Ensuring your compliance program is on the mark - IIA Australia
Session 7B Compliance auditing – Ensuring your compliance program is on the mark
Peter Sheville PMIIA, Director, Vincents Audit and Assurance
Compliance Auditing: Ensuring your compliance program is on the mark
7 January 2016
Session 7.B
Agenda
01. A WORLD WITHOUT COMPLIANCE: Why is compliance auditing important?
02. ITS BEGINNING AND PURPOSE: When did it begin and what is it trying to achieve?
03. COMPLIANCE OBLIGATIONS: Identifying and assessing your key compliance obligations
04. COMPLIANCE RISK: Risk-based approach in managing and mapping compliance risk
05. COMPLIANCE MANAGEMENT: Ensuring appropriateness of processes, documentation and reporting
06. ROLE AND RESPONSIBILITIES: Key role and responsibilities of the organization and Internal Audit
07. COMPLIANCE AUDIT PLAN: Essentials in preparing an effective regulatory compliance audit plan
08. SUMMARY: Key items revisited
09. QUESTIONS
01. WORLD WITHOUT COMPLIANCE:
Why is compliance auditing important?
https://www.youtube.com/watch?v=LH8ZSuVOPfc
01. WORLD WITHOUT COMPLIANCE:
Why is compliance auditing important? (cont’d)

Organisation | What Happened | How They Got Caught
Waste Management | $1.7 billion in fake earnings | New CEO and management team
Enron | $74 billion shareholder loss | Turned in by internal whistle-blower
WorldCom | $180 billion in losses for investors | Internal Audit department
Lehman Brothers | $50 billion in loans disguised as sales | Went bankrupt
Freddie Mac | $5 billion in misstated earnings | SEC investigation
Queensland Health | $16.7 million in fraudulent transactions | One large transaction raised alarms
Queensland Health | $40k in timesheet fraud | CCC investigation

Sources: http://www.accounting-degree.org/scandals and http://www.ccc.qld.gov.au/
02. ITS BEGINNING AND PURPOSE:
When did auditing begin and what is it trying to achieve?
• Dates back as far as 4,000 B.C. and can be traced to the Zhao dynasty in China as well as to finance systems in Babylonia, Greece, the Roman Empire, etc. [1]
• Used by governments and businesses to manage concerns about incompetent and opportunistic officials
• The development of the joint-stock company concept in the 19th century made auditing a necessity in modern-day business [2]
1 (Bailey, Gramling & Ramamoorti, 2003) 2 (Encyclopedia Britannica) 3 (ISSAI 400 Fundamental Principles of Compliance Auditing) 4 (Gleim, n.d.)
Purpose: Transparency, Accountability, Good Governance
02. ITS BEGINNING AND PURPOSE:
When did auditing begin and what is it trying to achieve? (cont’d)
• Internal audit first began as a means of protection against payroll fraud, loss of cash and other assets
• The need for independent verification of accounting errors, asset misappropriation and fraud drove its scope to almost all financial transactions
• Moved from an “audit for management” emphasis to an “audit of management” approach [1]
• This laid the foundation for what Internal Audit has become today, “… an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives…” [4]
Image acknowledgement to haan249.
03. COMPLIANCE OBLIGATIONS:
Identifying and assessing your key compliance obligations
Identifying who you are as an organization:
• What is your structure and size?
• Who is held accountable for performance?
• Where are you located geographically?
• Who are your stakeholders?
• Who do you do business with?
• What industry does your organization form part of?
• What type of licenses/permits do you hold?
• What type of products/services do you offer?
• Do you trade, import or export?
• What are your future growth expectations?
Assessing where your organization is in its journey to where it wants to be:
• Where are you now and where do you want to be?
• What drives your organization, and is this likely to change?
• What are your offerings, and is change expected in the future?
• Is the organization expanding from its current setting?
• Where is the industry in its lifecycle and where is it trending to?
• Who are your stakeholders and will they change as your journey progresses?
04. COMPLIANCE RISK:
Risk-based approach in managing and mapping compliance risk
5 (Curtis & Carey, 2012)
• The traditional view of risk management was to attempt to remove or eliminate risk
• This negatively impacts the organization’s pursuit of value
• Balancing the level of acceptable risk against the expected return results in optimal risk-taking [5]
• Optimal risk-taking, largely related to an organization’s risk appetite, is identified through risk assessment
• A variety of methods exist to assess risks; however, fundamentally, they are aligned
Diagram labels: Optimal Risk-Taking; Expected Return; Acceptable Risk
04. COMPLIANCE RISK:
Risk-based approach in managing and mapping compliance risk (cont’d)
4 (Gleim, n.d.) 5 (Curtis & Carey, 2012)
• Risk is the possibility that an event will occur and adversely affect the achievement of organizational objectives
• Identifying risks precedes the risk assessment process and produces a list of risks that have the potential to negatively impact the organization
• Key risks are those that have the potential to adversely impact the organization’s objectives; clarity in understanding organizational objectives is a must for successful risk management [4]
• The assessment process includes the development of assessment criteria, the assessment of the specific risks, assessment of risk interactions, and prioritization of risks [5]
• The final element is the risk response and how the identified risks will be managed
• In contrast to the traditional approach, managing risks is achieved through response techniques that typically result in avoiding, accepting, mitigating, sharing or exploiting the risk [4]
Diagram labels: Identify Risks; Assess Risks; Respond to Risks
05. COMPLIANCE MANAGEMENT:
Ensuring appropriateness of process, documentation and reporting
6 ("New compliance standard: AS/ISO 19600:2015", n.d.)
• Compliance management – where has your organization set its benchmark?
• It is the underlying process by which the organization systematically manages its compliance obligations and compliance risks
• The International Organization for Standardization (ISO) released ISO 19600:2015 Compliance Management Systems
• Adopted in Australia as AS/ISO 19600:2015, it acts as a guideline for the development and implementation of a sound compliance management system [6]
• A key focus is to embed compliance within the organization’s culture and integrate it with the organization’s management processes
Diagram labels: Compliance Management; Compliance Risks; Compliance Obligations
05. COMPLIANCE MANAGEMENT:
Ensuring appropriateness of process, documentation and reporting (cont’d)
• Communication is integral in ensuring successful compliance management and should be driven by the board and senior management
• It should be evident in the culture, policies and procedures, individual responsibilities and reporting of the organization
• Performance evaluation and improvement is the final element of the process and identifies areas in which the system in place can become better
• Compliance management is not a one-off process – it is a cyclical process that restarts upon its final step of performance evaluation and improvement [6]
Diagram labels (cycle): Establishing Context; Risk Assessment; Risk Response; Communication; Performance Evaluation and Improvement
06. ROLE AND RESPONSIBILITY:
Key role and responsibility of the organization and Internal Audit
7 (Compliance Management System, n.d.)
• Compliance management systems help organizations:
  • Learn about their compliance responsibilities
  • Ensure personnel are aware of requirements
  • Embed requirements into culture and processes
  • Continuously review and improve risks
  • Respond to risks prior to them occurring
• Three key elements to a successful compliance management system:
  • Board and management oversight
  • Compliance program
  • Compliance audit
• If all elements are strong and cooperate, compliance responsibilities and risks should be managed appropriately [7]
Diagram labels: Board and Management Oversight; Compliance Program; Compliance Audit
06. ROLE AND RESPONSIBILITY:
Key role and responsibility of the organization and Internal Audit (cont’d)
• Board and Management Oversight:
  • Hold ultimate responsibility for organizational compliance
  • Lay the foundation for the organization’s compliance success by demonstrating clear expectations, formally and informally
  • Tone at the top drives culture and is communicated, directly or indirectly, through to all levels of the organization
• Compliance Program:
  • The policies and procedures of an organization
  • Training and education of personnel
  • Response to internal and external complaints
  • Monitoring and identification of risks [7]
06. ROLE AND RESPONSIBILITY:
Key role and responsibility of the organization and Internal Audit (cont’d)
• Compliance Audits:
  • Independent, objective review of compliance
  • Assist the Board and Senior Management in maintaining compliance and identifying potential risks
  • Complement the compliance program through additional monitoring
  • Cooperation with the Board in determining scope and frequency
  • Cooperation with the organization in identifying risks and maintaining compliance
  • Communication of compliance audit results to the Board and Senior Management, ensuring opportunities for improvement flow through the organization
07. COMPLIANCE AUDIT PLAN:
Essentials in preparing an effective regulatory compliance audit plan
• Knowing the key stakeholders and their relationships, as well as understanding the roles and responsibilities of the audit engagement team
• Documenting the expected and agreed-upon timeframes for the audit
• Understanding the internal and external regulatory requirements as well as other key stakeholder requirements
• Gaining and developing an understanding of the organization, its purpose, objectives and strategies
• Incorporating the objectives and strategies of the organization when preparing the audit’s scope and objectives
• Developing an understanding of the organization’s control environment, control activities and risk assessment process through interviews and data and information gathering techniques
• Reviewing available industry analysis to determine key risk areas that may exist within the external environment
• Addressing the objective and scope through the testing approach that will be taken
Diagram labels: Planning; Performing; Communicating
08. SUMMARY:
Key items revisited
• What happens when compliance is removed from the picture?
• The need for compliance and auditing remains aligned to why it was needed many years ago – transparency, accountability and good governance
• To identify and assess your obligations, you need to know who your organization is and where it is going
• Optimal risk-taking is a result of the organization’s expected return and acceptable risk levels
• Effectively managing and mapping risks is a result of identifying risks, assessing risks and responding to risks
• Compliance management should be embedded in the culture of an organization
• Compliance management is achieved through evaluating, improving and communicating risks
• Compliance management is a continuous process
• Board and management hold the ultimate responsibility for compliance and set the tone at the top
• A compliance program is an essential element of a compliance management system, along with board and management oversight and compliance auditing
• Understanding the organization, its purpose, strategy and objectives is essential in effectively establishing a compliance audit plan
References
• Bailey, A., Gramling, A., & Ramamoorti, S. (2003). Research opportunities in internal auditing. Altamonte Springs, Fla.: Institute of Internal Auditors Research Foundation.
• Curtis, D., & Carey, M. (2012). Risk Assessment in Practice (1st ed., pp. 1-18). Durham, NC: The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Retrieved from http://www2.deloitte.com/ie/en/pages/deloitte-private/articles/risk-compliance-management-assurance-mapping.html
• Encyclopedia Britannica. (2016). auditing | accounting. Retrieved 8 February 2016, from http://www.britannica.com/topic/auditing-accounting
• ISSAI 400 Fundamental Principles of Compliance Auditing. (2014) (p. 4). Vienna.
• Gleim, I. (n.d.). CIA Review Part 1.
• New compliance standard: AS/ISO 19600:2015. (n.d.). Retrieved from https://complispace.wordpress.com/2015/07/31/new-compliance-standard-asiso-196002015/
• Compliance Management System (1st ed.). (n.d.). Retrieved from https://www.fdic.gov/news/news/financial/2006/2cep_compliance.pdf