Date post: | 03-Apr-2018 |
Category: |
Documents |
Upload: | georgescala |
7/28/2019 Internal Audit Updates
2012 KPMG Romania S.R.L., a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International),
a Swiss entity. All rights reserved.
Contents
Revision of the International Standards for the Professional Practice of Internal Auditing
Changes to the Certified Internal Auditor (CIA) exam
New IIA exam - Certification in Risk Management Assurance
Updated COSO Internal Control-Integrated Framework
Revision of the International Standards for the Professional Practice of Internal Auditing
Revision process
The International Internal Audit Standards Board (IIASB)
proposed changes to the Standards after consideration of input received from internal auditors and stakeholders, as well as
global surveys and other research focused on the Standards.
The proposed changes to the Standards had a 90-day exposure
(feedback) period from 20 February, 2012 to 20 May, 2012.
The new Standards will be effective on January 1, 2013.
Summary of key changes
Clarify responsibilities for conforming with the Standards
Increased focus on Quality Assurance & Improvement
Clarify the CAE's role to communicate unacceptable risk
Explicitly require timely audit plan adjustments
Emphasize coverage of risks to strategic objectives
Changes to Glossary Terms
Clarify responsibilities for conforming with the Standards
Added the following wording to the Introduction of the Standards:
The Standards apply to individual internal auditors and internal
audit activities.
All internal auditors are accountable for conforming with the
Standards related to individual objectivity, proficiency, and due
professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to the
performance of their job responsibilities.
Chief audit executives are accountable for overall conformance
with the Standards.
Increased focus on Quality Assurance & Improvement
Old version
1312 - External Assessments
External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:
The need for more frequent external assessments; and
The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.
New version
1312 - External Assessments
External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
The form and frequency of external assessments; and
The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
Interpretation:
External assessments can be in the form of a full external assessment, or a self-assessment with independent external validation.
Clarify the CAE's role to communicate unacceptable risk
Old version
2600 - Resolution of Senior Management's Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.
New version
2600 - Communicating the Acceptance of Risks
When the chief audit executive concludes that senior management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
Interpretation:
The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means.
It is not the responsibility of the chief audit executive to resolve the risk.
Explicitly require timely audit plan adjustments
Old version
2010 - Planning
The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consultation with senior management and the board.
New version
2010 - Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board.
The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls.
Emphasize coverage of risks to strategic objectives
2120.A1 Risk Management
The internal audit activity must evaluate risk exposures relating to the organization's governance, operations,
and information systems regarding the:
Achievement of the organization's strategic objectives;
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.
2130.A1 Control
The internal audit activity must evaluate the adequacy and effectiveness of controls responding to risks
within the organization's governance, operations, and information systems regarding the:
Achievement of the organization's strategic objectives;
Reliability and integrity of financial and operational information;
Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, and contracts.
Changes to Glossary Terms
Clarified the definition of Board
A board is an organization's governing body, such as a board of directors, supervisory board, head of an
agency or legislative body, board of governors or trustees of a non-profit organization, or any other
designated body of the organization, including the audit committee to whom the chief audit executive may
functionally report.
The highest level of governing body charged with the responsibility to direct and/or oversee the activities and
management of the organization. Typically, this includes an independent group of directors (e.g., a board of
directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the
board may refer to the head of the organization. Board may refer to an audit committee to which the governing body has delegated certain functions.
New definitions
Engagement Opinion (as noted in Standard 2410 Criteria for communicating)
The rating, conclusion, and/or other description of results of an individual internal audit engagement, relating
to those aspects within the objectives and scope of the engagement.
Overall Opinion (as noted in Standard 2450 Overall Opinions)
The overall ratings, conclusions, or other descriptions of results provided by the chief audit executive
addressing, at a broad level, governance, risk management and control processes of the organization. An
overall opinion is based on the results of a number of individual engagements and other activities for a
specific time interval.
Other minor changes
1311 Internal Assessment
1320 Reporting on the Quality Assurance and Improvement Program
2201 Plan Consideration
2210 Engagement Objectives
2220 Engagement Scope
Updated definition of Control Processes
Deleted the definition of residual risk
Changes to the Certified Internal Auditor (CIA) exam
Overview
In 2011, the IIA conducted a Job Analysis Study (JAS) for the
CIA exam. More than 40,000 internal auditors globally were surveyed on:
knowledge, competency, and skills required by today's
internal auditors;
frequency and importance of tasks performed by internal
auditors.
The Study determined that the body of knowledge related to
the profession of internal auditing has changed since the last
exam content update in 2004, and therefore needs to be
adjusted to reflect changes, such as: environmental and social
safeguards, corporate social responsibility, stakeholder
relationships, etc.
The new exam will be available starting July 1, 2013.
Registrations for the new exam will start on May 1, 2013.
The new CIA exam
What is changing
A new three-part exam structure
Elimination of recognition credit previously applicable to
Part 4
Realignment of the exam content outline and question
count of each part
What is NOT changing
Entry and experience requirements (i.e. 2 years);
CIA exam in other languages: exams in 15 languages are
scheduled to be available starting October 1, 2013 and
January 1, 2014 (no date for Romanian version is available yet)
No changes to other IIA certifications (i.e. CCSA, CGAP,
CFSA)
New content outline
Part 1 - Internal Audit Basics
2.5 hours exam, 125 questions
IIA Mandatory Guidance
Internal Control and Risk
Tools and Techniques for Conducting the Audit Engagement
Part 2 - Internal Audit Practice
2 hours exam, 100 questions
Managing the internal audit function
Managing individual engagements
Fraud risks and controls
New content outline (continued)
Part 3 - Internal Audit Knowledge Elements
2 hours exam, 100 questions
Governance
Risk Management
Organizational Structure and Business Processes
Communication
Leadership
IT/Business Continuity
Financial Management
Global Business Environment
The IIA provides information on its website on the:
Specific content outline for each exam;
Mapping of contents of the 4-part exam to the new 3-part
exam
Reference resources (study materials to be used)
Other considerations
Review materials
According to the IIA, the preparation of review materials is
independent from the exam development process.
The final content outline has been released to the review
providers effective October 10, 2011.
Candidates should check with review providers for updated
materials.
Current candidates
For candidates that did not pass any exams and candidates
that passed part of the exams, the IIA provides a tool that helps
identify their options going forward. The Transition Planning
Tool can be accessed from the IIA's website, under the Certification tab.
Key things to consider:
Four-part exam will end on December 31, 2013 (English
version);
Part 1 and 2 will be recognizable under the new structure.
New IIA exam - Certification in Risk Management Assurance
Overview
What is CRMA
The Certification in Risk Management Assurance (CRMA) is the
newest certification program offered by the IIA. The certification
will assist you in demonstrating the ability to:
Provide assurance on core business processes in risk
management and governance;
Educate management and the audit committee on risk and
risk management concepts;
Focus on strategic organizational risks;
Add value for your organization.
The exam is designed for internal auditors and other individuals
interested in Risk Management Assurance.
Start date
The first exams will be offered beginning July 1, 2013. The
registration for the exam will be available starting May 1, 2013.
The exam will be offered in English.
Requirements
Eligibility requirements
University degree (four years) or two years of University level
education plus three years of professional experience;
Candidates must submit a Character Reference Form signed
by a CIA, CCSA, CFSA, CRMA or the candidate's
supervisor;
24 months of auditing experience or controls-related
business experience.
Continuous Professional Education (CPE) requirements
A CRMA who is practicing risk management assurance must
complete a total of 20 hours of acceptable CPE every year.
A non-practicing CRMA must complete a total of 10 hours of
acceptable CPE every year.
Professional Experience Recognition (PER) Provision
Candidates that meet certain requirements can obtain the
CRMA certification before the exam is offered. The deadline for submitting applications is December 31, 2012.
Process
Candidates will need to submit an application form that provides
detailed information regarding:
Education;
Current certifications held;
Professional experience in CRMA Domains:
Assessing/Assurance of Risk Management Activities;
Risk Management Fundamentals;
Elements of Risk Management;
Control Theory and Application;
Business Objectives and Organizational Performance.
Candidates must obtain a minimum of 155 points on the
application in order to earn the designation prior to the launch of
the CRMA exam.
Additional details can be found on the IIA website, under the
Certification section.
Exam syllabus
CIA Part 1 exam
The candidate must pass Part 1 of the CIA exam. This can be
done before, during, or after completion of the CRMA exam, but
must be completed before the certification is appointed.
CRMA exam
A 2-hour exam consisting of 100 multiple choice questions,
covering four domains:
Organizational governance related to risk management;
Principles of risk management processes;
Assurance role of the Internal Auditor;
Consulting role of the Internal Auditor.
Additional details for each domain and study resources
recommended by the IIA can be found on the IIA website, under
the Certification section.
Updated COSO Internal Control-Integrated Framework
Overview
In November 2010, COSO announced a project to review and update the 1992 Internal Control-Integrated
Framework. COSO's goal in updating the framework is to increase its relevance in the increasingly complex and global business environment.
In addition to updating the Framework, COSO is developing a compendium of approaches and examples
that illustrate how the principles set forth in the Framework can be applied in designing, implementing and
conducting internal control over external financial reporting.
Project timetable
2010 Assess and survey stakeholders
2011 Design and Build
2012 Public exposure and assessment
2013 Issuance of updated guidance
The integrated framework at a glance
The Internal Control-Integrated Framework was published in 1992. It gained wide acceptance
following the financial control failures of the early 2000s.
Major changes
Expands the reporting category of objectives
The financial reporting objective category is expanded to consider other external reporting beyond financial reporting, as well as internal reporting, both financial and non-financial.
Considers different business models and organizational structures
The updated Framework explicitly considers the extended business model, including the responsibilities for
internal control in this model and the achievement of effective internal control.
Major changes (continued)
Enhances governance concepts
The updated publication includes expanded discussion on governance relating to the board of directors and committees of the board, including audit, compensation, nomination/governance committees.
Considers expectations for competencies and accountabilities
Reflects the increased relevance of technology
Enhances consideration of anti-fraud expectations
This updated Framework contains considerably more discussion on fraud and also considers the potential of
fraud as a principle of internal control.
Applies a principles-based approach
The updated Framework focuses greater attention on principles. While the original framework implicitly
reflected the core principles of internal control, the updated version explicitly states the 17 principles, which represent the fundamental concepts associated with the components of internal control.
Major changes - Principles
Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
What is NOT changing
Retains the core definition of internal control
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations,
reporting, and compliance.
Retains the five components of internal control
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities
Retains the requirement of five components for an effective system of internal control
Retains important role of judgment in designing, implementing, and conducting internal control, and
in assessing effectiveness of internal control
Thank You!
Presentation by Georgiana Iancu (Timofte)
Senior Manager, Internal Audit Services, KPMG
Tel. 0743 139 405
The KPMG name, logo and "cutting through complexity" are registered
trademarks or trademarks of KPMG International Cooperative ("KPMG
International").