The RMC Advisors

Internal Audit Insight

2012-04-16T15:02:56-04:00

The IIA defines insight as an “end product or result from internal audit’s assurance and consulting work. Insight can involve ‘connecting the dots’ (i.e. identifying the entity-level root causes of control concerns, emerging risks, or significant opportunities to improve the entity’s governance process) to deliver value-added results to key internal audit stakeholders.”

The Institute of Internal Auditors Research Foundation (IIARF) surveyed and interviewed board members, audit committee members, executive management, and internal auditors on insight.

The results noted insight is important to stakeholders with 90% of survey respondents noting that internal audit should deliver insight. Unfortunately, only 72% of respondents agreed that internal audit functions provide insight identifying a gap between expectations and performance.

Respondents noted that internal auditors have significant finance and accounting experience but sometimes lack the operational experience to fully understand business strategies and challenges and provide insight. Also, respondents desired internal audit focus more on helping improve the business than catching mistakes.

A strong relationship was noted between certifications and insight delivery. Chief Audit Executives (CAEs) with more than 50 percent of their department holding certifications were more likely to agree that their internal audit team delivered insight.

Key Factors Enabling Insight Delivery

Respondents noted the following top five factors that help enable insight delivery:

Control Environment
Stakeholder Expectations
Reporting Relationship
Competent CAE
Significant Industry/Organization Knowledge

In addition, survey selections and write-in responses note the following factors are critical to internal audit providing insight:

Tone at the top
An internal audit team with skill and business/industry background
Independence of the internal audit function
Clearly communicated expectations from stakeholders and the CAE
Clear and constructive communication of issues identified and associated recommendations.

Activities Facilitating Insight Delivery

In addition, the following activities support insight delivery:

Senior level auditors and subject matter experts
Internal audit viewpoints in assessments and results reporting
Significant consultative time in the annual audit plan
Utilizing data analysis in assessments and results reporting
Including insight delivery in performance expectations and evaluations

In contrast, the factors noted below can hinder insight deliver:

Disconnect between board expectations and executive expectations.
- Board members value assurance on internal controls and risk management
- Executives value new information, a new way to approach an issue, or a useful recommendation.
- Focus on auditors’ financial background versus business experience
- Lack of leadership and communication skills
- Focusing more on generating findings than collaborating on business solutions.

What steps can you take to improve insight delivery in your internal audit function?

Meet with key stakeholders regularly and discuss expectations.
Align the internal audit mission to focus on agreed expectations.
Refocus your internal audit approach to agree with the audit mission
- Policies and Procedures
- Staffing
- Use of Technology and Tools
- Success metrics
- Ensure proper reporting relationships and sufficient organizational independence is in place
- Assess your leadership skills and communication style

Reference the full article at http://www.theiia.org/bookstore/product/insight-delivering-value-to-stakeholders-1587.cfm for more details on the survey results.

COSO Framework Draft Update

2012-02-28T16:27:38-05:00

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently updated its Internal Control Integrated Framework (Framework) to ensure it remains relevant in the changing business environment. A Draft for Public Exposure is currently available on COSO’s website.

Key items of the Framework have not changed in the updated version including the core definition of internal control, the three control objectives, and the five components of internal control. If your Company already has an effective internal control system, you will not need to make any significant updates under the updated Framework.

The updated Framework includes codification of the internal control concepts introduced in the original Framework. The codification occurs within the five (5) categories of control environment, risk assessment, control activities, information and communication and monitoring activities. The following is a summary of the seventeen (17) internal controls principles.

Control Environment

1. The organization demonstrates commitment to integrity and ethical values.
2. The Board of Directors demonstrates independence and exercises oversight responsibility for the development and performance of the system of internal controls.
3. Management establishes structure, authority and responsibility and the Board of Directors oversees this process.
4. The organization demonstrates commitment to competence in hiring and retaining individuals who are aligned with corporate objectives.
5. The organization enforces accountability for internal control responsibilities.

Risk Assessment

6. The organization facilitates the identification and assessment of risks by defining clear and specific organizational objectives.
7. Assessment of risks to achieving the organization’s objectives and determination of risk management strategies occurs across the entire entity.
8. The potential for fraud is a key component of the risk assessment process.
9. Risk assessment includes changes that could have a significant impact to the organization’s system of internal control.

Control Activities

10. The system of internal controls contributes to the mitigation of risks to the achievement of the organization’s objectives.
11. A system of Information Technology General Controls (ITGC) exists, which mitigates technological risks to the achievement of organizational objectives.
12. Policies and procedures exist to establish expectations for the system of internal controls.

Information and Communication

13. There is relevant and quality information to support the functioning of the system of internal controls.
14. Internal communication is sufficient to convey objectives and responsibilities to support efficient and effective functioning of the system of internal control.
15. There is effective communication with external parties, as appropriate, to convey matters relative to the functioning or other components of the system of internal controls.

Monitoring Activities

16. Ongoing and separate evaluations assess and determine if an adequate system of internal controls exists and is functioning as expected.
17. Timely evaluation and communication of internal control deficiencies occurs in a manner, which facilitates corrective action. Communication occurs at appropriate levels of the organization including senior management and the Board of Directors.

The Framework includes detailed discussion on the limitations of internal control. It also highlights the roles and responsibilities of internal and external personnel such as, the Board of Directors, management, auditors, service providers and business partners. In addition, there is an emphasis to reflect changes/trends in the business environment. These include:

Expectations for governance oversight
Globalization of markets and operations
Changes in business models
Demands and complexities in laws, rules, regulations, and standards
Expectations for competencies and accountabilities
Use of, and reliance on, evolving technologies
Expectations relating to preventing and detecting fraud
Increased focus on non-financial reporting objectives and guidance.

COSO is currently seeking comments on the proposed Internal Control – Integrated Framework. Please go to COSO’s website if you would like to provide feedback.

Chief Audit Executives – Appointment, Performance Evaluation, and Termination

2012-02-01T11:34:20-05:00

This article covers the various factors senior management and the board of directors should consider when appointing, evaluating, or terminating the Chief Audit Executive (CAE). The position of the CAE is important and requires independence and objectivity while also partnering with the organization and adding value.

Appointing a CAE

CAEs should demonstrate the following soft skills:

Ability to accurately assess situations and instinctively do the right thing even under resistance
Good judgment and character strength
Integrity

In addition, effective CAEs possess the following attributes and skills:

Independence and objectivity
Intellectual curiosity
Quality focused
Business and technical skills
Communication and listening skills
People management

Evaluating the CAE

The internal audit activity is generally more effective when the board and senior management complete regular (at least annual) formal reviews of the CAE. The evaluation should include criteria related to the CAE’s required attributes and skills identified during appointment (reference above section).

Terminating the CAE

When the CAE voluntarily terminates, the board should complete an exit meeting or questionnaire with the CAE to identify the reasons for resignation and determine if anything requires further attention. Also, the Board should verify that the CAE is not facing pressure to quit and the termination is genuinely voluntary, not voluntary in appearance only.

The Board should oversee involuntary termination of the CAE and verify the termination is justified and appropriate. Valid reasons for termination include:

Failure to meet stipulated professional performance requirements
A breach of the IIA’s Code of Ethics or the organization’s Code of Conduct
Non-conformation with the IIA’s International Standards for the Professional Practices of Internal Auditing

Conclusion

Following appropriate guidelines when hiring, evaluating, and terminating a CAE leads to a more successful internal audit function.

McKonly & Asbury is available for consultation on this or other Internal Audit matters. Please do not hesitate to contact, Elaine Nissley, MBA, CISA, PMP, CRISC, Principal, in charge of the Risk Management Services group at ENissley@macpas.com.

[i] The Practice Guide – Chief Audit Executives – Appointment, Performance Evaluation, and Termination is located at http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/caes-appointment-evaluation-termination/

Assisting Small Internal Audit Activities in Implementing the Standards

2011-12-21T14:50:19-05:00

The International Professional Practices Framework (IPPF) and underlying International Standards for the Professional Practice of Internal Auditing (Standards) provide guidance to the internal audit activity. The Standards are applicable to all internal audit departments regardless of size, level of resources, complexity, or objectives and scope. Small audit activities face some unique challenges when implementing the Standards. Typically, a small audit activity has one or more of the following characteristics:

One to five auditors
Productive internal audit hours below 7,500 a year
Limited level of co-sourcing or out-sourcing

Standards with a High Degree of Challenge for Small Audit Activities

The Practice Guide notes the following standards for which small internal audit activities face a high level of challenge when implementing:

1100 – Independence and Objectivity
1300 – Quality Assurance/Improvement Program
2000 – Managing the Internal Audit Activity
2200 – Engagement Planning
2300 – Performing the Engagement

These challenges are most likely to affect small internal audit activities, but they may affect internal audit activities of any size. This paper will review each of these standards, identify challenges to meeting the standard, and provide guidance to mitigate these challenges.

1100 - Independence and Objectivity

Standard: The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Challenge: Auditors may have operational responsibilities such as records management, compliance, IT security, risk management, or other finance and accounting activities. The Chief Audit Executive (CAE) may report to an individual who has direct responsibility for areas that are subject to audits.

Guidance: Internal audit should explain to the board the difficulties involved with auditing areas where operational responsibilities or chain of command cause independence issues. They should recommend alternatives for audits such as, using external resources, and verifying only auditors that are not involved with the operational activity complete and review the audit. The CAE should discuss any challenges relating to the reporting structure or operational duties with the board and/or senior management when establishing the audit plan. If internal audit issues a report where there is a lack of independence and objectivity, the audit report must disclose this condition along with the related impacts.

1300 – Quality Assurance/Improvement Program

Standard: The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Challenge: Lack of financial resources may limit the ability to perform an external or internal quality assessment (QA) in accordance with the Standards. The performance of an internal QA may be challenging due to time and staff constraints.

Guidance: Small organizations may use peer organization reviews or self-assessment with external validation to satisfy the external QA requirement. These approaches will have a lower monetary cost but will require a larger amount of internal audit staff hours. Organizations may consider utilizing employees outside of the internal audit activity for internal assessments if they have prior audit experience or QA training.

2000 – Managing the Internal Audit Activity

Standard: The CAE must effectively manage the internal audit activity to ensure it adds value to the organization.

Challenge: It may be difficult for the CAE of a small internal audit activity to demonstrate that the activity adds value to the organization if the priorities of the department differ from management’s priorities. If the internal audit activity is overworked or has frequent management requests to perform ad hoc engagements, they may not have the resources to fulfill the internal audit charter requirements.

Guidance: The CAE should verify the internal audit charter clearly sets forth the mission of the department, senior management endorses the charter, and the board approves it. In addition, the CAE should obtain feedback to verify the internal audit activity continues to perform value-added audits and the audit plan remains aligned with the strategic objectives and key risks facing the organization.

2200 – Engagement Planning

Standard: Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.

Challenge: Completing a risk assessment is a key component of planning an audit. Internal auditors may not have the skill level or available time to complete a risk assessment. In addition, they may not formally document their engagement planning.

Guidance: The CAE should develop planning checklists for common engagement types. Key components of the planning process include defining engagement objectives, scope, and audience. Internal audit should leverage any available risk documentation relevant to the audit including management’s own risk self-assessments, management’s risk tolerances or appetites, and findings from prior internal and external audit reports. The higher the associated risk of an engagement, the greater the level of formal documentation required.

2300 – Performing the Engagement

Standard: Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives. In addition, the CAE must assure proper supervision of engagements to achieve objectives, audit quality, and staff development.

Challenge: The CAE may not be able to supervise all engagements and they may perform some engagements. It may be a challenge for audit activities using manual workpapers to maintain appropriate evidence of engagement supervision.

Guidance: CAEs are encouraged to have a more involved role in high-risk or complex engagements. If the CAE or another staff member performs a lower risk engagement, an experienced audit staff can review the engagement. If the CAE performs a complex engagement, they should have a peer review performed by someone else in the organization with the suitable audit background and adequate independence. Engagement supervisors should sign off on engagement workpapers to document evidence of review.

Conclusion:

All CAEs should assess the current level of conformance with each standard and determine if there are any conformance gaps. They should incorporate elements of the Standards into the internal audit activity’s vision, mission, and charter.

Internal Auditing and Fraud

2011-11-17T10:52:55-05:00

This practice guide summary will discuss how Internal audit can add value to the organization through its role in helping to deter and identify fraud. Fraud results in negative financial, reputational, psychological, and social effects on an organization. To minimize the risk associated with fraud it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs.

Fraud Awareness

Fraud schemes are often ongoing and can last for months or years. Employees commit fraud when they have access to confidential information and internal controls are inadequate or management can override controls without question.

Most frauds have the following characteristics:

Pressure or incentive – need the fraudster is trying to satisfy by committing the fraud.
Opportunity – the fraudster’s ability to commit the fraud.
Rationalization – the fraudster’s ability to justify the fraud in his or her mind.

There are often red flags to indicate individuals might be committing fraud such as spending lavishly, becoming more secretive of their activities, and reluctance to take vacation or sick time. While none of these red flags means an employee is actually committing fraud, a combination of occurrences may indicate the need for inquiries and increased audit attention.

Internal Audit’s Role

The following Standards relate to internal audit’s responsibilities related to fraud detection:

Due Professional Care (Standard 1220)
Risk Management (Standard 2120)
Engagement Objectives (Standard 2210)

There are various ways the internal audit function can consider fraud in its activities including:

Auditing management’s controls over fraud
Auditing to detect likely fraud by testing high-risk processes
Considering fraud as part of every audit
Consulting assignments to help management identify, assess risk and determine the adequacy of the control environment

Internal audit’s main fraud responsibilities during an engagement include:

Consider fraud risks in the assessment of internal control design and determination of audit procedures
Identify red flags
Be alert to fraud opportunities
Evaluate if management is retaining responsibility for oversight of the fraud risk management program
Recommend investigation when appropriate

Tests performed by internal audit increase the likelihood of detection of fraud indicators providing opportunities for further testing.

Fraud Risk Assessment

Fraud risk assessment is a critical component or an organization’s enterprise risk management program. Fraud risk assessment can help identify where and how fraud may occur and who may be in a position to commit fraud.

There are five key steps to fraud risk assessment:

Identify relevant fraud risk factors
Identify potential fraud schemes and prioritize them based on risk
Map existing controls to potential fraud schemes and identify gaps
Test operating effectiveness of fraud prevention and detection controls
Document and report the fraud risk assessment

Fraud Prevention and Detection

Organizations can never eliminate the risk of fraud but they can increase the chances of preventing or detecting fraud. Combined use of preventive and detective internal controls enhances the effectiveness of a fraud risk management program.

Instilling a strong ethical culture, setting the correct tone at the top, providing fraud training, and establishing effective internal controls are essential elements in preventing fraud. Organizations detect fraud through employee tips, surprise audits, continuous monitoring of critical data and assessment of trends to identify unusual situations.

Fraud Investigation

Fraud Investigations occur when there is a suspicion of wrongdoing. Suspicions can result from a formal complaint process, informal complaint process such as tips, or an audit. Most fraud is uncovered via tips from a third party. In addition to having the means for people to report suspected fraud or abuse, the organization must encourage reporting and have an effective means to conduct the investigation.

Steps of the investigation include:

Gathering evidence
Documenting and preserving evidence
Determining the extent of the fraud
Determining the techniques used to perpetrate the fraud
Evaluating the cause of the fraud
Identifying the perpetrators
Reporting results
Analysis of lessons learned

Conclusion

Implementation of a fraud prevention and detection program is key to reducing the opportunities and uncovering fraud within an organization. This includes activities such as, providing means for reporting suspicions, raising fraud awareness, training in red flags, and ongoing monitoring via inclusion of fraud objectives in internal audits.

[1] The Practice Guide – Internal Auditing and Fraud is located at http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/internal-auditing-and-fraud-1/

Assessing the Adequacy of Risk Management

2011-10-25T10:37:39-04:00

Recently, there has been an increased focus on the importance of managing risk as part of an overall strong corporate governance and enterprise risk management (ERM) program. With this new emphasis comes a responsibility for Internal Audit to assess the effectiveness of the risk management strategy within the organization. Though there are multiple risk management frameworks, this guide uses ISO 31000 as the basis for the risk assessment. This article discusses management’s role and the types of approaches for Internal Audit to measure the effectiveness of risk management within their organization.

The organization should not conduct the ERM process in isolation. Instead, involve all key stakeholders and use the following control-based assurance framework:

Effectively identify and appropriately analyze risks.
Implement adequate and appropriate risk treatment and control.
Management effectively monitors and reviews processes to detect changes in risks and controls.

The organization’s ERM approach should change over time as internal and external factors change. For example, changes may occur due to the arrival of new personnel, changes in entity structure, new processes, and if the business objective changes. In the same way, the assessment of the ERM process must occur on an ongoing basis.

Responsibilities

Management is responsible for determining the organization’s risk attitude and the Board is responsible for determining if the risk attitude supports the best interests of stakeholders. Internal Audit should assess whether the company’s framework takes into consideration and defines risk management responsibilities and strategy, and whether the elements of the framework allow for building a risk-smart environment while still allowing for responsible risk-taking.

Monitoring and Assurance

Organizations must monitor risk management systems to ensure they are performing as intended. Most organizations accomplish monitoring through ongoing activities, separate evaluations, or a combination of these two methods. Ongoing monitoring is often most effective since it is completed on a real-time basis, can react dynamically to changing conditions, and is ingrained in the organization.

Line management, internal audit, risk management specialists, and the compliance function often share the monitoring responsibility. As a result, it is important for the organization to coordinate assurance activities to ensure it uses resources efficiently and effectively.

Internal Audit’s Role

IIA Standard 2100 states, “the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.”

Internal audit provides the following types of risk management assurance:

Assurance on the risk management process itself
Assurance on significant risks and management assertions
Follow-up of risk treatment plan status

These assurance services provide reasonable assurance to senior management and the board regarding the effectiveness of design, documentation and operation of the organization’s risk management program. The end goal is to have the risk management process achieve the organization’s objectives.

Internal audit can utilize one or more of the following approaches when assessing an organization’s risk management process:

Process elements approach – verifies specific elements of the risk management process are in place
Key principles approach – verifies the risk management process satisfies a minimum set of principles
Maturity model approach – assesses where the risk management process falls on the maturity curve.

Internal audit must obtain sufficient evidence to provide assurance on risk management processes. The following is a listing of some of the many audit procedures that internal audit can utilize:

Review corporate policies and board minutes to determine the organization’s business strategies, risk management philosophy, and risk appetite.
Conduct interviews with line and senior management to determine business unit objectives, related risk, and management’s risk mitigation and control monitoring activities.
Review the completeness of management’s risk analysis and remediation activities.

In general, this assurance review includes a combination of different audit techniques, such as observation, interviews, document reviews, analytical techniques, and surveys. These procedures must gather sufficient audit evidence to support any assurance provided by Internal Audit. It is important that internal audit tailor the assurance process to add the most value to their organization.

Generally, internal audit works closely with the risk management function. If the organization does not have a risk management function, risk management activities and consulting may fall under the purview of Internal Audit. In this case, Internal Audit should only perform this type of consulting service if the following conditions exist:

It remains clear that management is responsible for risk management and internal audit does not make risk management decisions.
Internal audit does not provide objective assurance for any parts of the risk management framework for which it is responsible.
Internal audit services are documented in the internal audit charter and consistent with other responsibilities.

As more stakeholders look for effective ERM processes within an organization, both management and Internal Audit must step up to the plate. Providing reasonable assurance can provide needed comfort to your key stakeholders in these turbulent times. For those organizations without an Internal Audit function, consider if there is value to outsourcing to provide independent assurance.

________________________________

[1] The Practice Guide – Assessing the Adequacy of Risk Management is located at http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/assessing-the-adequacy-of-risk-management/

Practice Guide Series - Introduction

2011-10-03T17:18:05-04:00

The IIA’s practice guides [i] provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques; programs; and step-by-step approaches, as well as examples of deliverables. This is the first in The RMC advisors series on the practice guides.

Formulating and Expressing Internal Audit Opinions[ii]

Internal auditors generally provide opinions for each audit and it can often be a challenging task to ensure the opinion provides all the necessary information to meet stakeholders’ objectives.

Planning

Auditors should determine stakeholder requirements for audit opinions including the level of assurance required before beginning an audit. Careful planning and development of an audit plan helps to ensure the auditor obtains sufficient evidence to support an opinion. Audit plans and opinions must consider the scope of work performed. Common elements to consider when defining the scope include:

Descriptions of the portions of the organization being covered;
Control components covered by the audit;
The point in time or the time period over which the opinion is expressed.

Types of Opinions

Opinions generally fall into one of the following categories:

Macro-level – broad level for the organization as a whole
Micro-level – individual components of the organization’s operations

Macro-level opinions are more complex and may require aggregation of findings from several audits, incorporation of evidence obtained through less formal means, and consideration of evidence obtained through reliance on the work of others. Recent surveys indicate that most audit organizations issue micro-level audit opinions.

Generally, stakeholders request that internal audit activities provide positive assurance opinions. A positive assurance opinion involves the auditor taking a definite position (i.e. internal controls are or are not effective), provides the highest level of assurance, and requires the highest level of evidence. Positive assurance opinions imply the auditor gathered sufficient evidence to provide reasonable assurance that they would identify evidence contrary to the opinion if it existed. Opinions can be qualified if there is an exception to the general opinion (i.e. controls were satisfactory with the exception of accounts payable controls, which require significant improvement).

In contrast, a negative assurance opinion is a statement that nothing came to the auditor’s attention about a particular objective (i.e. the effectiveness of a system of internal control). The internal auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues. In general, this opinion is less valuable than positive assurance.

Results

Developing criteria framework can help achieve the objective of providing a valued opinion. This framework provides a baseline against which to apply measurement and judgment to evidence obtained in the course of the audit. When establishing suitable criteria, it is important to determine if the organization has established basic principles regarding what constitutes an appropriate governance, risk management, and control process. These criteria may include:

Definition of the control framework used by the organization (i.e. COSO or COBIT).
Management’s understanding of what constitutes a satisfactory level of control (i.e. 90% of transactions are conducted in accordance with control procedures).
Management’s risk tolerance

Auditors should base evaluation of results on an established methodology such as materiality and impact. Many internal audit activities use a grading system when issuing audit reports. Internal auditors must be careful with wording especially around defining “waterlines” such as adequate or inadequate. Auditors should ensure that the organization has a common understanding of terms such as satisfactory, effective, or unsatisfactory. Use a grading scale requires a well-defined evaluation structure.

When internal auditors consider relying on other assurance providers (OAPs) work in developing an opinion, they should consider the following:

The OAP’s knowledge, skill, and competencies
Organizational relationships and ability of OAP to develop an impartial opinion
Objectives and scope of the OAP’s work

Conclusion

Providing opinions in audit reports is one way Internal Audit can add more value to the organization. These opinions can result in the organization placing more reliance upon internal audit reports. This increased reliance can also increase the legal ramifications if there is a control failure. Therefore, the Chief Audit Executive (CAE) should include appropriate disclaimers relative to the limitations of the audit work. This generally takes the form of notification that the report provides reasonable assurance and that it is not possible to provide absolute assurance. The CAE should encourage management to consider legal ramifications of placing total reliance upon the audit report and opinion.

McKonly & Asbury is available for consultation on this or other Internal Audit matters. Please contact Elaine Nissley, MBA, CISA, PMP, CRISC, Principal, in charge of the Risk Management Services group at ENissley@macpas.com.

[i] The IIA Practice Guides are located at: http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/

[ii] The Practice Guide – Formulating and Expressing an Audit Opinion is located at http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/formulating-and-expressing-internal-audit-opinions/).

Fourth Annual TRENDS Symposium – June 3, 2011

2011-05-17T16:02:30-04:00

McKonly & Asbury, LLP and McConkey Insurance & Benefits are pleased to sponsor 2011 TRENDS IV. This symposium will take place at the Radisson Penn Harris Hotel & Convention Center at 1150Camp Hill Bypass in Camp Hill, PA on June 3rd! The $50 fee includes 6.5 CPE credits, a continental breakfast, breaks and lunch. To reserve a seat, please contact Erin Hench at ehench@macpas.com or by calling 717-761-7910.

We have an exciting array of speakers and topics planned which are based on comments we received from previous year participants. The following provides the agenda for the day and more information on the speakers and their presentations.

Session Agenda

Session Details

PA Insurance Department Update

Once again, we have the popular Stephen J. Johnson, CPA, Deputy Insurance Commissioner, Office of Corporate and Financial Regulation and David G. DelBiondo, CPA, Director, Bureau of Financial Examinations from the PA Insurance Department. They will provide updates on the current happenings in the insurance industry. The topics will be timely and cover relevant local and national insurance issues.

Professional Ethics

Covering the popular topic of Professional Ethics is Elaine Nissley, CISA, PMP, CRISC, Principal, McKonly & Asbury. Ms. Nissley leads McKonly & Asbury’s Risk Management group and has over 20 years experience in the insurance industry. She will cover the topic of Professional Ethics by highlighting the ethics requirements from several industry organizations followed by a review of ethical scenarios. This session will qualify for one ethics CPE credit.

Cloud Computing and Social Media

Samuel BowerCraft, MIS, CISA, Senior Manager, McKonly & Asbury will MC this seminar and present on, The Cloud, Internet Applications, & Social Media. He will cover the impact to the organization, key risks that the organization should be aware of, what auditors should look for, and what controls should be implemented to mitigate those risks.

Tax Update

Mark Heath, CPA, Partner and Carrie Booth, CPA, Tax Senior Manager, McKonly & Asbury, will present a tax update. They will present tax topics that will be timely and cover relevant local and national tax issues. This session will qualify for one tax CPE credit.

Reinsurance

Jane C. Taylor, FCAS, MAAA, J, Consulting Actuary, Huggins Actuarial is responding to the request for an update on reinsurance. Ms. Taylor is a Fellow of the Casualty Actuarial Society (CAS) and a Member of the American Academy of Actuaries (AAA). She has over thirty-seven years of experience in the reinsurance and insurance industry encompassing pricing and reserving for both primary and reinsurance companies.

Legislative Update

Senator Patricia H. Vance will cover the latest happenings on Capitol Hill. Senator Vance is the only member of the Legislature who is a professional nurse. She has been a member of the Senate since 2005 after serving 14 years in the Pennsylvania House of Representatives. In the Senate, she is chair of the Public Health and Welfare Committee and a member of the Appropriations, Banking and Insurance, Finance, Communications and Technology, and Policy committees. She also serves on the Capitol Preservation Committee and Intra-Governmental Council on Long Term Care.

Safeguarding Confidential Data

John V. Dormuth, CPCU, ARM, Account Executive, McConkey Insurance & Benefits has over 15 years of risk management and insurance experience. Mr. Dormuth is presenting on the timely topic of Network Liability and privacy breaches of personally identifiable data. He will answer the question, “Why do companies need to safeguard such data?” In addition, he will discuss methods of managing risks if a breach does occur.

McKonly & Asbury is an approved continuing professional education program sponsor through the Pennsylvania State Board of Accountancy. We look forward to seeing you on June 3rd!

Fourth Annual TRENDS Symposium – June 3, 2011

2011-03-29T12:37:36-04:00

Join McKonly & Asbury on Friday, June 3, 2011 for our fourth annual TRENDS symposium focusing on accounting and audit issues for the insurance industry. The session provides 6.5 CPE credits, which includes 1 tax credit and 1 ethics credit. McKonly & Asbury is an approved continuing professional education program sponsor through the Pennsylvania State Board of Accountancy.

We have an exciting array of speakers and topics planned, based on comments we received from previous participants.

Legislative Update - Patricia Vance, Pennsylvania State Senator and member of the Pennsylvania Banking & Insurance Committee.
Insurance Department Update - Stephen Johnson, Deputy Insurance Commissioner, and David DelBiondo, Director, Bureau of Financial Examinations.
Tax Update – McKonly & Asbury Tax Group
Business/Professional Ethics – Elaine Nissley, MBA, CISA, PMP, CCSA, CRISC, Principal, McKonly & Asbury Risk Management Services Group.
Cloud Computing & Social Media: Risks and Controls - Samuel BowerCraft, MIS, CISA, Senior Manager, McKonly & Asbury Risk Management Services Group.
Reinsurance –Jane Taylor, FCAS, MAAA, JD, Consulting Actuary, Huggins Actuarial Services.
Safeguarding Confidential Data – John Dormuth, MSIM, CPCU, ARM, Account Executive, McConkey Insurance & Benefits.

Sponsored by McKonly & Asbury and McConkey Insurance & Benefits, the symposium will take place at the Radisson Penn Harris Hotel & Convention Center at 1150 Camp Hill Bypass in Camp Hill, PA on June 3rd!

Agenda and Details

June 3 (Friday)
Registration starts at 7:30am
The seminar will run from 8:00am to no later than 4:00pm.
Radisson Penn Harris Hotel & Convention Center (Camp Hill)

The cost to attend is $50, which includes a continental breakfast and lunch.

To register, please contact Erin Hench at ehench@macpas.com or by calling 717-972-5814.

Five Court Cases Every Internal Auditor and Audit Committee Member Should Know

2011-01-31T10:09:00-05:00

Are your workpapers privileged? The Institute of Internal Auditors (IIA) recently presented a webinar entitled “Five Court Cases Every Internal Auditor and Audit Committee Member Should Know.” The webinar focused on court cases related to privileges that may protect internal audit workpapers and how to protect privileged information.

Four main privileges related to your workpapers include:

Work Product
- Protects work prepared in anticipation of litigation.
Self-Critical Analysis
- Protects self-evaluative materials and results of candid assessments of compliance with laws and regulations from discovery when the public interest in preserving the internal evaluations of organizations outweighs a plaintiff’s right to the evidence.
Attorney-Client
- Protects communications between client and attorney made for the purpose of obtaining professional legal advice or assistance. Generally, this implies an establishment of a relationship. Some jurisdictions only allow this privilege with external counsel.
Accountant-Client
- Protects information shared by a client and their accountant. The purpose of the accountant-client privilege is to create an atmosphere in which the client is able to provide all relevant information to an accountant without fear of subsequent disclosure.
- No confidential accountant-client privilege exists under federal law. Some states including Pennsylvania recognize Accountant-Client Privilege.
- Pennsylvania accountant-client privilege statute specifically notes “certified public accountant, public accountant or firm” but does specifically include internal audit.

Accountant-client, attorney-client, and work product privileges do not extend to matters disclosed to a third party. Reference IIA: Practice Advisory 2400-1: Legal Considerations in Communicating Results for additional information regarding privileges.

Some Relevant Court Cases

Case law regarding internal audit and their work has helped to shape the legal landscape in this area.

Cardinal, Inc. Case

Court held that turning over documents to the government does not automatically represent a waiver for attorney-client privilege or work product protection.

Chinn Case

Court denied work product privilege associated with an internal audit forensic accounting investigation. The court based the denial on the fact that the Audit Committee discussed the matter at two meetings with the external auditor present.

Specialties, Inc. Case

Court upheld work product privilege related to an Audit Committee Report written in response to suspected irregularities that was not prepared in the normal course of business.

Del Global Case

Court fined and permanently barred an Audit Committee member that allegedly knew a signed confirmation letter received as part of audit fieldwork was false from serving as an officer of a public company.

Moore Case

SEC barred an Audit Committee Member that allegedly knew of a failure to disclose a related-party transaction and a failure to discount receivables in accordance with GAAP.

These last three cases illustrate the importance of Audit Committee accountability.

What can you do to protect information?

To increase the likelihood of maintaining the privileged status of your internal audit information, consider taking the following steps.

Plan of Action

Before an event occurs, develop a plan of action for handling sensitive information.
Work with counsel to develop a clear method for handling information you consider privileged.

Comprehensive Policy

All organizations should have a clear policy on confidentiality and periodically remind employees of the policy.

Procedure

Establish clear steps on how to proceed in specific situations.
Internal Audit and Audit Committee procedures should be included.
Reference IIA Practice Advisory 2440-2: Communicating Sensitive Information Within and Outside the Chain of Command for additional information on communicating audit results and sensitive and information
Counsel should help develop and approve the steps.

Investigations

Immediately discuss with counsel.
Formally engage counsel.
Limit the number of personnel involved.

Maintaining the confidentiality of your work requires some forethought and planning, but with some preparation and understanding, you can be in compliance and on track.

If you have any questions or comments, contact Elaine Nissley at ENissley@macpas.com.