Many auditors forget the fundamentals of internal auditing. This webinar will focus on areas of internal auditing that every auditor should know. This includes understanding Audit’s role in the organization, IIA standards, internal control, and the key components of the audit process.
This webinar is for auditors who want to understand the key components of the audit process including characteristics of successful auditors.
The learning objectives include the following:
Learn about the IIA Professional Practices Framework
Learn about the framework of internal control as defined by the Committee of Sponsoring Organizations (COSO)
Learn about the basic elements of the audit process
Internal Auditing Basics
1. 11/2/2017
1
Internal Audit Skills
Training
Internal Auditing Basics
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®, the global resource for auditors
Auditor, Author, Web Site Guru, Internet for Auditors Pioneer
Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.
About AuditNet LLC
• AuditNet®, the global resource for auditors, is the pre-eminent
online portal for the global audit community hosting a
comprehensive catalogue of audit procedures.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 2,700 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Housekeeping
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage
or recording of this webinar or any of its material is strictly forbidden.
If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join
link.
We are recording the webinar and you will be provided access to that recording after the webinar.
Downloading or otherwise duplicating the webinar recording is expressly prohibited.
You must answer all the polling questions to qualify for CPE per NASBA.
If you meet the NASBA criteria for earning CPE you will receive a link via email within 5 days to
download your certificate. You must be able to receive emails from gensend.io with HTML links. Check
your inbox and junk mail folders and contact your IT department if your system blocks emails. The email
will be sent to the same email address that you used to register for the Webinar.
Submit questions via the chat box on your screen and we will answer them either during or at the
conclusion.
Please complete the evaluation questionnaire to help us continuously improve our Webinars.
IMPORTANT
INFORMATION
REGARDING CPE!
Regarding CPE – If you attend the Webinar, are a basic, premium, or group subscriber or a site
license user, and answer all the polling questions, you will receive an email within one week with the
link to download your CPE certificate. The official email for CPE will be sent out and the sender
address will be NoReply@gensend.io. Blocks or spam filters in your email system, or a firewall that
redirects or does not allow delivery of this email from Gensend.io, will impact your receiving the email
with the link.
If we receive an email request for CPE after sending out the official CPE email because you did not
receive your CPE we will require a $10 processing fee to resend to an alternate email address or to
send you a claim link.
We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We
highly recommend that you work with your IT department to identify and correct any email delivery
issues prior to attending the Webinar.
We are not responsible for any connection, audio or other computer related issues. You must have
pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions,
which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see
to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or
opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them,
are for educational purposes only and do not constitute accounting or legal advice or create
an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and linked
to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
William Woodington CPA CIA CRMA
President Woodington Training Solutions
Managed the Learning & Development (L&D) function for Wells Fargo Audit & Security for 18 years.
Audit Specialist for 4 years supervising audit projects prior to moving into the L&D position.
Worked for First Bank System and Deloitte and Touche.
Member IIA and ATD
Teaches audit, business writing, and leadership seminars
Training Objectives
Learn about the IIA Professional Practices Framework
Learn about COSO
Learn about the basic elements of the audit process
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Audit’s Impact on the Company
Identify risk exposures and evaluate the adequacy and effectiveness of
risk management and control practices for the business’s governance,
operations and information systems regarding:
Reliability and integrity of financial and operational information
Effectiveness and efficiency of operations
Safeguarding of Assets
Compliance with policies, procedures, laws, regulations, and contracts
Effectiveness of security of computer systems that support the
business processes
Audit’s Role and Responsibilities
Audit provides independent, objective assurance and advisory services to
evaluate and improve the effectiveness of risk management, control, and
governance processes.
Conducts tests and provides conclusive reporting regarding the health
of the risk management and internal control structure within the
Company.
Advises management on cost effective risk management practices and
controls in the design of new business products/processes.
Ensures risk issues are escalated and resolved.
Functions as a source of talent and a training ground for other areas in
the Company.
Audit & Exam (A&E) Committee
The principal objectives of the Board of Directors A&E Committee are:
Review and approve the annual audit plan.
Review and approve the audit department’s annual financial budget.
Recommend board approval of the corporation’s external audit firm
each year.
Receive reports and updates from the regulators, external accounting
firm, and others relating to the control environment in the corporation.
The A&E Committee assists the Board in fulfilling its oversight role related
to risk management and establishes a forum for open exchanges of views
and information.
Polling Question #1
Foreign Corrupt Practices Act
The Act arose because of illegal payments (bribes) made to
officials in foreign countries. In most cases the payments
were legal under the laws of the countries in which they were
made, but they were not in accordance with American
business ethics. In some instances these questionable
payments were made without the authorization or knowledge
of the top executives of the companies involved. This
legislation is the government's attempt to eliminate these
unauthorized transactions. It makes the person giving the
bribe as guilty as the one receiving it.
Foreign Corrupt Practices Act
The Act requires each SEC registrant to devise and maintain a system of
internal accounting control sufficient to provide the following assurances:
Transactions are executed with the knowledge and authorization of
management.
Transactions are recorded as necessary to permit preparation of the
financial statements and to maintain accountability for assets.
Access to assets is permitted only with management's authorization.
Existing assets are compared with recorded accountability, and
appropriate action is taken with respect to any differences.
The Foundation of Success
Successful companies typically adhere to the
following:
Control
Profitability
Growth
Control Comes First!
Management’s Responsibility
Management is responsible for controlling its operations. This
includes the following:
Identify and evaluate the risks and exposures of
conducting operations.
Establish appropriate controls to mitigate risks to an
acceptable level.
Monitor controls to ensure they remain in place and
function effectively.
Polling Question #3
Treadway Commission
Report of the National Commission on Fraudulent Financial
Reporting (Treadway Commission):
The company has the final responsibility for its financial
statements.
The tone set by senior management (the corporate
environment or culture within which financial reporting
occurs) is the single most important factor contributing to
the integrity of the financial reporting process.
Committee of Sponsoring
Organizations (COSO)
Internal Control - A process, effected by an entity’s board,
management, and other personnel designed to provide
reasonable assurance regarding the achievement of
objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
COSO Internal Control
Integrated Framework
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Scope of 404
Internal Control Components
The control environment provides an atmosphere in which
people conduct their activities and carry out their control
responsibilities. It serves as the foundation for the other
components. Within this environment, management assesses
risks to the achievement of specified objectives. Control
activities are implemented to help ensure that management
directives to address the risks are carried out. Meanwhile,
relevant information is captured and communicated
throughout the organization. The entire process is monitored
and modified as conditions warrant.
Control Environment
Sets the tone of an organization
Influences the control consciousness of its people - “tone at the top”
Provides discipline and structure and is the foundation for all other
components of internal control
Key Factors to a successful control environment:
Integrity and ethical values
Commitment to competence
Management’s philosophy and operating style
Organizational structure and assignment of authority
Direction from the board of directors
Risk Assessment
The identification and analysis of relevant risks to the
achievement of the entity’s objectives.
Forms the basis for determining how the risks should be
managed.
Leads to Management decisions related to acceptable
levels of risk.
Control Activities
A control is any action taken by management to enhance the
likelihood that established objectives and goals will be
achieved. Control activities include a wide range of activities
such as approvals, verifications, policies, and standards that
help ensure:
Management directives are carried out.
Actions are taken to address risks and achieve the entity’s
objectives.
Control Activities
Control Types
Preventive (proactive) - Controls that deter undesirable events from occurring. Examples include segregation of duties and computer passwords.
Detective (reactive) - Controls that detect and correct undesirable events that have occurred. Examples include supervisor reviews and exception reports.
Directive (proactive) - Controls that cause or encourage a desirable event to occur. Examples include employee training programs and employee bonus plans.
Auditors ensure that controls are adequate and function effectively!
Information & Communication
Information and communication systems “surround” control
activities.
Enable people to capture and exchange information
needed to conduct, manage, and control the operations.
Effective communication must flow down, across, and up
the organization.
Monitoring
Ensures that internal controls continue to operate
effectively.
Includes regular management and supervisory activities
and separate evaluations.
Ensures modifications to controls are made as necessary.
Allows for dynamic reaction to changing conditions.
Polling Question #4
Audit Process Overview
Understand the Enterprise – Define Audit Universe and Validate Completeness
Risk Analysis – Assess Risk and Develop Audit Plan
Execute Audit Plan – Identify and Manage Resources
Analyze Business Processes – Review Strategies, Finances, Systems and Processes
Execute Audit Program – Test Controls, Issue Findings
Report to Management – Report results, agree on action plans with management
Validation – Assess Management’s progress in resolving significant issues and report to the A&E
Risks Assessment – Assess risk levels and control design to develop Audit Program
Business Monitoring – Understand the Business: Strategies, Processes, Products, Systems, Regulations, etc.
Plan Approval – Review Plan with Senior Management and Present to A&E Committee
Annual Audit Plan Development
Audit Plan Development
Audit Universe
Risk Considerations: Accounting/Financial, Technology, Operational, Compliance, Credit, Market
Frequency Considerations: Time Since Last Audit, Risk
Plan is evaluated on an ongoing basis in response to emerging risks and changing business requirements.
Steps in the Audit Process
Pre-Audit Planning
Planning
Fieldwork
Reporting & Wrap-Up
Validation
Business Monitoring
Audit Process –
Pre-Audit Planning
Assignment of AIC – Senior Audit Manager or Supervisor
Review of business information – AIC
Business Partner notification – AIC or Supervisor
Request for information from Business Partner – AIC
Audit Process - Planning
Business Analysis – AIC
Understanding the Business
Process Flowcharts – Identification of key control points
Risk Assessment – AIC
Identification and assessment of risks and controls
Business Partner validation
Audit scope definition and Audit Program development (Risk, Control &
Test Documents) – AIC
Engagement letter delivered to Business Partner – AIC
Kickoff meeting with Business Partner and Audit Team – AIC
Audit Process - Fieldwork
Testing For Control Effectiveness Related To Key Risk Areas – Audit
Team
Completed within 75 days – Audit Team
Documentation of data analysis – AIC
Sampling of key control areas – Audit Team
Workpaper completion – Audit Team
Business Partner status updates – AIC
Significant Issues & Recommendations communicated in writing –
Audit Team
Written management response required – Business Partner
Audit Process –
Reporting & Wrap-Up
Audit Ratings Matrix completion
Draft report shared with Business Partner
Exit conference held With Business Partner
Final report issued within 30 days of fieldwork end date
Written interim performance appraisals completed for team members
who work at least 80 hours on an audit project
Audit Process – Reporting
Final Report includes:
Executive Summary
Summary Assessment of the Internal Control Environment
Summary of Issues and Corrective Actions
Best Practices
Objective and Scope of the Audit
Business Unit Summary
Risk Assessment and Ratings Methodology
Enterprise Risk Area Coverage
Details of Issues and Corrective Actions
5-Tier Audit Rating – Matrix Overview
CONDITION 5 4 3 2 1
Control Environment: The tone of the organization influences the control consciousness of its people. Examples include the integrity, ethical values, attitude and competence of employees; management philosophy; and input provided by the board of directors.
Risk Identification & Assessment: Identification and analysis of risks relevant to achieving corporate goals, determination of how such risks should be managed and implementation of a process to address risk associated with change.
Control Activities: Policies, procedures and processes that help ensure a company carries out management directives. Examples include approvals, verifications, reconciliations, reviews of operating performance, security of assets & segregation of duties.
Information & Communication: Communication within the company and with external parties such as customers, regulators and shareholders. For example, reports that contain operational, compliance or financial data or that share ideas or events across lines of business are generated from a company’s information systems.
Monitoring & Testing: Assessing the quality of a company’s internal control systems. This is done through ongoing monitoring of activities within the business unit and an independent evaluation of existing controls by auditors.
5-Tier Audit Rating – Opinion Statements
Audit Rating: Standard Opinion Statements
5: The system of internal control, as defined in the scope of this audit, is strong and effective and provides assurance the risks are well-managed.
4: The system of internal control, as defined in the scope of this audit, is effective and provides reasonable assurance the risks are being effectively managed.
3: The system of internal control, as defined in the scope of this audit, is generally effective and provides reasonable assurance that risks are being managed. Control exceptions exist but corrective action plans are in place.
2: The system of internal control, as defined in the scope of this audit, needs improvement and may not provide reasonable assurance the risks are being managed. Control exceptions exist that need to be addressed.
1: The system of internal control, as defined in the scope of this audit, is ineffective and does not provide assurance the risks are being managed. Immediate management attention is needed to address the control exceptions.
Audit Process – Follow-Up
Standardized process to capture, monitor and report corrective actions
from reported audit issues
Establishes guidelines for the timing/extent of follow-up work
Issues close when business partner notifies Audit
Results of follow-up work communicated to business partner
Audit Process – Issue Escalation
Issues aged based on original corrective action due dates and number
of date revisions tracked
Aging reports/escalation of past due issues discussed with business
unit and senior management as part of Business Monitoring by Audit
Manager and/or AIC
All Very High, High and Moderate risk issues past due over 31 days
are reported to the Audit & Examination Committee
Audit Process –
Business Monitoring
Typically managed at the Senior Director, Director and SAM levels through
email, phone conversations, and live meetings. Frequency is based on
risk of auditable unit.
Fosters strong relationships between WFAS and Business Partners
Provides a mechanism for validating the status of corrective actions
taken
Allows for identification of emerging risks
Re-validates risk assessments
Enables timely reaction to business/risk changes
Enables identification and escalation of adverse trends
Allows for discussion of investigation issues
Ensures key information is communicated to management
Questions?
Thank You!
William Woodington, CPA, CIA
Woodington Training Solutions
763-568-1181
http://woodingtontraining.com/
bill@woodingtontraining.com
Jim Kaplan, CIA, CFE
AuditNet LLC®
800-385-1625
www.auditnet.org
webinars@auditnet.org
AuditNet® and cRisk Academy
If you would like forever access to this webinar recording
If you are watching the recording, and would like to obtain CPE credit for this webinar
Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week