Metodologie, tecniche e pratiche di Audit

Auditing Executive Compensation and Benefits

Auditing the structure and operation of Executive Compensation and Benefits (ECB) programs is a legitimate and appropriate role for internal auditing. If a risk assessment indicates a review is warranted, the Chief Audit Executive (CAE) should add ECB to the audit plan, which the board will review and approve. Internal auditing will choose the audit approach and design risk-based audit procedures. This Practice Guide provides discussions relating to such an audit and includes several considerations that may be relevant to an organization’s business activities or risk profile.Strong governance systems are needed for ECB programs, as management often is in the position of both designing and recommending its own compensation. There are several specific risks internal auditors should consider, including employment market, compliance, financial reporting, reputation, operating, and external business relationship risks. ECB programs also are subject to fraud risk.Due to the sensitive nature of this area, internal auditing must have an appropriate audit approach and access to the necessary information. While there can be obstacles to obtaining this information, internal audit needs to proceed in accordance with its charter.The audit scope could include a focus on the board, management, and extended business relationships. There are a number of unique aspects in audits of each of these areas of focus which should be considered before performing audit work.This guide will assist internal auditors with an explanation of the audit approach, audit considerations such as access to information and privileged communications, as well as the skills and knowledge necessary to serve on the audit team. A section on audit program development includes various concepts, potential tests, and questions to help auditors create an audit program. The appendix provides definitions relative to various types of compensation and benefits.ECB programs have risks that require effective board governance and management processes. Internal auditors have an important role in providing assurance that appropriate and effective controls are in place around ECB programs.

Internal Auditing and Fraud

This guide discusses fraud and provides general guidance to help internal auditors comply with professional standards. Because fraud negatively impacts organizations in many ways — financially, reputational, and through psychological and social implications — it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify risks within the organization. To help organizations and internal auditors combat fraud, the guide discusses:

• Fraud awareness (e.g., reasons and examples for fraud and potential fraud indicators).
• Fraud roles and responsibilities.
• Internal audit responsibilities during audit engagements (e.g., execution responsibilities and communicating with the board).
• Fraud risk assessment (e.g., identifying relevant fraud risk factors and mapping existing controls to potential fraud schemes and identifying gaps).
• Fraud prevention and detection.
• Fraud investigation.
• Forming an opinion on internal controls related to fraud.

The guide also includes reference material, questions to consider, and a fraud risk assessment template.
Applicability

This may be applicable to and useful for:

• Chief Audit Executives (CAEs).
• Boards.
• Executive and operating management.
• Other assurance providers (OAPs).
• Other professional regulatory bodies.

 

Auditing External Business Relationships

This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.

When contemplating the internal audit activity's EBR responsibilities, consider the following:

• Organizations have multiple EBRs that satisfy a variety of business needs.
• Each relationship presents risks.
• It is management’s responsibility to manage these risks and realize the benefits.
• Internal auditing plays a key role in assisting management and validating management’s efforts.

Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits like enhancing revenues through licensing and distribution arrangements, reducing costs in areas of an organization’s that are outside of its core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also comes inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risks for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks.

Organizations’ managements are responsible for managing and monitoring their EBRs and related risks. While entering into a business relationship allows an organization to create benefits and share some risk with the EBR, the organization still retains ultimate responsibility and accountability over a number of risks. Not all risks can be relegated to the business partner. The organization needs to monitor and manage these risks.

The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, as well as have inefficient operations, misreporting, and even damaged brand, in addition to impacted business relationships.

By taking ownership and control of these responsibilities, organizations have the ability to reduce risk and help foster a relationship of trust and accountability with its business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs ― the organization can receive the full benefits of the business relationship.

Internal auditors need to understand all the elements associated with EBRs, from initiating a relationship, contracting and defining a relationship, procurement, managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), and finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate internal audit program with relevant audit objectives for internal audits of external relationships. In addition, internal audit procedures may include elements of evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.

It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Internal audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust with participants in the relationship, fostering feedback, improving relationships, and helping management improve internal and external control.

Formulating and Expressing Internal Audit Opinions

This Practice Guide provides practical guidance to internal auditors who wish to form and express an opinion on some or all of an organization’s governance, risk management, and internal control systems.
Applicability

This may be applicable to and useful for:

• Chief Audit Executives (CAEs).
• Boards.
• Executive and operating management.
• Other assurance providers (OAPs).
• Other professional regulatory bodies.

Background

Internal audit activities are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).

Examples of macro and micro opinions include:

• An opinion on the organization’s overall system of internal control over financial reporting (macro).
• An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries (macro).
• An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc. (macro).
• An opinion on an individual business process or activity within a single organization, department, or location (micro).
• An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit (micro).
• An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units (micro).Formulating and Expressing Internal Audit Opinions

GTAG 3 - Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

The information in the second edition of GTAG 3: Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, provide practitioners the most up-to-date guidance and best practices to enable them to successfully implement a continuous auditing approach. It focuses on technology-enabled aspects of continuous auditing and addresses:

• A definition of related terms and techniques including continuous auditing, ongoing control assessment, ongoing risk assessment, continuous monitoring, and assurance.
• The role of continuous auditing in relation to continuous monitoring.
• Areas where continuous auditing can be applied by the internal audit activity.
• Challenges and opportunities related to continuous auditing. 
• The implications for internal auditing, the chief audit executive, and management.

The guide provides the key considerations practitioners need to implement continuous auditing, which will ultimately help them develop a better understanding of the business environment and the risks to the company to support compliance and drive business performance.

The Three Lines of Defense in Effective Risk Management and Control: Is Your Organization Positioned for Success?

“The Three Lines of Defense in Effective Risk Management and Control” è il nuovo Position Paper, edito dall'IIA, che fornisce le linee guida utili alla mitigazione dei rischi, con speciale riferimento alle organizzazioni che operano in un contesto di business in continua evoluzione, indipendentemente dalle dimensioni delle aziende o dal loro grado di avversione al rischio.In particolare, il documento:sottolinea le criticità del risk management, espletando le specifiche mansioni che dovrebbero essere assegnate e coordinate all’interno dell'organizzazione stessa;fornisce un modo semplice ed efficace per migliorare le attività di comunicazione in ambito di risk management e controllo. 

Gli obiettivi del Workshop "Audit sul processo ICAAP"

Workshop AUDIT SUL PROCESSO ICAAP20 novembre 2013Obiettivi del workshop - Pietro Sivo, Unicredit SpA

Approcci e modalità di Audit del processo ICAAP nella comune esperienza dei principali Gruppi Bancari

Workshop AUDIT SUL PROCESSO ICAAP20 novembre 2013Approcci e modalità di Audit del processo ICAAP nella comune esperienza dei principali Gruppi Bancari Paola Bernardoni, Intesa Sanpaolo Silvia Crivelli, UBI Banca