Presented by: Cathy Blunt (Griffith University), Carol Brown (Deakin University), Peter McGrath (University of Melbourne)
Cathy Blunt
Manager Internal Audit Griffith University ANZUIAG 2010
Tendering
Asset Mgt Capital Works Projects Mgt Workplace Health & Safety
Payables Receivable
Losses Insurance
Travel Mgt
Control Effectiveness
Low
Step 4 Develop first draft of strategic & annual audit plans & budget
Step 5 Consult with senior management
Step 6 Audit Committee endorsement & budget discussion
Step 7 Vice Chancellor approval
Step 8 Distribute approved plan to management
Internal Audit Unit
IT Audit Planning
Step 1 Update audit universe (projects, applications, centres & processes)
IT Audit Planning
Projects: 15 Factors
- Project Budget
- Transaction Volume
- Project Duration
- Character of Activity
- Resource Effort
- Executive Mgt Interest
- Fallback Arrangements
- Level of Change
- Complexity
- Project Mgt & Build
- Project Governance
- Impact on Financial Reporting
- Impact on Revenue
- Impact on Customers
- Ongoing Support Arrangements
Applications: 9 Factors
- Effect of System Failure
- Replacement Cost
- Scope of System
- Age of Application
- Type of Build/Maintenance
- Prior Audit Findings
- Changes in Environment/Staff
- Size of Application
- System Interfaces
IT Audit Planning
Processes: 7 Factors
- Effect of Process Failure
- Process Impact/Scope
- Process Performance
- Process Documentation & Training
- Prior Audit Findings
- Age of Process
- Process Risk
[Chart: Audit Universe]
High
To review the status of selected IT projects to ascertain whether the project development and implementation objectives are being achieved and whether project risks are being addressed.
The objective of this review is to assess whether significant IT projects being implemented are meeting their development objectives and timelines during the implementation process and whether the significant risks of the project are being addressed throughout the implementation.
2011 will focus on Learning Management System, with possible other systems being CRM, DFMS Upgrade, Business Intelligence and Deakin at Your Doorstep - subject to progress on project.
Reviewed
Resource
Area/Audit Title/Objective/Scope
Last
CHIEF FINANCIAL OFFICER FBSD Financial and Business Services Division 181 Credit Card Transactions To review credit card transactions by cardholders related to selected areas of the University.
9 FBS-1 FBS-28
2010
15
7.5
7.5
2 areas per year are covered. This is a 100% transaction review for all cardholders within the nominated areas for a period of up to six months.
Assurance Map
This Map details the various assurance activities across the University for risks which have been rated high residual risk and above.
Very High High Level of Assurance High Medium Level of Assurance Low Level of Assurance
Faculty of Arts and Education A&E-1 The failure to maintain and improve the Faculty's research may impact on reputation both nationally and internationally which could lead to a detrimental effect on achieving the Faculty Top Third research aspirations.
High
High
Internal Audit
Management Monitoring
Committee Oversight
Columns: Risk Title | Inherent Risk Rating | Residual Risk Rating | Audit Master Reference Code | Assurance and Review Activities
External Audit
Audit Planning
Understand key customer expectations, issues & concerns
- How? Consult broadly - talk to them
Develop a good knowledge of:
- Key business objectives
- Risk Management framework and risk profiles
- Key risk mitigation strategies
- What's going on
Align audit strategy to customer expectations and risk profiles
Audit Planning
Gathering business intelligence - what's going on?
- Discussions
- Committee papers
- Plans and budgets
- Risk profiles and mitigation strategies
- Management initiated reviews
- Correspondence
- AG's management letter
- Media reports
- Rumours etc.
No.
Auditable Area
Primary Risk
- Failure of project governance and management processes to deliver projects on time and on budget.
- Failure to provide appropriate training framework and programs, increasing the risk of inappropriate staff behaviour, breach of compliance obligations, and exposure to litigation.
- Failure of processes to effectively and efficiently coordinate the University's research activity to meet strategic and compliance objectives.
- Failure of Emergency Response, Crisis Management and Business Continuity strategies to appropriately respond to a major event.
- Failure of management, processes and systems to meet corporate objectives and compliance obligations within the RDM environment.
- Failure to maintain corporate records to meet compliance and reporting obligations, and corporate memory.
- Failure of the various related projects to deliver the promised business benefits.
- Failure of ISIS to deliver the promised business benefits.
- Failure of IT systems.
Capital Projects
Training
Research Management
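[Figure: risk matrix plotting the numbered auditable areas; labels: Major, Moderate, Minor, Insignificant; Excellent, Adequate, Fair, Poor]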
Business Continuity
Records Management
Themis Renewal
ISIS (Student System)
IT Security & DRP
10 Procurement and Cost Containment: Failure of procurement activity to be effectively and efficiently implemented increasing the risk of wastage, fraud and non achievement of cost containment targets.
11 P&CS Scheduling: Failure of systems to provide appropriate coordination of maintenance, minor works and construction activity and for meeting contractual reporting obligations.
Failure of marketing and communications strategies to achieve key objectives.
Failure of financial systems to process transactions and enable accurate reporting.
Failure to meet key compliance obligations.
[Figure legend: Control; Risk Level: Low, High, Moderate, Significant; (1) Inherent Risk, (2) Residual Risk]
Audit Planning
Audit Resource Management System (ARMS)
Audit universe
Prioritised based on five risk factors using 1-5 score:
- Inherent risk
- Residual risk
- Materiality
- Prior audit results (assurance)
- Audit judgement (gut feel informed by business intelligence)
15 % annual weighting
Time budget and recording
Report tracking
Audit Planning
Audit Assurance
Audit Planning
Financial and Administrative Systems
- Risk based
- Confirm effectiveness and efficiency of key controls and processes; Finance, Purchasing Card, HR/Payroll, Students, Advance.
Information Technology (IT) Audit
- Risk based
- Database security controls reviews
- IT general controls reviews
- Pre- and post-implementation systems reviews
- Computer security reviews
Audit Planning
Performance and System Reviews
- Risk based
- Focus on efficiency and effectiveness of what and how activities are performed
- Confirm the overall focus of the operations is in line with the University's strategic and operational plans.
Other Audits
- On request from management perform performance/management audits, special investigations or act in a consulting role.
Audit Planning
Greater opportunity to be proactive!
Where we need to move if we want to address cultural issues.
New audit paradigm
- meet stakeholder expectations
- meet professional standards
Audit Planning
Audit Consulting (Knowledge Transfer / Engagement) cont.
Challenges
- How to better engage / partner with stakeholders / managers?
- Manage people and their egos
- Maintain the fine balance between being a colleague/consultant and policeman
- Remaining independent and objective
- Not assuming management responsibility but educating, cajoling and whatever else it may take to get managers and all staff to take responsibility to improve the effectiveness of risk management, control and governance processes.
Audit Planning
Coach
Extrovert
Creative / innovative and energetic
Overriding caveat - independence
Audit Planning
Establishing a resourcing model which incorporates staffing flexibility: cosourcing, agency staff, specialist expertise
Increased use of data extraction and manipulation for analysis to establish business profiles and areas of interest
Stakeholder engagement with emphasis on face to face interaction
Consulting, coaching and supporting
Stakeholder satisfaction
Audit Planning
Questions?