10 Key Internal Audit Topics for Audit Committee Consideration

Total Page:16

File Type:pdf, Size:1020Kb

10 Key Internal Audit Topics for Audit Committee Consideration August 2013 Audit Committee Brief From the Business, Industry & Government Team 10 Key Internal Audit Topics for Audit Committee Consideration By Richard J. Anderson, MBA, CPA J. Christopher Svare Submitted to Journal of Accountancy the data as a springboard to take a forward look at the profession and suggest 10 areas for Introduction scrutiny and focus in the years ahead. One of an audit committee’s most important responsibilities is to oversee the organization’s Although developed for internal auditors, the internal audit function, which plays a major role Imperatives for Change report also suggests in the areas of risk management and corporate a roadmap of important topics for joint governance. Typically, a Chief Audit Executive, consideration by the audit committee and chief or CAE, will have a direct reporting line to audit executive. They also point to the linkages the audit committee, which has functional between topics and the need to consider the oversight of internal audit activities. To assist implications of their interrelationships. audit committees with this oversight, and to provide a strategic framework for the direction 10 Key Questions for Audit Committees and orientation of internal audit, the authors Outlined below are the 10 imperative topics for outline 10 suggested topics for discussion internal auditors recast into rhetorical questions between the CAE and the audit committee. for audit committees. Each question is followed These topics, framed as questions, stem by a short discussion of the topic, examples of from the results of the largest-ever global related internal audit activities, and additional survey of internal auditors, which identified 10 topics and/or questions for audit committee “imperatives” for internal audit focus. consideration. Every five years, the Institute of Internal Q1: What is the internal audit coverage of Auditors (the “IIA”) conducts its Global Internal the organization’s risk management and Audit Survey to gain a current snapshot of governance processes? the profession. The IIA’s most recent survey In recent years, internal auditors have been included responses from more than 13,000 increasing their focus on the risk management internal auditors around the world. During and governess processes of the organizations 2011, the Institute of Internal Auditors they audit and assess. At the same time, audit Research Foundation (IIARF) published a series committees have stepped up their interest in of reports to discuss the results of the global risk management and governance, reflecting survey. One report, “The Global Internal the heightened oversight of these areas on the Audit Survey, Imperatives for Change: The IIA’s parts of regulatory and supervisory bodies in Global Internal Audit Survey in Action,” used both the public and private sector. Given the aicpa.org/BIG Guidance from the Board importance of these areas, the audit committee their risk assessment and how responsive of Governors of the needs to evaluate the current and projected and flexible they are with their audit plans. In Federal Reserve System scope of internal audit coverage of risk addition to recommended changes to the audit on the relationship management and governance . plan, the audit committee needs to ensure between the risk that internal audit provides it with a rundown assessment and the In organizations in the initial stages of risk audit plan on changes to the organization’s risk profile management implementation, the role of internal or new emerging risks that are driving audit “Risk assessments audit is often that of a catalyst or facilitator to plan changes. By reviewing changes to the should be revised in help foster development of the organization’s organization’s risk profile, the audit committee light of changing market risk management processes. In such situations, conditions, or laws and can gain comfort that the recommended audit internal auditors’ knowledge of the organization regulations and updated plan changes will address current risks. during the year as and its risks can be very helpful. And as the changes are identified organization’s risk management processes mature, One further point: The audit committee should in the business activities internal audit can serve in more of an assurance have a clear understanding that the CAE’s role of the institution or capacity, providing audit coverage of the risk extends beyond audit plan execution to ensure observed in the markets practices that have been implemented. that the internal audit process is identifying in which the institution changes to the organization’s risks and operates, but no less On a similar note, internal audit also can provide addressing these risks on a timely basis. than annually. When advice and assurance over the organization’s the risk assessment governance processes. Of note, the IIA’s Q3: How does internal audit use technology to indicates a change in International Standards for the Professional enhance its auditing and monitoring activities? risk, the audit plan should be reviewed to Practice of Internal Auditing (the “Standards”) Technology tools are increasingly being used by determine whether the now require internal auditors to address both risk internal auditors to enhance both the efficiency planned audit coverage management and governance processes in their and effectiveness of their auditing activities. For should be increased or audit coverage. example, powerful data mining tools enable decreased to address internal auditors to perform audit tests on entire the revised assessment Q2: How responsive to change and flexible is populations of data as opposed to testing data of risk.” internal audit’s risk-based audit plan? samples alone. In addition, data mining tools Supplemental Policy on Internal auditors are required by the Standards enable internal auditors to monitor controls, the Internal Audit Function to conduct a risk-based audit plan. While there is and It’s Outsourcing, risk and fraud indicators, and performance January 23, 2013 no one approach to conducting risk assessments metrics. Given the scope of these capabilities, and developing the related audit plan, many many internal auditors find that such tools offer internal audit groups conduct an annual risk significant opportunities to improve and enhance assessment and prepare an annual audit plan. their auditing efforts. In today’s world of complex and dynamic risks, however, more and more internal audit groups Audit committees need to determine how are updating their risk assessments and audit their internal auditors are using technology, plans on a more frequent and timely basis their plans for leveraging technology further, than just annually. For example, survey results and what types of support the internal audit indicate that it is becoming more common for function needs to be successful. To make these internal auditors to update their audit plans determinations, the audit committee also on a quarterly basis. What’s more, a number of needs to be aware of the specialized skills and internal audit groups have moved to “rolling” budgetary support required by internal audit audit plans of that only cover six-month periods. to achieve its technology objectives. These By taking a more timely approach to their audit are all topics of possible inquiry by the audit planning, organizations are helping to ensure committee. that their audit coverage is focused at the most critical issues in a given time period. Q4: What is the strategic vision and plan for internal audit? The audit committee needs to understand how, With the rapid changes in commerce today, and with what frequency, internal audit updates strategic planning has taken a new and elevated aicpa.org/BIG focus in many organizations. Internal auditing is clearly what those expectations for adding value no different. For internal auditors to keep current are and then to tailor their processes to meet with new developments in auditing, technology those expectations. and business, they must plan effectively. As the IIA Global Survey indicates, “A well-conducted For any internal audit function, providing strategic planning exercise will allow the CAE assurance is a core and expected value to develop his or her mission and various driver. But what other types of value do approaches and strategies to achieving that stakeholders expect internal audit to provide? mission.” For example, some internal auditors today add value by providing high quality talent to To assess the strategic orientation of their their organizations. Others assist management internal audit functions, audit committees should by providing monitoring and data mining ask questions such as these: capabilities that contribute to improved business- unit performance, or assist in enhancing risk • What is internal audit’s vision for the near- management and governance processes. and mid-term future? • Does internal audit have a strategic plan? Irrespective of the specific value drivers of an • How does internal audit plan to keep pace organization, however, there should be clarity with the risks and processes in the business? and agreement among internal audit, executive • Has internal audit identified gaps between management and the audit committee as to where its processes and practices are today stakeholder expectations and the specific and where they need to be in the 3-5 years? internal audit activities to which stakeholders • Does the internal audit strategy align with and ascribe value. It’s then up to internal audit
Recommended publications
  • KPMG Internal Audit
    Top 10 key risks in 2015 KPMG Internal Audit kpmg.ch The role of an effective internal audit (IA) function today is much more than simply compliance. Competing in a rapidly changing business world, companies must grapple with emerging challenges seemingly every day: new and complex regulations, cyber threats, increased reliance on data and analytics, mergers and acquisitions, expanding international operations, outsourcing, and more. IA needs to stay current with these wide-ranging business issues as they emerge so it can remain relevant to the organization. These business trends carry new risks, and IA needs to continually monitor these risks and their potential effects on the organization. To provide the greatest value, IA must find opportunities to challenge the status quo to reduce risk, improve controls, and identify potential efficiencies and cost benefits across the organization. To help IA functions achieve these goals, KPMG LLP (KPMG) has surveyed its professionals and IA departments from companies in multiple industries. The result is KPMG Internal Audit: Top 10 key risks in 2015, which outlines areas where IA can improve its focus so it can more effectively add value across the organization and maximize its influence, including allocating its resources in those areas of highest impact to the organization. Top 10 key risks in 2015 1 Cybersecurity 2 Regulatory compliance 3 Antibribery/Anticorruption 4 International operations 5 Third-party relationships 6 Mergers, acquisitions, and divestitures 7 Strategic alignment 8 Integrated
    [Show full text]
  • Audit Committees and Auditor Independence Brochure
    relationships with the company, its officers, directors or significant Change of Independent Auditors shareholders. Thus, audit committees should consider whether the company The auditor generally must be independent for has implemented processes that identify the entire engagement period and the period such prohibited relationships. covered by the financial statements being audited. Once this relationship is terminated, z Certain Financial Relationships. Audit there is no continuing requirement for the auditor committees should be aware that certain to remain independent. The auditor may financial relationships between the generally re-issue its former opinions on the company and the independent auditor company’s financial statements. However, if a are prohibited. These include creditor/ restatement of the financial statements becomes debtor relationships, banking, broker- necessary, the auditor must be independent to dealer, futures commission merchant audit the restatement adjustments and re-issue its accounts, insurance products and opinion. Further, if the Board is contemplating or interests in investment companies. plans a change in auditors, the audit committee Communications Between the Audit must consider whether the prospective firm will be independent during the audit engagement period. Committee and the Independent Auditor That is, the prospective firm must cease all Independence Standards Board Standard No. 1 prohibited services and/or sever all prohibited AUDIT COMMITTEES AND requires that the auditor disclose to the audit relationships with the issuer prior to the beginning AUDITOR INDEPENDENCE committee in writing all relationships between of the audit engagement period. Therefore, the the audit firm and the company that may audit committee should consider these issues reasonably be thought to bear on the audit firm’s before hiring a predecessor auditor or a independence.
    [Show full text]
  • The Role of Internal Auditing in Enterprise-Wide Risk Management
    IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT Issued: January 2009 ERM PP Revised: Page 1 of 8 Introduction The importance to strong corporate governance of managing risk has been increasingly acknowledged. Organizations are under pressure to identify all the business risks they face; social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level. Meanwhile, the use of enterprise-wide risk management frameworks has expanded, as organizations recognize their advantages over less coordinated approaches to risk management. Internal auditing, in both its assurance and its consulting roles, contributes to the management of risk in a variety of ways. What is Enterprise-wide Risk Management? People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the organization as a whole. The principles presented in this paper can be used to guide the involvement of internal auditing in all forms of risk management but we are particularly interested in enterprise-wide risk management because this is likely to improve an organization’s governance processes. Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. Responsibility for ERM The board has overall responsibility for ensuring that risks are managed. In practice, the board will delegate the operation of the risk management framework to the management team, who will be responsible for completing the activities below.
    [Show full text]
  • Control Self-Assessment: an Introduction
    Control Self-assessment: An Introduction Control self-assessment (CSA) is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization's risk management and control processes. In its various formats, CSA can cover objectives, risks, controls and processes. Internal auditors can utilize CSA programs for gathering relevant information about risks and controls; for focusing audit work on high risk, unusual areas; and to forge greater collaboration with operating managers and work teams. Managers can utilize CSA programs to clarify business objectives and to identify and deal with the risks to achieving those objectives. In both the facilitated workshop and survey formats of CSA, the people performing the work assess their own risks and controls, and increase the ability to achieve business objectives. Internal auditors, in a consulting role, often act as facilitators to help work teams in the assessment of risks and controls. Involvement of people performing the work in evaluation of risks and controls utilizes the expertise of the organization, increases buy-in to any action items, and focuses efforts on important business activities. Participants will benefit from understanding the different formats of facilitated and survey-based self- assessments, and discussing use of CSA in Enterprise Risk Management (ERM), regulatory financial reporting requirements, such as Sarbanes-Oxley (SOX), fraud and ethics programs, and operational auditing. After this seminar, participants will be able to evaluate the need for self-assessment in their organization's risk management and control processes, and design an implementation program for self-assessment in their organization.
    [Show full text]
  • Audit Committee Charter & Checklist
    Audit Committee Charter & Checklist GP Natural Resource Partners LLC Purpose The Audit Committee (the "Committee") is appointed by the Board of Directors of GP Natural Resource Partners LLC (the "Company") to serve as an independent and objective party to: • oversee the quality and integrity of the financial statements, reports and other financial information of Natural Resource Partners L.P. (the "Partnership") that the Partnership provides to any governmental body or to the public; • oversee the Partnership's compliance with legal and regulatory requirements; • oversee the independent public accountant's qualifications and independence; • oversee the performance of the independent public accountants; • oversee the performance of the internal audit functions of the Partnership and the Company; • oversee the Partnership's systems of internal controls regarding finance, accounting, legal compliance and ethics that management and the Board of Directors have established; • prepare on an annual basis a Report of the Audit Committee for inclusion in the Partnership's annual report on Form 10-K; • provide an open avenue of communication among the independent public accountants, financial and senior management, the personnel responsible for internal audit functions, and the Board of Directors, always emphasizing that the independent public accountants are accountable to the Committee; and • perform such other duties as are directed by the Board of Directors and report regularly to the Board of Directors. Consistent with this purpose, the Committee should encourage continuous improvement of, and should foster adherence to, the Partnership's policies, procedures and practices at all levels. Committee Membership The Committee shall be comprised of three or more Directors, as recommended by the Compensation, Nominating and Governance Committee and approved by the Board of Directors.
    [Show full text]
  • Understanding Internal Audit
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Understanding Audit committees have an essential role to play internal audit in ensuring the integrity and transparency of corporate reporting. The PwC Audit Committee Guide is designed to help members of the audit committee work through their maze of responsibilities in a practical manner. 82 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Understanding internal audit The guide consists of: Audit committees have an essential role to play in ensuring the integrity and transparency of corporate reporting. • Introduction The PwC Audit Committee Guide is designed to help members of the • Setting up the audit committee audit committee work through their maze of responsibilities in a • Financial reporting: Reviewing practical manner. financial information • Risk management & internal control • Working with the external auditor Financial reporting Risk management & • Understanding internal audit • Appropriateness of accounting policies internal control • Disclosure requirements • Maintaining & measuring • Fairness and balance of MD&A/ • Understanding of key risk areas effectiveness operating review • Effectiveness of controls • GAAP conversion • Fraud risk • Communicating & reporting • Ethical, regulatory & Audit committees: compliance matters External audit Areas of focus Internal audit • Compliance frameworks • Appointment and remuneration • Charter, authority and resources • Scope of work • Scope of work • The audit committee’s role in • Independence requirements • Internal audit effectiveness ‘fit and proper’ requirements for • Significant audit findings/recommendations • Responses to internal audit • Reviewing the performance of external auditors recommendations financial services entities • Materiality in audits Maintaining Communicating & Regulatory, compliance & measuring reporting & ethical matters We hope you will find this guide of value to your important role.
    [Show full text]
  • Brookfield Business Partners Limited Audit Committee Charter
    BROOKFIELD BUSINESS PARTNERS LIMITED AUDIT COMMITTEE CHARTER A committee of the board of directors (the “Board”) of Brookfield Business Partners Limited (the “BBU General Partner”), the general partner of Brookfield Business Partners LP (the “Partnership”), to be known as the Audit Committee (the “Committee”) shall have the following terms of reference: MEMBERSHIP AND CHAIR Annually the Board shall appoint three or more directors (the “Members” and each a “Member”) to serve on the committee for the upcoming year or until the Member ceases to be a director, resigns or is replaced, whichever occurs first. The Members will be selected by the Board on the recommendation of the Governance and Nominating Committee of the BBU General Partner (the “Governance and Nominating Committee”). Any Member may be removed, with or without cause, from office or replaced at any time by the Board. All Members will be Independent directors (as defined below). In addition, every Member will be Financially Literate (as defined below). Members may not serve on more than two other public company audit committees, except with the prior approval of the Chair of the Board. Not more than fifty percent of the Members may be residents of any one jurisdiction (other than Bermuda and any other jurisdiction designated by the Board from time to time). The Board shall appoint one Member as the chair of the Committee (the “Chair”). If the Board fails to appoint a Chair, the Members of the Committee shall elect a Chair by majority vote to serve at the pleasure of the majority. If the Chair is absent from a meeting, the Members shall select a Member from those in attendance to act as Chair of the meeting.
    [Show full text]
  • The Audit Committee's Role in Control and Management of Risk
    Mauritius Audit Committee Forum Position Paper 3 The Audit Committee’s Role in Control and Management of Risk December 2015 2 | Mauritius Audit Committee Forum About the Mauritius Audit Committee Forum Recognising the importance of Audit Committees as part of good Corporate Governance, the Mauritius Institute of Directors (MIoD) and KPMG have set up the Mauritius Audit Committee Forum (the Forum) in order to help Audit Committees in Mauritius, in both the public and the private sectors, improve their effectiveness. The Position Paper 3 deals with the Audit Committee's role in control and management of risk. The purpose of the Forum is to serve Audit Committee members and help them adapt to their changing role. Historically, Audit Committees have largely been left on their own to keep pace with rapidly changing information related to governance, risk management, audit issues, accounting, financial reporting, current issues, future changes and international developments. The Forum provides guidance for Audit Committees based on the latest legislative and regulatory requirements. It also highlights best practice guidance to enable Audit Committee members to carry out their responsibilities effectively. To this end, it provides a valuable source of information to Audit Committee members and acts as a resource to which they can turn for information or to share knowledge. The Forum’s primary objective is thus to communicate with Audit Committee members and enhance their awareness and ability to implement effective Audit Committee processes. Position Paper series The Position Papers, produced periodically by the Mauritius Audit Committee Forum, aim to provide Board directors and specifically Audit Committee members with basic best practice guidance notes in running an effective Audit Committee.
    [Show full text]
  • The Role of the Audit Committee Chair
    The role of the audit committee chair Audit Committee Institute Part of the KPMG Board Leadership Centre The importance of the audit committee chair’s leadership in setting the committee’s tone, work style, and agenda is vital to the committee’s effectiveness. In our experience, the most effective audit committee chairs are fully engaged – recognising that the position may require their attention at any time, and often beyond regularly scheduled meetings. They understand the culture of the organisation; they set clear expectations for committee members; they understand, and hold to account, both management and auditors; and they ensure that the right resources are being employed to support quality financial reporting. To provide effective leadership, the audit committee Audit committee chairs often set aside “white chair must have a clear understanding of the space” at the beginning of each meeting for the committee’s duties and responsibilities; be able to committee members to have one last look at the commit the necessary time (which will vary depending agenda (including time allocated to each agenda item) on the size, complexity and circumstances of the after they have had the opportunity to review the pre- business); be readily available on urgent matters and in meeting materials. times of crisis; and have the requisite business, financial, communication, and leadership skills. Many audit committee chairs also set aside time at each meeting for the audit committee to take a deep Setting the agenda dive into an important area of risk, accounting policy, judgement estimate or the company’s use of non- The audit committee chair plays a critical role in GAAP measures.
    [Show full text]
  • Sample Audit Committee Charter Center for April 2018 Board Effectiveness Sample Audit Committee Charter
    Sample audit committee charter Center for April 2018 Board Effectiveness Sample audit committee charter Sample audit committee charter This sample audit committee charter is based on observations of selected companies and the requirements of the SEC, the NYSE, and NASDAQ. The information presented can and will change; we are under no obligation to update such information.1 This template is designed for US public companies; exceptions to the requirements noted below may apply for certain issuers, including investment companies, small-business issuers, and foreign private issuers. Many of the items presented here are not applicable to voluntary filers. All companies should consult with legal counsel regarding the applicability and implementation of the various requirements identified. Audit committee of the board of directors—charter I. Purpose and authority The audit committee is established by and among the board of directors for the primary purpose of assisting the board in: • Overseeing the integrity of the company’s financial statements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)] and the company’s accounting and financial reporting processes and financial statement audits [NASDAQ Corporate Governance Rule 5605(c)(1)(C)] • Overseeing the company’s compliance with legal and regulatory requirements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)] • Overseeing the registered public accounting firm’s (independent auditor’s) qualifications and independence [NYSE Corporate Governance Rule 303A.07(b)(i)(A) and NASDAQ Corporate Governance Rule 5605(c)(1)(B)] • Overseeing the performance of the company’s independent auditor and internal audit function [NYSE Corporate Governance Rule 303A.07(b)(i)(A)] • Overseeing the company’s systems of disclosure controls and procedures • Overseeing the company’s internal controls over financial reporting • Overseeing the company’s compliance with ethical standards adopted by the company.
    [Show full text]
  • Model Audit Committee Charter
    Model Audit Committee Charter PURPOSE To assist the board of directors in fulfilling its oversight responsibilities for the financial reporting process, the system of internal control, the audit process, and the company's process for monitoring compliance with laws and regulations and the code of conduct. AUTHORITY The audit committee has authority to conduct or authorize investigations into any matters within its scope of responsibility. It is empowered to: Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organization. Resolve any disagreements between management and the auditor regarding financial reporting. Pre-approve all auditing and non-audit services. Retain independent counsel, accountants, or others to advise the committee or assist in the conduct of an investigation. Seek any information it requires from employees-all of whom are directed to cooperate with the committee's requests-or external parties. Meet with company officers, external auditors, or outside counsel, as necessary. COMPOSITION The audit committee will consist of at least three and no more than six members of the board of directors. The board or its nominating committee will appoint committee members and the committee chair. Each committee member will be both independent and financially literate. At least one member shall be designated as the "financial expert," as defined by applicable legislation and regulation. MEETINGS The committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require. All committee members are expected to attend each meeting, in person or via tele- or video-conference. The committee will invite members of management, auditors or others to attend meetings and provide pertinent information, as necessary.
    [Show full text]
  • INTERNAL and EXTERNAL AUDIT EVALUATION Core Analysis Decision Factors
    Core Analysis Decision Factors INTERNAL AND EXTERNAL AUDIT EVALUATION Core Analysis Decision Factors Examiners should evaluate the Core Analysis in this section to determine whether an Expanded Analysis is necessary. This module should incorporate and summarize audit findings from all of the completed ED Modules for a given examination. Click on the hyperlinks found within each of the Core Analysis Decision Factors to reference the applicable Core Analysis Procedures. Do Core Analysis and Decision Factors indicate that risks are appropriately identified, measured, monitored, and controlled? Note: If, after completing this module, examiners answer this question no, continue to the Management and Internal Control Evaluation (MICE) Expanded Analysis module. C.1. Has the board of directors established an audit committee that monitors and provides effective oversight of audit activities? Refer to Core Analysis Procedures #1-8 & Procedure #12. C.2. Has management established audit policies and procedures that are adequate for the size, complexity, activities, and risk profile? Refer to Core Analysis Procedure #11. C.3. Is the internal audit function independent from all functional areas? Refer to Core Analysis Procedure #10. C.4. Is the internal audit program sufficient for the risk profile? Refer to Core Analysis Procedures #11- 13. C.5. Are internal audit record keeping and reporting processes sufficient? Refer to Core Analysis Procedures #14-15. C.6. Is the internal audit function adequately staffed with auditors who possess an appropriate level of experience and expertise? Refer to Core Analysis Procedure #12. C.7. Do the internal auditors adequately identify, document, and report key risks in the organization? Refer to Core Analysis Procedures #15-16.
    [Show full text]