ESTABLISHING AN EFFECTIVE INTERNAL AUDIT FUNCTION

Transcription

ESTABLISHING AN EFFECTIVE INTERNAL AUDIT FUNCTION
OCTOBER 2015

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.


WITH YOU TODAY
- Vicky Gregorcyk, National Advisory Practice Leader, BDO USA, LLP, vgregorcyk@bdo.com
- Dawn Williford, RAS Houston Practice Leader, BDO USA, LLP, dwilliford@bdo.com
- Brian Hayden, Director of Internal Audit, Paragon Offshore, BHayden@paragonoffshore.com
- Neil Frazer, Director of Internal Audit, Leviton, Nfrazer@leviton.com
- Amy Rojik, National Assurance Partner, BDO USA, LLP, arojik@bdo.com

LEARNING OBJECTIVES
Upon completion of this course participants will be able to:
- Describe the role the IA function plays in the risk management of an organization.
- Recognize the structuring options for establishing an IA function and determine which structure may be most beneficial to your organization.
- Describe the audit committee’s oversight role of the IA function in assessing adequacy of corporate governance.
- Identify the key elements of the IA methodology to be properly applied in designing an approach and framework.

AGENDA
- Assessing the Need for Internal Audit
- The Roles & Functions of Internal Audit
- Value Proposition – Why Internal Audit?
- Establishing An Internal Audit Function
- Structure Options: Advantages and Disadvantages
- IA Reporting Lines
- Audit Committee Oversight
- Key Skills for IA
- Technology and Tools
- IA Methodology: Business Risk Assessment Approach & Framework
- Resources

ASSESSING THE NEED FOR INTERNAL AUDIT
- Growth of the business – e.g., rapid growth, small company to much larger over time; expected growth
- Recognized need given certain events – e.g., fraud; errors due to lack of controls
- Importance of internal controls to the board/leadership
- Structure of the company – e.g., decentralized; geographic footprint; international expansion; etc.
- More attractive to investors – e.g., private equity; banks
- Preparation for IPO
- Recent IPO
- Public company requirements

THE ROLES & FUNCTIONS OF INTERNAL AUDIT

“The role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively.”
Source: Institute of Internal Auditors

The scope of the work of internal audit can encompass many aspects of an organization’s operations and activities.

Internal Audit guidance: Institute of Internal Auditors (IIA) Pages/Standards-and-Guidance-IPPF.aspx

THE ROLES & FUNCTIONS OF INTERNAL AUDIT
- Monitor and assist the Company with Risk Management
- Assist with documentation and development of the Company’s internal control framework
- Monitor/test the effectiveness of the internal control framework (SOX 404 requirement; some testing recommended for all companies)
- Monitor/test the company’s operational processes for compliance, efficiency, safety, etc.

VALUE PROPOSITION – WHY INTERNAL AUDIT?
- Structured approach to assessing and monitoring the Company’s risks
- Heightened awareness of controls and driver of behavior
- Change agent for key processes (operational, financial and compliance)
- Provides visibility of the processes and controls and issues to the Audit Committee
- NYSE listed companies requirement

ESTABLISHING AN INTERNAL AUDIT FUNCTION
STRUCTURE OPTIONS: ADVANTAGES AND DISADVANTAGES

Option A – In-House
- In-depth understanding of the everyday aspects of the Company.
- Recruitment time and effort/tight labor market for experienced IAs.
- Heads of IA commanding basic salary of 200K.
- Senior Executives always have access to the IAD/VP/CAE.
- Requires significant investment to ensure the latest IA methodology and technology.

Option B – Co-Sourced
- Can be less expensive than in-house function and provides access to specialized skill sets from cosource partner.
- Options for degree of outsourcing (extra staff for busy times, specialized expertise, etc.)
- May require an external IA partner to fill skill & resource gaps – e.g., IT & regulatory knowledge.
- Allows for advantages of A (knowledge of Company and Senior Executive access to IAD/VP/CAE) and many advantages of C.

Option C – Outsourced
- Minimal time required to establish IA function.
- Can be most cost effective solution.
- Access to experts in the industry, access to information and trends that a firm understands from having large client base in internal audit.
- May not have access to leader on an everyday basis.
- May be harder for IA leader to stay abreast of changes/events in the Company on a real-time basis.

ESTABLISHING AN INTERNAL AUDIT FUNCTION

Initial Actions:
- Develop IA audit charter & framework
- Agree process to be followed in developing the IA plan
- Decide on extent to which induction sessions will be held to familiarize management with the new IA function
- Agree on a S/T program of interim assignments (before risk assessment is completed)
- Develop risk registers with a view to drafting a more developed one year audit plan for approval by the AC after the risk assessment is finished
- Agree on initial reviews to start about a month after appointment.

Days 1-14: START UP PROCESSES
- Develop IA charter
- Agree reporting lines for IA
- Agree programs, terms of reference, reporting style, etc.

Days 15-28: INITIAL MEETINGS
- With Executive Management team
- With Chair of the Audit Committee
- With key operational staff
- With your external auditors
- Development and agreement of your IA plan

Days 29-42: PLANNING
- Agreement (with relevant individuals) of scope of selected audits
- Approval of scope of work for selected audits and approval of timeline for audits
- Carry out planning stage above for next audits

Days 42-90: REVIEWS
- Selected audit reviews commence
- Draft report issued
- Management responses and final report issued
- Presentation of reports to the Audit Committee

INTERNAL AUDIT REPORTING LINES
[Figure: reporting-lines chart showing the Audit Committee, CEO, CFO and CAO, with functional and administrative reporting lines.]

AUDIT COMMITTEE OVERSIGHT
Audit Committee oversight responsibilities with respect to Internal Audit:
- Review with management and the chief audit executive the charter, plans, activities, staffing, and organizational structure of the internal audit function.
- Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or dismissal of the chief audit executive.
- Review the effectiveness of the IA function, including compliance with The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing.
- On a regular basis, meet separately with the chief audit executive to discuss any matters that the committee or internal audit believes should be discussed privately.
Source: IIA Sample Audit Committee Charter

AUDIT COMMITTEE OVERSIGHT CHECKLIST
- The AC engages in an open, transparent relationship with the chief audit executive (CAE).
- The AC reviews and approves the IA charter annually.
- As a result of discussions with the CAE, the AC has a clear understanding of the strengths and weaknesses of the organization’s internal control and risk management systems.
- IA audit activity is sufficiently resourced with competent, objective IA professionals to carry out the IA plan, which has been reviewed and approved by the AC.
- IA activity is empowered to be independent by its appropriate reporting relationships to executive management and the AC.
- The AC addresses with the CAE all issues related to IA independence and objectivity.
- The IA activity is quality-oriented, and has in place a Quality Assurance and Improvement Plan.
- The AC regularly communicates with the CAE about the performance and improvement of the CAE and the IA activity.
- IA reports are actionable, and audit recommendations and/or other improvements are satisfactorily implemented by management.
- The AC meets periodically with the CAE without the presence of management.
Source: IIA’s “The Audit Committee: Internal Audit Oversight”

KEY SKILLS FOR INTERNAL AUDIT

- Accounting
- Finance
- MIS
- Business Degree usually preferred

Work history can include accounting, operations, finance, internal audit, risk management, public accounting, industry, engineering, etc.

A diverse internal audit group is key to a well rounded group that can assess financial, operational and compliance risks for the company.

1. CPA – Certified Public Accountant
2. CIA – Certified Internal Auditor
3. CISA – Certified Information System Auditor
4. CRMA – Certification in Risk Management Assurance
5. CFE – Certified Fraud Examiner

There are several certifications available, some that are specific to industries, such as government. The above represent some of the most common found in the profession.
Source: IIA’s “The Audit Committee: Internal Audit Oversight”

TECHNOLOGY & TOOLS
IA WORK DASHBOARD - METHODWARE

TECHNOLOGY & TOOLS

Technology Description: Enterprise Risk Assessor (ERA), by Methodware – ERA is a scalable, flexible and cost effective software solution designed to help organizations manage risk-related data and its associated assessment processes and reporting.
Benefits: ERA allows your organization to integrate all common GRC data elements such as risks and controls, related assessments and audits in a central repository. A configurable dashboard displays at-a-glance graphical summaries of your risk and audit information.

Technology Description: Worksite MP – Knowledge database that contains our methodologies and enablers, Process Models and Risk Universe, Leading Practices, professional Standards and Frameworks, such as COSO ERM and COBIT, and Implementation guidance for International Regulations such as SOX, JSOX, and Basel II.
Benefits: This tool provides efficient access to critical knowledge required to bring value to IPG’s overall Risk Management activities. This knowledge will be shared with IPG personnel to assist them in the performance of audits or other work.

Technology Description: Data Analytic Tools – These are transaction monitoring tools used to identify fraud, misuse, errors and controls violations. These tools are routinely used to analyze numeric and non-numeric information, verify calculations and scan for trends and anomalies.
Benefits: These tools facilitate the review of an entire population of data rather than relying on smaller sample sizes. Use of this tool should drive better risk coverage and management insight into critical processes and transaction streams.

Technology Description: Controls Assessment Tools – These tools are used to audit and monitor security and control settings within ERP applications such as Oracle and SAP.
Benefits: These tools facilitate the auditing of ERP systems by providing pre-identified risk and controls specifically related to that system; provide guidance as to which

RISK ASSESSMENT: BUSINESS RISK ASSESSMENT
BUSINESS OBJECTIVES AND GOALS

Gain a firm understanding of management and the Audit Committee’s goals and objectives in achieving success. Gain a firm understanding of the business risks (operational, financial, compliance, information technology and systems, strategic). Includes: direct input from key members of senior administrative officials and the Audit Committee; assessment of governance documentation, key reports and other relevant documentation in order to gain a full understanding of goals and objectives for a clear result.

INTERNAL AUDIT METHODOLOGY: BUSINESS RISK ASSESSMENT

The emergence of risk assessment and risk management in the global marketplace has given rise to several risk and control frameworks. BDO’s methodology has captured valuable and important concepts and principles from several of these frameworks. The following is a graphic of our Business Risk Assessment Methodology:

[Figure: Business Risk Assessment Methodology, with the following elements]
- Understand business goals, objectives, and strategies
- Inventory and assess events, weaknesses, and threats
- Assess business risks
- Evaluate risk strategies and controls
- Evaluate likelihood and impact (i.e. gross and net)
- Execute monitoring strategies: Internal audit, Self assessment
- Assess risk tolerance and risk appetite

Risk Categories: Our approach evaluates all significant processes and sub-processes within finance while considering fraudulent risk.

INTERNAL AUDIT METHODOLOGY: BUSINESS RISK ASSESSMENT
EXHIBIT 4: EXAMPLE OF AN INTERNAL AUDIT SCHEDULE

Columns: #, ENTITY/PROJECT, 2015, 2016, 2017

1. Business Risk Assessment and Audit Planning: 2015 R, 2016 R, 2017 R
2. Assertion Sourcing / Controls Rationalization: 2015 R, 2016 R, 2017 R
3. Packaging Materials Manufacturing: IA
4. Equipment Manufacturing: IA
5. Sales: IA
6. Commissions: IA
7. Transfer Pricing: IA
8. Debt Management: IA
9. Accounts Payable: IA
10. Treasury: IA
11. Vendor Pricing: IA

KEY:
R – Recurring Activity
IA – Internal Audit – Once per three year cycle

INTERNAL AUDIT METHODOLOGY: BUSINESS RISK ASSESSMENT
EXHIBIT 3: EXAMPLE OF AN INTERNAL AUDIT PLAN

Columns: #, PROCESS AREA, PROJECT NAME, BUSINESS IMPACT (INHERENT RISK), LIKELIHOOD/RISK OF PROBABILITY, AUDIT OBJECTIVE, PROJECT DESCRIPTION

AUDIT OBJECTIVE: Ensure the process to collect, monitor, and reply to customer complaints is sufficiently effective to ensure sufficient quality and integrity of customer care.
PROJECT DESCRIPTION: Evaluate the process to collect, monitor, and respond to customer complaints. Evaluate measures to track such issues as timeliness of response, difficulties encountered, and customer feedback.

1 Custo

A listed company may choose to outsource this function to a third party service provider other than its independent auditor. While Section 303A.00 permits certain categories of newly-listed companies to avail themselves of a transition period to comply with the internal audit function requirement, all listed companies must have an internal audit function in place no later than the .