COURSE
CRM
IPAI
Prof. Dr. Fátima Geada
Evaluate
To determine the worth or value of; to appreciate the merit of; to recognise the magnitude, strength or intensity of; etc.
The Value of Internal Audit
The magic formula:
VAI = (Ri - Rr) / RAI
Legend:
Persuade: consequence
The “New” Definition of Internal Audit
[Figure: Impact (Low to High) versus Probability (Low to High). High-impact, low-probability quadrant: catastrophic “one-off” risks; strategic risks are covered by Risk Management and Planning; operational risks are covered by Internal Audit and Internal Control.]
[Figure: Management Planning and Control Process, Risk Management Process and Internal Audit Process.]
[Figure: Planning and business objectives.]
Source: David McNamee (RISK MANAGEMENT: Changing the Internal Auditor’s Paradigm, IIA)
Internal Audit Indicators
CobiT
CobiT is a guide to IT management recommended by the ISACF (Information
Systems Audit and Control Foundation, www.isaca.org).
CobiT includes resources such as an executive summary, a framework,
control objectives, audit guidelines, a set of implementation tools and
a guide to management techniques.
CobiT's management practices are recommended by IT management experts;
they help optimise IT investments and provide metrics for evaluating
results. CobiT is independent of the IT platforms adopted by companies.
CobiT
CobiT is business-oriented, providing detailed information for managing
processes based on business objectives.
CobiT
CobiT draws on contributions from a number of companies and international
bodies, among them:
• Technical standards from ISO and EDIFACT;
• Codes of conduct issued by the Council of Europe, OECD and ISACA;
• Qualification criteria for IT and processes: ITSEC, TCSEC, ISO 9000,
SPICE, TickIT;
• Professional standards for internal control and auditing: COSO, IFAC,
AICPA, CICA, ISACA, IIA, PCIE, GAO;
• Practices and requirements of industry forums (ESF, I4) and of
government-recommended platforms (IBAG, NIST, DTI);
• Requirements of emerging industries such as banking, electronic
commerce and software engineering.
This standard does not impose a single, rigid approach; instead it
emphasises applying its principles and instructions within the structure
and specific needs of the organisation.
Risk Assessment Models
• Compliance risks:
– Legislation and contracts
– Internal control policies and procedures
– Environmental, Health and Safety (SHE) management policies and
procedures
Practical Cases - Retail
Risk Management and Internal Audit
Workshop objectives
• Based on existing draft methods, define a method for risk assessment of:
– Current risks (based on hazard identification by safety tools)
– Future risks (“change management” or “safety case”)
• Address typical difficulties encountered using such methods and document
the recommended practices
• Test the methods using real test cases provided by the participants
• Document the methods, preferably with example cases
• Ultimate objective is to produce useful and well-documented methods which
can be shared with the rest of the industry
Practical Cases – Aeronautics
Risk Management and Internal Audit
Remarks
• A very practical approach for this workshop is proposed
• The scope is “case-by-case”. We are refining methods for assessing a
single risk.
• The next workshop could be dedicated to methods for managing all
operational risks at the company level (e.g. Bowtie)
• Some draft methods are presented below. If you can contribute, please
send your method(s) to Jari.
• The methods for Current and Future risks should be quite similar, the main
difference being the data source
Remarks
• We need (hopefully real) test cases of all kinds to test the methods. Could
everyone bring at least one test case please. It could be based on any data
source.
• Typical difficulties are listed below. If you can contribute, please send your
inputs to Jari.
• Please look at the example material in advance
Risk management process at a glance:
1. A safety concern is perceived.
2. Identify hazards/consequences and assess risks.
3. Define the level of probability and define the level of severity.
4. Define the level of risk.
5. Is the risk level acceptable? YES: take action and continue the operation. NO: go to step 6.
6. Can the risk be eliminated? YES: take action and continue the operation. NO: go to step 7.
7. Can the risk be mitigated? YES: can the residual risk (if any) be accepted? YES: take action and continue the operation. NO: cancel the operation.
Throughout the process: feedback and record the hazard identification and assessment and the risk mitigation.
• See Case study C1 in the ARMS SharePoint for a Case Study using this
method
[Figure: Likelihood versus Consequence matrix; consequence levels Insignificant, Minor, Moderate, Major.]
Completing the Risk Register
Sequentially number the risks.
Describe the consequences in terms of the impact on: operational capability, people, reputation, compliance, cost, customer loyalty etc.
List controls in terms of:
• Organisational factors
• Environment & task factors
• Individual actions
• Defensive systems & processes
Control effectiveness scale:
• Excellent (0.95): maximum mitigation; controls optimum
• Very Good (0.80): good mitigation; small improvements in controls
• Good (0.70): majority of risk mitigated; control improvements recommended
• Adequate (0.55): mitigation occurs; significant control improvements needed
• Unacceptable (0.45): poor mitigation; controls fail repeatedly
• Non-existent (0.30): no mitigation; controls incapable
Risk register columns: No; Risk Description; Risk Consequences; Controls; Control Effectiveness; Likelihood; Consequence; Risk Score (Likelihood X Consequence); Risk Rating; Responsibility (WHO?).
Likelihood scale:
• Almost certain (A), 0.99: facing this issue now, occurs daily/weekly
• Likely (L), 0.50: on balance of probabilities, will occur at least monthly
• Possible (P), 0.25: may occur but against balance of probabilities, may occur annually
• Unlikely (U), 0.10: do not anticipate it will occur in the foreseeable future, once in several years
• Rare (R), 0.01: occurrence requires exceptional circumstances, occurs once in decades (hundred year event)
Consequence scale:
• Catastrophic, 600: threatens survival of the business, > 10% of EBIT or cost > $100M; multiple fatalities or devastating customer/staff impact, long term effects
• Major, 300: threatens the continuity of the business, > 5% of EBIT or cost > $10M; fatality or major customer/staff impact, > 1 week effects
• Moderate, 100: significant changes to operations, > 3% of EBIT or cost > $1M; serious injury or customers/staff impact, < 1 week effect
• Minor, 30: efficiency/effectiveness of processes, > 1% of EBIT or cost > $100,000; injury or customers/staff impact, < 1 day
• Insignificant, 10: negligible effect, < 1% of EBIT or cost < $100,000; 1st aid accident or negligible customer/staff impact
4. Knowing the threats and controls, assess the risk for each threat.
[Table, partially recovered: Rating; consequence columns People, Env'ment, Assets, Reputation; likelihood columns A (Unknown but possible in the aviation industry), B (Known in the aviation industry), C (Happened in this company), D (Happened > 3 x in the company), E (Happened > 3 x in this location). Row 0: No injury; Zero effect; Zero damage; No impact.]
[Figure: Mitigation (Poor, Medium, Good) versus Recovery.]
Annexes
Annexes – Practice Advisory
A Standard of QUALITY
www.theiia.org/Quality
Internal Auditing
• Independent
• Objective
• Assurance and consulting activity
• Adds value
• Improves operations
• Helps accomplish objectives
Internal Auditing
Brings a systematic and disciplined approach to evaluate and improve the effectiveness of the risk management, control, and governance processes.
Professionalism Means:
• Adherence to the Standards.
Internal Auditing and Quality
The International Standards for the Professional Practice of Internal Auditing mandate that the internal audit activity be assessed for quality.
Internal Auditing and Quality
Q. What does a quality assurance and improvement program include?
Q. Which organizations should obtain QAs?
Q. How do internal and external QAs differ?
Q. What are the benefits of an independent external QA?
Q. How is an external QA conducted?
Q. What are the selection criteria for external QA providers?
Q. What are the repercussions of not acquiring an external QA?
Q. What is the next step in the process if the results of an external QA are positive?
This presentation
is from
www.theiia.org/Quality
External Quality Assessments
www.theiia.org
External Quality Assessments
Standard 1000
Observation
The IA Activity charter is not updated on an annual basis.
The IA activity charter requires revision to consider The
IIA’s new definition of internal auditing, to reflect the
CAE’s responsibilities, and to obtain approval from the
Audit Committee.
Recommendation
Update the IA activity audit charter on an annual basis to
ensure it contains all the responsibilities of the IA Activity.
Obtain the Audit Committee's approval of the revised
charter.
Standard 1110
Observation
The organization chart shows that the CAE has a direct
reporting relationship to the Executive Vice President and
Chief Operating Officer and a dotted line relationship to
the Audit Committee.
Recommendation
The Audit Committee should evaluate the CAE reporting
relationship to ensure the independence of the CAE is not
impaired.
Standard 1210
Observation
There is a perception on the part of clients, based on the
client survey results and management interviews, that the
IA Activity Staff does not possess the desired level of
business knowledge.
Recommendation
Increase auditor knowledge of business operations through
staff rotation programs and in-house training on business
operations.
Standard 1210
Observation
The internal audit activity should possess or obtain the
knowledge, skills, and other competencies needed to
perform its responsibilities, including knowledge of key
information technology risks and controls.
Recommendation
Enhance information technology audit coverage by hiring
information technology audit specialists, providing
additional specialized IA staff training and/or engaging IT
audit contractors with appropriate qualifications.
Standard 1300
Observation
The IA Activity uses the Standards to generally define the
Profession's audit quality, but has not set up a formalized
quality assurance and improvement program, as called for
in Standard 1300.
Recommendation
Establish and document a Quality Assurance and
Improvement Program as set forth in the Standards and
Practice Advisories.
Standard 1311
Observation
While several elements of the new Standards on quality
assurance have been implemented by the IA Activity, the
internal ongoing assessments could be strengthened by
additional monitoring and benchmarking.
Recommendation
Implement an ongoing internal quality assessment process
with the use of performance metrics (e.g., cycle time,
customer satisfaction, cost recovery, balanced scorecard)
which can be monitored on an ongoing basis.
Standard 2010
Observation
The IA Activity does not have a formal, documented risk
assessment model for audit planning.
Recommendation
Formalize the annual audit planning and risk assessment
process to more closely conform to IIA Standard 2010.
Standard 2010
Observation
While the audit universe has been identified, the annual
audit plan does not include all entities in the audit
universe.
Recommendation
Establish an internal audit risk assessment process to
determine the priorities of the IA activity, consistent with
the company’s goals and objectives.
Standard 2030
Observation
The CAE should implement use of metrics to measure
actual internal auditing performance against budget.
Recommendation
Use metrics to compare the actual use of resources to the
budget.
Standard 2040
Observation
There is no formal internal audit policies and procedures
manual governing the operating activities of the IA
activity.
Recommendation
Develop an IA activity audit policies and procedures
manual to help guide the operations of the audit
department.
Standard 2330
Observation
A set of working paper standards needs to be developed
and formally defined in the IA activity policies and
procedures. A review of working papers indicated the
quality varied between audit staff.
Recommendation
Develop and enforce working paper standards, including
sample formats, documentation requirements, indexing,
and cross-referencing techniques with sufficient flexibility
to serve as guidance for all types of audits, reviews, and
evaluations.
Standard 2420
Observation
A review of work papers disclosed that 80% of audit reports
were issued later than scheduled.
Recommendation
Improve the timeliness of audit reports by reducing the
current time gap between the audit closing and the
issuance of the report.
Standard 2420
Observation
Management interview comments indicate audit reports
are not perceived as timely.
Recommendation
Shorten the time taken to issue audit reports.
Leading Practice
Observation
A formal program of career development and use of
rotational employees has not been established and should
be considered in the long-term.
Recommendation
Institute an employee rotation program that would provide
opportunities for operating managers to gain experience
across the company and also provide the IA Activity with a
steady stream of fresh business knowledge for the audit
staff.
Leading Practice
Observation
The company lacks a management control policy
statement that clearly defines the responsibilities of the
audit committee, senior management, and the IA Activity.
Recommendation
Consider implementing a management control policy that
would provide a single statement on controlling the
activities of the organization to clarify the control
responsibilities of the Audit Committee, management and
the IA activity.
Practice Advisory 2060.2
Observation
The charter does not call for AC participation in the
selection or removal of the CAE, nor does the charter call
for AC approval of annual compensation and salary
treatment for the CAE.
Recommendation
Consider participating in the selection, removal and
compensation of the Chief Audit Executive (CAE).
Recommendation
Revise the Audit Committee Charter to require
concurrence on the CAE’s compensation and annual merit
increase.
External Quality Assessments
Comments or questions?
Please contact Quality at The IIA:
quality@theiia.org
Internal Auditing Leading Practices
Observations from External Quality Assessments conducted by The IIA
Leading Practices
The IIA has conducted external quality assessments for over 18 years. Along with observations on Standards conformance, The IIA also has observed leading practices. Following is a brief list of some of The IIA QA Team observations of leading practices. Although not an exhaustive list, it does provide insights into what other IA activities are doing to make them “world class” in the profession of internal auditing.
Leading Practices
Risk Assessment and Audit Planning
Leading Practices
Governance
The CAE meets one on one with senior executives on a monthly basis
to increase management’s awareness about governance, risk
assessment, internal audit and the value of a strong control
environment.
The IA Activity facilitated Enterprise Risk Management (ERM) sessions
with each line of business, assisting each of them in developing the
basis for quarterly risk reports. Currently the business units are
responsible for ERM self-evaluations each quarter.
Use of technology, including the Issue Manager tracking tool, enhances
the efficiency of Internal Audit. Issue Manager is used to track
recommendations from Internal Audit, external auditors, and the
Financial Compliance Group Sarbanes-Oxley processes; these are
accessed by the Audit Committee, management, and the groups
making the recommendations.
Leading Practices
Quality Assurance and Improvement
The IA Activity has a quality assurance and improvement program that
includes external quality assessment and both periodic and ongoing
internal quality assessment. A variety of performance metrics are used to
monitor performance and these measures are communicated to the Audit
Committee.
The IA Activity has implemented internal quality assurance activities that
involve post-engagement reviews of execution and documentation, internal
reviews/external benchmarking of selected other internal audit processes,
and an array of metrics for measuring internal audit’s performance.
The IA Activity uses a balanced scorecard to periodically measure the IA
Activity’s performance. Results are tracked quarterly and reported to the
Audit Committee.
The IA Activity uses 6-Sigma in project development to assist in identifying
process improvements in the internal auditing activity.
Leading Practices
Professional Development
The IA Activity participates regularly in professional organizations related to
Internal Audit, also holding leadership positions from time to time. Additionally,
the IA Activity personnel have participated as volunteers for external quality
assessments through the peer review program in conjunction with The IIA. This
has yielded a network of professional contacts that are used for new ideas and
benchmarking purposes.
With regard to staff academic and professional qualifications, the IA Activity
holds an impressive record that is better than many other IA activities in the
profession. For example, 97% of the professional members of the IA Activity
have a Bachelor's degree, 35% a Master of Science degree and 32% a Master in
Business Administration degree. The record of obtaining professional
certification is remarkable, as 50% of the 34 auditors in the IA Activity have
earned professional designations such as CIA, CPA, CISA, CMA, CFE, CGA, etc.
The IA Activity has implemented successful Short-Term and Long-Term Audit
Rotation programs.
Leading Practices
Increasing Awareness of Internal Audit
The IA Activity has an audit brochure that contains a summary of its purpose,
services, responsibilities, deliverables and benefits. The IA Activity also has
a web page on the company Intranet. Such methods of advertising and
marketing audit services are successful practices for IA activities.
The IA Activity has a marketing brochure that includes a letter of support for
the IA Activity signed by the Audit Committee Chair, CEO and CFO.
Leading Practices
Value Added Services
The IA Activity provides consulting services to help management
implement internal controls on the front end of projects. This help is so
valued that management has recommended that the IA Activity staff be
expanded to make more consulting resources available.
Leading Practices
Improving Audit Efficiency
The IA Activity uses an automated audit management information
system that includes automated work papers, issue tracking, time
reporting, audit planning, personnel administration, and business risk
profiles.
Leading Practices
Innovative Audit Approach
Leading Practices
Does your IA Activity have a leading practice that you would like to share? If yes, please contact Quality at The IIA:
quality@theiia.org