
Session 7: Internal Audit Planning

Presented by: Cathy Blunt (Griffith University), Carol Brown (Deakin University), Peter McGrath (University of Melbourne)

Approaches to Audit Planning

Cathy Blunt, Manager Internal Audit, Griffith University
ANZUIAG 2010

Internal Audit Unit

Assurance & Operational Audit Planning


Step 1: Update audit universe (organisation chart & processes)
Step 2: Risk assess business units and processes
- Questionnaire based on risk & control factors
- Risk factors: materiality, organisational structure, complexity, IT systems, products/services, change, volume, performance gap, compliance, risk assessment results
- Control factors: environment, risk assessment results, control activities, monitoring, ITC
- Heat maps: risk factor by control effectiveness


Heat Map Example: Assurance & Operational Audits

[Heat map: vertical axis Impact of Risk (Low to High), horizontal axis Control Effectiveness (Low to High). Activities plotted: Disaster Recovery, Business Continuity, Eskitis Institute, Qld College of Art, Tendering, Asset Mgt, Capital Works, Projects Mgt, Workplace Health & Safety, Payables, Receivable, Corporate Credit Card, Losses, Insurance, School of Medicine, Australian Rivers Institute, Parking, Petty Cash, Travel Mgt. Plotted positions are not preserved in the extracted text.]

Assurance & Operational Audit Planning


Step 3: Compare highest risk activities to current strategic plan and immediate past plans
Step 4: Develop first draft of strategic & annual audit plans & budget
Step 5: Consult with senior management
Step 6: Audit Committee endorsement & budget discussion
Step 7: Vice Chancellor approval
Step 8: Distribute approved plan to management

IT Audit Planning
Step 1: Update audit universe (projects, applications, centres & processes)
Step 2: Risk assess projects, applications & processes
- ISACA Procedure P1: IS Risk Assessment Measurement
- Meetings with INS to discuss & risk rate activities, etc.
- Update risk assessment spreadsheet with risk ratings and weighted risk factors
- Charts for each of projects, applications, centres & processes

IT Audit Planning
Projects: 15 factors
- Project Budget
- Transaction Volume
- Project Duration
- Character of Activity
- Resource Effort
- Executive Mgt Interest
- Fallback Arrangements
- Level of Change
- Complexity
- Project Mgt & Build
- Project Governance
- Impact on Financial Reporting
- Impact on Revenue
- Impact on Customers
- Ongoing Support Arrangements

Applications: 9 factors
- Effect of System Failure
- Replacement Cost
- Scope of System
- Age of Application
- Type of Build/Maintenance
- Prior Audit Findings
- Changes in Environment/Staff
- Size of Application
- System Interfaces

IT Audit Planning
Processes: 7 factors
- Effect of Process Failure
- Process Impact/Scope
- Process Performance
- Process Documentation & Training
- Prior Audit Findings
- Age of Process
- Process Risk

Data Centres: 8 factors
- Number of Data Centre Staff
- Effect of Prolonged Outage
- Number of Applications
- Number of Users
- Prior Audit Findings
- Sophistication of Processing
- Changes in Equipment, Platform & Staff
- Number of Platforms

IT Audit Planning: Example Charts

[Bar chart: Risk Ranked IT Processes (risk score axis 0 to 140)]

[Bar chart: Risk Ranked IT Projects (risk score axis 64 to 84)]

Deakin University Internal Audit Planning Process


Overview

Audit Universe

Audit and Risk Planning Meeting


Discuss the following:
- What Internal Audit has done up to this point
- New audits / merged audits / removed audits in the Audit Universe
- High residual risk audits not planned to be covered in the forthcoming year
- Proposed draft plan for the forthcoming year
- Assurance map (high residual risks based on risk registers)
- ARC members' concerns, or areas they would like some focus on

Example of Audits Added/New


Master Ref Code: 200
Residual Risk: High
Area / Audit Title: IT Projects' Implementation Status "Health Checks"
Audit Objective: To review the status of selected IT projects to ascertain whether the project development and implementation objectives are being achieved and whether project risks are being addressed.
Comment: The objective of this review is to assess whether significant IT projects being implemented are meeting their development objectives and timelines during the implementation process, and whether the significant risks of the project are being addressed throughout the implementation. 2011 will focus on the Learning Management System, with possible other systems being CRM, DFMS Upgrade, Business Intelligence and Deakin at Your Doorstep, subject to progress on the project.

Draft IA Plan for Forthcoming Year


Draft 2011 Annual Internal Audit Plan (Internal Audit assessment of residual risk rating: High residual risk / Medium residual risk)

Columns: Master Ref Code | Area / Audit Title / Objective / Scope | Strategic Goal / Risk Ref | Last Reviewed | Resource Budget Days | Residual Risk | Quarter (Qtr 1, Qtr 2, Qtr 3, Qtr 4) | Comment

Example row (Chief Financial Officer: FBSD Financial and Business Services Division):
- Master Ref Code: 181
- Audit: Credit Card Transactions. To review credit card transactions by cardholders related to selected areas of the University.
- Strategic Goal / Risk Ref: 9, FBS-1, FBS-28
- Last Reviewed: 2010
- Resource Budget Days: 15, scheduled as two blocks of 7.5 days in two quarters
- Comment: 2 areas per year are covered. This is a 100% transaction review for all cardholders within the nominated areas for a period of up to six months.

Assurance Map
This map details the various assurance activities across the University for risks which have been rated high residual risk and above.

Legend: Risk rating Very High / High; Assurance and Review Activities rated High Level of Assurance / Medium Level of Assurance / Low Level of Assurance.

Columns: Area | Risk Code | Risk Title | Inherent Risk Rating | Residual Risk Rating | Audit Master Reference Code | Assurance and Review Activities (Internal Audit, External Audit, Management Monitoring, Committee Oversight)

Example row:
- Area: Faculty of Arts and Education
- Risk Code: A&E-1
- Risk Title: The failure to maintain and improve the Faculty's research may impact on reputation both nationally and internationally, which could lead to a detrimental effect on achieving the Faculty Top Third research aspirations.
- Inherent Risk Rating: High
- Residual Risk Rating: High
- Audit Master Reference Code: RSD-101, UNI196, RSD-203

Master Audit Plan Submitted to ARC for Approval


Master Audit Plan is submitted at the November ARC meeting for approval. Includes:
- Overview of planning methodology
- Overview on resources
- Draft plan for forthcoming year
- Audit Universe
- Assurance Map

ANZUIAG 2010

Host: University of the Sunshine Coast Queensland

(Session 7) Internal Audit Planning

(Balancing a risk-based approach with core requirements and External Audit hopes.)

Peter McGrath, Director Internal Audit

Audit Planning

Core Requirements

1. Professional Obligations

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." (1)

2. Stakeholder Expectations: Audit and Risk Committee, Senior Executive, Operational Managers, VAGO, IA Team.

(1) Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors Research Foundation, Florida USA, January 2009

Audit Planning

Understand key customer expectations, issues & concerns. How? Consult broadly: talk to them.
Develop a good knowledge of:
- Key business objectives
- Risk Management framework and risk profiles
- Key risk mitigation strategies
- What's going on
Align audit strategy to customer expectations and risk profiles.

Audit Planning

Gathering business intelligence: what's going on?
- Discussions
- Committee papers
- Plans and budgets
- Risk profiles and mitigation strategies
- Management initiated reviews
- Correspondence
- AG's management letter
- Media reports
- Rumours etc.

Main Areas of Audit Interest: 2011 Plan

Auditable areas and their primary risk:
1. Capital Projects: Failure of project governance and management processes to deliver projects on time and on budget.
2. Training: Failure to provide an appropriate training framework and programs, increasing the risk of inappropriate staff behaviour, breach of compliance obligations, and exposure to litigation.
3. Research Management: Failure of processes to effectively and efficiently coordinate the University's research activity to meet strategic and compliance objectives.
4. Business Continuity: Failure of Emergency Response, Crisis Management and Business Continuity strategies to appropriately respond to a major event.
5. Budget Division Governance: Failure of management, processes and systems to meet corporate objectives and compliance obligations within the RDM environment.
6. Records Management: Failure to maintain corporate records to meet compliance and reporting obligations, and corporate memory.
7. Themis Renewal: Failure of the various related projects to deliver the promised business benefits.
8. ISIS (Student System): Failure of ISIS to deliver the promised business benefits.
9. IT Security & DRP: Failure of IT systems.
10. Procurement and Cost Containment: Failure of procurement activity to be effectively and efficiently implemented, increasing the risk of wastage, fraud and non-achievement of cost containment targets.
11. P&CS Scheduling: Failure of systems to provide appropriate coordination of maintenance, minor works and construction activity and for meeting contractual reporting obligations.
12. Marketing & Communications: Failure of marketing and communications strategies to achieve key objectives.
13. Financial Assurance: Failure of financial systems to process transactions and enable accurate reporting. Failure to meet key compliance obligations.

[Risk matrix: vertical axis Risk (Severe, Major, Moderate, Minor, Insignificant); horizontal axis Control (Excellent, Adequate, Fair, Poor); cells shaded by Risk Level (Low, Moderate, Significant, High). Each numbered area is plotted twice, at its (1) Inherent Risk and (2) Residual Risk positions. Sources: (1) risk registers, (2) management assessment.]

Audit Planning

Audit Resource Management System (ARMS)
- Audit universe prioritised based on five risk factors using a 1-5 score:
  - Inherent risk
  - Residual risk
  - Materiality
  - Prior audit results (assurance)
  - Audit judgement (gut feel informed by business intelligence)
- 15% annual weighting
- Time budget and recording
- Report tracking
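The two scoring ideas on these slides, the Griffith heat map of risk impact against control effectiveness (Step 2 of the assurance and operational planning) and the Melbourne ARMS ranking of the audit universe on five factors rated 1 to 5, can be shown as one small program. The following is an added example, not code from the presentation or from either university's tooling. The factor weights, the area names, the ratings and the 1 to 5 control-effectiveness scale are constructed assumptions; the slides give factors but not weights, and the ARMS "15% annual weighting" is not defined on the slide, so it is left out.

```python
"""Risk-scored audit universe with heat-map quadrants (added example).

Scores each auditable area on the five ARMS factors (rated 1-5), ranks the
universe, and places each area in a heat-map quadrant of risk impact against
control effectiveness. All names, weights and ratings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five factors named on the ARMS slide. The percentage weights are an
# assumption for this example; the slide gives no weights.
FACTOR_WEIGHTS: Dict[str, int] = {
    "inherent_risk": 25,
    "residual_risk": 30,
    "materiality": 20,
    "prior_audit_results": 15,
    "audit_judgement": 10,
}
assert sum(FACTOR_WEIGHTS.values()) == 100


@dataclass(frozen=True)
class AuditableArea:
    name: str
    ratings: Dict[str, int]      # factor name -> score on the 1-5 scale
    control_effectiveness: int   # 1 (low) .. 5 (high); assumed scale


def ratings_are_valid(ratings: Dict[str, int]) -> bool:
    """Every factor present, nothing extra, each rated 1-5."""
    if set(ratings) != set(FACTOR_WEIGHTS):
        return False
    return all(isinstance(v, int) and 1 <= v <= 5 for v in ratings.values())


def weighted_score(area: AuditableArea) -> float:
    """Weighted 1-5 ratings rescaled to 0..100 (5 on every factor = 100)."""
    if not ratings_are_valid(area.ratings):
        raise ValueError(f"{area.name}: ratings must cover all factors with values 1-5")
    total = sum(FACTOR_WEIGHTS[f] * area.ratings[f] for f in FACTOR_WEIGHTS)
    return total / 5  # integer arithmetic up to here, so no rounding noise


def rank_universe(areas: List[AuditableArea]) -> List[Tuple[str, float]]:
    """Highest score first; ties broken by name so the plan is stable."""
    scored = [(a.name, weighted_score(a)) for a in areas]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def quadrant(area: AuditableArea, impact_threshold: float = 60.0,
             control_threshold: int = 3) -> str:
    """Heat-map cell: impact of risk (from the score) by control effectiveness."""
    impact = "High impact" if weighted_score(area) >= impact_threshold else "Low impact"
    control = ("High control" if area.control_effectiveness >= control_threshold
               else "Low control")
    return f"{impact} / {control}"


def heat_map(areas: List[AuditableArea]) -> Dict[str, List[str]]:
    """Quadrant -> area names, most urgent quadrant first, score order inside."""
    order = ["High impact / Low control", "High impact / High control",
             "Low impact / Low control", "Low impact / High control"]
    buckets: Dict[str, List[str]] = {q: [] for q in order}
    by_name = {a.name: a for a in areas}
    for name, _ in rank_universe(areas):
        buckets[quadrant(by_name[name])].append(name)
    return buckets


# Constructed sample universe (names borrowed from the heat-map slide, ratings invented).
SAMPLE_AREAS = [
    AuditableArea("Disaster Recovery",
                  {"inherent_risk": 5, "residual_risk": 5, "materiality": 4,
                   "prior_audit_results": 3, "audit_judgement": 5}, control_effectiveness=2),
    AuditableArea("Capital Works",
                  {"inherent_risk": 4, "residual_risk": 4, "materiality": 5,
                   "prior_audit_results": 3, "audit_judgement": 4}, control_effectiveness=3),
    AuditableArea("Corporate Credit Card",
                  {"inherent_risk": 3, "residual_risk": 2, "materiality": 3,
                   "prior_audit_results": 2, "audit_judgement": 2}, control_effectiveness=4),
    AuditableArea("Petty Cash",
                  {"inherent_risk": 2, "residual_risk": 1, "materiality": 1,
                   "prior_audit_results": 1, "audit_judgement": 1}, control_effectiveness=4),
]

if __name__ == "__main__":
    for name, score in rank_universe(SAMPLE_AREAS):
        print(f"{score:5.1f}  {name}")
    for cell, names in heat_map(SAMPLE_AREAS).items():
        print(f"{cell}: {names}")
```

The "High impact / Low control" cell is where both slides put audit attention first; ranking inside each cell by score gives the order in which to draft the annual plan, and the validation step rejects a spreadsheet row that is missing a factor or uses a rating outside 1 to 5.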

Audit Planning

Audit Assurance

With a devolved organisational structure, assurance is important.

Divisional Audit (risk based)
- Performed at the Budget Division level
- Analytical review of finance, HR and other systems data (profiling)
- Review processes and controls for efficiency and effectiveness
- Business objectives being met?
- Where all the cultural issues play out: consultative approach

Audit Planning

Financial and Administrative Systems (risk based)
- Confirm effectiveness and efficiency of key controls and processes: Finance, Purchasing Card, HR/Payroll, Students, Advance.

Information Technology (IT) Audit (risk based)
- Database security controls reviews
- IT general controls reviews
- Pre- and post-implementation systems reviews
- Computer security reviews

Audit Planning

Performance and System Reviews (risk based)
- Focus on efficiency and effectiveness of what activities are performed and how
- Confirm the overall focus of the operations is in line with the University's strategic and operational plans

Other Audits
- On request from management, perform performance/management audits, special investigations, or act in a consulting role.

Audit Planning

Audit Consulting (Knowledge Transfer / Engagement)

- Greater opportunity to be proactive!
- Where we need to move if we want to address cultural issues.
- New audit paradigm: meet stakeholder expectations, meet professional standards.

Audit Planning

Audit Consulting (Knowledge Transfer / Engagement) (cont.)

Challenges
- How to better engage / partner with stakeholders / managers?
- Manage people and their egos
- Maintain the fine balance between being a colleague/consultant and a policeman
- Remaining independent and objective
- Not assuming management responsibility, but educating, cajoling and whatever else it may take to get managers and all staff to take responsibility to improve the effectiveness of risk management, control and governance processes.

Audit Planning

Audit Consulting (Knowledge Transfer / Engagement) (cont.)

Mindset Shift
- Leader & facilitator
- Coach
- Extrovert
- Creative / innovative and energetic
- Overriding caveat: independence

Audit Planning

Audit Consulting (Knowledge Transfer / Engagement) (cont.)

Establish relationships
- Get their attention: appeal to their personal reputational risk
- Face to face discussions
- What are their issues?
- How can audit add value for them?
- Training / information deficits?
- What do they need to do to achieve their goals and those of their department?

Audit Planning

Consulting (Knowledge Transfer / Engagement) (cont.)

Planned Outcomes
- Managers and staff better placed to perform their roles and meet their responsibilities
- Proactively work with managers to address local issues
- Take learning and apply it University wide
- Communicate assurance to key stakeholders

Audit Planning

Summary: Operational Emphasis

- Alignment of audit plan with stakeholder expectations and the University's strategic and operational risk profiles
- Identify and incorporate key risks and the value-add proposition into each audit plan
- Establishing a resourcing model which incorporates staffing flexibility: co-sourcing, agency staff, specialist expertise
- Increased use of data extraction and manipulation for analysis to establish business profiles and areas of interest
- Stakeholder engagement with emphasis on face to face interaction
- Consulting, coaching and supporting
- Stakeholder satisfaction

Audit Planning

Questions?

Copyright The University of Melbourne 2009
