Internal audit: Quality and Certification
Yerevan
28 November 2013
Jean-Pierre Garitte, CIA, CCSA, CISA, CFE, RFA
Past Chairman of the Board IIA
Past President ECIIA
Three lines of defense model
[Diagram. Columns: 1st Line of Defense; 2nd Line of Defense; 3rd Line of Defense. Labels: Board of Directors / Audit Committee; Senior Management; Management Controls; Internal Control Measures; Financial Control; Security; Risk Management; Quality; Inspection; Compliance; Internal Audit; External audit / NAO; Regulator.]
JPG Consulting 2
Some critical thoughts
1. Can Senior Management and a Board of Directors or an Audit Committee perform their role without a qualified internal audit function?
2. How do Senior Management and a Board of Directors or the Audit Committee obtain assurance on the performance of the internal audit function?
Internal audit in practice (1)
• Internal audit does not always provide assurance.
• Internal audit does not always provide value-added consulting services.
• Internal audit does not often evaluate the governance processes.
• Internal audit does not often evaluate the risk management processes.
Internal audit in practice (2)
• Internal audit operates as a second line of defense.
• Internal audit acts and is perceived as a compliance function.
• Internal audit inspects branches, stores.
Three lines of defense model
[Diagram. Columns: 1st Line of Defense; 2nd Line of Defense. Labels: Board of Directors / Audit Committee; Senior Management; Management Controls; Internal Control Measures; Internal Audit; Financial Control; Security; Risk Management; Quality; Inspection; Compliance; External audit / NAO; Regulator.]
Perception by stakeholders
• No added value.
• No business partner.
• No alignment with company strategy.
• Fear factor: from errors to punishment.
• No managerial talent.
• No meaningful KPIs.
• Not focused on the proper risks.
Conditions of audit committees
• No proper monitoring of risk management, internal control and internal audit.
• Not always properly staffed.
• Not well prepared.
• No support when needed.
• No voice at the Board.
Conditions of companies
• No risk and control culture.
• No risk ownership.
• No accountability.
• Control is not my business.
• Cost cutting affects control tasks.
The Pursuit of Quality
With so much riding on internal audit, from both a regulatory and a competitiveness standpoint, its optimal functioning becomes a vital concern:
– Every stakeholder, but especially management and the audit committee, relies heavily on internal audit
– How can these parties be sure that the function is up to the task?
The answer comes in the form of quality assessments: an examination of the effectiveness and efficiency of the function.
Quality Assessment Review: IIA Standards Scorecard Example
IIA Attribute Standards (each with a rating)
• 1000 – Purpose, Authority, and Responsibility
• 1100 – Independence and Objectivity
• 1200 – Proficiency and Due Professional Care
• 1300 – Quality Assurance and Improvement Program
IIA Performance Standards (each with a rating)
• 2000 – Managing the Internal Audit Activity
• 2100 – Nature of Work
• 2200 – Engagement Planning
• 2300 – Performing the Engagement
• 2400 – Communicating Results
• 2500 – Monitoring Progress
• 2600 – Resolution of Management’s Acceptance of Risks
Rating legend
• Generally conforms: the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard.
• Partially conforms: the activity is making good-faith efforts to comply with the requirements of the individual Standard.
• Does not conform: the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard.
The Structural elements of an Internal Audit Function
Headings in the table: Planning; Human Resources; Information Technology; Supporting Processes; Production Processes; Activity organization and management; Performance; Communication and reports.
Elements listed in the table:
• Vision, values, & strategic objectives
• Constitution of a team of experts
• Electronic management system of work files
• Mapping of company risks
• Collaboration with the audited entity
• Structure and organisation (Processes / Methods)
• Recruitment
• Specific applications and technologies
• Knowledge of internal audit clients' expectations
• Needs for expertise evaluation and responses to main issues
• Communication / Reporting to audited entities
• Resource management
• Training and personal development
• Internal audit plan
• Follow up
• Communication / Reporting to management
• Activity measurement
• Internal communication
• Work Program
• Communication / Reporting to audit committee
• Individual evaluations
• Tests and analysis
• Communication with external auditors and other control entities
• Work documentation
• Engagement supervision
• Internal audit clients' satisfaction measurement
• Remuneration
• Database of best practices
• Information on objectives and expectations for each mission
• Coordination with external auditors and other control entities
• Resources assignment
The structural elements in a shaded color frame appear in the IIA (Institute of Internal Auditors) professional standards.
Rating legend: Need for improvement; Perfectible / Room for improvement; Satisfying; Not applicable; Out of scope.
Key Performance Indicators (1/2)
Example of KPIs
Dimension: Audit Committee and Executive Management
• AC/EM survey rating
• Materiality level of audit findings
• Percentage of unsatisfactory ratings
• Number of frauds per annum and value of frauds
• Number of complaints from regulatory bodies
• Number of auditors per 1000 employees
• Percentage of audit universe covered per year
Dimension: Audit Clients
• Satisfaction survey rating
• Percentage of subject matters in the audit plan identified by the business lines
• Percentage of unsatisfactory rating/compliance
• Percentage of issues open/closed/past due per business line
• Number of best practices identified in the business line
• Percentage of recommendations accepted/refused
• Number of repeat findings
• Number of requests by local management for audit support
• Average response time to management requests for support
Dimension: Audit Processes
• Percentage of audits performed versus plan
• Percentage of time spent on automated/manual controls
• Average number of SAP standard queries used per audit
• Mean time from closing meeting to report issuance
• Percentage of annual audit costs versus annual budget
Key Performance Indicators (2/2)
Example of KPIs
Dimension: Innovation and Capabilities
• Percentage of auditors with university degrees
• Percentage of auditors with economic/engineering/mathematics/etc. education
• Number of years of relevant business experience
• Number of years of audit experience
• Percentage of certified auditors
• Percentage of planned/unplanned staff turnover per year
• Percentage of planned leavers being promoted in the organization
• Audit group rating by staff members
• Number of training hours per auditor and year
• Percentage of auditors rated per year
• Percentage of auditors with rating above/below expectations
• Average peer review rating (quality rating given by peer reviewer to a specific file)
Dimension: Internal Stakeholders
• Number of ERM steering committee and work group meetings
• Number of significant initiatives developed/implemented
• Number of audit subjects within the internal audit plan coming from the external auditors
• Number of external audit hours saved and effectiveness enhanced as a result of internal audit initiatives
• Number of audit subjects within the external audit plan coming from IA
Efforts by the CAE (1)
• Internal audit should be an agent for change:
– Change the risk and control culture of your organization.
– Coordinate risk management activities.
– Develop an assurance map for your organization.
Efforts by the CAE (2)
• Focus on the areas that need to be audited, not what is easy to audit.
• Provide assurance on major risks.
• Audit the second lines of defense and, if OK, rely on the results of their work.
• Do not duplicate second line of defense activities.
Efforts by the CAE (3)
• Develop a comprehensive audit universe.
• Assess the risks on a periodic basis.
• Do not adhere to your audit plan in a rigid way.
• Develop metrics that are relevant for your stakeholders.
Efforts by the CAE (4)
• Write reports with impact.
• Do not focus on problems, but offer solutions.
• Solutions should not be academic but rather pragmatic.
• Listen to your stakeholders.
Why does internal audit need certification?
• We are a self-regulated profession
Certified Internal Auditor
• The only globally accepted certification for internal auditors.
• The global standard by which individuals demonstrate their competency and professionalism in the internal auditing field.
• Program launched in 1973.
• Exam consists of 3 parts.
• Computer-based testing.
Certified Internal Auditor
Exam Syllabus
Part 1 – Internal Audit Basics
125 questions | 2.5 hours (150 minutes)
Topics tested:
• aspects of mandatory guidance from the IPPF;
• internal control and risk concepts;
• tools and techniques for conducting internal audit engagements.
Most items tested at the Proficiency knowledge level.
Certified Internal Auditor
Exam Syllabus (continued)
Part 2 – Internal Audit Practice
100 questions | 2.0 hours (120 minutes)
Topics tested:
• managing the internal audit function;
• establishing a risk-based plan;
• managing individual engagements;
• fraud risks and controls.
Most items tested at the Proficiency knowledge level.
Certified Internal Auditor
Exam Syllabus (continued)
Part 3 – Internal Audit Knowledge Elements
100 questions | 2.0 hours (120 minutes)
Topics tested:
• governance and business ethics;
• risk management;
• organizational structure, including business processes and risks;
• communication;
• management and leadership principles;
• information technology and business continuity;
• financial management;
• global business environment.
Most items tested at the Awareness knowledge level.
Certified Internal Auditor
Eligibility Requirements
• Education: Bachelor’s degree (4 years)
– Alternative 1: 2 years post-secondary education and 5 years verified experience
– Alternative 2: 7 years verified experience
• Work experience: 2 years of internal audit experience (1 year for Master’s degree)
• Character Reference
• Code of Ethics
Certified Government Auditing Professional
• Designed especially for auditors working in the public sector at all levels: national and local governments, state owned companies.
• Exam consists of 1 part.
• Computer-based testing.
Certified Government Auditing Professional Exam Syllabus
115 questions | 2 hours and 55 minutes (175 minutes)
The exam covers 4 domains:
• standards, governance and risk / control frameworks;
• government auditing practice;
• government auditing skills and techniques;
• government auditing environment.
Items tested at the Awareness and/or Proficiency knowledge level.
Certified Financial Services Auditor
• Specialty certification for audit professionals working in banking institutions, savings and loan organizations, credit unions, insurance companies, security and commodity services, holding and investment companies, credit agencies, financial services regulatory agencies, and other financial services organizations.
• Exam consists of 1 part.
• Computer-based testing.
Certified Financial Services Auditor Exam Syllabus
115 questions | 2 hours and 55 minutes (175 minutes)
• 80% of the exam covers all three disciplines (banking, insurance and securities) in 4 core domains.
• The remaining 20% relate to the candidate’s chosen discipline and will be at the proficiency level.
Items tested at the Awareness and/or Proficiency knowledge level.
Certification in Control Self-Assessment
• The CCSA exam tests the understanding of important control self-assessment fundamentals, processes, and related topics such as risk, controls, and business objectives.
• Exam consists of 1 part.
• Computer-based testing.
Certification in Control Self-Assessment
Exam Syllabus
115 questions | 2 hours and 55 minutes (175 minutes)
The CCSA exam content covers six domains:
• CSA fundamentals (5-10 percent)
• CSA program integration (15-25 percent)
• Elements of the CSA process (15-25 percent)
• Business objectives/Organizational performance (10-15 percent)
• Risk identification and assessment (15-20 percent)
• Control theory and application (20-25 percent)
Items tested at the Awareness and/or Proficiency knowledge level.
Certification in Risk Management Assurance
• The IIA developed the CRMA designation to respond to stakeholders’ demand for advice and assurance on risk management to audit committees and executive management.
• Exam consists of 1 part.
• Computer-based testing.
Certification in Risk Management Assurance
Exam Syllabus
100 questions | 2 hours (120 minutes)
The CRMA exam includes two sections: Part 1 of the CIA exam and a separate CRMA exam, which covers four domains:
• Organizational governance related to risk management (25-30%)
• Principles of risk management processes (25-30%)
• Assurance role of the Internal Auditor (20-25%)
• Consulting role of the Internal Auditor (20-25%)
Items tested at the Proficiency knowledge level.
Why should you be certified?
• Increase your value to management
• Demonstrate your competence
• Enhance your professional image
• A prestigious credential for the employment market
• Recognition by management and peers
• Personal satisfaction