operational auditing--spring 2011 1 operational auditing spring 2011 professor bill o’brien
Post on 21-Dec-2015
220 views
TRANSCRIPT
Operational Auditing--Spring 2011 1
Operational Auditing
Spring 2011
Professor Bill O’Brien
Operational Auditing--Spring 20112-2
Managing the Internal Audit Activity
Effective management Establish a risk-based plan Communicate the plan Ensure adequate resources Coordinate services Report on a regular basis Monitor implementation of recommendations
Operational Auditing--Spring 20112-3
Reporting Structure
Solid to Audit Committee
Dotted line to functional and committed executive
Operational Auditing--Spring 20112-4
Planning Activities
Operating plan and financial plan (budget)
Establish goals and objectives Determine overall resources
Operational Auditing--Spring 20112-5
Resource Management
Staffing approaches Flat versus hierarchical Futures’ files
Commitment to training Pathways for career development Co-sourcing and outsourcing
Operational Auditing--Spring 20112-6
Working with External Auditors
Coordinated coverage Cross access to workpapers Exchange of reports Expansion of expertise Facilitation of relationship w/senior mgt.
Operational Auditing--Spring 20112-7
Dealing with the External Auditors
Different objectives Different accountability Different qualifications Different activities
Operational Auditing--Spring 20112-8
Cooperation
Economy Efficiency Effectiveness Advantages for the external auditor
Increases external auditor client insight Improves client relations Rotates emphasis
Advantages for the internal auditor Improves training Source of additional work Increases professional knowledge Independent appraisal source
Compliance with SAS 65 and SAS 99
Operational Auditing--Spring 20112-9
Hints for Starting or Taking Over a Dept.
Report to the Audit Committee or the highest level possible
Avoids conflict of interest Have an administrative manager as well
Establish an agreed upon review approach For example, operations v. compliance
Prepare a set of achievable objectives Commit to IIA standards Establish a team approach with BPOs Invest in continuing education
Operational Auditing--Spring 20112-10
Corporate Governance
Strategic direction Governance oversight
Enterprise risk management Assurance that processes are working
Operational Auditing--Spring 20112-11
Ops. Audit & Governance
Process of overseeing the achievement of objectives
Some elements of good governance Assessing the control environment Serving as an ethics advocate
Operational Auditing--Spring 20112-12
Control Objectives
Staying under control as evidenced by Safeguarding of assets Compliance with laws and regulations Organizational goal & obj. achievement Reliability & integrity of information Economical & efficient use of assets
Expansion of material on 9-19 —20
Operational Auditing--Spring 20112-13
Control Environment
Integrity and ethical values Management philosophy and operating
style Organizational structure Assignment of authority and
responsibility H/R policies and practices Sustained competency of personnel
Operational Auditing--Spring 20112-14
Other Management Issues
Performance metrics Control self assessment
We will cover these in the next class
Operational Auditing--Spring 20112-15
COSO
Committee of Sponsoring Organizations AICPA, IIA, IMA, FEI, AAA Treadway Commission 1992 I/C; 2004 ERM
Control Objectives Compliance with laws and regulations Reliability of financial reporting Effectiveness & efficiency of operations
Operational Auditing--Spring 20112-16
Frameworks
Internal control IC-Integrated Framework (COSO) Guidance on Controls (CoCo) Internal Control Guidance (Turnbull)
Enterprise risk management Australian/New Zealand Std. Risk Mgt. ERM-Integrated Framework (COSO)
Operational Auditing--Spring 20112-17
Integrating COSO-ERM with COSO-I/C
The COSO-ERM Model incorporates rather than replaces the COSO-I/C Model.
-Control Environment-Risk Assessment
Processes-Operational Control
Activities-Information Flow
Systems-Monitoring Activities
COSO APPROACH TO CONTROL
ACHIEVEMENT
-Internal Environment-Objective Setting
-Event Identification-Risk Assessment-Risk Response
-Control Activities-Information & Communication
-Monitoring
COSO-ERMCOMPONENTS
Operational Auditing--Spring 20112-18
Components of I/C
Control environment Risk assessment Control activities Information and communication Monitoring
Operational Auditing--Spring 20112-19
Threats to Control
Management override Open access to assets Form over substance approach Conflict of interest
Operational Auditing--Spring 20112-20
Balancing Risk and Control
Too much risk Loss of assets Poor decision making Potential non-compliance Potential for fraud
Too much control Increased bureaucracy Excess costs Excess cycle-time Increase in non-value added effort
Operational Auditing--Spring 20112-21
Control Activities Segregation of duties Performance reviews Approvals IT access Documentation Physical access IT applications Independent verifications & reconciliations
Operational Auditing--Spring 20112-22
IIA and Control
IIA control objectives: S-C-O-R-E Safeguarding of assets Compliance with laws and regulations Objective and goal achievement Reliability & integrity of information Economical & efficient use of assets
Operational Auditing--Spring 20112-23
Risk Management
Strategy formulation Range of activities Risk = barriers to objective achievement
Operational Auditing--Spring 20112-24
COSO and ERM
COSO 2 cube ERM defined:
“A process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”
Operational Auditing--Spring 20112-25
Remember this Key Point
Risk is BOTH BOTH positive and negative
Operational Auditing--Spring 20112-26
COSO ERM Objectives: S-C-O-R
SStrategic
CCompliance
OOperations
RReporting
Operational Auditing--Spring 20112-27
COSO-ERM Components
Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication Monitoring
Operational Auditing--Spring 20112-28
ERM and Ops. Audit
Provide assurance on risk mgt. Provide assurance of risk evaluation Evaluate risk mgt. processes Evaluate risk reporting Review the mgt. of key risks. See Exhibit 4-4
Operational Auditing--Spring 20112-29
IIA ERM Advisory
Audit plan should be based on risk assessment Audit plan may include the strategic planning
process Audit plan should be updated for significant
changes Audit plan should be prioritized based on risk
likelihood and exposure Audit reporting should convey risk related
conclusions
Operational Auditing--Spring 20112-30
O’Brien’s Suggestions Finance should be involved in active
conceptualconceptual support. Finance should be an implementation
driverdriver. Finance should provide on-going
assessmentassessment of the process. Finance should add insightinsight to ERM and
vice-versa. Finance should assume the role of process
coordinatorcoordinator.
Operational Auditing--Spring 20112-31
Where Do We Go from Here?
Increased demand Increased respect Increased contribution Increased advancement opportunities…
IT’S A GREAT TIME TO BE FOCUSED IT’S A GREAT TIME TO BE FOCUSED ON OPERATIONAL AUDIT ON OPERATIONAL AUDIT OPPORTUNITIES!!!OPPORTUNITIES!!!
Operational Auditing--Spring 20112-32
Systematic Approach
Planning: Selecting the BPO Pre-site planning
Evaluating: Conducting the preliminary survey Review internal controls Expanding tests as necessary Generating findings
Communicating: Reporting the results Conducting follow-up Assessing the process
Note Exh. 2-6 and Exh. 13-4