What is Internal Audit’s Role in Management’s Assertion

What is Internal Audit’s Role in Management’s Assertion
The Institute of Internal Auditors, May 11, 2004
Xenia Ley Parker, CIA, CISA, CFSA, Principal, XLP Associates

The IIA Welcomes New President David A. Richards, CIA, CPA

Agenda
• Introduction & Overview: Xenia Ley Parker, XLP Associates
• Internal Audit’s Role in SOX: Larry Harrington, Staples
• How Solectron Addresses 404 & IT Controls: Norman Marks, Solectron
• Internal Audit’s Role: Dennis Drent, Nationwide Insurance
• Break
• Q&A

What is the Right Role?
• Organizations have to find the right process to address Sarbanes-Oxley
  – Internal Auditors have more than one possible role
  – Maintaining objectivity and independence is critical, whichever role they take on
• There is no one ‘right’ answer

Possible Roles
• Consideration of Internal Audit Standards and professional practices
• Other sources of information
• We’ll look at some of the possible roles
  – Project management
  – Consulting
  – Documentation and testing

Internal Audit’s Role in Sarbanes Oxley 302 & 404
Larry Harrington, CPA, Chief Audit Executive, Staples

Professional Practices Framework
• Definition of Internal Auditing
• Ethics & Standards
• Practice Advisories
• Development & Practice Aids

IIA Whitepaper: Internal Audit Role in Sarbanes Oxley 302 & 404
• Purpose
• Summary Role of Management, Audit Committees, and External Auditors
• Recommended Role for Internal Audit
• Practical Considerations

Purpose of This White Paper
Discuss the roles Internal Auditors play today:
– Consulting
– Monitoring/Testing
– Creating the Documentation
– Performing the Assessment
– Managing the Entire Project
Compliance with IIA International Standards
– Objectivity
– Independence
– Evaluation & contribution to improving the company’s risk assessment, control, and governance process

Key Operating Principles
• Sarbanes Oxley creates requirements for Audit Committees, management, and external auditors
• Management is responsible for implementing the process to meet the requirements of Sarbanes Oxley, not Internal Audit

Roles for Internal Auditors
Project Management
– Participation on project steering committees
  • Objectivity and independence is not impaired when effort is limited to evaluation/recommendation/monitoring (e.g. assessment methodology and tools; definition of documentation standards; communicating project status)
  • Objectivity & independence is impaired when involved in the decision process and the implementation process
– Training on project, risk and controls
  • Objectivity and independence is not impaired when creating or delivering training on these topics
– Facilitation between management and external audit

Roles for Internal Auditors
• Consulting
  – Advise on best practices
    • Objectivity and independence not impaired when advising on documentation standards, tools, or test strategies
    • Objectivity and independence is not impaired when advising on the design, scope, or testing frequency, or in assessing management’s testing and assessment process
    • Providing advice on control gaps, reviewing management plans for correcting control gaps, and performing follow-ups to ascertain whether control gaps have been adequately addressed does not impair objectivity or independence.

Role For Internal Auditors
• Documentation and Testing
  – Provide IA documentation/create new documentation
    • Objectivity and independence not impaired if assisting management in documentation because of limited resources
    • Objectivity and independence is impaired if audit slips into making management decisions
    • Management owns the design/testing process; however, IA may be asked to help. Objectivity and independence is not impaired when IA assists. Objectivity and independence is impaired if IA makes decisions: control design, effectiveness, what to remediate, etc.

Roles for Internal Auditors
• Documentation and Testing (cont.)
  – Performing a quality assessment review prior to management handoff to external audit does not impair objectivity or independence

Audit Committee Disclosure
• Disclosure to the Audit Committee that the internal auditors’ objectivity or independence has been impaired is required when:
  – Internal Audit actively participates in making or directing key management decisions
  – Internal Audit designs, installs, drafts procedures for, or operates such systems
  – Internal Audit makes key management decisions

Contact Information
If you have any questions regarding the Professional Practices Framework or guidance materials, or you wish to forward additions, contributions or suggestions, e-mail The IIA at: issues@theiia.org

How Solectron Addresses 404 and IT Controls
Norman Marks, CPA, Vice President, Internal Audit, Solectron Corporation

Topics
• Internal Audit and § 404 in 2004
• The future for Internal Audit and § 404
• Assessing the impact of IT control deficiencies

IA and § 404 in 2004
• Project led by Corporate Controller
• IA consults on controls theory and practice
• IA (independent) testing of key controls, incl. mitigating/compensating controls
• IA reports on testing results
  – Provides an opinion by location/function
    • Controls design & effectiveness
    • Adequacy of documentation

IA and § 404 in 2004
• Retesting of remediated controls
• Assessment of deficiencies and identification of mitigating/compensating controls
  – Impact on overall assessment by management
• Member of Disclosure Review Committee
• Consider § 404 results in § 302 assessment, & forming annual IA opinion on internal controls (COSO)

The future for IA and § 404
• How will the role of IA change as § 404/§ 302 practices mature?
• Integration of § 404/§ 302 testing into audit plan
• Impact on the charter of IA within the organization
Norman’s opinion

What is the role of IA?
“Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

What is the role of IA?
• It should be more than financial controls
• Financial controls is more than § 404

COSO and § 404
[Figure: COSO cube. Objective categories: Compliance, Financial Reporting, Operations. Components: Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment. A second build of the slide adds a “§ 404” label.]

COSO and § 404
[Diagram labels: Financial Reporting; Compliance with laws and regulations; Operations. A later build of the slide adds a “§ 404” label.]

COSO and § 404
Not included in § 404:
• Management reporting
• Matters not material to SEC financials
Partly included in § 404:
• Controls affecting future periods:
  – IT security
  – contingency planning
  – physical security
  – fraud
• Efficiency of financial reporting
[Diagram labels: Financial Reporting; Compliance with laws and regulations; § 404; Operations]

Future role of IA
• § 404 work should be integrated into the risk assessment and audit planning process
• Don’t limit yourself to § 404
  – Not even for the next 2 years
  – You will become defined as only there to do § 404
  – You will lose your mission and purpose
  – You will become irrelevant

Future role of IA
Audit Committee and senior management:
• “We have:
  – management’s assessment of internal controls
  – the external auditor’s assessment”
• “Why do we also need IA’s opinion?”
• “We have survived with a limited IA function”
• “Why do we need a full scope one?”

Summary – the future
• Define the future role
• Don’t limit yourself to § 404
• Build an integrated plan, including § 404
• Communicate and sell your strategic vision – NOW!

IT control deficiencies
[Diagram, built up over several slides. Labels: Control Assertion; Key Control; User procedure; Automated process; Test; IT general controls (• Development & Maintenance • Operations • Program security); Test; Deficiency]

IT Security Deficiencies
1. What is the risk?
  • Business disruption: no § 404 impact
  • Fraud
2. Could it result in financial reporting error?
  • No: no § 404 impact
  • Yes
3. Are there detective controls?
  • Yes: Test; no § 404 impact
  • No
4. Are there compensating controls?
  • Yes: Test; no § 404 impact
  • No: § 404: Assess accounts affected

Internal Audit’s Role
Dennis Drent, CPA, Senior Vice President, Office of Internal Audit, Nationwide Insurance

Internal Audit “hired” as Section 404 Project Manager by Management with Audit Committee approval
IA PMO

IA PMO
• Coordinate, consult on or perform documentation, gap analysis and remediation
• Maintain documentation
• Coordinate quarterly control certification and management verification processes
• Coordinate ongoing gap analysis and remediation
• Coordinate with Legal and Finance and report conclusions to Disclosure and Audit Committees
• Perform independent testing of controls providing certification

Support Management Assertions
Summary of Key Points:
• Ownership of control resides with business through the control certification process
• Internal Audit manages certification process and is in a position to perform real time analysis of control adequacy and ensures ongoing quality of control documentation
• Internal Audit develops deep understanding of link between controls and financial statements assertions; this provides value-added consulting services

Support Management Assertions
Summary of Key Points (continued):
• Internal Audit, Finance and Legal jointly interpret “open items” for potential deficiency in a legal sense
• Works with External Auditor to ensure effective and efficient audit
• Internal Audit assures sustainability of Section 404/302 process

Looking Forward
• Maintenance of documentation and ongoing gap analysis will be core of what we do - “real time” auditing
• Sarbanes 404 will be embedded with NW ERM process in development
• Bolt operational and compliance controls on to Sarbanes controls database over time to create full audit universe


Special Webcast, May 25, 2004: “Does your SOX 404 work measure up? Hear what will satisfy your CPA firm!”
See you at our next webcast!

June 8, 2004: “Anti Fraud Programs”
