(title of presentation)

Report
The Role and Benefits of a
State Audit Committee
Presented by:
Joe Bell, Chief Audit Executive, State of Ohio,
OBM Office of Internal Audit
Maria Jackson, Assistant Chief Auditor, Information Systems Audit
Office of Dave Yost, Ohio Auditor of State
Presentation ‘Kickoff’
2
Session Objectives
You will learn how:
• An effective audit committee improves overall
governance
• Coordinated monitoring/auditing improves
organizational controls
• Reducing repeat audit comments allows for
more efficient audits and enables auditors to
focus on emerging issues
3
Today’s Game Plan
4
Today’s Game Plan
•
•
•
•
•
5
An early Penalty – Impact of “Coingate”
The IIA’s 3 Lines of Defense
Reaching the End Zone – IA Capability Model
Building the Audit Team - OIA & SAC
Teamwork – AOS & OIA working together
Penalty Situation
6
“Coingate”
7
Evolution of Internal Audit in Ohio
8
IIA’s 3 Lines of Defense
9
IIA’s Three Lines of Defense
10
Risk
11
3 Groups Responsible
for Risk Management
1. Own & Manage Risks
2. Oversee Risks
3. Provide Independent Assurance
12
1st Line of Defense:
Operational Management
• Own and Manage Risks
• Day to Day Performance of Internal
controls
• Responsible for Corrective Actions
13
nd
2
Line of Defense: Risk
Management & Compliance
Functions
Ensures the 1st Line is properly designed,
in place, and operating effectively.
• Risk Management Function
• Compliance Function
• Controllership Function
14
3rd Line of Defense: Internal Audit
• Provides assurance on
effectiveness of governance, risk
management, & internal control.
• High level of independence &
objectivity.
• Broad scope.
15
External Audit & Regulators
• Outside the Organization
Structure
• Additional Line of Defense when
Coordinated Effectively
• Limited Scope
16
Coordinating the 3 Lines of
Defense
FIRST LINE OF DEFENSE SECOND LINE OF DEFENSE
THIRD LINE OF DEFENSE
Risk Owners/Managers
Risk Control and Compliance
Risk Assurance
• operating management
• limited independence
• internal audit
• reports primarily to
• greater independence
management
17
• reports to governing body
Building the Audit Team
18
Building the Audit Team in Ohio
19
Building the Audit Team in Ohio
Point A - 2007
Point B - 2014
• Decentralized, ad hoc
Internal Audit
functions in a few
agencies.
• No Audit Committee
• Many external audit
issues.
• Centralized Office of
Internal Audit, aligned
to IIA Standards
• Established State
Audit Committee
• Improvement in
Internal Control
20
Audit Landscape in Ohio
•
•
•
•
•
21
OBM Office of Internal Audit
State Audit Committee
Ohio Auditor of State
Ohio Inspector General
Federal Oversight Agencies
Ohio Reporting Relationships
22
OIA Team Composition
Team
23
Number
Certifications
Financial Auditors
14
CPA – 9
CISA – 7
CIA – 4
CGAP – 5
Information
Technology
Auditors
9
OIA Roles
• Assurance
– Internal and system control effectiveness
– Business process effectiveness
– Evaluate and improve effectiveness of risk
management, control and governance
• Consulting
– Document process maps
– New programs, IT systems, and process
consulting
– Training and education
– Business process and internal control design
24
Legal Authority for Office of
Internal Audit
• Ohio Revised Code Section 126.45 created OIA
within the Office of Budget and Management.
• Requires OIA to conduct internal audits of certain
state agencies
• Requires an annual audit plan
• Requires reporting audit recommendations to the
State Audit Committee.
25
State Audit Committee
• Five member committee meets quarterly
• Assists Governor and Director of the OBM in
oversight responsibilities:
– Financial Reporting,
– Internal Controls,
– Risk Assessment,
– Audit Processes,
– Compliance: Laws, Rules, & Regulations.
26
Independent State Audit Committee:
27
Audit Committee Composition
• Chairperson, Governor Appointed, external
to state management.
• Two appointed by the House Speaker,
• Two appointed by Senate President,
• Not More Than Two from Same Party
• Three-year Term, One Reappointment
28
Required SA Committee
Expertise
At least one member who is
• Financial Expert
• Certified Public Accountant
• Familiar with Governmental Accounting
• Representative of the Public
• Familiar with Information Technology
29
Key Functions of Audit
Committee
1. Review annual OIA plan
2. Review OIA preliminary reports
3. Review OIA conformance to IIA Standards
(Peer Review)
4. Review State of Ohio CAFR
5. Review financial statements with external
auditor (Auditor of State)
30
Audit Committee Continuous Improvement
•
•
•
•
•
Audit Charter – Annual Review
Event Calendar – Cover All Responsibilities
Meeting Evaluation – Assess content/adequacy
Annual Evaluation – OIA
Audit Committee Self-evaluation
–
–
–
–
31
Financial reporting
OIA
External Audit
Management and Other Reporting
OIA Continuous Improvement
32
Reaching the ‘Goal Line’
33
Capability Model: Governance
Examples in Practice for Key Process Areas
Level 5 - Optimizing


Strategic information and communication strategy
advocating independence & authority of internal audit
Legislation/policy requires independent oversight
committee
CAE reports directly to oversight committee

Legislation/policy requiring an oversight committee



Management supports internal audit funding
Organizational policy to allow internal auditors full access
to information, assets, and people
Approved internal audit charter

Not applicable; ad hoc and unstructured

Level 4 - Managed
Level 3 - Integrated
Level 2 - Infrastructure
Level 1 - Initial
Adapted from the IIA’s Internal Audit Capability Model (IA-CM) for the Public Sector
34
Teamwork
35
Dave Yost, Ohio Auditor
• One of five
independently
elected statewide
offices.
• Four year term, 2
consecutive terms
max
36
Ohio Auditor of State
• ORC 117.10 – The Auditor of State
shall audit all public offices as provided
in this chapter.
• Audits all public offices – 5800 entities
• 600 of 800 staff are financial auditors
• Performs financial audits of state
agencies, boards and commissions
37
37
AOS State Region
• Exclusively audits state agencies
• Performs financial audits of state
agencies, boards and commissions
• Includes the Information System Audit
group (ISA), which analyzes
information systems and performs
“SOC 1” audits
3
38
8
Ohio Auditor of State
Information Systems Audit
Group
• Section of Financial Audit
• 3 Groups (North, South, State)
• 26 Auditors
39
Working together
• Meet biannually to discuss audit plans
and to provide update on current audits.
• Rely on work completed by OIA.
• OIA consults with agencies to remediate
significant audit comments.
• OIA uses AOS work for background
information.
40
What Gets Measured Gets Done
• Audit Timelines established and
reported on quarterly
• Audit comment status
– Committee may request agency to appear
and report on remediation
• Number of Audit Comments
• Audit Progress and Difficulties
41
AOS State of Ohio Single Audit Findings Trend
79
77
75
73
71
69
67
65
63
61
59
57
55
53
51
49
47
45
43
41
39
37
35
33
31
29
27
25
23
21
19
17
15
13
11
9
7
5
3
1
78
79
62
59
53
55
49
44
Total Findings
40
37
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
YB Findings
35
2013
42
Trend for IT Comments from State Single Audit
20
18
16
14
12
10
Number of IT Comments
8
6
4
2
0
2009
2010
2011
2012
2013
43
Benefits
•
•
•
•
44
Increased Accountability
Audits are more timely.
Comments are remediated.
Controls are improved.
Benefits
• Controls built in to the process instead
of after the fact.
• Greater awareness of the importance
of financial reporting and the role of
audit.
• Improved cooperation among auditors.
45
Benefits
• Improved cooperation between clients
and auditors.
• Increased focus on emerging issues.
– ERM
– COSO
– Cyber Security
46
2 Minute Warning
47
Summary Points
• A well-designed audit committee enhances
effective governance
• Embracing the ‘3 Lines of Defense’ model
promotes an effective and coordinated focus
on continuous internal control improvement
• Transparency and accountability of audit
comment remediation leads to more effective
and value-added audits
48
Thank You!
49
Contact Information
Joe Bell, CPA, CIA, CGAP
Chief Audit Executive, State of Ohio
OBM Office of Internal Audit
[email protected]
614.466.1985
http://obm.ohio.gov/InternalAudit/
50
Information Systems Audit
State Region
88 East Broad Street
Columbus, Ohio 43215
Maria Jackson, CPA, CISA
Presenter Phone: (800) 282-0370
Presenter Fax: (614) 466-4490
E-mail: [email protected]
[email protected]
51

similar documents