
Internal Audit Updates

Date post: 03-Apr-2018
Upload: georgescala
  • 7/28/2019 Internal Audit Updates


    2012 KPMG Romania S.R.L., a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.


    Contents

    Revision of the International Standards for the Professional Practice of Internal Auditing

    Changes to the Certified Internal Auditor (CIA) exam

    New IIA exam - Certification in Risk Management Assurance

    Updated COSO Internal Control-Integrated Framework


    Revision of the International Standards for the Professional Practice of Internal Auditing


    Revision process

    The International Internal Audit Standards Board (IIASB) proposed changes to the Standards after consideration of input received from internal auditors and stakeholders, as well as global surveys and other research focused on the Standards.

    The proposed changes to the Standards had a 90-day exposure (feedback) period from 20 February, 2012 to 20 May, 2012.

    The new Standards will be effective on January 1, 2013.


    Summary of key changes

    Clarify responsibilities for conforming with the Standards

    Increased focus on Quality Assurance & Improvement

    Clarify the CAE's role to communicate unacceptable risk

    Explicitly require timely audit plan adjustments

    Emphasize coverage of risks to strategic objectives

    Changes to Glossary Terms


    Clarify responsibilities for conforming with the Standards

    Added the following wording to the Introduction of the Standards:

    The Standards apply to individual internal auditors and internal audit activities.

    All internal auditors are accountable for conforming with the Standards related to individual objectivity, proficiency, and due professional care. In addition, internal auditors are accountable for conforming with the Standards, which are relevant to the performance of their job responsibilities.

    Chief audit executives are accountable for overall conformance with the Standards.


    Increased focus on Quality Assurance & Improvement

    Old version

    1312 - External Assessments

    External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:

    The need for more frequent external assessments; and

    The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.

    New version

    1312 - External Assessments

    External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:

    The form and frequency of external assessments; and

    The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

    Interpretation:

    External assessments can be in the form of a full external assessment, or a self-assessment with independent external validation.


    Clarify the CAE's role to communicate unacceptable risk

    Old version

    2600 - Resolution of Senior Management's Acceptance of Risks

    When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.

    New version

    2600 - Communicating the Acceptance of Risks

    When the chief audit executive concludes that senior management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

    Interpretation:

    The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means.

    It is not the responsibility of the chief audit executive to resolve the risk.


    Explicitly require timely audit plan adjustments

    Old version

    2010 - Planning

    The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.

    Interpretation:

    The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consultation with senior management and the board.

    New version

    2010 - Planning

    The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.

    Interpretation:

    The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board.

    The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls.


    Emphasize coverage of risks to strategic objectives

    2120.A1 - Risk Management

    The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

    Achievement of the organization's strategic objectives;

    Reliability and integrity of financial and operational information;

    Effectiveness and efficiency of operations and programs;

    Safeguarding of assets; and

    Compliance with laws, regulations, policies, procedures, and contracts.

    2130.A1 - Control

    The internal audit activity must evaluate the adequacy and effectiveness of controls responding to risks within the organization's governance, operations, and information systems regarding the:

    Achievement of the organization's strategic objectives;

    Reliability and integrity of financial and operational information;

    Effectiveness and efficiency of operations and programs;

    Safeguarding of assets; and

    Compliance with laws, regulations, policies, procedures, and contracts.


    Changes to Glossary Terms

    Clarified the definition of Board

    A board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non-profit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.

    The highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the board may refer to the head of the organization. Board may refer to an audit committee to which the governing body has delegated certain functions.

    New definitions

    Engagement Opinion (as noted in Standard 2410 - Criteria for communicating)

    The rating, conclusion, and/or other description of results of an individual internal audit engagement, relating to those aspects within the objectives and scope of the engagement.

    Overall Opinion (as noted in Standard 2450 - Overall Opinions)

    The overall ratings, conclusions, or other descriptions of results provided by the chief audit executive addressing, at a broad level, governance, risk management and control processes of the organization. An overall opinion is based on the results of a number of individual engagements and other activities for a specific time interval.


    Other minor changes

    1311 - Internal Assessment

    1320 - Reporting on the Quality Assurance and Improvement Program

    2201 - Plan Consideration

    2210 - Engagement Objectives

    2220 - Engagement Scope

    Updated definition of Control Processes

    Deleted the definition of residual risk


    Changes to the Certified Internal Auditor (CIA) exam


    Overview

    In 2011, the IIA conducted a Job Analysis Study (JAS) for the CIA exam. More than 40,000 internal auditors globally were surveyed on:

    knowledge, competency, and skills required by today's internal auditors;

    frequency and importance of tasks performed by internal auditors.

    The Study determined that the body of knowledge related to the profession of internal auditing has changed since the last exam content update in 2004, and therefore needs to be adjusted to reflect changes, such as: environmental and social safeguards, corporate social responsibility, stakeholder relationships, etc.

    The new exam will be available starting July 1, 2013.

    Registrations for the new exam will start on May 1, 2013.


    The new CIA exam

    What is changing

    A new three-part exam structure

    Elimination of recognition credit previously applicable to Part 4

    Realignment of the exam content outline and question count of each part

    What is NOT changing

    Entry and experience requirements (i.e. 2 years);

    CIA exam in other languages: exams in 15 languages are scheduled to be available starting October 1, 2013 and January 1, 2014 (no date for Romanian version is available yet)

    No changes to other IIA certifications (i.e. CCSA, CGAP, CFSA)


    New content outline

    Part 1 - Internal Audit Basics

    2.5 hours exam - 125 questions

    IIA Mandatory Guidance

    Internal Control and Risk

    Tools and Techniques for Conducting the Audit Engagement

    Part 2 - Internal Audit Practice

    2 hours exam - 100 questions

    Managing the internal audit function

    Managing individual engagements

    Fraud risks and controls


    New content outline (continued)

    Part 3 - Internal Audit Knowledge Elements

    2 hours exam - 100 questions

    Governance

    Risk Management

    Organizational Structure and Business Processes

    Communication

    Leadership

    IT/Business Continuity

    Financial Management

    Global Business Environment

    The IIA provides information on its website on the:

    Specific content outline for each exam;

    Mapping of contents of the 4-part exam to the new 3-part exam

    Reference resources (study materials to be used)


    Other considerations

    Review materials

    According to the IIA, the preparation of review materials is independent from the exam development process.

    The final content outline has been released to the review providers effective October 10, 2011.

    Candidates should check with review providers for updated materials.

    Current candidates

    For candidates that did not pass any exams and candidates that passed part of the exams, the IIA provides a tool that helps identify their options going forward. The Transition Planning Tool can be accessed from IIA's website, under the Certification tab.

    Key things to consider:

    Four part exam will end on December 31, 2013 (English version);

    Part 1 and 2 will be recognizable under the new structure.


    New IIA exam - Certification in Risk Management Assurance


    Overview

    What is CRMA

    The Certification in Risk Management Assurance (CRMA) is the newest certification program offered by the IIA. The certification will assist you in demonstrating the ability to:

    Provide assurance on core business processes in risk management and governance;

    Educate management and the audit committee on risk and risk management concepts;

    Focus on strategic organizational risks;

    Add value for your organization.

    The exam is designed for internal auditors and other individuals interested in Risk Management Assurance.

    Start date

    The first exams will be offered beginning July 1, 2013. The registration for the exam will be available starting May 1, 2013.

    The exam will be offered in English.


    Requirements

    Eligibility requirements

    University degree (four years) or two years of University level education plus three years of professional experience;

    Candidates must submit a Character Reference Form signed by a CIA, CCSA, CFSA, CRMA or the candidate's supervisor;

    24 months of auditing experience or controls-related business experience.

    Continuous Professional Education (CPE) requirements

    A CRMA who is practicing risk management assurance must complete a total of 20 hours of acceptable CPE every year.

    A non-practicing CRMA must complete a total of 10 hours of acceptable CPE every year.


    Professional Experience Recognition (PER) Provision

    Candidates that meet certain requirements can obtain the CRMA certification before the exam is offered. The deadline for submitting applications is December 31, 2012.

    Process

    Candidates will need to submit an application form that provides detailed information regarding:

    Education;

    Current certifications held;

    Professional experience in CRMA Domains:

    Assessing/Assurance of Risk Management Activities;

    Risk Management Fundamentals;

    Elements of Risk Management;

    Control Theory and Application;

    Business Objectives and Organizational Performance.

    Candidates must obtain a minimum of 155 points on the application in order to earn the designation prior to the launch of the CRMA exam.

    Additional details can be found on the IIA website, under the Certification section.


    Exam syllabus

    CIA Part 1 exam

    The candidate must pass Part 1 of the CIA exam. This can be done before, during, or after completion of the CRMA exam, but must be completed before the certification is appointed.

    CRMA exam

    A 2 hour exam consisting of 100 multiple choice questions, covering four domains:

    Organizational governance related to risk management;

    Principles of risk management processes;

    Assurance role of the Internal Auditor;

    Consulting role of the Internal Auditor.

    Additional details for each domain and study resources recommended by the IIA can be found on the IIA website, under the Certification section.


    Updated COSO Internal Control-Integrated Framework


    Overview

    In November 2010, COSO announced a project to review and update the 1992 Internal Control-Integrated Framework. COSO's goal in updating the framework is to increase its relevance in the increasingly complex and global business environment.

    In addition to updating the Framework, COSO is developing a compendium of approaches and examples that illustrate how the principles set forth in the Framework can be applied in designing, implementing and conducting internal control over external financial reporting.

    Project timetable

    2010 - Assess and survey stakeholders

    2011 - Design and Build

    2012 - Public exposure and assessment

    2013 - Issuance of updated guidance


    The integrated framework at a glance

    The Internal Control-Integrated Framework was published in 1992. It gained wide acceptance following the financial control failures of the early 2000s.


    Major changes

    Expands the reporting category of objectives

    The financial reporting objective category is expanded to consider other external reporting beyond financial reporting, as well as internal reporting, both financial and non-financial.

    Considers different business models and organizational structures

    The updated Framework explicitly considers the extended business model, including the responsibilities for internal control in this model and the achievement of effective internal control.


    Major changes (continued)

    Enhances governance concepts

    The updated publication includes expanded discussion on governance relating to the board of directors and committees of the board, including audit, compensation, nomination/governance committees.

    Considers expectations for competencies and accountabilities

    Reflects the increased relevance of technology

    Enhances consideration of anti-fraud expectations

    This updated Framework contains considerably more discussion on fraud and also considers the potential of fraud as a principle of internal control.

    Applies a principles-based approach

    The updated Framework focuses greater attention on principles. While the original framework implicitly reflected the core principles of internal control, the updated version explicitly states the 17 principles, which represent the fundamental concepts associated with the components of internal control.


    Major changes - Principles

    Control environment

    1. Demonstrates commitment to integrity and ethical values
    2. Exercises oversight responsibility
    3. Establishes structure, authority and responsibility
    4. Demonstrates commitment to competence
    5. Enforces accountability

    Risk assessment

    6. Specifies suitable objectives
    7. Identifies and analyzes risk
    8. Assesses fraud risk
    9. Identifies and analyzes significant change

    Control activities

    10. Selects and develops control activities
    11. Selects and develops general controls over technology
    12. Deploys through policies and procedures

    Information and Communication

    13. Uses relevant information
    14. Communicates internally
    15. Communicates externally

    Monitoring activities

    16. Conducts ongoing and/or separate evaluations
    17. Evaluates and communicates deficiencies


    What is NOT changing

    Retains the core definition of internal control

    Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

    Retains the five components of internal control

    Control Environment

    Risk Assessment

    Control Activities

    Information & Communication

    Monitoring Activities

    Retains the requirement of five components for an effective system of internal control

    Retains important role of judgment in designing, implementing, and conducting internal control, and in assessing effectiveness of internal control


    Thank You!

    Presentation by Georgiana Iancu (Timofte)

    Senior Manager, Internal Audit Services, KPMG


    Tel. 0743 139 405


    The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").

