Session 2: Combined Assurance Mapping
Presented by: Wayne Gorrie, KPMG
INTERNAL AUDIT SERVICES Combined assurance Mapping October 2010 ADVISORY
Outline
• Combined assurance mapping
• Assurance providers
• Coordination of assurance coverage
• Five stage process
• Assessment of assurance coverage
© 2010 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Australia. KPMG and the KPMG logo are registered trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation.
Drivers
Focus on MANAGE RISKS: Sound risk governance, based on the three lines of defense model, puts Risk as part of the daily conversation and views Risk from an enterprise-wide perspective.
• Directors/Boards
  - Confidence in the assurance provided over key organisational risks
  - Informed in a simple yet effective manner on the effectiveness of the assurance provider
Combined assurance mapping
• Considers the extent of assurance over business processes and business risks
• Assurance provided by management and other assurance providers including internal audit, external audit, and third parties
• A systematic way of allocating internal audit and other assurance effort
• Identification of gaps and duplication of resources within a combined assurance framework
Assurance providers
• Management: The primary source of assurance and the first line of defence
• Internal Audit: The focus and extent are largely discretionary; leading practice internal audit facilitates all aspects of assurance
• External Audit: Largely driven by legislation but part of the approach is variable
• Third Parties: Specialist input, e.g. Health & Safety
Coordination of assurance coverage
• The Problem: Unless the coverage of the four providers of assurance is coordinated, there may be gaps or duplication
• Combined assurance mapping: Combined assurance mapping enables a systematic approach to assurance that is readily visible to the Board and Management
Five stage process
1. Plot processes
2. Overlay risks
3. Ascertain assurance types
4. Assess assurance coverage
5. Actions
Five stage process: 1. PLOT PROCESSES
• Involves determining all processes and sub-processes (financial and non-financial) at all locations.
• This can be summarised at a high level as follows:
[Grid: columns Corporate, BU 1, BU 2; rows Operations, Financial, IT, Stakeholder Relations, Value alignment, Organisation effectiveness]
Five stage process: 2. OVERLAY RISKS
• Involves drilling down from the strategic and operating risks in the risk profile to the sub-processes which are impacted by those risks
[Grid: columns Corporate, BU 1, BU 2; rows Operations, Financial, IT, Stakeholder Relations, Value alignment, Organisation effectiveness; cells shaded by risk level, two cells marked N/A]
Key: Low risk; Medium risk; High risk; Extreme risk
Five stage process: 3. ASCERTAIN ASSURANCE TYPES
• Involves a high level look at sub-processes to ascertain who provides assurance, if any
[Grid: columns Corporate, BU 1, BU 2; rows Operations, Financial, IT, Stakeholder Relations, Value alignment, Organisation effectiveness; each cell lists the assurance providers for that sub-process. Cell entries in extracted order: N/A | M, 3 | M, I, E | M, I | M | M | M | N/A | M | M, I | M | M, E | M, I, 3 | M, 3]
Key: M = Management; I = Internal audit; E = External audit; 3 = Third party
Five stage process: 4. ASSESS ASSURANCE COVERAGE
• Involves assessing the extent of the assurance coverage of each sub-process:
[Grid: columns Corporate, BU 1, BU 2; rows Operations, Financial, IT, Stakeholder Relations, Value alignment, Organisation effectiveness; cells shaded by coverage level. Cell entries in extracted order: N/A | M, 3 | M, I, E | M, I | M | M | M | N/A | M | M, I | M | M, E | M, I, 3 | M, 3]
Key: Low coverage; Medium coverage; High coverage
Five stage process: 5. ACTIONS
• Involves interpreting results and taking action.
• Potential results include:
M: This may represent an assurance gap over a particular high risk process so actions could include:
  • Refocus of internal audit work
  • Specific management sign-offs in the certification process
M, I, E: This may represent duplication of resources so actions could include:
  • Refocus of internal audit work
  • Reducing management involvement
3: This may represent undue reliance by management on third parties so actions could include:
  • Increasing management involvement
  • Formalising third party assurance framework
Assurance coverage (5. ACTIONS)
• Frequency of coverage: Low coverage (L) = Adhoc; Medium Coverage (M) = Within 2 years; High Coverage (H) = Annually
• Extent of independent coverage: Low coverage (L) = Overview; Medium Coverage (M) = Output review; High Coverage (H) = Detailed review
• Framework for coverage: Low coverage (L) = Informal; Medium Coverage (M) = Reactive; High Coverage (H) = Formal
Coverage / Description
• Low: All aspects of the table are Low
• Medium: All aspects of the table are neither Low nor High
• High: All aspects of the table are High
Consideration of coverage (5. ACTIONS)
[Chart: Assurance Level (None, Low, Medium, High) plotted against Risk Level (Low, Medium, High), with a marker labelled "Assurance tolerance"; %'s relate to the total number of processes. Percentages shown: 25%, 52%, 23%; 20%, 50%, 20%, 10%]
Actions:
• Immediate - assurance levels in all red boxes to be raised
• Consider - do assurance levels in orange boxes need to be raised?
• Resourcing - why is there high assurance over some low risk processes?
Discussion
Wayne Gorrie Senior Manager KPMG +61 7 3233 9381 wgorrie@kpmg. au www. kpmg. au