1. internal audit: an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. Key attributes: independence and objectivity; a systematic and disciplined approach.
2. governance: the process conducted by the board of directors (BOD) to authorize, direct, and oversee management toward the achievement of the organization's objectives. It is the system of rules, practices, and processes by which a company is directed and controlled.
3. risk management: the process conducted by management to understand and deal with uncertainties that could affect the organization's ability to achieve its objectives.
4. control: the process conducted by management to mitigate risks to acceptable levels.
5. assurance: an objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization.
6. consulting: advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibilities.
7. 3 components of the value proposition: assurance, insight, objectivity.
8. insight: the internal auditor acts as a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessment of data and business processes.
9. objectivity: with commitment to integrity and accountability, the internal auditor provides value to governing bodies and senior management as an objective source of independent advice.
10. auditing vs accounting: accounting collects, classifies, summarizes and communicates data, as well as measures and communicates business events and conditions. Auditing also considers business events and conditions but does not have the task of measuring or communicating them; it reviews them for propriety. It is analytical and investigative.
11. risk: the effect of uncertainty on business objectives; risk management refers to the set of coordinated activities to direct and control an organization so as to recognize opportunities while managing negative events.
12. compliance: adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
13. corporate governance: values and goals are established and communicated, accomplishment of goals is monitored, accountability is ensured, and values are preserved.
14. governance umbrella: the board of directors sits at the top; it provides strategic direction and governance oversight.
15. role of the Board in governance: identify the stakeholders of the organization, understand the needs and expectations of the stakeholders, and identify the potential outcomes that would be unacceptable to key stakeholders.
16. different types of outcomes: financial, compliance, operations, strategic.
17. risk appetite: the amount of risk the organization or function is willing to pursue or accept to attain its goals.
18. risk tolerance: the degree of uncertainty that an investor can ACTUALLY handle in regard to a negative change in the value of his or her portfolio.
19. risk owners: individuals who have day-to-day responsibility for ensuring that risk management activities effectively manage risks within the organization's risk tolerance levels.
20. internal auditor's role in governance: the internal audit activity must assess and make appropriate recommendations on how to improve governance.
21. 3 lines of defense for the governing body: 1st line: management controls and internal control measures. 2nd line: financial controller, risk management, compliance, health and safety, environmental, quality assurance. 3rd line: internal audit.
22. SOX Act 2002 Title I: establishment of the PCAOB.
23. SOX Act 2002 Title III: corporate responsibility. The public company audit committee is responsible for oversight of the work of the public accounting firm; audit committee members must be from the board and must not accept money from the company; financial reports are required to be signed by officers, attesting to the accuracy of the financial statements.
24. SOX Act 2002 Title IV: enhanced disclosures: management's assessment of internal controls, a code of ethics, and a requirement that somebody with expertise in the area be able to perform these duties.
25. risk defined by COSO: the possibility that an event will occur and adversely affect the achievement of an objective.
26. 4 categories of risk: strategic, operational, financial reporting, compliance.
27. strategic risk: the risk that the strategic goals of the business fail.
28. operational risk: risk related to the operations, such as manufacturing and inventory.
29. financial reporting risk: the risk that the financial reports are not reliable and accurate; the reliability of the information.
30. compliance risk: legal risk.
31. COSO ERM: applied when setting an organization's strategy; a process that is ongoing and flows throughout the organization.
32. 8 components of ERM: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring.
33. 4 types of objectives: strategic, operational, reporting, compliance objectives.
34. roles of the board of directors for ERM: providing oversight and direction to the organization's management. The board can play a role in strategy setting, formulating high-level objectives, broad-based resource allocation, and shaping the ethical environment.
35. role of management in ERM: all activities regarding ERM. The CEO is ultimately responsible for the effectiveness and success of ERM.
36. 11 principles of ISO 31000: • Creates and protects value. • Is an integral part of all organizational processes. • Is a part of decision making. • Explicitly addresses uncertainty. • Is systematic, structured, and timely. • Is based on the best available information. • Is tailored. • Takes human and cultural factors into account (e.g., health-related issues, different countries' cultures). • Is transparent and inclusive. • Is dynamic, iterative, and responsive to change. • Facilitates continual improvement of the organization.
37. framework of ISO 31000: 1. Mandate and commitment from the board and senior management, to ensure alignment with organizational objectives and commitment of sufficient resources to enable success. 2. Design of the framework for managing risk, which ensures that the foundation is set for an effective risk management process. 3. Implementing the risk management framework and process, to help achieve organizational objectives. 4. Monitoring the framework to determine its ongoing effectiveness. 5. Continually improving the framework to ensure sustainability.
38. process of ERM: establish the context, assess the risks, treat the risks, monitor the risks, and establish a communication and consulting process.
39. residual risk: the risk that is left over after going through the process. If the residual risk is higher than what the company can tolerate, there is an issue, and as an internal auditor you need to inform management that there is a problem.
40. core internal audit role in ERM: give assurance on the risk management process, give assurance that risks are correctly evaluated, evaluate the risk management process, evaluate the reporting of key risks, review the management of key risks.
41. consulting role of the internal auditor in ERM: facilitate identification and evaluation of risks, coach management in responding to risks, coordinate ERM activities, consolidate reporting on risks, maintain and develop the ERM framework.
42. roles the internal auditor SHOULD NOT take on: setting risk appetite, setting risk tolerance, imposing risk management processes, management assurance on risks, implementing risk responses on management's behalf, accountability for risk management.
43. IPPF Framework mandatory guidance: definition, International Standards, Code of Ethics.
44. IPPF Framework strongly recommended guidance: position papers, practice advisories, practice guides.
45. position papers: assist a wide range of interested parties in understanding significant governance, risk, or control issues and delineating the related roles and responsibilities of internal auditing.
46. practice advisories: elaborate on certain issues; they sit in between the position papers and the practice guides. They address the approach, methodology, and considerations, but not detailed processes and procedures.
47. practice guides: detailed guidance for conducting internal audit activities, including the detailed processes and procedures. They show what the issues are and how to attack them.
48. 4 principles of the Code of Ethics: integrity, objectivity, confidentiality, competency.
49. under the integrity principle, the internal auditor shall: perform their work with honesty, diligence, and responsibility; observe the law and make disclosures expected by the law and the profession; not knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession of internal auditing; respect and contribute to the legitimate and ethical objectives of the organization.
50. objectivity for the internal auditor: shall not participate in any activity or relationship that may impair, or be presumed to impair, their unbiased assessment. Shall not accept anything that may impair, or be presumed to impair, their professional judgment (example: a Christmas gift from a client that could impair independence). Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
51. confidentiality: internal auditors respect the value and ownership of information they receive and do not disclose any information without appropriate authority unless there is a legal or professional obligation to do so. • Shall be prudent in the use and protection of information acquired in the course of their duties. • Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
52. competency: internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services, in accordance with the International Standards for the Professional Practice of Internal Auditing. They shall continually improve their proficiency and the effectiveness and quality of their services (CPEs).
53. 3 types of standards: attribute standards, performance standards, implementation standards.
54. attribute standards: address the attributes of organizations and individuals performing internal auditing.
55. standard 1000: purpose, authority, and responsibility, all defined in the internal audit charter. The CAE must review the charter and present it to senior management and the board.
56. internal audit charter: the document that defines the internal audit activity's purpose, authority, and responsibility.
57. standard 1100: independence and objectivity.
58. standard 1200: proficiency and due professional care.
59. proficiency: the knowledge, skills, and other competencies needed to fulfill internal audit responsibilities.
60. due professional care: the care and skill expected of a reasonably prudent and competent internal auditor.
61. standard 1300: quality assurance and improvement program.
62. what performance standards do: describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.
63. implementation standards: expand upon the attribute and performance standards by providing the requirements applicable to assurance (A) or consulting (C) activities.
64. 3 pillars of effective internal audit services: independence and objectivity, proficiency, due professional care.
65. performance standards: describe the nature of internal audit services and provide quality criteria against which the performance of these services can be assessed and measured.
66. 2000 Managing the internal audit activity: the CAE must effectively manage the internal audit activity to ensure that it adds value to the organization.
67. the internal audit activity is effectively managed when: the results of the work achieve the purpose and responsibility of the activity, the activity conforms with the definition of internal auditing and the Standards, and the individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.
68. PS 2100 Nature of work: the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control using a systematic and disciplined approach.
69. PS 2200 Engagement planning: what are the objectives and what do we want to do.
70. PS 2300 Performing the engagement: identifying information, analysis and evaluation, documenting information, engagement supervision.
71. PS 2400 Communicating results: criteria for communicating, quality of communications, errors and omissions, use of "conducted in conformance with the Standards", engagement disclosure of nonconformance, disseminating results, overall opinion.
72. PS 2500 Monitoring progress.
73. PS 2600 Communicating the acceptance of risks: sometimes you find that management is too aggressive with risk; the internal auditor needs to communicate this aggressiveness in the acceptance of risks to the audit committee or board.
74. top-down approach: begins at the high entity level with the organization's objectives as a whole, and then identifies the key processes critical to the success of each of the organization's objectives.
75. bottom-up approach: begins by looking at all processes at the activity level. Such an approach requires each area of the organization to identify and document the business processes in which it is involved.
76. project-operate: represents businesses where projects are completed and then operations begin, such as oil companies drilling oil wells and then running the refineries.
77. project-deliver: represents businesses where projects are completed and then handed over to another business to run, for example building a hotel and handing it over to the hotel's owner. Construction companies are an example of such businesses.
78. questions an internal auditor should ask to understand the key objectives of a process: why does the process exist? how does the process support the organization's strategy and contribute to its success? how are people expected to act? what else does the process do that is important?
79. related documents auditors should look at to understand how inputs and activities combine to generate outputs: process procedural manuals, policies related to the process, job descriptions of the people in the process, process maps that describe the process flow.
80. key performance indicators: provide a standard for performing the job; also provide a way to evaluate performance (meeting a standard).
81. balanced scorecard: develop metrics for every process, so employees know what level it should be at to be successful and how it performs. Employees can tell whether they are doing a good job by seeing whether they are at the standard or not.
82. business process map: used to document the understanding of a business process. It is a high-level business process map that may be accompanied by narrative descriptions explaining the processes and controls. In current process flow diagrams, controls are not depicted.
83. business risk identification: the basic business risk model using the COSO framework.
84. COSO definition of internal control: a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
85. 5 main sections of the COSO framework: control environment, risk assessment, control activities, information and communication, monitoring activities.
86. division levels of COSO: entity, division, operating unit, function.
87. objective levels of COSO: operations, reporting, compliance.
88. 5 principles of the control environment: 1. commitment to integrity and ethical values; 2. independence of the BOD; 3. structures, authorities, and responsibilities are established by management in pursuit of objectives; 4. attract, develop, and retain competent employees; 5. individuals are held accountable for their internal control responsibilities.
89. 4 principles of risk assessment: 1. clear objectives are identified; 2. risks are identified; 3. the potential for fraud is considered; 4. changes that could impact the system are identified and assessed.
90. 3 principles of control activities: 1. the organization selects and develops control activities; 2. selects and develops IT control activities; 3. deploys control activities through policies.
91. 3 principles of information and communication: 1. obtain relevant and quality information; 2. communicate information internally; 3. communicate information externally.
92. 2 principles of monitoring: 1. selects, develops, and performs ongoing and separate evaluations of the controls; 2. communicates deficiencies in a timely manner.
93. control activities: respond to a specific risk, whereas a monitoring activity assesses whether the controls within each of the five components of internal control are operating as intended.
94. monitoring activities: ongoing evaluations built into business processes at different levels of the entity that provide timely information. They vary in scope and frequency.
95. common control activities present in a well-designed system of controls: segregation of incompatible functions, performance review, IT access control activities, documentation, physical access control activities, IT application controls.
96. 3 layers of monitoring activities: 1. everyday activities performed by the management of a given area; 2. non-independent evaluation of internal controls performed by management on a regular basis to identify and resolve any deficiency; 3. independent assessment by an outside area or function.
97. limitations of internal control: no system of internal controls can provide absolute assurance that the organization's objectives have been met.
98. reasons for the limitations of internal control: error or bias in human judgment in decision making, simple processing errors due to human failure, management override, collusion, external events beyond the organization's control.
99. consequences of accepting excessive risk: potential loss of assets, poor or ineffective business decision making, potential non-compliance with laws and regulations, potential for fraud to occur.
100. consequences of implementing excessive internal control: increased bureaucracy, excess cost, unnecessary complexity of controls, increased cycle time, non-value-added activities.
101. types of internal controls: entity level, process level, transaction level.
102. entity level control: a control that operates across an entire entity and, as such, is not bound by, or associated with, individual processes.
103. process level control: an activity that operates within a specific process for the purpose of achieving process level objectives.
104. transaction level control: an activity that reduces risk related to a group or variety of operation-level tasks or transactions within an organization.
105. key control: approval of a voucher for payment; tallying the PO, receiving report, and invoice.
106. secondary control: a third person checks, on a sample basis, whether payments have been made only against genuine vouchers. This could serve as a compensating control.
107. preventive controls: prevent errors from occurring, such as a security camera controlling access to a physical facility, or an access code or password to enter a building. Segregation of duties. Preventing by design.
108. detective controls: reconciliation of accounts; detect errors so they can be fixed. Compensating control: you may not have the main control, but there is another control that can help keep the problem from happening.