Nicholas DiMola, Principal Quality Plus & Associates

Internal Audit Best Practices

What makes an Effective Internal Audit Function ?

Internal Audit Best Practices

According to a survey conducted by KPMG, an effective Internal Audit function is a combination of:
IAs position within the organization The people and resources that it has to meet its

responsibilities and challenges The processes that it uses to assess risk, plan its activities and to deliver its results

Risk Assessment Process

There is a Strong Link between effective Risk Assessments and effective Audit Coverage According to the IIA Standards, IA Groups should base their audit plans around risk assessments conducted on an annual or more frequent basis with input from senior management and the board of directors.

Risk Assessment Process

Steps to Strengthen Risk Assessment Process Adopt a Process Approach to Risk Assessment and Audit Planning Supplement Annual Risk Assessments with more frequent updates Leverage prior Audit results Align and Leverage Risk assessments Seek out and Utilize Specialist Coordinate with other Risk management groups

Risk Assessment Process

Adopt a Process Approach to Risk Assessment and Audit Planning Need to keep the Audit Committee and Senior Management informed of changes to IAs position on Risk Exposure. Requires a Process Drive Approach and Flexible Audit Plan Review changes to the Audit Plan

Risk Assessment Process

Supplement Annual Risk Assessments with more frequent updates - need to monitor risk

on a regular, on going basis though out the year. Leverage prior Audit results learn from past audits and reach out to key players within the company to strengthen the risk assessment process.

Risk Assessment Process

Align and Leverage Risk Assessments should use a common framework to avoid confusion. Seek Out and Utilize Specialist IA should use both internal and external resources to expand capability in critical business areas, technology and fraud detection. Coordinate with other Risk Management Groups important to be knowable of and involved with other risk management groups and share information accordingly.

Risk Assessment Process

PwC recommends the following check list for IA in its approach to risk assessments and audit planning Conduct enterprise level risk assessments at least annually. Apply risk based assessment results to the development of the audit plan and planning audit engagements. Adopt a formal process to periodically update or revise risk assessments .

Risk Assessment Process

Update the audit plan to address the results of the risk

assessment
Conduct a preliminary risk assessment at the

beginning of every internal audit engagement

Keep the Audit Committee informed about IAs views

of risk the companys emerging or changes to its risk position.

Flexible Audit Approach

Objective :
Shift from a traditional audit process to

Partnering with Management to Enhance Stakeholder Value

Flexible Audit Approach

Major Drivers
Changes to Business

Environment Greater Expectations

Audit Plan
Carryover

On-Hold

Cancelled

Deferred

Audit Plan

Audit Plan needs to be Flexible Not Set in Stone

Flexible Audit Plan

Broad Functional Areas
Expand Budgets/Drill Down as

Needed Increase Scope of Projects Implementation Assistance

Flexible Audit Plan

Availability of Outside Resources
Ability to Respond

Quickly Increase Management Support Capability Use of Specialist/Experts Develop In-House Skill Sets

Flexible Audit Plan

Benefits:
Audit Focus on Quality Not Quantity Reduces Expectation Gap between IA &

Management Empowers Auditors to Define the Scope of Work More efficient utilization of Resources IA can be of Greater assistance to Management

Flexible Audit Plan

Challenges
Maintain Administrative Control over Audit Plan Effectively Manage Additional Resources Incorporate Continuous Business Risk Assessment Process

Flexible Audit Plan

Summary
An value added Audit Plan is more a factor of Qualitative

information than Quantitative Audit Plan is more in line with the Needs of the Organization The Audit Plan is an Evolving Process Monitoring and Assessing auditor performance is Critical

Audit Reporting
Auditing Reporting Process Is it Timely and Efficient?

Audit Reporting
Challenges:
Lengthy Cycle Times

Reports must be Factually Correct but

issued Timely Constant Complaint Audits Take To Long

Audit Reporting
Consequences of Lengthy Audit Cycles
Audit results are not timely
Stakeholders dissatisfaction

Inefficient use of audit time

Audit Reporting
Reporting Issues Ineffective communication with auditee Delays in writing draft report Editing process Quality Control Delays by Management in Responding

Audit Reporting
A survey of CAEs have reported that it takes on average more than a quarter of the audit cycle time to process an audit report.
Delays in getting audit responses Repetitive re-editing

Lengthy, narrative-format audit reports

Audit Reporting
Possible Considerations:
Issue reports without management comments Use power-point presentations instead of a report Use a standardized report format Issue audit findings on a piecemeal basis while the

audit is in progress. Advise senior management and the Audit Committee of only high risk audit results with all findings communicated to the auditee.

Audit Reporting
Exception Reporting Most Relevant findings and issues up

front Recommendations

Audit Reporting
Use of Audit Ratings More IA departments are using audit ratings to communicate the significance of audit findings and overall results.

Why?

Audit Reporting
Audit Report Ratings
Keys Rating scheme should fit organization Develop and communicate the criteria for assigning audit ratings Communicate the basis and rational of the scheme to Senior Management and the Audit Committee Have appropriate report distribution and follow up process

Surveys
Performance Agreement Results to Audit Committee

Assurance

Consultative

Cost Savings

Efficiency

Effectiveness

Training and Guidance

Contract Audit

Why Audit Contracts ?

Contract Audit
Why Audit Contracts?
So you know you got what you paid for! Strengthen contract terms & conditions

Improve procurement process (contract letting) & contract administration

Ensure compliance with procurement regulations

Indentify opportunities for cost reductions or savings

Contract Audit
Contracting Activities
3 Major Phases
Pre Award
Contract Performance Completion & Closeout

Contract Audit
Pre-Award
Approved and Authorized Terms and scope is clear

Prices are fair and reasonable

Rights are included in contract terms Comply with requirements

Funding is ok

Contract Audit
Contract Performance
Work performed = Scope in contract

Payments = Value received

Deliverables on schedule Comply with laws environmental and safety

Rights inspect, audit, claims, liquidated damages

Contract Audit
Completion and Closeout
Scope of work, payments, deliverables comply with terms of contract

User acceptance
Post performance obligations manuals, warranties, testing and training

Claims resolved
Liquidated damages collected

Contract Audit
Examples of Findings & Results
Consultants charged at higher than actual rate Adding fringe benefit cost to independent contractors Failure to get allowance for material discounts

Inflated travel cost

$2.5 million recovered form equipment manufacture for using wrong

inflation indexes $13.7 million reduction to a claim due to overstated labor and material cost $2.1 million saved for material cost charged but not incurred

Building Effective Audit Committee Relationships

Audit Committees are continuously relying more heavily on Internal Audit keeping them informed on business strategies and risk, oversight and governance, and the effectives of controls.

Building Effective Audit Committee Relationships

Internal Audit should: Have access to the Committee Review with the Committee its audit plan, reports and significant findings Provide assurance on risk and controls Position IA as a strategic advisor to the Committee Provide an objective set of eyes and ears

Building Effective Audit Committee Relationships

The Audit Committee should:
Understands IAs role in the organization Be involved in the selection and dismissal of the CAE Be involved in determining the CAEs compensation Monitor performance of the IAD and require an

external QAR Know the next level of IA management team for succession planning

Who Audits the Auditors?

The Value of External Quality Assessments

Quality Assurance and Improvement Program

Why is a Quality Assurance & Improvement Program necessary? As an Organization and its Internal Audit shops grow, its operations undergo refinement, and its internal processes change and evolve, its quality monitoring process must keep pace.

Some Elements of a QAR

Staff Information (education, skills, certifications)

Audit Plan Budget to Actual

Audit Cycle Time Issues and Recommendations Tracking

Customer Satisfaction Survey

Staff Meeting Benchmarking to Best Practices

Training
Work Paper Review (ongoing) QA Review Action Plan

What is the Value of Quality to Internal Audit

ABC Organization Executive Level

Internal Audit

At this level Internal Audit is not considered a valued resource to the Organization

What is the Value of Quality to Internal Audit

ABC Organization Executive Level

Internal Audit

As the Quality of Internal Audit increases the acceptance at the Executive Level gets Internal Audit closer

What is the Value of Quality to Internal Audit

ABC Organization Executive Level Internal Audit

Once Quality is achieved Internal Audit is embraced by the Executive Level as a valuable resource within the Organization

Whos Responsible for the Quality of Internal Audit?

Organization Chief Audit Executive (CAE)

Who will Benefit

Internal Audit Profession IA Stakeholders

(AC, BOD, Regulatory Body, Sr. Mgmt) Internal Auditors

External Quality Assessment

Objectives that should be Achieved
1)

2) 3)

4)

Assess the efficiency and effectiveness of the IA activity in light of its Charter and the Board and managements expectations. Provide an opinion on IAs conformance to the spirit and intent of the Standards. Benchmarking and industry comparisons for internal auditing practices Identify and offer recommendations to improve IAs performance and increase the value added to the Audit Committee and management.

What are the benefits of an external QA?

Expert advice & counsel from practitioners with

decades of experience and broad exposure to the best IA functions

Sounding Board Leverage for funding, authority, independence &

training

Visibility Pipeline to the audit committee & senior

management

Why have an external QA?

Professional credibility Organizational credibility Legal liability Compliance with Standards Continuous improvement Audit Committee oversight

What problems are commonly found?

Inadequate Quality Assurance &

Improvement Program

Consulting omitted from the mission and

charter

Inadequate IT coverage or technical skills Lack of performance measures

What problems are commonly found?

Inappropriate CAE reporting

relationships

Out-of-date charters Client perception of inadequate audit

staff knowledge

No formalized risk assessment

process

Best Practice
Make sure you learn something from the QAR process
Embrace the process as a way to move towards

continuous improvement Ask for suggestions to improve the IA department as a whole Be open-minded

Summary
A Best Practice Internal Audit function should be:
Risk focused

Aligned with the business

A source of advise on governance, risk and controls Adaptable to change

Able to provide coverage where needed

Have sufficient resources to be effective

Internal Audit Best Practices

Questions? Thank You
Nick DiMola Quality Plus & Associates ndimola@aol.com