Auditing Internal Challenges

Text einsetzen Text einsetzen Text einsetzen Text einsetzen Text einsetzen
The challenges for the internal auditor
Rodoljub Kajganić, Wiener Osiguranje Vienna Insurance Group
VIG Internal Audit Group Workshop
November 2015

Agenda
Introduction
Successful internal auditor
Compliance
Case study: How to audit compliance with group policies
Information system audit
Case study: How to do a project audit
Fraud
Case study: How to do fraud investigation
Observations
Q&A

Introduction
Experienced Insurance/Banking Internal Auditor,
Information Systems Auditor, Compliance Specialist,
Fraud Investigator, AML Professional
Head of Security&Compliance&AML department
Professional Certificate of Competency in the field of
Compliance ALCO, IFBL: L'Institut, ATTF Luxembourg
Management Program, IEDC Bled School of Management
Audit Committee, IT Steering Committee, Outsourcing
Committee member, FATCA, ISMS project team member...
ISACA member
Enjoy road and mountain biking, traveling, reading,
practice Krav maga
Presenter biography:

“Success always comes when
preparation meets opportunity”
Henry Hartman
Introduction - personal mission statement
Change. Adapt. Grow. Learn.
Repeat process.

Knowledge
Lifelong Learning, Regulatives, Market Rules

Company
Strategy
Legal
Framework
Audit
Resources
Value and risk based auditing
Find balance between control and
productivity
From compliance to risk management
Learn to speak the language of
business

COMPLIANCE

Compliance-definition
Compliance means adherence to, or conformance
with, rules, laws, standards, and policies. It also
implies a sense of accountability and an obligation
to uphold pertinent codes of conduct.
Corporate compliance entails devising a formal
internal system of policies, procedures, controls,
and actions to detect and prevent violations of
laws, regulations, rules, standards, and policies.

Audit legality,
propriety,
expediency
InternalAudit
Forecast,
plans,
measure
risk
Controlling,
Actuary
Evaluating
insurance
portfolio
EnterpriseRisk
Management
Manage
regulatory
obligations
Compliance Third line
of defence
ExternalAudit
Board
Risk Management

Compliance with laws and regulations-policies and
procedures
Structuring the compliance deptment- independence,
reporting lines
Compliance program- risk assessment, mitigating
risk, monitoring, reporting, training
Tone at the top and whistle-blowing (hot line)
Dealing with ethical challenges - compliance with
laws/local regulations, non-discrimination, corruption
and bribery, data privacy, insider trading, AML,
protection of the environment
Compliance

Compliance audit – compliance audit deals with the degree to which the audited
entity follows rules, laws and regulation, policies, established codes, standards.
Compliance
Potential threats:
Legal impact: regulatory or legal action brought against the organization or its
employees that could result in fines, penalties, litigation...
Financial impact: negative impacts with regard to share price, potential future
earnings, or loss of investor confidence.
Reputational impact: damage to the organization’s reputation or brand (bad press
or social media discussion, loss of customer trust, decreased employee morale).
To succeed you must know what success looks like, to succeed you must
measure success, to succeed you must verify you measures.

How to audit compliance with group policies
Applicable for all types of audits
Risk based approach
Compliance - case study issue

Compliance - case study analysis
The up-to-date version of all Group guidelines is
available in the VIG Intranet:
https://intranet.vig.com/en/infos-guidelines/guidelines.html
Upon request the guidelines can be provided in
paper form or via email.
Contact: Sabine Stiller (sabine.stiller@vig.com)

Prepare an audit plan
Make a compliance risk assessments
Collect evidence by using interviews,
questionnaires,review of documents
Obtain copies of departmental procedures for
each area you intend to audit
Cross-reference internal procedures with
group regulations
Verify compliance with local regulations, best
practice and relevant standards
Check reports from regulators, inspections,
external auditor

Possibilities for improving efficiency and effectiveness in
implementation of regulations.
The effectiveness of internal controls.
Is there a system for monitoring new regulations?
Is information communicated on a timely basis in the organisation?
Deviation from Group guidelines need a reasonable legal ground.
If activities are outsourced, how is compliance and performance
monitored?
Consider materiality for reporting purpose (amount of potential fines).
The final goal is to determine whether the internal procedures compliant and
properly implemented in the processes

INFORMATION SYSTEM AUDIT

Any audit that encompasses review and
evaluation (wholly or partly) of automated
information processing systems, related
non-automated processes and the interfaces
between them.
Information system audit - definition

Information system audit:
General control examination or facility audit
Application audit
System development audit
Technical or special topic audit
Information system audit

Compliance with legal and regulatory requirements
Confidentiality
Integrity
Reliability
Availability
Information system audit - goals

Governance:
Responsibility and accountability for risk
Risk appetite and tolerance
Awareness and communication
Risk culture
Risk Evaluation:
Risk scenarios
Business impact descriptions
Risk Response
Key risk indicators (KRIs)
Risk response definition and prioritisation
Information system audit - IT risk
IT risk:
The business risk
associated with the use,
ownership, operation,
involvement, influence and
adoption of IT within an
enterprise.

Information system audit - Internal controls
Administrative
Technical
Physical

Understanding of the audit area
Risk assessment/audit plan
Evaluating audit area
Verifying and evaluating controls
Compliance testing/substantive testing
Reporting/follow-up
Information system audit - audit procedures

Auditing security checklist
IS audit - resources
Auditing systems development

IS audit - case study issue
How to do a project audit
Projects related to information system
Purchase or own development
New service or new products

Audit project areas:
Intergation
Scope,time&cost
Quality, procurement
Risk management
Human resources, communication
IS audit - case study analysis
Project risk:
Never be delivered or be delivered late
Exceed budget
Not deliver the required functionality
Contain errors, fail frequently
Be unfriendly, difficult and costly to operate

Success criterion Relative importance
User involvement 19%
Executive management support 16%
Clear statement of requirements 15%
Proper planning 11%
Realistic expectations 10%
Smaller project milestones 9%
Competent staff 8%
Ownership 6%
Clear visions and objectives 3%
Hardworking, focused staff 3%
Total 100%

Audit plan:
Identify the audit scope, determine audit objectives, gather basic information
about project, determine materiality, assess risk, and evaluate internal
controls.
Check:
IT strategies, plans and budgets
Feasibility study, requirements, RFP
Security policy
Organization charts, job descriptions
Steering committee reports
Program change procedures
Operations procedures, quality assurance
procedures

Feasibility study
Well documented and clear?
Have departments recommendations been included?
Has the feasibility analysis report been submitted to the management steering
committee for action?
User Requirement Analysis
Efficiency/Effectiveness
Have the user executives approved the requirements?
Is the new system compatible with other applications/systems?
Could the new system recover after failure?
Do user requirements include security, controls and privacy measures?
Is there clear segregation of duties among those who build, test and operate the
system?

Purchased software
Are there vendor evaluation criteria/selection procedures?
Contract – remedy, backup and recovery controls, user manuals, audit trail
Does the contract provide how the user will request changes to software?
Can the organisation terminate the contract at any time?
Does vendor have a high probability of being in business during the duration of the
contract?
Is the level of internal controls satisfactory?
Has all data been transferred to the new system in a controlled manner?

The optimal way to ensure a successful IT project is to do an effective
analysis of the risks associated with that particular project and develop a plan
to manage the identified and substantial risks.
IT risks are managed, IT delivers value to the business
Postimplementation phase
Review of the project success
Financial review of the feasibility study vs. results
Lessons learned and improvements for the future

FRAUD

Fraud - definition
Fraud is generally defined in the law as an
intentional misrepresentation of material
existing fact made by one person to
another with knowledge of its falsity and
for inducing the other person to act, and
upon which the other person relies with
resulting injury or damage.
Which is the biger risk?
External attacker vs. employee frauds

Fraud - statistics

Fraud – cyber attacks

General red flags
Often first in and last out of the office
Lots of unused holiday
Changes in lifestyle –spending, socializing,
married status
Resigned,working out redundancy
Passed over for promotion or pay review
Pending HR disciplinary
Fraud - statistics

Fraud - resources
Red flags of insurance fraud

Anti-fraud policy is most effective when applied with a clear methodology
and implementation plan as opposed to random reviews which seek to rely
primarily on a chance discovery of fraud or wrongdoing.
Anti-fraud policy proactively look for fraud (rather than focussing on specific
known types or incidents).
Anti-fraud policy
Roles&responsibilities
Fraud risk assessment
Prevention, detection, investigation
Fraud - anti fraud framework

Fraud - case study issue
How to do fraud investigation
Fraud risk assessments
Checking transaction accounts of employees
Investigation

Do we have internal controls?
Are they are sufficient and effective?
Fraud – internal controls

Risk based audit-follow the money
Appoint a fraud protection officer
Regular fraud risk assessments
Enforce separation of duties
Four eyes controls, use red flags, black list
Automatic preventive controls in the information system
Fraud - case study analysis

Perform background checks
Institute a policy of job rotation, mandatory vacation policy
Have employees bonded with the proper insurance policies
Create annual financial disclosure policies for the people in the organizational
process
Separate the authorization of the transactions from their recording
Require multiple signatures-formal signatures!
Define the trust levels with the appropriate checks
Whistle-blowing — make sure you hear the bad news first
Fraud - case study analysis

Work on attitude,
knowledge
and skills
Change, adapt,
grow, learn,
repeat process.
Consider whether IT
risks are managed, IT
delivers value to the
business. Analyze
project risks, ensure
you have a plan to
manage the identified
and significant risks.
Ensure you have a Anti-
fraud policy, fraud
protection officer and
fraud risk assessments,
follow the money.
Determine whether the internal
procedures compliant and properly
implemented in the processes.

QUESTIONS & ANSWERS
rkajganic@wiener.ba
+387 (0)65 422 242
https://ba.linkedin.com/in/rodoljubkajganic

Thank you for your attention

Auditing Internal Challenges

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Auditing Internal Challenges

Similar to Auditing Internal Challenges (20)

Auditing Internal Challenges