Session 7: Internal Audit Planning

Presented by:
• Cathy Blunt, Griffith University
• Carol Brown, Deakin University
• Peter McGrath, University of Melbourne

Approaches to Audit Planning
Cathy Blunt, Manager Internal Audit, Griffith University
ANZUIAG 2010
Internal Audit Unit

Assurance & Operational Audit Planning
Step 1 – Update audit universe (organisation chart & processes)
Step 2 – Risk assess business units and processes
» Questionnaire based on risk & control factors
» Risk factors – materiality, organisational structure, complexity, IT systems, products/services, change, volume, performance gap, compliance, risk assessment results
» Control factors – environment, risk assessment results, control activities, monitoring, ITC
» Heat maps – risk factor by control effectiveness

Heat Map Example – Assurance & Operational Audits
[Figure: audit areas plotted on two axes, Impact of Risk Effect (Low to High) and Control Effectiveness (Low to High). Areas plotted: Disaster Recovery, Business Continuity, Eskitis Institute, Qld College of Art, Tendering, Payables, Receivable Losses, Insurance, Parking, Petty Cash, Asset Mgt, Capital Works Projects Mgt, Workplace Health & Safety, Corporate Credit Card, School of Medicine, Australian Rivers Institute, Travel Mgt.]

Assurance & Operational Audit Planning (cont)
Step 3 – Compare highest risk activities to the current strategic plan and immediate past plans
Step 4 – Develop first draft of strategic & annual audit plans & budget
Step 5 – Consult with senior management
Step 6 – Audit Committee endorsement & budget discussion
Step 7 – Vice Chancellor approval
Step 8 – Distribute approved plan to management

IT Audit Planning
Step 1 – Update audit universe (projects, applications, centres & processes)
Step 2 – Risk assess projects, applications & processes
» ISACA Procedure P1 – IS Risk Assessment Measurement
» Meetings with INS to discuss & risk rate activities, etc
» Update risk assessment spreadsheet with risk ratings and weighted risk factors
» Charts for each of the projects, applications, centres & processes

IT Audit Planning – Projects – 15 Factors
» Project Budget
» Transaction Volume
» Project Duration
» Character of Activity
» Resource Effort
» Executive Mgt Interest
» Fallback Arrangements
» Level of Change
» Complexity
» Project Mgt & Build
» Project Governance
» Impact on Financial Reporting
» Impact on Revenue
» Impact on Customers
» Ongoing Support Arrangements

IT Audit Planning – Applications – 9 Factors
» Effect of System Failure
» Replacement Cost
» Scope of System
» Age of Application
» Type of Build/Maintenance
» Prior Audit Findings
» Changes in Environment/Staff
» Size of Application
» System Interfaces

IT Audit Planning – Processes – 7 Factors
» Effect of Process Failure
» Process Impact/Scope
» Process Performance
» Process Documentation & Training
» Prior Audit Findings
» Age of Process
» Process Risk

IT Audit Planning – Data Centres – 8 Factors
» Number of Data Centre Staff
» Effect of Prolonged Outage
» Number of Applications
» Number of Users
» Prior Audit Findings
» Sophistication of Processing
» Changes in equipment, platform & staff
» Number of platforms

IT Audit Planning – Example Charts
[Figure: two bar charts, "Risk Ranked IT Processes" and "Risk Ranked IT Projects", each ranking items by risk score.]

Deakin University – Internal Audit Planning
Process Overview

Audit Universe

Audit and Risk Planning Meeting
Discuss the following:
• What Internal Audit has done up to this point.
• New audits / merged audits / removed audits in the Audit Universe.
• High residual risk audits not planned to be covered in the forthcoming year.
• Proposed draft Plan for the forthcoming year.
• Assurance map (high residual risks based on Risk Registers).
• ARC members' concerns or areas they would like some focus on.
Example of Audits Added/New
Master Ref Code: 200
Residual Risk: High
Area / Audit Title: IT Projects' Implementation Status "Health Checks"
Audit Objective: To review the status of selected IT projects to ascertain whether the project development and implementation objectives are being achieved and whether project risks are being addressed.
Comment: The objective of this review is to assess whether significant IT projects being implemented are meeting their development objectives and timelines during the implementation process, and whether the significant risks of the project are being addressed throughout the implementation. 2011 will focus on the Learning Management System, with possible other systems being CRM, DFMS Upgrade, Business Intelligence and Deakin at Your Doorstep, subject to progress on the project.

Draft IA Plan for Forthcoming Year – Draft 2011 Annual Internal Audit Plan
Columns: Master Ref Code; Area / Audit Title / Objective / Scope; Strategic Goal / Risk Ref; Last Reviewed; Resource; Residual Risk; Budget Days by Quarter (Qtr 1 to Qtr 4); Comment.
Key – Internal Audit assessment of residual risk rating: High residual risk; Medium residual risk.

Example row:
Master Ref Code: 181
Area: Chief Financial Officer – FBSD Financial and Business Services Division
Audit Title / Objective: Credit Card Transactions – To review credit card transactions by cardholders related to selected areas of the University.
Strategic Goal / Risk Ref: 9; FBS-1, FBS-28
Last Reviewed: 2010
Budget Days: 15 (Qtr 1: 7.5; Qtr 3: 7.5)
Comment: 2 areas per year are covered. This is a 100% transaction review for all cardholders within the nominated areas for a period of up to six months.

Assurance Map
This "Map" details the various assurance activities across the University for risks which have been rated high residual risk and above.
Columns: Area; Risk Code; Risk Title; Inherent Risk Rating; Residual Risk Rating; Assurance and Review Activities (Internal Audit, External Audit, Committee Oversight, Management Monitoring).
Key: Very High / High Level of Assurance; Medium Level of Assurance; Low Level of Assurance.

Example row:
Area: Faculty of Arts and Education
Risk Code: A&E-1
Risk Title: The failure to maintain and improve the Faculty's research may impact on reputation both nationally and internationally, which could lead to a detrimental effect on achieving the Faculty's Top Third research aspirations.
Inherent Risk Rating: High
Residual Risk Rating: High
Internal Audit (Audit Master Reference Code): RSD-101, UNI196, RSD-203

Master Audit Plan Submitted to ARC for Approval
• Master Audit Plan is submitted at the November ARC meeting for approval.
• Includes:
– Overview of planning methodology
– Overview on resources
– Draft Plan for forthcoming year
– Audit Universe
– Assurance Map

ANZUIAG 2010
Host: University of the Sunshine Coast, Queensland

(Session 7) Internal Audit Planning
(Balancing a risk based approach with core requirements and External Audit hopes.)
Peter McGrath, Director Internal Audit

Audit Planning – Core Requirements
1. Professional Obligations
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process." (1)
2. Stakeholder Expectations
Audit and Risk Committee, Senior Executive, Operational Managers, VAGO, IA Team.
(1) Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors Research Foundation, Florida USA, January 2009

Audit Planning
Understand key customer expectations, issues & concerns – how?
- Consult broadly – talk to them
Develop a good knowledge of:
- Key business objectives
- Risk Management framework and risk profiles
- Key risk mitigation strategies
- What's going on
Align audit strategy to customer expectations and risk profiles

Audit Planning – Gathering business intelligence – what's going on?
- Discussions
- Committee papers
- Plans and budgets
- Risk profiles and mitigation strategies
- Management initiated reviews
- Correspondence
- AG's management letter
- Media reports
- Rumours etc.

Main Areas of Audit Interest – 2011 Plan
[Figure: risk matrix plotting each numbered auditable area by Inherent Risk (1) against Control Risk Level (Low to High), with Residual Risk (2) indicated. Risk level labels: Insignificant, Minor, Moderate, Significant, Major, Severe; control level labels: Excellent, Adequate, Fair, Poor. (1) Risk registers; (2) Management assessment.]

No. – Auditable Area – Primary Risk
1 Capital Projects – Failure of project governance and management processes to deliver projects on time and on budget.
2 Training – Failure to provide an appropriate training framework and programs, increasing the risk of inappropriate staff behaviour, breach of compliance obligations, and exposure to litigation.
3 Research Management – Failure of processes to effectively and efficiently coordinate the University's research activity to meet strategic and compliance objectives.
4 Business Continuity – Failure of Emergency Response, Crisis Management and Business Continuity strategies to appropriately respond to a major event.
5 Budget Division Governance – Failure of management, processes and systems to meet corporate objectives and compliance obligations within the RDM environment.
6 Records Management – Failure to maintain corporate records to meet compliance and reporting obligations, and corporate memory.
7 Themis Renewal – Failure of the various related projects to deliver the promised business benefits.
8 ISIS (Student System) – Failure of ISIS to deliver the promised business benefits.
9 IT Security & DRP – Failure of IT systems.
10 Procurement and Cost Containment – Failure of procurement activity to be effectively and efficiently implemented, increasing the risk of wastage, fraud and non-achievement of cost containment targets.
11 P&CS Scheduling – Failure of systems to provide appropriate coordination of maintenance, minor works and construction activity and for meeting contractual reporting obligations.
12 Marketing & Communications – Failure of marketing and communications strategies to achieve key objectives.
13 Financial Assurance – Failure of financial systems to process transactions and enable accurate reporting.
Also listed: Failure to meet key compliance obligations.

Audit Planning – Audit Resource Management System (ARMS)
Audit universe prioritised based on five risk factors using a 1 – 5 score:
- Inherent risk
- Residual risk
- Materiality
- Prior audit results (assurance)
- Audit judgement (gut feel informed by business intelligence)
15% annual weighting
Time budget and recording
Report tracking

Audit Planning – Audit Assurance
With a devolved organisational structure, "assurance" is important.

Divisional Audit
Risk based
Performed at the Budget Division level
Analytical review of finance, HR and other systems data (profiling)
Review processes and controls for efficiency and effectiveness
Business objectives being met?
Where all the cultural issues play out – consultative approach

Audit Planning – Financial and Administrative Systems
Risk based
Confirm effectiveness and efficiency of key controls and processes: Finance, Purchasing Card, HR/Payroll, Students, Advance.
Information Technology (IT) Audit
Risk based
Database security controls reviews
IT general controls reviews
Pre- and post-implementation systems reviews
Computer security reviews

Audit Planning – Performance and System Reviews
Risk based
Focus on efficiency and effectiveness of what activities are performed and how
Confirm the overall focus of the operations is in line with the University's strategic and operational plans.

Other Audits
On request from management, perform performance/management audits, special investigations, or act in a consulting role.

Audit Planning – Audit Consulting (Knowledge Transfer / Engagement)
Greater opportunity to be proactive!
Where we need to move if we want to address cultural issues.
New audit paradigm:
- meet stakeholder expectations
- meet professional standards

Audit Planning – Audit Consulting (Knowledge Transfer / Engagement) cont
Challenges
How to better engage / partner with stakeholders / managers?
Manage people and their egos
Maintain the fine balance between being a colleague/consultant and a policeman
Remaining independent and objective
Not assuming management responsibility, but educating, cajoling and whatever else it may take to get managers and all staff to take responsibility to improve the effectiveness of risk management, control and governance processes.

Audit Planning – Audit Consulting (Knowledge Transfer / Engagement) cont
Mindset Shift
Leader & facilitator
Coach
Extrovert
Creative / innovative and energetic
Overriding caveat – independence

Audit Planning – Audit Consulting (Knowledge Transfer / Engagement) cont
Establish relationships
Get their attention
Appeal to their personal reputational risk
Face to face discussions
What are their issues?
How can audit add value for them?
Training / information deficits?
What do they need to do to achieve their goals and those of their department?

Audit Planning – Consulting (Knowledge Transfer / Engagement) cont
Planned Outcomes
Managers and staff better placed to perform their roles and meet their responsibilities
Proactively work with managers to address local issues
Take learning and apply it University wide
Communicate assurance to key stakeholders

Audit Planning – Summary – Operational Emphasis
Alignment of audit plan with stakeholder expectations and the University's strategic and operational risk profiles
Identify and incorporate key risks and the value-add proposition into each audit plan
Establishing a resourcing model which incorporates staffing flexibility: co-sourcing, agency staff, specialist expertise
Increased use of data extraction and manipulation for analysis to establish business profiles and areas of interest
Stakeholder engagement with emphasis on face to face interaction
Consulting, coaching and supporting
Stakeholder satisfaction

Audit Planning – Questions?

© Copyright The University of Melbourne 2009