Developing the internal audit strategic plan

6 June 2013
Martin Robinson, Chartered Institute of Internal Auditors
David Butler, Head of Internal Audit, Unum
James Paterson, Director, Risk and Assurance, Insights
Setting the scene – IIA guidance and
October 2012 benchmarking survey
Martin Robinson
Training Development Adviser,
Chartered Institute of Internal Auditors
Definition of strategy
Strategy is a means of establishing the
organisation’s purpose and determining the nature
of the contribution it intends to make while
predefining choices that will shape decisions and
actions. Strategy for the internal audit activity
enables the allocation of financial and human
resources to help achieve these objectives as
defined in the activity’s vision and mission
statements.
Steps to be used to develop the internal audit
strategic plan
Factors influencing the frequency of
reviewing the strategic plan
Performing a SWOT analysis
The key variables when developing a
sourcing model
Heads of internal audit benchmarking
report – Internal audit strategic plans
August/September 2012
Key issues
Developing an internal audit strategic plan
Some practical tips and experiences
IIA Heads of Audit Forum
June 2013
David Butler
Developing the internal audit strategic plan
TOPIC AREAS
• Introduction
• The importance of communication
  ● Understand the importance and reliance placed upon a modern Internal audit function through the stakeholders’ eyes
  ● Ensuring that you are receiving clear messaging from your stakeholders?
• Understand the complexity of the matrix management of dealing with diverse and increasing stakeholder expectations
• Elements of the strategic plan:
  ● What are the top priorities for the Internal audit function?
  ● Build an internal audit strategy that focuses on stakeholder raising expectations
IPPF Practice Guide – Developing the Internal Audit Strategic Plan
CRITICAL SUCCESS FACTORS
The Three P’s
Positioning – Is the internal audit activity strategically positioned and supported?
Processes – Are the internal audit activity’s processes enabling and dynamic in
meeting business needs?
People – Does the internal audit activity have the right people strategy to deliver its
mission?
Understand the importance and reliance placed upon a modern Internal audit function through the stakeholders’ eyes
THE FOUNDATION STONES
• Do you have a stakeholder map for Internal Audit?
• Are your team aware of the stakeholder needs or purely focussed upon delivery of the plan?
• Do you and your team understand the different needs of the varying stakeholders?
• What does Internal Audit deliver: is it assurance, or is it protection, as has been suggested by the recent UK IIA consultation document?
• How do we maintain credibility with each of these stakeholders – their needs seem to conflict at one level?
Unum UK Stakeholder Map and Offerings
2012 MODEL
Ensuring that you are receiving clear messaging from your stakeholders?
BALANCING YOUR STAKEHOLDERS
• Is there strong engagement between the Chief Auditor and the Audit Committee Chairman and Audit Committee generally?
• What role does Internal Audit play in your organisation with the regulator(s)?
• Who is responsible for defining and agreeing the Audit Plan?
• Are we forward looking or purely retrospective?
• Do the stakeholder requirements conflict – which areas are a priority for us to review?
• How is that changing or may change?
Understand the complexity of the matrix management of
dealing with diverse and increasing stakeholder expectations
CAN AND SHOULD WE ADDRESS ALL STAKEHOLDER REQUIREMENTS?
Audit function status and positioning?
ASSESSING THE CURRENT STATE
• What is the status of the Chief Auditor and the audit function?
  ● Organisationally
  ● By reputation
  ● Through engagement
• Are stakeholders:
  ● Advocates
  ● Neutral
  ● Negative
• What style of internal audit does your function deploy?
  ● Collaborative
  ● Adversarial
  ● Combination
• Does that style vary depending upon the maturity of the organisation?
What methods and techniques will enable you to improve engagement?
HOW PLUGGED IN IS INTERNAL AUDIT TO THE CORPORATE DNA?
• Is the Internal Audit function appropriately engaged with the business and direction of the business?
  ● Who in the IA function considers their role as stakeholder champions?
• What is the Internal Audit’s circle of influence?
  ● Board and Audit Committee
  ● Risk Committee
  ● Executive Committee
  ● Executive Risk Committee
  ● Senior management
  ● Regulator(s)
  ● Others?
What are the top priorities for the Internal audit function?
SCOPE AND IMPACT OF WORK
• Are there any audit no go areas?
  ● These can result from management resistance
  ● Lack of appropriate skills or resources
• Is audit engaged in evaluation of all processes?
  ● Strategy
  ● Major projects
  ● Mergers and acquisitions
  ● Financial reporting
  ● Operational areas
  ● Marketing and sales
  ● IT
• Are agreed management action plan promises delivered?
  ● Does anyone or everyone care?
Build an internal audit strategy that focuses on stakeholder raising expectations
RESPONSIVENESS OF PLAN
• What is the time horizon that Internal Audit operates to?
  ● 3 months
  ● Annual
  ● Two year
  ● Longer than two years
• What inputs do you have to help define and assess the areas in which audit will operate?
  ● Dynamic audit universe
  ● Mature risk management
  ● Trusted compliance and risk monitoring
  ● SOX or other assurance feeds
  ● Industrial networking and feeds of emerging issues
• Does your plan feel predictable or responsive?
Build an internal audit strategy that focuses on stakeholder raising expectations
DELIVERY ENABLERS
• How does the resource model refine and match the longer term needs of the function and the organisation?
• Is outsourcing or co-sourcing the answer to the resource squeeze?
• What skills does your function have available to it on a day to day basis?
  ● Qualified accountants / auditors
  ● IT capability
  ● Actuarial
  ● Marketing and sales
  ● Deep operational experience
• How strong are the information feeds within the organisation to Internal Audit?
Hierarchy of audit positioning documentation
OFFICIAL DOCUMENTATION
• Audit Committee Terms of Reference
• Internal Audit Charter
• Vision and Values Statement
• Mission Statement
• Strategic Plan
• Audit Manual
  ● Annual Plan
    o Technology and tools
    o Resourcing model
    o What’s in and what’s not
  ● Audit Engagements
But … it never stops …
Continuing evolution not revolution
CURRENT WORK IN PROGRESS
[Figure: Enterprise Audit 2013 workstreams: Relationship Management; People and Talent; Performance Management; Internal Communications; Internal Audit Process]
David Butler
david.butler@unum.co.uk
Tel : 0044 1306 874270
Contact via LinkedIn
Twitter @DJBAudit
Questions
Other Materials
Developing the Internal Audit Strategic Plan – July 2012 Guidance
http://www.iia.org.uk/media/56050/developing_the_internal_audit_strategic_plan.pdf
DEVELOPING THE INTERNAL AUDIT STRATEGIC PLAN – JULY 2012 GUIDANCE (EXTRACT)
The following steps can be used to develop the internal audit strategic plan:
1. Understand the relevant industry(ies) and the organization’s objectives.
2. Consider the International Professional Practices Framework (IPPF).
3. Understand stakeholder expectations.
4. Update the internal audit vision and mission.
5. Define the critical success factors.
6. Perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis.
7. Identify key initiatives.
ERNST AND YOUNG
Ernst and Young Survey
Develop a well aligned internal audit strategy
• http://www.ey.com/GL/en/Services/Advisory/The-future-of-internal-audit-is-now--Develop-a-well-aligned-internal-audit-strategy
• Unlocking the strategic value of Internal Audit - 2010
• http://www.ey.com/Publication/vwLUAssets/Unlocking_the_strategic_value_of_Internal_Audit/$FILE/Unlocking%20the%20strategic%20value%20of%20Internal%20Audit.pdf
CHARTERED INSTITUTE OF INTERNAL AUDITORS
Heads of Internal Audit Benchmarking Report
Internal Audit Strategic Plans
http://www.iia.org.uk/media/195007/2._benchmarking_report_internal_audit_strategic_planning_oct_2012_1_.pdf
“Because….”
Developing an audit strategy
Experiences in AZ and to date
What the future might hold..
James C Paterson
Director, Risk & Assurance Insights Ltd.
AZ experiences
Many customers, limited supply = problem
Latest research ~ Booz & Co - 2013
AZ Strategy – Mark 1 ingredients
Sources of value destruction
Audit Directors Roundtable
Key risks and IA plan
Auditing harder to audit areas
Improving skills mix
Benchmarking /EQA
AZ Strategy – Outputs
IA plan vs risks and assurances
IA development
[Figure: timeline 1980s, 1990s, 2000s, Today, with labels Governance & Risk; Operational controls; Compliance & IT controls; Financial controls. Developed from ADR idea.]
Strategy for what IA covers
                       Year 1   Year 2   Year 3   Year 4
Financial Controls       35       30       25       20
Compliance               35       35       30       25
Operational Controls     20       20       20       25
Strategic risks          10       15       25       30
TOTAL                   100      100      100      100
Setting out, in broad terms, the likely shape of the plan
IA planning ~ Lean / Assurance approach
[Figure: risk map plotting risks 1 to 12; risks 2, 4 and 5 are marked *]
Legend: 1 – SR, 2 – CR, 3 – SR, 4 – OR, 5 – FC, 6 – OR, 7 – OR, 8 – CR, 9 – OR, 10 – OR, 11 – OR, 12 – OR
IA Coverage (initial views) = Red
Who is looking at the other areas?
Capture Other Assurances +
[Figure: risk map of risks 1 to 12 (2, 4 and 5 marked *), with risks 3, 7 and 10 now marked +; legend as above]
Past coverage?
Where do you draw the line?
Do you have enough resource?
ADR ~ Common misconceptions
Thanks to the ADR
Skills & experience – before
[Figure: grid of team members by Experience (Minimal; 2-5 years; 5-10 years; 10+ years) and Potential (Highest; Senior Management; Middle management; Line management). Names shown: J Redmond, D Winter, E Godwin, F James, A Brown, C Jones, G Halliwell, H Smithers]
Skills & experience – new world?
[Figure: grid of team members by Experience (Minimal; 2-5 years; 5-10 years; 10+ years) and Potential (Highest; Senior Management; Middle management; Line management). Names shown: F Johnson, J Smith, G Heldon, E Goodwood, H Smythe, K Alwyn, C Jakes, D Wales, A Brown]
AZ Strategy – Mark 2 ingredients
GRC strategy
Compliance and responsible business scorecard
Assurance Mapping
Lean auditing
New Key Performance Indicators
Experience with clients..
Experience with clients.. over the past 3 years ..
• Lean auditing
  ● Kano techniques on IA customer and value add
  ● Speeding up delivery / streamlining reporting
  ● Better use of technology
• Clarifying IA role
  ● Anti-fraud etc.
  ● Creating a GRC strategy
  ● Continuous monitoring
  ● Educating management and the audit committee
• Budget / HC cuts
  ● Use of
  ● audit universe
  ● Overall opinion
….to counter challenges
Lean Internal Audit: Methodology on one page
[Figure: one-page lean audit methodology, with rows Review Phase, Process, Mandatory Steps, Framework and Time Line]
Assignment Planning: Scoping; Audit Remit
Fieldwork: Opening Meeting; Process Mapping & Key Control Testing
Reporting: Closing Meeting; Draft Report
Feedback & Monitoring: Final Report; Customer Survey; Learning Review & Personal Feedback
End of Fieldwork – Personal learning review
All work papers to be documented in XXX
End of assignment – Overall project learning review
IIA ~ 3 lines of defence in relation to effective risk
governance ~ 2013
3 lines of defense
Source: Berendsen
Accountability framework example
Global Level Accountability Framework
[Table: accountability matrix across the three lines of defence]
Column groups: 1st Line of Defence (Business Area Management); 2nd Line of Defence (Compliance Functions); 3rd Line of Defence (Assurance Providers)
Columns named on the slide: Company Secretary; General/Factory Manager; Division / Region; Function Heads; Specialist Compliance Functions; Group Legal & Compliance; Specialist Compliance Audit Functions; GIA; External Audit & Regulators
Key: R Responsible; A Accountable; S Support; C Consulted; O Oversight; I Informed; Iᴱ Informed (by exception)
Rows (cell values in slide order):
Ethical Culture (Control Environment)
1. Establish Roles & Responsibilities: A, R, R, C, C, O, I, C, Iᴱ
2. Determine Group Level policies*: A, S, S, R, C/R, O, I, C/I, Iᴱ
3. Communicate Policies*: A, R, R, C/S, C/S, O, S, I, Iᴱ
Delivery of procedures, training and action
4. Maintenance of detailed standards and processes: O, A, R, C/I, C/I, Iᴱ, I, I, Iᴱ
5. Training – development and delivery: O, A, R, C/S, C/S, I/C, I, I, -
Monitoring business as usual & Reporting issues upwards
6. Monitoring of activities: O, A, R, C, C, I/C, Iᴱ, I, -
7. Reporting issues or risks: O, A, R, I, I/C, I/C, I, I, Iᴱ
Improvement actions and investigations
8. Management of issues & Corrective Actions: O, A, R, CS, C/S, I, C/S, C/I, Iᴱ
9. Ethics Investigation & Disciplinary Action: C, A, R, S, O, C, A/C, I/C, Iᴱ
Audit & Assurance
10. Compliance Auditing: S, S, S, C, C/I, C/I, A/R, O/R, Iᴱ
Plan example ~ Fraud
We will carry out a high level framework
review at a selection of key sites and
support the implementation of CAATs
and fraud awareness within Finance and
Purchasing in key locations
Example ~ Planning
From | To
Based on processes | Greater risk focus
Largely Financial and compliance |
Informal discussions of value add | More explicit discussions of value add contribution
Little contribution to key risks | Greater contribution to key risks
Example ~ Planning
Essential to consider other lines of defense
From (Business) | From IA | To (Business) | To (IA)
Risk and process thinking not embedded | Process approach | More robust risk and control thinking | Greater risk focus
Finance and Compliance monitoring mixed | Largely Financial and compliance | Strengthen Finance and compliance monitoring | Less need for IA to look at these areas
Role and value add from IA not well understood | IIA responding to requests in an informal way | Deeper understanding of the unique role & contribution of IA | More explicit discussions of value add contribution
Culture of trust around key risk management but some surprises | Limited work on key risks | Greater assurance mindset around key risks to avoid surprises and disappointments | Greater contribution to key risks
Audit Universe – before
Where
•Processes
•Locations
•Departments
What
•Compliance
•Financial Controls
•Operational controls
•Business continuity
Audit Universe – developing
Where
•Processes
Projects
•Locations
3rd party providers
•Departments
Governance
What
•Compliance
•Financial Controls
•Operational controls
•Business continuity
Value for Money
Controls design
Data quality
Audit Universe – enhanced
Where
•Processes
•Locations
•Departments
•Systems
•Customer relations
•Government / regulator returns
•New markets
•Networks/Applications
Projects
3rd party providers
Governance
Sales force
Non Financial reporting
New business areas
Emerging risks
Other assurance functions
What
•Compliance
•Financial Controls
•Operational controls
•Business continuity
•Cost/control trade offs
•Crisis management
Value for Money
Controls design
Data quality
Accountabilities
Strategy implementation
Reputation management
An enhanced audit universe will often reveal coverage issues
IA effectiveness framework
Remit & scope
Strategy & Plan
Sponsorship
Supporting tools – IA & other
Intelligence & Knowledge management
Capability, expertise & influencing
Team/management culture / style
Resource management
Scorecard / tracking
Developed after a PwC idea
Independence
Future thoughts
IIA / FSA guidance
Use of Assurance mapping techniques
The future? ~ FSA / IIA guidance
Recommendations for IA coverage
• The design and operating effectiveness of governance structures and processes of the organisation
• The strategic and management information presented to the Board
• The setting of, and adherence to, risk appetite
• The risk and control culture of the organisation
• Risks of poor customer outcomes, giving rise to conduct or reputational risk
• Key Corporate Events
• Outcomes of processes
Conclusions
• IA strategy an invaluable tool – engaging stakeholders / Value add
• What you are doing / how you do this and with who
• IA role ~ 3 lines of defence typically very helpful
• Don’t shy away from sensitive topics – this may be the only way to get on the table:
  ● Plan coverage
  ● Staff skills
  ● Coverage / resources
  ● Common issues
  ● Benchmark / EQA
• Use this to flag wider GRC strategy
• Develop an assurance approach ~ share the assurance load
• Developing political savvy to influence key stakeholders in “must win” encounters
J Paterson: Publications / Citations
Topic | Publication | Month / Year
Internal Audit ~ New rock and roll | Accountancy Magazine, UK | January 2005
Forbidden Territory (auditing no go areas) | IA & BR UK | December 2006
Meeting the people challenge | IA & BR UK | February 2007
Garbage in, garbage out | Internal Auditor | June 2007
The power of priorisation | Audit Director Roundtable | December 2007
Getting the most from your IA function | ACCA e-bulletin | June 2008
Lighting up your blind spots | IA & BR Magazine UK | March 2010
Mixed Messages | Strategic Risk Magazine | March 2010
Know your business | Internal Auditor, US | June 2010
Help or hindrance? | Risk Management Professional | June 2010
A problem shared (Action Learning) | IA & BR Magazine UK | June 2010
Culture & behavior | IA & BR Magazine | March 2011
Assurance Mapping | CFO World | March 2011
Assurance Mapping | IA & BR Magazine UK | April 2011
Psychology of risk and audit | ACCA UK e-bulletin | June 2011
Lean Auditing | CIPFA Audit Viewpoint | August 2011
Lean Auditing | Audit & Risk W/S UK | September 2011
HIA career paths | Symmetry | November 2011
Boards and Risk | Risk Management Professional, UK | December 2011
Audit Planning | theiia.org/chapters/500 | December 2011
New year new plan | Audit & Risk Magazine, UK | January 2012
Risk assurance and assurance mapping | CIPFA Audit Committee up-date | February 2012
IA KPIs | IIA Denmark | April 2012
Coordinating assurance | Audit & Risk Magazine, UK | May 2012
Eight things you need to know as a new HIA | www.auditandrisk.org.uk | July 2012
Dear Audit Committee Chair | Linked In ~ CAE sub-group www.riskai.co.uk | September 2012
Lean Auditing | Internal Auditor, US | December 2012
Audit Committee Effectiveness | ACCA IA Newsletter | April 12
Assurance for the Audit Committee | ACCA IA Newsletter | June/July 12
These slides have been developed for the exclusive use of those attending the
HIAS workshop on 6/6/13 by James Paterson, Risk & Assurance Insights Ltd.
This presentation has been prepared solely for educational and illustrative
purposes. Whilst every effort has been made to ensure the factual accuracy of the
content herein, no representation or warranty is given as to its accuracy.
This presentation should not be relied upon as the basis for making any investment
or other decision and it is not claimed that any of the content or views contained
herein, whether expressly made or implied, represents the views of management.
The slides should not be reproduced or circulated further without permission from
James Paterson:
E-mail: jcp@riskai.co.uk
Web: www.riskai.co.uk
Phone: +44 7802 868914