Best Practices Process

Best Practices Selection Criteria:
Integrating Audit and Internal Controls with Ethics and Compliance
Summary
Integrating the company's internal and external audit programs with its compliance or integrity program ensures that the program's ongoing efforts support strong internal controls.
Definition
An essential element of an effective compliance program is the ongoing audit of the company's compliance with applicable laws, regulations, policies and procedures, together with review of the internal controls needed to ensure that the company is living up to its commitment to ethical business practices. The results of such audit or review activity should be fully integrated into the company's ongoing compliance program so that corporate wrongdoing, or potential compliance concerns, can be addressed and resolved promptly and appropriately.
Achievement to Warrant Finding of Best Practice
In evaluating whether a program has achieved a “Best Practice” in this element, look for the existence of the following criteria:
1. Policies and Procedures. There should be written policies and procedures that establish:
  1. the role of external and internal auditors in the review of internal controls and in the conduct of financial audits, operational (e.g., management or performance-based) reviews, and compliance audits;
  2. an organizational relationship between the audit function (internal, external or both) and the integrity/compliance function, including the use of auditors to conduct internal investigations under the auspices of the compliance department;
  3. appropriate internal controls to monitor compliance with applicable laws, regulations, standards, and organizational policies and procedures, together with processes for reviewing the effectiveness of those controls;
  4. the accountabilities and responsibilities of the Board of Directors/governing body, the Audit Committee (or compliance subcommittee) and senior corporate leaders in overseeing and monitoring the adequacy of internal controls;
  5. that appropriate business functions (e.g., accounting, coding, HR, purchasing, QA, etc.) have implemented their own procedures to govern their actions and roles in monitoring internal controls and ongoing review processes, or that effective alternatives to self-monitoring have been established to achieve the same goals;
  6. a records retention protocol that provides for the collection, retention, archival and destruction of documents and records in accordance with applicable law and standards.

2. Documentary Evidence. There should be written evidence (e.g., signed attendance sheets for training, orientation materials for internal auditors, etc.) of the following:

  1. the company has appropriately segregated job duties that reduce the likelihood of fraudulent actions and/or errors in key compliance risk areas (e.g., separation of custody of assets from accounting and finance; separation of operational and record-keeping responsibilities etc.);
  2. a disciplined signature/discretionary authority process that provides for the proper authorization and approval of transactions and activities;
  3. independent checks and internal verifications within each business function to assure adequate segregation of duties, proper authorization of transactions and activities, adequate documents and records, and physical control over assets and records;
  4. annual integrity/compliance training of employees which reinforces the company’s commitment to integrity in all its business and financial transactions and the importance of employee compliance with company policies and procedures;
  5. targeted technical compliance training of appropriate individuals to reinforce the compliance obligations of Board members, senior management, and employees endowed with discretionary authority or fiduciary responsibility or who have responsibility for areas of significant compliance risk to the organization;
  6. discipline-specific training for employees performing internal audit and internal control review functions.

3. Role of Compliance Function. The Compliance/Integrity Officer should be able to demonstrate that:

  1. the organization periodically conducts risk assessments of the entire operation to identify specific risk areas that affect its compliance posture and internal control process. The risk assessment tool used by the compliance function or internal audit in this context should be documented and reviewed regularly;
  2. identified compliance risk areas are included in the organization’s annual audit plan;
  3. the organization has policies and procedures that govern the frequency, scope and conduct of internal audits, compliance reviews, and the reporting criteria for them. These policies and procedures need to provide latitude for reassessment of audit and review plans based on changing risks and priorities;
  4. the organization has a process for modifying its annual audit plan to confirm implementation of, and determine the adequacy of, corrective actions required by reportable or disclosable issues;
  5. the organization has a process for communicating key compliance related audit and review outcomes, and reportable or disclosable conditions to the Board, senior management and, where appropriate, outside agencies and/or enforcement bodies;
  6. the organization has properly disclosed the results of internal audits, compliance reviews, or internal investigations when required by law.