Session 7: Internal Audit Planning
Presented by:
• Cathy Blunt, Griffith University
• Carol Brown, Deakin University
• Peter McGrath, University of Melbourne
Approaches to Audit Planning
Cathy Blunt, Manager Internal Audit, Griffith University
ANZUIAG 2010
Internal Audit Unit
Assurance & Operational Audit Planning
§ Step 1 – Update audit universe (organisation chart & processes)
§ Step 2 – Risk assess business units and processes
  » Questionnaire based on risk & control factors
  » Risk factors – materiality, organisational structure, complexity, IT systems, products/services, change, volume, performance gap, compliance, risk assessment results
  » Control factors – environment, risk assessment results, control activities, monitoring, ITC
  » Heat maps – risk factor by control effectiveness
Heat Map Example – Assurance & Operational Audits
[Heat map: vertical axis "Impact of Risk Effect" (Low to High), horizontal axis "Control Effectiveness" (Low to High). Activities plotted: Disaster Recovery, Business Continuity, Eskitis Institute, Qld College of Art, Tendering, Payables, Receivable Losses, Insurance, Parking, Petty Cash, Asset Mgt, Capital Works Projects Mgt, Workplace Health & Safety, Corporate Credit Card, School of Medicine, Australian Rivers Institute, Travel Mgt.]
Assurance & Operational Audit Planning
§ Step 3 – Compare highest risk activities to current strategic plan and immediate past plans
§ Step 4 – Develop first draft of strategic & annual audit plans & budget
§ Step 5 – Consult with senior management
§ Step 6 – Audit Committee endorsement & budget discussion
§ Step 7 – Vice Chancellor approval
§ Step 8 – Distribute approved plan to management
IT Audit Planning
§ Step 1 – Update audit universe (projects, applications, centres & processes)
§ Step 2 – Risk assess projects, applications & processes
  » ISACA Procedure P1 – IS Risk Assessment Measurement
  » Meetings with INS to discuss & risk rate activities, etc.
  » Update risk assessment spreadsheet with risk ratings and weighted risk factors
  » Charts for each project, application, centre & process
IT Audit Planning
§ Projects – 15 Factors
  » Project Budget
  » Transaction Volume
  » Project Duration
  » Character of Activity
  » Resource Effort
  » Executive Mgt Interest
  » Fallback Arrangements
  » Level of Change
  » Complexity
  » Project Mgt & Build
  » Project Governance
  » Impact on Financial Reporting
  » Impact on Revenue
  » Impact on Customers
  » Ongoing Support Arrangements
§ Applications – 9 Factors
  » Effect of System Failure
  » Replacement Cost
  » Scope of System
  » Age of Application
  » Type of Build/Maintenance
  » Prior Audit Findings
  » Changes in Environment/Staff
  » Size of Application
  » System Interfaces
IT Audit Planning
§ Processes – 7 Factors
  » Effect of Process Failure
  » Process Impact/Scope
  » Process Performance
  » Process Documentation & Training
  » Prior Audit Findings
  » Age of Process
  » Process Risk
§ Data Centres – 8 Factors
  » Number of Data Centre Staff
  » Effect of Prolonged Outage
  » Number of Applications
  » Number of Users
  » Prior Audit Findings
  » Sophistication of Processing
  » Changes in equipment, platform & staff
  » Number of platforms
IT Audit Planning – Example Charts
[Bar charts: "Risk Ranked IT Projects" and "Risk Ranked IT Processes", each project or process plotted by its risk rating.]
Deakin University Internal Audit Planning Process Overview
Audit Universe
Audit and Risk Planning Meeting
Discuss the following:
• What Internal Audit has done up to this point.
• New audits / merged audits / removed audits to the Audit Universe.
• High Residual Risk audits not planned to be covered in the forthcoming year.
• Proposed draft Plan for the forthcoming year.
• Assurance map (High Residual Risks based on Risk Registers).
Example of Audits Added/New
Draft IA Plan for Forthcoming Year
Assurance Map
Master Audit Plan Submitted to ARC for Approval
• Master Audit Plan is submitted at the November ARC meeting for approval.
• Includes:
  – Overview of planning methodology
  – Overview on resources
  – Draft Plan for the forthcoming year
  – Audit Universe
  – Assurance Map
ANZUIAG 2010
Host: University of the Sunshine Coast, Queensland
(Session 7) Internal Audit Planning (Balancing a risk based approach with core requirements and External Audit hopes.)
Peter McGrath, Director Internal Audit
Audit Planning Core Requirements
1. Professional Obligations
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process." (1)
2. Stakeholder Expectations
Audit and Risk Committee, Senior Executive, Operational Managers, VAGO, IA Team.
(1) Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors Research Foundation, Florida USA, January 2009
Audit Planning
§ Understand key customer expectations, issues & concerns
  - How? Consult broadly; talk to them
§ Develop a good knowledge of:
  - Key business objectives
  - Risk Management framework and risk profiles
  - Key risk mitigation strategies
  - What’s going on
§ Align audit strategy to customer expectations and risk profiles
Audit Planning
§ Gathering business intelligence – what’s going on?
  - Discussions
  - Committee papers
  - Plans and budgets
  - Risk profiles and mitigation strategies
  - Management initiated reviews
  - Correspondence
  - AG’s management letter
  - Media reports
  - Rumours etc.
Main Areas of Audit Interest – 2011 Plan
No. Major Auditable Area – Primary Risk
1. Capital Projects – Failure of project governance and management processes to deliver projects on time and on budget.
2. Training – Failure to provide an appropriate training framework and programs, increasing the risk of inappropriate staff behaviour, breach of compliance obligations, and exposure to litigation.
3. Research Management – Failure of processes to effectively and efficiently coordinate the University’s research activity to meet strategic and compliance objectives.
4. Business Continuity – Failure of Emergency Response, Crisis Management and Business Continuity strategies to appropriately respond to a major event.
5. Budget Division Governance – Failure of management, processes and systems to meet corporate objectives and compliance obligations within the RDM environment.
6. Records Management – Failure to maintain corporate records to meet compliance and reporting obligations, and corporate memory.
7. Themis Renewal – Failure of the various related projects to deliver the promised business benefits.
8. ISIS (Student System) – Failure of ISIS to deliver the promised business benefits.
9. IT Security & DRP – Failure of IT systems.
10. Procurement Cost Containment – Failure of procurement activity to be effectively and efficiently implemented, increasing the risk of wastage, fraud and non-achievement of cost containment targets.
11. P&CS Scheduling – Failure of systems to provide appropriate coordination of maintenance, minor works and construction activity and for meeting contractual reporting obligations.
12. Marketing & Communications – Failure of marketing and communications strategies to achieve key objectives.
13. Financial Assurance – Failure of financial systems to process transactions and enable accurate reporting.
(unnumbered) – Failure to meet key compliance obligations.
Each area is rated for Inherent Risk (1) and Residual Risk (2).
[Heat map: risk level (Insignificant, Minor, Moderate, Significant, Severe) against control (Excellent, Adequate, Fair, Poor), with the numbered areas plotted by their ratings.]
(1) Risk registers (2) Management assessment
Audit Planning
§ Audit Resource Management System (ARMS)
  Ø Audit universe
  Ø Prioritised based on five risk factors using a 1 – 5 score:
    - Inherent risk
    - Residual risk
    - Materiality
    - Prior audit results (assurance)
    - Audit judgement (gut feel informed by business intelligence)
  Ø 15% annual weighting
  Ø Time budget and recording
  Ø Report tracking
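One way to turn the five-factor 1–5 scoring above, and the risk-by-control heat map from the Griffith slides, into a repeatable ranking of the audit universe (an added example, not ARMS or either university's own code; the factor weights, the use of residual risk and prior-audit results as the two heat-map axes, and the sample scores are all assumptions):

```python
from dataclasses import dataclass

# The slides say each audit-universe item is scored 1-5 on five factors.
# The weights below are an assumption for this example, not ARMS's own.
FACTORS = ("inherent", "residual", "materiality", "prior_audit", "judgement")
WEIGHTS = {"inherent": 0.25, "residual": 0.25, "materiality": 0.20,
           "prior_audit": 0.15, "judgement": 0.15}


@dataclass
class AuditItem:
    name: str
    scores: dict  # factor -> 1..5, where 5 = strongest case for auditing


def is_valid(item: AuditItem) -> bool:
    """Every factor present and an int in 1..5 (bools and floats rejected)."""
    return all(type(item.scores.get(f)) is int and 1 <= item.scores[f] <= 5
               for f in FACTORS)


def priority(item: AuditItem) -> float:
    """Weighted score normalised to 0-100 (5 on every factor = 100)."""
    if not is_valid(item):
        raise ValueError(f"{item.name}: each factor must be an int 1-5")
    raw = sum(WEIGHTS[f] * item.scores[f] for f in FACTORS)
    return round(raw / 5 * 100, 1)


def heat_cell(item: AuditItem) -> str:
    """Heat-map quadrant: residual risk by control effectiveness. Assumption:
    a high prior-audit score means weak assurance, i.e. low control."""
    risk = "High risk" if item.scores["residual"] >= 4 else "Low risk"
    ctrl = "Low control" if item.scores["prior_audit"] >= 4 else "High control"
    return f"{risk} / {ctrl}"


def rank(items):
    """Highest priority first; ties broken by name so the plan is stable."""
    return sorted(items, key=lambda i: (-priority(i), i.name))


# Constructed sample scores for three activities named on the heat-map slide.
SAMPLE_ITEMS = [
    AuditItem("Payables", {"inherent": 5, "residual": 4, "materiality": 5,
                           "prior_audit": 3, "judgement": 4}),
    AuditItem("Petty Cash", {"inherent": 2, "residual": 2, "materiality": 1,
                             "prior_audit": 2, "judgement": 2}),
    AuditItem("Capital Works", {"inherent": 4, "residual": 4, "materiality": 5,
                                "prior_audit": 4, "judgement": 5}),
]

if __name__ == "__main__":
    for item in rank(SAMPLE_ITEMS):
        print(f"{priority(item):5.1f}  {item.name:14}  {heat_cell(item)}")
```

Changing the weights changes the ranking, so whatever weighting the unit adopts should be recorded alongside the scores when the plan goes to the Audit Committee.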
Audit Planning
Audit Assurance
With a devolved organisational structure, “assurance” is important.
Divisional Audit
§ Risk based
§ Performed at the Budget Division level
§ Analytical review of finance, HR and other systems data (profiling)
§ Review processes and controls for efficiency and effectiveness
§ Business objectives being met?
Where all the cultural issues play out – consultative approach
Audit Planning
Financial and Administrative Systems
§ Risk based
§ Confirm effectiveness and efficiency of key controls and processes: Finance, Purchasing Card, HR/Payroll, Students, Advance.
Information Technology (IT) Audit
§ Risk based
§ Database security controls reviews
§ IT general controls reviews
§ Pre- and post-implementation systems reviews
§ Computer security reviews
Audit Planning
Performance and System Reviews
§ Risk based
§ Focus on efficiency and effectiveness of what activities are performed and how
§ Confirm the overall focus of the operations is in line with the University's strategic and operational plans.
Other Audits
On request from management: performance/management audits, special investigations, or acting in a consulting role.
Audit Planning
Audit Consulting – (Knowledge Transfer / Engagement)
Greater opportunity to be proactive!
Where we need to move if we want to address cultural issues.
New audit paradigm
- meet stakeholder expectations
- meet professional standards
Audit Planning
Audit Consulting – (Knowledge Transfer / Engagement) cont.
Challenges
§ How to better engage / partner with stakeholders / managers?
§ Manage people and their egos
§ Maintain the fine balance between being a colleague/consultant and a policeman
§ Remaining independent and objective
§ Not assuming management responsibility but educating, cajoling and whatever else it may take to get managers and all staff to take responsibility to improve the effectiveness of risk management, control and governance processes.
Audit Planning
Audit Consulting – (Knowledge Transfer / Engagement) cont.
Mindset Shift
§ Leader & facilitator
§ Coach
§ Extrovert
§ Creative / innovative and energetic
Overriding caveat – independence
Audit Planning
Audit Consulting – (Knowledge Transfer / Engagement) cont.
Establish relationships
§ Get their attention
§ Appeal to their personal reputational risk
Face to face discussions
§ What are their issues?
§ How can audit add value for them?
§ Training / information deficits?
§ What do they need to do to achieve their goals and those of their department?
Audit Planning
Consulting – Knowledge Transfer / Engagement (cont.)
Planned Outcomes
§ Managers and staff better placed to perform their roles and meet their responsibilities
§ Proactively work with managers to address local issues
§ Take the learning and apply it University wide
§ Communicate assurance to key stakeholders
Audit Planning
Summary – Operational Emphasis
§ Alignment of the audit plan with stakeholder expectations and the University’s strategic and operational risk profiles
§ Identify and incorporate key risks and the value-add proposition into each audit plan
§ Establish a resourcing model which incorporates staffing flexibility: co-sourcing, agency staff, specialist expertise
§ Increased use of data extraction and manipulation for analysis to establish business profiles and areas of interest
§ Stakeholder engagement with emphasis on face to face interaction
§ Consulting, coaching and supporting
§ Stakeholder satisfaction
Audit Planning
Questions?
© Copyright The University of Melbourne 2009