Internal Audit and SOX Best Practices
Eric Lister, Risk Advisory Services

Agenda
- Internal Audit Procedures and Examples
- SOX 404 Procedures and Examples
- Questions and Discussion

Overview of IA Best Practices
- Planning
- Fieldwork
- Reporting
- Post Audit

Audit Timelines and Procedures
- Planning – Audit assignment and objectives are established here in depth after being added to the risk assessment.
- Audit Program – Specific audit steps and personnel involved are established here, which leads to more efficient testing of procedures and samples.
- Fieldwork – Create flowcharts, select and test samples, compare to the ideal condition, and report findings or discrepancies.
- Reporting – Create recommendations and remediation plans for any issues found, with a timeline for correction.
- Post Audit – Follow-up on remediation actions is reviewed, and quality surveys are sent to process owners to obtain an idea of the value added by internal audit and opportunities for improvement.

Risk Assessment and Audit Plan
Establish Annual Audit Plan:
- Done by the CAE and senior management.
- Various types of audits should be introduced.
- Risk-based approach based on auditable items in the company.
- Should be approved by the board of directors.
- External and internal risks are considered: environmental, regulations, turnover, segregation of duties.
- Should be presented to process owners to provide a reasonable amount of time to prepare.
- Best use of the audit team's time is considered.

Planning
Establish Audit Assignment and Objective:
- Does the objective meet the organization's goals?
- Will the testing procedures reach the most effective conclusion on performance?
- Do we have adequate knowledge and resources?
- Send engagement memo.
- Send preliminary survey and questionnaires for background information.
- Develop audit program.
- Gather and review policies and procedures related to the specific activity.

Audit Program
Establish Audit Testing Procedures:
- Restate the audit objective to ensure clarity and focus.
- Describe the tests that will be performed to validate the operating effectiveness.
- Establish the time period of the audit.
- Fraud considerations.
- Populate initial risks to address based on preliminary surveys, interviews, and risk assessments.
- Testing reference to identify the location of testing-phase documents.
- Document controls in place and how they should be operating.

Audit Program Example

Fieldwork
Testing and Documentation Stage:
- Evidence is created from tests or questions with process owners.
- Document the method of selecting samples (judgmental or random).
- Request evidence and compare to established criteria obtained during planning.
- Document the test procedure, area of workpaper reviewed, and identifying information.
- Support conclusions (pass/fail) reached.
- Establish the recommendation and remediation needed in order to correct any issues.
- Create flowcharts, conduct interviews, meetings, etc.
- Discuss issues with management in order for them to accept or address the risk identified.

Audit: Dallas Superconference Registration Audit
Objective: To determine whether processes were followed correctly.
Procedures: How did you do it?
Testwork Performed: What did you do?
Results: Were there any issues?

Audit Tests (workpaper columns): Sample Number; Sample Name; Descriptive Information; Audit Test; Audit Test; Audit Test; Result; Tickmark; Workpaper Reference.

Tickmark Legend (note Exception or No Exception):
- [a] Explain the issue noted.
- P No exceptions noted in performance of test.

Reporting
Communicate the findings of the audit:
- Provide documented communication to process owners.
- Provide operating management with assessments and/or expected corrective action.
- Provides the Internal Audit Activity a way to demonstrate its value to the entity.
- Provides auditor and management with follow-up actions if needed and a timeline for expected remediation.


Post-Audit
Communicate the findings of the audit:
- Follow up on the corrective action needed to be taken by management outlined in the report.
- Finalize presentations to BOD members.
- Complete the Audit Checklist to ensure all procedures outlined previously have been completed and documented.
- Send a survey to managers and process owners to gain an understanding of the value and effectiveness of the internal audit activity.


Overview of SOX Best Practices
- Population
- Sampling
- Testing
- Reporting

What Are Internal Controls?
- Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
- The control wording should list the "ideal state" of the process being tested.
- Related to financial reporting and corporate governance.
- Identify the roles and responsibilities of the people in the process.


Who Is Responsible?
- Board, management, employees.
- Internal Auditors are not responsible for establishing or maintaining internal controls.
- Internal Auditors must examine the adequacy and effectiveness of the internal controls.
- Internal Auditors make recommendations where improvements to design or application are needed.
- Internal Auditors contribute to the effectiveness of the control environment.

What Is The Difference?
Audit:
- Less frequent, more formalized
- Larger scale, scope, and sample
- System or program based
- Structured and allows for further investigation and analysis
- Risk-based
Compliance:
- Frequent, repeating
- Scope and scale oftentimes do not change
- Large number of inspectors per year
- More rigid and checklist based

SOX Timelines and Procedures
- Population – Based on the company or entity's fiscal year. The entire 12 months should be considered in the population for testing.
- Sampling – Samples should be representative of the population and are determined based on daily, weekly, monthly, or annual action.
- Testing – Test based on the criteria established in walkthroughs, narratives, and flowcharting exercises performed.
- Testing (second window) – Test the second half of the population, document the remediation actions taken by process owners, and determine if noncompliance has been remediated.
- Reporting – Highlight any issues of noncompliance and report to process owners for remediation.

Population and Sampling
- Ensure the population is accurate and complete. Provided by the entity versus pulled by Internal Audit?
- Sampling should be representative of the process being audited.
- Coordinate with external auditors on sampling to reduce the burden on the process owners.

Testing
Testing and Documentation Stage:
- Evidence is created from documents obtained by systems or provided by process owners.
- Provide remediation action if controls are to fail.
- Verify accuracy and authenticity when receiving documents second-hand.
- During the initial testing phase, allow enough time for process owners to remediate during a second testing window.
- Support conclusions (pass/fail) reached.

Reporting
Communicate the findings of the testing:
- Provide documented communication to process owners, CEO, CFO, and board of directors.
- Coordinate with external auditors on issues, risk rating, and impact to the organization.
- Identify whether issues and/or control failures are control deficiencies, significant deficiencies, or material weaknesses.
- Issue a final memo documenting control failures, remediated items, open issues, risk level, and plan of action.

SOX Best Practices
- Planning and Orientation – Interviews with management and internal process experts should see SOX testers gain an understanding of the business practices, policies and procedures, and departmental processes.
- Governance Assessment – Senior management and BOD members should be interviewed to gain an understanding of their commitment to ethics, anti-fraud policies, their management philosophy, and corporate tone.
- Documentation – Narratives and flowcharts should be established documenting key processes with high complexity. Narratives provide a written description of the people and systems involved and can identify weak areas.
- Control Matrix – A complete matrix of internal controls should be maintained to identify changes, areas tested, process owners, document requests, and any noncompliance.
- Remediation – For control issues, a remediation plan of action should be established quickly in order for the organization and process owners to have a chance to conform effectively.

SOX Best Practices (continued)
- Test Procedures – Procedures and types of tests should be established prior to performance to ensure full understanding by all involved. Tests should also be complete and test all areas of the control.
- Retesting Remediation – Select a second sample of items to be tested for any control that did not operate effectively in the initial testing phase. After agreeing with process owners, the new samples are tested similarly to the originals.

[Diagram: Internal Audit Testing Procedures to Ensure Compliance, surrounded by the stakeholders and concerns it touches: Reputation, Fraud Assessments, Process Owners, Shareholders, External Auditors, Corporate IT Systems, Stock Price, Government Agencies, Board of Directors, Infrastructure (Availability, Security).]

SOX Takeaways: Convincing Doubters
Guiding questions: What is the return on investment? Why do we need it? What does it involve?
- Know your customers and their requirements.
- Coordinate with external auditors for reliance on controls to reduce burden.
- Maintains high assurance that controls and governance activities are operating effectively.
- Become an efficient and valuable part of the organization by incorporating SOX into audits.
- Know your compliance requirements and the types of regulations that run your business.
- Addresses risks beyond just a financial impact.
- Know when to "push back".
- Communication, Communication, Communication.
- Define the scope of the system or process, including infrastructure, software, people, procedures, and data.
- Constant verification of changes.
- Cooperation between the entire entity to ensure effective controls and remediation of ineffective controls.

Questions?
