Charter Review Commission Agenda Packet 11-27-17
COUNTY OF KAUA'I CHARTER REVIEW COMMISSION
NOTICE OF MEETING AND AGENDA

Jan TenBruggencate, Chair
Ricky Watanabe, Vice Chair
Members: Isaac Cockett, Galen Nakamura, Virginia Kapali, Carol Suzawa

Monday, November 27, 2017, 4:00 p.m. or shortly thereafter
Mo'ikeha Building, Meeting Room 2 A/B
4444 Rice Street, Līhu'e, HI 96766
An Equal Opportunity Employer

CALL TO ORDER

APPROVAL OF MINUTES
Open Session Minutes of October 23, 2017

BUSINESS

CRC 2017-05 Proposed Charter Amendment to Remove the Zoning Board of Appeals (Article XIV, Subsection 14.12 - 14.14) (deferred 10/23/17)
1. Letter to Planning Director Michael Dahilig dated October 27, 2017 requesting his presence

CRC 2017-06 Proposed Charter Amendment to Amend Article XIII Relating to the Department of Public Works, Sections 13.01 - 13.03 by changing title from County Engineer to Director of Public Works, and changing job description to reflect title change (deferred 10/23/17)
1. Letter to State Department of Transportation Engineering Program Manager Lawrence Dill dated October 27, 2017 requesting his presence

CRC 2017-07 Proposed Charter Amendment to Remove Article XXXII relating to the County Auditor (deferred 10/23/17)
1. Letter to Council Chair Mel Rapozo and Councilmembers dated October 27, 2017 requesting their presence
2. Letter from Councilmember JoAnn A. Yukimura dated November 9, 2017 relating to the County Auditor position
   a. The Role of Internal Auditing in Resourcing the Internal Audit Activity
   b. The Role of Internal Auditing in Enterprise-wide Risk Management
   c. The Three Lines of Defense in Effective Risk Management and Control
   d. Standard 2070 - External Service Provider and Organizational Responsibility for Internal Auditing
   e. Reliance by Internal Audit on Other Assurance Providers

CRC 2017-08 Proposed Charter Amendment to Amend Article XIX, Financial Procedures, Section 19.15(C) by adding language to include corresponding maintenance of those lands or property entitlements
1.
Kaua`i County Charter Section 19.15. Fund Administration

CRC 2017-09 Proposed Charter Amendment Establishing Council Districting

CRC 2017-10 Proposed Charter Amendment to Article III, County Council, Section 3.03 relating to terms
1. Councilmembers serve two (2) four-year terms beginning with the 2020 election year
2. Four (4) Councilmembers serve two (2) four-year terms full time (staggered), and three (3) Councilmembers serve two (2) two-year terms part time
   a. Email from Felicia Cowden dated October 24, 2017 regarding proposed amendment

CRC 2017-11 Proposed Charter Amendment creating a new Farm Commission
1. Email from Felicia Cowden dated October 24, 2017 regarding proposed amendment

EXECUTIVE SESSION
Pursuant to Hawaii Revised Statutes §92-7(a), the Commission may, when deemed necessary, hold an executive session on any agenda item without written public notice if the executive session was not anticipated in advance. Any such executive session shall be held pursuant to HRS §92-4 and shall be limited to those items described in HRS §92-5(a). Discussions held in Executive Session are closed to the public.

ES-001 Pursuant to Hawaii Revised Statutes §§92-4 and 92-5(a)(4), the Commission anticipates convening in executive session to receive and discuss the County Attorney's legal review of CRC 2017-03 — Proposed Charter Amendment to Remove Article IX Relating to the Public Defender. This briefing and consultation involves consideration of the powers, duties, privileges, immunities, and/or liabilities of the Commission as they relate to this agenda item.

ES-002 Pursuant to Hawaii Revised Statutes §§92-4 and 92-5(a)(4), the Commission anticipates convening in executive session to receive and discuss the County Attorney's legal review of CRC 2017-04 — Proposed Charter Amendment to Remove Article XXX Relating to the Electrical Power Authority.
Charter Review Commission — November 27, 2017   Page 2

This briefing and consultation involves consideration of the powers, duties, privileges, immunities, and/or liabilities of the Commission as they relate to this agenda item.

CRC 2017-12 Election of Chair and Vice Chair for calendar year 2018

ADJOURNMENT

Cc: Deputy County Attorney Adam Roversi

PUBLIC COMMENTS and TESTIMONY
Persons wishing to offer comments are encouraged to submit written testimony at least 24 hours prior to the meeting indicating:
1. Your name and, if applicable, your position/title and the organization you are representing;
2. The agenda item that you are providing comments on; and
3. Whether you will be testifying in person or submitting written comments only; and
4. If you are unable to submit your testimony at least 24 hours prior to the meeting, please provide 10 copies of your written testimony at the meeting clearly indicating the name of the testifier; and
5. If testimony is based on a proposed Charter amendment, list the applicable Charter provision.

While every effort will be made to copy, organize, and collate all testimony received, materials received on the day of the meeting or improperly identified may be distributed to the members after the meeting is concluded. The Charter Review Commission rules limit the length of time allocated to persons wishing to present verbal testimony to five (5) minutes. A speaker's time may be limited to three (3) minutes if, in the discretion of the chairperson or presiding member, such limitation is necessary to accommodate all persons desiring to address the Commission at the meeting.

Send written testimony to:
Charter Review Commission
Attn: Lani Agoot
Office of Boards and Commissions
4444 Rice Street, Suite 150
Līhu`e, HI 96766
E-mail: lagoot@kauai.gov
Phone: (808) 241-4917
Fax: (808) 241-5127

SPECIAL ASSISTANCE
If you need an alternate format or an auxiliary aid to participate, please contact the Boards and Commissions Support Clerk at (808) 241-4917 at least five (5) working days prior to the meeting.

[Scanned attachment page: OCR text not recoverable]
KAUA`I COUNTY CHARTER REVIEW COMMISSION
c/o Office of Boards & Commissions
4444 Rice Street, Suite 150
Līhu'e, HI 96766

Jan TenBruggencate, Chair
Ricky Watanabe, Vice Chair
Members: Isaac Cockett, Galen Nakamura, Virginia Kapali, Carol Suzawa

October 27, 2017

Michael Dahilig
Director of Planning
County of Kauai
4444 Rice Street, Suite A473
Lihue, Hawaii 96766

Dear Mr. Dahilig,

The Charter Review Commission received your letter at its meeting on October 23, 2017 and appreciates your comments. The Commission requests your presence at their next Commission meeting scheduled on:

Monday, November 27, 2017
4:00 pm
Mo'ikeha Meeting Room 2A/2B

As you know the Commission is currently considering a proposal to remove the Zoning Board of Appeals and would appreciate your input regarding possible options for handling contested case hearings, and whether modifying the language of the Charter may provide a solution if the Zoning Board of Appeals were to remain in the Charter.

Please contact Paula M. Morikami in the Office of Boards and Commissions and let her know if you are able to attend. She can be reached at 241-4922 or by email: pmorikami@kauai.gov.

Thank you.

Jan TenBruggencate
Chair


KAUA`I COUNTY CHARTER REVIEW COMMISSION
c/o Office of Boards & Commissions
4444 Rice Street, Suite 150
Līhu'e, HI 96766

Jan TenBruggencate, Chair
Ricky Watanabe, Vice Chair
Members: Isaac Cockett, Galen Nakamura, Virginia Kapali, Carol Suzawa

October 27, 2017

Mr. Lawrence J. Dill
Engineering Program Manager
Kauai District Office
1720 Haleukana St.
Lihue, HI 96766

Dear Mr. Dill,

The Charter Review Commission requests your presence at their next meeting scheduled on:

Monday, November 27, 2017
4:00 p.m.
Mo'ikeha Building, Meeting Room 2A/2B

The Commission is discussing a possible Charter amendment to change the title of County Engineer to Director of Public Works and removing the requirement that he/she be a registered engineer. As a former County Engineer, your input will be valuable to the Commission as it deliberates and considers this proposal.

Please contact Paula M. Morikami in the Office of Boards and Commissions and let her know if you are able to attend. She can be reached at 241-4922 or by email: pmorikami@kauai.gov.

Thank you.


KAUA`I COUNTY CHARTER REVIEW COMMISSION
c/o Office of Boards & Commissions
4444 Rice Street, Suite 150
Līhu'e, HI 96766

Jan TenBruggencate, Chair
Ricky Watanabe, Vice Chair
Members: Isaac Cockett, Galen Nakamura, Virginia Kapali, Carol Suzawa

October 27, 2017

County of Kauai
Office of the County Clerk
Council Services Division
4396 Rice Street, Suite 209
Lihue, Hawaii 96766

Honorable Chair Mel Rapozo and Councilmembers,

The Charter Review Commission requests your presence at their next meeting scheduled on:

Monday, November 27, 2017
4:00 P.M.
Mo'ikeha Meeting Room 2A/2B

The Commission is considering a proposed Charter amendment to remove the County Auditor section from the Charter. Since the County Auditor falls under your jurisdiction we would appreciate your input as we discuss and deliberate this proposal.

Please contact Paula M. Morikami in the Office of Boards and Commissions and let her know if you are able to attend. She can be reached at 241-4922 or by email: pmorikami@kauai.gov.

Thank you.

Jan TenBruggencate
Chair


COUNTY COUNCIL
Mel Rapozo, Chair
Ross Kagawa, Vice Chair
Arthur Brun
Mason K. Chock
Arryl Kaneshiro
Derek S.K. Kawakami
JoAnn A. Yukimura

OFFICE OF THE COUNTY CLERK
Jade K. Fountain-Tanigawa, County Clerk
Scott K. Sato, Deputy County Clerk
Council Services Division
4396 Rice Street, Suite 209
Lihu`e, Kauai, Hawaii 96766
Telephone: (808) 241-4188
Facsimile: (808) 241-6349
E-mail: cokcouncil@kauai.gov

November 9, 2017

Jan Tenbruggencate, Chair
and Members of the Charter Review Commission
c/o Office of Boards & Commissions
4444 Rice Street, Suite 150
Lihu`e, Hawaii 96766

[Received stamp: NOV - 9 2017]

Dear Chair Tenbruggencate and Members of the Charter Commission:

Thank you for your invitation to discuss the County Auditor position and its role in County governance. I look forward to our conversation at the end of the month.

In preparation for your meeting on November 27, 2017, I am transmitting the following documents which, hopefully, you will be able to read ahead of time. I trust they will be transmitted to you as soon as possible.

1. Institute of Internal Auditors (IIA) Position Paper: The Role of Internal Auditing in Resourcing the Internal Audit Activity
2. IIA Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management.
3. IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control
4. IPPF Implementation Guide 2017: Standard 2070 - External Service Provider and Organizational Responsibility for Internal Auditing.
5. IIA Practice Guide: Reliance By Internal Audit on Other Assurance Providers

These documents were transmitted by Kim Herrenkohl, CPA, CIA, CFE, a very experienced and highly credentialed internal auditor who is currently employed in Washington State. Ms. Herrenkohl graciously allowed me to informally consult with her on issues within her expertise because she knows how valuable a good internal auditing structure can be to an organization like the County of Kaua'i.
Jan Tenbruggencate, Chair and Members of the Charter Review Commission
RE: County Auditor Position
November 9, 2017
Page 2

I would like to suggest that members of the Administration be invited to your November 27, 2017, meeting as well as the Council, since they are responsible for risk management and would be involved in any audits conducted within the County, whether they are done internally or externally.

I hope you find these resource papers helpful.

Sincerely,

JoAnn A. Yukimura
Councilmember, Kauai County Council

JY:wa
Enclosures
cc: Ken M. Shimonishi, Director of Finance
    Wallace G. Rezentes, Jr., Managing Director
    Mauna Kea Trask, County Attorney
    Jade K. Fountain-Tanigawa, County Clerk


The Institute of Internal Auditors
IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN RESOURCING THE INTERNAL AUDIT ACTIVITY
Issued: January 2009   Revised:   © 2009 The Institute of Internal Auditors   Resourcing PP   Page 1 of 5

Introduction

When considering the resourcing of the internal audit activity a question that often arises is, "Who or what resources can be utilized to provide internal auditing?" In practice, organizations utilize a number of different alternatives ranging from a fully resourced activity housed within the organization to external resources obtained from outside the organization, or any combination thereof. This diversity of practice raises a question in some organizations concerning the optimum balance of internally and externally supplied resources. The purpose of this paper is to provide guidance and clarify the roles of the board, management, and the chief audit executive on resourcing the internal audit activity and the various issues involved. Anecdotal evidence indicates most practitioners agree that utilization of some amount of external resources, or partial outsourcing, is appropriate.
However, there is little consensus on what might be an appropriate amount of external resources, not to mention how to measure it. This is because it is not possible to answer such a question without understanding the size, nature, and complexity of the organization for which the internal audit activity is providing services. The practice of total outsourcing or obtaining 100 percent of internal audit resources from outside the organization generates additional questions about how to manage this arrangement.

There are many considerations that should be evaluated in determining the optimal structure and source for internal audit resources. Those responsible for making such determinations should evaluate the additional guidance and considerations outlined in this Position Paper when considering outsourcing as an alternative. The optimal solution can be different for every organization and also may change over time as the variables that influence the evaluation change periodically.

The Institute of Internal Auditors' (IIA) Perspective

Internal auditing is defined as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." The IIA's principal interest is to promote internal audit activities that provide the maximum overall effectiveness in helping achieve the organization's strategic objectives. The IIA believes internal auditing best addresses management's strategic objectives when internal audits are performed by competent professionals in conformance with the International Standards for the Professional Practice of Internal Auditing (Standards) as promulgated by The IIA.
From The IIA's perspective, internal auditing, regardless of who provides the service, should be performed in conformance with the Standards. The IIA believes that a fully resourced and professionally competent staff that is a key part of the organization, whether in-house or outsourced, best provides internal audit services. The IIA recognizes that many "partnering" arrangements with outside providers have been effective in helping organizations obtain internal audit services that contribute to management's strategic objectives.

In cases where total outsourcing is selected as the method for obtaining internal audit services, The IIA believes that oversight and responsibility for the internal audit activity cannot be outsourced. An in-house liaison, preferably an executive or senior management-level employee, should be assigned responsibility for "management" of the internal audit activity. Consideration of the independence of the assigned in-house liaison must be evaluated if this individual has other (non-internal audit) responsibilities.

The role of the board or equivalent governing body also is important in the oversight process and the level of active oversight should be considered. If a significant change to either outsourcing or in-sourcing is being considered as the means of obtaining internal audit services, the board should receive a written evaluation of the recommendation. The board's evaluation and approval should be noted in the minutes. Given the significance of internal auditing to the organization's governance process, any recommendation to totally outsource (or to outsource a significant portion of) the internal audit activity should require approval of the board.
Considerations for Evaluating Outsourcing Alternatives

Available Resources
For a number of reasons, appropriate internal audit resources may be scarce or unavailable in certain situations. Whether selected as a temporary alternative or permanent solution, outsourcing may be necessary to acquire competent internal auditors and timely, professional internal auditing.

Size of the Organization
Both large and small organizations may need to take advantage of outsourcing alternatives. Common reasons include temporary staff shortages, specialty skill needs, coverage of remote business locations, special project work, and supplemental staff to meet tight deadlines. Also, small organizations may find it necessary to explore outsourcing due to the inability to hire permanent or full-time internal auditors.

Types of Outsourcing Alternatives
Organizations may need to define the types of outsourcing engagements or practices to be considered. Outsourcing alternatives include:
• Total outsourcing, where 100 percent of the internal audit services are obtained from external sources, usually on an ongoing basis.
• Partial outsourcing, where less than 100 percent of the internal audit services are obtained from external sources, usually on an ongoing basis.
• Co-sourcing, through which external resources participate on joint engagements with in-house internal audit staff. Engagements may be ongoing or for specific terms.
• Subcontracting, where a specific engagement or portion of some engagement is performed by an external party, typically for a limited time period. Management and oversight of the engagement normally is provided by in-house internal audit staff.

Law, Statute, or Regulation
Some companies may be prohibited by statute or regulation from outsourcing internal audit services to their external auditors.
The IIA believes that even if allowed by law or statute, internal auditing should not be outsourced to the same external audit firm that audits the organization's financial statements as this would impair independence. Certain industries may be subject to regulatory guidance governing outsourcing arrangements. Appropriate research should be conducted in order to evaluate legal considerations related to outsourcing engagements.

Advantages and Disadvantages of Outsourcing
In addition to the considerations discussed above, an analysis of the advantages and disadvantages to outsourcing should be prepared. The extent and formality of the analysis, and subsequent reporting, should be commensurate with the degree or extent of outsourcing contemplated. Greater documentation and more formal reporting and approval should be obtained when a significant portion of the internal audit activities are outsourced. Although not all-inclusive, the following should be considered in the analysis:
• Independence of the external service providers
• Allegiance of in-house resources versus that of external service provider
• Professional standards followed by the external service provider
• Qualifications of the service provider
• Staffing — training, turnover, rotation of staff, management
• Flexibility in staffing resources to meet engagement needs or special requests
• Availability of resources
• Retention of institutional knowledge for future assignments
• Access to best practice or insight to alternative approaches
• Culture of the organization — receptiveness to external service providers
• Insight into the organization by the external service provider
• Coverage of remote locations
• Coordination with in-house internal auditing
• Coordination with external auditor
• Use of internal auditing as a training ground for internal promotions
• Retention, access to and ownership of workpapers
• Acquisition and availability of specialty skills
• Cost considerations
• Good standing membership in an appropriate professional organization

Contracts and Engagement Letters for Outsourcing Engagements
Consideration should be given to the content of contracts and engagement letters for outsourcing engagements. Deliverables, such as workpapers, reports, recommendations, conclusions, opinions, ratings, benchmarking information, and analyses (such as value added), should be considered. Deadlines, progress reports, access to staff for discussion of results, and follow-up should be addressed. Ownership of workpapers and use of results should be addressed. Restrictions or limitations, as well as strengths and additional benefits, should be evaluated. Compensation issues should be clearly defined.

Policy for Outsourcing Engagements
Some organizations may find it beneficial to adopt a policy or formal guidelines for contracting outsourcing engagements. Documentation and approval requirements can be addressed to facilitate arrangements for outsourced services. Additionally, organizations may wish to adopt or designate preferred provider relationships to facilitate efficient selection and procurement processes for acquisition of internal auditing.

IIA Guidance
Organizations should follow related IIA guidance, such as Practice Advisory 1210.A1-1, when obtaining external services to support or complement the internal audit activity. The guidance contained in this Practice Advisory also should be reviewed when performing the analysis to consider outsourcing alternatives.


The Institute of Internal Auditors
IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT
Issued: January 2009   Revised:   ERM PP   Page 1 of 8

Introduction
The importance to strong corporate governance of managing risk has been increasingly acknowledged.
Organizations are under pressure to identify all the business risks they face; social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level. Meanwhile, the use of enterprise-wide risk management frameworks has expanded, as organizations recognize their advantages over less coordinated approaches to risk management. Internal auditing, in both its assurance and its consulting roles, contributes to the management of risk in a variety of ways.

What is Enterprise-wide Risk Management?
People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the organization as a whole. The principles presented in this paper can be used to guide the involvement of internal auditing in all forms of risk management but we are particularly interested in enterprise-wide risk management because this is likely to improve an organization's governance processes.

Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Responsibility for ERM
The board has overall responsibility for ensuring that risks are managed. In practice, the board will delegate the operation of the risk management framework to the management team, who will be responsible for completing the activities below. There may be a separate function that co-ordinates and project-manages these activities and brings to bear specialist skills and knowledge. Everyone in the organization plays a role in ensuring successful enterprise-wide risk management but the primary responsibility for identifying risks and managing them lies with management.
Benefits of ERM
ERM can make a major contribution towards helping an organization manage the risks to achieving its objectives. The benefits include:
■ Greater likelihood of achieving those objectives;
■ Consolidated reporting of disparate risks at board level;
■ Improved understanding of the key risks and their wider implications;
■ Identification and sharing of cross business risks;
■ Greater management focus on the issues that really matter;
■ Fewer surprises or crises;
■ More focus internally on doing the right things in the right way;
■ Increased likelihood of change initiatives being achieved;
■ Capability to take on greater risk for greater reward; and
■ More informed risk-taking and decision-making.

The activities included in ERM
■ Articulating and communicating the objectives of the organization;
■ Determining the risk appetite of the organization;
■ Establishing an appropriate internal environment, including a risk management framework;
■ Identifying potential threats to the achievement of the objectives;
■ Assessing the risk (i.e. the impact and likelihood of the threat occurring);
■ Selecting and implementing responses to the risks;
■ Undertaking control and other response activities;
■ Communicating information on risks in a consistent manner at all levels in the organization;
■ Centrally monitoring and coordinating the risk management processes and the outcomes; and
■ Providing assurance on the effectiveness with which risks are managed.

Providing assurance on ERM
One of the key requirements of the board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. It is likely that assurance will come from different sources. Of these, assurance from management is fundamental. This should be complemented by the provision of objective assurance, for which the internal audit activity is a key source.
Other sources include external auditors and independent specialist reviews. Internal auditors will normally provide assurances on three areas:
■ Risk management processes, both their design and how well they are working;
■ Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them; and
■ Reliable and appropriate assessment of risks and reporting of risk and control status.

The role of internal auditing in ERM
Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management. Indeed, research has shown that board directors and internal auditors agree that the two most important ways that internal auditing provides value to the organization are in providing objective assurance that the major business risks are being managed appropriately and providing assurance that the risk management and internal control framework is operating effectively.¹

¹ The Value Agenda, Institute of Internal Auditors — UK and Ireland and Deloitte & Touche 2003

Figure 1 presents a range of ERM activities and indicates which roles an effective professional internal audit activity should and, equally importantly, should not undertake. The key factors to take into account when determining internal auditing's role are whether the activity raises any threats to the internal audit activity's independence and objectivity and whether it is likely to improve the organization's risk management, control and governance processes.

Figure 1 — Internal auditing's role in ERM
[Figure not reproduced in the scan. Column headings: Legitimate internal audit roles / Internal audit roles with safeguards / Roles internal audit should not undertake]

The activities on the left of Figure 1 are all assurance activities. They form part of the wider objective of giving assurance on risk management.
An internal audit activity complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities.
Internal auditing may provide consulting services that improve an organization's governance, risk management, and control processes. The extent of internal auditing's consulting in ERM will depend on the other resources, internal and external, available to the board and on the risk maturity² of the organization, and it is likely to vary over time. Internal auditors' expertise in considering risks, in understanding the connections between risks and governance and in facilitation means that the internal audit activity is well qualified to act as champion and even project manager for ERM, especially in the early stages of its introduction. As the organization's risk maturity increases and risk management becomes more embedded in the operations of the business, internal auditing's role in championing ERM may reduce. Similarly, if an organization employs the services of a risk management specialist or function, internal auditing is more likely to give value by concentrating on its assurance role than by undertaking the consulting activities. However, if internal auditing has not yet adopted the risk-based approach represented by the assurance activities on the left of Figure 1, it is unlikely to be equipped to undertake the consulting activities in the center.
Consulting roles
The center of Figure 1 shows the consulting roles that internal auditing may undertake in relation to ERM. In general, the further to the right of the dial that internal auditing ventures, the greater are the safeguards that are required to ensure that its independence and objectivity are maintained.
Some of the consulting roles that the internal audit activity may undertake are:
■ Making available to management tools and techniques used by internal auditing to analyze risks and controls;
■ Being a champion for introducing ERM into the organization, leveraging its expertise in risk management and control and its overall knowledge of the organization;
■ Providing advice, facilitating workshops, coaching the organization on risk and control and promoting the development of a common language, framework and understanding;
■ Acting as the central point for coordinating, monitoring and reporting on risks; and
■ Supporting managers as they work to identify the best way to mitigate a risk.
The key factor in deciding whether consulting services are compatible with the assurance role is to determine whether the internal auditor is assuming any management responsibility. In the case of ERM, internal auditing can provide consulting services so long as it has no role in actually managing risks — that is management's responsibility — and so long as senior management actively endorses and supports ERM. We recommend that, whenever the internal audit activity acts to help the management team to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these services to members of the management team.
² The IIA-UK and Ireland Position Statement on Risk Based Internal Auditing, 2003
Safeguards
Internal auditing may extend its involvement in ERM, as shown in Figure 1, provided certain conditions apply. The conditions are:
■ It should be clear that management remains responsible for risk management.
■ The nature of internal auditors' responsibilities should be documented in the internal audit charter and approved by the audit committee.
■ Internal auditing should not manage any of the risks on behalf of management.
■ Internal auditing should provide advice, challenge and support to management's decision making, as opposed to taking risk management decisions itself.
■ Internal auditing cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
■ Any work beyond the assurance activities should be recognized as a consulting engagement and the implementation standards related to such engagements should be followed.
Skills and body of knowledge
Internal auditors and risk managers share some knowledge, skills and values. Both, for example, understand corporate governance requirements; have project management, analytical and facilitation skills; and value having a healthy balance of risk rather than extreme risk-taking or avoidance behaviors. However, risk managers as such serve only the management of the organization and do not have to provide independent and objective assurance to the audit committee. Nor should internal auditors who seek to extend their role in ERM underestimate the risk managers' specialist areas of knowledge (such as risk transfer and risk quantification and modeling techniques), which are outside the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit activity and cannot be obtained from elsewhere.
Conclusion
Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of the board. Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach.
Internal auditing's core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management. When internal auditing extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal auditing will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal auditing.
Definition of terms
Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
Board: A board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non-profit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.
Champion: Someone who supports and defends a person or cause. Therefore, a champion of risk management will promote its benefits, educate an organization's management and staff in the actions they need to take to implement it and will encourage them and support them in taking those actions.
Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Enterprise: Any organization established to achieve a set of objectives.
Enterprise-wide risk management (ERM): A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.
Facilitating: Working with a group (or individual) to make it easier for that group (or individual) to achieve the objectives that the group has agreed for the meeting or activity. This involves listening, challenging, observing, questioning and supporting the group and its members. It does not involve doing the work or taking decisions.
Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Risk Appetite: The level of risk that an organization is willing to accept.
Risk Management Framework: The totality of the structures, methodology, procedures and definitions that an organization has chosen to use to implement its risk management processes.
Risk Management Processes: Processes to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization's objectives.
Risk Maturity: The extent to which a robust risk management approach has been adopted and applied, as planned, by management across the organization to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organization's objectives.
Risk Responses: The means by which an organization elects to manage individual risks. The main categories are to tolerate the risk; to treat it by reducing its impact or likelihood; to transfer it to another organization; or to terminate the activity creating it. Internal controls are one way of treating a risk.
Copyright
The copyright of this paper is jointly held. For permission to reproduce in the UK or Ireland, please contact IIA-UK and Ireland at technical@iia.org.uk. For permission to reproduce elsewhere, please contact The Institute of Internal Auditors at guidance@theiia.org.

JANUARY 2013
The Institute of Internal Auditors
TABLE OF CONTENTS
Introduction .......... 1
Before the Three Lines: Risk Management Oversight and Strategy-Setting .......... 2
The First Line of Defense: Operational Management .......... 3
The Second Line of Defense: Risk Management and Compliance Functions .......... 4
The Third Line of Defense: Internal Audit .......... 5
External Auditors, Regulators, and Other External Bodies .......... 6
Coordinating The Three Lines of Defense .......... 6
THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL
In twenty-first century businesses, it's not uncommon to find diverse teams of internal auditors, enterprise risk management specialists, compliance officers, internal control specialists, quality inspectors, fraud investigators, and other risk and control professionals working together to help their organizations manage risk.
Each of these specialties has a unique perspective and specific skills that can be invaluable to the organizations they serve, but because duties related to risk management and control are increasingly being split across multiple departments and divisions, duties must be coordinated carefully to assure that risk and control processes operate as intended. It's not enough that the various risk and control functions exist — the challenge is to assign specific roles and to coordinate effectively and efficiently among these groups so that there are neither "gaps" in controls nor unnecessary duplications of coverage. Clear responsibilities must be defined so that each group of risk and control professionals understands the boundaries of their responsibilities and how their positions fit into the organization's overall risk and control structure.
The stakes are high. Without a cohesive, coordinated approach, limited risk and control resources may not be deployed effectively, and significant risks may not be identified or managed appropriately. In the worst cases, communications among the various risk and control groups may devolve to little more than an ongoing debate about whose job it is to accomplish specific tasks.
The problem can exist at any organization, regardless of whether a formal enterprise risk management framework is used. Although risk management frameworks can effectively identify the types of risks that modern businesses must control, these frameworks are largely silent about how specific duties should be assigned and coordinated within the organization.
IIA POSITION PAPER: THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL / 1
Fortunately, best practices are emerging that can help organizations delegate and coordinate essential risk management duties with a systematic approach.
The Three Lines of Defense model provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives, and it is appropriate for any organization — regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, the Three Lines of Defense model can enhance clarity regarding risks and controls and help improve the effectiveness of risk management systems.
BEFORE THE THREE LINES: RISK MANAGEMENT OVERSIGHT AND STRATEGY-SETTING
In the Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three "lines" plays a distinct role within the organization's wider governance framework.
[Figure: The Three Lines of Defense Model; label recovered: Senior Management. Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41. Figure not reproduced.]
Although neither governing bodies nor senior management are considered to be among the three "lines" in this model, no discussion of risk management systems could be complete without first considering the essential roles of both governing bodies (i.e., boards of directors or equivalent bodies) and senior management. Governing bodies and senior management are the primary stakeholders served by the "lines," and they are the parties best positioned to help ensure that the Three Lines of Defense model is reflected in the organization's risk management and control processes.
Senior management and governing bodies collectively have responsibility and accountability for setting the organization's objectives, defining strategies to achieve those objectives, and establishing governance structures and processes to best manage the risks in accomplishing those objectives. The Three Lines of Defense model is best implemented with the active support and guidance of the organization's governing body and senior management.
THE FIRST LINE OF DEFENSE: OPERATIONAL MANAGEMENT
The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:
• Functions that own and manage risks.
• Functions that oversee risks.
• Functions that provide independent assurance.
As the first line of defense, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
Operational management naturally serves as the first line of defense because controls are designed into systems and processes under the guidance of operational management. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdowns, inadequate processes, and unexpected events.
THE SECOND LINE OF DEFENSE: RISK MANAGEMENT AND COMPLIANCE FUNCTIONS
In a perfect world, perhaps only one line of defense would be needed to assure effective risk management. In the real world, however, a single line of defense often can prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defense controls. The specific functions will vary by organization and industry, but typical functions in this second line of defense include:
• A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization.
• A compliance function to monitor various specific risks such as noncompliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management, and in some business sectors, directly to the governing body. Multiple compliance functions often exist in a single organization, with responsibility for specific types of compliance monitoring, such as health and safety, supply chain, environmental, or quality monitoring.
• A controllership function that monitors financial risks and financial reporting issues.
Management establishes these functions to ensure the first line of defense is properly designed, in place, and operating as intended. Each of these functions has some degree of independence from the first line of defense, but they are by nature management functions. As management functions, they may intervene directly in modifying and developing the internal control and risk systems.
Therefore, the second line of defense serves a vital purpose but cannot offer truly independent analyses to governing bodies regarding risk management and internal controls. The responsibilities of these functions vary with their specific nature, but can include:
• Supporting management policies, defining roles and responsibilities, and setting goals for implementation.
• Providing risk management frameworks.
• Identifying known and emerging issues.
• Identifying shifts in the organization's implicit risk appetite.
• Assisting management in developing processes and controls to manage risks and issues.
• Providing guidance and training on risk management processes.
• Facilitating and monitoring implementation of effective risk management practices by operational management.
• Alerting operational management to emerging issues and changing regulatory and risk scenarios.
• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.
THE THIRD LINE OF DEFENSE: INTERNAL AUDIT
Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. The scope of this assurance, which is reported to senior management and to the governing body, usually covers:
• A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts.
• All elements of the risk management and internal control framework, which includes: internal control environment; all elements of an organization's risk management framework (i.e., risk identification, risk assessment, and response); information and communication; and monitoring.
• The overall entity, divisions, subsidiaries, operating units, and functions — including business processes, such as sales, production, marketing, safety, customer functions, and operations — as well as supporting functions (e.g., revenue and expenditure accounting, human resources, purchasing, payroll, budgeting, infrastructure and asset management, inventory, and information technology).
Establishing a professional internal audit activity should be a governance requirement for all organizations. This is not only important for larger and medium-sized organizations but also may be equally important for smaller entities, as they may face equally complex environments with a less formal, robust organizational structure to ensure the effectiveness of their governance and risk management processes.
Internal audit actively contributes to effective organizational governance providing certain conditions — fostering its independence and professionalism — are met. Best practice is to establish and maintain an independent, adequately and competently staffed internal audit function, which includes:
• Acting in accordance with recognized international standards for the practice of internal auditing.
• Reporting to a sufficiently high level in the organization to be able to perform its duties independently.
• Having an active and effective reporting line to the governing body.
EXTERNAL AUDITORS, REGULATORS, AND OTHER EXTERNAL BODIES
External auditors, regulators, and other external bodies reside outside the organization's structure, but they can have an important role in the organization's overall governance and control structure. This is particularly the case in regulated industries, such as financial services or insurance. Regulators sometimes set requirements intended to strengthen the controls in an organization and on other occasions perform an independent and objective function to assess the whole or some part of the first, second, or third line of defense with regard to those requirements. When coordinated effectively, external auditors, regulators, and other groups outside the organization can be considered as additional lines of defense, providing assurance to the organization's shareholders, including the governing body and senior management. Given the specific scope and objectives of their missions, however, the risk information gathered is generally less extensive than the scope addressed by an organization's internal three lines of defense.
COORDINATING THE THREE LINES OF DEFENSE
Because every organization is unique and specific situations vary, there is no one "right" way to coordinate the Three Lines of Defense. When assigning specific duties and coordinating among risk management functions, however, it can be helpful to keep in mind the underlying role of each group in the risk management process.
Risk Owners/Managers: operating management
Risk Control and Compliance: limited independence; reports primarily to management
Risk Assurance: internal audit; greater independence; reports to governing body
All three lines should exist in some form at every organization, regardless of size or complexity. Risk management normally is strongest when there are three separate and clearly identified lines of defense. However, in exceptional situations that develop, especially in small organizations, certain lines of defense may be combined. For example, there are instances where internal audit has been requested to establish and/or manage the organization's risk management or compliance activities. In these situations, internal audit should communicate clearly to the governing body and senior management the impact of the combination. If dual responsibilities are assigned to a single person or department, it would be appropriate to consider separating the responsibility for these functions at a later time to establish the three lines.
Regardless of how the Three Lines of Defense model is implemented, senior management and governing bodies should clearly communicate the expectation that information be shared and activities coordinated among each of the groups responsible for managing the organization's risks and controls. Under the International Standards for the Professional Practice of Internal Auditing, chief audit executives are specifically required to "share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts."
RECOMMENDED PRACTICES:
• Risk and control processes should be structured in accordance with the Three Lines of Defense model.
• Each line of defense should be supported by appropriate policies and role definitions.
• There should be proper coordination among the separate lines of defense to foster efficiency and effectiveness.
• Risk and control functions operating at the different lines should appropriately share knowledge and information to assist all functions in better accomplishing their roles in an efficient manner.
• Lines of defense should not be combined or coordinated in a manner that compromises their effectiveness.
• In situations where functions at different lines are combined, the governing body should be advised of the structure and its impact.
• For organizations that have not established an internal audit activity, management and/or the governing body should be required to explain and disclose to their stakeholders that they have considered how adequate assurance on the effectiveness of the organization's governance, risk management, and control structure will be obtained.
About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's acknowledged leader, chief advocate, and principal educator.
Position Papers
Position Papers are part of The IIA's International Professional Practices Framework (IPPF), the conceptual framework that organizes authoritative guidance promulgated by The IIA.
A trustworthy global, guidance-setting body, The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and strongly recommended guidance. Position papers are part of the Strongly Recommended category of guidance; compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues, and delineating the related roles and responsibilities of internal auditing. For other authoritative guidance materials provided by The IIA, please visit our website at www.globaliia.org/standards-guidance.
Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.
Copyright
Copyright 2011 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.
Global Headquarters
247 Maitland Avenue, Altamonte Springs, Florida 32701, USA
T +1-407-937-1111
F +1-407-937-1101
W www.globaliia.org

Getting Started
When an external service provider is employed by an organization to serve as its internal audit activity, it is important that the external service provider understands the 1300 series of standards and can make the organization aware of its responsibility for maintaining a quality assurance and improvement program (QAIP) that covers all aspects of the internal audit activity.
The Institute of Internal Auditors | Global | www.globaliia.org | www.theiia.org
Implementation Guide 2070 / External Service Provider and Organizational Responsibility
The external service provider should ensure that the QAIP encompasses all aspects of internal audit operations and management, in accordance with the mandatory elements of the International Professional Practices Framework (IPPF) and best practices of the internal audit profession. The QAIP concludes on the quality of the internal audit activity and its services within the organization and may lead to recommendations for continuous improvement. The QAIP must include ongoing monitoring, periodic self-assessments, and external assessments conducted by a qualified independent party to support conformance with the International Standards for the Professional Practice of Internal Auditing (Standards) and The IIA's Code of Ethics. The implementation guides for the 1300 series of standards provide more information about QAIP requirements, including internal and external assessments, reporting results to the board and senior management, and use of "conforms with the International Standards for the Professional Practice of Internal Auditing."
Considerations for Implementation
When an organization outsources internal audit work, it is not released from the responsibility for maintaining an effective internal audit activity. Thus, even when the internal audit activity is outsourced, the organization maintains responsibility for ensuring that the internal audit activity performs its responsibilities effectively and efficiently and conforms with the Standards and that individual internal auditors conform with the Standards and the Code of Ethics. A QAIP, as required by Standard 1300 — Quality Assurance and Improvement Program, includes both internal and external assessments.
When an organization hires an external service provider to serve as the chief audit executive (CAE), that service provider must make the organization aware that the organization is responsible for maintaining an effective internal audit activity, which includes ensuring that the QAIP includes both internal and external assessments in conformance with the Standards. The CAE — or the external service provider hired to serve in the CAE's role — should ensure that the organization is aware of its responsibilities related to the QAIP. Typically, a contract (i.e., engagement letter) between the organization and the external service provider specifies the service provider's responsibilities and deliverables related to the QAIP. An external service provider hired to serve as the CAE and operate as the organization's outsourced internal audit activity may also meet with senior management and the board to discuss the organization's responsibilities and the nature and requirements of a QAIP. These requirements are articulated in the 1300 series of standards.
• Standard 1300 — Quality Assurance and Improvement Program explains that the CAE must develop and maintain a QAIP that encompasses all aspects of the internal audit activity. Where an external service provider assumes the role of CAE, the service provider may actually develop and maintain the QAIP if this is part of the contractual agreement. However, the hiring organization still maintains ultimate responsibility for the quality of the internal audit activity.
• Standard 1310 — Requirements of the Quality Assurance and Improvement Program stipulates that the QAIP must include both internal and external assessments.
• Standard 1311 — Internal Assessments states that the mandatory internal assessments must include both ongoing monitoring and periodic self-assessments. Where an internal audit activity is outsourced completely to an external service provider, ongoing monitoring and periodic self-assessments may be performed by the external service provider, in accordance with the contract.

• Standard 1312 — External Assessments explains the requirements for external assessments, including their form and frequency (at least once every five years) as well as the qualification and independence requirements for the external assessor or assessment team. It is important to note that in cases where the entire internal audit activity is outsourced to an external service provider, the scope of external assessments is based solely on the work conducted for the hiring organization. Additionally, the organization should ensure that the external assessor or assessment team selected to perform the external assessment meets independence requirements.

• Standard 1320 — Reporting on the Quality Assurance and Improvement Program outlines the CAE's responsibilities for communicating the results of the QAIP to senior management and the board. An external service provider hired to serve as the CAE and operate as the organization's outsourced internal audit activity typically meets with the board and senior management to discuss reporting requirements and expectations.

• Standard 1321 — Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing" indicates that the internal audit activity may only communicate — in writing or verbally — conformance with the Standards if results of the QAIP (including internal and external assessments) support such a statement.
• Standard 1322 — Disclosure of Nonconformance requires the CAE — or the external service provider hired to serve as CAE — to disclose to senior management and the board any instances where the internal audit activity does not conform with the Standards or the Code of Ethics and how the lack of conformance impacts the overall scope or operation of the internal audit activity.

Considerations for Demonstrating Conformance

Multiple documents may indicate conformance with Standard 2070. First, the contract (i.e., engagement letter) between the organization and the external service provider may offer evidence of the organization's responsibility related to maintaining a QAIP. The two primary products of these responsibilities are the documented QAIP and the results of internal and external assessments. For internal assessments, documentation typically consists of the results of ongoing monitoring efforts, as well as findings, corrective action plans, and corrective actions taken as a result of periodic internal assessments to improve conformance with the mandatory elements of the IPPF. Additionally, any documentation of actions taken to improve internal audit efficiency and effectiveness may help demonstrate conformance with the standard. For external assessments, documentation from the external assessor or assessment team, or written independent validation of a self-assessment, may be used to indicate conformance.

Agendas and minutes from meetings with senior management and the board may indicate that the external service provider communicated the organization's responsibilities related to maintaining an effective internal audit activity. Meeting records could also evidence that the CAE reported on QAIP results, as required by the Standards. Evidence of such communication could also include memos to file or other written documents.
Practice Guide: Reliance by Internal Audit on Other Assurance Providers

Table of Contents
Executive Summary
Introduction
Principles for Relying on the Work of Internal or External Assurance Providers
Relying on Internal Assurance Providers
Relying on External Assurance Providers
Appendix A: Services Provided by External Assurance Provider
Appendix B: Guide for Internal Auditors to Assess the Reliability of Other Assurance Providers
Glossary
About the Authors and Reviewers

Executive Summary

Chief audit executives (CAEs) are charged with providing assurance on the adequacy of governance, risk management, and related internal controls. This gives management and an organization's governing body, including the audit committee, an assessment of risk, governance, and control processes and practices across the organization, rather than a series of audit reports on individual areas of the organization.
Since the risk profile is in a perpetual state of change, internal audit functions are challenged in meeting this expectation using traditional, point-in-time, or cycle audit methods and resources. Ever-increasing compliance requirements and business complexity have driven companies to establish or procure other risk management and assurance functions. They are charged with measuring and reporting risk, identifying control gaps, tracking remediation, and concluding whether control processes are operating effectively in specific areas. Examples of internal assurance providers include environmental compliance groups, quality management functions that focus on manufacturing activities, internal control teams that assess controls over financial reporting, and IT governance groups. External assurance providers are often engaged to communicate an opinion to another auditor regarding specific control objectives operated by a service provider. These activities provide assurance on the areas they assessed and recommendations to strengthen the related controls, often in areas that are within the scope of internal audit's work.

This practice guide provides guidance to the CAE and internal audit leadership on an approach for relying on the assurance provided by other internal or external assurance functions. A continuum of five principles determines the extent of reliance:

1. Purpose.
2. Independence and Objectivity.
3. Competence.
4. Elements of Practice.
5. Communication of Results and Remediation.

The principles are interdependent. To illustrate, the CAE would place higher value on assurance providers who commit to a common purpose, convey objective expertise, and practice rigor and monitoring to shorten the time to management action. The results of these other assurance providers can be integrated with the work of internal audit to communicate a comprehensive opinion to key stakeholders.
The guidance gives a process for valuing the work of others and assessing the reliability of assurance providers. In turn, good coordination attracts greater reliance on internal audit, decreasing the cost of compliance and increasing the efficiency of providing assurance.

Introduction

1.1 Introduction

Internal audit is charged by the International Standards for the Professional Practice of Internal Auditing (Standards) with providing assurance on the adequacy of governance, risk management, and related controls. In many organizations, management has established (or engaged a third party to provide) other assurance functions, such as in the areas of IT projects, manufacturing quality, environmental health and safety, controls over financial reporting, and other regulatory compliance. The purpose of this practice guide is to provide ideas and ways to leverage the work of other assurance providers, whether the assurance is provided internally within the organization or externally, to minimize duplication of work and disruption to the operation, provide enhanced coverage, and conserve audit resources for high-risk processes.

STANDARD 2050: COORDINATION
The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

An added value to the organization of coordinating the activities of the various assurance providers is limiting duplicate work. Multiple audits or examinations of the same risks and testing of the same controls by multiple assurance providers is an unnecessary burden on process owners and an inefficient use of resources. If one assurance provider, such as internal audit, can rely on the work of another, the value is clear.

1.2 Who are assurance providers?
IIA Practice Advisory 2050-2: Assurance Maps describes three classes of assurance providers, differentiated by the stakeholders they serve, their level of independence from the activities over which they provide assurance, and the robustness of that assurance:

A. Those who report to management and/or are part of management (management assurance), including individuals who perform control self-assessments, quality auditors, environmental auditors, and other management-designated assurance personnel.
B. Those who report to the board, including internal audit.
C. Those who report to external stakeholders (such as external audit assurance, which is a role traditionally fulfilled by the independent/statutory auditor).

The IIA defines assurance as an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes. The level of assurance desired, and who should provide that assurance, will vary depending on the risk and stakeholder expectations. The scope of the internal audit function covers the entire organization, including risk management processes (both their design and operating effectiveness), and the management of those risks classified as "key" or significant (including the effectiveness of the related controls).

1.3 Benefits

The IIA's Standards define an internal audit activity as: "A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes."

It is noteworthy that this definition emphasizes objective assurance and does not reference an expectation for delivering audit reports or ensuring compliance.
Traditionally, internal auditors spend a significant amount of time performing direct inspection audits, but there are other ways to provide assurance. The typical organization has a number of different groups who provide risk management, compliance, and assurance activities independently of one another. In many cases these groups are testing controls deeper and with greater frequency than the internal auditor. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged. By adopting a more integrated assurance model that includes the internal auditor relying on the work of others, several benefits accrue to the organization. These include:

• More precise assurance by involving greater subject matter expertise in audit activities. For example, reliance on an environmental compliance group with specialized knowledge and certifications in the field of environmental regulations may improve the level of insight into operations and the quality of assurance provided.
• Reduced redundancy of effort (audit once, audit well) and "audit fatigue" for the organization.
• Expanded coverage of the enterprise without increasing direct audit hours. (Reliance on others may allow internal audit to reduce the hours spent in that area and allocate them to other risk areas.)
• Shortened time to management action. For example, the other assurance provider may have continuous monitoring methods in place, or management may have integrated responses to issues detected by other assurance groups into routine business processes.
• Strategic collaboration, transparency, and better governance for meeting organizational objectives, resulting in predictable compliance. When all the groups involved in assurance cooperate and share information, insights, and best practices, the quality of the whole effort is likely to rise.
Reliance on other assurance groups may enable the CAE to redirect scarce audit resources to other areas of significant risk to the enterprise. For example, the audit plan may be expanded to include additional strategic risks, or risks in connection with mergers and acquisitions, major IT and other initiatives and capital programs, and research and development processes.

The IIA's Practice Guide, Coordinating Risk Management and Assurance, advises the CAE to help in the creation of an assurance map for the organization to create a more connected assurance and governance community. Assurance maps help identify duplication and overlap in assurance coverage, define scope boundaries and roles for various assurance providers, and determine gaps in assurance coverage that need to be addressed.

1.4 Risk

Relying on other assurance providers, however, can add audit risks such as:

• Missing a control weakness or deficiency and reaching the wrong conclusion due to defects in the work or coverage of the other assurance provider.
• Failing to identify issues that are not shared by the other assurance provider due to their lack of independence from management.
• Raising as an exception and issuing a matter out of context that would not ordinarily be considered significant by internal audit, due to differences in risk assessment processes.

Since external and internal assurance providers and the internal auditor may have different purposes, it is important to manage expectations beforehand regarding the purpose of the review, the objectivity and competence of the evaluator, the rigor of the assessment and testing processes, and the timeliness of the conclusion.

1.5 Opportunity

Other sources or forms of assurance can advance innovative models for communicating assurance as an alternative to the traditional inspect-and-report model.
Practices such as continuous monitoring, self-reported issues, and macro-assurance planning are designed to assess and strengthen internal controls by identifying issues promptly and reducing the time to management action:

• Continuous Monitoring: Monitoring controls to detect potential failures, or transactions to identify possible errors and defects, enables management to see and respond to risk early, as it emerges. Continuous monitoring reduces the time to action, sustains the resolution, and extends assurance. When management has continuous monitoring practices in place, internal audit may be able to assess the programs and then rely on them as part of a continuous auditing or assurance program.
• Self-reported Issues: This practice empowers management to raise issues and track remediation to advance corrective action. Internal auditors gain comfort when management promptly addresses root causes for the self-reported issues.
• Macro-assurance: Pervasive themes can be highlighted by comparing and trending common issues raised by the governance community. Coordinating principle-based assessments performed by other assurance providers in sequence with internal audit engagements could give an over-arching macro-opinion across multiple entities or processes.

In addition, efficiency and effectiveness of overall assurance activities may be improved when common tools are used by the internal auditor and other assurance providers. For example, multiple assurance functions can use an integrated platform to manage the assessment process, share results, and track remediation of significant issues. The sharing of schedules and plans, and the results of assessments, can avoid duplicate work. It also can highlight areas of increased risk.
For example, multiple compliance issues raised by other assurance groups (such as noncompliance with trade compliance regulations) may indicate a need to address entity-level controls (such as the availability of experts in trade compliance regulations).

Principles for Relying on the Work of Internal or External Assurance Providers

2.1 Prior Guidance

The CAE can look to several authoritative sources for guidance on how the internal auditor may rely on the work of others. The IIA's Practice Guide, Formulating and Expressing Internal Audit Opinions (April 2009), defines other assurance providers and provides guidance for a CAE to assess their competency, independence, and objectivity. According to The IIA's Practice Advisory 2050-3: Relying on the Work of Other Assurance Providers, the decision to rely on the work of other assurance providers can be made for a variety of reasons:

• To address areas falling outside of the competence of the internal audit activity.
• To gain knowledge transfer from other assurance providers.
• To efficiently enhance coverage of risk beyond the audit plan.

2.2 Five Principles in Determining Reliance

The extent of reliance to be placed on the other internal or external assurance providers depends on the following five principles:

1. Purpose: The assurance provider is clear in purpose and committed to providing assurance on a specified risk area, and their work is relevant to internal audit's objectives and scope. This is a fundamental principle which must be in place before proceeding further with an evaluation to determine reliability. For internal providers, the purpose should be established in a charter or other similar documentation. For external providers this should be provided for in a contract or statement of work.

2. Independence & Objectivity: The professional judgment of the assurance provider is impartial, without inappropriate interference from others.
The assurance provider should demonstrate a sufficient degree of objectivity in the course of its work. Although internal assurance providers often report to management and thus are not truly independent, they can be relied on when they demonstrate appropriate objectivity and competence.

3. Competence: The assurance provider is knowledgeable of the risks to the organizational processes, how controls are designed to operate in response to the risks, and what constitutes a weakness or deficiency. Characteristics of proficiency for internal or external assurance providers include organizational process expertise, education level, professional experience, relevant professional certifications, continuing education, and the assurance provider's reputation for sound judgment.

4. Elements of Practice: The assurance provider has established policies, programs, and procedures and follows them. In execution, assurance work is appropriately planned, supervised, documented, and reviewed. Results are based on persuasive evidence sufficient to support the level of assurance. They also should have the authority to access sufficient information to reach a conclusion.

5. Communication of Results & Impactful Remediation: The assurance provider communicates results and ensures management takes timely action. Weaknesses and deficiencies are reported to the person directly responsible for taking corrective actions and to the members of management that have oversight responsibilities. Ongoing monitoring ensures the resolution is sustained as intended. Rigorous process and persuasive, reliable communication result in prompt corrective action. In turn, management action validates an effective assurance process that internal audit can place greater reliance on.

The application of these principles is further described in the guide's reliance diagram (not reproduced here); its upward arrows depict a continuum.
As the assurance provider puts these principles into practice, the CAE can place higher reliance on the provider's work.

Purpose: When the assurance provider is committed and its purpose is aligned with internal audit's objectives, auditors will find the work more relevant.

Objectivity: The assurance provider can demonstrate credibility and deliver value to the internal auditor even where independence is lacking. The assurance provider's competence, elements of practice, and impact are key factors in balancing lower objectivity and establishing reliance.

Competence: Assurance providers can bring a high level of expertise relevant to the specific business process while exercising sufficient objectivity. Although internal auditors provide a high degree of objectivity, they may not have the depth of knowledge needed to provide the desired level of assurance in certain organizational processes or technical areas.

Elements of Practice: The external and internal assurance providers' discipline to practice standard procedures is directly related to their capability for timely and persuasive conclusions. Consistency and rigor in practice should raise the internal auditor's confidence in the assurance provider's work.

Impact: Internal assurance providers who are in close proximity to the business process may communicate risk and influence management to remediate control deficiencies quickly, perhaps more quickly than would a traditional internal audit. By monitoring risk and responding promptly, internal assurance providers may shorten the time to management action.

These principles are interdependent and operate at different levels, proportionate to risk. The internal auditor must evaluate each of these principles in relation to each other and to the overall risk of the relevant processes to arrive at a decision on whether to rely, and how much to rely, on another source of assurance provided outside of internal audit.
For example, an assurance activity that has a clear purpose and is found to be objective and competent, but does not effectively communicate results or effect constructive change, would likely lead the CAE to rely on it to a much lesser extent. It also is important to note the positive role the internal audit function can play in raising the performance bar for other assurance providers through sharing of best practices and insight into risk management, controls, and audit principles.

Relying on Internal Assurance Providers

3.1 Who are Internal Assurance Providers?

Internal assurance providers (other than the independent internal audit function) are groups that may report to the board, report to management, or are part of management. These members of the governance community may conduct control self-assessments, continuous monitoring and compliance inspections, quality audits, or a variety of other activities by other names which are designed to provide assurance of achievement of some key organizational objectives or requirements. Organizationally, these individuals and groups may report to the legal department (common for regulatory compliance functions); finance (common for financial reporting control-focused or regulatory compliance functions); information security (common for security functions under the chief information officer); environmental, health and safety; or to any operational unit that has decided to invest in a compliance program. All of these are groups the CAE should consider when developing audit plans with the potential to rely on their work.

3.2 Considerations for Internal Assurance Provider

The International Auditing and Assurance Standards Board (IAASB) is an independent standard-setting body that issues the International Standards on Auditing (ISAs), with the objective of establishing globally accepted auditing standards based on clear principles.
The IAASB gives guidance on using the work of component auditors, internal auditors, and auditor's experts in International Standards on Auditing (ISA) Nos. 600, 610, and 620, respectively. ISA 610 describes the following factors that primarily affect the external auditor's determination for using the work of internal auditors:

• Objectivity.
• Technical competence.
• Due professional care.
• Regular communication.

ISA 620, Using the Work of an Auditor's Expert, names competence, capability, and objectivity as essential factors when considering reliance on the work of others' expertise. Competence relates to the nature and level of expertise of the auditor's expert. Capability relates to the ability to exercise that competence in carrying out the engagement. Objectivity relates to the possible effects that bias, conflict of interest, or the influence of others may have on the expert's judgment.

Similarly, the U.S. Public Company Accounting Oversight Board (PCAOB), a private corporation that oversees the auditors of public companies in the United States, has provided guidance to external auditors on relying on the work of others [1]. The same principles and considerations should be applied in relation to internal audit relying on the work of others. The level of reliance should be based on a careful evaluation of the competence, practices, and objectivity of the persons on whose work the auditor plans to rely. A higher degree of competence and objectivity results in greater reliance. For purposes of relying on the work of others, the PCAOB defines competence as the attainment and maintenance of a level of understanding and knowledge that enables a person to perform assigned tasks. Objectivity means the ability to perform those tasks impartially and with intellectual honesty. When assessing the internal assurance provider's competence, the CAE should evaluate such factors as:

• Educational level and professional experience of staff.
• Professional certification and continuing education.
• Audit policies, programs, and procedures.
• Supervision and review of staff activities.
• Quality of workpaper documentation, reports, and recommendations.
• Evaluation of staff performance.

[1] Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, PCAOB Release No. 2007-005A; AU Section 322 — The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements.

Assessing the objectivity of other assurance providers can be a challenge, as most of these groups report to management and not to an independent body such as the audit committee of the board of directors, supervisory board, or head of an agency. There are several factors the CAE may consider when determining if the assurance group demonstrates sufficient objectivity to be relied on:

• The reporting lines for the other assurance group and the level of management to which they report.
• Whether the scope of work, including the tests performed or the assessment and reporting of the other assurance provider, is inappropriately influenced by management.
• Policies and practices preventing the assurance provider from auditing areas where the individuals involved have current or recent operational responsibilities.
• The internal auditor's assessment of the quality of work performed by the assurance function, including fact-based conclusions, reporting, and follow-up to identified issues.

3.3 Know When to Rely and Not to Rely

Before investing any significant time in evaluating a particular internal assurance function, the CAE can consider some key factors to determine the extent of potential reliance. These include:

• A charter or similar statement of clear objectives and well-defined responsibilities.
• Objective reporting relationships and/or conflicting operational duties.
• Sufficient expertise regarding the organizational process and risk.
• Disciplined, repeatable processes.
• Communication of results, risks, or control concerns and remediation tracking.

It also is critical to understand the scope of assurance work performed by an internal assurance provider and how it may fit into the internal auditor's assurance objectives and audit plans. Even though internal audit can bring value to the enterprise through objective quality reviews of internal assurance and compliance functions, there is limited value if this work does not extend coverage and help the CAE provide greater assurance to its stakeholders.

3.4 A Process for Relying on the Work of Others

The internal auditor should develop a consistent process for how it will place reliance on the work of others. The following is a basic approach that has been successful for some internal audit functions. It involves the basic steps of identification, evaluation, adjustment, and monitoring.

Identify — Locate internal assurance groups and determine maturity and priority based on preliminary assessment. In large, complex enterprises this can be a challenge. If an organization has an enterprise risk management process, this can be a good single source for identifying additional groups. As other assurance providers are identified, the internal auditor also must consider how their scope fits into internal audit's own view of the overall risk and control environment and the potential benefits for integrating these assurance activities. Priorities should be based on a measurable value to the organization. This value includes expanding coverage and minimizing fatigue caused by redundant audit activities.

Evaluate — Perform an evaluation of individual groups to determine the extent the internal auditor can rely on the work of others.
This is the most critical and time-consuming phase of the reliance model, where internal audit carefully considers the competency and objectivity of the assurance work performed by others. This evaluation also can bring value to the enterprise by providing recommendations to improve the effectiveness of assurance activities. As the evaluation is concluded, there should be a clear communication of how internal audit intends to use the assurance work on an ongoing basis. Additional guidance is provided below on how to evaluate the assurance provider.

Adjust — Modify audit plans and scope to eliminate duplicative testing and expand risk coverage. To realize the full value from a more integrated assurance model, careful consideration must be given to how these other activities can be used to bolster the independent assurance internal audit provides management, and where there are opportunities to reduce internal audit's own testing. Internal audit should communicate expectations, objectives, and responsibilities in a memorandum of understanding with other assurance providers regarding the portion of their work that will be relied on.

Monitor — Maintain close communication with each group, sharing risk assessments, audit plans, and results. It is important to establish a strong communication and sharing protocol following the evaluation of the assurance providers. This will help ensure the most efficient and effective use of internal audit resources as well as maintain confidence in relying on the work of the other providers. A re-evaluation of the assurance providers should be performed on a periodic basis (see section 3.6).

3.5 Reliance Continuum: Levels of Value

The value the internal auditor can derive from an effective partnership with other assurance groups will vary.
There is a continuum of reliance: at one end of the spectrum the auditor determines that the work of the other assurance provider is useful but places little reliance on it; at the other end the assurance provider is fully relied on.

At a minimum, an effective assurance or compliance function should be regularly assessing and communicating risk for its area of responsibility. If the risk assessment process is determined to be sound, it can provide valuable information to help the internal auditor develop audit plans and priorities.

More robust assurance functions, which begin to incorporate periodic testing of controls, may allow the internal auditor to rely on their conclusions at a particular point in time. As these assessments become more frequent and extensive, the internal auditor may be able to place more reliance and further reduce the depth or frequency of its own testing.

Finally, where an effective assurance program is coupled with reliable monitoring mechanisms embedded at the control level, the internal auditor may place the maximum degree of reliance and confidence in the activity.

3.6 Importance of Periodic Evaluation of the Other Assurance Provider

Where internal audit will rely to any measurable extent on the work of other assurance providers, regular assessments should be made of the assurance providers' programs. This is a critical element for internal audit to include in any reliance model to mitigate the risks described earlier (see section 1.4). These assessments should address the continued adequacy of the assurance providers':
• Objectivity.
• Competence.
• Practices.
• Communication that enacts change.

The assessment should include performing tests sufficient to provide objective evidence supporting the reliance placed by internal audit.
Opportunities for improving the work of the other assurance provider should be reported, consistent with standard internal audit practices.

Considerations for the CAE: A Case Study

Complex and business-critical processes compel an approach for relying on other assurance providers:

A global provider of computer products and services relies on a complex and multichannel sales process involving thousands of third-party distributors around the world. Effectively managing this mix of sales channels can be a competitive advantage and is essential for the long-term success of the business. Management has implemented numerous control processes to mitigate a range of risks inherent in this area. Some examples of risk include compliance (e.g., doing business with restricted parties), financial (e.g., unprofitable sales discounting), and operational (e.g., non-standard and inefficient processes). Based on management's assessment of the risks and identified control weaknesses, management has invested in a compliance program that includes regular self-assessments by trained, objective assessors outside of internal audit, who test the operating effectiveness of key controls, report findings, and recommend corrective actions.

Internal audit provided consultation to help management develop the control framework and key compliance program elements with the intent to rely on this work. This model promoted management ownership of risk and control and more frequent monitoring and testing of controls than the internal audit function could realistically provide due to resource constraints and other enterprise risks to be monitored. Once the compliance program was implemented and stabilized, internal audit performed a review to validate that it was operating as intended, providing factual and objective assurance and driving positive change in the business.
As part of the review, internal audit also connected the compliance program scope with the audit plan and determined how and when the work would be leveraged, and agreed with management on how the two groups would communicate on a regular basis, share information, and collaborate to form a trusted partnership. Internal audit has significantly reduced the frequency and depth of its control testing, which is now covered by management's compliance process, and has been able to focus on other areas historically not audited, such as product lifecycle management, strategic sourcing, and IT project management.

Relying on the Work of External Assurance Providers

4.1 Introduction

A wide variety of external groups provide assurance services to organizations worldwide to ensure that internal controls and risk management procedures are in place and operating effectively. External assurance providers also provide these services at third-party service organizations for the benefit of the service organization and their respective business clients. The purpose of this section is to examine some of the services offered by external assurance providers and discuss key areas that the CAE should consider before placing reliance on their work.

4.2 Who Are External Assurance Providers?

Common external assurance providers include public accounting firms, government auditor general offices, consulting companies, legal firms, security organizations, and internal audit departments of third-party service providers. The following provides a description of each.
Public accounting firms — provide many assurance services such as opining on the fairness and accuracy of financial statements; performing International Organization for Standardization (ISO) certification reviews to ensure that an organization conforms to the requirements specified in an ISO standard; conducting reviews of compliance with laws and regulations; assessing the effectiveness of internal controls over financial reporting; reporting on a service provider's privacy program and assessing the protection of personal information; and attest engagements covering system security, availability, processing integrity, confidentiality, and privacy.

Government auditor general offices — provide services similar to public accounting firms; however, they are usually government-appointed functions that report to the overall government rather than to shareholders. They provide many assurance services such as opining on the fairness and accuracy of financial statements; performing performance audits to give assurance that appropriate value for money is being achieved from various activities and projects; conducting reviews of compliance with laws and regulations; assessing the effectiveness of internal controls over financial reporting; and attest engagements covering system security, availability, processing integrity, confidentiality, and privacy.

Consulting companies — provide many services similar to those of public accounting firms mentioned above. However, they are not licensed or registered to issue an opinion on the fairness of financial statements.

Legal firms — provide services to help organizations and third-party service providers to assess compliance with various laws and regulations in jurisdictions where they do business. Legal firms also bring a wealth of knowledge when assisting organizations in completing privacy and legal risk assessments.
Security organizations — provide specialized assurance services such as validating compliance with requirements of the Payment Card Industry Data Security Standard (PCI-DSS) as a qualified security assessor (QSA), conducting network penetration assessments, and performing system vulnerability assessments for security patches, viruses, and fixes. They also provide services related to fraud and IT risk assessments.

The internal audit function of service providers — like other internal audit departments, provides many auditing and consulting services to ensure that internal controls are working effectively and efficiently, and verifies that management has programs in place to address significant IT infrastructure risk, application risk, and business process risk relevant to the organization.

Internal audit functions of user entities — often the service organization is contacted by the internal audit functions of its customers (user entities) to provide assurance regarding a particular service or organizational process, or to gain visibility throughout a specific time period. It's not unusual for the service organization to be audited by multiple user entities. Analyzing the audit results and issues raised through assessments conducted by user entities can provide the service organization with common themes, giving a unique view of its capability for carrying out control activities consistently.

Specific services provided by external assurance providers can be found in appendix A.

4.3 Considerations for the CAE When Relying on External Assurance Providers

It is important for management and the CAE to understand the relevance of assurance work completed by external assurance providers within the organization. It also is important for management and the CAE to have the same understanding if the organization is outsourcing key business processes to third-party service providers.
The CAE also must assess the impact their assurance work may have on the internal audit function. For information on the role of the CAE in sharing information and coordinating activities with other providers of assurance and consulting services, refer to The IIA's Practice Guide on Coordinating Risk Management and Assurance. Some common questions are outlined below, along with points for consideration:

1. Are the external assurance providers sufficiently qualified, objective, and independent to perform the necessary assurance work? How much reliance should the CAE place on the work of external assurance providers? The CAE should:
• Determine if the external assurance provider is subject to professional performance standards and guidance such as those prescribed by The IIA, the International Federation of Accountants (IFAC), the International Organization of Supreme Audit Institutions (INTOSAI), and other similar governing bodies.
• Ensure that the external assurance provider is in good standing with their respective governing body and place greater reliance on the work of compliant external assurance providers compared to those not subject to professional standards.
• Determine if the external assurance provider is subject to professional ethics requirements to ensure the assurance work is performed by qualified individuals, and done in an objective and independent manner.
• Confirm that due diligence was performed on the external assurance provider that includes background checks, financial stability, years in business, confidentiality agreement, references, and a review of resumes of the provider's engagement employees.
• Obtain evidence, as necessary, to confirm that the individuals performing the work meet competency and experience requirements, that the work is performed and supervised consistent with quality standards, and that the assessment and report are free from inappropriate influence from management. Consideration should be given to whether the assurance provider performs other consulting work for management which might influence their assurance activities, including whether there is either a real or perceived independence and objectivity issue.

2. What is the impact to the annual internal audit plan if the CAE either places reliance or does not place reliance on the work of external assurance providers? The CAE should:
• Be aware of the scope, objectives, and findings of the external assurance engagement to determine the impact to the annual audit plan.
• Determine if there is duplication of audit coverage as a result of the engagement. Alternatively, the CAE should determine if there are coverage gaps in the engagement that may require additional audit work by internal audit.
• If the engagement is performed at the organization, determine if there is an opportunity to co-source the engagement, or at a minimum, participate in the tracking of audit findings and resolutions.
• If the engagement was conducted by the organization's third-party service provider, reach out to the service provider to obtain information about the engagement.
• Consider the need for any preliminary audit work prior to the start of the engagement.

3. Do the objectives and scope of work performed by external assurance providers address key risks of the organization? The CAE should:
• Carefully review and understand the scope and objectives of the external assurance engagement before determining the impact it may have on internal audit.
• Keep in mind that an external assurance engagement typically will not cover all the business risks, key controls, and concerns.

4. Should internal audit complete additional assurance work to supplement the work of external assurance providers? An external assurance engagement typically will not cover all the risks and exposures related to the organization. As such, the CAE and internal audit may have to perform additional audit work based on its risk assessment.
• Consider the scope, objectives, and results of the engagement before finalizing any additional audit work.
• Before additional audit work at the organization's third-party service provider(s) is planned, identify the right-to-audit clauses contained in the service agreement with the service provider.

5. Should internal audit reperform audit work completed by external assurance providers?
• The level of expertise brought to the engagement and the rigor practiced by the other assurance provider will determine the extent of diligence conducted by internal audit to accept their audit work. In most cases internal audit would not reperform testing; rather, the CAE should conduct a suitable analysis to determine if the audit work completed was commensurate with the assertions as intended based on risk, scope, and competence of the external service providers.
• For specialist reviews like penetration and network vulnerability engagements or income tax consulting, the CAE should understand that this area is technical in nature, so the skill set of each auditor should include a solid background in network and information security, income taxes, or the relevant specialty.

6. Should the CAE pursue co-sourcing arrangements with external assurance providers?
• The CAE should consider separate (from management) co-sourcing arrangements with the external assurance provider that would provide the appropriate skill sets and add to the efficiency and effectiveness of the audit engagement.

Co-sourcing arrangements may include preliminary audit work prior to the start of the engagement, conducting some audit work during the engagement under the supervision of the external service provider, and completing post-audit work to validate ongoing compliance and remediation efforts.
Appendix

Appendix A: Services Provided by External Assurance Providers

The types of services offered by external assurance service providers include AICPA/CICA SysTrust, ISO/IEC 27002:2005 certifications, SSAE 16/ISAE 3402 reviews, internal audit co-sourcing, PCI-DSS assessments, network penetration security assessments, vulnerability management reviews, and many other types of services. A description of some of these common services follows:

AICPA/CICA SysTrust

For example, in North America, SysTrust is a branded assurance service offering licensed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), based on the Trust Services Principles and Criteria (Trust Services). Trust Services are professional attestation and advisory services based on principles and criteria that address risks and opportunities of IT-enabled systems and privacy programs. Specific areas covered in Trust Services guidance include:[2]
• Security — the system is protected against unauthorized access (both physical and logical).
• Availability — the system is available for operation and use as committed or agreed.
• Processing integrity — system processing is complete, accurate, timely, and authorized.
• Confidentiality — information designated as confidential is protected as committed or agreed.
• Privacy — personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

As a licensed offering, SysTrust engagements are conducted by certified public accountants (CPAs) or chartered accountants (CAs).
Many organizations, particularly third-party service providers, request this type of engagement to demonstrate to their clients that they are concerned about protecting the information assets entrusted to them, and addressing business risks and controls associated with complex IT systems. These reports also can be used by the service organization in marketing its services to potential clients/customers.

ISO/IEC 27002:2005

The ISO/IEC 27002:2005 — Code of Practice for information security management is one of a set of Information Security Management System (ISMS) standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Through the use of these standards, organizations can develop and implement a framework for managing the security of their information assets such as financial information, intellectual property, and customer and employee personal information. The ISMS family of standards consists of the following international standards, under the general title of Information technology — Security techniques:[3]
• ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary.
• ISO/IEC 27001:2005, Information security management systems — Requirements.
• ISO/IEC 27002:2005, Code of practice for information security management.
• ISO/IEC 27003, Information security management system implementation guidance.
• ISO/IEC 27004, Information security management — Measurement.
• ISO/IEC 27005:2008, Information security risk management.
• ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems.
• ISO/IEC 27007, Guidelines for information security management systems auditing.
• ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.

ISO/IEC 27002 provides guidance on the implementation of 11 commonly accepted security control objectives along with best practice controls that can be applied to achieve the objectives. The standard also includes comments on risk assessment and treatment. Specific areas covered in the standard include:
• Security policy.
• Organization of information security.
• Asset management.
• Human resources security.
• Physical and environmental security.
• Communications and operations management.
• Access control.
• Information systems acquisition, development, and maintenance.
• Information security incident management.
• Business continuity management.
• Compliance.

Many organizations, particularly third-party service providers, who have adopted the ISO/IEC 27002 information security management standard, choose to be certified compliant with the standard through a formal independent audit.

[2] Trust Services Principles and Criteria — An Overview, January 29, 2009, www.aicpa.org/InterestAreas/InformationTechnology/Resources-
[3] ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary, First edition 2009-05-01, ISO/IEC. This material is reproduced from ISO/IEC 27000:2009 with permission from the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this material may be copied or reproduced in any form, electronic retrieval system or otherwise, or made available on the Internet, a public network, by satellite or otherwise without the prior written consent of the ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org.
Third-party service providers often use this certification to demonstrate to current and future business clients that they have good security practices in place to protect the information assets that are entrusted to them. ISO does not audit or assess an organization to validate that its standards are being implemented in conformity with the requirements. An external independent certification body or ISO registrar conducts the audit to determine if the organization conforms to the requirements specified in the standard to obtain certification. There are numerous certification bodies (assurance service providers) worldwide that carry out certification assessments. External service providers performing this type of service include public accounting firms, consulting companies, and sole practitioners.

SSAE 16/ISAE 3402

Third-party assurance reviews are normally performed for organizations that process financial transactions for their clients or customers. The resulting report is typically used by internal and external auditors and can potentially reduce the amount of work required in their audits. The reports describe the service offerings and the control environment surrounding the processing of customer transactions.

ISAE 3402

The International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB) under the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization's system of internal control over financial reporting.[4] The effective date for this standard applies to periods ending on or after June 15, 2011.

[4] 2011 ISAE3402.com, http://isae3402.com/ISAE3402_overview.html

SSAE 16

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the AICPA in January 2010. SSAE 16 replaced Statement on Auditing Standards (SAS) No. 70, Service Organizations, as the authoritative guidance for reporting on controls at service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011.[5] SSAE 16 is based on the IAASB assurance standard for service auditors, ISAE 3402. It should be noted that the requirements for auditing the financial statements of entities that use service organizations remain in the auditing standards in a new SAS, Audit Considerations Relating to an Entity Using a Service Organization.

The AICPA is establishing three reporting options to provide a framework for CPAs to examine controls and to help management understand related risks. The Service Organization Control 1 (SOC 1) report addresses controls for financial statement audits with guidance provided by SSAE 16. SOC 2 reports on controls related to compliance or operations with guidance provided by Attestation Standard (AT) Section 101, Attest Engagements. Both SOC 1 and SOC 2 reports are restricted-use reports. SOC 3 reports are the same as a SOC 2 report but general use.

The AICPA SSAE 16 or ISAE 3402 allows for two types of reports:

Type I: Reports on controls placed in operation

A service auditor's report on a service organization's description of the controls that may be relevant to a user organization's internal controls, whether such controls were suitably designed to achieve specified control objectives, and whether they had been placed in operation as of a specific date.
These reports may be useful in providing a user auditor with an understanding of the controls necessary to plan the audit, as well as design effective tests of controls and substantive tests at the user organization. However, they are not intended to provide a basis for reducing assessments of control risk below the maximum.

[5] 2011 SSAE16.com, http://ssae16.com/SSAE16_overview.html

Type II: Reports on controls placed in operation and tests of operating effectiveness

A service auditor's report on a service organization's description of the controls that may be relevant to a user organization's internal controls, whether such controls were suitably designed to achieve specified control objectives, whether they had been placed in operation as of a specific date, and whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified. Such reports may be useful in providing the user auditor with an understanding of the controls necessary to plan the audit and may also provide the user auditor with a basis for reducing his or her assessments of control risk below the maximum.

Some common misconceptions about SSAE 16 reports the CAE should be aware of include:
1. All SOC reports contain the same control objectives. (Control objectives are defined specifically for the environment being attested.)
2. SOC reports are "forward-looking" documents.
3. Type I vs. Type II reports don't really make a difference to my audit planning. (Type I only covers control design effectiveness and is point in time. Type II covers control operating effectiveness for an opinion period.)
4. Exceptions are not reported. (Any exceptions to the controls are clearly identified in the test tables even if they do not rise to the level of a qualified report.)
5. Exceptions have no impact on my audit plan. (Further testing or compensating controls should be considered for exceptions.)
6. Since SOC reports are intended for external auditor-to-auditor communication, the report is not relevant to internal audit planning. (Using, relying on, or further testing the controls covered in the SOC report should be discussed at planning.)
7. As a professional courtesy, a copy of the SOC opinion need only be referenced in the audit planning file. (A thorough understanding of the scope, coverage, nature, timing, and extent of testing within an SSAE 16 engagement is essential.)

The CAE of an organization that utilizes third-party service providers should consider adopting the following practices when evaluating the impact of SSAE 16 engagements on the organization and the audit plan:
• Obtain all relevant SSAE 16 SOC reports.
• Determine the exact nature of the environment in scope for the report, as large service providers can potentially have many reports.
• Understand "carve-outs" of environments, as the standard allows service providers to exclude areas or parts of the environment from the scope of work and the resulting audit opinion.
• Review the independent service auditor's opinion type (qualified/unqualified).
• Review the date of the report(s) and period(s) covered.
• Determine whether the report is a Type I or Type II.
• If the SSAE 16 report is older than six months, a more current report should be requested. If a more current report is not yet available, then management and the CAE should consider the need to perform other audit procedures to obtain comfort over the controls at the service provider or request a letter from the service provider to bridge the interim.
• Document the comfort level with the SOC report and the impact to the organization and the CAE's audit plans.
• Determine if control risk will be assessed as low, moderate, or high.
• Gain an understanding of, and test, the user control considerations defined in the report.

Payment Card Industry — Data Security Standard (PCI-DSS)

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of 12 technical and operational requirements established by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process, or transmit cardholder data. The PCI SSC also provides guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard, and VISA, Inc.

The PCI-DSS Security Audit Procedures (SAPs) contain more than 230 comprehensive requirements. The auditing responsibility is distributed between merchants, qualified security assessors (QSAs), approved scanning vendors (ASVs), and acquirers. The PCI SSC allows two acceptable forms of auditing of the requirements: by either a qualified security assessor (QSA) or an internal security assessor (ISA).

QSA companies are organizations that have been qualified by the PCI SSC to perform detailed SAP assessments and reports on compliance on behalf of the merchant. The primary reasons merchants may select a QSA rather than performing the assessment internally may include transaction volume, breadth of industry knowledge, depth of technical expertise, and an independent view of the environment. Other reasons merchants may not use internal resources may include lack of technical competence, lack of resources, and a preference to focus resources on more strategic efforts rather than compliance efforts.

ISA is a certification required for organizations performing internal assessments with their internal audit staff, beginning in 2011.
The purpose of the ISA certification is to ensure internal auditors are provided the same training as QSAs to improve the quality, consistency, and competency of the assessments.

Penetration Tests and Network Vulnerability Management

Organizations continue to be impacted by malicious breaches resulting in compromised credit card information, social security numbers, medical information, and other loss of internal and external customer information at the hands of hacker attacks. Key to proactively combating these attacks within an organization is ensuring a strong program for penetration tests and vulnerability assessments.

Penetration testing, sometimes called "ethical hacking," mimics the role of a hacker to deliberately attempt to break into the network infrastructure to determine vulnerabilities of key components of the company infrastructure that could lead to a compromise of critical/sensitive information. The penetration test should stop short of actually negatively impacting the environment.

Penetration tests are not only an imperative practice for a strong information security program, but are required to comply with several regulations and requirements. For example, PCI-DSS requires third-party penetration tests to be performed annually. Some organizations require annual penetration testing as a key IT general control to meet the requirements of the U.S. Sarbanes-Oxley Act of 2002. External penetration testing provides organizations the opportunity to have an independent third party determine the risks (or weak links) in their network and systems.

Vulnerability management is the set of processes and technologies that an organization employs to identify, assess, and remediate IT vulnerabilities — weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk. One of the most common attack vectors today is via weak or insecure web application programs.
Hackers exploit such web application weaknesses to gain access into the unsuspecting organization's network and systems environment. Awareness and secure coding training are crucial to mitigating this risk. All programmers, especially web application developers, should be properly trained in secure coding techniques.

Penetration tests and vulnerability assessments could potentially disrupt an organization. Therefore, organizations should decide how much testing is adequate, weighing the potential of "breaking" or disrupting a component of the infrastructure. A strong program of penetration testing and vulnerability management is imperative for an organization to mitigate internal and external threats.

In conclusion, services offered by external assurance providers can be leveraged to provide broader coverage of the organization's key risks when carefully considered beforehand to be relevant to the enterprise. As outlined in the first principle, "purpose," both external and internal assurance providers are committed to reliance and their work is relevant to the objective of internal audit, whether operational, regulatory, or financial reporting. It is vital to communicate expectations, objectives, and responsibilities to the other assurance provider regarding the portion of their work that will be relied upon.

Appendix B: Guide for Internal Auditors to Assess the Reliability of Other Assurance Providers

The following is a sample audit guide for internal audit to assess the reliability of another internal assurance provider. These procedures should help the auditor evaluate the extent to which the assurance provider meets the principles for reliance described in section two of this practice guide.
In evaluating the competency and objectivity of the assurance provider, the assessment process is organized around four major areas:

Governance and Objectives — A charter or objective statement provides authority and scope of assurance activities and establishes intent for internal audit to rely on the work product of the assurance provider. Adequate staff is in place (numbers and competency) and objectivity is provided for.

Risk Assessment and Planning — Assurance activities are guided by appropriate policies and procedures and should include audit plans that incorporate an assessment of risk.

Assurance Execution — The assurance provider has a demonstrated performance history of delivering to the established objectives and producing competent and reliable results. Documentation should be maintained as evidence of performance to relevant professional standards.

Reporting and Follow-up — The results of assurance activities are reported to an appropriate level of management and issues are tracked until they are mitigated.

The characteristics to assess, and the verification procedures or method of demonstrating each, are as follows.

Characteristic: Charter
Verification procedures or method of demonstrating:
1. Does the assurance provider have a written charter that includes the following elements: mission and scope of work, accountability, roles and responsibilities, and authority?
2. Is the charter published, easily accessible, and communicated to all applicable staff?
3. Is the charter periodically reviewed and updated in accordance with the changing risk environment and approved by an appropriate leadership level?

Characteristic: Written policies and procedures
Verification procedures or method of demonstrating:
Does the assurance provider maintain documented policies and procedures that include the following:
1. Procedures to identify, document, and evaluate the relevant risks and their associated controls.
2. Risk-based procedures to evaluate the effectiveness of internal controls.
3. Procedures to document internal control monitoring and testing procedures, including supervisory review.
4. Procedures to report on the effectiveness of internal control to appropriate management.
5. Procedures to monitor and report actions to remediate control weaknesses.

Characteristic: Personnel performing assurance activities have appropriate skill and objectivity
Verification procedures or method of demonstrating:
1. Obtain staff bios and look for appropriate background, experience, and education to perform audit activities. Evidence may include formal education, direct experience, professional certifications, and relevant training courses.
2. Review and evaluate the assurance provider's functions and responsibilities beyond their review activities and ensure that these tasks do not impair their independence.
3. Evaluate the management supervision process of staff and determine if there is appropriate oversight to ensure the quality of work.

Characteristic: Performance measurements
Verification procedures or method of demonstrating:
1. Does the assurance provider measure its own performance? This could include use of a balanced scorecard, surveys of key stakeholders, etc.
2. Identify key stakeholders of the assurance provider's assurance activity and interview them to understand their view of the value being provided, the areas of focus, quality, and timeliness of reporting, etc.

Characteristic: Defined assurance universe
Verification procedures or method of demonstrating:
1. How has the assurance universe been defined? Determine the appropriateness of the size and number of the entities making up the audit universe (e.g., too detailed or general, too many or too few, logical division, etc.).

Characteristic: Risk assessment
Verification procedures or method of demonstrating:
1. Review the risk assessment process. Understand the key risk components considered. Evaluate if these are reasonable.

Characteristic: Documentation
Verification procedures or method of demonstrating:
1. Are work programs documented to achieve engagement objectives? These should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement.
2. Is the work performed documented? Review the workpapers and assess whether they are sufficient, relevant, and reliable in meeting IIA standards.
3. Assess whether it is feasible for a third party to re-perform the work based on the audit workpapers.
4. Are appropriate samples selected for the controls tested?
5. Are issues or findings adequately documented, with root cause clearly identified?
6. Is there evidence of an appropriate review and approval of assurance work?
7. Are workpapers appropriately secured and retained according to company record retention requirements?

Characteristic: IT considerations
Verification procedures or method of demonstrating:
1. Review for evidence of appropriate use of technology in assurance activities, e.g., use of analytical review techniques, computer-aided audit tools (CAATs), etc.
2. Are IT risks and controls adequately considered and addressed in the assurance/audit activities?

Characteristic: Reporting
Verification procedures or method of demonstrating:
1. Are the results of assurance activities formally reported? Select a sample of assurance reviews completed in the past 12 months and review for the following:
- Are they documented and presented in a standard format?
- Are they provided to an appropriate distribution of leadership?
- Are findings presented in a reasonable time following the review activities?
- Are issues and recommendations clearly presented and rated according to assurance provider procedures?
2. Do findings include the elements of effective issues (the 5 C's: criteria, condition, cause, consequence, corrective action)?
3. Do all issues have an appropriate owner identified?

Characteristic: Issues are identified and tracked
Verification procedures or method of demonstrating:
1. Is there a process to monitor issues and the status of corrective actions? Is status regularly reported to appropriate leadership?
2. Is there a process to validate corrective actions taken in response to audit issues?

Glossary

The American Institute of Certified Public Accountants (AICPA) — the voice of the accounting profession since 1887.
The AICPA prides itself on serving the certified public accounting (CPA) profession and the public interest to which it is profoundly committed. AICPA members work in all sectors of the business and financial services profession, including public accounting, financial planning, tax, business and industry, law, consulting, education, and government. http://www.aicpa.org/About/Pages/About.aspx

Assessment — the act of assessing; appraisal; evaluation.

Auditing Standard No. 5 (AS No. 5): An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements — issued by the PCAOB. AS No. 5 became effective for audits of fiscal years ending on or after Nov. 15, 2007, and replaced the PCAOB's previous ICFR standard, AS No. 2. The PCAOB's 2009 report on the first years under AS No. 5 was based on PCAOB inspections that examined portions of approximately 250 audits of internal control over financial reporting (ICFR) by the eight largest domestic registered firms in 2007 and 2008. http://pcaobus.org/News/Releases/Pages/09242009_AS5_Report.aspx

Board — A board is an organization's governing body, such as the board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.

Chief Audit Executive (CAE) — describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). The CAE or others reporting to the CAE will have appropriate professional certifications and qualifications. The specific job title of the CAE may vary across organizations.
https://www.globaliia.org/standards-guidance/mandatory-guidance/Pages/Standards-Glossary.aspx

The Canadian Institute of Chartered Accountants (CICA) — represents Canada's chartered accountants (CA) profession both nationally and internationally. CAs are Canada's internationally recognized profession of leaders in senior management, advisory, financial, tax, and assurance roles. http://www.cica.ca/about-the-profession/cica/index.aspx

Compliance Community Member — an individual or group with responsibility for developing, administering, and monitoring internal programs to ensure compliance with applicable federal and state laws and regulations. Alternate titles: compliance manager, risk and compliance officer.

Continuous Auditing — a method used to perform control and risk assessments automatically on a more frequent basis. Technology is key to enabling a continuous auditing approach. Traditionally, internal audit's testing of controls has been performed on a retrospective and cyclical basis, often many months after business activities have occurred. The testing procedures have often been based on a sampling approach and included activities such as reviews of policies, procedures, approvals, and reconciliations. Today, however, it is recognized that this approach affords internal auditors only a narrow scope of evaluation, and is often too late to be of real value to business performance or regulatory compliance. See GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.

Continuous Monitoring — encompasses the processes that management puts in place to be sure that the policies, procedures, and business processes are operating effectively. It addresses management's responsibility to assess the adequacy and effectiveness of controls.
This involves identifying the control objectives and assurance assertions and establishing automated tests to highlight activities and transactions that fail to comply. See GTAG 3.

Co-sourcing — Many CAEs must confront the possibility of outsourcing some of their work to ensure everything with which they are tasked is completed in a timely and competent manner. Co-sourcing presents a CAE with a broad range of outside capabilities to supplement in-house talent.

Chartered Accountant (CA) — professional member of a country's Institute of Chartered Accountants. He or she must work (and be trained) in the office of a practicing chartered accountant for three years, and pass exhaustive written tests to qualify. On completing the requirements, the trainee is awarded the Associate of the Institute of Chartered Accountants (ACA). http://www.businessdictionary.com/definition/chartered-accountant-CA.html

Certified Public Accountant (CPA) — a statutory title of qualified accountants in the United States for one who has passed the Uniform CPA Examination (developed by the AICPA) and been licensed by a state board of accountancy.

AICPA Board of Examiners (BOE) — a senior committee of the AICPA that sets policy for the Uniform CPA Examination in accordance with legal and psychometric standards as they apply to licensure examinations. Members of the BOE are CPA volunteers from every segment of the profession (public accounting, business and industry, and the academic community), the majority of whom currently also have regulatory (state board) experience. http://www.aicpa.org/BECOMEACPA/CPAEXAM/EXAMOVERVIEW/GOVERNANCE/Pages/default.aspx

Internal Security Assessor (ISA) — a certification program offered by the Payment Card Industry Security Standards Council (PCI SSC), an international organization that manages the Payment Card Industry Data Security Standard (PCI-DSS). ISA is designed to help companies comply with the Council's continually evolving rules and regulations.
The ISA program offers training to merchants, banks, and processors. This certification program trains select individuals on the basics of implementing an ongoing security discipline, and works to remove the "check the box" mentality that can sometimes arise with compliance programs. ISA program benefits include: an opportunity for internal auditors to learn the same techniques taught to QSAs; the chance for merchants to verify their internal staff have a common understanding of the PCI-DSS requirements; the ability for merchants to hear the intent of the requirements directly from the Council; and a potential reduction in compliance costs by teaching ISAs to develop security strategies before and beyond the annual PCI-DSS validation. http://www.scmagazineus.com/how-you-are-changing-the-pci-standards-in-2010/article/170374/

International Organization of Supreme Audit Institutions (INTOSAI) — a worldwide affiliation of governmental entities. Its members are the Chief Financial Controller/Comptroller General offices of nations.

International Standard on Assurance Engagements (ISAE) 3402 — deals with assurance engagements undertaken by a professional accountant in public practice to provide a report for user entities and their auditors on the controls at a service organization. The service is likely to be relevant to user entities' internal control as it relates to financial reporting. http://web.ifac.org/download/b014-2010-iaasb-handbook-isae-3402.pdf

Information technology — Security techniques — Code of practice for information security management (ISO/IEC 27002:2005) — an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), originally as ISO/IEC 17799:2000.
ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMS). The 2005 standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of British Standard (BS) 7799-1:1999.

Key Performance Indicators (KPIs) — KPIs are important measures of a business's performance and progress toward goals (dictionary.com). They are metrics related to critical success factors.

Key Risk Indicator (KRI) — a measure used in management to indicate how risky an activity is. According to The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Guidance on Monitoring Internal Control Systems, key risk indicators are forward-looking metrics that seek to identify potential problems, thus enabling an organization to take timely action, if necessary. Reprinted with permission from COSO, copyright 2004-2011. COSO. All rights reserved.

Macro Assurance — pervasive themes can be highlighted by comparing and trending common issues raised by the compliance community. Principle-based assessments performed by other assurance providers are planned in sequence with internal audit engagements to provide an overarching macro-opinion across multiple entities or processes.

Other Assurance Provider (internal/external facing) — Internal Other Assurance Providers are evaluators who report to management and/or are part of management (management assurance), including individuals who perform control self-assessments, quality auditors, environmental auditors, and other management-designated assurance personnel. External Other Assurance Providers are evaluators who report to external stakeholders (external audit assurance), a role traditionally fulfilled by the independent/statutory auditor.

U.S. Public Company Accounting Oversight Board (PCAOB) — a nonprofit corporation established by the U.S. Congress in 2002 to oversee the audits of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports. The PCAOB also oversees the audits of broker-dealer compliance reports under federal securities laws. http://pcaobus.org/Pages/default.aspx

Payment Card Industry Data Security Standard (PCI-DSS) — created by the leading payment card brands to ensure cardholder data is safeguarded.

Payment Card Industry Security Standards Council (PCI SSC) — offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI-DSS, which provides an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents. https://www.pcisecuritystandards.org/security_standards/index.php

Penetration Testing — a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerability that could result from poor or improper system configuration, from known and unknown hardware or software flaws, or from operational weaknesses in process or technical countermeasures. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if one is discovered.
Qualified Security Assessor (QSA) — The Payment Card Industry (PCI) QSA designation is conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of a QSA company approved by the Council, and will be performing PCI compliance assessments as they relate to the protection of cardholder data. The term QSA may also be used to identify an individual qualified to perform PCI compliance auditing and consulting. The primary goal of an individual with the PCI QSA certification is to perform an assessment of a firm that handles cardholder data against the control objectives and requirements of the PCI Data Security Standard (PCI-DSS).

Reliance — confident or trustful dependence (dictionary.com).

Statement on Auditing Standards No. 70 (SAS 70) — SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) under which a service auditor reports on the controls at a service organization, such as a data center that hosts or processes data for its customers. SAS 70 is not a certificate, but an auditor's opinion on the nature of those controls; its service auditor reporting guidance was superseded by SSAE 16 for periods ending on or after June 15, 2011. http://www.c7dc.com/articles/sas-70-faq.htm

Self-reported Issues — This practice empowers management to raise issues and track remediation to advance corrective action. Auditors gain comfort when management promptly addresses root causes related to the self-reported issues.

Service Provider — any company that provides the following services to another organization: executes and maintains accountability of transactions, records transactions and processes information, and impacts the client's financial reporting. Typical service companies include application service providers, claims processors, clearinghouses, credit processing companies, and data center hosting facilities.
http://www.c7dc.com/articles/sas-70-faq.htm

Statement on Standards for Attestation Engagements (SSAE) No. 16 — In April 2010 the AICPA Auditing Standards Board (ASB) issued SSAE 16, Reporting on Controls at a Service Organization. The SSAEs are also known as attestation standards. SSAE 16 applies when an entity outsources a business task or function to another entity (usually one that specializes in that task or function) and the data resulting from that task or function is incorporated in the outsourcer's financial statements. In SSAE 16 an entity that performs a specialized task or function for other entities is known as a service organization and an entity that outsources the task or function to a service organization is known as a user entity. http://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/SOC/DownloadableDocuments/QAs_Serv_Orgs_Apr_26_2010.pdf

User Entity (Client Organization) — an entity that outsources a business task or function to another entity (usually one that specializes in that task or function), where the data resulting from that task or function is incorporated in the outsourcer's financial statements. In SSAE 16 the entity performing the task or function is the service organization and the entity outsourcing it is the user entity. http://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/SOC/DownloadableDocuments/QAs_Serv_Orgs_Apr_26_2010.pdf

Vulnerability Management — the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

Authors:
Bradley C. Ames, CPA, CISA
Ken Askelson, CPA, CITP, CIA
Hussain T. Hasan, CISSP, CISM, CGEIT, PCI-QSA
David Strealy, CIA
David Williams, CISA

Reviewers and Contributors:
Gary E. Eymer, CIA
Carrie Gilstrap, CISA
Mark Harrison
Steve Hunt, CIA
Steve Jameson, CIA, CCSA, CFSA, CRMA
Donald E. Sparks, CIA, CISA
Steven Stein, CIA, PMP, CISA, CISSP, CFE, CGEIT

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA's IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at globaliia.org/standards-guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright 2011 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

GLOBAL HEADQUARTERS
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
+1-407-937-1111
+1-407-937-1101
W: www.theiia.org

OFFICE OF THE COUNTY CLERK
2002 AMENDMENT
The Charter of the County of Kauai

"Section 19.15. Fund Administration.

A. Deposit of Funds. Money received by officers and employees shall be deposited promptly to the county's account in depositories authorized by law.

B. Creation of Funds. In addition to the funds established by this charter, the mayor, with the approval of the council, may establish other funds when necessary and when no appropriate class of funds exists. Nothing in this section shall preclude the council from introducing and adopting other funds by ordinance.

C. Public Access, Open Space, Natural Resources Preservation Fund.

(1) In adopting each fiscal year's budget and capital program, the council shall appropriate a minimum of one-half of one percent of the certified real property tax revenues to a fund known as the public access, open space, natural resources preservation fund. The moneys in this fund shall be utilized for purchasing or otherwise acquiring lands or property entitlements —and the corresponding maintenance of those lands or property entitlements —for land conservation purposes in the county of Kauai for the following purposes: public outdoor recreation and education, including access to beaches and mountains; preservation of historic or culturally important land areas and sites; protection of significant habitats or ecosystems, including buffer zones; preserving forests, beaches, coastal areas and agricultural lands; protecting watershed lands to preserve water quality and water supply; conserving land in order to reduce erosion, floods, landslides, and runoff; improving disabled and public access to, and enjoyment of, public land, and open space; acquiring disabled and public access to public land, and open space.
(2) The moneys in this fund may also be used for the payment of interest, principal, and premium, if any, due with respect to bonds issued pursuant to Sections 3.13, 3.14, or 3.15, Charter, in whole or in part — for the purposes enumerated in paragraph (1) of this section and for the payment of costs associated with the purchase, redemption or refunding of such bonds.

(3) At any given time, no more than five percent (5%) of this fund shall be used for administrative expenses.

(4) Any balance remaining in this fund at the end of any fiscal year shall not lapse, but shall remain in the fund, accumulating from year to year. The moneys in this fund shall not be used for any purpose except those listed in this section. The Council shall by ordinance establish procedures for the administration and priorities for the expenditure of moneys in this fund."

"Section 19.08. Administration and Enforcement of the Annual Budget Ordinance.

A. The enactment of the annual budget ordinance shall constitute an appropriation of the sums specified therein for the purposes and from the funds indicated. Such appropriation shall be considered valid only for the fiscal year for which made, and any part of such appropriation which is not encumbered or expended shall lapse at the end of the fiscal year, except that appropriations to the fund established by paragraph C of section 19.15 shall not lapse, but shall remain in the fund, accumulating from year-to-year. Agencies authorized to make expenditures under the annual budget ordinance may proceed without other authority from the council to incur obligations or make expenditures for proper purposes to the extent that the moneys are available and as allotted.

B. Immediately following the enactment of the annual budget ordinance, the heads of all agencies shall submit to the director of finance schedules showing the expenditures anticipated for each quarter of the fiscal year.

C. The approval of an expenditure schedule by the mayor shall constitute a budgetary allotment which shall, unless a revision thereof is approved by the mayor, be binding upon such agencies and the director of finance shall approve or issue no requisition, purchase order, voucher or warrant that is not in accordance with such allotment.

D. The allotment herein provided may be altered at any time by the mayor. The mayor shall direct appropriate revisions in allotments to keep expenditures within the revenues received or anticipated.

E. Any part of an allotment which is not expended or encumbered shall be deemed re-allotted for the next allotment period.

F. The mayor may at any time transfer an unencumbered appropriation balance or portion thereof within a division or between divisions in the same department. Transfers between departments, boards or commissions shall be made only by the council by ordinance adopted pursuant to Section 19.07B, upon the recommendations of the mayor."

"Section 19.12. Lapse of Appropriations. Every appropriation shall lapse at the close of the fiscal year to the extent that it has not been expended or encumbered, except appropriations to the fund established by paragraph C of section 19.15 and appropriations for capital budget items where any portion of said appropriation has been expended."

These Amendments to Sections 19.15, 19.08, and 19.12 of The Charter of the County of Kauai were duly adopted by the voters at the November 2002 General Election.

Lihue, Hawaii
November 26, 2002

Peter A. Nakamura
County Clerk, County of Kauai

From: Felicia Alongi Cowden <akamaimom@gmail.com>
Sent: Tuesday, October 24, 2017 12:13 PM
To: Paula Morikami
Subject: Charter Amendment suggestions

Here are some suggested discussion directions that I feel are important for the Charter:

Aloha Paula,

Here were the examples of Charter Amendments I sent in my e-mail to Marissa that have never gotten any response in the past.
Article III: County Council Terms: Four council member terms to be four-year, full-time positions that do not allow for another job position. These are to be staggered by two member positions, every two years. (The council responsibilities are a full-time job at full-time pay. It is important for council members to be attending community and government meetings, as well as to be available for committed research and development of the legislative needs of the island, as well as time to sleep and spend with their families. This also eliminates the routine conflicts of interest with employers of the council. The other three positions could be two-year terms with part-time pay to allow the continuance of a talent pool that is either fresh to government or unwilling to release a passionate career. This will ensure there are at least two experienced council people in every term while allowing for a super-majority to be voted into office on every election. Having four council members without competitive employment creates a majority of un-compromised legislators in every term. The Council Chair would be required to be in a full-time position.)

Article VII on Administrator of boards and commissions: The application process shall be transparent where applications can be accepted on-line through the Kauai.gov website and all applications would be entered for public review. (This allows the county council and the people to see the talent that is being over-looked/denied for positions where more appropriate matches may be seen and the pool of possible talent is expanded.) Training for context on all boards needs to be implemented with a written outline of expectations, experience, and previous minutes, with a questionnaire to reveal their understanding, to be supplied to potential commission members before they are interviewed and confirmed. More of the commissions need to have Hoike Public Television coverage, certainly the Charter Review Commission.
Article XI role of Police Commission and Police Department: Broaden the control network regarding the police department which is a specialized para-militarized force and one of the largest single expenses on our island budget with a relatively non-violent population. Currently, the chair of the police commission is responsible for giving the police chief complaints about members of the police force. That is a critical bottle -neck that has proved problematic in the past, placing a tremendous amount of responsibility a volunteer against an armed force of people. The police are not accountable to the elected officials and the Chief of Police is responsible for everyone underneath. My suggestion is for the existing structure to remain the norm but to allow for a stronger process to be invoked when concern is raised either through petition or three or more, similar complaints; such that Investigations on complaints against officers, including the police chief, can be invoked if two or more of the following offices raise concern: Office of the Mayor, Prosecuting Attorney, County Council Resolution, Police Commission. Article XXXIII: Creation of a Farm Commission - A farm commission of a mix of large, conventional, and diversified farmers (preferably 9 commissioners) to moderate and regulate farming concerns working most directly with an Office of Economic Development staff member and a Planning Department staff member to guide appropriate farming methods and farmer housing issues. (Currently, we have contention from all the areas of farming that are brought before the council, planners, and administrators that do not hold the necessary focus to be able to manage the chaos that can occur when state and general county policy do not meet the needs of our changing agriculture systems. This is consistent with reaching our food sustainability goals. 
) These are suggestions I have given in the past (the farm commission is a new one) with no acknowledgement, encouragement or response. Respectfully, Felicia Cowden 652-4363 ( �n r, CFkCam-10 Q C_ R-n _0arx-1 VA
