Enhancing and Protecting

Organizational Value

Introducing Sawyers 7th Edition

Objectives

• Introduce Sawyers 7th Edition – Focused on achieving the

mission of internal audit
– Setting Up and Internal Audit Shop
– Delivering IA Products and Services

• Using Sawyers to define value delivered today and

opportunities to grow value tomorrow
 Sawyers 7th Edition Goals

• Mission Focused
– Enhancing & Protecting Organizational Value
• Readable by IA and Stakeholders
– Business Perspective of Internal Audit
• Relevant to today’s IA Challenges
– Growing Risk Functions, Collaboration
• Spirit of Knowing Modern Methods
- Staying Current with Leading Ideas
Enhancing and Protecting Organizational Value
Sawyers 7th Edition – Setting Up the IA Shop

Chapter 1: Internal Audit Strategy

Chapter 2: Audit Products/Services
Chapter 3: Audit Operations/Capabilities
Chapter 4: Audit Team/Resourcing Model
Chapter 5: Audit Leaders/Staff
Chapter 6: Building Relationships
Chapter 7: Business Acumen
Chapter 8: Context within which Audit
Works
 Examples from CH 1

Three Cornerstones of Internal Audit Strategy

• Stakeholder Expectations
• IA Professional Expectations
• CAE Expectations

What is the Value Proposition?

What Drives Value?

 Examples from CH 2

Type of Service and Expected Product

Generation 1 – Internal/External Auditor
Generation 2 – Internal Control Process Auditor
Generation 3 – Risk Based Auditor
Generation 4 – Risk Management Based Auditor
Generation 5 – Objective Based Auditor
 Examples from CH 3

Connecting People, Processes, Technology with Service/Product

- Using Capability Maturity Models

Considering Relationships and Culture

Considering Governance Structures

 Examples from CH 4-5

Implied Role of IA =
The Type of Services and Products Expected

Service and Product Expectations =

Core Skills & Certifications Required
Specialty Skills & Certifications Required

Skills Required =
Internal Audit Structure and Outsourcing Needs
 Examples from CH 6-8

Building Relationships
“Relationships with stakeholders can either contribute to the success of internal audit functions or break it.”

Business Acumen
“In general business acumen means CAEs effectively align their own perspective of value with the
perspective of board and management stakeholders”

Understanding the Context for IA

“It is more important than ever for internal audit to partner with SME’s and the second line of defense
functions…and define IA effectiveness”
Sawyers 7th Edition – Setting Up the IA Shop

Chapter 1: Internal Audit Strategy

Chapter 2: Audit Products/Services
Chapter 3: Audit Operations/Capabilities
Chapter 4: Audit Team/Resourcing Model
Chapter 5: Audit Leaders/Staff
Chapter 6: Building Relationships
Chapter 7: Business Acumen
Chapter 8: Context within which Audit
Works
 Sawyers 7th Edition – Delivering IA Services

Chapter 9: The Internal Audit Mission and Its Risks

Chapter 10: Risk Assessment and Audit Planning
Chapter 11: Planning the Audit Engagement
Chapter 12: Assessing Internal Control
Chapter 13: Audit Communication (Reporting and Follow-up)
Chapter 14: Assembling and Supervising the Internal Audit Team
Chapter 15: Specialty Skill Areas
Chapter 16: Advisory Services
 CH 10 Risk Assessment and Audit Planning - Generations

Risk Assessing – defined by service/product expectation

Generation 1 – Compliance or financial reporting risks audited
Generation 2 – Transaction, efficiency and hazard risks audited
Generation 3 – What could go wrong… risk assessments
Generation 4 – Top-down risk assessments, strategic risk, risk mgmt.
Generation 5 – Integrated risk assessment, 2nd line, risk mgmt., and audit
CH 11 Planning the Audit Engagement - Generations

Planning Considerations – defined by service/product

Generation 1 – standards, regulations, systems, policies
Generation 2 – add…flowcharting, key performance indicators
Generation 3 – scope implied by risk, further investigate, define
Generation 4 – strategic/operational priorities, risk mgmt. practices, culture
Generation 5 – business objectives at risk, sub objectives, strength of
oversight and operations, 2nd line assessments and actions
 CH 12 Internal Control - Generations

Risk and Control Implications – defined by types of

engagement
Generation 1 – Risk – noncompliance with standards and regulations
Control – transactional accuracy, completeness
Generation 2 – Risk – expands to inefficiency and ineffectiveness
Control – expands to process documentation, analytics
Generation 3 – Risk – Mgmt. perspective of what could go wrong
Control – less tangible definitions, stop bad events
Generation 4 – Risk – Risk Mgmt. is a Management job, they structure
Control – Expands to include good mgmt./governance
Generation 5 – Risk – simply the effect of uncertainty on objectives
Control – actions align with mgmt process for oversight,
operations alignment of people, process, and technology
 CH 13 - Communication

Value is in the eye of the beholder and what they hear through audit
communications
 CH 14-15 Putting the Team Together

• “Internal Auditors must possess the knowledge, skills and other

competencies needed to perform their individual responsibilities” – IIA
Competency Framework
• “Some objectives are narrow …they require a lower level of skill…general
and broad…higher level of skill”
• Specialty Skill – IT, Fraud, Accounting
 CH 16 Advisory Services (Consulting)

Consulting/Advisory service activities

• Agreed to with the client
• Intended to add value and improve an organization’s governance, risk
management, and control processes
• Examples include counsel, advice, facilitation, and training.
 Conclusion

• Enhancing and Protecting Organizational Value

– Requires the CAE to understand the value their organization is
producing
– Requires the CAE to align their services and products to add to
that value
– The future is one that will include Collaborative IA connecting
with the 1st and 2nd lines of defense around assurance and
management of risk
QUESTIONS
 Contributing Professionals
Contributing Authors
• Hans Beumer (Switzerland)
• Dan Clayton (USA)
• Farah Araj (UAE)
• Michael Levy (USA)
• Jenitha John (S.Africa)
• Jason Mefford (USA)
• Bruce Turner (Australia)
• Andrew Cox (Australia)
• Cris Shreve (USA)
• Angie Chin (USA/Brazil/Europe/Asia)
Technical Editors
• Paul Sobel (USA)
• Dan Clayton (USA)
• Angie Chin (USA/Brazil/Europe/Asia)
• Cris Shreve (USA)
Advisory Committee
• Larry Rittenberg (USA)
• Mark Salamasick (USA)
• Angie Chin (USA/Brazil/Europe/Asia)
 Thank You

The Institute of Internal Auditors

Dan Clayton
Director of Strategy & KM, System Audit Office
dclayton@utsystem.edu
LinkedIn: https://www.linkedin.com/in/dan-clayton-cia-
cpa-ckm-52b2227