[Point=200][Point=200] Executive Summary

Overview

The practice of internal auditing is evolving from a reactive process of fact checking and compliance reporting to a progressive, proactive discipline of risk assessment and business consulting. Internal auditors are astute business professionals whose analytical abilities produce independent, objective risk assessments that verify the effectiveness of the company's governance system, identify business risks, and suggest methods to mitigate them. Companies that apply best practices develop their internal resources to create a knowledge base that enables management to make informed decisions in an increasingly volatile and unforgiving competitive global marketplace. Effective internal audit (IA) functions identify risk and propose methods to mitigate its effects before it strikes. In this way, IA takes a proactive stance of risk prevention that enables the company to maximize its resources and protects its tangible and intangible assets.

Best practices

Conducting internal audits is a process that varies among different companies. All companies can benefit from a robust internal audit function, although the company's needs determine the scope of audit activity. While these best practices encompass all aspects of conducting internal audits and address the needs of even the largest global companies, the basic premise of each of these practices is applicable to companies of any size.

Create a knowledge resource
Operate with flexibility
Assess companywide risk
Broaden audit scope
Advocate high ethics
Create a risk-sensitive information system

- Create an internal knowledge resource by developing an experienced, diverse audit staff.
For assistance in confronting the challenges of the new economy, management increasingly is turning to the company's internal auditors to provide accurate and knowledgeable risk consulting and assurance services. Accordingly, internal auditors are broadening the scope of their professional expertise. Companies that apply best practices invest in their audit shops by cultivating the professionalism of their audit staff. By hiring auditors with diverse business backgrounds and professional certifications and retaining their experienced staff members, leading companies are reducing the need for outside consultants by transforming their IA departments into value-adding knowledge resource centers. Auditors who remain with the department build relationships with their audit customers. Building upon their business relationships, these veteran auditors facilitate the implementation of audit recommendations and encourage audit requests. Additionally, retaining organizational knowledge enables internal auditors to offer management additional insight into how external or internal changes will impact the organization.

Tosco Corporation, an oil refinery and marketing company headquartered in Old Greenwich, Connecticut, employs 25 auditors with an average of 18 years of business experience. Each auditor performs 10 audits per year and has for the past 10 years. Citing the monetary and administrative savings of not providing training, orientation, close supervision, and work paper reviews, Tosco credits its veteran audit team with exceptional productivity, noting its staff is roughly half the size of IA shops at comparable companies.

- Structure the internal audit department on a fluid, flexible framework.
Today's most successful companies maintain a high degree of flexibility to allow them to adapt to change. Accordingly, these leading companies maintain a flexible audit department to effectively mitigate the risk posed by change. Flexibility allows IA to operate with a customer focus, ensuring that audit activities align with management priorities to produce an effective allocation of audit resources. These best practices companies empower their internal auditors to act as proactive consultants who participate in the early stages of major initiatives to identify control weaknesses, conflicts with other business units, and process gaps. Effective IA departments also increase efficiency and maximize productivity by incorporating technology into all aspects of audit operations, eliminating burdensome paperwork, enabling instantaneous communication, and allowing access to a multitude of information unavailable with paper-based systems. Global companies also remain flexible by empowering their geographically dispersed audit teams with a high level of autonomy while tempering this independence with companywide audit methodologies that allow their auditors to render meaningful, uniform risk assessments and audit reports.

At Levi Strauss & Co., a global clothing manufacturer based in San Francisco, California, IA incorporates a proactive stance into its integrated audit process, regularly offering consulting services during the early stages of new projects. For example, before enacting one of its e-commerce business initiatives, auditors revealed a third-party logistics gap within the product fulfillment process. The company fine-tuned its e-commerce strategy and minimized its fulfillment risk.

- Consult with management to create an enterprisewide risk management system.
Since companies face risk management issues far more complex than those of a few years ago, they enlist their internal auditors to play a proactive role in advising executive management on implementing an effective companywide risk management system. Auditors at leading companies gather knowledge from all levels of management and from all business units to develop a solid risk model that encompasses the organization's overall risk exposure. Additionally, effective internal auditors use process mapping, control self-assessment (CSA), and other risk management tools to teach managers to assess their own risk and implement appropriate control frameworks. Leading companies also assign their IA departments to facilitate two-way risk communication to ensure that the efforts of both process owners and upper management are complementary in managing the company's risk. Typically, one office within the organization owns the risk management system to ensure that it is coordinated throughout the organization.

E.I. du Pont de Nemours and Company, the global chemical company better known simply as DuPont, headquartered in Wilmington, Delaware, repositioned the company's auditors as business partners who offer risk consulting services. Today, IA teaches managers how to solve and avoid problems, effectively adopting a stance of risk prevention, which adds value throughout the organization.

- Broaden audit scope to minimize third-party risk.
Companies that apply best practices mitigate downstream risk and liability by proactively performing risk assessments and audits of all their potential business partners. While these audit activities are not normally associated with internal audit, leading companies are expanding the scope of their IA departments to go beyond the company's borders. When initiating mergers and acquisitions (M&As), companies that apply best practices assign their auditors a proactive role early in the process. Because internal auditors are familiar with the enterprisewide operations of the company, they are better able to identify any incompatibilities that could negate the merger's success. Companies that depend upon third-party service providers not only expose themselves to the risk of relinquishing the service, but also assume liability for the actions of the providers' employees. Best practices companies evaluate their service providers, affiliates, and suppliers on a regular basis to safeguard the company's reputation, as well as the safety and welfare of its customers, employees, and shareholders. Leading companies also agree beforehand on the structure of IA functions for all joint ventures (JVs). Effective JV agreements stipulate as many specifics of the venture's IA function as possible, including department budget, audit plan, staffing requirements, reporting relationships, performance metrics, and responsibility for implementing audit recommendations.

When NationsBank, now known as Bank of America, headquartered in Charlotte, North Carolina, acquired Boatmen's Bancshares Inc. of St. Louis, Missouri, the IA department acted as management advisers throughout the M&A process. Producing savings in both hard and soft dollars, IA helped Boatmen's line managers and NationsBank's transition teams institute key performance metrics to gauge Boatmen's customer satisfaction levels. The auditors also identified back-office inefficiencies at Boatmen's and implemented controls to align the operations of both banks. The proactive IA involvement facilitated the M&A process and produced considerable savings in external consulting fees.

- Prevent fraud by advocating high ethics throughout the organization.
Fraudulent activities, usually perpetrated by insiders, not only cost global businesses billions each year, but invite further financial loss in the form of regulatory fines, reduced market share, diminished market capitalization, and a loss in reputation. Companies that apply best practices prevent fraud by supplementing their internal control system with a companywide ethics program that addresses the underlying reasons behind fraud. Robust ethics programs also protect the company from excessive regulatory fines by demonstrating the organization's serious commitment to corporate ethics. Internal auditors in leading companies verify the effectiveness of the company's ethics program by conducting compliance audits, using computer-assisted audit tools, and promoting fraud awareness. Many companies designate their audit directors as ethics officers to coordinate the program and ensure it is enforced equally throughout the organization. This establishes the necessary "tone from the top" and lends the program credibility. Despite the deterrence benefits of strong ethics programs, however, leading companies still train their internal auditors to identify and discover fraud. By familiarizing themselves with all aspects of fraud, internal auditors at leading companies proactively position their departments to prevent fraud.

At Internet consulting company Cisco Systems Inc., San Jose, California, all new employees are required to sign the company's code of conduct on or before their first day of work. Thereafter, employees must read and electronically sign the company ethics statement annually, verifying that they understand it. The internal audit staff works with human resources to track compliance with the policy and to contact employees who do not respond. IA also monitors other high-risk areas within the company to measure compliance with the ethics code.

- Collaborate with the information technology department to create a risk-sensitive information systems infrastructure.
Leading companies enlist their IA departments to collaborate with information system directors and executive management in all facets of their e-business and information systems initiatives. While it is not the responsibility of internal auditors to manage IT risk, they assist executive and IT management in identifying and responding to it. With its companywide knowledge and risk assessment skills, IA is well suited to identify operational risks not always evident to IT managers, which reduces the expenses of retroactively implementing ad hoc solutions to underlying problems and ensures the system integrates with those of the organization's stakeholders. As leading companies develop their IT and e-commerce projects, their internal auditors monitor schedules, test the system, recommend assignments for accountability, and address security and control issues before the project is finished. These companies also assign their internal auditors to continuously assess and test IT security to reduce the possibility of malicious attacks. Continuous testing allows the company to recognize any potential security lapses, track system penetration, and take proactive measures to lessen the likelihood of system intrusion. Leading companies complement security testing by developing an enterprisewide culture of security awareness. By making sure that employees possess the skills and knowledge to detect and prevent security breaches, companies give life to their technical security systems. Additionally, leading companies calculate the value of their e-assets and protect them with appropriate insurance coverage. IA works with risk managers to valuate the potential financial losses the company would experience from a service disruption, web site defacement, or hijacking. The company uses this information to upgrade its existing insurance coverage or supplement it with cyber insurance.

The Federal Reserve Bank of Chicago (FRBC), one of 12 institutions making up the United States Federal Reserve System, keeps information security at the forefront of operations for its 1,500 employees who use personal computers. The FRBC created a culture of security awareness within the bank's workforce, empowering employees to be "information security crusaders." Through education, internal communications, and accountability, FRBC made its employees into a security asset that supplements the institution's already formidable security technology infrastructure. The bank's auditors work together with the IT department to monitor employee compliance and constantly assess risk. [/Point][/Point]
[This post was edited by the author on 2006-2-17 8:39:46]