
CRM Course
IPAI
Prof.ª Dr.ª Fátima Geada

The Value of Internal Auditing

Avaliar (to evaluate)
To determine the worth or value of; to appreciate the merit of; to recognise the magnitude, strength or intensity of; etc.

Dicionário da Língua Portuguesa, Porto Editora

Question: how is the Value of Internal Auditing determined?

The magic formula:

VAI = (Ri - Rr) / RAI

Legend:
VAI = Value of Internal Auditing (Valor da Auditoria Interna)
Ri = Inherent Risk (Risco Inerente)
Rr = Residual Risk (Risco Residual)
RAI = Internal Audit Resources (Recursos de Auditoria Interna)

Increasing the Value of Internal Auditing =
• "Increasing" the inherent risk
• Reducing the residual risk
• Reducing Internal Audit Resources

"Increasing" the inherent risk (in audit work):

In the planning phase:
• Carry out work in the areas of highest inherent risk;
• Select the highest-risk processes/units for audit.

In the execution phase:
• Identify in each engagement the risks with the greatest impact and frequency.

Reducing the residual risk:
• Implementation of consequent and effective action plans that bring risks down to acceptable and tolerable levels (Rr > 0);
• Obtain the commitment of the "clients";
• Monitor the action plans.

Reducing Internal Audit Resources:
• Efficient use of the available resources: people and tools;
• Good leadership and a good team;
• Good general and specialised preparation;
• Solid knowledge of the business;
• Continuous professional development: training and international certifications (CIA, CCSA, CGAP, CFSA, CISA, etc.);
• Cost-benefit analysis: means proportionate to the expected results;
• Numerator greater than denominator.

Increasing the perceived Value:
• Ability to relate to and communicate with the parties interested in the Internal Audit activity: supervisory bodies, executive management and operational management;
• Effective reporting: write not to be read but to obtain Results;
• Tell the "clients" what they need to know, in a way they can understand and in a form that lets them act;
• The 5 C's:
  – Inform: condition, criterion
  – Persuade: consequence
  – Obtain results: cause and corrective action

In summary, the Value of Internal Auditing depends on:
• Planning based on the organisation's main risks;
• Execution and reporting focused on the risks with the greatest impact and frequency;
• Effective and consequent recommendations and action plans that bring risks down to acceptable and tolerable levels;
• Good leadership and a good team, with solid knowledge of the business, continuous training and international certifications;
• Efficient use of the available resources;
• Good relationships and effective communication.

The "New" Definition of Internal Auditing

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” (www.theiia.org)

The IPAI's Portuguese rendering of the same definition (www.ipai.pt), translated back into English: “Internal auditing is an independent, objective assurance and consulting activity, intended to add value and improve an organisation's operations. It assists the organisation in achieving its objectives through a systematic, disciplined approach to evaluating the effectiveness of risk management, control and governance processes.”

The Focus of Internal Audit on Managing Business Risks

• Risk Management is a key responsibility of Management; to achieve the business objectives, Management must ensure that an adequate Risk Management process exists and is working;
• The Board has a supervisory role over the implementation and effectiveness of the Risk Management process;
• Internal Auditors should support both Management and the Board in examining, evaluating, reporting on and recommending improvements to the adequacy and effectiveness of the Risk Management process;

• In their consulting role, internal auditors can support the organisation in identifying, evaluating and implementing risk management methodologies and the controls that respond to those risks;
• The "new internal audit" should broaden its service framework to Management, the Board and other stakeholders in the organisation;
• Effective internal auditors serve as the conscience of the organisation and are the champions of operational efficiency, internal control and risk management.

[Figure: impact/probability matrix. Vertical axis: Impact (Low to High); horizontal axis: Probability (Low to High). High impact and low probability: catastrophic "one-off" risks; high impact and high probability: strategic risks, the domain of Risk Management and Planning; low impact: operational risks, the domain of Internal Audit and Internal Control.]

Link between the Internal Audit, Risk Management and Planning processes

[Figure: three parallel process columns, each read top to bottom]
Planning and Management Control Process: Strategic analysis → Evaluate alternatives → Implementation → Monitor
Risk Management Process: Identify → Evaluate → Measure → Manage → Monitor
Internal Audit Process: Risk assessment and audit planning → Audit execution → Reporting
Risk-based auditing

Planning: the business objectives
Risk Management: assess the risks to the business objectives
Internal Audit: assess how the risks of processes, systems and business units are managed

The opportunity to build value
• Replace "control" with "risk" in vocabulary and in actions with Management;
• Risk-based auditing focuses on the material risks the organisation faces;
• Linking the audit process to management planning ensures that internal audit addresses issues of value to the organisation.

Source: David McNamee (RISK MANAGEMENT: Changing the Internal Auditor’s Paradigm, IIA)

Working with Risks aligns Internal Audit with Management

Risk-based planning → Risk-based programmes → Risk-based reporting → ADDED VALUE

Source: David McNamee (RISK MANAGEMENT: Changing the Internal Auditor’s Paradigm, IIA)

The Professional Practices Framework for Internal Auditing

• Issued by the IIA (www.theiia.org) and translated by the IPAI (www.ipai.pt)
• Objectives of the Standards:
  – Delineate basic principles that represent the practice of Internal Auditing as it should be;
  – Provide a framework for performing and promoting a broad range of Internal Audit activities;
  – Establish a basis for evaluating Internal Audit performance;
  – Foster improved organisational processes and operations.

Internal Audit Indicators

Risk Assessment Models

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) produced a report that became a landmark for internal control, both for establishing internal control systems and for determining their effectiveness.

According to COSO, the three main objectives of an internal control system are to ensure:
• Efficient and effective operations;
• Accurate financial reporting;
• Compliance with laws and regulations.

COSO also highlights five essential components of an effective internal control system:
1. Control environment. Sets the foundation for the internal control system by providing fundamental discipline and structure (integrity, ethics, competence, authority, responsibility, management philosophy, organisational culture, structure, HR policies and practices).
2. Risk assessment. Involves the identification and analysis by management, not by the internal auditor, of the risks relevant to achieving the predetermined objectives (compatibility of objectives, identification of the risks of not achieving the objectives, assessment of the most critical risks, definition of actions to mitigate the risks, and risks over the financial statements (existence, completeness, rights and obligations)).
3. Control activities, or policies, procedures and practices. Ensure that management objectives are achieved and that risk mitigation strategies are implemented (approvals, authorisations, verifications, reconciliations, external confirmations, reviews of operational performance, reviews of asset safeguarding, reviews of segregation of duties).
4. Monitoring. Covers the external supervision of internal controls by management or by other parties external to the process. It can also consist of the application of independent methodologies (such as customised procedures or standard checklists) by the employees involved in a process.

5. Information and communication. Supports all the other control components by communicating control responsibilities to employees and by providing information that allows people to fulfil their responsibilities (identification, collection and communication of information; form and timeliness of communication; information-system reports; internally and externally generated information; messages from top management on the importance of control).

Among the advantages of COSO-based audits, we can highlight:
• Effectiveness: testing all five COSO control components provides a solid basis for determining the degree of assurance the controls provide.
• Efficiency: focusing on one category of COSO objectives protects against the problem of undefined scope (which usually carries high costs).
• Comparability: using a common audit framework and rating system allows controls from different business segments to be compared.

CobiT

CobiT is an IT governance guide recommended by the ISACF (Information Systems Audit and Control Foundation, www.isaca.org).
CobiT includes resources such as an executive summary, a framework, control objectives, audit guidelines, an implementation tool set and a guide with management techniques.
CobiT's management practices are recommended by IT management experts; they help optimise IT investments and provide metrics for evaluating results. CobiT is independent of the IT platforms adopted by companies.

CobiT is business-oriented, providing detailed information for managing processes based on business objectives.

CobiT is designed to assist three distinct audiences:
• Management, who need to assess risk and control IT investments in an organisation;
• Users, who need assurance that the IT services on which their products and services for internal and external customers depend are being well managed;
• Auditors, who can rely on CobiT's recommendations to assess the level of IT governance and advise on the organisation's internal control.
It is divided into 4 domains:
1. Planning and organisation;
2. Acquisition and implementation;
3. Delivery and support;
4. Monitoring.

CobiT draws on contributions from several companies and international bodies, including:
• Technical standards from ISO, EDIFACT;
• Codes of conduct issued by the Council of Europe, OECD, ISACA;
• Qualification criteria for IT and processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT;
• Professional standards for internal control and auditing: COSO, IFAC, AICPA, CICA, ISACA, IIA, PCIE, GAO;
• Industry forum practices and requirements (ESF, I4) and government-recommended platforms (IBAG, NIST, DTI);
• Requirements of emerging industries such as banking, electronic commerce and software engineering.
New Approaches (ISO 31000)

ISO 31000:2009, Risk management - Principles and Guidelines
This standard, published on 13/11/2009, recommends that organisations develop and put into practice a risk management framework, which will be integrated into their quality management system and continuously improved.

In parallel, ISO published standard 73:2009, "Risk management - Vocabulary", which complements it by providing a set of terms and definitions in this field.

ISO 31000 offers generic guidance for risk management. It sets out principles, a framework and a process for managing the various types of risk, including environment and safety, in all organisations regardless of size:
• establishes Principles for effective Risk Management
• recommends a Framework for integrating the process across the whole organisation
• recommends the adoption of consistent Risk Management Processes within a comprehensive framework

This standard does not mandate a single rigid approach, but emphasises applying the principles and guidance within the organisation's specific structure and needs.

When implemented and maintained in accordance with the international standard ISO 31000, risk management enables the organisation to:
• Encourage proactive rather than reactive management
• Be aware of the need to identify and treat risks across the whole organisation
• Improve the identification of opportunities and threats
• Comply with legal and regulatory requirements and international standards
• Improve financial reporting
• Improve corporate governance
• Improve stakeholder confidence

• Establish a reliable basis for planning and decision-making
• Improve controls
• Allocate and use resources for risk treatment effectively
• Improve operational effectiveness and efficiency
• Improve incident management and prevention
• Minimise losses

Case Studies - Retail

Risk Management and Internal Audit

Scope of Risk Management:
• Physical and insurable risks:
  – Safety of people
  – Property damage
  – Business interruption
• Business process risks
• Compliance risks:
  – Legislation and contracts
  – Internal control policies and procedures
  – Environmental, Health and Safety (SHE) policies and procedures

• Financial risks:
  – Cash and banks
  – Collections and payments
  – Credit
• Information systems and technology risks:
  – Availability
  – Integrity
  – Physical security
  – Performance and quality

Case Studies - Aviation

Risk Management and Internal Audit

Workshop objectives
• Based on existing draft methods, define a method for risk assessment of:
  – Current risks (based on hazard identification by safety tools)
  – Future risks (“change management” or “safety case”)
• Address typical difficulties encountered using such methods and document the recommended practices
• Test the methods using real test cases provided by the participants
• Document the methods, preferably with example cases
• The ultimate objective is to produce useful and well-documented methods which can be shared with the rest of the industry

Remarks
• A very practical approach for this workshop is proposed
• The scope is “case-by-case”. We are refining methods for assessing a single risk.
• The next workshop could be dedicated to methods for managing all operational risks at the company level (e.g. Bowtie)
• Some draft methods are presented below. If you can contribute, please send your method(s) to Jari.
• The methods for Current and Future risks should be quite similar, the main difference being the data source

• We need (hopefully real) test cases of all kinds to test the methods. Could everyone bring at least one test case please. It could be based on any data source.
• Typical difficulties are listed below. If you can contribute, please send your inputs to Jari.
• Please look at the example material in advance

Typical difficulties / issues to solve

• Colors in the risk matrix
  – For example, the “extremely severe / extremely unlikely” corner should probably not be red. There are threats like “mid-air collision” which will always be “extremely severe”, and all that can be done is to make them unlikely enough. If that corner is red, there is no way to get out of the red zone.
  – However, it is then equally important that the concrete definition of “extremely unlikely” is conservative enough that a major accident is “acceptable” at that “frequency”.

• Phrasing of severity classes and likelihood classes on the axes of the matrix
  – To reduce subjectivity, the definitions should not be only generic, e.g. “occasional” or “severe”
  – For likelihood classes, concrete time expressions are very helpful, e.g. “max once a year” or “has happened in the industry”. However, such expressions must be customized to each organization, calibrating them with the volume of operation. A clear procedure for such calibration would be most helpful.
  – The severity class definitions cannot be related only to the actual outcome of the event, otherwise potential outcomes would be ignored
  – The class definitions must be calibrated with the colors on the matrix (see the previous slide)

• One part of risk assessment is to assess existing and potential risk controls.
  – Should existing risk controls be taken into account in the initial risk assessment? Ignoring all controls would probably create a very “theoretical” case.
  – At what point in the assessment sequence should the controls be taken into account?
  – How to assess the combined effect of several controls, both for real controls and for potential controls? How to then assess the residual risk?

Risk Mgt flow chart (ICAO SMS course)

Risk management process at a glance:
1. A safety concern is perceived.
2. Identify hazards/consequences and assess risks.
3. Define the level of probability and the level of severity.
4. Define the level of risk.
5. Is the risk level acceptable? YES: take action and continue the operation. NO: go to 6.
6. Can the risk be eliminated? YES: take action and continue the operation. NO: go to 7.
7. Can the risk be mitigated? YES: go to 8. NO: cancel the operation.
8. Can the residual risk (if any) be accepted? YES: take action and continue the operation. NO: cancel the operation.
Feedback loop: record the hazard identification and assessment and the risk mitigation.

Draft method 1 (for assessing Current Risks)

1. Define safety issue and scope
2. Combine and review relevant data
3. Study severity and likelihood to derive initial risk value
4. Assess acceptability of risk
5. Study current and potential risk controls/protections
6. Assess acceptability of risk with added controls/protections
7. Decide whether the operation is continued, and the necessary conditions and actions

• See Case study C1 in the ARMS SharePoint for a Case Study using this method

DRAFT METHOD 2 (courtesy of ANZ): Risk Analysis & Evaluation Process

1. Establish the Context
   1.1 Determine the scope for the review
   1.2 Identify key business objectives, processes etc within the scope
   1.3 Determine interrelationships with other areas of the business
2. Identify the Risk
   2.1 Identify risks (threats & opportunities) relevant to the context of the review
       Consider external risks: Political & Regulatory, Economic, Markets, Community, Physical, Technology, Competition, Supply
       Consider internal risks: Leadership, Strategy & Planning, Data & Information, People, Customer Management, Processes, Services & Products, Business Performance
   2.2 Identify risk controls & evaluate effectiveness
       Controls: Strategies, Plans, Policies, Standards, SOPs, Training, Skills, Expertise, IT systems, Equipment, Documentation, Audits, Monitoring systems, Reports, Validations
       Effectiveness scale: Excellent, Very Good, Good, Adequate, Unacceptable, Non existent
3. Analyse & Evaluate the Risk
   3.1 Determine Likelihood: Almost certain (Days-Weeks), Likely (Weeks-Months), Possible (Months-Years), Unlikely (Years-Decades), Rare (Decades-100yr)
   3.2 Determine Consequence: Catastrophic (Survival), Major (Continued operations), Moderate (Significant change), Minor (Efficiency/effectiveness), Insignificant (Negligible)
   3.3 Select priority risks (Extreme/High/Significant)
   3.4 Determine acceptability of risk: Unacceptable, go to step 4; Acceptable, go to step 5
4. Treat the Risk: Reduce or Avoid or Transfer or Accept or Exploit risks, in priority order
5. Monitor the Risk & Report

Risk rating matrix (Likelihood x Consequence):

Likelihood     | Insignificant | Minor       | Moderate    | Major       | Catastrophic
Almost Certain | Significant   | Significant | High        | Extreme     | Extreme
Likely         | Medium        | Significant | Significant | High        | Extreme
Possible       | Low           | Medium      | Significant | High        | High
Unlikely       | Low           | Low         | Medium      | Significant | High
Rare           | Low           | Low         | Medium      | Significant | Significant

Completing the Risk Register

Register columns: No | Risk Description | Risk Consequences | Controls | Control Effectiveness | Likelihood | Consequence | Risk Rating | Risk Score | Responsibility (WHO?)

Guidance:
• Sequentially number the risks.
• Describe the risk as a scenario: a change in controls gives rise to an event with a specific impact.
• Describe the consequences in terms of the impact on: operational capability, people, reputation, compliance, cost, customer loyalty etc.
• List controls in terms of: organisational factors; environment & task factors; individual actions; defensive systems & processes.
• Risk Rating = Likelihood x Consequence.
• Risk Score = Risk Rating x (1 - Control Effectiveness); use for quantitative assessments only.

Control Effectiveness scale:
Excellent     0.95  maximum mitigation; controls optimum
Very Good     0.80  good mitigation; small improvements in controls
Good          0.70  majority of risk mitigated; control improvements recommended
Adequate      0.55  mitigation occurs; significant control improvements needed
Unacceptable  0.45  poor mitigation; controls fail repeatedly
Non-existent  0.30  no mitigation; controls incapable

Likelihood scale:
Almost certain (A)  0.99  facing this issue now, occurs daily/weekly
Likely (L)          0.50  on balance of probabilities, will occur at least monthly
Possible (P)        0.25  may occur but against balance of probabilities; may occur annually
Unlikely (U)        0.10  do not anticipate it will occur in the foreseeable future; once in several years
Rare (R)            0.01  occurrence requires exceptional circumstances; occurs once in decades (hundred-year event)

Consequence scale:
Catastrophic   600  threatens survival of the business, > 10% of EBIT or cost > $100M; multiple fatalities or devastating customer/staff impact, long-term effects
Major          300  threatens the continuity of the business, > 5% of EBIT or cost > $10M; fatality or major customer/staff impact, > 1 week effects
Moderate       100  significant changes to operations, > 3% of EBIT or cost > $1M; serious injury or customer/staff impact, < 1 week effect
Minor           30  efficiency/effectiveness of processes, > 1% of EBIT or cost > $100,000; injury or customer/staff impact < 1 day
Insignificant   10  negligible effect, < 1% of EBIT or cost < $100,000; first-aid accident or negligible customer/staff impact
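As an added worked example (not part of the course slides or of ANZ's material), the following Python encodes the qualitative Likelihood x Consequence rating matrix and the quantitative likelihood, consequence and control-effectiveness values from the two slides above, then scores a constructed risk register; the register entries and owner names are made up for illustration.

```python
"""Risk register scoring with the ANZ "Draft method 2" scales.

Added example, not the course's or ANZ's own code: it implements
Risk Rating = Likelihood x Consequence and
Risk Score  = Risk Rating x (1 - Control Effectiveness)
with the class values shown on the slides, plus the qualitative matrix lookup.
"""
from dataclasses import dataclass

# Column order of the qualitative matrix (consequence, increasing severity).
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Qualitative rating matrix from the slide: rows = likelihood, columns = consequence.
RATING_MATRIX = {
    "Almost certain": ["Significant", "Significant", "High", "Extreme", "Extreme"],
    "Likely":         ["Medium", "Significant", "Significant", "High", "Extreme"],
    "Possible":       ["Low", "Medium", "Significant", "High", "High"],
    "Unlikely":       ["Low", "Low", "Medium", "Significant", "High"],
    "Rare":           ["Low", "Low", "Medium", "Significant", "Significant"],
}

# Quantitative values from the "Completing the Risk Register" slide.
LIKELIHOOD_VALUE = {"Almost certain": 0.99, "Likely": 0.50, "Possible": 0.25,
                    "Unlikely": 0.10, "Rare": 0.01}
CONSEQUENCE_VALUE = {"Catastrophic": 600, "Major": 300, "Moderate": 100,
                     "Minor": 30, "Insignificant": 10}
CONTROL_EFFECTIVENESS = {"Excellent": 0.95, "Very Good": 0.80, "Good": 0.70,
                         "Adequate": 0.55, "Unacceptable": 0.45, "Non-existent": 0.30}

# Ratings the slide selects as priority risks (step 3.3).
PRIORITY_RATINGS = {"Extreme", "High", "Significant"}


@dataclass
class RiskEntry:
    """One row of the register; field names follow the register columns."""
    number: int
    description: str
    likelihood: str
    consequence: str
    control_effectiveness: str
    owner: str


def qualitative_rating(likelihood, consequence):
    """Matrix lookup; rejects classes that are not on the slide's axes."""
    if likelihood not in RATING_MATRIX:
        raise ValueError(f"unknown likelihood class: {likelihood!r}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence class: {consequence!r}")
    return RATING_MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def risk_rating(likelihood, consequence):
    """Risk Rating = Likelihood x Consequence (quantitative)."""
    return LIKELIHOOD_VALUE[likelihood] * CONSEQUENCE_VALUE[consequence]


def risk_score(likelihood, consequence, control_effectiveness):
    """Risk Score = Risk Rating x (1 - Control Effectiveness), rounded to 2 dp."""
    residual_factor = 1 - CONTROL_EFFECTIVENESS[control_effectiveness]
    return round(risk_rating(likelihood, consequence) * residual_factor, 2)


def score_register(entries):
    """Score every entry and return the rows ordered by residual Risk Score,
    highest first, which is the treatment order step 4 asks for."""
    rows = []
    for e in entries:
        rating = qualitative_rating(e.likelihood, e.consequence)
        rows.append({
            "no": e.number,
            "description": e.description,
            "rating": rating,
            "risk_rating": risk_rating(e.likelihood, e.consequence),
            "risk_score": risk_score(e.likelihood, e.consequence, e.control_effectiveness),
            "priority": rating in PRIORITY_RATINGS,
            "owner": e.owner,
        })
    return sorted(rows, key=lambda r: r["risk_score"], reverse=True)


# Constructed sample register (hypothetical scenarios, not from the page).
SAMPLE_REGISTER = [
    RiskEntry(1, "Loss of backup power at hangar", "Unlikely", "Catastrophic", "Very Good", "Facilities"),
    RiskEntry(2, "Unauthorised change to flight-planning system", "Likely", "Major", "Good", "IT Ops"),
    RiskEntry(3, "Late supplier invoice processing", "Almost certain", "Insignificant", "Non-existent", "Finance"),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        flag = "PRIORITY" if row["priority"] else ""
        print(f'{row["no"]:>2} {row["rating"]:<12} rating={row["risk_rating"]:>6.2f} '
              f'score={row["risk_score"]:>6.2f} {row["owner"]:<10} {flag}')
```

Note that the qualitative matrix and the quantitative score can disagree: the third sample entry is "Significant" (a priority risk) on the matrix yet has the lowest residual score, which is why the slide restricts Risk Score to quantitative assessments only.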

Draft method 3 (for assessing Future Risks)

1. Describe activity and scope
2. Brainstorm Hazards and Threats
3. Identify existing controls and assess how much you know about their robustness
4. Knowing the threats and controls, assess the risk for each threat
5. Estimate the overall risk. Place on risk matrix.
6. If necessary, study risk reduction options.

• See Case study F1 in the ARMS SharePoint for a Case Study using this method

Risk Matrix – example 1

Potential Consequence of the Incident (severity rating 0 to 5):

Rating | People            | Env'ment         | Assets                     | Reputation
0      | No injury         | Zero effect      | Zero damage                | No impact
1      | Slight injury     | Slight effect    | Slight damage < US$ 10K    | Slight impact
2      | Minor injury      | Minor effect     | Minor damage < US$ 50K     | Local impact
3      | Serious injury    | Localised effect | Local damage < US$ 250K    | Industry impact
4      | Single fatality   | Major effect     | Major damage < US$ 1M      | National impact
5      | Multiple fatality | Massive effect   | Extensive damage > US$ 1M  | International impact

Increasing Probability (A to E):
A: Unknown but possible in the aviation industry
B: Known in the aviation industry
C: Happened in this company
D: Happened > 3 x in the company
E: Happened > 3 x in this location

Source: C.Edwards/SHELL

Risk Matrix – example 2 [figure not reproduced]

Risk control evaluation sheet

Hazard: _____________________ Threat: _______________________

Controls   | Robustness (Zero - not in place / Poor / Medium / Good) | Remarks
Prevention |                                                         |
Recovery   |                                                         |
Mitigation |                                                         |

ANNEXES

Annexes – Practice Advisory [slides not reproduced]

A Standard of QUALITY

. . . key messages to CAEs and audit committees

www.theiia.org/Quality

Internal Auditing
• Independent
• Objective
• Assurance and consulting activity
• Adds value
• Improves operations
• Helps accomplish objectives

Internal Auditing brings a systematic and disciplined approach to evaluate and improve the effectiveness of the risk management, control, and governance processes.

Professionalism Means:
• Adherence to the Standards.
• Compliance with the Code of Ethics.
• Competency, evidenced by certification (CIA).
• Maintaining a “Quality Assurance and Improvement Program.”
• Ongoing professional development.

Internal Auditing and Quality

Nobody in the organization better understands the need for independent and objective assessment of quality than do the internal auditors.

They audit, review, and assess the work of others on a daily basis. They understand the great value this can bring to the entire organization.

The International Standards for the Professional Practice of Internal Auditing mandate that the internal audit activity be assessed for quality.

This presentation explains why quality is so important to internal audit professionalism and performance.

Q. Why is a quality assurance and improvement program necessary?

A. As an organization grows, its operations undergo refinement, and its internal processes change and evolve, its quality monitoring process must keep pace.

Q. What does a quality assurance and improvement program include?

A. The required elements of the program are periodic internal and external quality assessments, ongoing internal monitoring, and assurance that the internal audit activity is complying with the Standards and the Code of Ethics.

Q. What is a quality assessment?

A. A quality assessment, or QA, evaluates compliance with the Standards, the internal audit and audit committee charters, the organization’s risk and control assessment, and the use of best practices.

Q. Which organizations should obtain QAs?

A. All internal audit departments, even those outsourced or co-sourced, should undergo quality assessments.

Q. If an organization has not yet established a Quality Assurance and Improvement Program, how can it start the process?

A. A good first step on the path to quality is to conduct an internal quality assessment.

Q. How do internal and external QAs differ?

A. Internal assessments comprise ongoing internal evaluations of the internal audit activity, coupled with periodic self-assessments and/or reviews.

External assessments require an outside team of independent reviewers to evaluate compliance with the Standards, the use of best practices and the efficiency and effectiveness of the internal audit activity.

Q. What are the benefits of an independent external QA?

A. It allows the internal auditors to state that their activities are conducted “in accordance with the International Standards for the Professional Practice of Internal Auditing.”

Q. When should an internal audit shop have an external QA?

A. It is mandatory that every internal audit activity have an external quality assessment every five years to be in compliance with the Standards.

38
Internal Auditing and Quality
Q. How is an external QA conducted?

A. There are various acceptable methods of


performing external QAs. One typical
methodology includes preparation, on-site
activities, and reporting.



Q. What are appropriate external QA approaches?

A. Regardless of an organization’s industry or the internal audit activity’s complexity or size, there are two approved approaches to external QAs.

Q. What are the selection criteria for external QA providers?

A. At a minimum, the QA provider should use compliance with the Standards as the benchmark for quality.



Q. How do peer reviews fit into the QA process?

A. External quality assessments or self-assessments can be conducted through peer reviews instead of utilizing external service providers.

Q. What are the repercussions of not acquiring an external QA?

A. If the internal audit activity does not acquire the external assessment every five years, it is forbidden to use the phrase, “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing,” in reports or its internal audit charter.



Q. What if the results of an external QA are negative?

A. The organization should create an action plan that specifically addresses each opportunity for improvement cited in the assessment.

Q. What is the next step in the process if the results of an external QA are positive?

A. Once the QA has been completed, the CAE should report the results to the audit committee.



Q. What QA resources are available?

A. The IIA provides free samples, models, and other resources, based on quality assessment best practices. Visit the QA section of www.theiia.org to access and/or download these valuable tools.

This presentation is from The Institute of Internal Auditors, Global Headquarters, www.theiia.org

Questions? Contact pr@theiia.org


External Quality Assessments

Frequently Occurring Findings Observed by The IIA QA Teams

www.theiia.org

External Quality Assessments

This presentation is a sample of the common observations and is not an exhaustive list of all observations resulting from the external quality assessments (QAs) conducted by The IIA Inc. This list will be updated periodically to reflect any new trends in Standards conformance.

Standard 1000
Observation
The IA Activity charter is not updated on an annual basis. The IA activity charter requires revision to consider The IIA’s new definition of internal auditing, to reflect the CAE’s responsibilities, and to obtain approval from the Audit Committee.

Recommendation
Update the IA activity audit charter on an annual basis to ensure it contains all the responsibilities of the IA Activity. Obtain the Audit Committee’s approval of the revised charter.
Standard 1110
Observation
The organization chart shows that the CAE has a direct
reporting relationship to the Executive Vice President and
Chief Operating Officer and a dotted line relationship to
the Audit Committee.

Recommendation
The Audit Committee should evaluate the CAE reporting
relationship to ensure the independence of the CAE is not
impaired.


Standard 1210
Observation
There is a perception on the part of clients, based on the
client survey results and management interviews, that the
IA Activity Staff does not possess the desired level of
business knowledge.

Recommendation
Increase auditor knowledge of business operations through
staff rotation programs and in house training on business
operations.

Standard 1210
Observation
The internal audit activity should possess or obtain the
knowledge, skills, and other competencies needed to
perform its responsibilities, including knowledge of key
information technology risks and controls.

Recommendation
Enhance information technology audit coverage by hiring
information technology audit specialists, providing
additional specialized IA staff training and/or engaging IT
audit contractors with appropriate qualifications.


Standard 1300
Observation
The IA Activity uses the Standards to generally define the profession’s audit quality, but has not set up a formalized quality assurance and improvement program, as called for in Standard 1300.

Recommendation
Establish and document a Quality Assurance and
Improvement Program as set forth in the Standards and
Practice Advisories.

Standard 1311
Observation
While several elements of the new Standards on quality
assurance have been implemented by the IA Activity, the
internal ongoing assessments could be strengthened by
additional monitoring and benchmarking.

Recommendation
Implement an ongoing internal quality assessment process
with the use of performance metrics (e.g., cycle time,
customer satisfaction, cost recovery, balanced scorecard)
which can be monitored on an ongoing basis.


Standard 2010
Observation
The IA Activity does not have a formal, documented risk
assessment model for audit planning.

Recommendation
Formalize the annual audit planning and risk assessment
process to more closely conform to IIA Standard 2010.

Standard 2010
Observation
While the audit universe has been identified, the annual
audit plan does not include all entities in the audit
universe.

Recommendation
Establish an internal audit risk assessment process to
determine the priorities of the IA activity, consistent with
the company’s goals and objectives.


Standard 2030
Observation
The CAE should implement use of metrics to measure
actual internal auditing performance against budget.

Recommendation
Use metrics to compare the actual use of resources to the
budget.

Standard 2040
Observation
There is no formal internal audit policies and procedures
manual governing the operating activities of the IA
activity.

Recommendation
Develop an IA activity audit policies and procedures manual to help guide the operations of the audit department.


Standard 2330
Observation
A set of working paper standards needs to be developed
and formally defined in the IA activity policies and
procedures. A review of working papers indicated the
quality varied between audit staff.

Recommendation
Develop and enforce working paper standards, including
sample formats, documentation requirements, indexing,
and cross-referencing techniques with sufficient flexibility
to serve as guidance for all types of audits, reviews, and
evaluations.
Standard 2420
Observation
A review of work papers disclosed that the audit reports for 80% of the engagements reviewed were issued later than scheduled.

Recommendation
Improve the timeliness of audit reports by reducing the
current time gap between the audit closing and the
issuance of the report.


Standard 2420
Observation
Management interview comments indicate audit reports
are not perceived as timely.

Recommendation
Shorten the time taken to issue audit reports.

Leading Practice
Observation
A formal program of career development and use of
rotational employees has not been established and should
be considered in the long-term.

Recommendation
Institute an employee rotation program that would provide
opportunities for operating managers to gain experience
across the company and also provide the IA Activity with a
steady stream of fresh business knowledge for the audit
staff.


Leading Practice
Observation
The company lacks a management control policy
statement that clearly defines the responsibilities of the
audit committee, senior management, and the IA Activity.

Recommendation
Consider implementing a management control policy that
would provide a single statement on controlling the
activities of the organization to clarify the control
responsibilities of the Audit Committee, management and
the IA activity.

Practice Advisory 2060-2
Observation
The charter does not call for AC participation in the
selection or removal of the CAE, nor does the charter call
for AC approval of annual compensation and salary
treatment for the CAE.

Recommendation
Consider participating in the selection, removal and
compensation of the Chief Audit Executive (CAE).


Practice Advisory 2060-2
Observation
The current Audit Committee Charter does not mention
any role the Audit Committee may have in setting or
approving the CAE’s compensation.

Recommendation
Revise the Audit Committee Charter to require
concurrence on the CAE’s compensation and annual merit
increase.

External Quality Assessments

Comments or questions?
Please contact Quality at The IIA:
quality@theiia.org


Internal Auditing Leading Practices

Observations from External Quality Assessments conducted by The IIA

Leading Practices
The IIA has conducted external quality
assessments for over 18 years. Along with
observations on Standards conformance,
The IIA also has observed leading practices.
Following is a brief list of some of The IIA QA
Team observations of leading practices.
Although not an exhaustive list, it does
provide insights into what other IA activities
are doing to make them “world class” in the
profession of internal auditing.


Leading Practices
Risk Assessment and Audit Planning

• The IA Activity seeks management’s input to the Internal Audit risk assessment process, both as part of the annual audit planning and in the detailed audit planning for individual audits. In planning individual audits, the IA Activity seeks management’s input on both areas of risk and in suggestions for audit scope.
• Introduction of a new “process auditing” approach, coupled with integrated audit work teams, to improve the effectiveness and scope of audits and enhance Internal Audit’s value as a business partner.
• IA Activity brainstorming sessions, during the planning and reporting phases of audit engagements, strengthen the audit engagement planning and reporting processes.

Leading Practices
Governance
• The CAE meets one on one with senior executives on a monthly basis to increase management’s awareness about governance, risk assessment, internal audit and the value of a strong control environment.
• The IA Activity facilitated Enterprise Risk Management (ERM) sessions with each line of business, assisting each of them in developing the basis for quarterly risk reports. Currently the business units are responsible for ERM self-evaluations each quarter.
• Use of technology, including the Issue Manager tracking tool, enhances the efficiency of Internal Audit. Issue Manager is used to track recommendations from Internal Audit, external auditors, and the Financial Compliance Group Sarbanes-Oxley processes; these are accessed by the Audit Committee, management, and the groups making the recommendations.


Leading Practices
Quality Assurance and Improvement
• The IA Activity has a quality assurance and improvement program that includes external quality assessment and both periodic and ongoing internal quality assessment. A variety of performance metrics are used to monitor performance and these measures are communicated to the Audit Committee.
• The IA Activity has implemented internal quality assurance activities that involve post-engagement reviews of execution and documentation, internal reviews/external benchmarking of selected other internal audit processes, and an array of metrics for measuring internal audit’s performance.
• The IA Activity uses a balanced scorecard to periodically measure the IA Activity’s performance. Results are tracked quarterly and reported to the Audit Committee.
• The IA Activity uses 6-Sigma in project development to assist in identifying process improvements in the internal auditing activity.

Leading Practices
Professional Development
• The IA Activity participates regularly in professional organizations related to Internal Audit, also holding leadership positions from time to time. Additionally, the IA Activity personnel have participated as volunteers for external quality assessments through the peer review program in conjunction with The IIA. This has yielded a network of professional contacts that are used for new ideas and benchmarking purposes.
• With regard to staff academic and professional qualifications, the IA Activity holds an impressive record that is better than many other IA activities in the profession. For example, 97% of the professional members of the IA Activity have a Bachelor’s degree, 35% a Master of Science degree and 32% a Master of Business Administration degree. The record of obtaining professional certification is remarkable, as 50% of the 34 auditors in the IA Activity have earned professional designations such as CIA, CPA, CISA, CMA, CFE, CGA, etc.
• The IA Activity has implemented successful Short-Term and Long-Term Audit Rotation programs.


Leading Practices
Increasing Awareness of Internal Audit

• The IA Activity has an audit brochure that contains a summary of its purpose, services, responsibilities, deliverables and benefits. The IA Activity also has a web page on the company Intranet. Such methods of advertising and marketing audit services are successful practices for IA activities.

• The IA Activity has a marketing brochure that includes a letter of support for the IA Activity signed by the Audit Committee Chair, CEO and CFO.

• The IA Activity has a Targeted Auditor Program (TAP). This is a one-week training program for company employees on the importance of controls and the audit process from start to finish. Participants work through a case study as “auditors” and interview role players and write up audit issues. Top performers are eligible to participate as TAP Auditors on IA Activity teams for audits outside the TAP auditors’ operational areas. This program not only helps train management and employees in the importance of control, it also helps identify prospective candidates for rotation into the IA Activity.

Leading Practices
Value Added Services
• The IA Activity provides consulting services to help management implement internal controls on the front end of projects. This help is so valued that management has recommended that the IA Activity staff be expanded to make more consulting resources available.

• The IA Activity has developed a secure Board of Directors’ web page that is accessible by only directors and other authorized management personnel. The CAE posts her quarterly reports to the web page at least one week before the related AC meetings, and AC members can access them from anywhere in the world to prepare for the AC meetings. This is an effective method to allow timely communication between the CAE and the AC.


Leading Practices
Improving Audit Efficiency
• The IA Activity uses an automated audit management information system that includes automated work papers, issue tracking, time reporting, audit planning, personnel administration, and business risk profiles.

• The IA Activity uses audit software tools such as Audit Command Language to increase staff efficiency and to allow for the review of large amounts of data and the selection of representative samples.

• The Database of Audit Findings, which includes both internal and external findings, is considered important by both customer management and the IA Activity. The database is well maintained and the status of findings is updated regularly.

Leading Practices
Innovative Audit Approach

• The IA Activity introduced a new “process auditing” approach, coupled with integrated audit work teams, to improve the effectiveness and scope of audits and enhance the IA Activity’s value as a business partner.

• The IA Activity identifies “Red Action Items” and COSO control attributes in audit reports, which is an effective means of communicating important issues and control considerations.


Leading Practices
Does your IA Activity have a
leading practice that you would like
to share? If yes, please contact
Quality at The IIA:
quality@theiia.org
