Post on 22-Dec-2015
transcript
Seminar
Developing a robust internal audit plan
30 April 2014
Agenda
10.00-10.15 Welcome and introduction Martin Robinson, Training Development Adviser, IIA
10.15-10.50 What are current and leading and emerging practices for developing an Annual Audit Plan? Chris Spedding, Senior Manager, Ernst & Young
10.50-11.25 Mapping the business and risk fundamentals Alison Smith, Group Audit and Risk Management Director, Kingfisher Group
11.25-11.40 Coffee
11.40-12.15 Effective audit planning methodology and process Gordon Craig, Director Internal Audit, 3i Group Plc
12.15-12.50 Focusing on budget, time and monitoring issues Robert Tunstall, Head of Internal Audit, ED and F Man
12.50-13.50 Lunch
13.50-14.25 Populating the plan with staff skill requirements Matt Spano, Head of Internal Audit, Motability Operations
14.25-15.00 A current good practice example Scott Strachan, Global Head of Internal Audit, Aberdeen Asset Management
15.00-15.15 Coffee
15.15-15.30 IIA guidance and EQA experiences Martin Robinson
15.30-16.00 Workshop discussion Martin Robinson
16.00 Feedback and close
Seminar objectives
• Deliver an overview of the key issues involved in developing robust internal audit plans
• Learn about recent experiences from an excellent panel of speakers
• Provide an opportunity to share knowledge with other delegates.
Current, leading and emerging practices for developing an annual audit plan
Ernst & Young’s most recent Internal Audit Survey reported that 62% of internal audit functions believe their risk assessment and audit planning processes are in need of enhancement.
Constant challenge of audit planning
“Audit planning is about as tough as it gets for the internal auditor. Deciding which areas of the business make it to the plan, the resources required and the appropriate timing of audit work is a critical, yet complex task.”
“The primary driver for improvement of my function comes from my own Audit Committee, who constantly want our views on issues that concern them – and we simply have to respond speedily and reliably”.
Agenda
1. Challenges to effective audit planning
2. Defining the audit universe
3. Progressive risk assessment
4. Dynamic audit planning
5. Conclusions / questions
Context
The Internal Audit planning process has been largely unchanged for many years…
Audit Universe
Risk Assessment
Prioritisation
Selection and Sizing
Audit Plan Approval
Risk Parameters
Coverage Parameters
Required Audits
...with refinements to meet specific needs and improve sustainability and flexibility.
The impact of the business environment on the internal audit risk assessment
...will result in significant change to internal audit plans
Economic Factors
Regulatory environment
Technology and other change
Rapid change in risk profile
Changes in Risk appetite
Fundamental business model change
Changes to IA remit / approach
Significant change to universe and Internal Audit priorities
Changes in Risk Management
Changes to Business Models
► Major change programs to reshape the business and redefine the target operating model
► Increasing demand for ROE – profiles may change to achieve this
► Increased potential for mergers, acquisitions and expansion
► Affordability of reform and business change a major challenge with many competing priorities
► Constrained capital and liquidity availability
► De-globalization/deleveraging (withdrawing from markets and business lines)
► Movement toward a sustainable cost base and future position (reduced headcount, smaller bonus pools, new efficiency programs)
► Ever increasing importance of technology across the business model
Changes in Risk Management
► Continued improvements and changes in risk management approaches and structures
► Increased stakeholder pressure for more effective risk governance
► Definition and embedding of risk appetite is cornerstone in risk management processes but long way to go before truly embedded
► Quality of data and systems remain impediments to effective risk management
► Identification and mitigation of emerging risks
► Industry and regulator views that there is still a lot of work to be done
► CRO relevance:
– Increased enterprise wide influence
– End to end involvement in risk decisions
– Direct access to board or risk committees
Changing Regulatory Expectations
New regulatory standard in financial services
► July 2013 Chartered Institute of Internal Auditors “Guidance for internal audit in financial services”
► January 2013 Federal Reserve “Internal Audit and its outsourcing”
► 2012 Basel Committee “Internal Audit function in Banks”
Whilst focused on FS sector, the principles are applicable to all sectors
► Need for stronger mandate around protection against key risks
► Board level relevance and standing – “voice at the top table” crucial
► Expected to complete robust assessment of the second line of defense i.e. governance, risk management, compliance
► Responsive and flexible
► Implications for resourcing strategies
► Improve involvement, influence and impact
Defining the audit universe
Defining the audit universe
►What is the Purpose of the Audit Universe? Can these purposes be achieved in other ways?
►What is the optimum structure of the Audit Universe? Business decomposition, organisational unit, process or a matrix?
►What is an appropriate level of detail? How many items is common?
►How can an audit universe be properly maintained?
►How can business acceptance of the universe be achieved?
Defining the audit universe
The audit universe should be documented and reviewed periodically (recommended annually, or as significant organisational, financial, risk or product changes occur).
Federal Reserve, 2013-01
Internal Audit should have effective processes to identify all auditable entities within the auditable universe. The number of auditable entities will depend upon whether entities are captured at individual department or at other aggregated organisational levels.
Factors to consider can include:
Progressive risk assessment
►What is the purpose of the Risk Assessment? Is a standalone risk assessment required?
►To what extent can Internal Audit utilise other assessments made by other parts of the business?
►How can a risk assessment reflect the emerging needs?
►How can we best engage stakeholders with the risk assessment process?
►What weighting should internal audit apply to materiality, inherent risk and detect characteristics?
Progressive risk assessment
Internal Audit must analyse the key risks, mitigating governance, risk management and control. Risk assessments should be:
► Both qualitative and quantitative
► Informed by, but not reliant upon Executive and Risk management input
► Formally documented with written analysis/rationale to support assumptions
► Approved by the audit committee at least annually / upon material changes
Progressive risk assessment
Fully engaged with the organisation
Risk assessment and audit planning must involve real engagement with a range of stakeholders and inputs:
► Multiple layers of management (1st and 2nd lines of defence)
► NED (both Audit and Risk Committees)
► Regulators
► External bodies / co-source providers / peer networks
“Real engagement” facilitates input, commitment and buy-in
► Workshops
► 1-2-1 meetings and follow up sessions
► Surveys – internal and external
► Throughout the year, responsive to changes in stakeholders
Dynamic audit planning
Internal Audit planning considerations
Clarity of purpose and role
Shape of Audit Plan
Improved impact in reporting
Substantive outcomes
Utilisation of resources
Importance of independence
Appropriate audit response
The annual plan should be developed with the ultimate objectives of internal audit at its core. The plan must generate the overall outcome required of internal audit – high impact reporting and sustainable improvements in the organisation.
“Plan to Report”
The annual plan must be created with the “end goal” at its core
► Overall assessments (at least annually) of risk management, governance and control
► Embed assessments of governance, culture, risk management etc into every audit performed
► Clear assessment against key risks
► Prove or disprove hypotheses against each key risk
► Thematic issues - not just a consolidation of audit issues
► Critical / high risk issues raised
► Root cause analysis – action required of management to remediate the issues
► Clearly articulates management action required to bring issue back within risk appetite
Dynamic process for assessing and communicating audit needs
► Flexibility is key (3+9 / 6+6)
► Full re-performance of risk assessment is not always required – trigger events
► Continuous monitoring and engagement activities with pipelines of information constantly being assessed for audit planning implications
► Strong stakeholder engagement to inform changes, and be informed of them
► Change control over the audit plan (materiality of change)
Group Risk Strategy
Critical planning Inputs
Audit Needs Assessment
Challenge and review
Audit Plan
Reliability assessment
Completeness checks
Stakeholder key expectations / desired outcomes
Group Risk Appetite / Risk tolerances
Conclusions
Key Principles to apply
► “Plan to Report”
► Overall assessments of governance, risk management and control
► Mandate on
► Key risk centric – move away from multi-year cyclical plans and the concept of the rigid Annual Audit Plan
► Top-down analysis focused on business process to avoid unnecessary detail and address silo created risks
► Group materiality and significance based
► Strong engagement with all stakeholders. Input provided by stakeholder groups using specifically designed forums
► Knowledge acquisition, capture and deployment underpins the assessment
► Adoption and incorporation of group wide approaches (example risk assessment, control self assessments)
► Flexibility incorporated into the planning process by transforming it from a discrete (once or twice a year) activity to an on-going process
► Formal rationale for risk assessment and audit plan to the Audit Committee
Questions?
Ernst & Young LLP
Assurance | Tax | Transactions | Advisory
www.ey.com/uk
The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited.
Ernst & Young LLP, 1 More London Place, London SE1 2AF.
© Ernst & Young LLP 20112 Published in the UK. All rights reserved.
Developing a robust internal audit plan
Mapping the business and risk fundamentals
Alison Smith
Group Audit and Risk Management Director
Kingfisher plc
Today
• My brief
• Understanding your business and organisation
• Exploring business processes
• Effective use of your risk database/register
• How
• Internal Audit team
• Kingfisher plc – who we are, strategy
• Understanding the business, organisation and process
• Risk assessment process and the business planning process
• Audit planning process – how we demonstrate the link to strategy
• Effective use of the risk register and the business
• Challenges developing and maintaining the plan
Team Overview
• 65 in the team, based in 7 countries
• Each team covers store and corporate audit in the region
• IT is audited by a central team, UK based
• Audit work covers all areas – e.g. stores audits, customer complaints, stock, multi channel project, stores training, waste management
• Responsible for facilitating the risk assessment/identification process
• My Background
• Retail, logistics, manufacturing
• Europe’s largest home improvement retailer
• 1,120 stores
• We employ 78,000 people
• Six million customers shop in our stores every week
• Turnover £11bn+
• 10 operating companies in 9 countries
• B&Q – 360 stores, 21000 employees
• Brico Depot Romania – 15 stores, 1000 employees
Kingfisher plc
‘Creating the Leader’
1. Making it easier for customers to improve their home
2. Giving our customers more ways to shop
3. Building innovative common brands
4. Driving efficiency and effectiveness everywhere
5. Growing our presence in existing markets
6. Expanding in new and developing markets
7. Developing leaders and connecting people
8. Sustainability: becoming ‘Net Positive’
Easier
Common
Expand
One Team
Sales
Cost efficiencies
Gross margin
Understanding the business, process and organisation
• Business planning process
• Annually budget and reforecast
• 3 year planning process
• Addresses how we will achieve our strategic objectives and growth targets
• Risk Assessment process
• Internal Audit facilitate the risk assessment – formally updated twice a year.
• First Update
• Coincide this exercise with the 3 year plan exercise carried out by the management teams
• Update the risk assessment with Operating Company Boards and we review the 3 year plans
• Are the risks identified representative of the 3 year plan?
• Each risk is linked to a strategic objective or an operational area
Risk assessment matrix – linked to the strategic objectives
Occurrence (axis labels): Almost Certain, Highly Probable, Probable, Fairly Likely, Unlikely
Impact (axis labels): Manageable, Major, Critical, Catastrophic, Significant
1: Change Management (Easy)
2: Systems & supply chain (Easy)
3: Combined Purchasing (Common)
4: Like for like Growth (Expand)
5: Global Economy (Expand)
6: Agility & capability to expand overseas (Expand)
7: Investment in people (One Team)
8: Price competitiveness (Operational)
9: Supplier Resilience (Operational)
10: Health & Safety (Operational)
11: Ethics & Compliance (Operational)
Audit Planning
• Second Update to the risk assessment
• During the ‘annual’ audit planning exercise
• How we prepare the plan
• Review the results of the previous year’s work – grades, complexity, change
• Review the risk assessment – sometimes this only covers the risks which are ‘not well controlled’
• Strategic risks versus operational risk
• Gross versus net risk?
• Discuss with management
• Prepare the plan and discuss with management
• Present to the local Audit Committee for approval
• Link each audit to a strategic objective or an operational area
Do we make effective use of the risk register
• 80% of the Group risks relate to our strategic objectives
• At Operating Company level circa 50% relate to strategic areas, dependent on the Operating Company
• 37% of our work relates to our strategic objectives
• Do we have a risk based approach? Are we making effective use of the risks register?
Extending omnichannel capabilities across the Group
Best in class
Mass Rollout
Testing
Preparing
B&Q UK CP&C* rollout 2014; doubled products for home delivery in 2013
France & Turkey CP&C* trials 2014; Screwfix Germany trial
Mobilising in Poland, Russia, China & Spain incl. new & mobile friendly websites & home delivery
Screwfix CP&C* up 32% YOY; now 10% of total sales
* Click, Pay & Collect
Easier
Example of our Audit Approach
Controls
Complex control structures in place, mixture of electronic and manual
Systems
Bespoke legacy systems, difficult to change.
Change
High level of project activity to enhance the existing processes and systems and delivery on the strategy e.g. Multi channel, BI
Controls
Control structures not well developed. Heavy reliance on manual controls and some segregation of duties issues due to size.
Systems
Standard systems in place, complicated by manual/ paper processes in place alongside systems
Change
Business expansion and stabilisation of the business e.g. China
Controls
Simple control structures, more reliance on manual control
Systems
Standard systems in place, based on larger OpCo systems
Change
Change activity focussed on expanding the business, resulting in changes to existing infrastructure requirements e.g. Supply Chain (Casto Poland)
Audit Approach
The audits will focus on ensuring there is a strong financial and commercial control structure in place on which to take the business forward.
B&Q, Casto France
Screwfix
B&Q China
Russia, Spain, Romania
Casto Poland
Turkey, BD France
1 32
Audit Approach
Audit work to focus on the changes underway, more project audits undertaken. Some assurance work to ensure existing control level maintained.
Audit Approach
Assurance work to ensure existing control structures maintained. Some audit work on changes to existing processes being made to enable expansion.
What
How
Who
Questions?
IIA seminar
Developing a robust internal audit plan
30 April 2014
Gordon Craig
1. Introduction to 3i
IIA Seminar April, 2014
2. Agenda
Dynamic audit planning – what it means and why do it
Developing a rolling audit plan – approach and structure
Process and timing – adapting the plan and communicating changes
Final thoughts
3. Dynamic audit planning
What is it?
Dynamic = not static
‘Annual plan’ is a thing of the past
Requires regular changes – weekly, monthly, quarterly
Draws, systematically and regularly, on multiple feeders incl. stakeholders views, risk analysis, strategy, external developments
Why?
Audit Committees (should) expect it
Circumstances and priorities change - sometimes very quickly
Need to be ‘front of foot’ e.g. hot topics; themes
Forward looking vs. ‘rear view’
Optimise resource allocation
4. Developing a rolling audit plan
APPROACH
Identify the main drivers of your plan
Identify and ensure access to key sources of information
• Strategic review / update
• Board papers
• Committee papers e.g. Risk
• Attendance at meetings
• Investment & project proposals
• Project update reports / steer co. minutes
• Regular scheduled meetings with key stakeholders e.g. Audit Co Chair; CEO; FD
• Performance reports (e.g. monthly management accounts)
Strategy
Risk analysis
Change management
Stakeholders
Business performance
4. Developing a rolling audit plan cont.
Structure
Establish and agree a clear ‘cascade’ of priorities which fits your organisation
Populate quarter by quarter
Clear focus on the current quarter
Planning should be ‘thinner’ as you move further along the time horizon
Category
• Change management support & reviews
• Investigations and special projects
• Thematic reviews
• Process reviews
• Cyclical audits
• Ad hoc advice and support
5. Process and timing
Quarterly update
Should include:
• a review of current key group projects and planned audit approach
• review of longer-term cyclical audit planning, including a completeness check against historical audit coverage of operating units / key business processes
• review of audit coverage against the key risks and risk mitigation plans
• meetings with stakeholders to confirm priorities
Roll forward, and retain prior quarter plan for reference
Changes can and should be made between quarterly updates
A more in-depth review is recommended (e.g. annually aligned to the strategic review cycle)
5. Process and timing cont.
Communication
The quarterly rolling plan should be a ‘live’ document, communicated regularly e.g. in meetings; Committee updates etc
Recommend showing prior two quarters (combined), current quarter and next two quarters for context / reference
Audit Committee needs to understand the process, articulate its priorities and allow leeway to the head of audit to exercise judgement and flex the plan between Committee meetings
6. Final thoughts
Dynamic planning: requires and encourages greater engagement
involves regular judgement and is more professionally / intellectually challenging
delivers more transparent and efficient resource allocation
works in tandem with other key Group processes - e.g. strategic planning cycle; risk reviews - and, therefore, will feel more relevant
should not overlook the importance of routine, cyclical reviews, including areas of ‘lower’ risk
Internal Audit - Budgeting
April 30, 2014
Agenda
• Who are ED&F Man ?
• Internal Audit Department
• Developing a realistic budget
• Incorporating “non-audit” activities
• Monitoring and Reporting
• Common Pitfalls
• Any Questions
Who are ED & F Man ?
Established in 1783
Who are ED & F Man ?
Headquartered in London
3,700 people in around 60 countries
Internal Audit Team
• Internal Audit Team
• Head of Internal Audit
• Audit Manager
• Auditors
• Consultants
• Secondees
• Functional reporting line to the Chair of the Audit Committee.
• Administrative reporting line to the Group CFO.
Developing a realistic budget
• "Budget: a mathematical confirmation of your suspicions." - A.A. Latimer
• Why do we need a budget ?
Developing a realistic budget
•What are the IA deliverables ?
•Articulated in a Strategic / Tactical Plan
•Approval of the Plan
•How are you going to achieve the Plan – Need for a BUDGET
• People / Skillsets
• Consultants
• Ad-hoc
• Fraud
Developing a realistic budget
• Other Cost Drivers ?
• Who owns the budget ? Accountability ?
Developing a realistic budget
• Other Cost Drivers ?
• Travel – Air, Train, Car, Hotel, Subsistence (Policy!)
• Recruitment (Agencies, In-house)
• Training
• IT Hardware
• IT Software
• Subscriptions And Publications
• Outsourced services
• Corporate recharges / Overheads / Fixed Costs
Incorporating “non-audit” activities
• What are “non-audit” activities ?
• What percentage of time do they take ?
• How can they be factored into the budget ?
Monitoring and Reporting
• Cost Capture
• Cost Allocation
• Cost Reporting
• Cost Monitoring
• Forecasting
• Monthly Cycle
Monitoring and Reporting
No Surprises !
Monitoring month by month :
Monitoring and Reporting
No Surprises !
Monitoring year to date:
Monitoring and Reporting
Underspend and Overspend :
Communicated Timely ?
Approved ?
Forecast adjusted ?
Common Pitfalls
1. Planning based on last year’s budget.
Rushing through the planning process by tweaking last year’s budget instead of starting with this year’s goals and objectives.
Action : Clarify what internal audit objectives are for the coming year, and put in place a plan that supports those objectives. Focus investment where it makes sense in the coming year rather than spending in the same budget ‘buckets’ as last year.
Common Pitfalls
2. Descending into Spreadsheet Chaos !
Use of massive spreadsheets or workbooks with multiple tabs, unwieldy number of columns, macros and multiple versions. Only the person that created the spreadsheet can understand and navigate through the data.
Action : Adopt a disciplined approach with a spreadsheet that is from a single source (version control) and that is appropriately formatted with explanations in the spreadsheet.
Common Pitfalls
3. Planning the internal audit budget within the Finance framework
Issues can arise when finance assigns a couple of line items to internal audit. Lack of correlation between IA plan and the overall finance plan. Risk of mistakes being exposed and lack of credibility.
Action : Boost confidence with the Finance team by having a detailed budget that aligns to any summary numbers in the overall Finance budget. Evidence that IA are budget conscious and supports company’s objectives and goals.
Common Pitfalls
4. Hiding the Plan, restricting optimal decisions
Lack of visibility and execution makes even the best plan meaningless.
Action : Your IA plan needs to flow into the day-to-day execution of the internal audit function, including all activities granting relevant people visibility into their parts of the plan and budget.
Common Pitfalls
5. Ignorance of current spend
Lack of reliable data of amount spent in the current month and year-to-date.
Action : Obtain the granularity of data to be able to understand current expenditure versus budget.
Common Pitfalls
6. Lack of communication of plan and progress against the plan
Lack of grasp of budget by the various teams /groups within the internal audit function.
Action : Communicate plan to the entire team in order for all to execute the action items of the plan.
Common Pitfalls
7. Following the adage: “Never base your budget requests on realistic assumptions, as this could lead to a decrease in your funding.”
Excessive buffering and padding of the budget so as to minimize any questions or interference by Finance.
Action : Internal Audit need to be ethical, evidence sound judgment in behaviours and lead by example.
Any Questions ?
Populating the plan with employee skill requirements
30 April 2014
Matt Spano – Head of Audit – Motability Operations
Agenda
1. Introduction
2. Employee Skills Evaluation
3. Matching Audit Plan Requirements with Current Skills
4. Identifying skills deficiencies & the need for co-sourcing / outsourcing
5. Conclusions / Questions
Introduction
• MO is classified as a not-for-profit organisation, and is owned by the UK's four major banks - Barclays, HSBC, Lloyds and RBS.
• MO has over 600,000 customers and a turnover of around £3bn.
• MO accounts for >10% of new car purchases in the UK every year.
• MO resells >200,000 used cars to trade every year.
Introduction
• This presentation is based purely on how I manage my teams…..this will vary for you depending on the nature, structure and charter of your internal audit function as well as the type of organisation you work for.
• This presentation is merely common sense and could apply to any business function, not just internal audit…..it is about building and managing a team that is skilled to effectively do the job the organisation needs it to do.
• How many of your Internal Audit functions are:
• Outsourced?
• Co-sourced?
• Staffed completely with ‘internal auditors’.
• Use ‘non’ audit specialists from within your own organisations?
• Other?
Introduction
• Survey of Heads of Internal Audit on CIIA website (May 2010) highlights a broad range of qualifications and practical experience amongst internal auditors.
• Despite this, nearly 60% of all internal audit departments bring in additional resources to complete their internal audit plans. The key areas where additional skills are required were:
• Information Technology: 36%
• Taxation: 19%
• Finance: 15%
• Health and Safety: 11%
• Major Projects: 11%
• Business Continuity: 7%
• Telecoms: 5%
• Governance: 4%
• Third Party Activities: 2%
• Sources of additional resources:
• Purchased from specialist service providers: 30%
• Co-sourcing with third party: 30%
• Independent experts from within the business: 15%
• Secondment from a third party: 6%
• From other source: 6%
Employee Skills Evaluation
• How you do this is dependent on a number of factors...
• Size and scope of the Internal Audit team.
• Maturity of the control functions.
• Organisation size / Complexity and Geography.
• Stakeholder Expectations: Audit Committee / Board Members / Senior Management (to name but a few).
• At what stage should you evaluate the skills of internal audit?
• During recruitment.
• During employee lifetime.
• When people leave….(depending on team size).
• On-going during performance assessments / training and development / feedback from the business.
Matching Audit Plan requirements with current skills available
• Chicken and egg time……how do you develop a comprehensive audit plan if you don’t have the technical or cultural knowledge of a business to identify and understand its key risk areas?
• Whoever develops the audit plan needs sufficient skills to perform a robust risk assessment and build a comprehensive internal audit plan. This will involve utilising many people outside of the Internal Audit function.
• Assess the Audit team’s skills against an internal audit plan developed without any reference to what current technical skills it has – should never be tempted to ignore or downplay the risk in areas of the business you don’t fully understand.
• Develop basic scope documents for all audits identified on the audit plan / universe to enable a skills assessment to be undertaken.
• So…you have your audit plan…how do you match it to the current skills available?
• Skills Matrix: I include cultural / personality based skills as well as technical skills.
Employee Skills Evaluation : Example Skills Matrix
Internal Audit Function's Skills Matrix - 2012/2013
Name | Job Title | Years Experience | Scores
Joe Bloggs | Head of Audit | 4 | 2, 0, 0
Sheila Bloggs | Senior Internal Auditor | 7 | 3, 1, 3
Matt Blogs | Graduate Placement | 1 | 0, 0, 2
Everyone Blogs | Trainee Auditor | 0.5 | 1, 0, 1
Joanne Blogs | Secondment from Business Systems | 15 | 0, 3, 0
Overall Score: 6, 3, 6
Skills Gap:
Type of Gap:
n/a, KPS, n/a
Scoring Key:
0 = No experience or understanding
1 = Limited experience (or no recent experience)
2 = Good experience (knowledge and recent experience)
3 = Subject Matter Expert (skills equal or better than those within the business)
Skill headings: Emotional Control; Starter / Finisher; Actuarial Knowledge; Audit Plan Development; Risk Assessments; Team Management; IT Security Audits; Insurance Captive Expertise; Financial Accounting Expertise
• Belbin Team Roles - Identify behavioural strengths and weaknesses in the workplace.
• Strengthscope - Helps individuals and teams to understand their standout strengths.
Employee Skills Evaluation
Identifying skills deficiencies and plugging the gaps
• Review the results of your skills analysis to highlight any gaps.
• Perform an assessment of the gaps and identify any actions you wish to take.
• May choose not to action some of the gaps – accept the risk or provide partial assurance etc.
• Look at your own organisation first:
• Skill up your existing team?
• Recruit to fill any gaps?
• Use Secondments from the business?
• Graduates?
• Use of networks?
• Internal Specialists: language skills / cultural knowledge in specific geographical locations?
• Use of technology to fill gaps – especially in areas such as IT.
Identifying skills deficiencies and plugging the gaps
• What do your key stakeholders expect? Do they want the ‘badge’ of an outsourced provider to deliver assurance on a function / product that is new or evolving?
• Have to be sure a co-sourcer / outsourcer can do a better job than your internal resources – you can’t outsource this risk!
• Understanding a business’s culture has a lot to do with success.
• I have seen perfectly good audits from a co-sourcer rejected merely because of the way it is conducted or results presented (if they lack buy-in or lose credibility – regardless of validity of findings it will not be accepted by the business).
• Effectiveness reviews – Use these periodically to validate your approach to planning and the resources used to complete the plan.
• Feedback from the business – to assess whether you have demonstrated the right level of skill and understanding and come to appropriate conclusions.
• Benchmark data.
Summary
• Apply a common sense approach.
• The skills of internal audit must be tailored to the needs of the organisation.
• Use of skills matrix of some form.
• Utilise the skills within your own organisation – both in planning and skilling the internal audit function.
• Continuously evaluate the skills of internal audit.
• Think about ‘cultural’ skills as well as ‘technical’ skills.
• Can a co-sourcer / outsourcer do a better job than internal resources?
• Feedback, feedback, feedback!!!
For investment professional use only – Not for public distribution
Developing a robust internal audit plan
A current good practice example
April 2014
Scott Strachan, Global Head of Internal Audit
Aberdeen Asset Management
Goal
• To share how we conduct our planning process
• To share insights on:
– What we have developed
– Why we developed it so
– What we see as the key benefits and challenges
Introduction
Follow the KISS theory!
K – Keep
I – It
S – Simple
S – Stupid!
Best piece of advice!
And …
• Whilst there are pressures to make complex – regulation, stakeholder demand etc
• Dynamic and clear is always best!
• A singular functional and location view that fed a static audit plan
Planning – the ‘old’ method
Audit universe
Audit risk assessment
5 year (1 + 4) cyclical audit plan
Departments
Locations
• A process that incorporates input from multiple, ‘sophisticated’ information sources (leverage of the explosion of data required in FS!)
• Conducted continuously but formally once a quarter (co-ordinated with Audit Committee)
• Results in quarter’s plan (the 3) and a proposed plan coverage for the following three quarters (the +9)
Planning – the ‘new’ method
Audit universe
3 + 9 audit plan
Audit risk assessment
Risk mapping to multiple sources
Intervention type
Total Assurance sources
Sword
Operational processes
Departments
Multiple risk sources
Old New
Migration of assurance approach
Project
Continuous
Traditional
Traditional
Continuous
Project
• Risk ranking taking a holistic approach that includes culture, customer outcome, and fraud
• Residual scoring considers our view of the control structure and how much assurance is being provided by other groups (internal and external groups)
• MI used to show % inherent risk plan coverage and % residual risk coverage
The risk assessment
Coverage | Status and change from January | Description
Audit universe | 353 (-5%) | Revisions to the IT universe to simplify the structure and align it with standard industry practice
High residual risk/universe | 9% (-) |
High residual risk audit coverage | 81% (+7%) | Audit coverage activity levels have remained the same along with the consolidation of IT line items on the universe plus some risk rating decreases have led to a greater coverage of high rated areas
High inherent risk/universe | 15% (-1%) |
High inherent risk audit coverage | 85% (+9%) | Same dynamics as with the residual calculation
• Restrictions of the old method:
– It was administratively difficult to adjust to the constantly changing risk landscape
– Did little to keep the team engaged and focused on risk
– Cyclical planning resulted in low risk areas being covered at the expense of high risk ones – the emphasis was on that falsehood – total assurance!
– Actual work often bore no resemblance to what was previously planned and audit trail difficult to present
• Benefits of the new method:
– Allows greater flexibility in addressing developing and changing risks. Easy to implement and reflect change
– Keeps the team focused on continuously considering and assessing risk
– Allows directors and executive management to focus attention to the immediate body of work resulting in more robust oversight and challenge
– Allows for more real-time reaction to changing team needs (eg inter-regional secondments)
Old to new!
• Management concern over losing coverage
– Education and MI on the right risk coverage
– Closer interaction with management in forming the plan (COP) = easier to show them their requests have been incorporated
• ‘Perceived’ larger time commitment from the team
– Only on initial set up
– In aggregate the quarterly process leverages the repeated exposure to the process
• Change in the team’s thought process to a more risk based approach
– Suite of training, presentations, flowcharts and the use of an automated tool (TeamMate – not essential – disciplines easily replicated!) to guide and ensure appropriate thematic risk thinking
• Consistency in execution
– MI and a fundamentally more manageable plan size facilitates improved QA and top down management oversight and challenge
Challenges … and solutions!
• Gained synergies with team management processes to facilitate:
– Empowerment
– Development
– Progression
– Subject matter specialism
• Regulator/external review
– Demonstrate dynamic, risk based, regulatory themed, strategic objective linked planning
• Stakeholder buy in
– Continuous engagement with business
– Built in education piece
– Management are living within the changing risk environment and therefore appreciate/expect internal audit to be tuned in too!
Additional benefits … good practice?
IIA guidance and EQA experiences
Martin Robinson
Training Development Adviser, IIA
30 April 2014
My topic areas
• Overview of outcomes of recent EQA reviews carried out by the IIA and some laudable examples
• The IIA view of effective internal planning.
Outcomes from recent IIA EQA reviews – key issues
• Requirement for a clear link between the risks of an organisation and the internal audit plan
• Ensure that most important areas are included
• Consider impact and value
• Ensure that careful consideration is given to all change initiatives when building a plan, including projects, M&A and organisational restructure etc.
Cont’d…
• Review risk management processes and procedures either holistically or as part of each audit
• Consultancy work is good but need criteria for performing. Ensure adequate output and reporting. Consider value of each assignment
• Critical importance of talking regularly with your audit committee and executive/senior management on the focus of your plan and content
• Make sure your plan is fluid and dynamic and not ‘set in stone’.
Key issues – cont’d
The IIA view of effective internal audit planning
• Focus attention upon the risk management process; its design, application and reporting mechanisms.
• Build the audit plan around high priority risks, key areas of change and the assurance needs of stakeholders.
• Where possible, work with and rely upon other assurance providers.
The IIA view of effective internal audit planning
• Work with external providers of assurance in a co-sourced arrangement to fill skills and knowledge gaps.
• Consider the importance of routine processes and activities (audit universe) but keep this in tune with key business risks and developments.
• Make key choices, including what is not being done, transparent to key stakeholders to engage stakeholders in questions of risk appetite and the need for assurance.
Workshop discussion
Subjects for wider discussion
• What challenges do we face in developing risk based audit plans?
• What process do we use to ensure that there has been good engagement with all key auditees and/or stakeholders?
• How do we address skill and competency shortfalls?
Workshop discussion
• Do we have a robust prioritisation process?
• How do we “factor in” non audit work into our plans?
• How do we monitor the delivery of our audit plans?
Any questions?