Post on 07-Mar-2018

Internal Audit Plan Preparation – Providing Value for the Organization

Richard Arthurs CMA, MBA, CIA

My Background

• 20+ Years of International Finance, Audit and Risk Management Experience
• 13 Years with General Mills Inc. in Canada, US and UK
• Managed audits, investigations, and risk in over 40 countries
• Now CAE with AltaLink/Berkshire Hathaway Energy in Calgary
• Chair of IIA Canada - National Thought Leadership Committee
• Chair of Benchmarking Committee - Strategic Risk Council – Conference Board of Canada
• ERM Facilitator - Institute of Corporate Directors

1. Your Internal Audit Value Proposition

Value starts with the strategy and objectives of the business.

Achieving Strategy = Effective Controls + Risk Management
(Make the connection easy to see)

Supporting Corporate Strategy

20xx Company Strategy:
• Drive Profitable Growth in Developed Markets
• Aggressively Capture Growth
• Assure Organizational Readiness to Resource Future Growth

Internal Audit Supporting Strategies:
1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

Addressing Accelerating Change

3yr. GIA LRP Supporting Strategies:
1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

• Acquisitions
• Globalization
• Emerging Technology
• 3rd Party Reliance
• Economic Uncertainty
• Emerging Markets
• Accelerating Change

If you do not make it simple for leaders to value Internal Audit they probably won't.

Past Year Accomplishments (Market Your Internal Audit Value)

• Recovered $M Due to 3rd Party Billing Errors

• Supported Key Strategic Decisions

• Reduced Work Time Required by # Hours/Month

• Significantly Enhanced Cyber Security Controls

• Identified & Investigated Fraud Cases

2. Optimize Your Continuous Risk Assessment Agility

Never before has the risk universe of a business seen so much constant change. New emerging risk is becoming very common.

Key Strategy 1: World-Class Risk Assessment & Insight

1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

Risk Universe (Excluding Fraud & IT)
(* Ernst & Young)

Enterprise Risk Universe, grouped into Strategic, Operational, Compliance and Financial risk.

Strategic / Operational

Governance Risk
• Board Performance
• Tone at the Top / Corporate Culture
• Enterprise Risk Management – Risk Mitigations

Planning & Resource Allocation Risk
• Organizational Structure Change
• Strategic Planning
• Long Term Planning
• JV's, Alliances and Partnerships
• Decision Speed

Technology Change Risk
• AMI, smart grid
• Industry Changes (Gas Generation)

Customer Demand Changes Risk
• Customer Demand Changes

Competition Risk
• Client Services / Satisfaction
• Communication Strategy and Plan

Enterprise Portfolio Risk
• Alliance/Partnerships
• Trademark/Brand Name
• Wholly Owned Affiliates

Government Policy Risk
• Regulatory Changes

Political Risk
• Political Changes

Lifecycle Risk
• Industry & Demand (30+ Year Rate Base Projection)

Organizational Structure Risk
• Performance Management (STIP/LTIP)

Business Development Risk
• Mergers and Acquisition and Divestiture
• Opportunity Capture
• Executing Captured Opportunity
• Due Diligence: Risk Assessment & Management

Major Initiatives Risk
• Planning and Execution
• Measurement and Monitoring
• Technology Implementations
• Business Acceptance

Communication/Investor Relation Risk
• Government/Media/Public Relations
• Land Owner Consultation & Relations
• Stakeholder/Investor Relations
• Reputation Management
• Crisis Management
• Regulatory/Legal Response Plan
• Employee Communication

People Risk
• Employee Fraud and Investigations
• Organizational Capacity & Capabilities
• Employee & Labor Relations
• Contractor Management & Excessive Usage
• Health & Welfare & Safety
• Excessive Recruitment and Turnover
• Timely & Effective Training and Development

Project/Operations Management Risk
• Contract Commitments
• Scheduling & Forecasting
• Documentation & Standards
• Design, Mapping and Drafting
• Procurement / Competitive Bidding
• Vendor Selection / Contract Management
• Vendor / Contractor Management
• Project Execution (Stage Gate) & Management
• Change Notice & Management
• New Technology: Smart Grid
• Client & Service Interaction
• Quality Assurance & Control
• Incident Management & Investigation
• Safety & Reliability
• Fleet Purchases, Maintenance and Management
• Asset Management
• Environment Management Strategy
• Land Management Strategy
• Performance Management Gaps/KPI's
• Physical Security/Disturbance Analysis
• Privacy & Confidentiality
• Business Continuity / Disaster Recovery

External Risk
• Catastrophic/Natural Disaster/Weather
• Sabotage / Terrorist
• 3rd Party Contractor Mgmt./Reporting (Earned Value)
• Customer/3rd Party/Land Manager Fraud
• Supplier Performance
• Supplier Availability / Sole Source
• Availability of Goods and Services

IT & Control Center Risk
• Third Party Suppliers and Outsourcing
• Control Center Operations
• Programs and Change Management
• Security and Privacy (Firewalls, Access Management)
• Physical Environment
• Staffing/Operations/Disaster Recovery
• Data Security
• Infrastructure
• Applications and Databases
• Legal and Regulatory
• Telecommunications
• Load and Demand Balancing
• Outage Scheduling & Management
• Safety and Environmental Systems

Compliance

Code of Conduct Risk
• Ethics / Conflict of Interest
• 1-800 Ethics Line Management
• Fraud (Anti Fraud Program)

Legal Risk
• Contracts
• Stranded Asset Issue
• IP and Patents
• Liability Protection, Regulation & Insurance
• Anti-Corruption

Regulatory Risk
• Due Diligence Process
• GTA Hearing, IR & Processes
• AESO/AUC/Prudency Audits & Enforcement
• Alberta Reliability Standards
• Labor Standards
• Engineering Standards
• Environment
• Quality, Health and Safety
• Data Protection, Availability, and Privacy
• International Laws and Standards (i.e. FCPA)
• Tax Compliance
• Customs
• Discriminatory Practices

Financial

Rate Base and Cost Recovery Risk
• Regulated Tariff: Unapproved Costs/Prudency
• Deferral (DACDA) and Reserve Accounts
• Capital Budgeting and Cost Management (ABC)
• Transmission and Miscellaneous Revenue
• Customer Deposits

Financial Accounting & Reporting Risk
• Accounts Payable / Receivable
• Inventory, Prepaid Expenses & Deposits
• Budget & Planning Forecasts
• Accounting/External Reporting - IFRS
• Fund Investment & Evaluation
• Management/Internal Reporting
• Inter-affiliate Transactions (SNC-ATP)
• ICFR: C-SOX / Disclosure Controls
• Payroll & Expense Reporting
• Capital Overhead Allocation (i.e. E&S)
• Taxes and Insurance

Liquidity, Credit, and Equity Risk
• Corporate Funding / Equity Management
• Access to Capital Markets
• Debt Maturity Profile
• Flexibility in Capital Spending Budget
• Contingency Funding
• Collateral Requirements
• Capital Availability
• Fund Diversification
• Credit Risk Management/Credit Downgrade

Cash Flow Risk
• Daily Operational Funding
• Cash Flow Projections/Forecasting

Profitability Risk
• Return on Capital / Debt

Market Sensitivity Risk
• Commodity Price
• Commodity Volatility
• Interest Rates
• Security Prices
• Foreign Exchange

Volume Risk
• Attrition
• Economic Factors
• Variable Load

Market Liquidity Risk
• Market Tightness, Depth, and Resilience

Investment Performance Risk
• Pension Fund

IT Risk Universe
(* Ernst & Young)

Risk domains: Operations; Security & Privacy; Staffing; Third-party Suppliers & Outsourcing; Legal & Regulatory; Applications & Databases; Infrastructure; Data

Risks across these domains:
• Non-compliance with regulators
• Non-compliance with software license contracts
• Poor service levels
• Data leakage
• Inadequate support
• Lack of assurance
• Budget overruns
• Significant delays
• Poor quality of deliverables
• Ineffective change control
• Intrusion of malware
• Virus attacks
• Website attacks
• Poor patch management
• Utilities failures
• Natural disasters
• Labour strikes
• Environmental sanctions
• Loss of key resources
• Inability to recruit IT staff
• Mismatch skills
• Lack of business knowledge
• Operator errors during backup or maintenance
• Breakdown of operational processes
• Disclosure of sensitive data
• Corruption of data
• Unauthorized access
• Failure to mine information
• Damage to services
• Inflexible IT architecture
• Theft
• Obsolete technology
• Unsupported applications
• Critical system failures
• Unable to handle load
• Configuration issues

Risk Assessment Process (diagram)

Identify Risks → Assess Risk → Prioritize Risk

Inputs to identifying risks: Knowledge and Prior Audit Results; Management (Exec. & BU); Key Initiatives & Changes in Business; Fraud & Geographic Risks; External / Industry Issues; External Auditor

Methods used to assess and prioritize: Survey, Interviews, Workshop

Risk categories assessed: Financial, Compliance, Operations, Strategic

Value proposition:

• Demonstrate linkage between risk assessment and audit plans

• Clear linkage to business strategy, ERM and IA priorities

• Justifiable audit plan coverage to Audit Committee, External Auditors, etc.

• Provide proactive risk prevention & management advisory services

*Ernst & Young LLP

Audit Plan Development (diagram)
(* Ernst & Young)

Inputs:
• Prioritized Risks from Risk Assessment
• C-SOX/SOX Compliance
• Management and Audit Committee Expectations
• Rotation and Follow-Up
• Special Projects or Unplanned Audits

Steps: Prioritize Projects → Reconcile with Audit Committee → Allocate Against Available Resources → Finalize Audit Plan Projects

Not all risks are covered in the Plan.

3. Independent Risk Assessment

Internal Audit Independent Risk Assessment: Top 10 Risk Areas (numbered 1 through 10, left blank as a template)

Top 10 Risks vs. ERM Top Risks

3. Define Your Role as The Trusted Strategic Advisor

It takes time to build trusting relationships. Becoming the Trusted Strategic Advisor requires consistent value delivery.

Value pyramid (diagram):
• Control & Compliance: Non-Negotiable
• Business Insights: High Performing
• Strategic & Value-added Advisory: World-Class Value

Activities:
• Financial and Compliance Assurance
• Corporate Governance
• Maintain Independence
• Pipeline of Leadership Talent for Finance
• Utilize ERM Intelligence
• Emerging Risk Advisory Projects
• Comprehensive Audits and Data Analytics
• Operational Audits

IA Strategies:
1. World-Class Risk Assessment and Insight
2. Integrated and Specialized Assurance Partnerships
3. Optimized Resource & Technology Utilization

Align IA Strategy to Value Added Advisory

Strategic Risk / Operational Risk / Financial and Compliance Risk

A Trusted Strategic Advisor is Aware of Risk Appetite, Capacity and Tolerance.

Advise on Intelligent Risk Taking

Being the Trusted Strategic Advisor requires partnership with all assurance providers.

1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

Key Strategy 2: Integrated Assurance Partnerships

4. Link Value and Risk, to Your Planned Audit Activity

Never Assume Anyone Understands the Value an Audit or Advisory Can Deliver

Define Audit vs. Advisory

The spectrum runs from Traditional Assurance (Standard Risk Coverage) to Non Traditional Assurance (Emerging Risk):

Standard Risk Coverage
• Highly Defined Risk and Controls
• Medium to Low Level of Change / Past & Present Focus
• IA Focus: Assurance Audits
• Example: Financial Audits

New Risk Focus or Process
• Moderately Defined Risk and Controls
• Medium Level of Change / Present & Future Focus
• IA Focus: Assurance Audits & Risk Advisory
• Example: Integration

Emerging Risk
• Undefined Risk and Controls
• High Level of Change / Future Focus
• IA Focus: Risk Advisory
• Example: Cyber Security

Plan Every Audit to Ensure it Will Deliver Obvious Value

Internal Audit Plan / 3 Year Audit Plan (matrix diagram)

The slide maps the Internal Audit Independent Risk Assessment (Top 10 Risk Areas, 1 through 10) onto a plan matrix:
• Columns: Standard Risk Coverage (Traditional Assurance); New Risk Focus or Process; Emerging Risk (Non Traditional Assurance)
• Rows: Risk Based Audits & Advisory; Compliance Activity / External Audits; IT/Data Analytics
• Plan years: 20xx; 20xx (Subject to Change); 20xx (Subject to Change)
• Risk tiers: High – Med Risk; Med – Low Risk; Emerging or New Risk Focus
• Each cell is marked AUDIT or ADVISORY, with totals (Audits x, Advisory x)

4. Resource Optimization

Recruit Leaders & Help Them Become Passionate About the IA Value Proposition

1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

Key Strategy 3: Optimized Resource and Technology Utilization

The Best Internal Audit Shops Only Recruit Future Leaders Who Love to Learn

6. Professional Development

Undergraduate Degree:
MBA:

Emphasize Professional Credentials

If You Cannot Deliver Value Efficiently then Consider Data Analytics

Executive Dashboards

5. Continuous Improvement

The Best Way to Manage Audit Client Expectations is by Gaining Alignment on a Maturity Assessment

Maturity Maps

Components: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring Activities

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

13. Uses relevant information

14. Communicates internally

15. Communicates externally

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies

New COSO Model

IIA Quality Assessment

6. Reporting & Grading

Great CAE's Must Perfect the Art of Managing Expectations

Audits Completed - 2013 (tracking table)
• Columns: Audit Tracking; Audit Focus; Audit Grade (Well Controlled / Satisfactory / Needs Improvement); # of Audit Comments (Audit Committee / Senior Management / Continuous Improvement); Due; Notes
• Rows: audits due in Q1 through Q4, followed by Advisory engagements due in Q1 through Q4

Tracking (charts)
• # AUDITS and # COMMENTS by area: PMO, OPS, IT, FIN, LEGAL, HR, CUST SERV, EXT REL, BD
• Audit grade split (Well Controlled / Satisfactory / Needs Improvement) for 20xx and 20xx YTD, shown as 42% / 27% / 31% and 57% / 14% / 29%

Audit Committee Update

A High Value Audit Shop is a Development Engine for Future Leaders

Questions ??