Internal Auditing 101

Transcription

1 Internal Auditing 101 Presented By: Sam Capuano - Manager of Internal Audit, Wolf & Co. John Gallagher - Director of Internal Audit, SEFCU (NY) Barry Lucas - Internal Auditor, Desco FCU (Ohio) 1

2 Introductions What is Internal Audit? Where Do I Start? Who Should I Interact With? What Do I Audit, and How? What and How Do I Report? With Whom Do I Meet and When? What Resources are Available? 2

3 Sam Capuano - Manager of Internal Audit, Wolf & Co. John Gallagher - Director of Internal Audit, SEFCU (New York) Barry Lucas - Internal Auditor, Desco FCU (Ohio) 3

4 Definition Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve operations. Internal Audit helps the Credit Union accomplish its objetives by bringing a systematic, disciplined approach to evaluate and improve the effectivesness of risk management, control and governance processes. 4

5 Define the roles and responsibilities Audit (Assurance Services)? Compliance? Fraud? Risk Management? Consulting? Security? 5

6 Independent and Objective Reporting Lines? 6

7 Authorities Internal Audit s purpose, authority and responsibility must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards (STD 1000) 7

8 Responsibilities and Authority? Charter Documents - Supervisory Committee - Internal Audit Job Descriptions Department Structure 8

9 Who does Audit interact with? Board of Directors Supervisory Committee Management Staff Examiners External Auditors 9

10 10

11 11

12 Audit Universe The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, products, services, subsidiaries, third party vendors, and processes) that are considered auditable by internal audit. 12

13 Risk Assessment Internal Audit s audit plan must be based on a documented risk assessment, undertaken at least annually [STD 2010.A1] 13

14 Internal Audit Plan Internal Audit must establish riskbased plans to determine Internal Audit s priorities, consistent with the Credit Union s goals. [STD 2010] 14

15 Internal Audit Plan Internal Audit must develop and document a plan for each audit including the audit s objectives, scope, timing and resource allocations [STD 2200] 15

16 Audit Scheduling Disruptions Employee Investigations (Fraud) New CU Products, Services, Departments Staff Training and Development Staff Turnover Management and/or Committee Projects External Audits and Examinations 16

17 Audit Work Stated Objective Scope of Work Sampling 17

18 Audit Program Written Procedures (what, when, how ) Internal Control Questionnaires (ICQs) Documentation Requirements 18

19 Audit Cycle Audit Notification Preliminary Audit Survey Fieldwork Entrance Conference Fieldwork Detailed Appraisal Ending Fieldwork Reporting Follow-up Notification of intent to audit Preliminary scheduling discussions and document requests Establishing key area contacts Conducting a risk assessment Developing an audit program Sharing the audit program Coordinating the execution of fieldwork Analytical Reviews Interviews Detailed testing Finding/ Comment Updates Share preliminary results with area management Drafting Report Obtaining management action plans Exit meeting Finalizing Report Management Response Audit Satisfaction Survey Monitor completion of action plans Reporting to Supervisory Committee Report Distribution to Supervisory Committee 19

20 Audit Workpapers Audit workpapers are the documents which record all audit evidence obtained during financial statements auditing, internal management auditing, information systems auditing, and investigations. Audit working papers are used to support the audit work done in order to provide assurance that the audit was performed in accordance with the relevant auditing standards. 20

21 Paper vs. Electronic? 21

22 Numbering Review Notes Sign-off Retention Access 22

23 23

24 The who, what, when, and how? Internal Auditors must communicate the results of the audit. [STD 2400] 24

25 Who? Board Supervisory Committee Executive Management Department Management 25

26 What? Area Overview? Scope of Work? Audit Rating? Audit Findings? Risk and Control Deficiencies? Operational Inefficiencies? Cost Reduction Opportunities? Compliance Infractions Recommendations? Comments for Discussion? 26

27 When? To Management? Prior to Exit Draft Subsequent to Exit Final To Supervisory Committee? Subsequent to Receipt of Management Response To Board of Directors? Subsequent to Committee Acceptance and/or Approval 27

28 How? In-person Discussion Formal Presentations Written Reports Synopsis Executive Summary Full Report 28

29 Frequency? Attendees? Agenda? Food? (just kidding, but important!) 29

30 30

31 Enterprise Risk Management (ERM) COSO Model NCUA Supervisory Letter No (issued Nov. 2013) 31

32 Internal Controls Structuring audit plans and programs Types of Internal Controls Assessment 32

33 Types of Internal Controls Preventative Segregation of Duties Approvals Security of Assets Detective Monitoring Reconciliations Audits Physical Inventories 33

34 Control Self Assessments - similar to ICQ s Example: General Controls Are there written rules, guidelines, policies, and/or procedures for all transactions and critical activities in this department? Does the department have copies of all current policies and procedures manuals? Do personnel have the knowledge and skills required for their jobs? Are month end financial reports reviewed and verified for accuracy on a monthly basis? Are month end financial reports reconciled to departmental supporting documents on a monthly basis? Is a member of management reviewing and approving the reconciliation in a timely manner? Does your department maintain a key and/or door access control log? This log should list all keys or access codes owned/issued by the department, to whom they are issued, locks each key will open, and key numbers. Does your department have an operating plan that states goals to be accomplished and a timeline for completion of tasks? Are department goals and tasks prioritized according to importance? Has management established operating or work standards that can be used to measure department performance (i.e. metrics, KPIs)? 34

35 Technology Paperless auditing Internet Tools Analytics (queries, access databases, big data, etc) 35

36 Other Resources (beyond ACUIA) NCUA IIA AICPA NAFCU CUNA NACUSAC External Audit Firms 36

37 Certifications CIA CPA CFSA CRP CISA CCSA CRCMP Etc.. 37

38 ACUIA!!!! Conferences Webinars Website The Audit Report Magazine Forum Networking, Networking, Networking!! 38

39 The End!!!! 39