Enhancing Governance Through Internal Audit Activities Kaveh Rikhtegar, CPA, CA, CISA, CIA Director of Internal Audit Canadian Commercial Corporation
Key Points Understanding your audience and the Governance framework, Building an effective and value added internal audit organizational structure and processes, Using a risk based approach linked to the ERM, to complete the annual audit plan, and Creating an effective reporting mechanism to the Audit Committee.
Canadian Commercial Corporation (CCC) CCC was created by an act of Parliament in 1946. CCC is a wholly owned Government corporation reporting to the Minister of International Trade CCC is mandated to facilitate Government to Government trade between Canadian exporters and international buyers.
Internal Audit Pendulum No Assurance Positive Assurance Negative Assurance
Governance Model Board Set and maintain polices and key Members priorities Measure, Monitor Measure, Monitor Develop and implement practices and Management procedures in order to role out the policies & accomplish key priorities Perform the day to day activities Operation based on established practices and procedures
Understating our Role Changes in Our Focus & Approach • Historically, IA has been known to be “Police” and “Watchdog”, • Internal and external environments are continually changing, • As a result, IA need to provide a more strategic role over Governance, Risk and Compliance: • Gain consensus on audit objectives and Develop relationships, • Stay informed with the plan, decisions and activities, • Be transparent.
Understand your Audience Board Members • Strategic, NO Surprises • Assurance and Compliance focus • Managing Risk • Short span of attention • Special education • Diplomatic Therefore you must stay informed of business plans, events, developments and new initiatives
Understand your Audience • Executive Management, Non Technical and Strategic • Operation Management, Technical and Tactical Expectation • Assurance and Compliance focus – Ask them • Value added audit shop, consulting activities • Appreciate complexity of competing agendas - Prioritize • “Co-operative independent” partner having a seat at the table. Ensure your charter reflects this understanding and provides the right authority.
Building an effective and value added internal audit organizational structure
Communication Effective communication is the KEY determinant of a successful IA function. Formal vs. Informal Communication • Identify, capture and communicate pertinent information in a form and timeframe that is appropriate to the recipient, • Communicate regularly, at multiple levels and multiple ways, • Determine each executives communication preference and style, • Create clear, concise presentation templates - Avoid information overload.
Audit Report TABLE OF CONTENT EXECUTIVE SUMMARY ............................................. 3 BACKGROUND ......................................................... 3 AUDIT OBJECTIVES AND SCOPE ............................... 3 APPROACH AND METHODOLOGY ............................ 3 STRENGTHS ............................................................ 3 OBSERVATIONS AND RECOMMENDATIONS ............ 4 K EY O BSERVATIONS ........................................................ 4 SUMMARY AND CONCLUSION ................................. 5
Rating of Audit Finding High : a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk is more than inconsequential. Corrective action is needed to ensure process objectives are achieved. Medium : a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk to the process is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls. Low : a minor weakness in the design and/or operation of a key control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to strengthen controls.
Rating of Audit Opinion Effective : Key controls are effectively designed and operating as intended. Needs I mprovement : One or more key controls do not exist, are not designed properly or are not operating as intended. The impact to the audited process is more than inconsequential. Timely action is required. Unsatisfactory : Multiple key controls do not exist, are not designed properly or are not operating as intended. The impact to the audited process is material. Immediate action is required.
Executive Summary to the Audit Committee - Scope of activities performed in order - Objective of the audit as to achieve the objectives . approved by the Audit Committee. - Summary of Procedures Performed in order to complete the audit . - -
Summary Observations to the Audit Committee HIGH Detailed Finding Rating Timing Accountable a- Business Impact b- b a High Business Impact, LOW Low Business Impact, Easy to Implement Easy to Implement High Business Impact, HIGH LOW Low Business Impact, Difficult to Implement Difficult to Implement Ease of Implementation
Internal Audit Status Summary to the Audit Committee 2013 -14 Audit Activities Q1 Q2 Q3 Q4 Annual Planning Activity 1 Activity 2 Activity 3 Activity 4 Activity 5 Activity 6 Internal Audit Follow Up Consulting and Advisory Color Legend Complete In Progress Not Started
Status Update to the Audit Committee Period Ending Overall Scope Schedule Resourcin (Date) g Current On On On On Target Target Target Target Forecast Key Accomplishments this Quarter - - - - Key Upcoming Activities - - - -
Integrated Activities – Auditing Identify groups within/outside the organization such as ERM, Quality Control, External Auditors to ensure a more effective risk assessment: Maximizing Scarce Resources • Complete a coordinated annual planning process • Look for opportunities to share and receive information • Resulting in a more integrated audit activities
Training • It should be linked to the annual audit plan, as well as current and future talent needs • Auditors vs. Employees, • Technical vs. Non Technical training, • Must include key soft skills such as Problem Solving and Critical Thinking, Business Acumen • Must be flexible, • Must be recurring and not just a one time event.
Talent Retention Significant risk if a member leave the group 1. Establish a knowledge base within the team: • Have a proper repository on tracking so that information is easily available, 2. Attention to Retention: • Ensure the compensation is competitive and the department is viewed as a great place to work. • Ensure the employees understand their roles and the available opportunities for advancement.
Standardization of Method, Approaches & Techniques • Internal Audit Charter, • Annual Planning process , • Follow up tracking and reporting, • Internal Audit Manual, • Other templates, tools and guidelines, • Customer Satisfaction Surveys
Establishing the Annual Budgets • Head Count Budget • Consulting Budget • Training Budget ALL the above must be in line with the Annual Corporate Plan
Managing the Budget and Deliverables Internal Audit Time line 2013 - 2014 April May June July August September October 13-May 20-May 27-May 12-Aug 19-Aug 26-Aug 16-Sep 23-Sep 30-Sep 15-Apr 22-Apr 29-Apr 10-Jun 17-Jun 24-Jun 14-Oct 21-Oct 6-May 15-Jul 22-Jul 29-Jul 5-Aug 2-Sep 9-Sep 3-Jun 1-Apr 8-Apr 7-Oct Total 1-Jul 8-Jul Hours Audit project Sub activity Auditor 1 Annual planning 90 30 20 30 10 Audit Activity 1 Planning 50 20 30 Execution 90 30 30 30 60 30 30 Reporting Audit Activity 2 Planning 0 0 Execution Reporting 0 Audit Activity 3 Planning 0 Execution 0 Reporting 0 Audit Activity 4 Planning 0 Execution 0 0 Reporting Audit Activity 5 Planning 0 0 Execution Reporting 0 Audit Committee Support 0 MLP follow up 0 Vacation 0 Stat Holiday 0 Year end audit coordination with External Auditors 0 Training 0 0 Advisory and Consulting activities 290 TOTAL 30 20 30 10 20 30 30 30 30 30 30 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Customer Satisfaction Surveys Summary of Audit Surveys Audit 1 Audit 2 Audit 3 Audit 4 Overall Average # Survey Question 1 The audit scope and objectives were relevant and clearly conveyed. 3 3 4 4 3.50 2 The audit report is objective, accurate, succinct and clearly written. 3 3 3 4 3.25 3 The audit recommendations are constructive and actionable. 3 3 3 4 3.25 4 Communication lines were open and positive. 4 3 4 4 3.75 5 The audit staff were objective, qualified and professional. 4 3 4 4 3.75 6 The audit was well managed and performed in a timely and efficient manner. 4 3 4 4 3.75 7 The audit provided value to my organization. 3 3 4 4 3.50 Legend Very Unsatisfied Unsatisfied Satisfied Very Satisfied 1 2 3 4
Recommend
More recommend