The ABC’s of the Internal Auditing Standards

Ericka F. Kranitz, CPAAndrew RectorMarch 23, 2016

1

Think about…

• What is your biggest challenge?• Given additional resources, what would you

ask for?

2

Today’s Focus

• How do you APPLY the standards to your organization?A

• What are the BASIC activities you should be doing?B

• Are you COMMUNICATING the right information to your board?C

3

Applying the Standards

4

International Professional Practices Framework (IPPF)

5

Mission Statement

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

6

Mandatory Guidance

• Required and essential– Core Principles July 2015– International Standards for the Professional

Practice of Internal Auditing (Standards) 2013– Definition of Internal Auditing– Code of Ethics

7

Core Principles

Demonstrates integrity

Demonstrates competence and due professional care

Is objective and free from undue influence (independent)

Aligns with the strategies, objectives, and risks of the organization

Is appropriately positioned and adequately resourced

8

Core Principles

Demonstrates quality and continuous improvement

Communicates effectively

Provides risk-based assurance

Is insightful, proactive, and future-focused

Promotes organizational improvement

9

Definition of IA

• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

10

Code of Ethics

Promote an ethical culture in the profession

Expectations on behavior

Principles and Rules of Conduct

• Integrity• Objectivity• Confidentiality• Competence

11

Recommended Guidance

• Implementation Guidance– Previously known as “Practice Advisories”– Revisions - next 18 months

• What’s required for Standards• Suggestions on how to show conformance

• Supplemental Guidance • Global Technology Audit Guides (GTAGs)• Guide to the Assessment of IT Risk (GAITs)

12

The Basic Activities

13

Purpose, Authority, and Responsibility

• Defines role• Assurance and consulting• Position and reporting• Functionally and administratively• Unrestricted access to people,

places, information• Clearly state what will and will NOT

do

IA Charter

14

Purpose, Authority, and Responsibility

• Board approves, document in minutes• Revisit regularlyIA Charter

• Role and responsibility for internal audit• Hire and review top audit executive

Audit Committee Charter

• Standard 1010, Model IA and Audit Committee Charters on IIA websiteReference

15

Independence (STD 1110, 1111)

• Functional reporting line for auditOrganization chart

• No interference as to people and audits

Ability to do the job

• Opportunity to meet directly Access to board

• Scope restrictions, access limitationsImpairment

16

Individual Objectivity (STD 1120)

• Impartial and unbiased• Conflicts of interests

– Fact and appearance

• Code of conduct - does one exist– Process to disclose and manage conflicts

• Examples:– Recent employment – Family member

17

Proficiency (STD 1210)

• Evaluate as a group for competency to do job

Knowledge, skills

• CIA, CPA, CISA, CFE, industry specificCertifications

• IIA opportunity• Network with others – leverage resources

Professional associations

• Fraud and ITBasic

knowledge

18

Due Professional Care (STD 1220)

• Prudent person test• Skills needed for audits

– Extent of detail work – Understand risks and complexity– Brainstorm about potential issues– Consider assistance from other state agencies

• Training and development– Profession and industry

19

Quality Assurance and Improvement Program (STDS 1300)

• Internal assessments– Ongoing monitoring of routine practices

• Proper supervision/review • Adhering to checklists, guidelines, internal processes• Monitoring of audit plan

– Are you following your own practices?– Periodic self-assessments

• Measure conformance with Standards• How to document

20

Quality Assurance and Improvement Program

• External Assessment– Once every 5 years– Leverage self-assessment– Independence of review team– Relevant knowledge of your operations– See questionnaire on OSBM site under QAR– Report results to board

21

Annual Audit Plan (STDS 2010, 2020)

Audit Universe – define

Risk based criteria

Audit what’s important

Be realistic – expect the unexpected

Evaluate resources and skills

Communicate to organization

22

Engagement Planning (STD 2200)

Clear scope and objective • Audit Plan – revisit• What you are and are not reviewing• Reasonable timeframe

Consider errors and fraud

Match work with competencies of staff

Review and oversight

Questionnaires – background information

23

Performing the Engagement (STDS 2300)

• Documentation – Ability to reproduce– Standardize - checklists and templates

• Sufficient, relevant, reliable information• Confirm all facts• Adequate review and supervision• Retention - reports and support

– Final copies only

24

Monitoring Progress (STD 2500)

Timely follow-up

Formal closure of audit

Process if don’t pass?

Discuss concerns with management

Include in audit plan if significant

25

• Doing the wrong audits• Mismatch of staff competencies to work• Communication issues – question and confirm

Audit failure

• Clarify what is/not in scope of work• IA role may be vague

False assurance

• Strong IA processes• Continual training and developmentReputational

Risk of IA Activity

26

Communicating the Right Information

27

Communicating Results (STD 2400)

Clearly state objective and scope

Accurate – verify facts with client

Easily understood – basic terms

Concise and complete – relevant, to the point

Acknowledge good work

Distribute to appropriate individuals

28

Communicating Results

• Condition – “what is”• Requirements – “should be”• Cause – how did this happen• Effect – impact and risk

Audit Reports

• What must be provided• Process for requesting and providing

Public records request

29

Board Communications (STDS 1111, 2060, 2600)

Regular communication – each meeting

What do they want?

Status of audit plan vs. actual

Resource requirements or deficiencies

Unacceptable levels of risk

Opportunity to meet 1:1

NO SURPRISES

30

Board Approvals (STD 1110)

• Audit Plan – Significant changes and why

• Charter – revisit regularly • Budget and resource needs

– Training– Staffing– External assistance

31

Think about…

• What is your biggest challenge?• Given additional resources, what would you

ask for?

32

Resources• IIA: https://www.theiia.org

– Template for IA and Audit Committee Charter– Magazine “Internal Auditor”– Members only webinar

• OSBM– Information on IIA membership

• http://www.osbm.nc.gov/management/internal-audit/iia

– Peer review program http://www.osbm.nc.gov/management/internal-audit/qar

33

IIA Webinars

34

Contact Information

• Ericka F. Kranitz, CPA– Director of Compliance Monitoring– ericka.kranitz@duke.edu

• Andrew Rector– Principal Auditor– andrew.rector@duke.edu

35