Performance audit adding value

1. Performance AuditAdding ValueICGFM Conference May 19, 2011Lily Bi, CIA, CGEIT, CISADirector, Standards and GuidanceInstitute of Internal Auditors

2. Program ObjectivesUnderstand the Landscape –

3. Internal Audit

4. Concept and Benefits of Performance Audit

5. Increase your ability to work with management in a positive and constructive partnership

6. The International Standards for Professional Practice of Internal AuditingAnalyze risks and develop a risk-based performance auditLearn a value-for-money approach for performance auditFinal Thoughts – Trend of Internal Audit Profession

7. Program TopicsUnit 1 - Understand the LandscapeUnit 2 - Management Functions and Performance MeasuresUnit 3 - International Standards For Performance AuditUnit 4 - Risk-Based Approach (Case Study)Unit 5 - Value-for-Money Approach (Case Study)Unit 6 – Final Thoughts

8. Working AgreementP = ParticipationO = OpennessS = Sense of funE = Enthusiasm

9. Unit 1Understand the LandscapeThe road map of internal audit profession

10. The definition of internal Auditing

11. The definition of performance audit

12. Benefit of performance auditRoad Map of Internal Audit Profession

13. Road Map of Internal AuditModern Internal Audit1941 - Internal Audit, a separate and distinctive discipline.

14. About the IIAEstablished in 1941, global headquarters in Altamonte Springs, Florida, USANonprofit professional association170,000 members worldwide103 national institutes worldwideKey focus:Standards-setting body for internal auditorsProfessional certificationsGlobal research centerPrincipal educator Global voice for the profession

15. Definition of Internal Auditing

16. Images of Internal AuditorsWhich metaphor do you like?Magnifying glassTelescopeCompassHunting dogsWatch dogsPolicemenConsultantsEyes and ears of the Audit Committee

17. Definition of Internal Auditing Internal auditing is an independent, objectiveassurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.Source: International Professional Practices Framework (IPPF) The Institute of Internal Auditors

18. Internal Auditing IsAdd Value IndependentAssurance Activitydesigned toImprove OperationsObjectiveConsulting Activity

19. Internal Auditing HelpsTo HelpToThe Effectiveness ofOrganization accomplish it’s ObjectivesRisk Management ProcessEvaluateControl ProcessImproveGovernance Process

20. Performance Audit

21. Definitions of PAINTOSAI: Performance auditing is an independent examination of the efficiency and effectiveness of government undertakings, programs, or organizations, with due regard to economy, and the aim of leading to improvements.US Government Auditing Standards:Performance audits are defined as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria, such as specific requirements, measures, or defined business practices. Performance audits provide objective analysis so that management and those charged with governance and oversight can use the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability.

22. Working Definition of PA Performance Audit is an independent and objective examination of a program, function, operation or the management systems of a governmental entity to:assure the entity’s objectives are carried out in an economic, efficient and effective way, andidentify opportunity for improvement

23. Financial vs. Compliance vs. Performance Auditing

24. What Makes this Performance Audit?An Example:“…to determine whether laws, contracts, policies and procedures have been properly observed and whether all business transactions were conducted in accordance with established policies and with success. In this connection, the auditors are to make suggestions for the improvement of existing facilities and procedures, criticisms of contracts with suggestions for improvement, etc.”

25. Benefit of Performance Audit

26. Benefit of PA – Adding ValueRelevantFocus on the key initiativesFlexible Define the scope of the audit based on riskImproving organizational performanceStrengthen the governanceFraud prevention and detectionGaining public trust

27. Internal Audit ValueAssurance = Governance, Risk Management, ControlInsight = Catalyst, Analyses, AssessmentsObjectivity = Integrity, Accountability, Independence

28. Exercise - Connect the Dotso o oo o oo o oConnect all nine dots using just 4 lines without taking the pencil off the paper

29. Think Outside the Boxo o oo o oo o o

30. Unit 2Management Functions and Performance MeasuresUnderstanding the management functions

31. Seeing the organization through the eyes of management

32. Understanding performance measuresManagement Functions

33. Management Issues and ConcernsCost ContainmentHuman Resources Values and Vision Initiatives Empowered Environments vs. Traditional Structures Technological Changes and Innovations

34. Communication

35. Customer Satisfaction

36. Public PerceptionPlanOrganizeDirectManagement’s RolesGet the Job DoneControl

37. Management’s Roles

38. Performance Auditor’s RolesEvaluate the management processes and identify the heart of the problemAlert to actual and potential changesIdentify the opportunity for improvementAll units, programs, systems and activities are subject to internal auditor’s evaluations

39. See though the Eyes of ManagementAlmost every deviation or deficiency results from the violation of some principle of management or good administration.See the organization and its activities through the eyes of management

40. Three Simple Questions to Ask ManagementWhat can go wrong?How do you it won’t go wrong?So what?

41. Performance Measures

42. Types of Management Performance MeasuresINPUTS - Measures of service efforts, e.g., number of hours, amount of materials.OUTPUTS - Measures of service level, e.g., number of residences served, amount of service provided.OUTCOMES - Measures of service accomplishments, e.g., measures related to program goals, including effectiveness of quality.EFFICIENCY - Measures that relate service efforts to service accomplishments, e.g., output/unit of input, productivity indexes.

43. PrinciplesMeasure only what are important to the organizationUse of output-oriented measuresIdentify the total costs of service deliveryFocus on continuous process improvementPerformance measures should interconnect throughout the organization

44. One Example – Five Performance Categories:Effectiveness – the degree to which process output conforms to requirementsEfficiency – the degree to which the process produces the output at a minimum cost of resourcesQuality – the degree to which the product or service meets customer expectationsTimeliness – the degree to which a unit of work was done correctly and on timeSafety – the measure of health and the working environment of the organization

45. Unit 3International Standards For Performance AuditInternational Professional Practices Framework - IPPF from the IIA

46. Why the Standards MatterTheStandardsLeadRepresentAdvancement of theProfession

47. Road Map of Internal Audit- Changestothe IIA Standards

48. The IIA’s IPPFInternational Professional Practices Framework

49. MandatoryStrongly recommendedAUTHORITATIVE GuidanceAuthoritative=

50. Code of EthicsIntegrityThe integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.ObjectivityInternal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.ConfidentialityInternal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.CompetencyInternal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

51. International Standards for Professional Practice of Internal Auditing

52. Importance of the StandardsThey define the profession.

53. They set the bar that every auditor should comply with.

54. They give you a reference guide for how to conduct yourself.

55. They lay the ground work, but are not the ultimate goal.

56. They give our customers peace of mind and confidence they’re getting a quality product.The International StandardsMandatory requirements consisting of:Statements of basic requirements for professional practice of internal auditing Interpretations which clarify terms or concepts within the Statements.Glossary26 changes effective Jan 2011

57. Overview of the IIA StandardsAttribute Standards:Purpose, Authority and Responsibility……………………1000

58. Independence and Objectivity………………………………..1100

59. Proficiency and Due Professional Care……………….….1200

60. Quality Assurance and Improvement Program……..…1300Performance Standards:Managing the Internal Auditing Activity……………………2000

61. Nature of Work.……………………………………………….…………2100

62. Engagement Planning…………………………………….……..…2200

63. Performing the Engagement…………………………..……… 2300

64. Communicating Results………………………………..….………2400

65. Monitoring Progress………………………………………….……. 2500

66. Resolution of Management’s Acceptance of Risks……..2600Important Knowledge for Satisfactory Performance Of Internal AuditingIIA CBOK 2006 - Figure 2-12010 IIA Global Internal Audit Study

67. Who Uses the StandardsMandatory requirements for 170,000 IIA members and 100,000 Certified Internal Auditors

68. Translated into 21 languages

69. Recognized or referenced by International Standards Setting Bodies, such as:

70. INTOSAI (IIA Standards are recognized globally for public sector audit professions)

71. Basel Committee on Banking Supervision

72. OECD Internal Audit Function

73. Referenced on the mandated legislation or regulation in countries or territories, such as

74. Belgium, Bosnia & Herzegovina, Canada, Chinese Taiwan, Estonia, Poland, Romania, South Africa, Sweden, Thailand, Tunisia, Unites States, United Kingdom, Zimbabwe, and …IPPF Strongly Recommended Guidance Practice Advisories (56)Address approach, methodology and considerations, but NOT detailed processes and procedures. Concise and timely guidance to assist internal auditors in applying Code of Ethics and Standards and promoting good practices. Position Papers (2)IIA statement to assist a wide range of interested parties, including those not in internal auditing profession, in understanding significant governance, risk or control issues and delineating related roles and responsibilities of internal auditing.Practice Guides (26)Detailed guidance for conducting internal audit activities. Includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables.www.theiia.org/guidance

75. Unit 4Risk-Based Performance AuditPerformance audit process

76. The importance of clearly defined business objectives and associated performance measures (goals) to a performance audit

77. Risk assessment using a Risk/Control Matrix methodology

78. Case Study Performance Audit ProcessPlanning Examining and Evaluating InformationCommunicating ResultsFollowing Up

79. IIA Standards Related to Performance Audit Process

80. Plan Performance AuditThe most important part of an audit is the planning phase. Standard 2010 – Planning: The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.

81. Plan Performance AuditStandard 2201 – Planning Considerations: In planning the engagement, internal auditors must consider:The objectives of the activity being reviewed and the means by which the activity controls its performance;The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;The adequacy and effectiveness of the activity’s risk management and control processes compared to a relevant control framework or model; andThe opportunities for making significant improvements to the activity’s risk management and control processes.

82. Risk-based Performance AuditStart with an organization’s objectives and associated performance measures.Focus on an evaluation of performance risks and controls related to those objectives.Help the organization achieve the desirable goals and protect it from bad or undesirable things happening.Help reduce the chance of missed opportunities.Provide suggestions for improvement in controls designed to mitigate the risks associated with meeting performance objectives.

83. Risk Assessment Formula

84. Identification of ObjectivesObjectives are the things an organization wants to accomplish.Objectives should be S.M.A.R.T.

85. Objectives CascadeMissionVisionObjective 3Objective 2Objective 1Sub-ObjectiveSub-ObjectiveSub-ObjectiveSub-ObjectiveSub-ObjectiveSub-ObjectiveSub-ObjectiveSub-ObjectiveSub-Objective

86. What is RiskRisks are things that could prevent an organization from meeting its objectives.IIA definition - Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

87. Business Risk ExamplesErroneous records and/or informationBusiness interruption (Government shutdown)Public criticism or legal actionHigh costsLoss or destruction of assetsCustomer dissatisfaction due to ineffective program/service designFraud or conflict of interestInappropriate mgmt. policy and/or decision making process

88. Focusing on the “Real Risks”Operational 20%Strategic & Business 60%Financial 15%Compliance 5%

89. HHighRisk ImpactTotal Audit UniverseLowLHLikelihood Risk Assessment

90. Risk ResponsesExamples of risk response options:Acceptance

91. Avoidance

92. Transfer

93. MitigationRisk Response StrategyManagement identifies available risk response options

94. Considers their effect on event likelihood and impact, in relation to risk appetite and cost versus benefit

95. Effective enterprise risk management does not dictate which response management should chose, but that the chosen response brings the expected likelihood and impact within the desired risk tolerancesRisk Assessment - Two perspectives Inherent RiskInherent (Gross) - BEFORE RISK RESPONSE

96. Residual (Net) - AFTER RISK REPONSEResponses Residual Risk

97. Exercise: Rain and UmbrellaWhen it rains, where are Inherent and Residual Risk (IR and RR)?

98. When it rains, where are IR and RR?IRIRIRIRIRIRIRRRCRRRRRRRRRIR = All the raindropsRR = The raindrops outside the umbrellaCR = Control Risk, possibility the umbrella leaksRisk Appetite = How big the umbrella is

99. What is ControlControls are things that help meet an organization's objectives.IIA Definition Control - any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

100. Control to Mitigate These RisksErroneous records and/or informationBusiness interruptionPublic criticism or legal actionHigh costsLoss or destruction of assetsCustomer dissatisfaction due to ineffective program/service designFraud or conflict of interestInappropriate mgmt. policy and/or decision making process

101. Risk Management and ControlTwo sides of the same coin: Risk is managed by having in place the right controls to safeguard against its occurrence;Internal control exists only in relation to what they do to mitigate risk. Risk management and internal control are integrated parts of an entity’s overall governance and management system.

102. Control - Who Is ResponsibleManagement is responsible to design, implement and monitor controls

103. Internal auditors is responsible to assess the adequacy and effectiveness of controlsRisk Control MatrixUse RCM to Plan an audit

104. Document an audit Benefits of Risk Control MatrixOpen-endedDisciplinedRisk-basedInclusive Most organizations modify, delete, and add columns on the Risk/Control Matrix to fit their own environment.

105. MandatedHAUDIT RESOURCESHighRisk ImpactTotal Audit Universe*LowLHLikelihood Validate the Audit PlanSpecial Request

106. Case StudyState Department of Fruit and Vegetable

107. Unit 5Value for Money ApproachWhy Value-for-Money approach?

108. Three E’s Performance Measures

109. Difference between Risk-Based and Value-for-Money approaches

110. Twelve Attributes for Evaluating Effectiveness

111. Case StudyNeeds for Performance AuditTo evaluate a unit or program and answer questions like:Do we get value for money?Is it possible to spend the money better or more wisely?Are the right things been done?If so, are things been done in the right way?If not, what are the causes?

112. Value-for-MoneyDefinition: VFM is utility derived from every purchase or every sum of money spent. VFM is based not only on the minimum purchase price (economy) but also on the maximum efficiency and effectiveness of the purchase.Looks at how well an organization provides value for money.Focuses on economy, efficiency, and effectivenessBased on the Twelve Attributes for Evaluating Effectiveness

113. Audit Performance Measures – 3E’sThe principle of ECONOMY is keeping costs low. It requires that the resources used by the audited entity for its activities shall be made available in due time, in appropriate quantity and quality and at the best price. The principle of EFFICIENCY is getting the most from available resources. It is concerned with the best relationship between resources employed, conditions given and results achieved.The principle of EFFECTIVENESS is meeting the objectives set. It is concerned with attaining the specific aims or objectives set and/or achieving the intended results.

114. 12 Attributes For Evaluating EffectivenessCosts and ProductivityResponsiveness Financial ResultsWorking EnvironmentProtection of AssetsMonitoring and ReportingManagement DirectionRelevanceAppropriatenessAchievement of Intended ResultsAcceptanceSecondary Impacts

115. Conducting Performance Audit- PlanningGather background information on the audit area.Understand the organization’s business, objectives, mission, etc.Interview management and staff.Use the twelve attributes to scope the audit by looking at each attribute to choose which are most applicable.For the selected attributes, form questions to be answered during the next phase.

116. Conducting Performance Audit- Examining and EvaluatingThe questions are answered through:- Interviews with management, employees and others- Industry research- Performance measures (criteria)- Benchmarking (criteria)- Other management and audit reports.- Site visits.

117. Conducting Performance Audit- Reporting and Following UpCommunicating Results PhaseIssues should be communicated to client throughout the audit.The report is written and presented to the client. Following UpManagement implements action items from the report. Audit assists as required.

118. Case StudyState Department of Fruit and Vegetable

119. Unit 6Final ThoughtsSummary of What We Discussed

120. Internal Audit - Today and TomorrowSummaryUnderstanding of internal audit and performance auditPerformance measuresIIA’s International Professional Practices Framework (IPPF)Management functionsRisk-based performance auditValue-for-money performance audit

121. Modern Internal AuditingClient-focused, value-added service to management and oversight bodies

122. Guided by international standards and enhanced emphasis on quality

123. Adoption of risk-based methodologies

124. Consulting service + assurance service

125. More independence and enhanced stature

126. Add value to the organization and stronger alignment

127. More strategic approach to staffing: out-sourcing and co-sourcing

128. Integration of IT and non-IT audit resources

129. Enhanced use of technology tools/services

130. Started to be part of governance structureTop 5 Internal Audit Activities TodayOperational auditing (89% of respondents).Audits of compliance with regulatory code (including privacy) requirements (75% of respondents).Auditing of financial risks (72% of respondents).Investigations of fraud and irregularities (71% of respondents).Evaluating the effectiveness of control frameworks (i.e., using COSO and COBIT) (69 percent of respondents).2010 IIA Global Internal Audit Study

131. What Is Next? Top Five Imperatives Assess and align with key stakeholder expectations

132. “Step up to the plate” in risk management

133. Enhance internal audit knowledge of the business

134. Streamline internal audit processes and operations

135. Coordinate and align with other risk, control and compliance functionsPerformance Audit Adds Value ByReducing risk exposure

136. Improving opportunities to achieve goals

137. Identifying operational improvementQuestionsGuidance@theiia.orgwww.theiia.org/guidance90

Performance audit adding value

More Related Content

What's hot (20)

Similar to Performance audit adding value (20)

More from icgfmconference (20)

Recently uploaded (20)

Performance audit adding value

Editor's Notes