Moving Internal Audit Back into Balance

Size: px
Start display at page:

Download "Moving Internal Audit Back into Balance"

Transcription

1 Moving Internal Audit Back into Balance A Post-Sarbanes-Oxley Survey Fourth Edition

2 Table of Contents Introduction... 1 Executive Summary... 2 Overview of Rebalancing Initiatives... 4 Current Status of Sarbanes-Oxley Compliance... 4 State of Rebalancing... 5 Making Progress... 6 Primary Benefits... 7 Key Activities by Organizations Seeking to Rebalance... 8 Addressing IT Audits... 9 Sarbanes-Oxley Compliance Strategies as Part of Rebalancing Efforts Addressing IT Audits Primary Ownership Impact of SEC S Interpretive Guidance and PCAOB AS Rebalancing Efforts Changes in Efforts/Hours Quantity and Scope of Processes and Controls Impact of Rebalancing Initiatives Internal Audit Responsibilities in Sarbanes-Oxley Compliance Allocating Internal Audit Efforts for COSO Internal Control Objectives Rebalancing the Skills Gap Internal Audit Staffing, Hours and Budget Allocations Impact of SEC s and PCAOB s Guidance Outsourcing Sarbanes-Oxley Compliance Activities External Quality Assessments Changing Landscape Demands Ongoing Rebalancing Methodology survey Demographics About Protiviti INC... 34

3 Introduction Unless commitment is made, there are only promises and hopes... but no plans. Peter Drucker Without question, much has changed in the seven years since the U.S. Sarbanes-Oxley Act became law. We conducted our first Internal Audit Rebalancing study in 2005 to assess how organizations were relying on their internal audit departments for Sarbanes-Oxley compliance-related activities while seeking to rebalance these functions to also address more traditional internal auditing responsibilities. (For the purposes of this survey, rebalancing is defined as the process of moving activities away from Sarbanes-Oxley compliance to a broader coverage of business objectives as defined by the COSO framework.) In subsequent years of the study, we noted how the landscape continued to change, with organizations becoming more familiar with the Sarbanes-Oxley compliance process and thus streamlining their efforts. Perhaps most notably, in 2007, a potential paradigm shift was introduced with the U.S. Securities and Exchange Commission s (SEC) interpretive guidance to management on implementing Section 404 of Sarbanes-Oxley, along with a new standard, Auditing Standard No. 5 (AS5), from the Public Company Accounting Oversight Board (PCAOB). Both of these were intended, in part, to alleviate some of the time and cost burdens associated with the compliance process. The results of our 2008 Rebalancing survey suggested that both the SEC s interpretive guidance and PCAOB AS5 were having their intended effect. In our 2009 Rebalancing survey, one of the more interesting trends emerging from our analysis of the data is an apparent drop among organizations in activities and perceived benefits relating to these regulatory pronouncements. Both were designed to ease compliance burdens among companies and facilitate a more efficient and streamlined attestation by external auditors of internal control over financial reporting. There could be several reasons behind this trend. Certainly there is a heightened regulatory environment in the wake of the many well-publicized bank and corporate failures worldwide. There also could be a general aura of compliance conservatism because of the global financial crisis that is impacting virtually every organization around the world. It also could be that the rate of changes being implemented by companies has slowed since it has now been two years since the SEC s and PCAOB s announcements. We explore these and other themes further throughout this report. This year s survey, which was modified slightly from previous years, consisted of questions grouped into two divisions: Rebalancing Strategy and Internal Audit Organization and Focus. More than 600 respondents a majority of whom are chief audit executives, audit directors and audit managers took part by completing the survey in person or online. We would like to extend our appreciation to all of the chief audit executives and internal audit professionals who participated in our 2009 Rebalancing survey. We also want to recognize The Institute of Internal Auditors for its continued leadership and guidance for the profession. We are very appreciative of the continued positive feedback on this study that we receive from chief executive officers, chief financial officers, board members and other executives, as well as internal audit leaders. We are certain our 2009 report will again be of interest to any organization assessing how to balance ongoing Sarbanes-Oxley compliance with traditional internal auditing responsibilities. Protiviti June 2009 Moving Internal Audit Back into Balance 1

4 Executive Summary Impact of the SEC s Interpretive Guidance and PCAOB Auditing Standard No. 5 While approximately half of survey participants reported the SEC s guidance and PCAOB AS5 are enabling them to increase rebalancing efforts significantly or moderately, the response was down from Hours for external audit, internal company and other external resources have decreased, but not as much as reported last year. A majority of respondents reported decreases in the number of key controls and total controls documented and tested. One of the more notable trends in this year s results is an apparent lessening in the positive effects of the SEC s interpretive guidance and PCAOB AS5, with a general across-the-board decrease in their respective impact. This could be a result of many factors, including the global economic crisis, heightened regulatory environment, continued significant reliance on manual processes and controls, growing conservatism among companies in order to maintain the status quo, or a belief among organizations that they already have implemented changes in response to these regulatory rulings and are not planning further adjustments. Primary Benefits of Rebalancing Internal audit being able to perform more traditional audits and more appropriate coverage of risk rank as the top benefits. Reduced Section 404 and 302 compliance costs is the third-highest ranked benefit, yet the response was down 7 percent from After 2005 (the first year of the survey), there is a clear trend showing more traditional audits to be a top benefit of rebalancing, which is understandable given the interest in shifting internal audit away from a Sarbanes-Oxley-only emphasis. Such a shift enables organizations to achieve more appropriate coverage of their risks. Sarbanes-Oxley Compliance: Current Status Most respondents are in or beyond their fourth year of Sarbanes-Oxley compliance, generally mirroring the compliance timeline since the act went into effect for large accelerated filers. These results are similar to those from the 2008 Rebalancing study. Of note, there was a year-over-year increase in the number of organizations identifying themselves as in either the first year or pre-first year of compliance. This is the result of the pending deadline for smaller companies to comply with the auditor attestation requirement of Section 404 (beginning for fiscal years ending on or after December 15, 2009). Rebalancing Status: One Year Ago Versus Today Nearly three out of four organizations have achieved or moved beyond rebalancing, or have rebalancing underway or in the planning stages. This is very consistent with results from the 2008 and 2007 Rebalancing surveys. These results clearly show that even with the ongoing requirements for Sarbanes-Oxley compliance, most companies view rebalancing the internal audit department as a key priority to ensure the long-term effectiveness of the internal audit function in helping management and the board identify, manage, mitigate and monitor key risks. 2 Moving Internal Audit Back into Balance

5 Strategies: Current Versus Planned As in 2008, reducing the number of key controls and using a risk-based testing approach were the top two strategies, but percentages for both were down year-over-year. Reduction in number of key controls leads the strategies that organizations are currently employing, followed by use of a risk-based testing approach, greater reliance on internal auditors by external auditors and reduction in total population of controls. However, when comparing this year s results to those from 2008, there was a consistent decrease in the percentage of responses for each category. This may be a signal that some companies believe they have completed making adjustments in response to the SEC s and PCAOB s pronouncements, or be further indication of an apparent hesitancy among organizations to fully implement practices based on the SEC s interpretive guidance and PCAOB AS5. It also could mean that some organizations believe they have applied a top-down, risk-based approach, consistent with the SEC s guidance. Based on our experience, we believe many organizations with this point of view continue to rely heavily on manual financial reporting processes and controls. Activities as Part of Rebalancing Risk-based testing and rescoping workloads are the top rebalancing activities. Implement risk-based testing, added to the Rebalancing survey this year, ranked as the top activity, with two out of three organizations including this as part of their rebalancing efforts. Rescope workloads has ranked first or second in the past three studies. Also of note, just one in five respondents cited add additional resources this year, continuing a downward trend from 2005 (62 percent). Moving Internal Audit Back into Balance 3

6 Overview of Rebalancing Initiatives Current Status of Sarbanes-Oxley Compliance: Most in their Fourth Year or Beyond A majority of respondents are in or beyond their fourth year of Sarbanes-Oxley compliance, generally mirroring the compliance timeline since the act went into effect for large accelerated filers. Similar to the results from the 2008 Rebalancing study, among all respondents, a majority are at least in their fourth year of Sarbanes-Oxley compliance, and 40 percent are beyond the fourth year. Of note, there was a yearover-year increase in the number of organizations identifying themselves as in either the first year or pre-first year of compliance (22 percent this year versus 16 percent in 2008). This could be the result of the pending deadline that smaller companies or nonaccelerated filers, as defined by the SEC must comply with the auditor attestation requirement of Section 404 beginning in fiscal years ending on or after December 15, This group of companies includes those that underwent initial public offerings in Year of Sarbanes-Oxley Compliance Year of Sarbanes-Oxley Compliance 4 Beyond 4th year of compliance 2 4th year of compliance 16% Pre-1st year of compliance 11% 3rd year of compliance 6% 1st year of compliance 7% 2nd year of compliance 4 Moving Internal Audit Back into Balance

7 State of Rebalancing Most organizations recognize the importance of rebalancing their internal audit departments to focus more on traditional responsibilities. Respondents were asked the following two questions: One year ago, how would you have described your organization s efforts to rebalance internal audit priorities away from Sarbanes-Oxley compliance projects? Today, how would you describe your organization s efforts to rebalance internal audit priorities away from Sarbanes-Oxley compliance projects? Nearly three out of four organizations today 73 percent have achieved or moved beyond rebalancing, or have rebalancing underway or in the planning stages. This is very consistent with results from the 2008 and 2007 Rebalancing surveys. These results clearly show that even with the ongoing requirements for Sarbanes-Oxley compliance, most companies view rebalancing the internal audit department as a key priority to ensure the long-term effectiveness of the internal audit function in helping management and the board identify, manage, mitigate and monitor key risks. State of Rebalancing State of Rebalancing 4 One year ago Today 3 32% 27% 2 21% 12% 15% 15% 13% 17% 13% 6% 8% 7% 7% 7% Beyond rebalancing Rebalancing achieved Rebalancing underway Rebalancing planned Haven t started planning, but intend to rebalance Doesn t apply not yet under first year of S-O Act compliance Not intending to rebalance Moving Internal Audit Back into Balance 5

8 Overview of Rebalancing Initiatives (cont.) Making Progress Most organizations consistently report moderate progress in their rebalancing efforts. Over the past three years of the Rebalancing study, results on the progress of rebalancing efforts have been very consistent, with 71 percent to 73 percent of respondents reporting their rebalancing projects are making significant or moderate progress. Results related to expectations also have been consistent, with a growing number of respondents noting progress has met or exceeded them. These trends show that once an organization initiates rebalancing efforts, it is likely to achieve significant or moderate progress toward its goals in other words, there is a strong chance of success. Rebalancing Progress Made So Far: Rebalancing Three-Year Progress Comparison Made So Far (Base: Rebalancing Underway) (Base: Rebalancing Underway) % 56% 53% % 17% 18% 27% 26% 26% Significant Moderate Minimal 1% 3% None Expectations of Rebalancing Progress to Date: Three-Year Comparison Expectations of Rebalancing Progress to Date (Base: Rebalancing Underway) (Base: Rebalancing Underway) % 54% % % 36% 2 24% 11% 11% 5% 5% 5% Much less than expected Somewhat less than expected About the same as expected Somewhat more than expected 1% 1% 1% Much more than expected 6 Moving Internal Audit Back into Balance

9 Primary Benefits Consistent with previous years results, the top two benefits of rebalancing are having internal audit perform more traditional audits and achieving more appropriate coverage of risk. The top responses for 2009 internal audit being able to perform more traditional audits and more appropriate coverage of risk have been relatively consistent over the four years of the Rebalancing study. However, one notable change this year was a drop in the benefit of having reduced Section 404 and 302 compliance costs. While this may be unexpected to some given that the SEC s interpretive guidance and PCAOB AS5 were intended to facilitate a reduction in efforts and costs for reporting companies, some organizations were of the view that they were already applying a top-down, risk-based approach when the 2007 guidance was issued, while other companies may have the view that they have completed their implementation of the new guidance and standard. Again, significant reliance on manual financial reporting processes and controls can limit the potential benefits from implementing the SEC interpretive guidance and PCAOB AS5. Primary Benefit of Rebalancing: 4-Year Comparison Primary Benefit of Rebalancing: Four-Year Comparison (Base: All respondents except those not engaged in or planning rebalancing) (Base: All respondents except those not engaged in or planning rebalancing) Internal audit able to perform more traditional (operational and nonfinancial reporting-related) audits 18% 36% 35% 47% More appropriate coverage of risk 15% 25% 25% 29% Reduced Section 404 and 302 compliance costs 12% 15% 19% 18% 2005 Increased reliance by external auditors on work of internal audit (PCAOB AS5) Increased effectiveness and efficiency of operations Increased objectivity of the internal audit department Other No benefit 1% 3% 3% 5% 2% 1% 3% 3% 3% 2% 9% 7% 8% 8% 4% 7% 12% 13% 12% 5% 15% 2 25% 3 35% 4 45% 5 Moving Internal Audit Back into Balance 7

10 Overview of Rebalancing Initiatives (cont.) Key Activities by Organizations Seeking to Rebalance Risk-based testing and rescoping workloads stand out as the top rebalancing activities. Implement risk-based testing was added to the Rebalancing survey this year and ranked as the top activity, with two out of three organizations including it as part of their rebalancing efforts. Rescope workloads has ranked first or second in the past three studies. Both application of (PCAOB) AS5 by the company s external auditors and increase testing and reliance on monitoring controls were cited by half of respondents. Of note, the latter activity coincides with the recent release of the new COSO Monitoring Guidance, which further indicates the higher priority being placed on the monitoring of controls. Notable four-year trends in the findings for this category include the following: Nearly two out of three respondents 62 percent cited add additional resources in 2005, but just 22 percent did so in 2009, continuing a four-year decline for this rebalancing activity. Reallocate existing resources received approximately half of the response in 2005 and 2007, but just 32 percent in Rescope workload has increased over the past four years as a rebalancing activity, from 41 percent in 2005 to 65 percent this year. Key Rebalancing Activities Key Rebalancing Activities (Base: all respondents except those not engaged in or planning rebalancing) (Base: All respondents except those not engaged in or planning rebalancing) Implement risk-based testing*** 66% Rescope workload 65% Increase testing and reliance on monitoring controls*** Application of AS5 (vs. AS2) by the company s external auditors* 5 49% Conduct an enterprisewide risk assessment Automating more controls (moving more controls from manual to automated)*** Increased ownership by process owners** 39% 41% 45% Utilize more self-assessment and self-audits by process owners and executives Reallocate existing resources 34% 32% Company s effort in applying the SEC s interpretive guidance* Add additional resources Use third parties to complete certain work to assist in the rebalancing effort Create a separate risk and controls function to focus primarily on Section % 22% 21% 18% * Not applicable in 2005 and 2007 surveys ** Not included in 2005 survey *** Not included in previous surveys Other 2% Moving Internal Audit Back into Balance

11 Addressing IT Audits Respondents specifically were asked how IT audits not related to Sarbanes-Oxley compliance were being addressed as part of their rebalancing efforts. Consistent with last year, the most common response was no change. However, collectively over half of all respondents reported they are increasing IT audits when it comes to rebalancing efforts. This year s results show that technology remains an important part of the rebalancing process. Now that organizations have more experience with Sarbanes-Oxley, IT audit efforts might be shifting toward maintaining compliance efforts while also working to lower compliance costs and improve the balance of audit coverage for other areas of risk. Protiviti s 2009 Internal Audit Capabilities and Needs Survey supports the continued importance of technology as a critical enabler of virtually all business processes and helping organizations achieve objectives and address risks. 1 In this study, technology skills hold a prominent place in the need to improve category of general technical knowledge. The recent changes to The IIA Standards also corroborate the importance of technology audits. For example, IIA Standard 2110.A2 now includes the word must when providing guidance to internal audit in its role related to assessing IT governance. As organizations adopt the new and revised Standards as of January 1, 2009, we will monitor whether IT audits continue to hold an important role in rebalancing efforts, and it is quite possible the survey results for this category will change next year. IT (IT audits not IT related (IT audits to not Sarbanes-Oxley) related to Sarbanes-Oxley) Assessed Assessed as Part of as Part Rebalancing: of Rebalancing: Four-Year Comparison Four-Year Comparison (Base: All respondents except those not engaged in or planning rebalancing) (Base: All respondents except those not engaged in or planning rebalancing) % 41% 37% 31% % 25% 26% 26% % 12% 13% 15% 15% Increase(d) It audits >25% Increase(d) It audits 10-25% Increase(d) It audits < no change 4% 5% 4% decrease(d) It audits 3% 1 For more information, read Protiviti s 2009 Internal Audit Capabilities and Needs Survey, available at Moving Internal Audit Back into Balance 9

12 Overview of Rebalancing Initiatives (cont.) Sarbanes-Oxley Compliance Strategies as Part of Rebalancing Efforts As in 2008, reducing the number of key controls and using a risk-based testing approach were the top two strategies, but percentages for both were down year-over-year. Similar to last year, reduction in number of key controls leads the strategies organizations are currently employing, followed by use of a risk-based testing approach, greater reliance on internal auditors by external auditors and reduction in total population of controls. For each of these strategies, there also was a significant increase compared to the percentage of respondents who reported in 2008 that they were planning to employ it in the coming year. This shows that, in one sense, the SEC s interpretive guidance and PCAOB AS5 are having their intended effect. However, when comparing the current results with the prior year, there was a consistent decrease in the percentage of responses for each category in In last year s survey, for example, 47 percent of respondents reported they were currently reducing the number of key controls, versus 33 percent this year. For use of a risk-based testing approach, the 2008 currently response was 45 percent versus 30 percent this year, and for reduction in total population of controls the numbers were 43 percent versus 26 percent. These findings could be a further indication that some organizations have already taken steps to reduce their control populations, and thus no longer see a need to incorporate these specific strategies as part of their rebalancing efforts. However, it is also possible that some organizations have an apparent hesitancy in 2009 to implement practices based on the SEC s interpretive guidance as well as PCAOB AS5. This could be attributed to a more conservative approach in order to preserve the status quo. Also of note, increase in number of automated controls leads the strategies organizations are planning to employ in 2009, followed by use of data mining and analytics to better understand process performance, reduction in manual controls, increase in number of monitoring controls and consolidation of redundant IT platforms and systems. These strategies are key because, for many organizations, they represent the last frontier for improving the cost-effectiveness of financial reporting controls, reducing financial reporting risks and streamlining Sarbanes-Oxley compliance. The notable increase in focus on these strategies indicates that some organizations understand their importance in this regard. 10 Moving Internal Audit Back into Balance

13 Strategies: Current vs. Planned Strategies: Current vs. Planned reduction in number of key controls use of a risk-based testing approach* greater reliance on internal auditing by external auditors reduction in total population of controls tightening of overall scope centralization of common processes and functions Increase in testing within key risk areas reduction in number of in-scope locations** consolidation of redundant It platforms and systems Increase in number of monitoring controls accelerate timing of selected control tests** Increase in number of automated controls reduction in manual controls use of self-assessment techniques Improvement in quality and compression of time in business processes affecting financial reporting reduction of independent tests of controls use of data mining and analytics to increase understanding of process performance other** no specific strategies considered or employed** * Not included in 2007 survey ** Not included in 2007 and 2008 surveys don't know** 2% 2% 4% 4% 9% 11% 13% 14% 14% 12% 14% 14% 21% 18% 12% 16% 18% 11% 13% 18% 9% 11% 9% 15% 13% 15% 14% 14% 14% 13% 12% 14% 12% 18% 18% 14% 16% 16% 13% 13% 18% 19% 21% 2 23% 26% 25% 27% 3 33% currently Employing 2009 Planning to Employ 2009 Planning to Employ % 27% 29% 5% 15% 2 25% 3 35% Moving Internal Audit Back into Balance 11

14 Overview of Rebalancing Initiatives (cont.) Addressing IT Audits When asked what percentage of IT audits were related to Sarbanes-Oxley for each year of compliance, respondents reported that most IT auditing activity occurs in Years Two and Four. Organizations continue to express that these audits do not have a prominent role in the first year of Sarbanes-Oxley compliance, even though their importance increases significantly in Year One when compared to the precompliance period. As organizations become more experienced with Sarbanes-Oxley, they come to realize the important role IT plays in managing related risks and processes. More than 60 percent of respondents whose organizations are beyond Year Four reported that they spend at least 20 percent of their time on IT audits. This is consistent with the 2008 study. Over the years, organizations have acknowledged the benefits of automating internal controls: increased reliability, lower error rates, and less time and effort required to test compared to manual controls. The bottom line is that technology, when used appropriately, improves risk coverage and test results, leading to an improved internal control environment and effective compliance strategy. This is in line with the intention of the SEC s interpretive guidance and PCAOB AS5. As noted earlier (see page 9), changes this year to IIA Standard 2110.A2, which states that internal audit functions must assess IT governance, reinforce the importance of technology audits. In next year s Rebalancing survey, there may be notable changes in the results for this category. Beyond 4 th year of compliance 4 th year of compliance 3 rd year of compliance 2 nd year of compliance 1 st year of compliance Pre-1 st year of compliance IT Audits Related to SOX Compliance Percentage of IT Audits Related to Sarbanes-Oxley Compliance 3% 4% 5% 4% 6% 5% 5% 4% 9% 9% 9% 9% 9% 9% 11% 13% 13% 12% 13% 13% 13% 17% 13% 17% 13% 13% 16% 23% 18% 21% 18% 18% 23% 26% 25% 29% % 35% Don t know None < 10-19% 20-49% 50-75% >75% 52% 12 Moving Internal Audit Back into Balance

15 Primary Ownership Internal audit owns the rebalancing process in most organizations. A review of Rebalancing survey results over the past three years shows that internal audit departments consistently have primary ownership of rebalancing activities in their organizations. This year, in fact, there was an even larger gap between internal audit and other business owners in the organization. Respondents also were asked to indicate, in terms of rebalancing efforts, the level of involvement of different groups and individuals in the organization. More than half reported that executive management, the audit committee, management and/or process owners, and the external auditor are involved to a significant or moderate extent. Primary Ownership for Rebalancing: Three-Year Primary Comparison Ownership of Rebalancing (Base: Beyond Rebalancing, Rebalancing (Base: Beyond Achieved, Rebalancing, Underway, Rebalancing Planned and Achieved, Intended) Underway, Planned and Intended) % 69% % Internal audit staff 7% 7% 5% Executive management 14% Management 6% 3% 9% 6% 8% Audit committee Other 12% 4% 5% 3% 3% 3% No one primary owner Don t know Moving Internal Audit Back into Balance 13

16 Impact of SEC s Interpretive Guidance and PCAOB AS5 Similar to results from the 2008 Rebalancing study, this year s response shows a continued positive impact as a result of PCAOB AS5 and the SEC s interpretive guidance for Section 404. However, across all sections in this category of the study, there is a noticeable decrease in the positive impact responses compared to These findings are interesting given that guidance from both organizations was intended to increase the emphasis on applying a top-down, risk-based approach and enable organizations to reduce the time and costs required for compliance. It also would be expected that rebalancing efforts would be sustained. Rebalancing Efforts Efforts have decreased, but less so than in While nearly 40 percent of respondents reported that the impact of the SEC s interpretive guidance is enabling them to increase rebalancing efforts significantly or moderately, the cumulative increase figures dropped from 60 percent in Similarly, while 56 percent of respondents last year said that, as a result of PCAOB AS5, they were increasing rebalancing Impact activities of SEC s significantly Interpretive or Guidance moderately, on Rebalancing the response dropped to 44 percent this year. Impact of SEC s Interpretive Guidance on Rebalancing: Two-Year Comparison % 14% Significantly increased rebalancing efforts 32% 46% Impact of PCAOB AS5 (vs. AS2) on Rebalancing Moderately increased rebalancing efforts 61% % No change 1% 3% Moderately decreased rebalancing efforts Impact of PCAOB AS5 (vs. AS2) on Rebalancing: Two-Year Comparison % 52% 42% % 14% Significantly increased rebalancing efforts Moderately increased rebalancing efforts No change 4% 4% Moderately decreased rebalancing efforts 1% *Sign decr rebalanc 14 Moving Internal Audit Back into Balance

17 Changes in Efforts/Hours Organizations are being more conservative in reducing hours and activities. A large percentage of respondents reported that as a result of the SEC s interpretive guidance and PCAOB AS5, external audit hours have decreased, as have the hours required of other external and internal resources. However, these charts do illustrate slight drops in the percentages of decrease in all three categories. For example, this year a combined 40 percent of respondents reported a decrease in external audit hours as a result of the SEC s guidance, whereas 50 percent reported such a decrease in Similar changes are evident in the other two categories. We will continue to monitor these trends and determine why these changes might be occurring. Changes in Efforts/Hours SEC s Interpretive Guidance SEC s Interpretive Guidance Change in External Audit Efforts (Hours) Between the Year in Effect and the SEC s Prior Interpretive Year: Two-Year Guidance: Comparison Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year 6 55% 5 49% % 2 16% 18% 2 4% 6% Decreased >25% Decreased 10-25% Decreased < No change 5% 1% Increased Moving Internal Audit Back into Balance 15

18 Impact of SEC s Interpretive Guidance and PCAOB AS5 (cont.) SEC s Interpretive Guidance: Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year SEC s Interpretive Guidance Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison % 4 44% % 15% 17% 17% 14% 11% 5% Decreased >25% Decreased 10-25% Decreased < No change Increased SEC s Interpretive Guidance: Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year SEC s Interpretive Guidance Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison % 12% 8% 14% Decreased >25% Decreased 10-25% Decreased < No change 4% 4% Increased 16 Moving Internal Audit Back into Balance

19 Are Companies Failing to Take Full Advantage of Revised Regulations? This year s findings that suggest a diminished positive impact of PCAOB AS5 and the SEC s interpretive guidance on Section 404 are worth further commentary. Both of these standards relaxed previously stringent guidelines for companies and external auditors with regard to establishing and attesting to internal control over financial reporting, as mandated by Section 404. Among the new guidance from each of these regulatory bodies were opportunities to rely more heavily on the work of others, such as the internal audit function. For example, as detailed in Protiviti s Guide to Internal Audit: Frequently Asked Questions About Developing an Effective Internal Audit Function: The PCAOB encourages greater use of the work of others in AS5 by requiring auditors to (1) understand the relevant activities of others and determine how the results of that work may affect his or her audit, and (2) evaluate whether and how to use their work to reduce audit testing. There is no reason why the external auditor should not do this, particularly if an effectively functioning internal audit function is in place. AS5 emphasizes the importance of assessing the competency and objectivity of the persons who the (external) auditor plans to use to determine the extent to which the (external) auditor may use their work. The higher degree of competence and objectivity, the greater use the (external) auditor may make of the work. The guidance included in AS5 applies the principles in AU 322 to focus the auditor s use of the work of others more specifically on altering the nature, timing and extent of the external auditor s work than otherwise would have been performed to test the operating effectiveness of controls as part of an integrated audit of the financial statements and internal control over financial reporting (ICFR). The basic premise of AS5 is that the external auditor may use work performed by, or receive assistance from, internal auditors, other company personnel (in addition to internal auditors) and third parties working under the direction of management or the audit committee that provides evidence about ICFR effectiveness. In assessing the results from this year s Rebalancing study, it is possible that some companies are being too conservative. There could be a variety of reasons at play to explain why, among them: If it isn t broken, don t fix it Without question, achieving Sarbanes-Oxley compliance was an engrossing and time-consuming process for most reporting companies. Many failed to plan properly or begin their compliance efforts early enough, resulting in organizational fire drills. It is possible that as a result of these trials and tribulations, some companies may have little appetite to rescope workloads or otherwise change processes that currently have them in compliance. This, of course, defeats the purpose of the SEC s guidance and AS5. We have also seen circumstances where managers responsible for Sarbanes-Oxley compliance are rewarded for compliance and not for cost-effectiveness; therefore, there is little incentive for them to alter the status quo. Law of diminishing returns We see many companies continuing to rely heavily on manual processes and controls. The SEC interpretive guidance and PCAOB AS5 can only take a company and its auditors so far until the process reaches the point where there is a declining impact from applying the SEC guidance and the PCAOB standard. There is a strong linkage between (a) improving process quality, time and cost performance, and (b) strengthening the effectiveness of ICFR. A simple, more streamlined and automated process is easier to control than a complex, cumbersome and manual one. Many companies continue to have opportunities to improve their process performance by building in (versus inspecting in) quality, reducing costs and compressing time within their processes and all of this while simultaneously reducing financial reporting risks and the costs of Sarbanes-Oxley compliance. Still figuring it out The difference between this year s results and last year s could be a reflection of companies still determining exactly where and how to achieve time and cost savings by rescoping workloads, reducing controls (key and total number) and increasing their rebalancing efforts. If this year s results indicate a swing back as companies, through trial and error, continue to define how to accomplish these objectives, we might expect higher positive impact responses in the 2010 Rebalancing survey. Moving Internal Audit Back into Balance 17

20 Impact of SEC s Interpretive Guidance and PCAOB AS5 (cont.) Changes in Efforts/Hours (cont.) Changes in Efforts/Hours PCAOB AS5 PCAOB AS5 Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior PCAOB Year: AS5: Two-Year Comparison Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year 5 48% % 35% % 23% 25% 5% 8% Decreased >25% Decreased 10-25% Decreased < No change 3% 2% Increased Are Companies Failing to Take Full Advantage of Revised Regulations? (cont.) More small companies beginning the compliance process Beginning for fiscal years ending on or after December 15, 2009, nonaccelerated filers must comply with the auditor attestation requirement of Section 404. It is possible that this year s results reflect the fact that 7 percent of respondents are in the smaller public company category and would not be initiating rebalancing or other cost- and time-saving activities as of yet. Lack of knowledge Despite the SEC s and PCAOB s well-publicized announcements of their respective actions in 2007, it could be that many companies are not fully aware of these new guidelines and the potential opportunities to reduce time and costs involved with compliance. It could be expected in most cases that the external auditor would provide such knowledge; however, there could be some hesitancy among the auditors to leverage the revised guidelines, which could be attributable to custom and habit, the perceived reporting risks, or lack of support for certain AS5 principles such as the use of the work of others to ascertain the effectiveness of an organization s ICFR. Regardless of the reasons, the bottom line is that it behooves any company to acquire a full understanding of the SEC s interpretive guidance and PCAOB AS5, and to talk to its external auditor about activities internal audit and other departments can perform to assist in the ICFR attestation process. 18 Moving Internal Audit Back into Balance

21 PCAOB AS5 Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior PCAOB Year: AS5: Two-Year Comparison Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year % % 17% 17% 17% 19% 15% 15% 5% Decreased >25% Decreased 10-25% Decreased < No change Increased PCAOB AS5 Change in Use of External Resources (Hours) Between the Year in Effect and the Prior PCAOB Year: AS5: Two-Year Comparison Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year 7 67% 6 59% % 11% 14% 12% Decreased >25% Decreased 10-25% Decreased < No change 4% 4% Increased Moving Internal Audit Back into Balance 19

22 Impact of SEC s Interpretive Guidance and PCAOB AS5 (cont.) Quantity and Scope of Processes and Controls Decreases were reported, but not as much as in Respondents were asked about the impact of the SEC s guidance on numerous compliance-related processes and controls in the organization. They also were asked about the impact of the application of PCAOB AS5 by their external auditors on these same processes and controls. Similar to 2008, there are several positive trends, including a majority of respondents reporting decreases in key controls and total controls documented and tested. However, in most compliance-related process and control categories, the percentage of decreased Impact of SEC s Interpretive Guidance responses dropped compared to 2008, while the increased response percentages rose year-over-year. (Base: all respondents ) Impact of SEC s Interpretive Guidance: Two-Year Comparison 2009 Decreased No Change Increased 2008 Decreased No Change Increased 2009 Number of key controls documented and tested 2008 Number of key controls documented and tested 6 35% 5% 75% 23% 2% 2009 Number of total controls documented and tested 2008 Number of total controls documented and tested 56% 39% 5% 68% 3 2% 2009 Number of key in-scope processes 2008 Number of key in-scope processes 45% 5 5% 58% 4 2% 2009 Number of total risks identified 2008 Number of total risks identified 44% 5 6% 58% 38% 4% 2009 Number of in-scope locations 2008 Number of in-scope locations 24% 7 6% 36% 61% 3% 2009 Use of a risk-based testing approach 2008 Use of a risk-based testing approach 15% 5 35% 18% 41% 41% 2009 Increased reliance on monitoring and/or entity-level controls 2008 Increased reliance on monitoring and/or entity-level controls 15% 56% 29% 17% 41% 42% 2009 Reliance on the work of others by the external auditor 2008 Reliance on the work of others by the external auditor 15% 47% 38% 14% 4 46% *2009 Increased reliance on self-assessment techniques 9% 75% 16% * Not included in 2008 survey Moving Internal Audit Back into Balance

23 The Importance of Understanding Risk The real key in Year Four and beyond of Sarbanes-Oxley compliance is how to keep things fresh and keep people vigilant. The recent financial collapse of so many companies shows that Sarbanes-Oxley was not the be all and end all to prevent loss of shareholder wealth. While companies were spending significant time and money ensuring things were recorded properly, they lost sight of the business risks that could bring down a company or an industry, wiping out billions of dollars in shareholder wealth in the process. The real key for investors (and employees) is around understanding risk: What are the risks? Are they independent or dependent? If they are dependent, what are they dependent on? How can they impact the company? What is the magnitude and likelihood? Are they being monitored properly? This is where internal audit can best assist the audit committee and management, and where we must strengthen our skill set as a profession hence the importance to rebalance resources. Without understanding risk, we can be auditing the wrong areas at the wrong time. The bottom line is that businesses face far greater risks today than Sarbanes-Oxley, and internal audit must not only rebalance but also retool to meet the current requirements. There is going to be a sea change in internal audit, and each of us has a choice be ready, willing and able, or become obsolete. Impact of PCAOB AS5 (Base: all respondents ) Larry Harrington, Vice President, Internal Audit, Raytheon Company Impact of PCAOB AS5: Two-Year Comparison 2009 Decreased No Change Increased 2008 Decreased No Change Increased 2009 Number of key controls documented and tested 2008 Number of key controls documented and tested 55% 4 5% 64% 34% 2% 2009 Number of total controls documented and tested 2008 Number of total controls documented and tested 51% 44% 5% 6 39% 1% 2009 Number of total risks identified 2008 Number of total risks identified 39% 57% 4% 53% 46% 1% 2009 Number of key in-scope processes 2008 Number of key in-scope processes 42% 54% 4% 51% 48% 1% 2009 Number of in-scope locations 2008 Number of in-scope locations 24% 72% 4% 36% 62% 2% 2009 Use of a risk-based testing approach 2008 Use of a risk-based testing approach 12% 53% 35% 17% 44% 39% 2009 Increased reliance on monitoring and/or entity-level controls 2008 Increased reliance on monitoring and/or entity-level controls 12% 56% 32% 16% 45% 39% 2009 Reliance on the work of others by the external auditor 2008 Reliance on the work of others by the external auditor 48% 42% 15% 38% 47% *2009 Increased reliance on self-assessment techniques 7% 16% 77% * Not included in 2008 survey Moving Internal Audit Back into Balance 21

24 Impact of Rebalancing Initiatives Internal Audit Responsibilities in Sarbanes-Oxley Compliance Lead responsibility remains the most common role for internal audit. Findings regarding internal audit s role in Sarbanes-Oxley compliance have been consistent over the course of the Rebalancing studies. Of note, control design evaluation and testing of operational effectiveness decreases with each year of compliance, as do serving as members of compliance teams and steering committees, and developer of documentation. This could indicate that process owners are taking more direct ownership and responsibility for their processes and controls, as permitted under PCAOB AS5. (Please note that in the interest of simplicity, the chart below illustrates internal audit s primary roles in the first year of Sarbanes-Oxley compliance and beyond the fourth year of compliance. Percentages of responses for Years Two to Four consistently fall in the gap between these two trend lines.) Internal Audit Primary Roles Internal Audit Primary Roles 35% 3 25% 1st year of compliance Beyond 4th year of compliance 2 15% 5% Control design evaluation and testing of operational effectiveness Lead responsibility Member of compliance team/steering committee Developer of documentation Advisor to compliance team/steering committee Limited to testing of operational effectiveness Limited to control design evaluation None Don t know Other 22 Moving Internal Audit Back into Balance

25 Allocating Internal Audit Efforts for COSO Internal Control Objectives Consistent with the past three surveys, reliability of financial reporting remains the top COSO objective of focus for internal audit activities. The continued concentration on reliability of financial reporting is an interesting trend given that one in three respondents reported that they had achieved rebalancing or were beyond rebalancing. Remember, the purpose of rebalancing is to move internal audit activities away from Sarbanes-Oxley compliance toward broader coverage of the COSO framework. We would expect these rebalanced, or soon to be rebalanced, internal audit organizations to have established a better balance among all aspects of the COSO model by now. Organizations also should be aware that the internal audit landscape is changing. According to The IIA, financial reporting is only part of the internal control picture. As of January 1, 2009, the internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach (Standard 2100). Another Standard (2120.A1) notes that internal audit must evaluate risk exposures regarding reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations and contracts. Internal Audit Efforts Internal Allocated Audit Efforts Against Allocated COSO Objectives Against COSO of Internal Objectives Control of Internal Control st year of compliance 2nd year of compliance 3rd year of compliance 4th year of compliance Beyond 4th year of compliance 3 2 Effectiveness and efficiency of operations Reliability of financial reporting (including Sarbanes-Oxley compliance) Compliance with applicable laws and regulations Safeguarding of assets Note: Chart does not include Other and Don t know responses. Moving Internal Audit Back into Balance 23

26 Impact of Rebalancing Initiatives (cont.) Rebalancing the Skills Gap While down slightly from the 2008 results, a substantial percentage of this year s respondents perceive a significant or moderate skills gap among Sarbanes-Oxley-experienced auditors for other internal audit projects. Survey participants were asked to what extent there is a skills gap in their organizations among Sarbanes-Oxleyexperienced auditors for other internal audit projects, such as operational and nonfinancial reporting audits. Four out of 10 respondents perceive either a significant or moderate gap. This is consistent with Protiviti s Internal Audit Capabilities and Needs Survey. 2 Over the past three years, this study has identified traditional internal audit skills such as enterprise risk management and fraud risk management as competencies most in need of improvement. One troubling finding in this category is the 17 percent Don t know response. The revised IIA Standards (which became effective in January 2009) require the CAE to report any resource constraints to management and the board of directors. More definitive results in this category of the survey would be expected in light of this Standard, as there should not be a lack of knowledge about skills within the internal audit function. Also of note, 43 percent of respondents reported there is no skills gap in their departments with regard to Sarbanes-Oxley auditors performing other types of internal audit activities. Perceived or Real Skills Gap Sarbanes-Oxley-Experienced Auditors for Other Prerceived Internal or Audit Real Projects: Skills Gap: Two-Year Sarbanes-Oxley-Experienced Comparison Auditors for Other IA Projects (Base: All respondents) No skills gap 43% 49% Moderate skills gap 31% 36% Significant skills gap 9% 8% 2009 Don t know 7% 17% % 15% 2 25% 3 35% 4 45% 5 2 For more information, read Protiviti s 2009 Internal Audit Capabilities and Needs Survey, available at 24 Moving Internal Audit Back into Balance

27 Changes to The IIA Standards On January 1, 2009, The IIA formally released its revised International Professional Practices Framework, which includes revisions to the organization s International Standards for the Professional Practice of Internal Auditing. Key changes to the Standards include the following: Six new Standards have been added. In virtually all of the Standards, The IIA has revised its wording, replacing should with must. Additional requirements have been added to existing Standards. Interpretations have been added, incorporating components that previously were part of The IIA s practice advisories. With the change from should to must in most of the Standards and the addition of six new Standards, internal audit functions must take action to achieve or remain in compliance. For some, only minimal adjustments may be necessary. For others, however, there may be a need for substantial changes to their internal audit plans and structures. Without question, the internal audit rebalancing activities of organizations could be among the many areas affected by the new and revised Standards. Of particular note, IT governance and fraud risk management are key areas The IIA addresses in all-new Standards. We plan to monitor and report on key trends related to the Standards in next year s Rebalancing survey report. Internal Audit Staffing, Hours and Budget Allocations During Year One of Sarbanes-Oxley, most internal audit departments spend a majority of their time on compliancerelated activities. This year s results are consistent with previous Rebalancing surveys. After Year Two, there is a relative level of consistency in internal audit hours dedicated to Sarbanes-Oxley compliance, indicating that internal audit departments are planning or implementing rebalancing efforts to address more traditional responsibilities. Internal Audit Hours Dedicated to Each Year of Sarbanes-Oxley Compliance Internal Audit Hours Dedicated to Each Year of Sarbanes-Oxley Compliance st year of compliance 2nd year of compliance 3rd year of compliance 4th year of compliance Beyond 4th year of compliance 2 > 75% 50-75% 20-49% 10-19% < None Don t know Moving Internal Audit Back into Balance 25

2010 Sarbanes-Oxley Compliance Survey. Where U.S.-Listed Companies Stand: Reviewing Cost, Time, Effort and Processes

2010 Sarbanes-Oxley Compliance Survey. Where U.S.-Listed Companies Stand: Reviewing Cost, Time, Effort and Processes 2010 Sarbanes-Oxley Compliance Survey Where U.S.-Listed Companies Stand: Reviewing Cost, Time, Effort and Processes Table of Contents Introduction... 1 Executive Summary... 2 I. Current State of Sarbanes-Oxley

More information

Survey of more than 1,500 Auditors Concludes that Audit Professionals are Not Maximizing Use of Available Audit Technology

Survey of more than 1,500 Auditors Concludes that Audit Professionals are Not Maximizing Use of Available Audit Technology Survey of more than 1,500 Auditors Concludes that Audit Professionals are Not Maximizing Use of Available Audit Technology Key findings from the survey include: while audit software tools have been available

More information

Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and J-SOX

Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and J-SOX FLASH REPORT Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and On February 15, 2007, the Business Accounting Council of the

More information

Internal Audit Practice Guide

Internal Audit Practice Guide Internal Audit Practice Guide Continuous Auditing Office of the Comptroller General, Internal Audit Sector May 2010 Table of Contents Purpose...1 Background...1 Definitions...2 Continuous Auditing Professional

More information

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall

More information

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director High Value Audits: An Update on Information Technology Auditing Robert B. Hirth Jr., Managing Director The technology landscape and its impact on internal audit Technology is playing an ever-growing role

More information

SHARED SERVICES. An Enabler for Managing Risk. Steve Tracy, Principal Consultant, ISG. www.isg-one.com

SHARED SERVICES. An Enabler for Managing Risk. Steve Tracy, Principal Consultant, ISG. www.isg-one.com SHARED SERVICES An Enabler for Managing Risk Steve Tracy, Principal Consultant, ISG www.isg-one.com INTRODUCTION During the last few years, companies have become increasingly focused on the need for effective

More information

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational risk is not new. In fact, it is the first risk that banks must manage, even before they make their first

More information

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition 1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction... 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley...

More information

Internal Auditing Guidelines

Internal Auditing Guidelines Internal Auditing Guidelines Recommendations on Internal Auditing for Lottery Operators Issued by the WLA Security and Risk Management Committee V1.0, March 2007 The WLA Internal Auditing Guidelines may

More information

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,

More information

FINANCIAL SERVICES FLASH REPORT

FINANCIAL SERVICES FLASH REPORT FINANCIAL SERVICES FLASH REPORT OCC Finalizes Its Heightened Standards for Large Financial Institutions September 15, 2014 Transforming Heightened Expectations to Minimum Standards On September 2, 2014,

More information

Auditing Standard 5- Effective and Efficient SOX Compliance

Auditing Standard 5- Effective and Efficient SOX Compliance Auditing Standard 5- Effective and Efficient SOX Compliance September 6, 2007 Presented to: The Dallas Chapter of the Institute of Internal Auditors These slides are incomplete without the benefit of the

More information

The Role of the Board in Enterprise Risk Management

The Role of the Board in Enterprise Risk Management Enterprise Risk The Role of the Board in Enterprise Risk Management The board of directors plays an essential role in ensuring that an effective ERM program is in place. Governance, policy, and assurance

More information

An overview of COSO s 2013 Internal Control-Integrated Framework

An overview of COSO s 2013 Internal Control-Integrated Framework An overview of COSO s 2013 Internal Control-Integrated Framework Prepared by: Sara Lord, Partner, National Professional Standards Group, McGladrey LLP sara.lord@mcgladrey.com May 2013 Introduction In 1992,

More information

The Role of Internal Audit in Risk Governance

The Role of Internal Audit in Risk Governance The Role of Internal Audit in Risk Governance How Organizations Are Positioning the Internal Audit Function to Support Their Approach to Risk Management Executive summary Risk is inherent in running any

More information

Agile Technology Controls for Startups a Contradiction in Terms or a Real Opportunity?

Agile Technology Controls for Startups a Contradiction in Terms or a Real Opportunity? Agile Technology Controls for Startups a Contradiction in Terms or a Real Opportunity? Implementing Dynamic, Flexible and Continuously Optimized IT General Controls POWERFUL INSIGHTS Issue It s not a secret

More information

Guide to Internal Control Over Financial Reporting

Guide to Internal Control Over Financial Reporting Guide to Internal Control Over Financial Reporting The Center for Audit Quality prepared this Guide to provide an overview for the general public of internal control over financial reporting ( ICFR ).

More information

Impact of New Internal Control Frameworks

Impact of New Internal Control Frameworks Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com

More information

Internal Auditing is an Asset for Small Companies as well as Large Ones

Internal Auditing is an Asset for Small Companies as well as Large Ones Internal Auditing is an Asset for Small Companies as well as Large Ones The term internal audit usually inspires two immediate responses. The first is fear: Is something wrong in our organization? Have

More information

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Overview In late 2006 and 2007, Protiviti commissioned a study to gauge the fraud risk management (FRM)

More information

A SOX2007.com White Paper

A SOX2007.com White Paper A SOX2007.com White Paper SOX 404 and Small Companies: A Cost Effective Approach to 2007 Compliance Background The Sarbanes-Oxley Act (SOX) was passed by Congress in July 2002 to address corporate mismanagement

More information

The Impact of the SarbanesOxley Act and Similar Legislation: Lessons Learned and Considerations for the Future

The Impact of the SarbanesOxley Act and Similar Legislation: Lessons Learned and Considerations for the Future The Impact of the SarbanesOxley Act and Similar Legislation: Lessons Learned and Considerations for the Future Protiviti, together with the input of the Singapore Accountancy Commission, has developed

More information

Audit of the Test of Design of Entity-Level Controls

Audit of the Test of Design of Entity-Level Controls Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents

More information

Internal Control Strategies. A Mid to Small Business Guide

Internal Control Strategies. A Mid to Small Business Guide Brochure More information from http://www.researchandmarkets.com/reports/2325460/ Internal Control Strategies. A Mid to Small Business Guide Description: Praise for Internal Control Strategies A Mid to

More information

Guide to the Sarbanes-Oxley Act:

Guide to the Sarbanes-Oxley Act: Guide to the Sarbanes-Oxley Act: internal Control Reporting Requirements Frequently Asked Questions Regarding Section 404 Fourth Edition Table of Contents Page No. Introduction... 1 Applicability of Section

More information

[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06]

[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] SECURITIES AND EXCHANGE COMMISSION 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting

More information

Continuous Monitoring and Auditing: What is the difference? By John Verver, ACL Services Ltd.

Continuous Monitoring and Auditing: What is the difference? By John Verver, ACL Services Ltd. Continuous Monitoring and Auditing: What is the difference? By John Verver, ACL Services Ltd. Call them the twin peaks of continuity continuous auditing and continuous monitoring. There are certainly similarities

More information

SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners

SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners The Institute of Internal Auditors

More information

The Committee of Sponsoring Organizations of the Treadway Commission

The Committee of Sponsoring Organizations of the Treadway Commission The Committee of Sponsoring Organizations of the Treadway Commission Request for Proposal to Develop Additional Application Guidance on Monitoring, Including Tools and Techniques October 17, 2006 The Committee

More information

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued

More information

Sarbanes-Oxley Control Transformation Through Automation

Sarbanes-Oxley Control Transformation Through Automation Sarbanes-Oxley Control Transformation Through Automation An Executive White Paper By BLUE LANCE, Inc. Where have we been? Where are we going? BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT New Internal Control Requirements for Companies with Operations in India November 9, 2015 In the aftermath of major global financial frauds, several countries enacted legislation

More information

Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations

Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Key Areas for Improvement Include Compliance, Information Security, Social Media and Quality Assurance INTRODUCTION Historic

More information

Guide to Internal Audit

Guide to Internal Audit Guide to Internal Audit Frequently Asked Questions About Developing and Maintaining an Effective Internal Audit Function Second Edition Table of Contents Introduction... 1 The Internal Audit Profession...

More information

Audit of the Policy on Internal Control Implementation

Audit of the Policy on Internal Control Implementation Audit of the Policy on Internal Control Implementation Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada February 18, 2013 1 TABLE OF

More information

FPO. 2012 Internal Audit Capabilities and Needs Survey. 1 2012 Internal Audit Capabilities and Needs Survey

FPO. 2012 Internal Audit Capabilities and Needs Survey. 1 2012 Internal Audit Capabilities and Needs Survey FPO 2012 Internal Audit Capabilities and Needs Survey 1 2012 Internal Audit Capabilities and Needs Survey Introduction Technology is crucial to administering and managing the audit process from the beginning

More information

Sarbanes-Oxley Compliance Workbook. From Zero to SOX. Sarbanes-Oxley Compliance Workbook. sensiba san filippo www.ssfllp.com sox@ssfllp.

Sarbanes-Oxley Compliance Workbook. From Zero to SOX. Sarbanes-Oxley Compliance Workbook. sensiba san filippo www.ssfllp.com sox@ssfllp. From Zero to SOX Zero to SOX An Overview The goals of a program to meet SOX 404 requirements go far beyond compliance. The process of building a sustainable, comprehensive internal control environment

More information

Capital Asset Management Framework. Overview

Capital Asset Management Framework. Overview Capital Asset Management Framework Overview Introduction Table of Contents Introduction 1 The Framework 2 Guiding Principles, Guidelines & Tools 3 Conclusion 6 Appendix The Capital Process 7 The government

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Revised: October 2012 i Table of contents Attribute Standards... 3 1000 Purpose, Authority, and Responsibility...

More information

IIA Position Paper: THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL

IIA Position Paper: THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL IIA Position Paper: THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL JANUARY 2013 TABLE OF CONTENTS Introduction... 1 Before the Three Lines: Risk Management Oversight and Strategy-Setting...

More information

CONTINUOUS CONTROLS MONITORING

CONTINUOUS CONTROLS MONITORING Clarity. Certainty. Confidence. CONTINUOUS CONTROLS MONITORING Support Regulatory Compliance Improve Cost Management Drive Operational Performance Executives today are more challenged than ever to make

More information

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Introduction to the International Standards Internal auditing is conducted in diverse legal and cultural environments;

More information

Industry Sound Practices for Financial and Accounting Controls at Financial Institutions

Industry Sound Practices for Financial and Accounting Controls at Financial Institutions Industry Sound Practices for Financial and Accounting Controls at Financial Institutions Federal Reserve Bank of New York January 2006 FINANCIAL AND ACCOUNTING CONTROLS: INDUSTRY SOUND PRACTICES FOR FINANCIAL

More information

FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, 2012. Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund

FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, 2012. Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, 2012 Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund There are different risk assessments prepared: Annual risk assessment

More information

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers Sarbanes-Oxley Section 404: Compliance s for Foreign Private Issuers Table of Contents Requirements of the Act.............................................................. 1 Accelerated Filer s...........................................................

More information

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT REPORT JUNE 2010 TABLE OF CONTENTS EXCUTIVE SUMMARY... 3 1 INTRODUCTION... 5 1.1 AUDIT OBJECTIVE. 5 1.2 SCOPE...5 1.3 SUMMARY

More information

Sarbanes-Oxley (SOX) The Migration from Project to Process. Practical Actions for Getting Started. Jim DeLoach, Managing Director.

Sarbanes-Oxley (SOX) The Migration from Project to Process. Practical Actions for Getting Started. Jim DeLoach, Managing Director. Sarbanes-Oxley (SOX) The Migration from Project to Process Practical Actions for Getting Started Jim DeLoach, Managing Director November 7, 2006 The Results So Far? Source: AuditAnalytics.com May 2006

More information

Transforming risk management into a competitive advantage kpmg.com

Transforming risk management into a competitive advantage kpmg.com INSURANCE RISK MANAGEMENT ADVISORY SOLUTIONS Transforming risk management into a competitive advantage kpmg.com 2 Transforming risk management into a competitive advantage Assessing risk. Building value.

More information

Operational Risk Management Takes Hold

Operational Risk Management Takes Hold Operational Risk Management Takes Hold Findings from the Global Financial Services Industry Operational Risk Survey Conducted by Protiviti and Operational Risk Magazine TABLE OF CONTENTS Survey Demographics...2

More information

Control Self-Assessment. The Future of Store Audits in Retail Stores

Control Self-Assessment. The Future of Store Audits in Retail Stores Control Self-Assessment The Future of Store Audits in Retail Stores Introduction According to the 2003 National Retail Security Survey, produced by Richard Hollinger at the University of Florida, retailers

More information

Priorities for Internal Auditors in U.S. Healthcare Provider Organizations. Chief Concerns Include Cybersecurity, Regulatory Compliance and Fraud

Priorities for Internal Auditors in U.S. Healthcare Provider Organizations. Chief Concerns Include Cybersecurity, Regulatory Compliance and Fraud Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Chief Concerns Include Cybersecurity, Regulatory Compliance and Fraud INTRODUCTION Technology is a double-edged sword. From an

More information

RSA ARCHER AUDIT MANAGEMENT

RSA ARCHER AUDIT MANAGEMENT RSA ARCHER AUDIT MANAGEMENT Solution Overview INRODUCTION AT A GLANCE Align audit plans with your organization s risk profile and business objectives Manage audit planning, prioritization, staffing, procedures

More information

Sarbanes-Oxley Compliance: Section 404-Past, Present, and Future

Sarbanes-Oxley Compliance: Section 404-Past, Present, and Future Sarbanes-Oxley Compliance: Section 404-Past, Present, and Future BADM 590/395 IT Governance MS1 Professor Michael Shaw Submitted by: Amy Smith BA in MIS University of Illinois at Urbana-Champaign Smith

More information

Practice guide. quality assurance and IMProVeMeNt PrograM

Practice guide. quality assurance and IMProVeMeNt PrograM Practice guide quality assurance and IMProVeMeNt PrograM MarCh 2012 Table of Contents Executive Summary... 1 Introduction... 2 What is Quality?... 2 Quality in Internal Audit... 2 Conformance or Compliance?...

More information

STAFF AUDIT PRACTICE ALERT NO. 11 CONSIDERATIONS FOR AUDITS OF INTERNAL CONTROL OVER FINANCIAL REPORTING. October 24, 2013

STAFF AUDIT PRACTICE ALERT NO. 11 CONSIDERATIONS FOR AUDITS OF INTERNAL CONTROL OVER FINANCIAL REPORTING. October 24, 2013 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org STAFF AUDIT PRACTICE ALERT NO. 11 CONSIDERATIONS FOR AUDITS OF INTERNAL CONTROL OVER FINANCIAL

More information

Establishing a Quality Assurance and Improvement Program

Establishing a Quality Assurance and Improvement Program Chapter 2 Establishing a Quality Assurance and Improvement Program O v e rv i e w IIA Practice Guide, Quality Assurance and Improvement Program, states that Quality should be built in to, and not on to,

More information

Building Value in Your SOX Compliance Program. Highlights from Protiviti s 2013 Sarbanes-Oxley Compliance Survey

Building Value in Your SOX Compliance Program. Highlights from Protiviti s 2013 Sarbanes-Oxley Compliance Survey Building Value in Your SOX Compliance Program Highlights from Protiviti s 2013 Sarbanes-Oxley Compliance Survey THE MOST DAMAGING PHRASE IN THE LANGUAGE IS: IT S ALWAYS BEEN DONE THAT WAY. GRACE HOPPER,

More information

International Association of Credit Portfolio Managers

International Association of Credit Portfolio Managers International Association of Credit Portfolio Managers Principles and Practices: 2015 Expanding Role of Credit Portfolio Management Survey Goal IACPM Members share their views on the state of CPM today,

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity

More information

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners. Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international

More information

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.

More information

The Importance of IT Controls to Sarbanes-Oxley Compliance

The Importance of IT Controls to Sarbanes-Oxley Compliance Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers

More information

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions. 2015 Internal Audit Capabilities and Needs Survey

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions. 2015 Internal Audit Capabilities and Needs Survey From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions 2015 Internal Audit Capabilities and Needs Survey SECURITY IS, I WOULD SAY, OUR TOP PRIORITY BECAUSE FOR ALL

More information

2014 Financial Services Industry Compliance Benchmark Study

2014 Financial Services Industry Compliance Benchmark Study 2014 Financial Services Industry Compliance Benchmark Study Presented By: and Executive Summary Beginning in early December 2013, SAI Global Compliance conducted a survey among compliance professionals

More information

Integrated Risk Management:

Integrated Risk Management: Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)

More information

SARBANES-OXLEY SECTION 404

SARBANES-OXLEY SECTION 404 SARBANES-OXLEY SECTION 404 A TOOLKIT FOR MANAGEMENT AND AUDITORS VOLUME 2 Public Company Accounting Oversight Board The Public Company Accounting Oversight Board (PCAOB) was established by Congress under

More information

Sarbanes-Oxley Section 404: Management s Assessment Process

Sarbanes-Oxley Section 404: Management s Assessment Process Sarbanes-Oxley Section 404: Management s Assessment Process Frequently Asked Questions ADVISORY Contents 1 Introduction 2 Providing a Road Map for Management 3 Questions and Answers 3 Section I. Planning

More information

G24 - SAS 70 Practices and Developments Todd Bishop

G24 - SAS 70 Practices and Developments Todd Bishop G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS

More information

Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect. A Smaller Public Company Perspective

Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect. A Smaller Public Company Perspective Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect A Smaller Public Company Perspective Smaller public companies were required to comply with the management assertion

More information

Enterprise Risk Management (ERM): In Action. January 2010. Co-presented by: Michael Yip, Marsh Risk Consulting Norma Essary, DFW International Airport

Enterprise Risk Management (ERM): In Action. January 2010. Co-presented by: Michael Yip, Marsh Risk Consulting Norma Essary, DFW International Airport January 2010 Enterprise Risk Management (ERM): In Action Co-presented by: Michael Yip, Risk Consulting Norma Essary, DFW International Airport www.marsh.com Discussion Topics Enterprise Risk Management

More information

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...

More information

Standards for the Professional Practice of Internal Auditing

Standards for the Professional Practice of Internal Auditing Standards for the Professional Practice of Internal Auditing THE INSTITUTE OF INTERNAL AUDITORS 247 Maitland Avenue Altamonte Springs, Florida 32701-4201 Copyright c 2001 by The Institute of Internal Auditors,

More information

Namibia Internal Audit Survey

Namibia Internal Audit Survey Namibia Internal Audit Survey October 2014 www.kpmg.com/na 1 Foreword KPMG in Namibia is proud to have conducted the first Internal Audit survey featuring only Namibian entities. This study aims to obtain

More information

When to Upgrade: Balancing Benefits of New Systems with Costs to Upgrade

When to Upgrade: Balancing Benefits of New Systems with Costs to Upgrade When to Upgrade: Balancing Benefits of New Systems with Costs to Upgrade 800.982.2388 1 Introduction The decision on when to upgrade computer systems, such as calibration and maintenance management systems,

More information

Auditing Standards Committee Auditing Section American Accounting Association

Auditing Standards Committee Auditing Section American Accounting Association November 2, 2010 Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C. 20006-2803 Via email to comments@pcaobus.org RE: PCAOB Rulemaking Docket Matter No.

More information

ENHANCING VALUE THROUGH COLLABORATION: A CALL TO ACTION GLOBAL REPORT JULY 2014

ENHANCING VALUE THROUGH COLLABORATION: A CALL TO ACTION GLOBAL REPORT JULY 2014 ENHANCING VALUE THROUGH COLLABORATION: A CALL TO ACTION GLOBAL REPORT JULY 2014 DISCLAIMER TABLE OF CONTENTS Introduction...1 Five Strategies for Internal Audit Success in the Year Ahead...5 Improve Upon

More information

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls ISAE 3402 and SSAE 16 defined Overview of service organisation control reports Service organisation

More information

Benefits and Burdens of Proposed Improvements to Delivering Financial Information One Small Public Company Business Executive s Perspective

Benefits and Burdens of Proposed Improvements to Delivering Financial Information One Small Public Company Business Executive s Perspective Benefits and Burdens of Proposed Improvements to Delivering Financial Information One Small Public Company Business Executive s Perspective Developed and Presented by: Gregory P. Hanson, CMA, MBA Presented

More information

DEFINING OUR ROLE IN A CHANGING LANDSCAPE

DEFINING OUR ROLE IN A CHANGING LANDSCAPE DEFINING OUR ROLE IN A CHANGING LANDSCAPE North American report October 2013 Disclaimer Table of Contents Introduction...1 Outlook for Internal Audit Remains Strong...3 Strategic Business Risk: Opportunity

More information

DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY

DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY SEPTEMBER 2012 DISCLAIMER Copyright 2012 by The Institute of Internal Auditors (IIA) located at 247 Maitland Ave., Altamonte Springs, Fla., 32701,

More information

Security Solutions in the Aerospace/Defense Industry A Pinkerton Government Services White Paper

Security Solutions in the Aerospace/Defense Industry A Pinkerton Government Services White Paper Security Solutions in the Aerospace/Defense Industry A Pinkerton Government Services White Paper Robert Maydoney Vice President Sales Pinkerton Government Services, Inc. 740 North Main Street Mansfield,

More information

Enhancing Audit Technology Effectiveness Key Insights from TeamMate s 2014 Global Technology Survey

Enhancing Audit Technology Effectiveness Key Insights from TeamMate s 2014 Global Technology Survey Key Insights from TeamMate s 0 Global Technology Survey Survey Results Portray Audit Committee Reporting Practices, Provide Useful Benchmarking Data This year s Internal Audit Technology Survey (IATS)

More information

September 12, Nancy M. Morris Secretary, Securities and Exchange Commission 100 F Street, NE Washington, DC

September 12, Nancy M. Morris Secretary, Securities and Exchange Commission 100 F Street, NE Washington, DC September 12, 2006 Nancy M. Morris Secretary, Securities and Exchange Commission 100 F Street, NE Washington, DC 20549-1090 Subject: File number S7-11-06 Dear Ms. Morris: American Electric Power Company,

More information

ORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION

ORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION ORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION KEY FEATURES AND BENEFITS Manage multiple GRC initiatives on a single consolidated platform Support unique areas of operation with

More information

Internal Auditing: Assurance, Insight, and Objectivity

Internal Auditing: Assurance, Insight, and Objectivity Internal Auditing: Assurance, Insight, and Objectivity WHAT IS INTERNAL AUDITING? INTERNAL AUDITING business people all around the world are familiar with the term. But do they understand the value it

More information

Enterprise Risk Management: Concepts & Issues

Enterprise Risk Management: Concepts & Issues Enterprise Risk Management: Concepts & Issues Jacques Lapointe Internal Audit, Management Board Secretariat November 2003 1 The Basic Concept of Risk Management The active process of identifying risks,

More information

Metrics by design A practical approach to measuring internal audit performance

Metrics by design A practical approach to measuring internal audit performance Metrics by design A practical approach to measuring internal audit performance September 2014 At a glance Expectations of Internal Audit are rising. Regulatory pressure is increasing. Budgets are tightening.

More information

Overview and Key Provisions of Risk Assessment Standards

Overview and Key Provisions of Risk Assessment Standards Overview and Key Provisions of Risk Assessment Standards Keith Wilson Deputy Chief Auditor, Office of the Chief Auditor Risk Assessment Standards Overview Covers the entire audit process from initial planning

More information

GSK Vaccines: Easing Compliance with SAP Process Control

GSK Vaccines: Easing Compliance with SAP Process Control 2014 SAP AG or an SAP affiliate company. All rights reserved. GSK Vaccines: Easing Compliance with SAP Process Control GlaxoSmithKline Vaccines Industry Life sciences pharmaceuticals Products and Services

More information

MAKING INTERNAL AUDIT MORE CREDIBLE AND RELEVANT AUGUST 2011

MAKING INTERNAL AUDIT MORE CREDIBLE AND RELEVANT AUGUST 2011 MAKING INTERNAL AUDIT MORE CREDIBLE AND RELEVANT AUGUST 2011 DISCLAIMER Copyright 2011 by The Institute of Internal Auditors (IIA) located at 247 Maitland Ave., Altamonte Springs, FL, 32701, U.S.A. All

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

Hedge fund launch considerations Reaching new boundaries. Investment Management

Hedge fund launch considerations Reaching new boundaries. Investment Management Hedge fund launch considerations Reaching new boundaries Investment Management There are people who make things happen, there are people who watch things happen, and there are people who wonder what happened.

More information

From Information Management to Information Governance: The New Paradigm

From Information Management to Information Governance: The New Paradigm From Information Management to Information Governance: The New Paradigm By: Laurie Fischer Overview The explosive growth of information presents management challenges to every organization today. Retaining

More information

PwC Advisory Internal Audit. PricewaterhouseCoopers State of the internal audit profession study: internal audit post Sarbanes-Oxley*

PwC Advisory Internal Audit. PricewaterhouseCoopers State of the internal audit profession study: internal audit post Sarbanes-Oxley* PwC Advisory Internal Audit PricewaterhouseCoopers State of the internal audit profession study: internal audit post Sarbanes-Oxley* Table of Contents Overview 02 As demands on internal audit escalate,

More information

Facing Durbin: Enhancing DDA Value with Check Based Solutions

Facing Durbin: Enhancing DDA Value with Check Based Solutions Facing Durbin: Enhancing DDA Value with Check Based Solutions Conducted by Javelin Strategy & Research September 2011 2011 Javelin Strategy & Research All Rights Reserved I. Overview The economics surrounding

More information

Internal Control over Financial Reporting Guidance for Smaller Public Companies

Internal Control over Financial Reporting Guidance for Smaller Public Companies Internal Control over Financial Reporting Guidance for Smaller Public Companies Frequently Asked Questions Internal Control over Financial Reporting Guidance for Smaller Public Companies Frequently Asked

More information

Compliance with Sarbanes-Oxley and Enterprise Risk Management Creates Best Practices in Remittance Processing for Treasury and Cash Management

Compliance with Sarbanes-Oxley and Enterprise Risk Management Creates Best Practices in Remittance Processing for Treasury and Cash Management Accelerating funds Minimizing risk Improving control Compliance with Sarbanes-Oxley and Enterprise Risk Management Creates Best Practices in Remittance Processing for Treasury and Cash Management Executive

More information

The Updated COSO Internal Control Framework

The Updated COSO Internal Control Framework The Updated COSO Internal Control Framework Frequently Asked Questions Second Edition Introduction The Committee of Sponsoring Organizations of the Treadway Commission (COSO) an organization providing

More information