Corporate Responsibility and Internal Audit Programs
  Urton Anderson, CIA, CGAP, CCSA
Objectives
  Learn how an effective IA function adds value to the organization
  Understand the three fundamental processes underlying corporate responsibility and IA's role in each
  Learn how to use IA effectively and efficiently in the design and oversight of compliance control systems
Session Plan
  What is IA? A New Definition
  Adding Value with IA
  The Role of IA in the Governance Process
  The Role of IA in the Risk Management Process
  The Role of IA in the Control Process
  The effective and efficient use of IA in compliance control systems
Definition of Internal Auditing
  Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Adding Value
  Who are IA's customers?
  What does the customer want?
IA Customers
  Audit Committee
  Auditee
  External Auditors
  Financial Management
  Vendors
  Suppliers
  Regulators
  Senior Management
Add Value
  Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services.
  Source: Glossary to IIA Standards
What does the customer want?
  Audit Committee/Board
    Safeguarding Assets
    Compliance with Laws and Regulations
    Reliability of Data
    QUALITY OF INFORMATION
  Operating Management
    Effectiveness and Efficiency of Operations
    Achievement of Organizational Objectives
    CHANGE AGENT
IA's Role in the Governance Process
Corporate Governance Problem
  Corporate form of business organization is very fragile
  Adam Smith very skeptical of corporate concept
  East India Company
    Never able to solve contracting problem
    Throughout its history shareholders never made money but agents made fortunes
What is corporate governance?
  The process through which (1) values and goals are established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is ensured, and (4) values are preserved.
Parties in the Governance Process
  Oversight group - board and committees of the board
  Stewardship group - executive management
    Dual role of stewardship of resources allocated by board and accountability of results of operations
  Performance group - operating and support management and staff
  Assurance group - internal and external auditing functions
NYSE Corporate Governance Rules 303A.07(d)
  (d) Each listed company must have an internal audit function.
  Commentary: Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company's risk management processes and system of internal control. A company may choose to outsource this function to a third party service provider other than its independent auditor.
IA's Role
  The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
    Promoting appropriate ethics and values within the organization.
    Ensuring effective organizational performance management and accountability.
    Effectively communicating risk and control information to appropriate areas of the organization.
    Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
  Source: IIA 2130
The Role of IA in the Risk Management Process
IA's Role
  Two aspects:
  1. Assistance in the risk assessment process
  2. Evaluation of the risk management process
5 Key Objectives of Risk Management Process
  1. Risks arising from business strategies and activities are identified and prioritized.
  2. Management and the board have determined the level of risks acceptable to the organization, including the acceptance of risks designed to accomplish the organization's strategic plans.
  3. Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk at levels that were determined to be acceptable to management and the board.
  4. Ongoing monitoring activities are conducted to periodically reassess risk and the effectiveness of controls to manage risk.
  5. The board and management receive periodic reports of the results of the risk management processes. The corporate governance processes of the organization should provide periodic communication of risks, risk strategies, and controls to stakeholders.
The Role of IA in the Control Process
  The effective and efficient use of IA in compliance control systems
Monitoring
  1. The Role of Monitoring and Oversight Controls
  2. Examples of Monitoring and Oversight Controls in Compliance Systems
  3. Designing Monitoring/Oversight Controls for Effective and Efficient Assurance
  4. Providing Assurance of Compliance
Monitoring in Internal Control
  Monitoring Function - Actions taken by management and others to assess the quality of internal control system performance over time
The Monitoring Function
  Monitoring Controls - Investigation of unusual items
  Oversight Controls - Customer surveys and complaint analysis
  Internal Auditing Controls - Traditional internal audit
Compliance Examples
  Monitoring - UT Southwestern Patient Satisfaction Survey reviewed daily and any potential issues distributed to appropriate parties for prompt attention
  Oversight - UT El Paso NCAA Eligibility faculty representatives have begun to spot-check individual records.
Compliance Examples
  Internal Auditing Control - UT Tyler Peer review of health and safety program
  Internal Auditing Control - UT Houston Office of Institutional Compliance conducted review of Medical School's monitoring plan for physician billing process. Review included verifying and validating chart abstraction process
Compliance Examples - UTH PATIENT DOS POS CPT PHYSICIAN COMMENTS AGREE WITH AUDITOR'S FINDINGS ICD.9 CODED TO HIGHEST LEVEL OF SPECIFICITY / SUPPORTED IN DOCUMENTATION MEDICAL NECESSITY DOCUMENTED PROCEDURES DOCUMENTED ACCORDINGLY RESIDENT NOTE IN CHART SUMMARY OF KEY COMPONENTS DOCUMENTED TP / ATTENDING PARTICIPATION DOCUMENTED IN CHART TP / ATTENDING SIGNATURE IN CHART TP/ ATTENDING NOTE IN CHART RECORD LEGIBLE
Designing Effective Monitoring Functions
  Monitoring is a way to evaluate effectiveness, efficiency and consistency of operational controls
  Benefits of monitoring are process improvement, identification of new risk, and assurance
  Monitoring (especially internal audit control) should not be the operating control
Effective Monitoring
Providing Assurance
  Monitoring Controls need to be auditable
  Responsibility for monitoring assigned
  Plan in place verifiable (documented)
  Goal is to do internal audit of monitoring and oversight controls with little time on operational
Providing Assurance - Audit Criteria
  Documented evidence of actions taken when monitoring controls identify failure
  Instances of non-compliance documented and dealt with appropriately
  Instances of non-compliance reported to Compliance committee or Chief Administrative Officer
  Documented training related to risk has been provided to all employees
  Documented training provided in each case of failure of operating controls or non-compliance
  Periodic reporting to compliance officer and committee
Effective Assurance of Monitoring Plan
  Compliance Officer reviews monitoring plan
  External Review
    Peer
    Commercial
  IA performs inspection of monitoring plan (determines if it can be audited)
  IA performs audit of plan
Questions?
  Urton Anderson
  Red McCombs School of Business
  The University of Texas at Austin
  (512) 471-9481
  Urton@mail.utexas.edu