Seminar Developing a robust internal audit plan 30 April 2014.

Transcript of Seminar Developing a robust internal audit plan 30 April 2014.

Page 1: Seminar Developing a robust internal audit plan 30 April 2014.

Seminar

Developing a robust internal audit plan

30 April 2014

Page 2: Seminar Developing a robust internal audit plan 30 April 2014.

Agenda

10.00-10.15 Welcome and introduction Martin Robinson, Training Development Adviser, IIA

10.15-10.50 What are current, leading and emerging practices for developing an Annual Audit Plan? Chris Spedding, Senior Manager, Ernst & Young

10.50-11.25 Mapping the business and risk fundamentals Alison Smith, Group Audit and Risk Management Director, Kingfisher Group

11.25-11.40 Coffee

11.40-12.15 Effective audit planning methodology and process Gordon Craig, Director Internal Audit, 3i Group Plc

12.15-12.50 Focusing on budget, time and monitoring issues Robert Tunstall, Head of Internal Audit, ED and F Man

12.50-13.50 Lunch

Page 3: Seminar Developing a robust internal audit plan 30 April 2014.

Agenda

13.50-14.25 Populating the plan with staff skill requirements Matt Spano, Head of Internal Audit, Motability Operations

14.25-15.00 A current good practice example Scott Strachan, Global Head of Internal Audit, Aberdeen Asset Management

15.00-15.15 Coffee

15.15-15.30 IIA guidance and EQA experiences Martin Robinson

15.30-16.00 Workshop discussion Martin Robinson

16.00 Feedback and close

Page 4: Seminar Developing a robust internal audit plan 30 April 2014.

Seminar objectives

• Deliver an overview of the key issues involved in developing robust internal audit plans

• Learn about recent experiences from an excellent panel of speakers

• Provide an opportunity to share knowledge with other delegates.

Page 5: Seminar Developing a robust internal audit plan 30 April 2014.

Current, leading and emerging practices for developing an annual audit plan

Page 6: Seminar Developing a robust internal audit plan 30 April 2014.

Ernst & Young’s most recent Internal Audit Survey reported that 62% of internal audit functions believe their risk assessment and audit planning processes are in need of enhancement.

Constant challenge of audit planning

“Audit planning is about as tough as it gets for the internal auditor. Deciding which areas of the business make it to the plan, the resources required and the appropriate timing of audit work is a critical, yet complex task.”

“The primary driver for improvement of my function comes from my own Audit Committee, who constantly want our views on issues that concern them – and we simply have to respond speedily and reliably”.

Page 7: Seminar Developing a robust internal audit plan 30 April 2014.

Agenda

1. Challenges to effective audit planning

2. Defining the audit universe

3. Progressive risk assessment

4. Dynamic audit planning

5. Conclusions / questions

Page 8: Seminar Developing a robust internal audit plan 30 April 2014.

Context

Page 9: Seminar Developing a robust internal audit plan 30 April 2014.

The Internal Audit planning process has been largely unchanged for many years…

[Process diagram labels: Audit Universe; Risk Assessment; Prioritisation; Selection and Sizing; Audit Plan Approval; Risk Parameters; Coverage Parameters; Required Audits]

...with refinements to meet specific needs and improve sustainability and flexibility.

Page 10: Seminar Developing a robust internal audit plan 30 April 2014.

The impact of the business environment on the internal audit risk assessment

...will result in significant change to internal audit plans

Economic Factors

Regulatory environment

Technology and other change

Rapid change in risk profile

Changes in Risk appetite

Fundamental business model change

Changes to IA remit / approach

Significant change to universe and Internal Audit priorities

Changes in Risk Management

Page 11: Seminar Developing a robust internal audit plan 30 April 2014.

Changes to Business Models

► Major change programs to reshape the business and redefine the target operating model

► Increasing demand for ROE – profiles may change to achieve this

► Increased potential for mergers, acquisitions and expansion

► Affordability of reform and business change a major challenge with many competing priorities

► Constrained capital and liquidity availability

► De-globalization/deleveraging (withdrawing from markets and business lines)

► Movement toward a sustainable cost base and future position (reduced headcount, smaller bonus pools, new efficiency programs)

► Ever increasing importance of technology across the business model

Page 12: Seminar Developing a robust internal audit plan 30 April 2014.

Changes in Risk Management

► Continued improvements and changes in risk management approaches and structures

► Increased stakeholder pressure for more effective risk governance

► Definition and embedding of risk appetite is cornerstone in risk management processes but long way to go before truly embedded

► Quality of data and systems remain impediments to effective risk management

► Identification and mitigation of emerging risks

► Industry and regulator views that there is still a lot of work to be done

► CRO relevance: increased enterprise wide influence; end to end involvement in risk decisions; direct access to board or risk committees

Page 13: Seminar Developing a robust internal audit plan 30 April 2014.

Changing Regulatory Expectations

New regulatory standard in financial services

► July 2013 Chartered Institute of Internal Auditors “Guidance for internal audit in financial services”

► January 2013 Federal Reserve “Internal Audit and its outsourcing”

► 2012 Basel Committee “Internal Audit function in Banks”

Whilst focused on FS sector, the principles are applicable to all sectors

► Need for stronger mandate around protection against key risks

► Board level relevance and standing – “voice at the top table” crucial

► Expected to complete robust assessment of the second line of defense i.e. governance, risk management, compliance

► Responsive and flexible

► Implications for resourcing strategies

► Improve involvement, influence and impact

Page 14: Seminar Developing a robust internal audit plan 30 April 2014.

Defining the audit universe

Page 15: Seminar Developing a robust internal audit plan 30 April 2014.

Defining the audit universe

►What is the Purpose of the Audit Universe? Can these purposes be achieved in other ways?

►What is the optimum structure of the Audit Universe? Business decomposition, organisational unit, process or a matrix?

►What is an appropriate level of detail? How many items is common?

►How can an audit universe be properly maintained?

►How can business acceptance of the universe be achieved?

Page 16: Seminar Developing a robust internal audit plan 30 April 2014.

Defining the audit universe

The audit universe should be documented and reviewed periodically (recommended annually, or as significant organisational, financial, risk or product changes occur).

Federal Reserve, 2013-01

Internal Audit should have effective processes to identify all auditable entities within the auditable universe. The number of auditable entities will depend upon whether entities are captured at individual department or at other aggregated organisational levels.

Factors to consider can include:

Page 17: Seminar Developing a robust internal audit plan 30 April 2014.

Progressive risk assessment

Page 18: Seminar Developing a robust internal audit plan 30 April 2014.

Progressive risk assessment

► What is the purpose of the Risk Assessment? Is a standalone risk assessment required?

► To what extent can Internal Audit utilise other assessments made by other parts of the business?

► How can a risk assessment reflect the emerging needs?

► How can we best engage stakeholders with the risk assessment process?

► What weighting should internal audit apply to materiality, inherent risk and detect characteristics?

Page 19: Seminar Developing a robust internal audit plan 30 April 2014.

Progressive risk assessment

Internal Audit must analyse the key risks, mitigating governance, risk management and control. Risk assessments should be:

► Both qualitative and quantitative

► Informed by, but not reliant upon Executive and Risk management input

► Formally documented with written analysis/rationale to support assumptions

► Approved by the audit committee at least annually / upon material changes

Page 20: Seminar Developing a robust internal audit plan 30 April 2014.

Progressive risk assessment

Fully engaged with the organisation

Risk assessment and audit planning must involve real engagement with a range of stakeholders and inputs:

► Multiple layers of management (1st and 2nd lines of defence)

► NED (both Audit and Risk Committees)

► Regulators

► External bodies / co-source providers / peer networks

“Real engagement” facilitates input, commitment and buy-in

► Workshops

► 1-2-1 meetings and follow up sessions

► Surveys – internal and external

► Throughout the year, responsive to changes in stakeholders

Page 21: Seminar Developing a robust internal audit plan 30 April 2014.

Dynamic audit planning

Page 22: Seminar Developing a robust internal audit plan 30 April 2014.

Internal Audit planning considerations

Clarity of purpose and role

Shape of Audit Plan

Improved impact in reporting

Substantive outcomes

Utilisation of resources

Importance of independence

Appropriate audit response

The annual plan should be developed with the ultimate objectives of internal audit at its core. The plan must generate the overall outcome required of internal audit – high impact reporting and sustainable improvements in the organisation.

Page 23: Seminar Developing a robust internal audit plan 30 April 2014.

“Plan to Report”

The annual plan must be created with the “end goal” at its core

► Overall assessments (at least annually) of risk management, governance and control

► Embed assessments of governance, culture, risk management etc into every audit performed

► Clear assessment against key risks

► Prove or disprove hypotheses against each key risk

► Thematic issues - not just a consolidation of audit issues

► Critical / high risk issues raised

► Root cause analysis – action required of management to remediate the issues

► Clearly articulates management action required to bring issue back within risk appetite

Page 24: Seminar Developing a robust internal audit plan 30 April 2014.

Dynamic process for assessing and communicating audit needs

► Flexibility is key (3+9 / 6+6)

► Full re-performance of risk assessment is not always required – trigger events

► Continuous monitoring and engagement activities with pipelines of information constantly being assessed for audit planning implications

► Strong stakeholder engagement to inform changes, and be informed of them

► Change control over the audit plan (materiality of change)

[Diagram labels: Group Risk Strategy; Critical planning Inputs; Audit Needs Assessment; Challenge and review; Audit Plan; Reliability assessment; Completeness checks; Stakeholder key expectations / desired outcomes; Group Risk Appetite / Risk tolerances]

Page 25: Seminar Developing a robust internal audit plan 30 April 2014.

Conclusions

Page 26: Seminar Developing a robust internal audit plan 30 April 2014.

Key Principles to apply

► “Plan to Report”

► Overall assessments of governance, risk management and control

► Mandate on

► Key risk centric – move away from multi-year cyclical plans and the concept of the rigid Annual Audit Plan

► Top-down analysis focused on business process to avoid unnecessary detail and address silo created risks

► Group materiality and significance based

► Strong engagement with all stakeholders. Input provided by stakeholder groups using specifically designed forums

► Knowledge acquisition, capture and deployment underpins the assessment

► Adoption and incorporation of group wide approaches (example risk assessment, control self assessments)

► Flexibility incorporated into the planning process by transforming it from a discrete (once or twice a year) activity to an on-going process

► Formal rationale for risk assessment and audit plan to the Audit Committee

Page 27: Seminar Developing a robust internal audit plan 30 April 2014.

Questions?

Page 28: Seminar Developing a robust internal audit plan 30 April 2014.

Ernst & Young LLP

Assurance | Tax | Transactions | Advisory

www.ey.com/uk

The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited.

Ernst & Young LLP, 1 More London Place, London SE1 2AF.

© Ernst & Young LLP 20112 Published in the UK. All rights reserved.

Page 29: Seminar Developing a robust internal audit plan 30 April 2014.

Developing a robust internal audit plan

Mapping the business and risk fundamentals

Alison Smith

Group Audit and Risk Management Director

Kingfisher plc

Page 30: Seminar Developing a robust internal audit plan 30 April 2014.

Today

• My brief

• Understanding your business and organisation

• Exploring business processes

• Effective use of your risk database/register

• How

• Internal Audit team

• Kingfisher plc – who we are, strategy

• Understanding the business, organisation and process

• Risk assessment process and the business planning process

• Audit planning process – how we demonstrate the link to strategy

• Effective use of the risk register and the business

• Challenges developing and maintaining the plan

Page 31: Seminar Developing a robust internal audit plan 30 April 2014.

Team Overview

• 65 in the team, based in 7 countries

• Each team covers store and corporate audit in the region

• IT is audited by a central team, UK based

• Audit work covers all areas – e.g. stores audits, customer complaints, stock, multi channel project, stores training, waste management

• Responsible for facilitating the risk assessment/identification process

• My Background

• Retail, logistics, manufacturing

Page 32: Seminar Developing a robust internal audit plan 30 April 2014.

Kingfisher plc

• Europe’s largest home improvement retailer

• 1,120 stores

• We employ 78,000 people

• Six million customers shop in our stores every week

• Turnover £11bn+

• 10 operating companies in 9 countries

• B&Q – 360 stores, 21000 employees

• Brico Depot Romania – 15 stores, 1000 employees

Page 33: Seminar Developing a robust internal audit plan 30 April 2014.

‘Creating the Leader’

1. Making it easier for customers to improve their home

2. Giving our customers more ways to shop

3. Building innovative common brands

4. Driving efficiency and effectiveness everywhere

5. Growing our presence in existing markets

6. Expanding in new and developing markets

7. Developing leaders and connecting people

8. Sustainability: becoming ‘Net Positive’

[Diagram labels: Easier; Common; Expand; One Team; Sales; Cost efficiencies; Gross margin]

Page 34: Seminar Developing a robust internal audit plan 30 April 2014.

Understanding the business, process and organisation

• Business planning process

• Annually budget and reforecast

• 3 year planning process

• Addresses how we will achieve our strategic objectives and growth targets

• Risk Assessment process

• Internal Audit facilitate the risk assessment – formally updated twice a year.

• First Update

• Coincide this exercise with the 3 year plan exercise carried out by the management teams

• Update the risk assessment with Operating Company Boards and we review the 3 year plans

• Are the risks identified representative of the 3 year plan?

• Each risk is linked to a strategic objective or an operational area

Page 35: Seminar Developing a robust internal audit plan 30 April 2014.

Risk assessment matrix – linked to the strategic objectives

Occurrence axis labels: Almost Certain; Highly Probable; Probable; Fairly Likely; Unlikely

Impact axis labels: Manageable; Major; Critical; Catastrophic; Significant

Risks plotted on the matrix:

1: Change Management (Easy)

2: Systems & supply chain (Easy)

3: Combined Purchasing (Common)

4: Like for like Growth (Expand)

5: Global Economy (Expand)

6: Agility & capability to expand overseas (Expand)

7: Investment in people (One Team)

8: Price competitiveness (Operational)

9: Supplier Resilience (Operational)

10: Health & Safety (Operational)

11: Ethics & Compliance (Operational)

Page 36: Seminar Developing a robust internal audit plan 30 April 2014.

Audit Planning

• Second Update to the risk assessment

• During the ‘annual’ audit planning exercise

• How we prepare the plan

• Review the results of the previous year’s work – grades, complexity, change

• Review the risk assessment – sometimes this only covers the risks which are ‘not well controlled’

• Strategic risks versus operational risk

• Gross versus net risk?

• Discuss with management

• Prepare the plan and discuss with management

• Present to the local Audit Committee for approval

• Link each audit to a strategic objective or an operational area

Page 37: Seminar Developing a robust internal audit plan 30 April 2014.

Do we make effective use of the risk register

• 80% of the Group risks relate to our strategic objectives

• At Operating Company level circa 50% relate to strategic areas, dependent on the Operating Company

• 37% of our work relates to our strategic objectives

• Do we have a risk based approach? Are we making effective use of the risk register?

Page 38: Seminar Developing a robust internal audit plan 30 April 2014.

Example of our Audit Approach

Extending omnichannel capabilities across the Group

Easier

Stages shown: Best in class; Mass Rollout; Testing; Preparing

• B&Q UK CP&C* rollout 2014; doubled products for home delivery in 2013

• France & Turkey CP&C* trials 2014; Screwfix Germany trial

• Mobilising in Poland, Russia, China & Spain incl. new & mobile friendly websites & home delivery

• Screwfix CP&C* up 32% YOY; now 10% of total sales

* Click, Pay & Collect

Page 39: Seminar Developing a robust internal audit plan 30 April 2014.

Controls

Complex control structures in place, mixture of electronic and manual

Systems

Bespoke legacy systems, difficult to change.

Change

High level of project activity to enhance the existing processes and systems and delivery on the strategy e.g. Multi channel, BI

Controls

Control structures not well developed. Heavy reliance on manual controls and some segregation of duties issues due to size.

Systems

Standard systems in place, complicated by manual/ paper processes in place alongside systems

Change

Business expansion and stabilisation of the business e.g. China

Controls

Simple control structures, more reliance on manual control

Systems

Standard systems in place, based on larger OpCo systems

Change

Change activity focussed on expanding the business, resulting in changes to existing infrastructure requirements e.g. Supply Chain (Casto Poland)

Audit Approach

The audits will focus on ensuring there is a strong financial and commercial control structure in place on which to take the business forward.

B&Q, Casto France

Screwfix

B&Q China

Russia, Spain, Romania

Casto Poland

Turkey, BD France

Audit Approach

Audit work to focus on the changes underway, more project audits undertaken. Some assurance work to ensure existing control level maintained.

Audit Approach

Assurance work to ensure existing control structures maintained. Some audit work on changes to existing processes being made to enable expansion.

What

How

Who

Page 40: Seminar Developing a robust internal audit plan 30 April 2014.

Questions?

Page 41: Seminar Developing a robust internal audit plan 30 April 2014.

IIA seminar

Developing a robust internal audit plan

30 April 2014

Gordon Craig

Page 42: Seminar Developing a robust internal audit plan 30 April 2014.

1. Introduction to 3i

IIA Seminar April, 2014

Page 43: Seminar Developing a robust internal audit plan 30 April 2014.

2. Agenda

Dynamic audit planning – what it means and why do it

Developing a rolling audit plan – approach and structure

Process and timing – adapting the plan and communicating changes

Final thoughts

Page 44: Seminar Developing a robust internal audit plan 30 April 2014.

3. Dynamic audit planning

What is it?

Dynamic = not static

‘Annual plan’ is a thing of the past

Requires regular changes – weekly, monthly, quarterly

Draws, systematically and regularly, on multiple feeders incl. stakeholders views, risk analysis, strategy, external developments

Why?

Audit Committees (should) expect it

Circumstances and priorities change - sometimes very quickly

Need to be ‘front of foot’ e.g. hot topics; themes

Forward looking vs. ‘rear view’

Optimise resource allocation

Page 45: Seminar Developing a robust internal audit plan 30 April 2014.

4. Developing a rolling audit plan

APPROACH

Identify the main drivers of your plan

Identify and ensure access to key sources of information

• Strategic review / update

• Board papers

• Committee papers e.g. Risk

• Attendance at meetings

• Investment & project proposals

• Project update reports / steer co. minutes

• Regular scheduled meetings with key stakeholders e.g. Audit Co Chair; CEO; FD

• Performance reports (e.g. monthly management accounts)

Strategy

Risk analysis

Change management

Stakeholders

Business performance

Page 46: Seminar Developing a robust internal audit plan 30 April 2014.

4. Developing a rolling audit plan cont.

Structure

Establish and agree a clear ‘cascade’ of priorities which fits your organisation

Populate quarter by quarter

Clear focus on the current quarter

Planning should be ‘thinner’ as you move further along the time horizon

Category

• Change management support & reviews

• Investigations and special projects

• Thematic reviews

• Process reviews

• Cyclical audits

• Ad hoc advice and support

Page 47: Seminar Developing a robust internal audit plan 30 April 2014.

5. Process and timing

Quarterly update

Should include:

• a review of current key group projects and planned audit approach

• review of longer-term cyclical audit planning, including a completeness check against historical audit coverage of operating units / key business processes

• review of audit coverage against the key risks and risk mitigation plans

• meetings with stakeholders to confirm priorities

Roll forward, and retain prior quarter plan for reference

Changes can and should be made between quarterly updates

A more in-depth review is recommended (e.g. annually aligned to the strategic review cycle)

Page 48: Seminar Developing a robust internal audit plan 30 April 2014.

5. Process and timing cont.

Communication

The quarterly rolling plan should be a ‘live’ document, communicated regularly e.g. in meetings; Committee updates etc

Recommend showing prior two quarters (combined), current quarter and next two quarters for context / reference

Audit Committee needs to understand the process, articulate its priorities and allow leeway to the head of audit to exercise judgement and flex the plan between Committee meetings

Page 49: Seminar Developing a robust internal audit plan 30 April 2014.

6. Final thoughts

Dynamic planning:

• requires and encourages greater engagement

• involves regular judgement and is more professionally / intellectually challenging

• delivers more transparent and efficient resource allocation

• works in tandem with other key Group processes - e.g. strategic planning cycle; risk reviews - and, therefore, will feel more relevant

• should not overlook the importance of routine, cyclical reviews, including areas of ‘lower’ risk

Page 50: Seminar Developing a robust internal audit plan 30 April 2014.

Internal Audit - Budgeting

April 30, 2014

Page 51: Seminar Developing a robust internal audit plan 30 April 2014.

Agenda

• Who are ED&F Man ?

• Internal Audit Department

• Developing a realistic budget

• Incorporating “non-audit” activities

• Monitoring and Reporting

• Common Pitfalls

• Any Questions

Page 52: Seminar Developing a robust internal audit plan 30 April 2014.

Who are ED & F Man ?

Established in 1783

Page 53: Seminar Developing a robust internal audit plan 30 April 2014.

Who are ED & F Man ?

Headquartered in London

3,700 people in around 60 countries

Page 54: Seminar Developing a robust internal audit plan 30 April 2014.

Internal Audit Team

• Internal Audit Team

• Head of Internal Audit

• Audit Manager

• Auditors

• Consultants

• Secondees

• Functional reporting line to the Chair of the Audit Committee.

• Administrative reporting line to the Group CFO.

Page 55: Seminar Developing a robust internal audit plan 30 April 2014.

Developing a realistic budget

• "Budget: a mathematical confirmation of your suspicions." - A.A. Latimer

• Why do we need a budget ?

Page 56: Seminar Developing a robust internal audit plan 30 April 2014.

Developing a realistic budget

•What are the IA deliverables ?

•Articulated in a Strategic / Tactical Plan

•Approval of the Plan

•How are you going to achieve the Plan – Need for a BUDGET

• People / Skillsets

• Consultants

• Ad-hoc

• Fraud

Page 57: Seminar Developing a robust internal audit plan 30 April 2014.

Developing a realistic budget

• Other Cost Drivers ?

• Who owns the budget ? Accountability ?

Page 58: Seminar Developing a robust internal audit plan 30 April 2014.

Developing a realistic budget

• Other Cost Drivers ?

• Travel – Air, Train, Car, Hotel, Subsistence (Policy!)

• Recruitment (Agencies, In-house)

• Training

• IT Hardware

• IT Software

• Subscriptions And Publications

• Outsourced services

• Corporate recharges / Overheads / Fixed Costs

Page 59: Seminar Developing a robust internal audit plan 30 April 2014.

Incorporating “non-audit” activities

• What are “non-audit” activities ?

• What percentage of time do they take ?

• How can they be factored into the budget ?

Page 60: Seminar Developing a robust internal audit plan 30 April 2014.

Monitoring and Reporting

• Cost Capture

• Cost Allocation

• Cost Reporting

• Cost Monitoring

• Forecasting

• Monthly Cycle

Page 61: Seminar Developing a robust internal audit plan 30 April 2014.

Monitoring and Reporting

No Surprises !

Monitoring month by month :

Page 62: Seminar Developing a robust internal audit plan 30 April 2014.

Monitoring and Reporting

No Surprises !

Monitoring year to date:

Page 63: Seminar Developing a robust internal audit plan 30 April 2014.

Monitoring and Reporting

Underspend and Overspend :

Communicated Timely ?

Approved ?

Forecast adjusted ?

Page 64: Seminar Developing a robust internal audit plan 30 April 2014.

Common Pitfalls

1. Planning based on last year’s budget.

Rushing through the planning process by tweaking last year’s budget instead of starting with this year’s goals and objectives.

Action : Clarify what internal audit objectives are for the coming year, and put in place a plan that supports those objectives. Focus investment where it makes sense in the coming year rather than spending in the same budget ‘buckets’ as last year.

Page 65: Seminar Developing a robust internal audit plan 30 April 2014.

Common Pitfalls

2. Descending into Spreadsheet Chaos !

Use of massive spreadsheets or workbooks with multiple tabs, unwieldy number of columns, macros and multiple versions. Only the person that created the spreadsheet can understand and navigate through the data.

Action : Adopt a disciplined approach with a spreadsheet that is from a single source (version control) and that is appropriately formatted with explanations in the spreadsheet.

Page 66: Seminar Developing a robust internal audit plan 30 April 2014.

Common Pitfalls

3. Planning the internal audit budget within the Finance framework

Issues can arise when finance assigns a couple of line items to internal audit. Lack of correlation between IA plan and the overall finance plan. Risk of mistakes being exposed and lack of credibility.

Action : Boost confidence with the Finance team by having a detailed budget that aligns to any summary numbers in the overall Finance budget. Evidence that IA is budget conscious and supports the company’s objectives and goals.

Page 67: Seminar Developing a robust internal audit plan 30 April 2014.

Common Pitfalls

4. Hiding the Plan, restricting optimal decisions

Lack of visibility and execution makes even the best plan meaningless.

Action : Your IA plan needs to flow into the day-to-day execution of the internal audit function, including all activities granting relevant people visibility into their parts of the plan and budget.

Page 68: Seminar Developing a robust internal audit plan 30 April 2014.

Common Pitfalls

5. Ignorance of current spend

Lack of reliable data of amount spent in the current month and year-to-date.

Action : Obtain the granularity of data to be able to understand current expenditure versus budget.

Page 69: Seminar Developing a robust internal audit plan 30 April 2014.

Common Pitfalls

6. Lack of communication of plan and progress against the plan

Lack of grasp of budget by the various teams /groups within the internal audit function.

Action : Communicate plan to the entire team in order for all to execute the action items of the plan.

Page 70: Seminar Developing a robust internal audit plan 30 April 2014.

Common Pitfalls

7. Following the adage: "Never base your budget requests on realistic assumptions, as this could lead to a decrease in your funding."

Excessive buffering and padding of the budget so as to minimize any questions or interference by Finance.

Action : Internal Audit need to be ethical, evidence sound judgment in behaviours and lead by example.

Page 71: Seminar Developing a robust internal audit plan 30 April 2014.

Any Questions ?

Page 72: Seminar Developing a robust internal audit plan 30 April 2014.

International Conference 2014

• London’s ExCel centre, 6–9 July

• World’s biggest internal audit event, with 2,000+ delegates and 200 speakers. People are travelling from over 100 countries!

• Fascinating keynote speakers include Alastair Campbell, Michael Woodford and Noreen Hertz

• Nine education streams to choose from

• A social programme will provide networking opportunities

• Members pay just £895 +VAT until 16 May

Book your place at www.iia.org.uk/london2014

Page 73: Seminar Developing a robust internal audit plan 30 April 2014.

IIA Heads of Internal Audit Service (HIAS)

Join our exclusive network of 270 Heads of Internal Audit and benefit from…

1. Get ahead and stay up to date

Receive updates on the latest developments in the profession to help you respond to the demands of a competitive and increasingly regulated business climate

2. Build your network

Meet and share ideas with peers from a range of sectors, private and public

3. Lead the profession

Help influence current and future thinking on internal audit and IIA policy and strategy, HIAS members are at the forefront of the profession

4. Share best practice

Compare practices, benchmark your organisation and learn new ways of working

For more details of how to join visit www.iia.org.uk/hias

Page 74: Seminar Developing a robust internal audit plan 30 April 2014.

Agenda slide

Populating the plan with employee skill requirements

30 April 2014

Matt Spano – Head of Audit – Motability Operations

Page 75: Seminar Developing a robust internal audit plan 30 April 2014.

Agenda

1. Introduction

2. Employee Skills Evaluation

3. Matching Audit Plan Requirements with Current Skills

4. Identifying skills deficiencies & the need for co-sourcing / outsourcing

5. Conclusions / Questions

Page 76: Seminar Developing a robust internal audit plan 30 April 2014.

Introduction

• MO is classified as a not-for-profit organisation, and is owned by the UK's four major banks - Barclays, HSBC, Lloyds and RBS.

• MO has over 600,000 customers and a turnover of around £3bn.

• MO accounts for >10% of new car purchases in the UK every year.

• MO resells >200,000 used cars to trade every year.

Page 77: Seminar Developing a robust internal audit plan 30 April 2014.

Introduction

• This presentation is based purely on how I manage my teams… this will vary for you depending on the nature, structure and charter of your internal audit function as well as the type of organisation you work for.

• This presentation is merely common sense and could apply to any business function, not just internal audit… it is about building and managing a team that is skilled to effectively do the job the organisation needs it to do.

• How many of your Internal Audit functions are:

• Outsourced?
• Co-sourced?
• Staffed completely with ‘internal auditors’?
• Use ‘non’ audit specialists from within your own organisations?
• Other?

Page 78: Seminar Developing a robust internal audit plan 30 April 2014.

Introduction

• Survey of Heads of Internal Audit on CIIA website (May 2010) highlights a broad range of qualifications and practical experience amongst internal auditors.

• Despite this, nearly 60% of all internal audit departments bring in additional resources to complete their internal audit plans. The key areas where additional skills are required were:

• Information Technology: 36%
• Taxation: 19%
• Finance: 15%
• Health and Safety: 11%
• Major Projects: 11%
• Business Continuity: 7%
• Telecoms: 5%
• Governance: 4%
• Third Party Activities: 2%

• Sources of additional resources:

• Purchased from specialist service providers: 30%
• Co-sourcing with third party: 30%
• Independent experts from within the business: 15%
• Secondment from a third party: 6%
• From other source: 6%

Page 79: Seminar Developing a robust internal audit plan 30 April 2014.

Employee Skills Evaluation

• How you do this is dependent on a number of factors...

• Size and scope of the Internal Audit team.

• Maturity of the control functions.

• Organisation size / Complexity and Geography.

• Stakeholder Expectations: Audit Committee / Board Members / Senior Management (to name but a few).

• At what stage should you evaluate the skills of internal audit?

• During recruitment.

• During employee lifetime.

• When people leave….(depending on team size).

• On-going during performance assessments / training and development / feedback from the business.

Page 80: Seminar Developing a robust internal audit plan 30 April 2014.

Matching Audit Plan requirements with current skills available

• Chicken and egg time… how do you develop a comprehensive audit plan if you don’t have the technical or cultural knowledge of a business to identify and understand its key risk areas?

• Whoever develops the audit plan needs sufficient skills to perform a robust risk assessment and build a comprehensive internal audit plan. This will involve utilising many people outside of the Internal Audit function.

• Assess the Audit team’s skills against an internal audit plan developed without any reference to what current technical skills it has – you should never be tempted to ignore or downplay the risk in areas of the business you don’t fully understand.

• Develop basic scope documents for all audits identified on the audit plan / universe to enable a skills assessment to be undertaken.

• So…you have your audit plan…how do you match it to the current skills available?

• Skills Matrix: I include cultural / personality based skills as well as technical skills.

Page 81: Seminar Developing a robust internal audit plan 30 April 2014.

Employee Skills Evaluation : Example Skills Matrix

Internal Audit Function's Skills Matrix - 2012/2013

Name | Job Title | Years Experience | Skill scores
Joe Bloggs | Head of Audit | 4 | 2 0 0
Sheila Bloggs | Senior Internal Auditor | 7 | 3 1 3
Matt Blogs | Graduate Placement | 1 | 0 0 2
Everyone Blogs | Trainee Auditor | 0.5 | 1 0 1
Joanne Blogs | Secondment from Business Systems | 15 | 0 3 0

Overall Score: 6 3 6

Skills Gap:

Type of Gap:

n/a | KPS | n/a

Scoring Key:
0 = No experience or understanding
1 = Limited experience (or no recent experience)
2 = Good experience (knowledge and recent experience)
3 = Subject Matter Expert (skills equal or better than those within the business)

Skill column headings:
• Emotional Control
• Starter / Finisher
• Actuarial Knowledge
• Audit Plan Development
• Risk Assessments
• Team Management
• IT Security Audits
• Insurance Captive Expertise
• Financial Accounting Expertise

Page 82: Seminar Developing a robust internal audit plan 30 April 2014.

• Belbin Team Roles - Identify behavioural strengths and weaknesses in the workplace.

• Strengthscope - Helps individuals and teams to understand their standout strengths.

Employee Skills Evaluation

Page 83: Seminar Developing a robust internal audit plan 30 April 2014.

Identifying skills deficiencies and plugging the gaps

• Review the results of your skills analysis to highlight any gaps.

• Perform an assessment of the gaps and identify any actions you wish to take.

• May choose not to action some of the gaps – accept the risk or provide partial assurance etc.

• Look at your own organisation first:

• Skill up your existing team?
• Recruit to fill any gaps?
• Use Secondments from the business?
• Graduates?
• Use of networks?
• Internal Specialists: language skills / cultural knowledge in specific geographical locations?

• Use of technology to fill gaps – especially in areas such as IT.

Page 84: Seminar Developing a robust internal audit plan 30 April 2014.

Identifying skills deficiencies and plugging the gaps

• What do your key stakeholders expect? Do they want the ‘badge’ of an outsourced provider to deliver assurance on a function / product that is new or evolving?

• Have to be sure a co-sourcer / outsourcer can do a better job than your internal resources – you can’t outsource this risk!

• Understanding a business’s culture has a lot to do with success.

• I have seen perfectly good audits from a co-sourcer rejected merely because of the way it is conducted or results presented (if they lack buy-in or lose credibility – regardless of validity of findings it will not be accepted by the business).

• Effectiveness reviews – Use these periodically to validate your approach to planning and the resources used to complete the plan.

• Feedback from the business – to assess whether you have demonstrated the right level of skill and understanding and come to appropriate conclusions.

• Benchmark data.

Page 85: Seminar Developing a robust internal audit plan 30 April 2014.

Summary

• Apply a common sense approach.

• The skills of internal audit must be tailored to the needs of the organisation.

• Use of skills matrix of some form.

• Utilise the skills within your own organisation – both in planning and skilling the internal audit function.

• Continuously evaluate the skills of internal audit.

• Think about ‘cultural’ skills as well as ‘technical’ skills.

• Can a co-sourcer / outsourcer do a better job than internal resources?

• Feedback, feedback, feedback!!!

Page 86: Seminar Developing a robust internal audit plan 30 April 2014.

For investment professional use only – Not for public distribution

Developing a robust internal audit plan
A current good practice example

April 2014

Scott Strachan, Global Head of Internal Audit
Aberdeen Asset Management

Page 87: Seminar Developing a robust internal audit plan 30 April 2014.

Goal

• To share how we conduct our planning process

• To share insights on:

– What we have developed

– Why we developed it so

– What we see as the key benefits and challenges

Introduction

Page 88: Seminar Developing a robust internal audit plan 30 April 2014.

Follow the KISS theory!

K – Keep

I – It

S – Simple

S – Stupid!

Best piece of advice!

Page 89: Seminar Developing a robust internal audit plan 30 April 2014.

And …

• Whilst there are pressures to make it complex – regulation, stakeholder demand etc.

• Dynamic and clear is always best!

Page 90: Seminar Developing a robust internal audit plan 30 April 2014.

• A singular functional and location view that fed a static audit plan

Planning – the ‘old’ method

[Diagram labels: Audit universe; Audit risk assessment; 5 year (1 + 4) cyclical audit plan; Departments; Locations]

Page 91: Seminar Developing a robust internal audit plan 30 April 2014.

• A process that incorporates input from multiple, ‘sophisticated’ information sources (leverage of the explosion of data required in FS!)

• Conducted continuously but formally once a quarter (co-ordinated with Audit Committee)

• Results in quarter’s plan (the 3) and a proposed plan coverage for the following three quarters (the +9)

Planning – the ‘new’ method

[Diagram labels: Audit universe; 3 + 9 audit plan; Audit risk assessment; Risk mapping to multiple sources; Intervention type; Total Assurance sources; Sword; Operational processes; Departments; Multiple risk sources]

Page 92: Seminar Developing a robust internal audit plan 30 April 2014.

Migration of assurance approach

[Diagram labels, under the headings Old and New: Project, Continuous, Traditional; Traditional, Continuous, Project]

Page 93: Seminar Developing a robust internal audit plan 30 April 2014.

• Risk ranking taking a holistic approach that includes culture, customer outcome, and fraud

• Residual scoring considers our view of the control structure and how much assurance is being provided by other groups (internal and external groups)

• MI used to show % inherent risk plan coverage and % residual risk coverage

The risk assessment

Coverage | Status and change from January | Description
Audit universe | 353 (-5%) | Revisions to the IT universe to simplify the structure and align it with standard industry practice
High residual risk/universe | 9% (-) |
High residual risk audit coverage | 81% (+7%) | Audit coverage activity levels have remained the same along with the consolidation of IT line items on the universe plus some risk rating decreases have led to a greater coverage of high rated areas
High inherent risk/universe | 15% (-1%) |
High inherent risk audit coverage | 85% (+9%) | Same dynamics as with the residual calculation

Page 94: Seminar Developing a robust internal audit plan 30 April 2014.

• Restrictions of the old method:

– It was administratively difficult to adjust to the constantly changing risk landscape

– Did little to keep the team engaged and focused on risk

– Cyclical planning resulted in low risk areas being covered at the expense of high risk ones – the emphasis was on that falsehood – total assurance!

– Actual work often bore no resemblance to what was previously planned and audit trail difficult to present

• Benefits of the new method:

– Allows greater flexibility in addressing developing and changing risks. Easy to implement and reflect change

– Keeps the team focused on continuously considering and assessing risk

– Allows directors and executive management to focus attention to the immediate body of work resulting in more robust oversight and challenge

– Allows for more real-time reaction to changing team needs (eg inter-regional secondments)

Old to new!

Page 95: Seminar Developing a robust internal audit plan 30 April 2014.

• Management concern over losing coverage

– Education and MI on the right risk coverage

– Closer interaction with management in forming the plan (COP) = easier to show them their requests have been incorporated

• ‘Perceived’ larger time commitment from the team

– Only on initial set up

– In aggregate the quarterly process leverages the repeated exposure to the process

• Change in the team’s thought process to a more risk based approach

– Suite of training, presentations, flowcharts and the use of an automated tool (TeamMate – not essential – disciplines easily replicated!) to guide and ensure appropriate thematic risk thinking

• Consistency in execution

– MI and a fundamentally more manageable plan size facilitates improved QA and top down management oversight and challenge

Challenges … and solutions!

Page 96: Seminar Developing a robust internal audit plan 30 April 2014.

• Gained synergies with team management processes to facilitate:

– Empowerment

– Development

– Progression

– Subject matter specialism

• Regulator/external review

– Demonstrate dynamic, risk based, regulatory themed, strategic objective linked planning

• Stakeholder buy in

– Continuous engagement with business

– Built in education piece

– Management are living within the changing risk environment and therefore appreciate/expect internal audit to be tuned in too!

Additional benefits … good practice?

Page 97: Seminar Developing a robust internal audit plan 30 April 2014.

IIA guidance and EQA experiences

Martin Robinson

Training Development Adviser, IIA

30 April 2014

Page 98: Seminar Developing a robust internal audit plan 30 April 2014.

My topic areas

• Overview of outcomes of recent EQA reviews carried out by the IIA and some laudable examples

• The IIA view of effective internal planning.

Page 99: Seminar Developing a robust internal audit plan 30 April 2014.

Outcomes from recent IIA EQA reviews – key issues

• Requirement for a clear link between the risks of an organisation and the internal audit plan

• Ensure that most important areas are included

• Consider impact and value

• Ensure that careful consideration is given to all change initiatives when building a plan, including projects, M&A and organisational restructure etc.

Cont’d…

Page 100: Seminar Developing a robust internal audit plan 30 April 2014.

• Review risk management processes and procedures either holistically or as part of each audit

• Consultancy work is good but need criteria for performing. Ensure adequate output and reporting. Consider value of each assignment

• Critical importance of talking regularly with your audit committee and executive/senior management on the focus of your plan and content

• Make sure your plan is fluid and dynamic and not ‘set in stone’.

Key issues – cont’d

Page 101: Seminar Developing a robust internal audit plan 30 April 2014.

The IIA view of effective internal audit planning

• Focus attention upon the risk management process; its design, application and reporting mechanisms.

• Build the audit plan around high priority risks, key areas of change and the assurance needs of stakeholders.

• Where possible, work with and rely upon other assurance providers.

Page 102: Seminar Developing a robust internal audit plan 30 April 2014.

The IIA view of effective internal audit planning

• Work with external providers of assurance in a co-sourced arrangement to fill skills and knowledge gaps.

• Consider the importance of routine processes and activities (audit universe) but keep this in tune with key business risks and developments.

• Make key choices, including what is not being done, transparent to key stakeholders to engage stakeholders in questions of risk appetite and the need for assurance.

Page 103: Seminar Developing a robust internal audit plan 30 April 2014.

Workshop discussion

Subjects for wider discussion

• What challenges do we face in developing risk based audit plans?

• What process do we use to ensure that there has been good engagement with all key auditees and/or stakeholders?

• How do we address skill and competency shortfalls?

Page 104: Seminar Developing a robust internal audit plan 30 April 2014.

Workshop discussion

• Do we have a robust prioritisation process?

• How do we “factor in” non audit work into our plans?

• How do we monitor the delivery of our audit plans?

Page 105: Seminar Developing a robust internal audit plan 30 April 2014.

Any questions?