Session 7: Internal Audit Planning

Presented by:
• Cathy Blunt, Griffith University
• Carol Brown, Deakin University
• Peter McGrath, University of Melbourne

Internal Audit Unit

Approaches to Audit Planning

Cathy BluntManager Internal Audit

Griffith University

ANZUIAG 2010

Assurance & Operational Audit Planning

Step 1 – Update audit universe (organisation chart & processes)

Step 2 – Risk assess business units and processes
» Questionnaire based on risk & control factors
» Risk factors – materiality, organisational structure, complexity, IT systems, products/services, change, volume, performance gap, compliance, risk assessment results.
» Control factors – environment, risk assessment results, control activities, monitoring, ITC.
» Heat Maps – risk factor by control effectiveness

Heat Map Example – Assurance & Operational Audits

[Chart: risk factor rating (High/Low) plotted against control effectiveness (High/Low). Areas plotted: Disaster Recovery, Business Continuity, Eskitis Institute, Qld College of Art, Tendering Asset Mgt, Capital Works Projects Mgt, Workplace Health & Safety, Payables, Receivable, Corporate Credit Card, Losses, Insurance, School of Medicine, Australian Rivers Institute, Parking, Petty Cash, Travel Mgt.]

Assurance & Operational Audit Planning

Step 3 – Compare highest risk activities to current strategic plan and immediate past plans

Step 4 – Develop first draft of strategic & annual audit plans & budget

Step 5 – Consult with senior management

Step 6 – Audit Committee endorsement & budget discussion

Step 7 – Vice Chancellor approval

Step 8 – Distribute approved plan to management


IT Audit Planning

Step 1 – Update audit universe (projects, applications, centres & processes)

Step 2 – Risk assess projects, applications & processes
» ISACA Procedure P1 – IS Risk Assessment Measurement
» Meetings with INS to discuss & risk rate activities, etc
» Update risk assessment spreadsheet with risk ratings and weighted risk factors
» Charts for each project, application, centre & process

Projects – 15 Factors
» Project Budget
» Transaction Volume
» Project Duration
» Character of Activity
» Resource Effort
» Executive Mgt Interest
» Fallback Arrangements
» Level of Change
» Complexity
» Project Mgt & Build
» Project Governance
» Impact on Financial Reporting
» Impact on Revenue
» Impact on Customers
» Ongoing Support Arrangements

Applications – 9 Factors
» Effect of System Failure
» Replacement Cost
» Scope of System
» Age of Application
» Type of Build/Maintenance
» Prior Audit Findings
» Changes in Environment/Staff
» Size of Application
» System Interfaces

Processes – 7 Factors
» Effect of Process Failure
» Process Impact/Scope
» Process Performance
» Process Documentation & Training
» Prior Audit Findings
» Age of Process
» Process Risk

Data Centres – 8 Factors
» Number of Data Centre Staff
» Effect of Prolonged Outage
» Number of Applications
» Number of Users
» Prior Audit Findings
» Sophistication of Processing
» Changes in equipment, platform & staff
» Number of platforms

IT Audit Planning – Example Charts

[Charts: Risk Ranked IT Projects; Risk Ranked IT Processes]

Deakin University – Internal Audit Planning Process Overview

Audit Universe

Audit and Risk Planning Meeting

Discuss the following:

• What Internal Audit has done up to this point.

• New audits/Merged audits/Removed audits to the Audit Universe.

• High Residual Risk audits not planned to be covered in forthcoming year.

• Proposed draft Plan for forthcoming year.

• Assurance map (High Residual Risks based on Risk Registers).

• ARC members concerns or areas they would like some focus.

Example of Audits Added/New

Master Ref Code: 200
Residual Risk: High
Area / Audit Title: IT Projects' Implementation Status "Health Checks"
Audit Objective: To review the status of selected IT projects to ascertain whether the project development and implementation objectives are being achieved and whether project risks are being addressed.
Comment: The objective of this review is to assess whether significant IT projects being implemented are meeting their development objectives and timelines during the implementation process and whether the significant risks of the project are being addressed throughout the implementation. 2011 will focus on the Learning Management System, with possible other systems being CRM, DFMS Upgrade, Business Intelligence and Deakin at Your Doorstep, subject to progress on the project.

Draft IA Plan for Forthcoming Year

Draft 2011 Annual Internal Audit Plan
Internal Audit assessment of residual risk rating: High Residual risk / Medium Residual risk

Columns: Master Ref Code | Area / Audit Title / Objective / Scope | Strategic Goal / Risk Ref | Last Reviewed (1) | Resource (2) | Budget Days / Quarter (Qtr 1, Qtr 2, Qtr 3, Qtr 4) | Residual Risk | Comment

Example row, CHIEF FINANCIAL OFFICER – FBSD Financial and Business Services Division:
181 | Credit Card Transactions 9 – To review credit card transactions by cardholders related to selected areas of the University. | FBS-1, FBS-28 | 2010 | I | 15 (7.5, 7.5) | 2 areas per year are covered. This is a 100% transaction review for all cardholders within the nominated areas for a period of up to six months.

Assurance Map

This “Map” details the various assurance activities across the University for risks which have been rated high residual risk and above. Very High High High Level of Assurance Medium Level of Assurance Low Level of Assurance

Area Assurance and Review Activities Risk Code

Risk Title Inherent Risk

Rating

Residual Risk

Rating

Audit Master Reference

Code

Man

agem

ent

Mon

itorin

g

Com

mitt

ee

Ove

rsig

ht

Exte

rnal

A

udit

Inte

rnal

Aud

it

Faculty of Arts and Education A&E-1 The failure to maintain and improve the Faculty's research may

impact on reputation both nationally and internationally which could lead to a detrimental effect on achieving the Faculty Top Third research aspirations.

High High RSD-101, UNI-196, RSD-203

Master Audit Plan Submitted to ARC for Approval

• Master Audit Plan is submitted at the November ARC meeting for approval.

• Includes:
– Overview of planning methodology
– Overview of resources
– Draft Plan for forthcoming year
– Audit Universe
– Assurance Map

ANZUIAG 2010
Host: University of the Sunshine Coast, Queensland

(Session 7) Internal Audit Planning (Balancing a risk based approach with core requirements and External Audit hopes.)

Peter McGrath, Director Internal Audit

Audit Planning

Core Requirements

1. Professional Obligations

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." (1)

2. Stakeholder Expectations

Audit and Risk Committee, Senior Executive, Operational Managers, VAGO, IA Team.

(1) Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors Research Foundation, Florida USA, January 2009

Understand key customer expectations, issues & concerns

- How? consult broadly - talk to them

Develop a good knowledge of:

- Key business objectives

- Risk Management framework and risk profiles

- Key risk mitigation strategies

- What’s going on

Align audit strategy to customer expectations and risk profiles


Gathering business intelligence – what’s going on?

- Discussions

- Committee papers

- Plans and budgets

- Risk profiles and mitigation strategies

- Management initiated reviews

- Correspondence

- AG’s management letter

- Media reports

- Rumours etc.

Main Areas of Audit Interest – 2011 Plan

[Risk matrix: Risk consequence (Severe, Major, Moderate, Minor, Insignificant) against Control (Excellent, Adequate, Fair, Poor); Risk Level bands Low, Moderate, Significant, High. Ratings plotted as (1) Inherent and (2) Residual, sourced from (1) Risk registers and (2) Management assessment.]

No. | Auditable Area | Primary Risk

1. Capital Projects – Failure of project governance and management processes to deliver projects on time and on budget.
2. Training – Failure to provide an appropriate training framework and programs, increasing the risk of inappropriate staff behaviour, breach of compliance obligations, and exposure to litigation.
3. Research Management – Failure of processes to effectively and efficiently coordinate the University’s research activity to meet strategic and compliance objectives.
4. Business Continuity – Failure of Emergency Response, Crisis Management and Business Continuity strategies to appropriately respond to a major event.
5. Budget Division Governance – Failure of management, processes and systems to meet corporate objectives and compliance obligations within the RDM environment.
6. Records Management – Failure to maintain corporate records to meet compliance and reporting obligations, and corporate memory.
7. Themis Renewal – Failure of the various related projects to deliver the promised business benefits.
8. ISIS (Student System) – Failure of ISIS to deliver the promised business benefits.
9. IT Security & DRP – Failure of IT systems.
10. Procurement and Cost Containment – Failure of procurement activity to be effectively and efficiently implemented, increasing the risk of wastage, fraud and non-achievement of cost containment targets.
11. P&CS Scheduling – Failure of systems to provide appropriate coordination of maintenance, minor works and construction activity and to meet contractual reporting obligations.
12. Marketing & Communications – Failure of marketing and communications strategies to achieve key objectives.
13. Financial Assurance – Failure of financial systems to process transactions and enable accurate reporting.
14. Compliance – Failure to meet key compliance obligations resulting in legal sanctions and reputational damage.
15. Risk Management – Failure of RM processes.


Audit Resource Management System (ARMS)

- Audit universe prioritised based on five risk factors using a 1–5 score:
  - Inherent risk
  - Residual risk
  - Materiality
  - Prior audit results (assurance)
  - Audit judgement (gut feel informed by business intelligence)
- 15% annual weighting
- Time budget and recording
- Report tracking
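The Griffith "risk assessment spreadsheet with risk ratings and weighted risk factors" (IT Audit Planning, Step 2) and the ARMS five-factor prioritisation on this slide are the same calculation: score each auditable area on a 1–5 scale per factor, weight the factors, rank, and place the result on a risk-by-control heat map. The script below is an added worked example of that calculation; it is not code from the presentation or from any of the universities' tools. The factor names follow the ARMS list; the percentage weights, the 1–5 control-effectiveness scale, the heat-map thresholds and the sample areas are all assumptions chosen for illustration.

```python
"""Risk-ranking an audit universe with weighted factor scores.

Added worked example, not code from the ANZUIAG 2010 slides or from any
university audit system. Factor names follow the ARMS list on the slide;
the percentage weights, the control-effectiveness scale, the heat-map
thresholds and the sample areas are assumptions for illustration.
"""
from dataclasses import dataclass

FACTORS = ("inherent_risk", "residual_risk", "materiality",
           "prior_audit_results", "audit_judgement")

# Assumed weights in percent, summing to 100. The slides do not publish the
# weights actually used; integer percentages keep the arithmetic exact.
WEIGHTS = {"inherent_risk": 25, "residual_risk": 25, "materiality": 20,
           "prior_audit_results": 15, "audit_judgement": 15}


@dataclass
class AuditableArea:
    name: str
    scores: dict                # factor name -> score 1..5
    control_effectiveness: int  # 1..5, 5 = strongest controls (assumed scale)


def validate_scores(scores, weights=WEIGHTS):
    """Reject a bad weight table, missing factors, or scores off the 1..5 scale."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must sum to 100 percent")
    for factor in FACTORS:
        value = scores.get(factor)
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{factor}: expected integer 1..5, got {value!r}")


def weighted_score(scores, weights=WEIGHTS):
    """Weighted average of the five factor scores, still on the 1..5 scale."""
    validate_scores(scores, weights)
    return sum(weights[f] * scores[f] for f in FACTORS) / 100


def heat_map_cell(risk_score, control_effectiveness,
                  risk_threshold=3.0, control_threshold=3):
    """Quadrant of a risk-by-control-effectiveness heat map (thresholds assumed)."""
    risk = "High" if risk_score >= risk_threshold else "Low"
    control = "High" if control_effectiveness >= control_threshold else "Low"
    return (risk, control)


def rank_universe(areas, weights=WEIGHTS):
    """Return (name, score, (risk, control)) tuples, highest risk first.

    Ties go to the area with weaker controls, then alphabetical order, so the
    ordering that feeds the draft plan is deterministic.
    """
    ranked = []
    for area in areas:
        score = weighted_score(area.scores, weights)
        ranked.append((area.name, score,
                       heat_map_cell(score, area.control_effectiveness)))
    ranked.sort(key=lambda r: (-r[1], r[2][1] == "High", r[0]))
    return ranked


def coverage_gap(ranked, planned_audits):
    """High-risk areas left out of the forthcoming plan.

    This is the list the Deakin slide takes to the Audit and Risk Committee
    as 'high residual risk audits not planned to be covered'.
    """
    return [name for name, _score, (risk, _control) in ranked
            if risk == "High" and name not in planned_audits]


def _area(name, control_effectiveness, *scores):
    """Build an area from scores given in FACTORS order."""
    return AuditableArea(name, dict(zip(FACTORS, scores)), control_effectiveness)


# Constructed sample universe: names echo the slides, every score is invented.
SAMPLE_UNIVERSE = [
    _area("IT Security & DRP", 2, 5, 4, 4, 3, 5),
    _area("Corporate Credit Card", 4, 4, 3, 3, 4, 3),
    _area("Petty Cash", 4, 2, 2, 1, 2, 1),
    _area("Student System (ISIS)", 3, 5, 4, 5, 2, 4),
    _area("Parking", 2, 2, 3, 2, 3, 2),
]

if __name__ == "__main__":
    ranked = rank_universe(SAMPLE_UNIVERSE)
    for name, score, (risk, control) in ranked:
        print(f"{score:4.2f}  risk={risk:<4} control={control:<4}  {name}")
    planned = {"IT Security & DRP", "Corporate Credit Card"}
    print("High risk, not in plan:", coverage_gap(ranked, planned))
```

Run as a script it prints the ranked universe with each area's heat-map quadrant, then the high-risk areas missing from the assumed draft plan. The validation step matters in practice: a spreadsheet cell left blank or typed as "High" instead of a number silently drops out of a SUMPRODUCT, which is exactly the kind of error that puts a high-risk application at the bottom of the chart.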


Audit Assurance

With a devolved organisational structure “assurance” is important.

Divisional Audit

Risk based

Performed at the Budget Division level

Analytical review of finance, HR and other systems data (Profiling)

Review processes and controls for efficiency and effectiveness

Business objectives being met?

Where all the cultural issues play out

- Consultative approach

Financial and Administrative Systems

Risk based
Confirm effectiveness and efficiency of key controls and processes: Finance, Purchasing Card, HR/Payroll, Students, Advance.

Information Technology (IT) Audit

Risk based
- Database security controls reviews
- IT general controls reviews
- Pre- and post-implementation systems reviews
- Computer security reviews

Performance and System Reviews

Risk based
Focus on efficiency and effectiveness of what and how activities are performed.
Confirm the overall focus of the operations is in line with the University's strategic and operational plans.

Other Audits

On request from management perform performance /management audits, special investigations or act in a consulting role.

Audit Consulting – (Knowledge Transfer / Engagement)

Greater opportunity to be proactive!

Where we need to move if we want to address cultural issues.

New audit paradigm

- meet stakeholder expectations

- meet professional standards


Audit Consulting – (Knowledge Transfer / Engagement) cont

Challenges
- How to better engage / partner with stakeholders / managers?
- Manage people and their egos
- Maintain the fine balance between being a colleague/consultant and policeman
- Remaining independent and objective
- Not assuming management responsibility but educating, cajoling and whatever else it may take to get managers and all staff to take responsibility to improve the effectiveness of risk management, control and governance processes.


Audit Consulting – (Knowledge Transfer / Engagement) cont

Mindset Shift

Leader & facilitator

Coach

Extrovert

Creative / innovative and energetic

Overriding caveat – independence


Audit Consulting – (Knowledge Transfer / Engagement) cont

Establish relationships

Get their attention: appeal to their personal reputational risk

Face to face discussions

What are their issues?

How can audit add value for them?

Training / information deficits?

What do they need to do to achieve their goals and those of their department?


Consulting – Knowledge Transfer / Engagement (Cont)

Planned Outcomes

Managers and staff better placed to perform their roles and meet their responsibilities

Proactively work with managers to address local issues

Take learning and apply it University-wide

Communicate assurance to key stakeholders


Summary - Operational Emphasis

Alignment of audit plan with stakeholder expectations and the University’s strategic and operational risk profiles

Identify and incorporate key risks and the value add proposition into each audit plan

Establishing a resourcing model which incorporates staffing flexibility: co-sourcing, agency staff, specialist expertise

Increased use of data extraction and manipulation for analysis to establish business profiles and areas of interest

Stakeholder engagement with emphasis on face to face interaction

Consulting, coaching and supporting

Stakeholder satisfaction

Questions?

© Copyright The University of Melbourne 2009