Developing a robust internal audit plan

Seminar
Developing a robust internal audit plan
30 April 2014
Agenda
10.00-10.15
Welcome and introduction
Martin Robinson, Training Development Adviser, IIA
10.15-10.50
What are current, leading and emerging practices for developing an annual audit plan?
Chris Spedding, Senior Manager, Ernst & Young
10.50-11.25
Mapping the business and risk fundamentals
Alison Smith, Group Audit and Risk Management Director, Kingfisher Group
11.25-11.40
Coffee
11.40-12.15
Effective audit planning methodology and process
Gordon Craig, Director Internal Audit, 3i Group Plc
12.15-12.50
Focusing on budget, time and monitoring issues
Robert Tunstall, Head of Internal Audit, ED and F Man
12.50-13.50
Lunch
13.50-14.25
Populating the plan with staff skill requirements
Matt Spano, Head of Internal Audit, Motability Operations
14.25-15.00
A current good practice example
Scott Strachan, Global Head of Internal Audit, Aberdeen Asset Management
15.00-15.15
Coffee
15.15-15.30
IIA guidance and EQA experiences
Martin Robinson
15.30-16.00
Workshop discussion
Martin Robinson
16.00
Feedback and close
Seminar objectives
• Deliver an overview of the key issues involved in developing
robust internal audit plans
• Learn about recent experiences from an excellent panel of
speakers
• Provide an opportunity to share knowledge with other delegates.
Current, leading and emerging practices for developing an annual audit plan
Constant challenge of audit planning
Ernst & Young’s most recent Internal Audit Survey reported that 62% of internal
audit functions believe their risk assessment and audit planning processes are in
need of enhancement.
“Audit planning is about as tough
as it gets for the internal auditor.
Deciding which areas of the
business make it to the plan, the
resources required and the
appropriate timing of audit work is
a critical, yet complex task.”
“The primary driver for
improvement of my function comes
from my own Audit Committee, who
constantly want our views on
issues that concern them – and we
simply have to respond speedily
and reliably”.
Agenda
1. Challenges to effective audit planning
2. Defining the audit universe
3. Progressive risk assessment
4. Dynamic audit planning
5. Conclusions / questions
Context
The Internal Audit planning process has been largely unchanged for many years…
Audit Universe → Risk Assessment → Prioritisation → Selection and Sizing → Required Audits → Audit Plan Approval
(inputs to the prioritisation and sizing steps: Risk Parameters, Coverage Parameters)
...with refinements to meet specific needs and improve sustainability and flexibility.
The impact of the business environment on the internal audit risk assessment
Drivers of change:
► Economic factors
► Regulatory environment
► Fundamental business model change
► Rapid change in risk profile
► Technology and other change
► Changes in risk management
► Changes to IA remit / approach
► Changes in risk appetite
These produce significant change to the universe and Internal Audit priorities, which in turn will result in significant change to internal audit plans.
Changes to Business Models
► Major change programs to reshape the business and redefine the target operating model
► Increasing demand for ROE – profiles may change to achieve this
► Increased potential for mergers, acquisitions and expansion
► Affordability of reform and business change a major challenge with many competing priorities
► Constrained capital and liquidity availability
► De-globalization/deleveraging (withdrawing from markets and business lines)
► Movement toward a sustainable cost base and future position (reduced headcount, smaller bonus pools, new efficiency programs)
► Ever increasing importance of technology across the business model
Changes in Risk Management
► Continued improvements and changes in risk management approaches and structures
► Increased stakeholder pressure for more effective risk governance
► Definition and embedding of risk appetite is a cornerstone of risk management processes, but there is a long way to go before it is truly embedded
► Quality of data and systems remain impediments to effective risk management
► Identification and mitigation of emerging risks
► Industry and regulator views that there is still a lot of work to be done
► CRO relevance:
   Increased enterprise wide influence
   End to end involvement in risk decisions
   Direct access to board or risk committees
Changing Regulatory Expectations
New regulatory standards in financial services
► July 2013 Chartered Institute of Internal Auditors “Guidance for internal audit in financial services”
► January 2013 Federal Reserve “Internal Audit and its outsourcing”
► 2012 Basel Committee “Internal Audit function in Banks”
Whilst focused on the FS sector, the principles are applicable to all sectors
► Need for a stronger mandate around protection against key risks
► Board level relevance and standing – “voice at the top table” crucial
► Expected to complete a robust assessment of the second line of defence, i.e. governance, risk management, compliance
► Responsive and flexible
► Implications for resourcing strategies
► Improve involvement, influence and impact
Defining the audit universe
Defining the audit universe
► What is the purpose of the Audit Universe? Can these purposes be achieved in other ways?
► What is the optimum structure of the Audit Universe: business decomposition, organisational unit, process or a matrix?
► What is an appropriate level of detail? How many items is common?
► How can an audit universe be properly maintained?
► How can business acceptance of the universe be achieved?
Defining the audit universe
Internal Audit should have effective processes to identify all auditable entities
within the auditable universe. The number of auditable entities will depend
upon whether entities are captured at individual department or at other
aggregated organisational levels.
Factors to consider can include:
► Departments / functions / geographies
► Organisation charts
► Management listings
► General ledger
► Cost centres
► Major operating systems
► Major product lines
► Significant laws/regulation
► Key risks
► Other data points
The audit universe should be documented and reviewed periodically (recommended annually, or as significant organisational, financial, risk or product changes occur).
Source: Federal Reserve, 2013-01
Progressive risk assessment
Progressive risk assessment
► What is the purpose of the Risk Assessment? Is a standalone risk assessment required?
► To what extent can Internal Audit utilise other assessments made by other parts of the business?
► How can a risk assessment reflect the emerging needs?
► How can we best engage stakeholders with the risk assessment process?
► What weighting should internal audit apply to materiality, inherent risk and detect characteristics?
Progressive risk assessment
Internal Audit must analyse the key risks, mitigating governance, risk
management and control. Risk assessments should be:
► Both qualitative and quantitative
► Informed by, but not reliant upon Executive and Risk management input
► Formally documented with written analysis/rationale to support
assumptions
► Approved by the audit committee at least annually / upon material
changes
Internal factors
► Organisational strategies
► Thematic control / governance issues
► Changes to systems, processes or business model
► Risk appetite / tolerance levels
► Date of last audit
External factors
► Macro economic conditions
► Changing market conditions
► Changes to laws/regulation
► Competitor events / analysis
► Key vendor dependency
Progressive risk assessment
Fully engaged with the organisation
Risk assessment and audit planning must involve real engagement with a
range of stakeholders and inputs:
► Multiple layers of management (1st and 2nd lines of defence)
► NED (both Audit and Risk Committees)
► Regulators
► External bodies / co-source providers / peer networks
“Real engagement” facilitates input, commitment and buy-in
► Workshops
► 1-2-1 meetings and follow up sessions
► Surveys – internal and external
► Throughout the year, responsive to changes in stakeholders
Dynamic audit planning
Internal Audit planning considerations
The annual plan should be developed with the ultimate objectives of internal
audit at its core. The plan must generate the overall outcome required of
internal audit – high impact reporting and sustainable improvements in the
organisation.
Planning considerations:
► Clarity of purpose and role
► Substantive outcomes
► Importance of independence
► Shape of Audit Plan
► Utilisation of resources
► Appropriate audit response
► Improved impact in reporting
“Plan to Report”
The annual plan must be created with the “end goal” at its core
► Overall assessments (at least annually) of risk management, governance
and control
► Embed assessments of governance, culture, risk management etc into
every audit performed
► Clear assessment against key risks
► Prove or disprove hypotheses against each key risk
► Thematic issues - not just a consolidation of audit issues
► Critical / high risk issues raised
► Root cause analysis – action required of management to remediate the
issues
► Clearly articulates management action required to bring issue back within
risk appetite
Dynamic process for assessing and
communicating audit needs
Critical planning inputs (Group Risk Strategy; Stakeholder key expectations / desired outcomes; Group Risk Appetite / Risk tolerances) → Audit Needs Assessment → Audit Plan, with completeness checks, challenge and review, and a reliability assessment applied along the way.
► Flexibility is key (3+9 / 6+6)
► Full re-performance of risk assessment is not always required – trigger events
► Continuous monitoring and engagement activities with pipelines of information constantly being assessed for audit planning implications
► Strong stakeholder engagement to inform changes, and be informed of them
► Change control over the audit plan (materiality of change)
Conclusions
Key Principles to apply
► “Plan to Report”
► Overall assessments of governance, risk management and control
► Mandate on
► Key risk centric – move away from multi-year cyclical plans and the
concept of the rigid Annual Audit Plan
► Top-down analysis focused on business process to avoid unnecessary
detail and address silo created risks
► Group materiality and significance based
► Strong engagement with all stakeholders. Input provided by stakeholder
groups using specifically designed forums
► Knowledge acquisition, capture and deployment underpins the
assessment
► Adoption and incorporation of group wide approaches (example risk
assessment, control self assessments)
► Flexibility incorporated into the planning process by transforming it from a
discrete (once or twice a year) activity to an on-going process
► Formal rationale for risk assessment and audit plan to the Audit Committee
Questions?
Ernst & Young LLP
Assurance | Tax | Transactions | Advisory
www.ey.com/uk
The UK firm Ernst & Young LLP is a limited liability
partnership registered in England and Wales
with registered number OC300001 and is a member firm
of Ernst & Young Global Limited.
Ernst & Young LLP, 1 More London Place, London SE1 2AF.
© Ernst & Young LLP 20112 Published in the UK.
All rights reserved.
Developing a robust internal
audit plan
Mapping the business and risk
fundamentals
Alison Smith
Group Audit and Risk Management Director
Kingfisher plc
Today
• My brief
• Understanding your business and organisation
• Exploring business processes
• Effective use of your risk database/register
• How
  • Internal Audit team
  • Kingfisher plc – who we are, strategy
  • Understanding the business, organisation and process
  • Risk assessment process and the business planning process
  • Audit planning process – how we demonstrate the link to strategy
  • Effective use of the risk register and the business
  • Challenges developing and maintaining the plan
Team Overview
• 65 in the team, based in 7 countries
• Each team covers store and corporate audit in the region
• IT is audited by a central team, UK based
• Audit work covers all areas – e.g. stores audits, customer complaints,
stock, multi channel project, stores training, waste management
• Responsible for facilitating the risk assessment/identification process
• My Background
• Retail, logistics, manufacturing
Kingfisher plc
• Europe’s largest home improvement retailer
• 1,120 stores
• We employ 78,000 people
• Six million customers shop in our stores every week
• Turnover £11bn+
• 10 operating companies in 9 countries
• B&Q – 360 stores, 21000 employees
• Brico Depot Romania – 15 stores, 1000 employees
‘Creating the Leader’
(Strategy wheel: Easier, Common, Expand, One Team; outcomes Sales, Gross margin, Cost efficiencies)
1. Making it easier for customers to improve their home
2. Giving our customers more ways to shop
3. Building innovative common brands
4. Driving efficiency and effectiveness everywhere
5. Growing our presence in existing markets
6. Expanding in new and developing markets
7. Developing leaders and connecting people
8. Sustainability: becoming ‘Net Positive’
Understanding the business, process and organisation
• Business planning process
  • Annual budget and reforecast
  • 3 year planning process
  • Addresses how we will achieve our strategic objectives and growth targets
• Risk Assessment process
  • Internal Audit facilitate the risk assessment – formally updated twice a year.
  • First Update
    • Coincide this exercise with the 3 year plan exercise carried out by the management teams
    • Update the risk assessment with Operating Company Boards and we review the 3 year plans
    • Are the risks identified representative of the 3 year plan?
    • Each risk is linked to a strategic objective or an operational area
Risk assessment matrix – linked to the strategic objectives
(Heat map: occurrence on one axis – Unlikely, Fairly Likely, Probable, Highly Probable, Almost Certain; impact on the other – Manageable, Significant, Major, Critical, Catastrophic.)
Group risks plotted, each linked to a strategic objective or an operational area:
1: Change Management (Easy)
2: Systems & supply chain (Easy)
3: Combined Purchasing (Common)
4: Like for like Growth (Expand)
5: Global Economy (Expand)
6: Agility & capability to expand overseas (Expand)
7: Investment in people (One Team)
8: Price competitiveness (Operational)
9: Supplier Resilience (Operational)
10: Health & Safety (Operational)
11: Ethics & Compliance (Operational)
Audit Planning
• Second Update to the risk assessment
  • During the ‘annual’ audit planning exercise
• How we prepare the plan
  • Review the results of the previous year’s work – grades, complexity, change
  • Review the risk assessment – sometimes this only covers the risks which are ‘not well controlled’
  • Strategic risks versus operational risk
  • Gross versus net risk?
• Discuss with management
• Prepare the plan and discuss with management
• Present to the local Audit Committee for approval
• Link each audit to a strategic objective or an operational area
Do we make effective use of the risk register
• 80% of the Group risks relate to our strategic objectives
• At Operating Company level circa 50% relate to strategic areas, dependent on the Operating Company
• 37% of our work relates to our strategic objectives
• Do we have a risk based approach? Are we making effective use of the risk register?
(Chart: share of audit work by strategic objective – Easier, Common, Expand and One Team together 37%, in segments of 16%, 9%, 6% and 6%; Operations 63%.)
Example of our Audit Approach
Strategic objective (Easier): Extending omnichannel capabilities across the Group
• Screwfix Click, Pay & Collect up 32% YOY; now 10% of total sales
• B&Q UK Click, Pay & Collect rollout 2014; doubled products for home delivery in 2013
• France & Turkey Click, Pay & Collect trials 2014; Screwfix Germany trial
• Mobilising in Poland, Russia, China & Spain incl. new & mobile friendly websites & home delivery

Audit approach by business profile – What (controls, systems, change), How (audit approach), Who (operating companies)

B&Q China; Russia, Spain, Romania
• Controls: Control structures not well developed. Heavy reliance on manual controls and some segregation of duties issues due to size.
• Systems: Standard systems in place, complicated by manual/paper processes in place alongside systems.
• Change: Business expansion and stabilisation of the business e.g. China.
• Audit Approach: The audits will focus on ensuring there is a strong financial and commercial control structure in place on which to take the business forward.

Casto Poland
• Controls: Simple control structures, more reliance on manual control.
• Systems: Standard systems in place, based on larger OpCo systems.
• Change: Change activity focussed on expanding the business, resulting in changes to existing infrastructure requirements e.g. Supply Chain (Casto Poland).
• Audit Approach: Assurance work to ensure existing control structures maintained. Some audit work on changes to existing processes being made to enable expansion.

B&Q, Casto France, Turkey, BD France, Screwfix
• Controls: Complex control structures in place, mixture of electronic and manual.
• Systems: Bespoke legacy systems, difficult to change.
• Change: High level of project activity to enhance the existing processes and systems and delivery on the strategy e.g. Multi channel, BI.
• Audit Approach: Audit work to focus on the changes underway, more project audits undertaken. Some assurance work to ensure existing control level maintained.

Questions?
IIA seminar
Developing a robust internal audit plan
30 April 2014
Gordon Craig
1. Introduction to 3i
IIA Seminar
April, 2014
2. Agenda
 Dynamic audit planning – what it means and why do it
 Developing a rolling audit plan – approach and structure
 Process and timing – adapting the plan and communicating changes
 Final thoughts
3. Dynamic audit planning
What is it?
 Dynamic = not static
 ‘Annual plan’ is a thing of the past
 Requires regular changes – weekly, monthly, quarterly
 Draws, systematically and regularly, on multiple feeders incl. stakeholders
views, risk analysis, strategy, external developments
Why?
 Audit Committees (should) expect it
 Circumstances and priorities change - sometimes very quickly
 Need to be ‘front of foot’ e.g. hot topics; themes
 Forward looking vs. ‘rear view’
 Optimise resource allocation
4. Developing a rolling audit plan
APPROACH
 Identify the main drivers of your plan: Strategy; Business performance; Risk analysis; Change management; Stakeholders
 Identify and ensure access to key sources of information:
• Strategic review / update
• Board papers
• Committee papers e.g. Risk
• Attendance at meetings
• Investment & project proposals
• Project update reports / steer co. minutes
• Regular scheduled meetings with key stakeholders e.g. Audit Co Chair; CEO; FD
• Performance reports (e.g. monthly management accounts)
4. Developing a rolling audit plan cont.
Structure
 Establish and agree a clear ‘cascade’ of priorities which fits your organisation
 Populate quarter by quarter
 Clear focus on the current quarter
 Planning should be ‘thinner’ as you move further along the time horizon
Category
• Change management support & reviews
• Investigations and special projects
• Thematic reviews
• Process reviews
• Cyclical audits
• Ad hoc advice and support
5. Process and timing
Quarterly update
 Should include:
• a review of current key group projects and planned audit approach
• review of longer-term cyclical audit planning, including a completeness
check against historical audit coverage of operating units / key business
processes
• review of audit coverage against the key risks and risk mitigation plans
• meetings with stakeholders to confirm priorities
 Roll forward, and retain prior quarter plan for reference
 Changes can and should be made between quarterly updates
 A more in-depth review is recommended (e.g. annually aligned to the
strategic review cycle)
5. Process and timing cont.
Communication
The quarterly rolling plan should be a ‘live’ document, communicated regularly
e.g. in meetings; Committee updates etc
Recommend showing prior two quarters (combined), current quarter and next
two quarters for context / reference
Audit Committee needs to understand the process, articulate its priorities and
allow leeway to the head of audit to exercise judgement and flex the plan
between Committee meetings
6. Final thoughts
Dynamic planning:
 requires and encourages greater engagement
 involves regular judgement and is more
professionally / intellectually challenging
 delivers more transparent and efficient resource
allocation
 works in tandem with other key Group
processes - e.g. strategic planning cycle; risk
reviews - and, therefore, will feel more relevant
 should not overlook the importance of routine,
cyclical reviews, including areas of ‘lower’ risk
Internal Audit - Budgeting
April 30, 2014
Agenda
• Who are ED&F Man?
• Internal Audit Department
• Developing a realistic budget
• Incorporating “non-audit” activities
• Monitoring and Reporting
• Common Pitfalls
• Any Questions
Who are ED & F Man?
• Established in 1783
• Headquartered in London
• 3,700 people in around 60 countries
Internal Audit Team
• Head of Internal Audit
• Audit Manager
• Auditors
• Consultants
• Secondees
• Functional reporting line to the Chair of the Audit Committee.
• Administrative reporting line to the Group CFO.
Developing a realistic budget
• “Budget: a mathematical confirmation of your suspicions.” – A.A. Latimer
• Why do we need a budget?
Developing a realistic budget
• What are the IA deliverables?
• Articulated in a Strategic / Tactical Plan
• Approval of the Plan
• How are you going to achieve the Plan – Need for a BUDGET
  • People / Skillsets
  • Consultants
  • Ad-hoc
  • Fraud
Developing a realistic budget
• Other Cost Drivers ?
• Who owns the budget ? Accountability ?
Developing a realistic budget
• Other Cost Drivers?
  • Travel – Air, Train, Car, Hotel, Subsistence (Policy!)
  • Recruitment (Agencies, In-house)
  • Training
  • IT Hardware
  • IT Software
  • Subscriptions and Publications
  • Outsourced services
  • Corporate recharges / Overheads / Fixed Costs
Incorporating “non-audit” activities
• What are “non-audit” activities ?
• What percentage of time do they take ?
• How can they be factored into the budget ?
Monitoring and Reporting
• Cost Capture
• Cost Allocation
• Cost Reporting
• Cost Monitoring
• Forecasting
• Monthly Cycle
Monitoring and Reporting
No Surprises !
Monitoring month by month :
Monitoring and Reporting
No Surprises !
Monitoring year to date:
Monitoring and Reporting
Underspend and Overspend :
Communicated Timely ?
Approved ?
Forecast adjusted ?
Common Pitfalls
1. Planning based on last year’s budget.
Rushing through the planning process by tweaking last
year’s budget instead of starting with this year’s goals and
objectives.
Action : Clarify what internal audit objectives are for
the coming year, and put in place a plan that supports
those objectives. Focus investment where it makes
sense in the coming year rather than spending in the
same budget ‘buckets’ as last year.
Common Pitfalls
2. Descending into Spreadsheet Chaos !
Use of massive spreadsheets or workbooks with multiple
tabs, unwieldy number of columns, macros and multiple
versions. Only the person that created the spreadsheet can
understand and navigate through the data.
Action : Adopt a disciplined approach with a
spreadsheet that is from a single source (version
control) and that is appropriately formatted with
explanations in the spreadsheet.
Common Pitfalls
3. Planning the internal audit budget
within the Finance framework
Issues can arise when finance assigns a couple of line items to
internal audit. Lack of correlation between IA plan and the overall
finance plan. Risk of mistakes being exposed and lack of
credibility.
Action : Boost confidence with the Finance team by having
a detailed budget that aligns to any summary numbers in
the overall Finance budget. Evidence that IA are budget
conscious and supports company’s objectives and goals.
Common Pitfalls
4. Hiding the Plan, restricting
optimal decisions
Lack of visibility and execution makes even the best plan
meaningless.
Action : Your IA plan needs to flow into the day-to-day
execution of the internal audit function, including all
activities granting relevant people visibility into their
parts of the plan and budget.
Common Pitfalls
5. Ignorance of current spend
Lack of reliable data of amount spent in the current month
and year-to-date.
Action : Obtain the granularity of data to be able to
understand current expenditure versus budget.
Common Pitfalls
6. Lack of communication of plan and progress against the
plan
Lack of grasp of budget by the various teams /groups
within the internal audit function.
Action : Communicate plan to the entire team in order
for all to execute the action items of the plan.
Common Pitfalls
7. Following the adage: “Never base your budget requests on realistic assumptions, as this could lead to a decrease in your funding.”
Excessive buffering and padding of the budget so as to minimize
any questions or interference by Finance.
Action : Internal Audit need to be ethical, evidence sound
judgment in behaviours and lead by example.
Any Questions ?
International Conference 2014
• London’s ExCel centre, 6–9 July
• World’s biggest internal audit event, with 2,000+ delegates and 200
speakers. People are travelling from over 100 countries!
• Fascinating keynote speakers include Alastair Campbell, Michael
Woodford and Noreen Hertz
• Nine education streams to choose from
• A social programme will provide networking opportunities
• Members pay just £895 +VAT until 16 May
Book your place at www.iia.org.uk/london2014
IIA Heads of Internal Audit Service (HIAS)
Join our exclusive network of 270 Heads of Internal Audit and benefit from…
1. Get ahead and stay up to date
Receive updates on the latest developments in the profession to help you respond to the
demands of a competitive and increasingly regulated business climate
2. Build your network
Meet and share ideas with peers from a range of sectors, private and public
3. Lead the profession
Help influence current and future thinking on internal audit and IIA policy and strategy, HIAS
members are at the forefront of the profession
4. Share best practice
Compare practices, benchmark your organisation and learn new ways of working
For more details of how to join visit www.iia.org.uk/hias
Populating the plan with employee skill requirements
30 April 2014
Matt Spano – Head of Audit – Motability Operations
Agenda
1. Introduction
2. Employee Skills Evaluation
3. Matching Audit Plan Requirements with Current Skills
4. Identifying skills deficiencies & the need for co-sourcing / outsourcing
5. Conclusions / Questions
Introduction
• MO is classified as a not-for-profit organisation, and is owned by the UK's four
major banks - Barclays, HSBC, Lloyds and RBS.
• MO has over 600,000 customers and a turnover of around £3bn.
• MO accounts for >10% of new car purchases in the UK every year.
• MO resells >200,000 used cars to trade every year.
Introduction
• This presentation is based purely on how I manage my teams…..this will vary
for you depending on the nature, structure and charter of your internal audit
function as well as the type of organisation you work for.
• This presentation is merely common sense and could apply to any business
function, not just internal audit…..it is about building and managing a team
that is skilled to effectively do the job the organisation needs it to do.
• How many of your Internal Audit functions are:
  • Outsourced?
  • Co-sourced?
  • Staffed completely with ‘internal auditors’?
  • Use ‘non’ audit specialists from within your own organisations?
  • Other?
Introduction
• Survey of Heads of Internal Audit on CIIA website (May 2010) highlights a broad range of qualifications and practical experience amongst internal auditors.
• Despite this, nearly 60% of all internal audit departments bring in additional resources to complete their internal audit plans. The key areas where additional skills are required were:
  • Information Technology: 36%
  • Taxation: 19%
  • Finance: 15%
  • Health and Safety: 11%
  • Major Projects: 11%
  • Business Continuity: 7%
  • Telecoms: 5%
  • Governance: 4%
  • Third Party Activities: 2%
• Sources of additional resources:
  • Purchased from specialist service providers: 30%
  • Co-sourcing with third party: 30%
  • Independent experts from within the business: 15%
  • Secondment from a third party: 6%
  • From other source: 6%
Employee Skills Evaluation
• How you do this is dependent on a number of factors...
• Size and scope of the Internal Audit team.
• Maturity of the control functions.
• Organisation size / Complexity and Geography.
• Stakeholder Expectations: Audit Committee / Board Members / Senior Management
(to name but a few).
• At what stage should you evaluate the skills of internal audit?
  • During recruitment.
  • During employee lifetime.
  • When people leave….(depending on team size).
  • On-going during performance assessments / training and development / feedback from the business.
Matching Audit Plan requirements with current skills available
• Chicken and egg time……how do you develop a comprehensive audit plan if you don’t have the technical or cultural knowledge of a business to identify and understand its key risk areas?
• Whoever develops the audit plan needs sufficient skills to perform a robust risk assessment and build a comprehensive internal audit plan. This will involve utilising many people outside of the Internal Audit function.
• Assess the Audit team’s skills against an internal audit plan developed without any reference to the technical skills the team currently has – never be tempted to ignore or downplay the risk in areas of the business you don’t fully understand.
• Develop basic scope documents for all audits identified on the audit plan / universe to enable a skills assessment to be undertaken.
• So…you have your audit plan…how do you match it to the current skills
available?
Employee Skills Evaluation : Example Skills Matrix
Internal Audit Function's Skills Matrix - 2012/2013
Columns: Name | Job Title | Team Management | Risk Assessments | Audit Plan Development | IT Security Audits | Starter / Finisher | Emotional Control | Actuarial Knowledge | Financial Accounting Expertise | Insurance Captive Expertise | Years Experience | Overall Score | Skills Gap | Type of Gap
Rows (one per team member):
• Joe Bloggs – Head of Audit
• Sheila Bloggs – Senior Internal Auditor
• Matt Blogs – Graduate Placement
• Everyone Blogs – Trainee Auditor
• Joanne Blogs – Secondment from Business Systems
[Individual cell scores did not survive extraction of the slide]
Scoring Key:
0 = No experience or understanding
1 = Limited experience (or no recent experience)
2 = Good experience (knowledge and recent experience)
3 = Subject Matter Expert (skills equal or better than those within the business)
Employee Skills Evaluation
• Belbin Team Roles - Identify behavioural strengths and weaknesses in the
workplace.
• Strengthscope - Helps individuals and teams to understand their standout
strengths.
Identifying skills deficiencies and plugging the gaps
• Review the results of your skills analysis to highlight any gaps.
• Perform an assessment of the gaps and identify any actions you wish to take.
• May choose not to action some of the gaps – accept the risk or provide partial assurance etc.
• Look at your own organisation first:
  • Skill up your existing team?
  • Recruit to fill any gaps?
  • Use Secondments from the business?
  • Graduates?
  • Use of networks?
  • Internal Specialists: language skills / cultural knowledge in specific geographical locations?
• Use of technology to fill gaps – especially in areas such as IT.
Identifying skills deficiencies and plugging the gaps
• What do your key stakeholders expect? Do they want the ‘badge’ of an
outsourced provider to deliver assurance on a function / product that is new
or evolving?
• Have to be sure a co-sourcer / outsourcer can do a better job than your
internal resources – you can’t outsource this risk!
• Understanding a business’s culture has a lot to do with success.
• I have seen perfectly good audits from a co-sourcer rejected merely because of the
way they were conducted or the results presented (if they lack buy-in or lose credibility,
they will not be accepted by the business, regardless of the validity of the findings).
• Effectiveness reviews – Use these periodically to validate your approach to
planning and the resources used to complete the plan.
• Feedback from the business – to assess whether you have demonstrated the
right level of skill and understanding and come to appropriate conclusions.
• Benchmark data.
Summary
• Apply a common sense approach.
• The skills of internal audit must be tailored to the needs of the organisation.
• Use of skills matrix of some form.
• Utilise the skills within your own organisation – both in planning and skilling
the internal audit function.
• Continuously evaluate the skills of internal audit.
• Think about ‘cultural’ skills as well ‘technical’ skills.
• Can a co-sourcer / outsourcer do a better job than internal resources?
• Feedback, feedback, feedback!!!
Developing a robust internal audit plan
A current good practice example
April 2014
Scott Strachan, Global Head of Internal Audit
Aberdeen Asset Management
For investment professional use only – Not for public distribution
Introduction
Goal
• To share how we conduct our planning process
• To share insights on:
– What we have developed
– Why we developed it so
– What we see as the key benefits and challenges
Best piece of advice!
Follow the KISS theory!
K – Keep
I – It
S – Simple
S – Stupid!
And …
• Whilst there are pressures to make it complex (regulation, stakeholder demand, etc.)
• Dynamic and clear is always best!
Planning – the ‘old’ method
• A singular functional and location view that fed a static audit plan
Diagram: Locations and Departments define the Audit universe; the Audit risk assessment feeds a 5 year (1 + 4) cyclical audit plan.
Planning – the ‘new’ method
• A process that incorporates input from multiple, ‘sophisticated’ information sources (leveraging the
explosion of data required in FS!)
• Conducted continuously but formally once a quarter (co-ordinated with the Audit Committee)
• Results in the quarter’s plan (the 3) and a proposed plan coverage for the following three quarters (the +9)
Diagram: Departments, Operational processes, Total Assurance sources and Multiple risk sources feed the Audit universe and Risk mapping to multiple sources (Sword); the Audit risk assessment produces the 3+9 audit plan.
Migration of assurance approach
Diagram: mix of intervention types (Project, Continuous, Traditional) under the old and the new approach.
The risk assessment
• Risk ranking taking a holistic approach that includes culture, customer outcome, and fraud
• Residual scoring considers our view of the control structure and how much assurance is being provided by
other groups (internal and external)
• MI used to show % inherent risk plan coverage and % residual risk coverage
Coverage MI (status, and change from January):
Audit universe: 353 (-5%). Revisions to the IT universe to simplify the structure and align it with standard industry practice.
High residual risk / universe: 9% (no change).
High residual risk audit coverage: 81% (+7%). Audit coverage activity levels have remained the same; together with the consolidation of IT line items on the universe and some risk rating decreases, this has led to greater coverage of high rated areas.
High inherent risk / universe: 15% (-1%).
High inherent risk audit coverage: 85% (+9%). Same dynamics as with the residual calculation.
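The four coverage measures above are ratios over the audit universe, and the residual figures depend on how much credit is given for controls and for assurance from other groups. The following is an added example, not the speaker's method or tooling: it computes the two pairs of measures (share of the universe rated high, and share of those high rated entities the plan covers, for inherent and residual risk) over a constructed universe and formats the quarter-on-quarter change the way the slide presents it. The universe, the ratings, the "high" threshold, the previous-quarter figures and the residual formula (inherent rating less credit for controls and for others' assurance) are all assumptions for illustration.

```python
"""Risk coverage MI for an audit universe.

Added example, not the speaker's method: it reproduces the two coverage
measures on the slide (% of the universe rated high, and % of those high
rated entities covered by the plan) for inherent and residual risk, and
formats the quarter-on-quarter change the way the slide shows it.
The universe, the ratings, the 'high' threshold, last quarter's figures
and the residual formula (inherent rating less credit for controls and
for assurance from other groups) are assumptions for illustration.
"""

HIGH = 4  # assumed threshold for "high" on a 1-5 rating scale

# Constructed universe: (entity, inherent 1-5, control credit 0-2,
# other-assurance credit 0-1, in current plan)
UNIVERSE = [
    ("Trade settlement",        5, 1, 1, True),
    ("Client onboarding / AML", 5, 1, 0, True),
    ("IT access management",    4, 0, 0, True),
    ("Fund accounting",         4, 2, 1, False),
    ("Marketing approvals",     2, 1, 0, False),
    ("Travel expenses",         1, 1, 0, True),
]

# Constructed figures for the previous quarter, used for the change column.
LAST_QUARTER = {
    "universe_size": 7,
    "high_inherent_pct_of_universe": 71,
    "high_inherent_audit_coverage": 60,
    "high_residual_pct_of_universe": 29,
    "high_residual_audit_coverage": 100,
}


def residual(inherent, control_credit, other_assurance):
    """Assumed residual scoring: net off controls and others' assurance, floor at 1."""
    return max(1, inherent - control_credit - other_assurance)


def pct(part, whole):
    """Whole-number percentage of `part` within `whole`; 0 when `whole` is empty."""
    return round(100 * len(part) / len(whole)) if whole else 0


def coverage_mi(universe, high=HIGH):
    """The four coverage measures from the slide, as whole percentages."""
    high_inh = [u for u in universe if u[1] >= high]
    high_res = [u for u in universe if residual(u[1], u[2], u[3]) >= high]
    return {
        "universe_size": len(universe),
        "high_inherent_pct_of_universe": pct(high_inh, universe),
        "high_inherent_audit_coverage": pct([u for u in high_inh if u[4]], high_inh),
        "high_residual_pct_of_universe": pct(high_res, universe),
        "high_residual_audit_coverage": pct([u for u in high_res if u[4]], high_res),
    }


def with_change(previous, current):
    """Format each measure as 'value (+/-change)' like the slide; '(-)' for no change."""
    out = {}
    for key, value in current.items():
        if key == "universe_size":
            # Universe size is a count; its change is shown as a percentage of last quarter.
            base = previous[key]
            change = round(100 * (value - base) / base) if base else 0
            out[key] = f"{value} ({change:+d}%)"
        else:
            delta = value - previous[key]
            out[key] = f"{value}% ({delta:+d}%)" if delta else f"{value}% (-)"
    return out


if __name__ == "__main__":
    for key, text in with_change(LAST_QUARTER, coverage_mi(UNIVERSE)).items():
        print(f"{key:32} {text}")
```

Note how the residual coverage figure can move without any audit being added or removed: "Fund accounting" is high on inherent risk but drops out of the high residual set because of the control and other-assurance credit, which is exactly the "risk rating decreases" effect the slide describes.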
Old to new!
• Restrictions of the old method:
– It was administratively difficult to adjust to the constantly changing risk landscape
– Did little to keep the team engaged and focused on risk
– Cyclical planning resulted in low risk areas being covered at the expense of high risk ones – the
emphasis was on that falsehood – total assurance!
– Actual work often bore no resemblance to what was previously planned and audit trail difficult to
present
• Benefits of the new method:
– Allows greater flexibility in addressing developing and changing risks. Easy to implement and reflect
change
– Keeps the team focused on continuously considering and assessing risk
– Allows directors and executive management to focus attention on the immediate body of work, resulting
in more robust oversight and challenge
– Allows for more real-time reaction to changing team needs (eg inter-regional secondments)
Challenges … and solutions!
• Management concern over losing coverage
– Education and MI on the right risk coverage
– Closer interaction with management in forming the plan (COP) = easier to show them their requests
have been incorporated
• ‘Perceived’ larger time commitment from the team
– Only on initial set up
– In aggregate the quarterly process leverages the repeated exposure to the process
• Change in the team’s thought process to a more risk based approach
– Suite of training, presentations, flowcharts and the use of an automated tool (TeamMate; not essential,
the disciplines are easily replicated!) to guide and ensure appropriate thematic risk thinking
• Consistency in execution
– MI and a fundamentally more manageable plan size facilitates improved QA and top down
management oversight and challenge
Additional benefits … good practice?
• Gained synergies with team management processes to facilitate:
– Empowerment
– Development
– Progression
– Subject matter specialism
• Regulator/external review
– Demonstrate dynamic, risk based, regulatory themed, strategic objective linked planning
• Stakeholder buy in
– Continuous engagement with business
– Built in education piece
– Management are living within the changing risk environment and therefore appreciate/expect internal audit
to be tuned in too!
IIA guidance and EQA experiences
Martin Robinson
Training Development Adviser, IIA
30 April 2014
My topic areas
• Overview of outcomes of recent EQA reviews carried out by the
IIA and some laudable examples
• The IIA view of effective internal planning.
Outcomes from recent IIA EQA reviews – key
issues
• Requirement for a clear link between the risks of an organisation
and the internal audit plan
• Ensure that most important areas are included
• Consider impact and value
• Ensure that careful consideration is given of all change initiatives
when building a plan including projects, M&A and organisational
restructure etc.
Cont’d…
Key issues – cont’d
• Review risk management processes and procedures either
holistically or as part of each audit
• Consultancy work is good, but you need criteria for performing it. Ensure
adequate output and reporting. Consider the value of each
assignment
• Critical importance of talking regularly with your audit committee
and executive/senior management on the focus of your plan and
content
• Make sure your plan is fluid and dynamic and not ‘set in stone’.
The IIA view of effective
internal audit planning
• Focus attention upon the risk management process; its design,
application and reporting mechanisms.
• Build the audit plan around high priority risks, key areas of change
and the assurance needs of stakeholders.
• Where possible, work with and rely upon other assurance
providers.
The IIA view of effective
internal audit planning
• Work with external providers of assurance in a co-sourced
arrangement to fill skills and knowledge gaps.
• Consider the importance of routine processes and activities (audit
universe) but keep this in tune with key business risks and
developments.
• Make key choices, including what is not being done, transparent to
key stakeholders to engage stakeholders in questions of risk
appetite and the need for assurance.
Workshop discussion
Subjects for wider discussion
• What challenges do we face in developing risk based audit plans?
• What process do we use to ensure that there has been good
engagement with all key auditees and/or stakeholders?
• How do we address skill and competency shortfalls?
Workshop discussion
• Do we have a robust prioritisation process?
• How do we factor non-audit work into our plans?
• How do we monitor the delivery of our audit plans?
Any questions?