Operational Auditing - PowerPoint PPT Presentation

Slides: 33
Provided by: Willi575

Transcript and Presenter's Notes


1
Operational Auditing
Spring 2011 Professor Bill O'Brien
2
Managing the Internal Audit Activity
  • Effective management
  • Establish a risk-based plan
  • Communicate the plan
  • Ensure adequate resources
  • Coordinate services
  • Report on a regular basis
  • Monitor implementation of recommendations

3
Reporting Structure
  • Solid to Audit Committee
  • Dotted line to functional and committed executive

4
Planning Activities
  • Operating plan and financial plan (budget)
  • Establish goals and objectives
  • Determine overall resources

5
Resource Management
  • Staffing approaches
  • Flat versus hierarchical
  • Futures files
  • Commitment to training
  • Pathways for career development
  • Co-sourcing and outsourcing

6
Working with External Auditors
  • Coordinated coverage
  • Cross access to workpapers
  • Exchange of reports
  • Expansion of expertise
  • Facilitation of relationship w/senior mgt.

7
Dealing with the External Auditors
  • Different objectives
  • Different accountability
  • Different qualifications
  • Different activities

8
Cooperation
  • Economy
  • Efficiency
  • Effectiveness
  • Advantages for the external auditor
  • Increases external auditor client insight
  • Improves client relations
  • Rotates emphasis
  • Advantages for the internal auditor
  • Improves training
  • Source of additional work
  • Increases professional knowledge
  • Independent appraisal source
  • Compliance with SAS 65 and SAS 99

9
Hints for Starting or Taking Over a Dept.
  • Report to the Audit Committee or the highest
    level possible
  • Avoids conflict of interest
  • Have an administrative manager as well
  • Establish an agreed upon review approach
  • For example, operations v. compliance
  • Prepare a set of achievable objectives
  • Commit to IIA standards
  • Establish a team approach with BPOs
  • Invest in continuing education

10
Corporate Governance
  • Strategic direction
  • Governance oversight
  • Enterprise risk management
  • Assurance that processes are working

11
Ops. Audit Governance
  • Process of overseeing the achievement of
    objectives
  • Some elements of good governance
  • Assessing the control environment
  • Serving as an ethics advocate

12
Control Objectives
  • Staying under control as evidenced by
  • Safeguarding of assets
  • Compliance with laws and regulations
  • Organizational goal & obj. achievement
  • Reliability & integrity of information
  • Economical & efficient use of assets
  • Expansion of material on 9-19 & 20

13
Control Environment
  • Integrity and ethical values
  • Management philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • H/R policies and practices
  • Sustained competency of personnel

14
Other Management Issues
  • Performance metrics
  • Control self assessment
  • We will cover these in the next class

15
COSO
  • Committee of Sponsoring Organizations
  • AICPA, IIA, IMA, FEI, AAA
  • Treadway Commission
  • 1992 I/C, 2004 ERM
  • Control Objectives
  • Compliance with laws and regulations
  • Reliability of financial reporting
  • Effectiveness & efficiency of operations

16
Frameworks
  • Internal control
      • IC-Integrated Framework (COSO)
      • Guidance on Controls (CoCo)
      • Internal Control Guidance (Turnbull)
  • Enterprise risk management
      • Australian/New Zealand Std. Risk Mgt.
      • ERM-Integrated Framework (COSO)

17
Integrating COSO-ERM with COSO-I/C
The COSO-ERM Model incorporates rather than
replaces the COSO-I/C Model.
18
Components of I/C
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

19
Threats to Control
  • Management override
  • Open access to assets
  • Form over substance approach
  • Conflict of interest

20
Balancing Risk and Control
  • Too much risk
      • Loss of assets
      • Poor decision making
      • Potential non-compliance
      • Potential for fraud
  • Too much control
      • Increased bureaucracy
      • Excess costs
      • Excess cycle-time
      • Increase in non-value added effort

21
Control Activities
  • Segregation of duties
  • Performance reviews
  • Approvals
  • IT access
  • Documentation
  • Physical access
  • IT applications
  • Independent verifications & reconciliations

22
IIA and Control
  • IIA control objectives S-C-O-R-E
      • Safeguarding of assets
      • Compliance with laws and regulations
      • Objective and goal achievement
      • Reliability & integrity of information
      • Economical & efficient use of assets

23
Risk Management
  • Strategy formulation
  • Range of activities
  • Risk barriers to objective achievement

24
COSO and ERM
  • COSO 2 cube
  • ERM defined
  • A process, effected by an entity's board of
    directors, management and other personnel,
    applied in a strategy setting and across the
    enterprise, designed to identify potential events
    that may affect the entity, and manage risk to be
    within its risk appetite, to provide reasonable
    assurance regarding the achievement of entity
    objectives

25
Remember this Key Point
  • Risk is BOTH positive and negative

26
COSO ERM Objectives S-C-O-R
  • Strategic
  • Compliance
  • Operations
  • Reporting

27
COSO-ERM Components
  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring

28
ERM and Ops. Audit
  • Provide assurance on risk mgt.
  • Provide assurance of risk evaluation
  • Evaluate risk mgt. processes
  • Evaluate risk reporting
  • Review the mgt. of key risks.
  • See Exhibit 4-4

29
IIA ERM Advisory
  • Audit plan should be based on risk assessment
  • Audit plan may include the strategic planning
    process
  • Audit plan should be updated for significant
    changes
  • Audit plan should be prioritized based on risk
    likelihood and exposure
  • Audit reporting should convey risk related
    conclusions

30
O'Brien's Suggestions
  • Finance should be involved in active conceptual
    support.
  • Finance should be an implementation driver.
  • Finance should provide on-going assessment of the
    process.
  • Finance should add insight to ERM and vice-versa.
  • Finance should assume the role of process
    coordinator.

31
Where Do We Go from Here?
  • Increased demand
  • Increased respect
  • Increased contribution
  • Increased advancement opportunities
  • IT'S A GREAT TIME TO BE FOCUSED ON OPERATIONAL
    AUDIT OPPORTUNITIES!!!

32
Systematic Approach
  • Planning
  • Selecting the BPO
  • Pre-site planning
  • Evaluating
  • Conducting the preliminary survey
  • Review internal controls
  • Expanding tests as necessary
  • Generating findings
  • Communicating
  • Reporting the results
  • Conducting follow-up
  • Assessing the process
  • Note Exh. 2-6 and Exh. 13-4