
Internal Audit: Risk Assessment, Documentation & Fieldwork

NTGC/R Fall 2013 Conference. Ryan Santacruz, San Manuel Tribal Gaming Commission.


Presentation Transcript


  1. Internal Audit: Risk Assessment, Documentation & Fieldwork NTGC/R Fall 2013 Conference Ryan Santacruz, San Manuel Tribal Gaming Commission

  2. Goals • Share my background and tell you about the SMTGC • Consider IIA Standards • Share best practices • Collaborate - Learn through sharing!

  3. About me • GAAP Specialist/Financial Auditor, Compliance Department, San Manuel Tribal Gaming Commission • 2nd Vice President, IIA Inland Empire Chapter • First time at NTGC/R • 2008 - Started in Indian gaming • Credentials: • B.A., Economics - 2007 • CIA - 2010 • MBA - 2012

  4. About you • What’s your name? • Where do you work? • What do you do there? • How long have you been in gaming?

  5. About San Manuel • 1891 - San Manuel Reservation established, home to the Yuhaviatam Clan of the Serrano Indians • 1986 - San Manuel Indian Bingo and Casino opened

  6. About San Manuel • 1891 - San Manuel Reservation established, home to the Yuhaviatam Clan of the Serrano Indians. • 1986 - San Manuel Indian Bingo and Casino opened • Southern California mid-way between Los Angeles and Palm Springs, closest Vegas-style casino to Los Angeles • 2013 - More than 3,500 employees • Draws approximately 2.2 million visitors every year • Over 3,000 slot machines, dozens of table and poker tables, 2,500 seat bingo hall 6 nights/wk

  7. About the San Manuel Tribal Gaming Commission • Gaming Commissioner, Norm DesRosiers and Deputy Commissioner, John Roberts • Licensing, compliance, surveillance, and administrative functions • Audit department under compliance, which also handles inspections, P&Ps, promotions, and technical compliance • Audit staff of 10, including audit supervisor, IT Auditors, Auditors • Audit TICS (based on NIGC MICS), GCRs, Compact, Tribal Gaming Act, as requested

  8. The Institute of Internal Auditors • Established 1941 • 180,000 members globally; 70,000 members in North America in 160 chapters • Mission is to provide dynamic leadership for the global profession of internal auditing by: • Advocating and promoting the value of IA • Providing education and development, standards and professional practice guidance, and certification programs • Researching and promoting knowledge • Educating on IA best practices • Bringing people together to share information and experiences.

  9. IIA Standards • The purpose of the Standards is to: • 1. Set basic principles • 2. Framework for IA • 3. Establish basis for IA evaluation • 4. Foster improved organizational processes and operations • The Standards are principles-focused, mandatory requirements consisting of: • Statements of basic requirements • Interpretations, which clarify terms or concepts within the Statements

  10. IIA STANDARDS USE • 2010 IIA Research Foundation Global Internal Audit Survey with 13,582 respondents from 107 countries. (From “Core Competencies for Today’s Internal Auditor – Report II”)

  11. COSO Internal Control Framework • IA evaluates internal controls • Internal control is: • A process • Effected by people • Used to provide reasonable assurance • Geared toward the achievement of objectives

  12. COSO Internal Control Framework

  13. RISK ANALYSIS

  14. RISK ANALYSIS

  15. Risk • Inherent Risk: • “Natural” risk involved in the nature of the business or transaction ignoring internal controls in place • Gaming-specific risks • Control Risk: • Risk of failure of internal control mechanism to detect and correct or prevent • Since internal controls help mitigate inherent risk, consider their strength when assessing control risk

  16. Risk • Residual Risk • Risk that remains after all efforts have been made to mitigate or eliminate known risks associated with a business process • Known but not completely controllable, or unknown • Detection Risk • Risk that audit procedures may fail to detect existence of a material error or fraud • Major elements of detection risk

  17. Risk Assessment Standards • 2010 – Planning • The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. • Interpretation: The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consultation with senior management and the board.

  18. Risk Assessment Standards (Cont’d) • 2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. • 2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions. • 2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.

  19. Risk Assessment • Goal: linking risk to budget • Focus on key risks • Audit “investment” and “payoff” • Assignment basis (quantitative vs. qualitative) • Documentation • Reasonableness • “Living” document

  20. Fieldwork • Review supporting documentation • Interview department personnel • Perform analyses • Identify exceptions, recommendations for improvement • Prepare written audit comments (i.e., findings) • Department provides written response and corrective action plan for findings

  21. Fieldwork • Audit program • Approach/Tone in interviews • Challenge the status quo! • Sampling methodology and documentation • Look across the organization and identify opportunities and good practice • Be a catalyst for change • Bring people together

  22. Documentation Standards • 2330 – Documenting Information – Internal auditors must document relevant information to support the conclusions and engagement results. • 2330.A1 – The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

  23. Documentation Standards (Cont’d) • 2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements. • 2330.C1 – The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

  24. Documentation • Audit WPs show that the audit was: • Properly planned • Carried out • Performed with adequate supervision • Reviewed appropriately • WPs evidence must be sufficient and appropriate to support the audit opinion!

  25. Documentation • What is documentation? • Needed to enable an experienced auditor to understand the work performed and conclusions reached • May be paper or on electronic or other media. • Formatting/layout, ease of use/readability • Does it make sense? • Free of subjectivity • Using words like “all”, “some”, “none”, “never”, etc.

  26. Documentation • Principal support for the auditor’s report that the auditor performed the audit in accordance with GAAS, internal P&Ps, regulations, etc. • Provides a clear understanding of work performed, audit evidence obtained, and conclusions reached • Use to evaluate effectiveness of staff • Training, monitoring, coaching • Essential element of audit quality

  27. Documentation at SMTGC • Separate WP summary sheet for each TICS • Similar sections may be combined • Consistent formatting with space for: • Evidence of review and approval • Purpose • Scope • Procedure Review, Interviews, Observations, Documentation Review, Prior Audit Review • Conclusion

  28. Conclusion • IIA Standards • Risk Assessment • Fieldwork • Documentation

  29. Questions/Comments? My Contact Info: Ryan Santacruz Email: rsantacruz@sanmanuel.com Phone: (909) 863-2150 x. 5543 LinkedIn
