Developing an effective internal audit plan: profiling our experiences
10 December 2015
David Simpson, Head of Internal Audit, Ageas UK
Michel Schurer, Ex Director Internal Audit EMEA AP, Crawford & Co
Martin Robinson, IIA
Alisdair McIntosh, IIA
Agenda
13:00-14:00 Registration and buffet lunch
14:00-14:10 Welcome and introduction (Martin Robinson, Training Development Adviser, IIA)
14:10-14:45 Developing a comprehensive assurance plan for the audit committee: how does internal audit align themselves with other governance functions (David Simpson, Head of Internal Audit, Ageas UK)
14:45-15:10 Making our internal audit plans risk based, and internal audit planning processes and auditee discussion (Michel Schurer, Ex Director, Internal Audit, EMEA AP, Crawford and Company)
15:10-15:25 Tea break
15:25-15:40 Update on IIA policy issues (Alisdair McIntosh, Policy & External Relations Director, IIA)
15:40-15:50 IIA EQA experiences of internal audit planning (Martin Robinson)
15:50-16:30 Facilitated discussion
16:30 Close
Developing a Comprehensive Assurance Plan: How Does Internal Audit Align Themselves With Other Governance Functions?
David Simpson, Head of Internal Audit
Who are Ageas?
Why Integrated Assurance?
- Growing maturity of assurance provision: CIIA paper on Effective Internal Audit in the Financial Services Sector (July 2013)
- Pressure from Non-Executive Directors: greater demands and requirements on NEDs (SIMR and other regimes); looking for assurance outside of Executive Management
- Pressure from Audit Committees & Boards: consolidated view of risk and assurance
- Pressure from Regulators: focus on integration & skills; Solvency II IMAP process
- Cost & efficiency pressures: effective alignment of governance functions; removal of duplication
3 Lines of Defence Model

1st line of defence: Business. Responsible for:
- Identifying and managing the full taxonomy of risks in their area of operations
- Ongoing assessment and monitoring of risks
- Implementation of effective controls to mitigate risks
- Implementing and embedding policies, processes and procedures
- Ensuring a risk-aware culture and environment, with trained and capable staff

2nd line of defence: Risk. Responsible for:
- Supporting the business in the identification, assessment and mitigation of current and emerging risks
- Developing and maintaining appropriate risk appetites
- Establishing a risk policy framework consistent with the defined risk appetites
- Creating risk management tools that help management deliver on their responsibilities
- Communicating and embedding risk strategy, risk awareness and risk management within the businesses
- Aggregating and reporting on risk to Board, Audit Committee, Risk Committee and Management
- Independent oversight and challenge on the risk profile and key business decisions
- Provision of support and technical risk advice

2nd line of defence: Compliance. Responsible for:
- Providing independent reasonable assurance that compliance and conduct risks are effectively managed and that appropriate customer outcomes are being achieved
- Delivery and completion of the annual Compliance Assurance programmes covering both the internal Ageas UK operating framework and ongoing third party arrangements
- Evaluating the effectiveness of the call monitoring framework and associated controls
- Undertaking ad-hoc thematic reviews as a result of internal incidents and/or increased regulatory focus
- Completion of Group Compliance assurance deliverables
- Conducting due diligence fitness and propriety assurance in relation to new third party arrangements
- Ensuring appropriate internal policies are in place and are consistently applied in accordance with both business requirements and legal/regulatory standards
- Reporting key assurance outputs to Board, Audit Committee, Risk and Management Committees across AIL, UK and Group

3rd line of defence: Internal Audit. Responsible for:
- Evaluating the adequacy and effectiveness of the internal control system and other elements of the risk governance systems
- Providing independent, reasonable assurance on the proper design, quality and implementation of the internal controls framework (both 1st and 2nd lines) and observance of guidelines, policies and processes
- Reviewing management's reporting on internal controls and management's annual statements on the effectiveness of internal control
- Reporting to management and the Board(s) on key areas of risk and control weakness, with recommendations for improvement
Linkages between Functions (diagram)
Issues & Challenges
- Differing planning & universe frameworks: risk based / organisational function / thematic
- Differing focus & approach to controls assurance
- Timing & duplication of effort
- Consistency of reporting: common report rating
- Efficient use of resources & skills
- Quality assurance & standards
- Business over-reliance on 2nd line
- Scope of functions: Quality / Health & Safety / IT Security / External Audit
- Consultancy reviews
- Projects & change management
Support processes: Integrated Assurance Maps
Map columns: Area | Risk Management | Compliance Assurance | Internal Audit

Area: Financial operations
- HR control evaluations: annual control assurance activity including Risk Policy adherence reviews
- Transparency of Assets: UK review to seek assurance that the Group Policy is embedded and is being followed across the Ageas UK businesses. (Q4 2015)
- FATCA Self Assessment: UK review to confirm Ageas UK businesses' status in relation to FATCA regulation. (Q4 2015)
- Bordereaux Processing (2014 Audit): processes associated with the accounting business administered via bordereaux arrangements. (Q1 2015)
- Business Information Reporting Processes (including QlikView and SAS Reporting Outputs) (2014 Audit): processes relating to the governance and operation of the BI reporting function, via both QlikView and SAS. (Q1 2015)
- Reinsurance Processes: review of the processes for arranging the reinsurance cover, paying the reinsurance premiums and lodging reinsurance claims. (Q2 2015)
- Financial Controls, Suspense & Control Accounts: review of the administration and control of the principal suspense and control accounts within AIL, including the clearance of outstanding items. (Q4 2015)
- Processing of Accounts Payable: review of the processes and controls to ensure that all payments are completely and accurately processed on a timely basis. (Q4 2015)
Questions?
IIA Heads of Internal Audit Forum, London, 10 December 2015.
1) Making our internal audit plans risk based
2) Dynamic internal audit planning processes and auditee discussion
Michel Schurer
Career Summary: 25 years' experience combining Internal Audit (15), Finance (5) and External Audit (5)
- Crawford and Company, London, UK: Director Internal Audit, EMEA AP
- Koch Industries, London, UK: Director Internal Audit, Europe
- Eisai Europe Ltd, London, UK: Director Internal Audit Europe
- Russell Reynolds, London: International Financial Controller - Germany/Sweden
- Unilever / Bestfoods, Germany / UK: Financial Controller / Audit Manager
- Eaton Ltd, London, UK: International Internal Auditor
- Deloitte & Touche, Gothenburg, Sweden: External Auditor
Education & Qualifications
- CMIIA, certified Oct 2007 (Institute of Internal Audit)
- ACCA / FCCA, qualified 2003; elected Fellow May 2008 (Chartered accountant)
- University of Gothenburg, Sweden: Bachelor of Science in Business Administration, options in Accounting and Finance
Personal
- French / German dual nationality
- Married, 3 children; passionate tennis player
1. Making our internal audit plans risk based
2. Dynamic internal audit planning processes and auditee discussion
A Simple Bird's Eye View
At the end of the day IA wants to help in the area of risk management, control, and governance. Hence, we need to understand who/what does what and how well, to avoid duplications and add value. To get there we would need to:
- Look at documents, systems and processes.
- Talk to people.
1. Making our internal audit plans risk based
2. Dynamic internal audit planning processes and auditee discussion
IIA definition of RBIA: Internal audit provides assurance that processes manage risks effectively, in relation to the risk appetite.
1. Assess risk maturity: obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks (to understand the reliability of the risk register for audit planning purposes).
2. Periodic audit planning: based on board (stakeholder) requirements, including the RM process, key risks, and the recording and reporting of key risks.
3. Individual audit assignments: audit process/framework and management of specific risks.
https://www.iia.org.uk/resources/risk-management/risk-based-internal-auditing/
Risk Maturity Model

| | Naïve | Aware | Defined | Managed | Enabled |
|---|---|---|---|---|---|
| OVERALL | Informal | Scattered/Silos | Strategy/Policy | Full ERM | Embedded |
| Objectives | May be | Inconsistent | Yes | Yes | Yes |
| Trained on RM | No | Ltd. | Yes | Yes | Yes |
| Scoring system | No | Inconsistent | Yes | Yes | Yes |
| Defined appetite | No | No | Yes | Yes | Yes |
| RM process | No | No | Inconsistent | Yes | Yes |
| One list | No | Ltd. | Not complete | Yes | Yes |
| All risks scored | No | Ltd. | Not complete | Yes | Yes |
| Actioned | No | Ltd. | Not complete | Yes | Yes |
| Monitoring controls | No | Ltd. | Not complete | Yes | Yes |
| Regular update | No | Ltd. | Annually | Quarterly | Quarterly |
| Follow-up | No | No | Informal | Yes | Yes |
| Routine going forward | No | No | Mostly | Yes | Yes |
| Roles assigned | No | No | Ltd. | Mostly | Yes |
| Certification process | No | No | No | Some | Yes |
| Mgrs. assessed | No | No | No | Some | Yes |
| IA Approach | Promote RM - use alternatives | Promote ERM - use alternatives | Facilitate / use if appropriate | Audit | Audit |

Source: https://www.iia.org.uk/media/269137/appendix_a.pdf
RBIA overview (diagram). Source: https://www.iia.org.uk/media/266012/rbia_overview.jpg
Example IA Strategy
The IA Strategy: progressing towards an improved control environment and shaping the future European organisation.
[Chart, High/Low axes; activities shown: Promote Risk Mgmt process; Promote CSA/IC; Review RM activities; Review non-changing control environment; Audit implementation efforts; Strategic result of IA.]
Example: Risk based IA (diagram)
Thank You!
https://www.iia.org.uk/resources/risk-management/risk-based-internal-auditing/