The Red (Book) Rocks: The Latest and Greatest Audit Standards
Presenter: Toni Stephens, Chief Audit Executive, The University of Texas at Dallas

Course Objectives
1. Explain the development of internal auditing standards and related guidance.
2. Identify the latest and greatest enhancements to the framework for the professional practice of internal auditing.
3. Apply the Standards and related guidance to your internal audits and your departmental operations to enhance the value of the internal audit process at your organization.
Internal Audit History 101
Mission
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Mandatory Guidance
A. The Core Principles
B. The Definition of Internal Auditing
C. The Code of Ethics
D. The Standards
A. Core Principles
1. Demonstrates integrity.
2. Demonstrates competence and due professional care.
3. Is objective and free from undue influence (independent).
4. Aligns with the strategies, objectives, and risks of the organization.
5. Is appropriately positioned and adequately resourced.
6. Demonstrates quality and continuous improvement.
7. Communicates effectively.
8. Provides risk-based assurance services.
9. Is insightful, proactive, and future-focused.
10. Promotes organizational improvement.

B. Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Assurance vs. Consulting

C. Code of Ethics
The Code of Ethics rests on four principles: Integrity, Objectivity, Confidentiality, and Competency.
D. Standards
Attribute Standards
Performance Standards

Recommended Guidance (UPDATED)
Implementation Guidance: Implementation Guides updated for the 2017 Standards
Supplemental Guidance: Practice Guides, GTAGs, GAITs
IIA Attribute Standards
1000 Purpose, Authority, and Responsibility
1100 Independence and Objectivity (New!)
1200 Proficiency and Due Professional Care
1300 Quality Assurance and Improvement Program
New Standards!
1112: CAE Roles Beyond Internal Auditing
1130.A3: Impairment to Independence and Objectivity
1200: Proficiency & Due Professional Care
1300: Quality Assurance and Improvement Program (UPDATED)
The CAE must report on the QAIP and the current level of conformance.
5 Key Characteristics of Effective QAIPs

Policy
- Charter, policies and procedures (P&P)
- CAE establishes and maintains the program; reports the program to management and the board

Methodology & Process
- Based on the Standards
- QAIP documented in internal audit P&P

People
- Staff aware and trained
- Periodic internal and external assessments

Systems & Information
- Standardized audit management system documents the work
- Key performance indicators monitored and used

Communication & Reporting
- Results of internal assessments and action plans to improve, reported to management and the audit committee
- Client feedback received
- External reviews reported to management and the audit committee
Example: Monitoring Quality
Measures of effectiveness & efficiency and of sustainability:
- Audit plan actual hours completed
- Staffing levels are adequate to complete the annual plan
- Audit plan projects completed
- Staff have professional certifications
- Audit reports issued within standard timeframe
- Management recommendations for priority findings are implemented by the due date
- Audit recommendations are implemented timely
- Management responses received timely after the draft report
- Direct audit hours meet standard
- Annual performance appraisals
- External QAR
- Annual goals on data analytics, consulting, management requests, and special projects
- Client satisfaction

Key Accomplishments (Quarterly)
- Worked with six student interns in Fall 2015 on three different audit projects.
- Professional participation included the CAE speaking at a national conference.
- IT Staff Auditor achieved CISA status.

IIA Performance Standards
2000 Managing the Internal Auditing Activity
2100 Nature of Work
2200 Engagement Planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Communicating the Acceptance of Risks
2000: Managing the Internal Auditing Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
(IIA Internal Audit Capability Model)
2010: Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.
(Risk-Based Plan)
2040: Policies and Procedures
Policies and procedures cover: the QAIP, administrative matters, staff meetings, emails, and signed acknowledgements.

2050: Coordination and Reliance
2060: Reporting to Senior Management and the Board (UPDATED)
The CAE must report periodically to senior management and the board on:
- Charter
- Independence
- Audit plan and progress
- Resources needed
- Results of audit activities
- Conformance with the Code of Ethics and the Standards
- Significant risk and control issues

Value Proposition of Internal Auditing for Key Stakeholders
- Governing bodies and senior management rely on internal auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management, and internal control processes.
- Helps the organization achieve its strategic, operational, financial, and compliance objectives.
- Acts as a catalyst for improving effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes.
- Provides value as an objective source of independent advice and counsel.
2100: Nature of Work
The internal audit activity must evaluate and contribute to the improvement of risk management (2120) using a systematic and disciplined approach. It evaluates risk exposures and the adequacy and effectiveness of controls over:
- Achievement of the organization's strategic objectives
- Reliability and integrity of financial and operational information
- Effectiveness and efficiency of operations and programs
- Safeguarding of assets
- Compliance with laws, regulations, policies, procedures, and contracts

2110: Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process.
2200: Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.
Planning elements: planning considerations, engagement objectives, engagement scope, resource allocation, work program.

2210: Engagement Objectives
Objectives must be established for each engagement.

2220: Engagement Scope
The established scope must be sufficient to achieve the objectives of the engagement.

Defining Objectives and Scope
Initial assignment and objectives -> Gain an understanding -> Risk assessment -> Final objectives and procedures -> Scope (nature, timing, extent)
What about IT? What about FRAUD?
2210.A2: Internal auditors must consider the probability of significant errors, FRAUD, noncompliance, and other exposures when developing the engagement objectives.
2300: Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision

Engagement Supervision
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
Tools: performance appraisals, review/coaching notes.
Audit Results

2400: Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of "Conducted in Conformance with the Standards"
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions

2500: Monitoring Progress
The CAE must establish and maintain a system to monitor the disposition of results communicated to management.

Open findings by risk rating, first quarter:

Risk Rating Category | Open at 8/31/17 | New | Closed 1st Quarter | Open at 11/30/17
Priority              |  1 |  0 |    |  1
High                  |  6 |  4 |  0 | 10
Medium                | 68 |  9 | 23 | 54
Low                   |  5 |  5 |  4 |  6
Total                 | 80 | 18 | 27 | 71

Past due with no response, by responsible executive (CIO, CISO, Provost, VP Admin, Etc.):

Type     | CIO | CISO | Provost | VP Admin | Etc.
Priority |     |   1  |         |          |
High     |  2  |   1  |         |    2*    |
Medium   | 11  |   9  |    8    |    5     |  8
Low      |     |      |    3    |          |  2
Total    | 13  |  11  |   11    |    7     | 10
2600: Communicating the Acceptance of Risks

Generally Accepted Government Auditing Standards (GAGAS)
Yellow Book vs. Red Book

Yellow Book (GAGAS)
Applies to auditors conducting financial audits of government and non-profit organizations receiving federal funds.
- Foundation and Ethical Principles
- General Standards: Independence, Professional Judgment, Competence, Quality Control and Assurance
- Fieldwork Standards: Reasonable Assurance, Significance, Audit Risk, Planning, Supervision, Evidence, Audit Documentation
- Reporting Standards for Performance Audits: Reporting, Report Contents, Distributing Reports

Red Book (IPPF)
Applies to internal auditors and internal audit activities.
- Definition of Internal Auditing and Code of Ethics
- Attribute Standards
- Performance Standards

Topics compared across the two:
A. Consulting
B. Independence
C. Performing Nonaudit Work
D. Reviewing the Organization's Ethics Program
E. Risk Assessment for Overall Audit Planning
F. External QAR
G. Quality Assurance Systems
H. Reporting Compliance with the Standards
I. Referencing the Standards
J. Fraud
K. Follow-up on Previous Audits
L. CPE

GAGAS 2017 Exposure Draft: Major Proposed Changes
- Independence requirements guidance
- CPE requirement for GAGAS
- Standards for reviews
- Added a definition of waste and requirements for reporting it (the 2011 version defines fraud, noncompliance, internal control weakness, and abuse)
- More emphasis on internal controls, aligned with the Green Book
Speaking of internal controls: the Green Book!
We've Rocked the Red Book!
We now understand the development of internal auditing standards and guidance!
We have identified the latest and greatest enhancements to the framework for the professional practice of internal auditing!
We are going to apply the standards and guidance to our internal audits and our departmental operations to enhance the value of our internal audits!

Contact: tstephens@utdallas.edu, 972 883 4876, utdallas.edu/audit