  • Number of slides: 41

ICPAK 11th April 2013
“Audit Committee and the Board The Reporting Challenge”
Facilitator: Kariithi M. Murimi
JMG STRATEGY INNOVATIONS LTD
CEO and Team Leader

WHAT AUDIT COMMITTEE MUST DELIVER TO THE ORGANISATION
1) PURPOSE The company’s reason for being; why it exists; its core mission as an enterprise
2) VISION The position or status a company aspires to achieve within a reasonable time frame
3) TARGETS AND MILESTONES The metrics that are used to assess the extent to which a company has progressed towards its vision.
www.jmgstrategyinnovations.com

4) STRATEGIC AND OPERATIONAL PRIORITIES The actions taken (and not taken) in pursuit of its vision
5) BRAND PROMISE The commitments made to stakeholders (customers, communities, investors, employees, regulators and partners) about the experience it will provide
6) CORE VALUES The guiding principles that dictate what the company stands for as an organization in good times and bad
7) LEADER BEHAVIOURS How senior management acts day-by-day as they seek to implement the company’s vision and strategy in pursuit of fulfilling its brand promise and living up to its values.

ROLE OF AUDIT COMMITTEE
• Audit committees are increasingly seen as critical to ensuring that the organization has strong and effective processes relating to independence, internal control, risk management, compliance, ethics and financial disclosures.

ROLE OF AUDIT COMMITTEE cont..
• Audit committees need to be independent and must review management decisions with healthy skepticism. This process necessarily includes a close analysis of the way companies assess and manage risk.
• To fulfill its responsibilities, an audit committee should use all available tools, including the company’s internal audit function, external auditors, and, if necessary, the retention of outside counsel and advisers. Each of these tools serves a key function.

Authority of the Audit Committee
The authority of the audit committee must not be restricted. The audit committee should have the explicit authority to:
• Obtain external independent professional advice;
• Have access to such resources and information from within the company as they consider necessary;
• Have access to any individual(s) in the company and to require them to attend committee meetings;
• Conduct their own special investigations on activities that fall within the committee’s responsibilities;
• Consult with the external auditors on any relevant topic, including the external auditor’s independence.
In addition, individual members should have authority to seek external independent advice.

Audit committee should:
• Monitor the company’s internal audit procedures and its risk management system;
• Meet regularly with those who are responsible for the internal audit procedures and risk management system;
• Consider to what extent the findings of the risk management system should be reported in the company’s financial statements.

THE THREE PILLARS OF INTERNAL AUDITING
Internal auditing can be identified as involving three main components: the evaluation and improvement of risk management, control and governance processes. These elements are sometimes referred to as the “three pillars” of internal auditing. The three elements are reinforcements of the fundamentals of an internal audit function in the public sector.

Risk management, control and governance encompass the policies and procedures established to ensure the achievement of objectives and include the appropriate assessment of risk, the reliability of internal and external reporting and accountability processes, compliance with applicable laws and regulations, and compliance with the behavioral and ethical standards set for organizations and employees.

INTERNAL AUDIT PILLARS
[Diagram: Internal Auditing; Risk Management; Control; Governance]

MISSION
The mission of the Internal Audit Department is to provide independent, objective assurance and support designed to add value and improve the Company's operations and systems of internal controls. The Internal Audit Department assists the Company with accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

SCOPE OF WORK
• The scope of audit coverage is company-wide and no department or business unit of the Company is exempt from audit and review.
• In order to fulfill its mission, the Internal Audit Department must determine whether the Company's network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure that:
• Risks are appropriately identified and managed.

• Interaction occurs as needed between the various departments and external regulatory authorities.
• Operations are transacted in accordance with sufficient and adequate controls.
• Significant financial, managerial, and operating information is accurate, reliable, and timely.
• Employee actions are in compliance with policies, standards, procedures, and applicable laws and regulations.

CONT…
• Significant legislative or regulatory issues impacting the Company are recognized and addressed properly.
• Programs, plans and objectives are achieved.
• Resources are acquired economically, used efficiently, and adequately protected.

Independence of the Internal Auditor
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

“Independence – The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organizational levels.”
“Objectivity – An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.”

Cont…
The IIA Code of Ethics consists of a number of basic principles which internal auditors are expected to uphold, together with rules of conduct which describe the norms of behaviour expected of internal auditors. The principle relating to objectivity requires internal auditors to “exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined.” Furthermore, internal auditors are expected to make a balanced assessment of all the relevant circumstances and they should not be unduly influenced by their own or others’ interests when forming judgments. The rules of conduct specify that internal auditors:

Cont…
(i) shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment;
(ii) shall not accept anything that may impair or be presumed to impair their professional judgment;
(iii) shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

Gauging the quality of the audit report
• Quality audit is the process of systematic examination of a quality system carried out by an internal or external quality auditor or an audit team. It is an important part of an organization's quality management system and is a key element in the ISO quality system standard, ISO 9001.
• Quality audits are typically performed at predefined time intervals and ensure that the institution has clearly defined internal system monitoring procedures linked to effective action. This can help determine if the organization complies with the defined quality system processes and can involve procedural or results-based assessment criteria.

What is Quality Management Auditing?
To ensure that quality is maintained throughout the enterprise, frequent audits are required to gauge the quality and effectiveness of the processes, systems, and personnel employed by the company. Quality management auditing gives businesses the necessary tools for planning as well as for gauging and improving quality control and quality assurance procedures.

Cont..
• Incorporating effective quality management auditing can help companies achieve, sustain, and improve their quality standards.
• When an audit concludes, the audit team presents its findings to the auditees at a closing meeting. At the closing, or before the audit team departs the facility, it is typical for the auditee’s representative to receive findings in handwritten format. This documentation contains only factual statements of nonconformities supported by objective evidence.

Audit Report Content
ISO 19011:2002 provides a very good guideline for audit reports and should be reviewed and used as a reference by all quality auditors. The report should include, as applicable, the following:
• The scope and objectives of the audit. This would include areas that were audited. When the scope is broad and inclusive of multiple sites, this would be very important, as the boundaries need to be defined.

• Details of the audit plan.
• Identification of the reference documents and standards against which the audit was conducted. For a third-party audit, this would typically include the quality management system standard, such as ISO 9001, ISO/TS 16949, ISO 17025, etc. For internal audits, the documents and standards may be a list of internal documents and procedures associated with the functions and activities that were audited. Examples may include the quality plan, approved procedures, policies, work instructions, etc.
• Identification of the auditor or audit team members. When multiple auditors are used, the lead auditor must be identified. The auditee representative also should be identified.

• Audit dates and length of the audit need to be identified. This is important as it provides evidence that audits are conducted in accordance with established audit schedules. By identifying the audit days, it also is evidence of resource needs. This provides an indication of expenses the organization has spent and might need to consider when planning future audits.
• Identification of interviewees. Process owners should be interviewed and names documented. Recording the names of interviewees on working papers provides connectivity to objective evidence while providing supporting evidence that the auditors have fulfilled the requirements of the audit process.

• Auditors should always find positive activities or areas of best practices to highlight. Modern auditing is not about catching people doing something wrong; it is about confirming compliance and conformance. Therefore, it is important that the audit report mention positive practices or behavior.
• Documentation of nonconformities. When documenting findings, it is important to be clear and precise. What is the actual nonconformity and why is it a nonconformity? What standard has been violated? What is the objective evidence used to determine that a nonconformity exists?
• The audit report should be concise. Auditors should use care not to overload the auditee organization with minutiae. For example, if there are findings in three different areas regarding document control, combine them into one finding that indicates where the nonconformities were noted.

• Identification of Opportunities for Improvements (OFI) or Areas of Improvement. It is permissible for auditors to make statements, or judgments, regarding the auditee’s compliance with the applicable system standards and related documentation.
• Distribution list. For external audits, the report distribution is small and generally limited to the client, typically the organization management representative. The client or representative has the responsibility for broader distribution within their organization. For internal audits, the audit report distribution tends to be much larger, but is typically specified in an internal procedure governed by the audit group management.

Audit report
• The audit report should be considered the end product of the audit. Care should be taken to protect the integrity of the report and the confidentiality of the information contained therein. Audit reports are considered a controlled document and should be maintained in accordance with approved practices, but minimally until the next scheduled audit of the same area.

Conflict between a powerful Executive and the Internal Audit
• Companies with a powerful CEO exhibit higher turnover among senior management, higher pay differentials between the CEO and senior management, and are more likely to engage in risky corporate activities.
• Power produces overconfidence and risk taking, insensitivity to others, stereotyping, and a tendency to see other people as a means to the power holder’s gratification.
• Companies with powerful CEOs tend to award higher executive compensation.

Upsides
• Power [is] the basic energy to initiate and sustain action translating intention into reality, the quality without which leaders cannot lead.
• Power transforms individual interests into coordinated activities that accomplish valuable ends.
• Powerful CEOs are more likely to take actions to pursue their objectives, which can have a positive effect on corporate performance.
• They also exhibit decreased inhibition, meaning that they feel less subject to social restraints that otherwise limit behavior.
• Having a powerful CEO clearly positioned at the top can contribute to stability and productivity in the organization.

ROLE OF INTERNAL AUDITORS IN RISK MANAGEMENT
• The role of internal audit is to provide independent and objective assurance to the accounting officers, chief executives of state corporations and clerks to local authorities on the effectiveness of the risk management framework put in place by management, and to recommend appropriate risk mitigation measures.

Cont.. ROLE OF INTERNAL AUDITORS IN RISK MANAGEMENT
• Internal auditors playing the role of internal consultants can assist the ministry, state corporation and local authority to identify and evaluate risks that impact on the operations and then assist in identifying the most appropriate strategies, policies, procedures and controls to manage risks to a level acceptable to management.
• The internal audit unit in every public institution will ensure that:

Cont… ROLE OF INTERNAL AUDITORS IN RISK MANAGEMENT
I. The organization's risk management processes address the objectives which generally gauge the adequacy and effectiveness of the risk management process;
II. Risks relating to the organization are categorized into strategic, operational, compliance, environmental, political and financial, and are then prioritized;

Cont.. ROLE OF INTERNAL AUDITORS IN RISK MANAGEMENT
III. Risk mitigation measures are developed and implemented to reduce or otherwise manage risks that are determined to be acceptable to the organization;
IV. Monitoring activities are conducted periodically to re-assess risk and effectiveness of controls to manage the risks;
V. Management is provided with periodic reports on the effectiveness of the risk management process.

The Public Finance Management Act, 2012
Under Clause 73 and Clause 155, both governments must maintain internal auditing arrangements and “shall establish an audit committee whose composition and functions shall be prescribed by the regulations”.

THE PFM ACT, 2012
Requires Internal Auditing to include:
1) Reviewing the governance mechanisms of the entity
2) Conducting risk-based, value-for-money and systems audits
3) Verifying the existence of assets administered by the entity
4) Providing assurance that appropriate institutional policies and procedures and good business practices are followed by the entity
5) Evaluating the adequacy and reliability of information available to management for making decisions.

INTERNAL AUDIT CHARTER
1. PURPOSE
The purpose of this charter is to set out the nature, role, responsibility, status and authority of the Internal Audit Department and to outline the scope of their work.

2. APPROVAL
This charter establishes the authority and responsibility conferred by management
3. ROLE OF INTERNAL AUDIT
The role of the Internal Audit Department is to assist the Managers to meet their objectives and to discharge their responsibilities by providing an independent appraisal of the adequacy and effectiveness of the controls set up by management to help run the respective Directorates.

4. RESPONSIBILITIES OF MANAGEMENT
The Head of the Internal Audit Department is responsible for determining the scope of internal audit work, and for deciding the action to be taken on the outcome of or findings from their work. Management is responsible for:
• proposing the areas of investigation by internal audit
• ensuring the internal audit function has:

Cont… management
• the support of top management;
• direct access and freedom to report to top management, including the Audit Committee.
• maintaining internal control, including proper accounting records and other management information suitable for running the Directorate.

Cont… management
• reviewing internal audit reports within a period not exceeding two weeks and implementation of recommendations as considered appropriate.
• Nothing set out above shall restrict the freedom of the Internal Audit Department to conduct their own independent investigation on any matter.

LEARNING TO FORGET
Every manager carries around in his or her head a set of biases, assumptions and presuppositions about the structure of the relevant “industry”, about how one makes money in that industry, about who the competition is and isn’t, about who the customers are and aren’t, about what customers want or don’t want, about which technologies are viable and which aren’t, and so on. This genetic coding also encompasses beliefs, values and norms.