Planning the audit scope The fundamentals

Transcription

1 Concurrent Session 4A Planning the audit scope The fundamentals Tracey Lawrance MIIA(Aust) Chief Auditor, Airservices Australia Michael del Castillo CIA MIIA(Aust) Audit Manager, Airservices Australia

2 SCOPING RISK BASED AUDITS THE FUNDAMENTALS SOPAC 2012 Tracey Lawrance Chief Auditor Michael del Castillo Audit Manager

3 Purpose of Session To provide practical insights into how Airservices Internal Audit conducts risk based audits with focus on: effective planning effective scoping engaging the business adding value whilst maintaining independence

4 Who is Airservices? Commonwealth Authority established by the Airservices Act 1995 International civil aviation (ICAO) rules and Civil Aviation Safety Authority (CASA) regulations Provides: air traffic control services to 11 % of world s airspace aviation fire fighting services at major airports maintains technical airways systems infrastructure Corporate support business groups Annual revenue of $850 m 5 year capital expenditure plan of $1b

5 Internal Audit at Airservices Branch within the Safety & Assurance business group Reports to General Manager S&A Dotted line to CEO and Chair of Board Audit & Risk Committee Team of 14 based in Brisbane, Melbourne and Canberra Implemented electronic work papers in Nov 2009 the start of our risk based auditing journey Busy team 59 audits on 11/12 plan

6 Risk Based Auditing Annual risk based audit planning versus risk based audits 2010 Planning Annual The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization s goals Engagement Objectives Individual Audits Objectives must be established for each engagement A1 Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

7 Risk Based Auditing Commenced journey late 2009 Three year audit strategic plan Risk assessment completed as part of planning for every audit Identify the business objective of the area being audited Identify the major processes Identify the risks for each major process Identify the KEY controls in place (confirmed during planning) or expected (to be confirmed during field work)

8

9

10 Risk Based Auditing - Tips Strategic view Why is the audit on the annual audit plan? Effective communication with Executive Manage and build relationships in the business Risk assessment is iterative build as you go Operational view Engage with line business to identify risks and controls Importance of good flowcharts White board / Brain storm risks as a team Don t test everything - work smart

11 Building the Succinct Audit Brief 2200 Engagement Planning Internal auditors must develop and document a plan for each engagement, including the engagement s objectives, scope, timing, and resource allocations. Planning is the key to a quality audit

12 Building the Succinct Audit Brief Tips Strategic view Audit Terms of Reference is a communication tool Don t reinvent the wheel direct link between risk assessment and TOR Key assurance mechanism provide feedback to risk owners Identify opportunities for efficient use of resources Operational view Understand the business environment Business objective Audit objective Scope Criteria

13 Major processes Key controls to be tested

14 Risks from Enterprise or group risk registers

15 Engaging with Stakeholders 2400 Communicating Results Internal auditors must communicate the results of engagements Criteria for Communicating Communications must include the engagement s objectives and scope as well as applicable conclusions, recommendations, and action plans.

16 Engaging with Stakeholders - Tips Strategic view CAE needs to champion audits at the Executive table Agree timing of audits to maximise business engagement Regular meetings with Executive management Operational view Audit managers to attend key meetings with business Engagement model it s all about relationships! Focus on face to face meetings escalate issues to CAE Deliver on the TOR meet expectations

17

18

19 Adding Value vs Independence 1100 Independence and Objectivity The internal audit activity must be independent, and internal auditors must be objective in performing their work 2030 Resource Management The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan What is adding value? Auditing versus consultancy service

20 Adding Value vs Independence - Tips Strategic view Need right skills mix in Audit team Use of Subject Matter Experts (SMEs) Challenges of providing a consulting service Challenges of auditing our business group Operational view SME s are not auditors Need the right SME SME independence

21 .the benefits For the Business: Closes the ERM loop Strategic assurance Board confidence For Internal Audit: Credibility in the business Effective use of internal audit resources Logical and structured approach to audits

22 Contacts Tracey Michael