The Role and Value of Internal Audit
Association of Credit Union Internal Auditors
September 26, 2012
ACUIA
September 26, 2012
Part I. The Value Proposition in Internal Audit
You Have to Start Someplace
Circumstances Change
How Do You Define Value?
Duke Pre-2005
A. 11 Auditors
B. Average Longevity in Department - >10 years
C. Audit Plan
1. Predictable; rotated every five years
2. Financial emphasis
a) Expense reports
b) Vacation
c) Expenditures
d) Time cards
Duke 2005-2008
A. 21 Auditors
B. Average Longevity in Department - < 3 years
C. No one pre-2005 remained after mid-2006
D. Audit Plan
1. Risk based
2. Control orientated
3. Best Practices expected
Duke 2009
A. Financial Meltdown
B. IA budget $1.1 in 2004; $3.3 million 2008
C. Cut expenses 18%; Four FTEs
D. Incorporate operational efficiencies into IA projects
Meltdown Changes
A. Deliver services that were of most value to Duke
B. Add operations as important element of each job
C. Take noise out of reports
1. Only include important issues
2. Client service letters
D. Recommendations no longer only best practice
1. Effective and efficient
2. Partner in arriving at recommendation
Duke 2011
A. Used ERM risk management heat maps to develop audit plan
B. Management identified problems
1. Points out areas to audit because “There is a problem”
2. IA response – We will facilitate a consulting project to address the issue
3. Result - Audit plans include over 10 consulting projects in University and Duke Medicine
Duke 2012
A. Health System EPIC implementation
B. University IT
1. Vertical audits
2. Same findings – Not telling them what they don’t know
3. Management not addressing the system issue
C. IA meets with IT and Management
1. Agree on IT priorities
Duke 2012 (continued)
2. Agree on how IA can best support IT priorities
a) Facilitate
b) Consult
c) Audit
D. IT and Management comment this is of greater value to Duke Medicine
E. AC approves conceptual change
Part II. A Role for Internal Audit in Governance Activities
Organizational Governance Process
Managing Agendas
Organizational Change
Organizational Governance Process
A. Audit Committee Charter
1. Purpose
2. Authority and Responsibilities
3. Membership
4. Operations
Organizational Governance Process
B. Responsibilities – Best Practices
1. External Audit
2. Internal Audit
3. Financial Reporting
4. Compliance
5. Controls and Risk Management
6. Ethics and Conflict of Interest
Organizational Governance Process
1. External Audit
a) Very standard and developed
b) Focus on risk and judgments
Organizational Governance Process
2. Internal Audit
a) Committee role in appointment, evaluation, reassignment, promotion, dismissal of CAE
b) Private meeting with CAE
c) Require QAR every five years
Organizational Governance Process
3. Financial Reporting
a) Not a public company, so less emphasis
b) Allows AC to understand and agree with changes management makes to statements
c) External Auditor involved in the discussion
Organizational Governance Process
4. Compliance
a) Annual approval of formal compliance structure
i. Definition of roles and responsibilities
a. Governance
b. Program Development and Oversight
c. Risk ownership
d. Audit
Organizational Governance Process
b) Institutional risks
i. Approve
ii. Receive monitoring reports
c) Audit plans
d) Governmental investigations
Organizational Governance Process
5. Controls and Risk Management
a) Controls
i. Annual management presentation
ii. Focus on significant aspects (systematic; judgments, decentralized environment)
b) Risk Management
i. Approve annual process
ii. Receive report from Senior Leadership on strategic risk
Organizational Governance Process
6. Ethics and Conflict of Interest
a) Annually revisit Code of Conduct
b) Annually approve Conflict of Interest process and receive report of process conclusion
c) Annually receive report on hot line activities
Managing Agendas
A. Annual Plan
1. Identify areas of focus for each responsibility
2. Allocate them to meetings
a) Tests whether adequate number of meetings are scheduled
b) Helps organize topics (financial reporting changes with external audit plan)
c) Allows planning for presenters at future meetings to begin early
3. Approval by the AC at its last meeting of the year
Managing Agendas
B. Individual Meeting Agendas
1. Group items by committee responsibility
2. Most important items first
3. Presenter is the owner from management
a) Background materials
i. Executive Summary
ii. Context
iii. Level of detail
Managing Agendas
b) Presentation
i. High level
ii. Not repetitive of background material
iii. Tees up discussion
iv. Presentation and discussion 50/50 of allocated time (use of board talent)
4. Questions Only
a) Reports with nothing of significance to discuss (IA, Compliance)
b) Last item on the agenda
5. Use of conference calls
Organizational Change
A. Perfect Storm
1. Significant Issue
2. Management Owner presenting issue and response
3. Discussion time provided for AC
4. AC weighs in on management response
Organizational Change
B. Risk Management Process
1. Informal in 2005
2. Senior Leadership discussion of risk
3. AC sets future objective
a) Top Ten
b) Heat Map
c) Owner identified
d) Mitigation strategy
4. Annually add more to risk management process
5. Now full COSO model in place
Organizational Change
C. Patient enrollment in clinical trials
1. 2010 Problem in one department
2. AC asks how risk is mitigated in other departments
3. SOM reports
4. 2011 Problem exists in second department
5. SOM revises organizational reporting of clinicians to mitigate risk
Organizational Change
D. Code of Conduct
1. No Code of Conduct
2. 2006 attempt to establish; settled for Statement of Ethical Principles
3. 2011 Faculty member cited in Senate investigation
4. COI form incomplete disclosure; Would have prevented being PI in grants
Organizational Change
5. AC asks about ethics education for faculty
6. Senior Leadership accepts CAE recommendation to complete Code of Conduct
7. Six months later approved as part of Statement of Ethical Principles
Organizational Change
E. Take-Aways
1. AC role
a) Assessing management response to risk
b) Providing time to discuss and consider
2. Management role
a) Provide proposed solution
b) Respond to AC additional concerns
Organizational Change
3. Internal Audit role
a) Right agenda items
b) Work with management to understand their role and AC expectations
c) Work with management to address AC concerns
QUESTIONS?