment1, Auditable Entity 1, 2010
– Operating Segment1, Auditable Entity 2, 2010

24 Prioritize Audit Plan
Column headings: Tier 1, Auditable Entity, Prior Coverage, Q1 2011, Q2 2011, Q3 2011, Q4 2011
Corporate: Auditable entities 1, 2, 3; prior coverage 2009, 2008, 2007; Audit 1, Audit 3, Audit 7
Operating Segment 1: Auditable entities 13, 14, 15; prior coverage 2009; Audit 2, Audit 4, Audit 10
Operating Segment 3: Auditable entity 28; prior coverage 2010; Audit 5
Operating Segment 4: Auditable entity 35; prior coverage 2008; Audit 6
Shared Service Segment: Auditable entities 42, 43; prior coverage 2009; Audit 8, Audit 9

25 Engagement Level Risk Assessment
Aggregation of cumulative knowledge about the entity
Integrated view
Links to ERM
Don’t forget consideration of fraud risk
Table column headings: Risk Relevance/Significance at this Line of Business; Areas to Test; Covered via other audits?; Test?; Budget-Testing Time; Top 10 ERM High-Level Risk Category; Specific Risk Areas; I; R (rows numbered 1, 2)
I = Inherent Risk: Risk before consideration of controls.
R = Residual Risk: Risk after consideration of controls, e.g. prior audit results and remediation or other issues identified.

26 Source: The ACFE’s 2010 Report on Fraud to the Nations

27 Takeaways
Ground integrated auditing in solid risk assessment from the beginning
Resolve the auditor SME communication barrier once and for all
Expect efficiencies
Leverage existing core auditor skills as a place to start
Align with operations to drive the most value

28 QUESTIONS? Developing a Successful Integrated Audit Approach

29 Contact Information
– Kim Furlin
– 904 357 1611
– kim.furlin@fisglobal.com

