290 likes | 408 Views
Developing a Successful Integrated Audit Approach September 14, 2010. Topics. Introduction and Perspectives An Integrated Audit Methodology. Developing a Successful Integrated Audit Approach. Introduction and perspectives. Defining Integrated Auditing.
E N D
Developing a Successful Integrated Audit ApproachSeptember 14, 2010
Topics • Introduction and Perspectives • An Integrated Audit Methodology
Developing a Successful Integrated Audit Approach Introduction and perspectives
Defining Integrated Auditing • An audit approach that takes into consideration key areas of risk regardless of type, such as: • Operations • Finance and accounting, including fraud • Information technology and security • Regulatory/compliance • Other, tailored to the business
Benefits • Audit efficiencies • Comprehensive view of an auditable entity • Consolidated report covering key areas – fewer audits per entity • Enhanced stakeholder perceptions of audit coverage • Improved auditor morale • Accelerated auditor talent • Focused leverage of business knowledge and collaboration across the audit team
Challenges • People • Expanding auditor skill sets to cover all areas while retaining benefits of subject matter expertise • Helping auditors with different skills communicate and find better ways to work together • Ensuring coverage is “just right” • Broad enough to cover the key risk areas • Deep enough where necessary • Organized sufficiently to avoid “spin-off” audits
Prerequisites to an Integrated Approach • Perspective • Management: operational understanding • Auditor: process, risk and controls • Core audit skills – the raw materials translate easily! • Understand/document any process • Recognize risk where it exists • Translate across multiple disciplines • IIA body of knowledge • CIA’s are well positioned to help drive an integrated approach
Critical Success Factors • Solid enterprise-level and engagement-level risk assessment processes • Scope • Top-down, bottom-up, aligned with the business • Includes • Material financial exposure • Possible reputational harm • Emerging risks and changes • Management’s operational concerns • Helps us say “yes, we looked at that”
Developing a Successful Integrated Audit Approach An Integrated audit methodology
Integrated Audit Methodology(ies!) • There are diverse schools of thought, methodologies, and approaches to integrated auditing – why so many? • Diversity in business – a desire for a tailored approach and a search for the “one best way” • Variability in what one believes should be integrated – people, process, technology or parts thereof • Differences in viewpoint taken: auditor or management • Inherent need for subject matter expertise • Timing and logistics for getting audits done
Integrating People • Ensure the integrated audit team is working together – not just sitting in the same room • Offer tools to help • Formally documented methodology • A layered, multi-disciplined perspective with a common language • Recognize auditor common ground • Risk, control, and process orientation • Control assertions
Integrating Process Occurrence Authorization All Reconciliation Authorization Input Output $ Database System Occurrence Completeness Accuracy Recording Confidentiality Availability Integrity Custody Other Areas to Overlay: Operational efficiencies, including technology aspects Regulatory/compliance considerations Fraud risk considerations
Aligning Control Assertions Financial Auditors: • Financial statement assertions on transactions • Occurrence • Completeness • Accuracy • Authorization • Cutoff • Classification IT Auditors: • Information security components • Confidentiality • Availability • Integrity
Integrating People and Process • Training for everyone • Get everyone talking and involved in planning/risk assessment • Drive efficiencies • Map in-scope risks to key controls in common across all areas • Drive efficiencies with audit coverage (SOX, SAS 70) • During fieldwork • Assign testing based on expertise • Establish periodic checkpoints within the team and an end-to-end quality review process
Subject Matter Experts Question: When is the right time to get subject matter experts involved? • During fieldwork when the team gets in a bind • During the report writing phase when a question leads to an area that should have been looked at more closely • Engagement-level planning and risk assessment
Developing a Successful Integrated Audit Approach Integrating the audit approach and risk assessment
Risk Assessment Enterprise-Level Risk Assessment • Process to determine the audit plan Integrated Audit Considerations Engagement-Level Risk Assessment • Process to determine the scope of a specific audit Integrated Audit Considerations Integrated Audit Considerations
Enterprise-Level Risk Assessment Best Practice: Align coverage with corporate strategy Best Practice Enterprise-Level Risk Assessment
Identify the Audit Universe • Auditable Entity: • A discrete unit or process • Horizontal coverage is more efficient • Level of aggregation is key Layers Where Controls Reside:
Assess Risk – Bottom Up • Traditional Quantitative Approach
Assess Risk – Bottom Up • Qualitative Map to ERM
Engagement Level Risk Assessment • Aggregation of cumulative knowledge about the entity • Integrated view • Links to ERM • Don’t forget consideration of fraud risk I=Inherent Risk: Risk before consideration of controls. R=Residual Risk: Risk after consideration of controls, e.g. prior audit results and remediation or other issues identified.
Takeaways • Ground integrated auditing in solid risk assessment from the beginning • Resolve the auditor SME communication barrier once and for all • Expect efficiencies • Leverage existing core auditor skills as place to start • Align with operations to drive the most value
Developing a Successful Integrated Audit Approach Questions?
Contact Information • Kim Furlin • 904 357 1611 • kim.furlin@fisglobal.com