Has the internal audit function considered all high-risk areas in its risk assessment? Is the risk universe complete? Is the audit plan balanced? Are there emerging areas that the organization has overlooked? The answers to the above questions probably won't be readily apparent without a reliable process in place to evaluate progress. This white paper presents 10 key areas that should assist organizations in their risk assessments and internal audit planning. These areas are:

1. Compliance with The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing (Standards)

The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) are essential in meeting the responsibilities of internal audit functions. Two of the Standards that describe assessment requirements are:

Standard 1311, Internal Assessments
Internal assessments must include:
Ongoing monitoring of the performance of the internal audit activity; and
Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.

Standard 1312, External Assessments
External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

Complying with the Standards helps to ensure that quality is built into the internal audit process and validates the process in place. Toward this end, internal audit needs to communicate the requirements of these Standards to the audit committee.
Protiviti | 2

2. Technology

Is the organization adequately covering all of its technology risks? It is important to review mission-critical applications (e.g., front-end transaction capture, business intelligence and customer interfaces), as well as applications that affect financial reporting (in scope for Sarbanes-Oxley compliance). Key areas to consider are:

a. Governance
The organization should assess whether its information technology governance sustains and supports its strategies and objectives (specified by IIA Standard 2110).

b. Change Control
This includes development, user access testing and access to the production environment.

c. Security and Privacy
Among the covered security and privacy areas are external penetration reviews, networks, applications, the Payment Card Industry Data Security Standard (PCI DSS), and data leakage identification and prevention.

d. Backup and Retention
Does the organization know the location of its critical information? In addition to core systems, does the organization know where else critical and/or sensitive customer, pricing, sales and other data are housed? Has anyone made changes to the IT infrastructure or business applications? If so, it may be time to determine whether critical data is properly stored and backed up, and whether retention mechanisms comprehensively address the ever-changing business needs and IT environment.

e. Spreadsheet Controls
Are spreadsheets used extensively in any of the key processes (e.g., financial or management reports, footnotes, bonus calculations, fixed assets, stock options)? Has internal audit noticed any errors related to spreadsheets (e.g., financial restatements or accounting adjustments)? In such cases, performing a detailed analysis of spreadsheets for logical and/or formula errors is a prudent move.

f. E-Discovery and Records Retention
Does the company have a comprehensive records retention program? Is a litigation readiness and effectiveness program in place? Economic and market constraints increase an organization's exposure to litigation and investigations. By proactively assessing the organization's level of readiness and identifying gaps and areas for improvement, internal audit can potentially save millions of dollars for the organization and help reassure management and the board that exposure to these costly risks has been greatly reduced. A single legal discovery failure can undermine any current cost-saving measures that the company has implemented.

g. Risk Assessments
Does the organization adequately consider technology risk in its annual and project risk assessments? Are there critical technology risks that the organization is not addressing? Having a sufficient understanding of the IT environment and the related risks can help ensure that the internal audit plans are complete.
3. Fraud Risk Assessment

Is the organization addressing fraud and hotline calls adequately and in a timely manner? Has internal audit performed a fraud risk assessment, and is the process sufficient? As part of good governance and a strong control environment, a process should be in place to identify fraud risk, define controls and promptly respond to reported fraud (addresses IIA Standard 2120).

4. Disbursements Analysis and Strategic Sourcing Opportunities Assessment

Is the organization analyzing disbursements data to identify unusual trends and items that warrant follow-up? Duplicate payments, suspicious spending patterns, unusual vendors and missed discount opportunities frequently can be identified through data analysis and may result in monies that can be recovered.

5. Enterprise Risk Management (ERM)

Is internal audit receiving questions from management and the board regarding the ERM process? There is a requirement for increased disclosure regarding the board's role in risk oversight. The process can be difficult to define and begin. Some of the process steps include setting objectives, identifying a sponsor, establishing risk definitions, ranking risks, and assessing related controls and risk mitigation techniques.

6. Enterprise Resource Planning (ERP) Effectiveness

Is the company considering an ERP system implementation, upgrade or enhancement? Is the company realizing the anticipated value from its ERP system? Many organizations are using software vendors to provide integrated, automated and real-time solutions that enable executives to better manage their business. Outsourcing and co-sourcing are viable options for companies needing to maximize their significant software investments through a variety of comprehensive enterprise application services and solutions.

7. Business Continuity Management (BCM)

Does the BCM program address the core components (e.g., crisis management, business resumption and IT disaster recovery) necessary for recovery from a significant business disruption? Is there defined ownership of the organization's BCM program? Are BCM plans exercised on a regular and frequent basis? A well-designed BCM program will help enable a company to better protect its existing assets, as well as ensure successful recovery of critical operations in the event of a disruption to business and technology operations.

8. Sarbanes-Oxley Optimization

Is internal audit over-auditing and testing the same controls that were identified when the organization was first implementing its Sarbanes-Oxley compliance program? If so, the organization may want to re-evaluate which Sarbanes-Oxley risks and controls are reviewed, and consider a control-owner self-assessment, entity-level monitoring controls, and ERP configurable control optimization. The company may derive benefits from reducing the compliance effort or by increasing the external audit's reliance on management's work.

9. Audit Location Selection

Does the organization have multiple audit locations? Does it determine the number of location audits to be performed and then select the locations haphazardly? Is the selection done outside of internal audit's typical annual risk assessment process? Are locations selected solely based on size? Is internal audit able to support and defend its approach? Performing a location risk assessment based on quantitative and qualitative factors may result in a more risk-based, quantifiable and balanced assessment of audit locations.

10. Technology-Enabled Audits and Continuous Monitoring

Are resources insufficient to obtain the audit coverage that internal audit would prefer? Is internal audit sufficiently targeting the transactions that warrant further review, or is it relying on the luck of the draw in its audit sample? Would internal audit like to broaden its number of locations, frequency of coverage and number of transactions? By incorporating the use of the right tools and technology, internal audit can identify key metrics that can be monitored to identify outliers that may indicate risk or the need for additional follow-up. This can help internal audit more efficiently focus limited resources and achieve greater audit coverage.

In Closing

To be thorough in conducting all assessments and completing the internal audit planning process, it is essential to invest sufficient time and allocate the appropriate resources. By integrating ERM, compliance with the aforementioned IIA Standards, BCM and the other discussed key areas with internal audit risk assessments and planning processes, organizations will be better positioned to find satisfactory answers to the questions posed at the beginning of this white paper.

About Protiviti

Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. We help solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Our highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East. Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI).
Founded in 1948, Robert Half International is a member of the S&P 500 index.

About Our Internal Audit and Financial Controls Solution

We work with audit executives, management and audit committees at companies of virtually any size, public or private, to assist them with their internal audit activities. This can include starting and running the activity for them on a fully outsourced basis or working with an existing internal audit function to supplement their team when they lack adequate staff or skills. Protiviti professionals have assisted hundreds of companies in establishing first-year Sarbanes-Oxley compliance programs as well as ongoing compliance. We help organizations transition to a process-based approach for financial control compliance, identifying effective ways to appropriately reduce effort through better risk assessment, scoping and use of technology, thus reducing the cost of compliance. Reporting directly to the board, audit committee or management, as desired, we have completed hundreds of discrete, focused financial and internal control reviews and control investigations, either as part of a formal internal audit activity or apart from it.

One of the key features about Protiviti is that we are not an audit/accounting firm; thus there is never an independence issue in the work we do for clients. Protiviti is able to use all of our consultants to work on internal audit projects; this allows us at any time to bring in our best experts in various functional and process areas. In addition, Protiviti can conduct an independent review of a company's internal audit function; such a review is called for every five years under The IIA's Standards. Among the services we provide are:

Internal Audit Outsourcing and Co-Sourcing
Financial Control and Sarbanes-Oxley Compliance
Internal Audit Quality Assurance Reviews and Transformation
Audit Committee Advisory

For more information about the topics discussed in this white paper and our services, please contact:

David Brand
Managing Director, Internal Audit and Financial Controls
+1.312.476.6401
david.brand@protiviti.com

Scott Graham
Managing Director, Internal Audit and Financial Controls
+1.469.374.2432
scott.graham@protiviti.com

Robert Hirth Jr.
Managing Director, Internal Audit and Financial Controls
+1.415.402.3621
robert.hirth@protiviti.com

Keith Kawashima
Managing Director, Internal Audit and Financial Controls
+1.408.808.3222
keith.kawashima@protiviti.com

Frederick Umbach
Managing Director, Internal Audit and Financial Controls
+1.212.603.8390
frederick.umbach@protiviti.com

2010 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.