Post on 13-Aug-2020
1
Beginning the Journey
into Internal Auditing Insights, Stories and Tips for Success
from Expert Practitioners from Across
the World
Bruce Turner AM, CRMA, CISA, CFE
2
PARTICIPATE IN SESSION POLLING and Q&A
• Download the IIA Conferences App to
participate in polling during select
sessions
• Select the session through the
schedule icon and click on the polling
icon
• Ask a member of the Conference Staff
if you need assistance
• You can also go to https://ic.cnf.io/ from
your mobile device web browser
• Submit your questions for the session
or to specific presenters by selecting
the ASK icon
3
My community ‘down under’
Sydney
Harbour (left)
Nepean River (right)
Blue
Mountains (below)
4
Wisdom of a global luminary
“Everyone starting a career should understand the value of
personal branding. We all have a brand, whether we know
it or not. But those who proactively manage that brand will
see their career accelerate faster than those who don’t
manage their brand.”
—Larry Harrington
Chief Audit Executive, U.S.
Past Chairman of IIA Global Board of Directors 2015–2016
5
Long and winding road
21,024,000 minutes
6
Personal branding: storytelling and people listen
Publications
Conferences
Courses and Webinars
Quality Assessment Reviews
48
* Since 2012
31
16
11
7
Wisdom of a global business leader
“A good company delivers excellent products and services,
and a great company does all that and strives to make the
world a better place.”
—Bill Ford Jr., great-grandson of ‘captain of industry’ Henry
Ford and business leader in his own right
8
Personal branding: making the world a better place
Influencing the
broader community
White Ribbon Ambassador
Aboriginal Health & Wellbeing
Maintaining a Local Presence
9
Session context
The twenty-first century has thrown up fresh challenges for
auditors as a consequence of rapid business changes,
global connectivity, emerging technologies, and
increasingly complex economic, regulatory and operating
environments.
But auditors need to first get the basics right …
10
Talking basics …
Process
Objective
Quantity
Just do it!
Mop Head?
Scrubbing?
How Much?
Tools
11
Session objective
Equip new auditors and those
who support them to deliver
upon increasing expectations
of key stakeholders by thinking
beyond the traditional auditing
scope, and having the tools to
do so.
12
Understanding stakeholder expectations
The success in conducting internal audits is highly
dependent on the support and influence of key
stakeholders
Some stakeholders have greater influence than others
Areas of focus for auditors in dealing with stakeholders:
– Become masters in knowing the mission, strategy, objectives, and risks of
your business
– Help stakeholders recognize you understand the business, framing your
communication with them within the context of strategy and objectives
13
Enhancing and protecting organizational value
“Creating a strong business and building a better world are
not conflicting goals—they are both essential ingredients
for long-term success.”
—Bill Ford Jr., great-grandson of ‘captain of industry’ Henry
Ford and business leader in his own right
14
Getting started
15
Polling Question 1
Please open the conference app to participate
16
Polling Question 1
What do you primarily hope to gain from this session?
a. Insights to aid own personal development
b. Knowledge to develop audit colleagues
c. General awareness of auditing and business practices
d. Tips to influence internal audit leaders
e. None of the above
17
18
Session content - expand the thinking … 10 key features
Planning
• Understand the context
• Considering ‘what if’ scenarios
Fieldwork
• Right to audit (third parties)
• Decision-support reporting (spreadsheet risks)
Reporting
• Reporting creatively
• Reporting on financial stewardship
Follow-up
• Reporting useful and meaningful solutions
• Telling the story
Quality
• People – attuned, balanced and credible
• Outcomes – scrutiny of audit workpapers
Content of today’s presentation
Typical elements of the internal audit process
19
Planning – understanding
the context
20
Wisdom of a global luminary
“Master the fundamentals—the business, risk management
(the way it should be, not the way it generally is), and
internal control. Seek to understand why people do the
things they do, the way they do them, and always think
about what would be best for the organization as a whole.”
—Norman Marks
Retired Chief Audit Executive, U.K. and U.S.
Author, Evangelist, and Mentor for Better Run Organizations
21
Environmental scanning is fundamental
Many traditional business models have been disrupted
and won’t recover to their previous form
Understand changing business practices and what that
means for audit coverage
Strive to deliver insights to management that are
relevant to them, timely, and genuinely add value
Be attuned to what’s over the horizon
22
Severe drought
Extreme fire risk
Pole storage
Near Fence
Wild-fires break out
Pristine Forests
Case 1 – Energy company pole yard – field trip
23
Planning … considering
‘what if’ scenarios
24
Controls over currency processing operation
Inherent Risk: Theft of cash. Note: Banknotes are highly liquid.
Strong control environment including:
Impregnable physical security
Movements under triple control
Custodianship under triple control
Senior staff hold keys & combinations
CCTV covers all banknote movements
Auto destruction damaged banknotes
Daily reconciliation of all transactions
Rigorous employee vetting
Code of conduct reminders
Strict segregation of duties
Transactions computerized
Passwords involve triple control
Daily scrutiny of records
Regular surprise cash counts
25
Polling Question 2
Please open the conference app to participate
26
Polling Question 2
How would you rate the residual risk of theft (likelihood) in the currency processing area?
a. Rare
b. Unlikely
c. Possible
d. Likely
e. Almost certain
27
28
Theft of cash … unbelievably it happened!
Source of excerpts: ‘The Age’ and
‘The Herald Sun’ newspapers
29
Controls over currency processing bypassed
Inherent Risk: Theft of cash. Note: Banknotes are highly liquid.
Strong control environment including:
Impregnable physical security
Movements under triple control
Custodianship under triple control
Senior staff hold keys & combinations
CCTV covers all banknote movements
Auto destruction damaged banknotes
Daily reconciliation of all transactions
Rigorous employee vetting
Code of conduct reminders
Strict segregation of duties
Transactions computerized
Passwords involve triple control
Daily scrutiny of records
Regular surprise cash counts
Long-term employee
who was overlooked for
promotion
Stole passwords of 2
workmates; discreetly
watched their keystrokes
Changed paper records
to accord with
transaction; unnoticed
Entered false
destruction transaction
of $100,000
Falsified paper-work so
it ‘looked right’
Dropped physical
banknotes in areas not
covered by CCTV
Retrieved banknotes
later and snuck them out
in loose clothing
Nobody noticed!
Changed destruction
transactions to agree
with computer system
30
Essence of risk-based auditing
Internal auditors must consider inherent risks in a
manner where they always remain alert and
suspicious, apply challenging ‘what if’ scenarios, and
never become complacent.
31
Fieldwork … and a ‘right
to audit’ (third parties)
32
Trust but verify …
Increased outsourcing to third-party providers
o Often non-core and may be low-value/high-volume
o … or requiring specialist expertise
o These are operational risks requiring effective controls
Be cognizant of activities within scope of audit that are
undertaken outside organization
Invoke ‘right to audit’ as part of audit fieldwork
33
Deep dive higher-risk contracts: ‘right to audit’
Third party
security provider
Contract to destroy hardware securely
Escalated reputation and legal
risks
Paying for premium service;
not getting
Case 2 – Obsolete hardware ‘cleaned’ by third party supplier
34
Risk of sensitive information being compromised
Contractor of good repute … but myriad of serious
breaches of critical contractual conditions:
Lax custodianship
Absence of security clearances for contractor’s staff
Untimely destruction
Hardware not separated from other non-secure items
Security bins left open (people could take hardware)
35
Fieldwork … decision-support
reporting (spreadsheet risks)
36
Determining key management reports
Common audit objective is to
review the reliability and
integrity of financial,
operational, and decision-
support information
Requires systematic approach
to determine and rank key
reports
High reliance on spreadsheets
List of Key
Reports
Report Name
Purpose
Report Type
Data Source
Criticality
Often from
spreadsheets
37
Spreadsheet errors are problematic
Global organizations have suffered major reputational
damage due to spreadsheet errors:
o Adverse financial impacts
o Profit overstated by $A10 million; income expectation overstated
by $US15 million; underestimation of profit by 3.5%
o Democratic outcomes compromised
o False election result
o Serious privacy breaches
38
Spreadsheet risks – recent surveys and polls
75% of spreadsheets (of a large number) are ‘business
critical’ … many of the remainder are ‘significant’ for
business management
70% of poll participants confirmed their entities rely
heavily on spreadsheets for critical business needs
BUT 43% have little or no processes to confirm the
spreadsheets are functioning properly
39
Develop List of Key
Reports
Determine future IT solution
Policy and f/work -develop;
use; control
Staff trained in
risks, controls, f/work
Utilize monitoring / checking software
Case 3 – Controlling spreadsheet risks
40
Polling Question 3
Please open the conference app to participate
41
Polling Question 3
How do you rate your IPPF expertise?
a. Expert level – fully apply ALL IPPF elements
b. Highly developed – fully apply audit standards
c. Reasonably familiar – partially apply IPPF / standards in work
d. Developing – know a little about it but really at a ‘novice’ level
e. Have little, limited or no knowledge
42
43
Reporting creatively
44
Creative reporting
Identify observations that need to be addressed by
business
Determine solutions and priorities
Deliver timely reporting
Be guided by organization’s values, mission, strategic
priorities, and risk appetite
Be creative in reporting issues (e.g., photos)
45
Individual observations without analysing reasons a
problem occurred may:
o Miss the underlying reasons
o Restrict insights to narrow operational perspective
Auditors raise insights to a strategic level where they
conduct root cause analysis to determine why the
problem occurred in the first place
Root cause analysis
46
Business Objective
Obsolete Equipment
Oil Creek
Flora and Fauna
Major River
Case 4 – Business practices at odds with business objectives
47
WHY: Manager restricted by ‘budgetary constraints’
WHY: No authority or priority to address problems
WHY: Little grasp of applying company’s safety and
environmental values
WHY: Inherited a poor safety culture
WHY: Manager new to role and never trained in
workplace health, safety and environment priorities
Strategic insights
Root cause analysis typically involves a series of five “why?” questions.
48
Reporting on financial
stewardship
49
Meeting stakeholder expectations
Think outside the box … to
provide foresight
Embrace full ambit of
capability
Transition from delivering
assurance-based outcomes
to delivering insightful,
proactive, and future-
focused outcomes
Value for money using the Four E’s
Shaping different outcomes
Assessing hard and soft controls
50
Value from money derived from Four E’s
Term | Meaning | Example
Efficiency | Using resources well. Producing the maximum output from inputs. | Where cost has been reduced over time.
Effectiveness | Using resources wisely. Achieving objectives as intended. | Where wastage has been reduced over time.
Economy | Using resources economically but still maintaining quality. Minimizing the cost of resources used. | Where supplies of a specific quality are purchased at the best price.
Ethical | Applying resources ethically. Living the corporate values of honesty and integrity (or similar). | Where integrity and ethical behavior is evident throughout all phases of the process.
51
Delivering different financial audit outcomes
Assurance-Based | Insights (Insightful, Proactive, Future-Focused Outcomes)
Revenue and expenditure cycles | Accounts payable audit … extend analysis into metrics, like average processing costs, in order to present benchmarking as part of audit report
Procurement and contract audits | Audits of significant contracts … extend analysis onto supply chain and periodic (at least annual) review of contractor’s continued reputation, service quality, and creditworthiness
Major contracts execution | Potentially an independent observer on selection panel for major contracts
Reasonableness of delegations and segregation of duties | For business efficiency … balance the authorization controls (e.g., delegations and segregation) against potential processing bottlenecks
52
Hard controls and soft controls equally valuable
Hard controls are tangible, involve explicit
activities, and are usually objective.
Examples: locks, authorizations, approvals,
delegations of authority, verifications,
reconciliations, segregation of duties, and
performance reviews.
Hard controls
Soft controls
Overall opinion
Soft controls are intangible in nature and
include things like culture, tone at the top,
living shared values, morale, integrity, trust,
and empowerment. They are typically
subjective and reflect implicit attitudes.
53
Follow-up – reporting useful
and meaningful solutions
54
Reporting is structured … but flair is encouraged
Audit Report
Background information, risk
profile, audit objectives, and
scope (from engagement plan)
Audit opinion (determined by the
team leader in consultation with
the auditors)
Holistic root cause analysis (based on
analysis of observations
undertaken by the team as a whole)
Action plan (i.e. summary of
recommendations once management
comments are received)
Details of reportable
observations and recommendations (determined from
fieldwork)
55
Audit reporting
Typically primary means of communicating outcomes
Reflects observations, opinions, and recommendations
Stakeholders more discerning … want reports that are:
o Easy to read, get to point, tell a story, provide opinions
o Clear, concise, and address agreed audit objectives
Value is added to an organization and stakeholders when
audit recommendations are implemented
56
Delivering insights that help the business
Punitive:
“Gotcha”
Mindset
Educative:
Cooperative
Mindset
Less
valued
insights
More
valued
insights
57
Follow-up - ‘Telling the
Story’
58
Reporting on recommendations … beyond mundane
Detailed
view
Telling the
story
Low
value
High
value
Insights that
help the
business
59
Report on open recommendations – detail view
Short covering paper (if any), essentially:
“We are required to follow-up recommendations under
auditing standards; here is a list of all the audit
recommendations”
Detailed list of ALL recommendations with their status
LOW VALUE: Barely meets basic requirements of audit
committee
60
Report on open recommendations – tell the story
Opinion on management’s overall level of commitment to
Insights on any positive improvement from implementation
Validation of implementation of higher-risk recommendations
Commentary on at-risk recommendations, including original
and revised targeted completion dates and comments on action
Graphs illustrating different lenses of overdue
recommendations
o Risk ratings (high, medium, low). Ageing of periods overdue.
Business area.
61
Report open recommendations – tell story (cont’d)
Trends (3 to 5 years) of actions opened, closed, on track,
completed on time, overdue, and total number currently open
Trends and/or graphs on recommendations being raised applied
against different business risk categories
List of open recommendations (in full or part) as an attachment
HIGH VALUE: Meets basic requirements of audit committee, and
helps to provide risk-based and objective assurance, advice, and
insights (i.e., ‘value proposition’).
62
Quality people – attuned,
balanced and credible
63
Polling Question 4
Please open the conference app to participate
64
Polling Question 4
What is your experience in having a mentor (through formal program, informal arrangement, or both)?
a. Found it very worthwhile; would highly recommend
b. It was somewhat helpful; would recommend
c. Not sure just yet (neutral)
d. Not a good experience; would not recommend
e. Never had a mentor
65
66
Wisdom of a global luminary
“After more than twenty years of experience as an internal
auditor and as a chief audit executive, my personal advice
to a newcomer will be to find a mentor … willing to provide
you with regular feedback and advice … your personal role
model for your career as an internal auditor!”
—Angela Witzany
Head of Internal Audit, Austria
Past Chairman of IIA Global Board of Directors 2016–2017
67
Common approaches to performance development
Performance Insights
Annual Reviews
Engagement Feedback
Probationary Reviews
Informal Feedback
Coach or Mentor
Profiling
Professional Development
Developing an
Auditor’s Skillset
Feedback on Auditor’s
Performance
68
The ABCs of auditing
In the eyes of an experienced audit committee chair:
“Some internal auditors have good process developed
into an art form where the process is perfect but nothing is
ever discovered.”
Attuned
Knows the business and
what needs audit focus
Balanced
Applies a balanced approach
to provide valued insights
Credible
Regarded as credible in
the eyes of stakeholders
Value Added
Going beyond the process is as easy as ABC …
69
Transforming from hindsight to insight … then foresight
Foresight
o Helping organizations prepare for the future
Insight
o Risks facing organization and control assurance in the here and now
Hindsight
o Assessing what happened in the past to provide control assurance
Source: Sawyer’s Internal Auditing, 7th edition
70
Quality outcomes - scrutiny of
audit workpapers
71
Protecting an internal audit asset
One of internal audit’s major assets is its credibility with
stakeholders
It’s protected through ongoing monitoring of quality
There’s a need for quality control across all audit phases
Quality of Planning
Quality of Fieldwork
Quality of Reporting
72
Maintaining internal audit credibility
Audit workpapers need to be prepared to withstand
intense external scrutiny
Purpose and intensity of external scrutineer reviews can
be quite diverse
Can represent a relatively high risk to organization’s
brand and reputation of its senior management
73
Range of external scrutineers
• External auditors
• Regulatory auditors (industry specific)
• External quality assessors
Routine
• Regulatory review
• Parliament committee
• Corruption inquiry
• Taxation compliance review
Stipulated
• Special or royal commission of inquiry
• Coronial enquiry
• Federal or state investigation
• Fraud investigation
Special
74
Closing
75
Wisdom of a global luminary
“Aspiring internal auditors must be able to look beyond
today’s concerns to what future demands and changes
might be. Organisations continue to demand more value
from internal audit, more insight into the affairs of the
business and an improved level of assistance around
control optimisation.”
—Anton van Wyk
Partner Big 4 Firm, South Africa
Past Chairman of IIA Global Board of Directors 2014–15
76
Must get basics right before tackling challenges
Artificial Intelligence
Conversational Commerce
Big Data Analytics
Internet of Things
Biometrics
Robotic Process
Automation
Blockchain
77
Wisdom of a global luminary
“Have an insatiable curiosity and do not be afraid to ask
questions. Rudyard Kipling said it best in his book The
Elephant’s Child – ‘I keep six honest serving-men: (They
taught me all I knew). Their names are What and Where
and When and How and Why and Who.’”
—Paul Sobel
Chief Audit Executive, U.S.
Past Chairman of IIA Global Board of Directors 2013–2014
78
Unleashing the power of storytelling
20 chapters covering the who, why, how, when,
what, and where of auditing
> 50 contributors from across the world
> 140 terms explained in comprehensive
glossary
≃ 70 exhibits with practical examples and
diagrams
> 50 references to useful published materials
36 stories on practitioner’s ‘favorite audits ever’
20 insights on ‘what practitioners love about
internal audit’
79
Wisdom of a global luminary
“I had the best job in America. Every single day was
interesting, rewarding, and sometimes just plain fun.”
—Barbara Bush
Former First Lady, United States 1989–93
—Many successful internal auditors would reflect this
same sentiment!!!
80
There has never been a better
time to be an internal auditor!
Questions
81
TELL US WHAT YOU THINK!
Evaluate this session right in the
IIA Conference App!
Not using the conference app?
Visit: ic.cnf.io to complete
your session evaluations.