
Kickstart Internal Audit in 2014

A Reminder
Following the webinar, all attendees will receive a link to a copy of the recorded webinar. You can download a PDF version of the slides through the Attachments link. If you are experiencing technical difficulties during the webinar, let us know by clicking on the Questions link at the top of your screen. Please provide your e-mail address for a swift reply.

We will have a formal Q&A at the end of this webinar; we encourage you to submit your questions throughout the webcast. We will address your content questions at the end of the webinar.

If you are having trouble hearing the audio through the computer, separate phone lines are available.
International: +44 (0) 1452 552 630
United States: +1 877 894 4122
Conference ID: 31151469

2014 Protiviti Inc. An Equal Opportunity Employer. This document may not be copied nor distributed to any third party. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

CPE and Supplemental Information


We are issuing 1.5 CPE credits for this webinar.
To be eligible for CPE credit, you must answer four (4) out of the five (5) polling questions throughout the duration of this webinar. You will receive your CPE certificate within 4-6 weeks of the webinar.

You can download the CPE Course Evaluation Form through the Attachments link.
Return this evaluation form to Lark Scheierman at Protiviti via e-mail: lark.scheierman@protiviti.com
Download the PDF version of today's presentation and related publications through the Attachments link.

Trouble hearing the audio through the computer? Dial in! Phone: + 1 877 894 4122, Conference ID: 31151469

Today's Presenters
Brian Christensen is a member of Protiviti's executive leadership team and is the global leader of the firm's Internal Audit and Financial Advisory Solution. In this role, he is responsible for the development and execution of Protiviti's internal audit products. He has more than 25 years of experience in helping clients increase the value of their internal audit function. He holds a bachelor's degree in accounting from the University of Wisconsin. He is a frequent speaker on auditing and risk topics at national conferences. Brian.Christensen@protiviti.com

Dave Brand is a Managing Director in Protiviti's Chicago office. He leads the global IT Audit practice for Protiviti. He has over 15 years' experience working with companies across multiple industries in the areas of IT Auditing, Computer Aided Auditing Techniques, audit formation, risk assessments and audit committee reporting. David.Brand@protiviti.com

Today's Presenters
Keith Keller is a Managing Director in Protiviti's Atlanta office. He is a member of the Financial Services team and serves as the market lead for the Internal Audit and Financial Advisory Solution. Keith is a seasoned executive with more than 30 years of business experience working with a variety of organizations to enhance their business performance through risk management, operational effectiveness and enhanced governance. Keith.Keller@protiviti.com


Definition of Internal Auditing


Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Source: The IIA

Supports Current Internal Auditing Practice Environment.

Fosters Enterprise Risk Management

Addresses Role of Internal Auditing in Governance


Increased Demands
The demands and expectations placed on internal audit are growing constantly:

Management

Audit Committees

Standard Setters IIA Standards and Practice Advisories Regulatory Bodies New COSO Framework

Regulators

And new and emerging risks are arising that need to be addressed.

Assessing Success in 2013

Tone at the Top

Process Issues

IT Matters

Risk Management

Corruption Risk

Sustainability

Regulatory Matters

Financial Reporting Matters


Kickstart 2014

Planning Ahead
As we enter 2014, what can we expect in the year ahead? No one knows for sure, but change will be a big part of what is on the horizon.
The challenges and opportunities highlighted in this presentation are based on our experiences and input from audit leaders and their departments.
We spent 2013 in partnership with organizations from around the world, through benchmarking surveys, client projects, and interviews, to gain insight into the key areas of concern for their organizations.
We are happy to share our insight with you today to help kickstart 2014.
Different industries face different issues and priorities. The applicability and prioritization of the challenges included in this presentation will vary by industry.


Establish Open Dialogue


We hope this presentation will help internal audit:
Provide observations and ideas for consideration by management, the board and audit committees as they:
Continue to navigate uncertainty
Make and execute appropriate plans for the future
The complexity and velocity of change in an increasingly interdependent world are altering the dynamics of doing business.

Discuss major challenges the organization currently faces and will likely face in the near term
Summarize top-of-mind issues facing your organization and key stakeholders


Road Map for 2014 and Beyond

Flash Reports and Bulletins

Internal Auditing Around the World

IT Audit Survey

IA Capabilities and Needs Survey

IT Security and Privacy Survey

2013 SOX Survey


Regulations and Standard Setters

Poll Question #1

Do you believe you are well informed on COSO's updated Internal Control: Integrated Framework 2013?

Yes
No

Unsure


NASDAQ and NYSE


In March 2013, the NASDAQ proposed a new rule to require listed companies to have an internal audit function.
In light of the breadth and nature of the comments from its issuer community and other stakeholders, the NASDAQ determined in May 2013 to withdraw its proposal so that it may adequately consider these comments.
It also stated its intent to revise the proposed rule, taking into account the comments received, and resubmit it.

NYSE currently requires all listed companies to have an internal audit function.
The exchange recently approved a one-year transition period for newly listed companies to establish this function.
We expect the NASDAQ to offer this same flexibility to listed companies when it resubmits its proposal.


Auditor Rotation, Standards, and PCAOB Inspection Reports


Mandatory Auditor Rotation: The House of Representatives approved a bill that prohibits the PCAOB from forcing public companies to change or rotate their independent auditing firms.

Updates to IIA Standards: Standards 1110, 2010.A2, 2410.A1, 2450. New Practice Advisories: 2320-4, 2120-3, 2320-3.

On December 10, 2012, the PCAOB issued the report "Observations from 2010 Inspections of Domestic Annually Inspected Firms regarding Deficiencies in Audits of Internal Control over Financial Reporting":
Summarizes inspection observations related to deficiencies in registered public accounting firms' audits of ICFR for public companies
Describes the most pervasive deficiencies

On October 24, 2013, the PCAOB issued Practice Alert #11, which highlights areas in which significant auditing deficiencies have been cited frequently in PCAOB inspection reports over the last three years.


PCAOB Auditing Standard No. 16, Communications with Audit Committees, and Amendments to other PCAOB Standards Approved by SEC

PCAOB Reproposes Auditing Standard, Related Parties, and Related Amendments, Including Amendments Regarding Significant Unusual Transactions

SEC Action Against Fraud


Examples from 2013
Archer-Daniels-Midland Co. - SEC charged the Illinois-based global food processor for failing to prevent illicit payments made by foreign subsidiaries to Ukrainian government officials in violation of the FCPA. ADM agreed to pay more than $36 million to settle the SEC's charges. (12/20/13)

Weatherford International - SEC charged the Swiss-based oilfield services company with authorizing bribes and improper travel and entertainment for foreign officials in the Middle East and Africa to win business. Weatherford agreed to pay more than $250 million to settle cases with the SEC and other agencies. (11/26/13)

Stryker Corporation - SEC charged the Michigan-based medical technology company with violating the FCPA by bribing doctors and other government officials in five countries to obtain or retain business and make $7.5 million in illicit profits. Stryker agreed to pay more than $13.2 million to settle the SEC's charges. (10/24/13)

Diebold - SEC charged the Ohio-based manufacturer of ATMs and bank security systems with violating the FCPA by bribing officials at government-owned banks with pleasure trips to popular tourist destinations in order to illicitly win business. Diebold agreed to pay $48 million to settle SEC and Justice Department cases. (10/22/13)

Source: http://www.sec.gov/spotlight/fcpa/fcpa-cases.shtml

Financial Services Hot Topics


Consumer Financial Lending and Deposits Product Mortgage Lending and Services Remittance Transfers Third-Party Risk Management Complaints, Issue Management and Responsible Business Conduct Fair Lending Unfair, Deceptive and Abusive Acts or Practices Specialized DFA Consumer Protections Anti-Money Laundering and Sanctions Common Issues The Role of Technology Broker-Dealer Investment Advisors New Data Collection and Reporting Requirements Disclosure and Reporting of Representative Compensation for Recruits Expansion of FINRA's Minor Rule Violation Plan Hedge Fund Examinations Due Diligence and Supervision of Third-Party Service Providers Identity Theft Prevention/Red Flags Impact on Compliance Functions and Compliance Governance

COSO Why Change


Environment changes have driven Framework updates:
Expectations for governance oversight
Risk and risk-based approaches receive greater attention
Globalization of markets and operations
Increased complexity of business and organizational structures
Use of, and reliance on, evolving technologies
Demands and complexity in laws, rules, regulations and standards
Large-scale governance and internal control breakdowns
Expectations for competencies and accountabilities
Expectations relating to preventing and detecting fraud
Source: Updated COSO Internal Control Framework FAQs-Second Edition

COSO Cube (2013 Edition)


Source: Chapter 2 of COSO Internal Control: Integrated Framework (2013).

COSO What's Changed

1. Codifies 17 principles that support the five components of internal control
2. Clarifies role of objective-setting as a precursor to internal control
3. Reflects increased relevance of technology
4. Incorporates an enhanced discussion of governance concepts (the oversight role of the board and its committees)
5. Expands the reporting category of objectives to include non-financial and internal
6. Enhances consideration of anti-fraud expectations in its own principle
7. Increases the focus on non-financial reporting objectives to broaden use
8. Additional approaches and examples for operations, compliance and non-financial reporting objectives

Source: Updated COSO Internal Control Framework FAQs-Second Edition



COSO's IT Implications

Connecting IT to the COSO Principles

Impacts to Existing IT SOX Documentation

Linkage of COSO to Other Frameworks

Impact of PCAOB Inspection Reports on IT Documentation

Register via the Attachments Link for our January 15, 2014 webinar where we will discuss the IT implications associated with the 2013 COSO Framework.


Technology Considerations

Poll Question #2

Does your organization conduct an IT audit risk assessment?
Yes, it is conducted separately from the overall risk assessment
Yes, it is conducted as part of the overall risk assessment process
No, an IT audit risk assessment is not conducted


Audit Process Knowledge Overall Results

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 (tie) | Data Analysis Tools: Data Manipulation | 3.3
1 (tie) | Fraud: Monitoring | 3.4
2 (tie) | Auditing IT: New Technologies | 2.9
2 (tie) | Fraud: Fraud Risk Assessment | 3.4
3 (tie) | Data Analysis Tools: Statistical Analysis | 3.3
3 (tie) | Fraud: Fraud Detection/Investigation | 3.4
4 (tie) | Fraud: Management/Prevention | 3.5
4 (tie) | Computer-Assisted Audit Tools (CAATs) | 3.1
5 | Data Analysis Tools: Sampling | 3.4

Source: 2013 Internal Audit Capabilities and Needs Survey



Audit Process Knowledge CAE Results


"Need to Improve" Rank Areas Evaluated by Respondents Competency (5-pt. scale)

1
2 3

Data Analysis Tools: Data Manipulation


Auditing IT: New Technologies Data Analysis Tools: Sampling Computer-Assisted Audit Tools (CAATs)

3.2
3.1 3.4 3.3 3.3 3.7

4
Data Analysis Tools: Statistical Analysis 5 Fraud: Fraud Risk Assessment

Source: 2013 Internal Audit Capabilities and Needs Survey



PCAOB Inspection Reports


The following are representative of the IT-specific findings from 2010 PCAOB Inspection Reports.
Placed unwarranted reliance on certain important system-generated data and reports after underlying ITGCs failed testing; failed to identify/test manually generated reports
Failed to identify that the issuer used spreadsheets, not the inventory application, as the primary system for maintaining pricing and quantities, and failed to test any controls
Failed to select and test controls over user-definable settings in the issuer's general ledger system
Failed to test controls over completeness and accuracy of delivery data received electronically from vendors. Further failed to evaluate the implications of the significant differences between the delivery and invoice date in testing unbilled revenue

IT Security and Privacy is a Priority


Information management as strategic priority: CIOs are more active in governance oversight and execution, along with crisis communications. More CIOs are in place today within companies, reflecting a recognition that data is a critically important asset that must be managed differently and even more effectively than other assets.
Lack of key data policies: One in four companies do not have a written information security policy (WISP) and one in three lack a data encryption policy.
Less-than-ideal data retention and storage practices: Few address data with a detailed and comprehensive classification system. Many, in fact, treat all of their data the same, rather than classifying it appropriately.
Unprepared for a crisis: In light of the many well-publicized data breach incidents and numerous data breach and privacy laws, a surprisingly high number of companies are not adequately prepared to respond to such a crisis.

Source: 2013 IT Security and Privacy Survey



Social Media Risk and the Audit Process

Source: 2013 Internal Audit Capabilities and Needs Survey



Top Technology Challenges


2013
IT security: data security, cyber security and mobile security IT governance

2012
Information security (including data privacy, storage and management) Cloud computing Social media

Lack of ERP implementations, development and knowledge Social media


Vendor management Cloud computing Emerging technology and infrastructure changes Big data and analytics PCI compliance

Risk management and governance


Regulatory compliance Technology integration and up gradation

Resource management Infrastructure management Fraud monitoring Business continuity/disaster recovery

Source: Protiviti's 3rd Annual IT Audit Benchmarking Survey



Sarbanes-Oxley Compliance

Poll Question #3

Does your organization have plans to continue automating controls to gain efficiencies within the SOX compliance process?
Yes
No
Unsure


Poll Question #4

In the last year, has your organization experienced an increased level of reliance by the external auditor on the work of internal audit?
Yes
No
Unsure


PCAOB Practice Alert #11


Highlights areas in which significant auditing deficiencies have been cited frequently in PCAOB inspection reports over the last three years. These include failures to:

Identify and sufficiently test controls that are intended to address the risks of material misstatement
Sufficiently test the design and operating effectiveness of management review controls that are used to monitor the results of operations
Obtain sufficient evidence to update the results of testing of controls from an interim date to the company's year end (i.e., the roll-forward period)
Sufficiently test controls over the system-generated data and reports that support important controls
Sufficiently perform procedures regarding the use of the work of others; and
Sufficiently evaluate identified control deficiencies

Source: Public Company Accounting Oversight Board Alert # 11



PCAOB Practice Alert #11


Risk assessment and the audit of internal control

Selecting controls to test

Testing management review controls

Information technology ("IT") considerations

Roll-forward of controls tested at an interim date

Using the work of others

Evaluating identified control deficiencies


Source: Public Company Accounting Oversight Board Alert # 11


Sarbanes-Oxley Key Findings


More companies are adjusting compliance efforts to focus on high-risk processes and walkthroughs
External auditor reliance on these efforts continues to evolve, due in part to guidance from the PCAOB
SOX compliance oversight responsibilities are shifting away from project management to internal audit functions
SOX compliance costs are rising, as are external audit fees. However, for most organizations, the cost of SOX compliance remains at a manageable level
Organizations continue to report significant improvements in their internal control structures since Section 404(b) became a requirement
The automation of controls remains an enticing option and perhaps the final frontier for achieving significant improvements and efficiencies
Source: 2013 Sarbanes-Oxley Survey

Changes in Sarbanes-Oxley Compliance Processes Over Past Year

Source: 2013 Sarbanes-Oxley Survey



Companies Are

Source: 2013 Sarbanes-Oxley Survey



Managing Risk through Collaboration

Poll Question #5

Do The IIA Standards support internal audit's role in managing risk?
Yes
No
Unsure


Internal Audit's Role in Managing Risk


Practice Advisory 2120-3: Internal Audit Coverage of Risks to Achieving Strategic Objectives - The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems

IIA Performance Standard 2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

IIA Performance Standard 2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include: (a) reliability and integrity of financial and operational information, (b) effectiveness and efficiency of operations, (c) safeguarding of assets, and (d) compliance with laws, regulations, and contracts.


Three Lines of Defense

The IIA's Position Paper, The Three Lines of Defense in Effective Risk Management and Control, addresses how organizations can holistically mitigate risks in a business environment that is continuously growing in complexity.
The paper is designed to provide guidance to organizations regardless of their size or the level of formality to their risk management approach.
It discusses the uses for risk management frameworks, but more importantly it highlights a critical component that most frameworks do not adequately address: how specific duties should be assigned and coordinated within the organization.


Key Obstacles to Integration and Alignment of Risk Management


Poor alignment of strategy and risk management
Growth of silos and/or lack of cooperation amongst silo leaders
Mismatches with stakeholder expectations
Gaps and overlaps in ownership of risk/control responsibilities
Lack of engagement from risk and process owners
Vague objectives and incoherent control requirements
Fragmented, diffused reporting of risk and control data
Conflicting points of view and duplicative efforts (e.g., risk assessment, documentation, testing, etc.)


Understanding Risk: Getting Started

What are our top 10 risks?

Understanding and responding to a changing risk profile

What are our emerging risks? How do we identify these and how often?
How do we determine if we are doing the right thing in accepting, reducing, sharing or avoiding risk?
Have we articulated a statement of risk appetite?


Managing Risk through Collaboration

Many organizations want to lower their risk profile by fostering a collaborative culture where everyone in the organization understands risk and their role in helping the business to manage and mitigate them. The call for both greater collaboration, and an enterprise focus on risk, is accelerating internal audit's path to the top table in the organisation, where it can be a true partner to management and the board.

Source: Internal Auditing Around the World Volume IX



Seeking Alignment
[Diagram labels]

Executive Management
Board of Directors
Audit Committee
Quantification Models
Risk Assessment Methodologies
Compliance
Security
External Audit
Issue Management Procedures
Internal Audit
Control Repositories
Policies
Risk Management
Legal
Systems
Process Owners

Ten Major Challenges Facing Businesses


1. Regulatory changes and increased regulatory scrutiny may affect operations

2. Economic conditions in current markets may not present significant growth opportunities

3. Uncertainty surrounding political leadership may limit growth opportunities

4. Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets

5. Organic growth through existing customers presents a significant challenge

Source: Setting the 2014 Audit Committee Agenda, The Bulletin, Volume 5, Issue 5

Ten Major Challenges Facing Businesses


6. Ensuring privacy/identity management and information security protection could require resources the organization may not have; cyber threats could significantly disrupt core operations

7. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations

8. Uncertainty surrounding costs of complying with healthcare reform legislation will limit growth

9. Anticipated volatility in global financial markets and currencies may create challenges

10. Other challenges such as the inability of the organization's operations to meet performance expectations as well as competitors; disruption of the organization's business model; and an unexpected crisis that could impact the organization

Source: Setting the 2014 Audit Committee Agenda, The Bulletin, Volume 5, Issue 5

Questions and Answers

Register via the Attachments Link for our January 15, 2014 webinar where we will discuss the IT implications associated with the 2013 COSO Framework.


Brian Christensen
Executive Vice President, Global Internal Audit
Phone: +1 602 273 8020
Brian.Christensen@protiviti.com
Phoenix, AZ

David Brand
Managing Director
Phone: +1 312 476 6401
David.Brand@protiviti.com
Chicago, IL

Keith Keller
Managing Director
Phone: +1 404 443 8224
Keith.Keller@protiviti.com
Atlanta, GA

Powerful Insights. Proven Delivery.
