Supervisory Committee Expectations of Internal Audit

Alan N. Siegfried, MBA, CPA, CIA, CISA,

CRMA, CCSA, CFSA, CGMA, CITP, CBA, CSP

Theresa M. Grafenstine, CPA, CIA, CGAP, CISA, CGEIT, CRISC, CGMA

June 18, 2014

Alan Siegfried Professional Bio • Principal and Managing Director, Quetzal GRC, LLC

• Over 30 years of private and public sector experience in accounting, internal auditing, risk management, internal controls, information technology auditing processes, operations, and business processes and strategy

• Board and Audit Committee member Bon Secours Health System, Audit Committee member UNICEF

• Former Internal Audit Partner at Ernst & Young, Deloitte and Grant Thornton

• Former Director of Internal Audit Bank-Fund Staff FCU

• Former Auditor General Inter-American Development Bank and Chief Audit Executive First Maryland Bancorp

• Former Chairman of Board and member of the IIA’s North American Board and member of the IIA’s Professional Certification Board

• Widely published and frequent speaker at international internal auditing and risk management events, teach graduate internal audit courses U of MD

• Holds 11 professional auditing, risk management and accounting related designations and certifications

Theresa M. Grafenstine Professional Bio

• Inspector General, U.S. House of Representatives

• Over 20 years of public and non-profit sector experience in accounting, internal auditing, risk management, internal controls, information technology auditing processes, operations, and business processes

• Supervisory Committee member Pentagon Federal Credit Union

• ISACA International Vice President and Chair of Relations Board

• Incoming AICPA Board of Directors member, member of Governing Council

• Director of the Standards and Accreditation Council and the Global Industry Council for the International Professional Practice Partnership (IP3)

• Advisory Committee member, IIA’s American Center for Government Auditing

• Holds 7 professional auditing, risk management and accounting related designations and certifications

Agenda

• Part 1 - The Continuum - Where are you?

• The Challenge?

• The Cause - Victims of our Own Success?

• The Impact – Departure from Risk-Based Auditing

• Strategy for Rebalancing

• Current Trends in Internal Audit Oversight

• Leading Practices in Internal Audit – Audit Committee Relationships

• Audit Committee Evaluation of Internal Audit

• Part 2 - Panel Discussion – Supervisory Committee Expectations of Internal Audit (Theresa and Alan)

• Questions

Revisit the Risk Assessment

• Redefine Risk Assessment

– Increase transparency of process

– Overall Ranking/prioritization methodology

– Ensure top-down approach

– Align with strategic plan

Guide your Organization to a

balanced response or focus towards various risk categories

Revalidate Stakeholder Expectations

Balanced Value

Protection Value

Enhancement Internal Audit Functional Focus

Relative Risk Coverage Limited Comprehensive Financial Risk

Management

ERM

Transaction Focus

Controls

Recommendations

Process

Improvements

Collaborating

With management

Enabling

Risk & Control

Self -Assessment

Financial/Compliance

Auditing Fraud

Detection Process Analysis

& Best practices

Risk

Consulting

Continuous Risk

Management

•Ensure IA is tailored to address stakeholder needs and are supported by effective process/tools/resources

Align Resources, Budget, and Staff Skills

• Internal audit resources constrained

• Equates to constrained capacity

• Permanent resource increases may not be an option

• Capacity multipliers enhance productivity

– Strategic sourcing

– Technology

– Guest Auditors

Capacity Multipliers: Streamlined Processes

• Many Internal Audit processes are not cost beneficial

• Capacity is further constrained

• Additional consequences:

- Excessive cycle time

- Outdated audit results

- Diminishing value

- Stakeholder Dissatisfaction

Processes to Target

1. Audit planning

2. Audit program

3. Documentation and review

4. Reporting

5. Monitoring and follow up

Capacity Multipliers: Technology

• Technologies can greatly improve internal audit’s

- Efficiency

- Quality

- Value

• Capacity multiplying technology solutions

- Data analysis software

- Internal audit infrastructure software

- Best-practice knowledge database

• Re-articulate the Charter

- Alignment with stakeholders

Value drivers and internal audit value proposition

- Key mechanism to codify relationship

• Measured Results

- Develop balance scorecard of KPIs and KRIs

Measures are an essential component of

managing the effectiveness of a

process (drivers) as well as the performance

(results)

Formalize & Measure

Indications of Robust Communications between CAE/IA & SC

• Answers questions fully and promptly

• Provides factual information to support responses

• Admits when it does not know the answer

• Supports the audit committee by contacting additional relevant resources and specialist

• Is easily accessible

• Reaches out regularly to the audit committee

• Advises the committee of significant transactions or issues in a timely manner

• Asks for audit committee input in advance of key decisions

Audit Committee Oversight of IA

2013 - Reviewed

At least Annually

2000

Charter 59% 77%

Operation Independence 79% 77%

Annual IA Plan 100% 93%

Changes To IA Plan 97% 67%

Adequacy of staffing levels 97% 90%

Adequacy of skill set and staff

qualifications

90% 61%

Budget 86% 58%

Internal Audit Director/CAE Reporting

Functionality

Audit Committee Chair 74%

CFO 14%

CEO 6%

Administrative

CFO 42%

CEO 36%

General Council 5%

Chief risk officer 9%

President or other position 8%

Trends From Recent Internal Audit Survey

• The Role of Internal Audit in Today’s Market Place

• Internal Audit in the Overall Risk Management Structure

• Internal Audit Risk Assessment Process

• Fraud Detection and Prevention

• Continued Shortage of Resources

• Training and Retention

• Maximizing Technology and Knowledge Investments

• Maintaining Quality

• Importance of Communication

• Challenges of a Global Environment

Leading Practices

• Risk Assessment & Audit Planning

• Governance

• Quality Assurance and Improvement

• Professional Development

• Increasing Awareness of Internal Audit

• Value Added Services

• Improving Audit Efficiency

• Innovative Audit Approach

Questions for Evaluating Internal Audit Function &

CAE/Director

• How well does the internal audit director respond to probing by the audit committee?

• How Knowledgeable is the internal audit in the company’s accounting and financial reporting policies?

• How well does the senior management respect the internal audit director, and how healthy is the tension between them?

• How well do the external auditors respect the internal audit director?

• Does the internal audit director provide adequate assurance in areas requested by the audit committee?

• Is the internal audit director respected within the auditing profession? Examples would be as a frequent speaker, writing articles, participating in industry organizations, etc.

Evaluation for the Internal Audit Team

1. Does the department appear to be using its time and resources effectively and efficiently?

2. Are the department's size and structure adequate to meet its established objectives? 3. Is the experience level of the internal auditors adequate? 4. Does the department appear to be objective? What procedures are performed to

ensure objectivity? 5. Is the technical knowledge of the department members sufficient to ensure that

duties are performed appropriately? 6. Does the department have an appropriate continuing education program? 7. Are there department members with sufficient information systems auditing expertise

to address the level of technology used by the organization? 8. is the department’s work planned appropriately? 9. Does planning include written audit plans and programs? 10. What types of reports are issued by the internal audit department and to whom? 11. Are the internal audit reports issued on a timely basis? 12. Do the internal audit reports include sufficient detail for effective action by

management and/or the audit committee?

Evaluation for the Internal Audit Team 13. Does management respond in an appropriate and timely fashion to significant

recommendations and comments made by the internal auditors? 14. Do internal audit procedures encompass operational as well as financial areas? 15. Was the department’s involvement in the annual audit effective? 16. What could be done in the future to maximize the department’s effectiveness and

efficiency? 17. To what extent is outsourcing used in the internal audit function, what areas are

outsourced, and to whom are the outsourced? 18. Does the internal audit team have a periodic “Peer review” performed and, if so, what

were the results of the latest review? 19. What criteria are used to establish and prioritize the annual and long-range internal

audit plan? 20. Is the department’s work concentrated in areas of high risk, judgment, and sensitivity? 21. To what extent does the internal audit team keep itself informed about, and involved in

professional activities? 22. What are the internal auditor’s views regarding controls, the risk of fraud, and

compliance matters? 23. Has the charter of the internal audit department been evaluated to determine it is still

appropriate?

Panel Discussion – Supervisory Committee Expectations of Internal Audit

Questions

Alan N. Siegfried, CPA, CIA, MBA Managing Director, Quetzal GRC Alan.Siegfried@QuetzalGRC.com

410-570-5400

Theresa M. Grafenstine, CPA, CIA, CISA

Inspector General, U.S. House of Representatives Theresa.Grafenstine@mail.house.gov

202-226-1250