Auditing Executive Compensation and Benefits
Auditing the structure and operation of Executive Compensation and Benefits (ECB) programs is a legitimate and appropriate role for internal auditing. If a risk assessment indicates a review is warranted, the Chief Audit Executive (CAE) should add ECB to the audit plan, which the board will review and approve. Internal auditing will choose the audit approach and design risk-based audit procedures. This Practice Guide provides discussions relating to such an audit and includes several considerations that may be relevant to an organization’s business activities or risk profile.
Strong governance systems are needed for ECB programs, as management often is in the position of both designing and recommending its own compensation. There are several specific risks internal auditors should consider, including employment market, compliance, financial reporting, reputation, operating, and external business relationship risks. ECB programs also are subject to fraud risk.
Due to the sensitive nature of this area, internal auditing must have an appropriate audit approach and access to the necessary information. While there can be obstacles to obtaining this information, internal audit needs to proceed in accordance with its charter.
The audit scope could include a focus on the board, management, and extended business relationships. There are a number of unique aspects in audits of each of these areas of focus which should be considered before performing audit work.
This guide will assist internal auditors with an explanation of the audit approach, audit considerations such as access to information and privileged communications, as well as the skills and knowledge necessary to serve on the audit team. A section on audit program development includes various concepts, potential tests, and questions to help auditors create an audit program.
The appendix provides definitions relative to various types of compensation and benefits. ECB programs have risks that require effective board governance and management processes. Internal auditors have an important role in providing assurance that appropriate and effective controls are in place around ECB programs.

Evaluating Corporate Social Responsibility
Corporate Social Responsibility (CSR) presents significant risks and opportunities for many organizations. Stakeholders expect boards and management to accept responsibility and implement strategies and controls to manage their impact on society and the environment, to engage stakeholders in their endeavors, and to inform the public about their results. The proliferation of regulation and voluntary standards has made CSR management a complex endeavor.
Internal auditors should understand the risks and controls related to CSR objectives. Where appropriate, the Chief Audit Executive (CAE) should plan to audit, facilitate control self-assessments, verify results, and/or consult on the various subjects. Internal auditors should maintain the skills and knowledge necessary to understand and evaluate the governance, risks, and controls of CSR strategies.
This guide will assist internal auditors in understanding:
- The risks (operational, reputational, etc.) associated with CSR activities and how to use such knowledge in audit planning.
- The approaches to evaluating CSR activities, including auditing, facilitating, and consulting.
- Audit considerations such as use of the audit opinion, independence and objectivity, and types of resources.
- Considerations in developing the internal audit program, including whether CSR information is consistent with standards and how management communicates and sets priorities for CSR strategies.
The guide also explains detailed approaches to auditing in the following appendices:
- Auditing by Element
- Auditing by Stakeholder Group
- Stakeholder Theory
- Additional Resources (includes references to additional Practice Guides)

Internal Auditing and Fraud
This guide discusses fraud and provides general guidance to help internal auditors comply with professional standards. Because fraud negatively impacts organizations in many ways — financially, reputationally, and through psychological and social implications — it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify risks within the organization. To help organizations and internal auditors combat fraud, the guide discusses:
- Fraud awareness (e.g., reasons and examples for fraud and potential fraud indicators).
- Fraud roles and responsibilities.
- Internal audit responsibilities during audit engagements (e.g., execution responsibilities and communicating with the board).
- Fraud risk assessment (e.g., identifying relevant fraud risk factors and mapping existing controls to potential fraud schemes and identifying gaps).
- Fraud prevention and detection.
- Fraud investigation.
- Forming an opinion on internal controls related to fraud.
The guide also includes reference material, questions to consider, and a fraud risk assessment template.
Applicability
This may be applicable to and useful for:
- Chief Audit Executives (CAEs).
- Boards.
- Executive and operating management.
- Other assurance providers (OAPs).
- Other professional regulatory bodies.

Auditing External Business Relationships
This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.
When contemplating the internal audit activity's EBR responsibilities, consider the following:
- Organizations have multiple EBRs that satisfy a variety of business needs.
- Each relationship presents risks.
- It is management’s responsibility to manage these risks and realize the benefits.
- Internal auditing plays a key role in assisting management and validating management’s efforts.
Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits like enhancing revenues through licensing and distribution arrangements, reducing costs in areas that are outside of the organization’s core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also come inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risks for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks.
Organizations’ managements are responsible for managing and monitoring their EBRs and related risks. While entering into a business relationship allows an organization to create benefits and share some risk with the EBR, the organization still retains ultimate responsibility and accountability over a number of risks. Not all risks can be relegated to the business partner. The organization needs to monitor and manage these risks.
The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, as well as have inefficient operations, misreporting, and even damaged brand, in addition to impacted business relationships.
By taking ownership and control of these responsibilities, organizations have the ability to reduce risk and help foster a relationship of trust and accountability with their business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs; in other words, the organization can receive the full benefits of the business relationship.
Internal auditors need to understand all the elements associated with EBRs, from initiating a relationship, through contracting and defining the relationship, procurement, and managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), to finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate internal audit program with relevant audit objectives for internal audits of external relationships. In addition, internal audit procedures may include elements of evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.
It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Internal audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust with participants in the relationship, fostering feedback, improving relationships, and helping management improve internal and external control.

Formulating and Expressing Internal Audit Opinions
This Practice Guide provides practical guidance to internal auditors who wish to form and express an opinion on some or all of an organization’s governance, risk management, and internal control systems.
Applicability
This may be applicable to and useful for:
- Chief Audit Executives (CAEs).
- Boards.
- Executive and operating management.
- Other assurance providers (OAPs).
- Other professional regulatory bodies.
Background
Internal audit activities are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).
Examples of macro and micro opinions include:
- An opinion on the organization’s overall system of internal control over financial reporting (macro).
- An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries (macro).
- An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc. (macro).
- An opinion on an individual business process or activity within a single organization, department, or location (micro).
- An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit (micro).
- An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units (micro).
GTAG 2 - Change and Patch Management Controls: Critical for Organizational Success (2nd edition)
Every IT risk contributes to the overall level of risk underlying the enterprise's business processes, so it is important for Chief Audit Executives (CAEs) to thoroughly understand the topics of change management and patch management. These can be defined as the set of processes carried out within the IT function and designed to manage incremental improvements, updates, and patches to production systems, including code review, system updates (applications, operating systems, and databases), and infrastructure changes (servers, cabling, routers, firewalls, etc.).
The topics discussed in GTAG 2 are presented in appropriate language, which allows the CAE to add value to conversations with senior management, the board, and the head of IT. This guide will also give you the know-how to:
- distinguish effective change management processes from ineffective ones;
- recommend best practices for addressing the topics of interest, both for risk assurance (including control attestations) and for improving effectiveness and efficiency;
- advise the Chief Information Officer, Chief Executive Officer, and/or Chief Financial Officer more effectively and convincingly;
- acquire the operational skills that will allow you to improve IT processes.

IPPF
The Three Lines of Defense in Effective Risk Management and Control: Is Your Organization Positioned for Success?
“The Three Lines of Defense in Effective Risk Management and Control” is the new Position Paper published by the IIA, which provides guidance useful for mitigating risk, with particular reference to organizations operating in a continuously evolving business context, regardless of the size of the company or its degree of risk aversion. In particular, the document:
- highlights the critical issues of risk management, setting out the specific duties that should be assigned and coordinated within the organization itself;
- provides a simple and effective way to improve communication about risk management and control.
Resourcing Alternatives for Internal Auditing
This document is the translation of the Position Paper "Resourcing alternatives for the Internal Audit Function", issued by the Institute of Internal Auditors and part of the IPPF. Its purpose is to offer guidance and suggestions to Management, the Internal Control Committee, and the Head of Internal Auditing (RIA) on the allocation of resources dedicated to the Internal Auditing activity and on the possible consequences that this choice entails. Empirical results indicate that most internal auditors agree on the appropriateness of using partial outsourcing. However, there is no unanimous opinion on the correct amount of external resources, let alone on the criterion for quantifying them, since such a question cannot be answered without considering the size, nature, and complexity of the organization in which the Internal Auditing activity is carried out. The trend toward contracts for the complete outsourcing of Internal Auditing resources raises further questions about how to manage the activity. The PDF publication is free of charge for all members, who can download it. The document, downloadable free of charge for all AIIA members, can be purchased in electronic format by non-members.
Paper

Objectives of the Workshop "Audit of the ICAAP Process"
Workshop "Audit of the ICAAP Process", 20 November 2013. Objectives of the workshop - Pietro Sivo, Unicredit SpA
Presentation

Approaches and Methods for Auditing the ICAAP Process in the Shared Experience of the Main Banking Groups
Workshop "Audit of the ICAAP Process", 20 November 2013. Approaches and methods for auditing the ICAAP process in the shared experience of the main banking groups - Paola Bernardoni, Intesa Sanpaolo; Silvia Crivelli, UBI Banca
Presentation