Quality Assessments what you need to know

Transcription

1 Quality Assessments what you need to know Patty Miller, Partner Deloitte & Touche LLP Cavell Alexander, VP-Internal Audit Intermountain Healthcare

2 Overview of requirements Scope of assessment Approaches to achieving compliance Getting started and being prepared Benefits Challenges Examples Agenda 2

3 Institute of Internal Auditors (IIA) Quality Standards (1300 Series) Quality Assurance and Improvement Program The chief audit executive (CAE) must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit (IA) activity Requirements of the Quality Assurance and Improvement Program 1311 Internal Assessments 1312 External Assessments 1320 Reporting on the Quality Assurance and Improvement Program 1321 Use of Conforms with the International Standards for the Professional Practice of Internal Auditing 1322 Disclosure of Nonconformance Overview of requirements 3

4 Standard 1312 External Assessments External assessments must be conducted at least once every five years by qualified, independent reviewer or review team from outside. CAE must discuss with the board: need for more frequent external assessments; and qualifications and independence of external reviewer, including potential conflict of interest. Interpretation Qualified reviewer or team demonstrates competence in two areas: professional practice of internal auditing and external assessment process. Competence can be demonstrated through mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues more valuable than less relevant experience. Not all members of team need to have all competencies; it is the team as a whole that is qualified. Independent reviewer or review team means not having either real or apparent conflict of interest and not being a part of, or under control of, the organization to which the internal audit activity belongs. Overview of requirements 4

5 Standard 1320 Reporting on the Quality Assurance and Improvement Program The chief audit executive must communicate the results of quality assurance and improvement program to senior management and the board. Interpretation The form, content, and frequency of communicating the results of quality assurance and improvement program is established through discussions with senior management and board and considers responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and results of ongoing monitoring are communicated at least annually. The results include reviewer s or review team s assessment with respect to degree of conformance. Overview of requirements 5

6 Standard 1321 Use of Conforms with the International Standards for the Professional Practice of Internal Auditing The chief audit executive may state that internal audit activity conforms with International Standards for the Professional Practice of Internal Auditing only if results of quality assurance and improvement program support this statement. Interpretation The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments. Standard 1322 Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing, Code of Ethics, or Standards impacts the overall scope or operation of internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board. Overview of requirements 6

7 International Standards for the Professional Practice of Internal Auditing Attribute Standards Purpose, Authority, and Responsibility Independence and Objectivity Proficiency and Due Professional Care Quality Assurance and Compliance Performance Standards Manage the IA Activity Nature of Work Engagement Planning Perform Engagement Communicate Results Monitor Progress Report Conclusion as to whether the activity: Generally conforms Partially conforms Does not conform Scope of assessment 7

8 Key Inputs Interviews, Org. Structure, Charter Enterprise Objectives for Audit and Risks Leading Practices State of the Art International Standards Interviews and survey Process Review of process, reports, risk assessment Conduct Interviews Independence Professional Proficiency Complete Surveys Document Examination Perform Analysis Scope of Work Performance Management Review of Work Papers and Technology Plan Review Reports Objectivity Status Available Resources Structure Budgets Skills Specialists Depth Training Supervision Risk Focus Financial Operational Compliance Response To Change Tools Techniques Reports Work Papers Technology Contribution Productivity Charter Plans Policies Personnel Administration Interfaces Quality Assurance Reporting/Communications Document observations and analysis Conclusion as to compliance to IIA standards Deliver observations External assessment approach 8

9 Key Focus Areas Organization & People Processes / Methodologies Stakeholder Perceptions Performance Organization size and structure Reporting relationships Strategies and scope of work (IA Charter) Leadership and staff competency and qualifications Diversity of skills Organization funding and cost management Human resource strategies Risk assessment methodology Audit planning process Audit execution methodologies Communication and reporting strategies Coordination with Sarbanes-Oxley activities Coordination and synergy with external auditors and other risk management functions Quality of service Business perspective Focused on right areas Competency of people Adding value and providing insight Use of technology Coverage of risks and control environment Adequacy of performance metrics Stakeholder feedback process Compliance with professional standards External assessment approach 9

10 Illustrative Project phases Planning Interviews/ Surveys Field work Report preparation Primary tasks Identify interview and survey participants and schedule Conduct project kick-off and entrance conference Modify and finalize draft workplan Create survey template Conduct internal audit interviews and surveys Conduct interviews and surveys with audit committee, external auditors, senior management, and business unit management Review charter, mission statements, organizational structure, span of controls, personnel credentials and education levels, training policies, performance appraisal process, and recruiting policies Comparisons/benchmarking with other companies and leading practices Analyze risk assessment, quality control, self auditing, and follow-up activities Review management and coverage of internal audit, policies, and compliance Review reporting and communication protocols, format, frequency, and tracking procedures Review use, effectiveness, and efficiency of technology used in performing audit work Identify successful practices Assess compliance to IIA standards Develop executive summary and report of observations, recommendations, identify areas of superior performance, and areas for improvement, if any Prepare draft report Participate in meetings, exit conference, and presentations as necessary Final report preparation and delivery Project week External assessment approach 10

11 Do you agree with the quality Standards and the requirement for an external assessment? Are your audit committee and senior management aware of the requirement? What are their views? Discussion point 11

12 External assessment IIA Service providers Self assessment with independent validation IIA Service providers Peer review At least three organizations Approaches 12

13 Approach Less Expense Less Time Commitment More Insight External Assessment P P Self Assessment with Independent Validation P P Peer Review P P Best option varies based on objectives and priorities to achieve compliance at lowest cost, with least time required, or to obtain more suggestions and leading practices Approaches 13

14 Most organizations use an external assessor or team. Has anyone here considered or used the other two approaches? What do you see as the relative benefits? Discussion point 14

15 Choosing an approach Key objective of assessment Developing a request for proposal Competence/knowledge Independence/objectivity Experience/ability to provide insights Desired focus areas Cost Selecting a provider Decision criteria Selection committee; role of board and senior executives Getting started 15

16 Performing self assessment Identifying key contact for coordination Collecting and organizing documentation Company s organization chart Organization chart of the Internal Audit department and geographic coverage Audit Committee charter and Internal Audit charter List of departmental professional personnel Number of professionals Current number and level distribution Skill complement List of Audit Committee members Copy of risk assessment and audit plan for the current period and prior period Being prepared 16

17 IIA Standards require external quality assessment every five years, effective since January 2002 Increased attention to controls Increased responsibility of, and focus on, Audit Committees Audit Committee / CxOs increasing their reliance on IA for regulatory requirements, risk management, and Sarbanes-Oxley program administration Increased focus on corporate governance and fraud prevention Attest auditors reliance on IA work Internal Audit increasingly called upon by executive management to be value-adding in meeting challenges of operating in today s complex business environment Changes in leadership: Audit Committee, CAE Desire to role model continuous improvement Why consider a quality assessment? 17

18 Affirmation of quality focus External validation of quality for key stakeholders Receipt of objective feedback from key stakeholders and customers New ideas to enhance value delivery External support, if needed, for CAEs pushing the envelope Realignment of mission and objectives Respect of key stakeholders and customers Benefits 18

19 Having support of audit committee and senior management Being audited! Time commitment Disruption to work activities Setting expectations Challenges and lessons learned 19

20 What benefits do you see? What challenges have you experienced and how did you overcome them? If your senior leadership was not supportive of getting an external assessment, what would you suggest to convince them it was worthwhile? Discussion point 20

21 Limited strategic/operational scope due to focus on financial/compliance objectives Limited technology focus or integrated audit approaches due to lack of IT specialist skillsets Misalignment of objectives between audit committee, senior management and CAE Limited use of tools/technology to enhance effectiveness and efficiency of audit process and to facilitate insight delivery Limited career advancement/development for internal auditors Lack of awareness of ongoing changes in Standards Focus on reporting test results vs. business issues, root cause, and collaborative solutions Missed opportunity to collaborate with other risk management functions and develop holistic risk assessment process Lack of explicit audit committee involvement in selection, evaluation and compensation of CAE Typical observations 21

22 Engagement Scope and Objectives Company A requested Deloitte & Touche LLP ( Deloitte & Touche ) to perform a Quality Assessment of the Internal Audit (IA) Department at Company A. The key objectives of the Assessment were to: Assess Internal Audit's compliance with the Institute of Internal Audit (IIA) International Standards for the Professional Practice of Internal Auditing ( Standards ). Determine whether the Internal Audit Department is effective in carrying out its mission, as set forth in the Internal Audit Charter, and whether it is meeting expectations of the Audit Committee and management. Compare to leading practices in the profession and in the industry to identify opportunities to enhance Internal Audit's work processes and products, as well as its value to the Company. The Assessment focused on evaluating Internal Audit's risk assessment and audit planning processes, audit tools and methodologies, audit and staff management processes, and on reviewing a sample of working papers and reports. Interviews were conducted with the Chair of the Audit Committee, members of the senior management team, the Internal Audit Manager (the Chief Audit Executive (CAE)), and members of the Internal Audit team. 1 This report is intended solely for the information and internal use of Company A, and should not be used or relied upon by any other person or entity. Report examples 22

23 Standards Compliance - Overview Standards Groupings Results Attribute Standards 1000 Purpose, Authority & Responsibility 1100 Objectivity and Independence 1200 Proficiency and Due Professional Care 1300 Quality Assurance and Improvement Program Performance Standards 2000 Managing the Internal Audit Activity 2100 Nature of Work 2200 Engagement Planning Attribute Standards Standards Summary Comments on Compliance and Recommendations 2300 Performing the Engagement 2400 Communicating Results 2500 Monitoring Progress 2600 Resolution of Senior Management s Acceptance of Risks 13 This report is intended solely for the information and internal use of Company A, and should not be used or relied upon by any other person or entity Proficiency and due professional care Internal auditors must possess the knowledge, skills and other competencies needed to perform their individual responsibilities, and the IA activity must collectively possess or obtain the knowledge, skills and other competencies to perform its responsibilities. The CAE must obtain competent advice and assistance if the auditors lack the knowledge, skills or other competencies needed. Auditors must have sufficient knowledge to evaluate the risk of fraud, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Auditors must have sufficient knowledge of key information technology risks and controls. Auditors must apply the care and skill expected of a reasonably prudent and competent auditor; due professional care does not imply infallibility. Auditors must enhance their knowledge, skills and competencies through continuing professional development. The IA group collectively maintains skills and competencies to implement the SOX program, and supplements its IT knowledge via a cosourcing arrangement. For the current scope of work, the IA Department seems to have the requisite knowledge and skills and performs its activities with due care. The IA group has installed the Approva tool which is used for testing of the segregation of duties, access rights and monitoring for compliance with approval procedures in selected areas (e.g., Journal Entry posting). Recommendations As the IA Department broadens its responsibilities beyond SOX, the CAE should assess the knowledge, skills and other new competencies required and develop a plan to obtain those skills such as through selective hiring, cosourcing or the use of guest auditors. The CAE should consider enhancing the current department policies to 1) specify the amount and nature of training, with a priority on training to support IA responsibilities in areas such as fraud and information technology controls; and 2) to specify the expectations for certification of staff. Many IA departments require a professional certification to be promoted into a senior or leadership role in the department. The IA department should consider expanding the use of technology-based data analysis and audit techniques beyond the current use of Approva noted above. The use of transactional data analysis tools can enhance the coverage of the audit population and provide for more targeted sample selection. For example, an analysis of the entire population of Accounts Payable transactions for a selected period against employee records and the vendor master file can assist in identifying potential fictitious vendors, duplicate vendors, unauthorized or duplicate payments, and other discrepancies which might not have been detected otherwise. The use of these tools is highly recommended to improve the effectiveness as well as efficiency of the IA team. 15 This report is intended solely for the information and internal use of Company A, and should not be used or relied upon by any other person or entity. Report examples 23

24 Benchmark Data: Selected Metrics Benchmark Data: Company A vs. Industry & Total Universe Similar size Benchmark Description Company A Industry Universe (IA function) Revenue per Auditor (000s) $120 M $264 M $356 M $329 M Employees per Auditor IT Audit Staff (cosourced) (% of Total Staff) 16.5% 15% 16% 17% Training Costs per Auditor $2,500 $2,608 $2,732 $2,464 Total Costs per Auditor (w/benefits) $250,000 $162,209 $160,478 $159,546 Total Costs per Auditor (w/o benefits) $143,000 $130,000 $130,500 $129,546 Percentage Staff with Professional Designations 50% 75% 74% 68% Staff Turnover 25% 22% 14% 20% Average Training Hours per Auditor Internal Audit SOX Role - Utilities Responsible for the testing of controls only 54% Responsibility over all aspects of SOX 8% Audit SOX process only 23% Acts in a consultative manner assisting management only 15% Internal Audit SOX Role - All Industries Responsibility over all aspects of SOX 23% Responsible for the testing of controls only 37% Audit SOX process only 27% Acts in a consultative manner assisting management only 13% Benchmarking indicates that the size of the IA function appears relatively larger than average based on Revenues and Number of Employees per Auditor. However, as noted below, the majority of benchmarked functions do not have full responsibility for the SOX program, suggesting there are relatively more resources in the benchmarked organizations applied to non-sox activities. Although management is responsible for executing the controls and maintaining the documentation, Company A s internal audit department is involved in all aspects of SOX and has taken a leadership role in designing the program, testing controls and assessing results. This broad responsibility for the SOX program is unusual, as compared to the industry, as well as against general practice across all industries. The Cost/Auditor is higher than industry benchmarks. This is attributable to higher wages in California and above average benefits at Company A Company A s certifications rate is lower than industry, which might be partially due to the small size of the department. 23 This report is intended solely for the information and internal use of Company A, and should not be used or relied upon by any other person or entity. Company A Internal Audit Report examples 24

25 Process/Methodologies Reporting IA should consider modifying its reporting process to report on all significant issues identified and associated management action plans. A risk reporting matrix could be used for consistent categorization, prioritization and reporting of all types of issues and risks under evaluation. Such a matrix is often used to provide the Audit Committee with a broader understanding of corporate governance and risk management activities related to financial, operational and compliance objectives. IA should consider an executive summary presentation, to aid the reader in focusing on the more significant areas. Such summaries often use color coding or key phrases to quickly communicate the significance of the issues, and would require IA to exercise judgment in prioritizing and summarizing issues. A leading practice of IA departments is to enhance the visual impact of internal audit reports by the thoughtful use of formats, charts, graphs, colors, etc. IA should consider increasing the visual formatting with charts, graphs and colors to more quickly attract the reader to the report, while helping him focus on key areas and discern important information quickly. PowerPoint presentations can effectively serve as a final report format, as well as support meeting presentations. This is typically a less formal approach, but is often a more economical approach, while still providing an effective reporting format. To reinforce the use and value of the COSO framework, a leading practice is to incorporate it into the Illustrative Roadmap standard report format. An example is provided to the right. Timing Action Step Key Activities IA should also consider including more prominent positive comments regarding operating strengths identified, to provide a balanced assessment with the issues identified presented in a clear context. 30 This report is intended solely for the information and internal use of Company A, and should not be used or relied upon by any other person or entity. 1Q CY11 1Q 2Q CY11 Evaluate and Prioritize Activities for Standards Compliance Conduct Comprehensive Enterprise Risk Assessment and Discuss Potential Audit Topics with Audit Committee and Management Consider compliance recommendations and prioritize action steps Develop plan to update current IA policies and procedures as compliance activities impact current department processes Review ERM assessment and consider risk factors; select risk factors (impact and vulnerability factors) and criteria to use in IA risk assessment Consider risks within business processes via interviews, document reviews, and knowledge of business Prioritize the identified risks for discussion with Audit Committee and management 2Q CY11 Define Overall Audit Scope and Audit Plan Develop a proposed internal audit plan that addresses the higher relative (unmitigated) risk areas, using either a consultative or assurance approach based on degree of vulnerability and existing mitigation Summarize proposed audits and develop audit budgets 2Q CY11 3Q CY11 4Q CY11 1Q CY12 2Q 4Q CY12 Assess Organizational Structure, Resources, Skills, Competency Requirements and Sourcing Options Present Recommended Plan, Structure/Staffing, and Charter to Audit Committee and Management for Approval Develop/Enhance Audit Execution and Reporting Processes and Associated Policies Execute New Plan and Report Progress and Results Develop Action Plans to Address Other Improvement Opportunities Identify skills required to complete proposed plan and assess requirements against department resources; identify skill gaps Consider alternative resource sourcing (in house guest auditor or cosourced) Consider longer term organizational structure and sourcing approaches to achieve risk-based audit coverage Communicate proposed IA Plan, budget, and updated IA Charter, as required Communicate higher relative risk projects that will not be addressed by Plan and budget Obtain respective approvals from Audit Committee and management Design a new IA reporting approach to communicate the results and insights from broader risk-based reviews; consider the use of ratings to prioritize findings Consider other leading practice recommendations and prioritize action plan Develop plan to update IA policies and procedures as changes in activities impact department processes Develop a risk based audit program for each project in scope Coordinate the project schedule with the auditees Design a formal approach to monitor the resolution of the action plans based on significance of finding 9 This report is intended solely for the information and internal use of Company A, and should not be used or relied upon by any other person or entity. Report examples 25

26 Open discussion Discussion point 26

27 We appreciate your participation Thank you! 27

28 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Certain services may not be available to attest clients under the rules and regulations of public accounting. 28

29 Save the Date: August 26-29, st Annual Conference in Philadelphia Pennsylvania 29