Calculating The Right Audit Coverage Part2 Rationalizing Audit Activities PDF
1. Prioritizing diverse risk inputs
2. Rationalizing audit activities
3. Engaging stakeholders in the audit planning process
Risk Scenario Workshops; ROI Challenge Sessions; Executive Audit Planning Workshops
23
Seemingly Endless Possibilities
As the number of possible audit activities increases, so does the number of possible audit plan combinations.
Application of Permutations to Calculate Audit Plan Combinations
24
Prioritizing High-Value Work for the Audit Department
Internal Audit can reduce the numerous options for the audit plan by focusing on high-value work.
Solutions for Ensuring a High-Value Audit Plan
25
Assurance Contribution Map
Overview
InterContinental Hotels Group’s combined assurance model uses an assessment of the appropriateness and effectiveness of all existing assurance providers and their activities to best scope Internal Audit activities.
Solution highlights
Company Snapshot
Company Name
2011 Revenue: US$1.8 B
2011 Total Employees: 7,956
Total Employees Across Hotels with IHG's Brands: 345,000
InterContinental Hotels Group (IHG) is an international hotel company whose goal is to create “Great Hotels Guests Love.” It is the world’s largest hotel company by room count, with more than 658,000 rooms in more than 4,480 hotels across nearly 100 countries. Guests make more than 160 million stays in IHG hotels every year, in seven hotel brands—InterContinental, Crowne Plaza, Hotel Indigo, Holiday Inn, Holiday Inn Express, Staybridge Suites and Candlewood Suites.
26
The Combined Assurance Framework
Global Internal Audit work is performed within the context of a wider assurance framework and considers where alternative sources of assurance may be relied upon.
Overview of Assurance Providers at InterContinental Hotels Group
[Diagram labels: Legal; Compliance; Regulators; External; SOX; Audit. Listed items: Audit engagements; One-to-one meetings; Specialist presentations.]
1. Global Internal Audit is the ultimate provider and coordinator of assurance to the Board.
2. To the extent that the assurance provided by the functional assurance groups is
considered sufficiently independent and robust, Global Internal Audit will not normally
duplicate work covered by these functions.
3. Global Internal Audit will draw on activities from other assurance providers to deliver an
integrated assurance opinion on IHG’s internal control framework to the Audit Committee.
27
Stakeholder Mapping and Continuous Risk Assessment
Structured and continual interaction with key business stakeholders provides continuous information on prevailing risks and the nature and effectiveness of all assurance activities.
Global Internal Audit Relationship Map and Staff Responsibilities
Global Internal Audit Relationship Map: Executive Committee and Direct Reports
Guidance Note:
The Executive Committee and Direct Reports Relationship Map defines the relationship owners and managers for executive management. Defining these relationships is the first priority in the stakeholder relationship initiative as they represent the senior layers of management.
■■ These continual, one-on-
activities.
President EMEA
EVP Global Human Resources
Head of Audit EVP Chief Marketing Officer
EVP General Counsel and Company Secretary
CEO CEO for AA
CEO CEO for GC
SVP Global Communications
President Americas
Comms
Director, Global
SVP Global Communications Officer
Internal Audit
28
Leveraging the Three Lines of Defense
Based on information gathered through the risk assessment process, notable sources of assurance are identified and assessed across each of the three lines of defense.
Overview of the Three Lines of Defense Model
■■ The strength of each successive line of defense will help determine Global Internal Audit’s scope of activities.
[Diagram: First Line: Management Control Framework; Second Line: Functional Assurance; Third Line: Independent/External Assurance. Other labels: Global Functions; Geographic Regions; Hotel Operations; Internal Audit; Assurance.]
29
Assurance Mapping
InterContinental Hotels Group’s Assurance Map
Illustrative
An assurance mapping exercise is conducted to help determine the audit plan and establishes Group Internal Audit as the ultimate provider
and coordinator of assurance.
Minor Decrease
2. Component Risk: Risks are further broken down into specific, identifiable and auditable areas.
4. First Line/Second Line/Third Line of Defence: Areas of assurance that mitigate the identified risks across the organization are mapped and assessed based on the relative level and effectiveness of assurance provided (i.e., Minor, Moderate, Significant), color coded from light to dark.
6. Planned Global Internal Audit Assurance: Having considered all risk information and the level/quality of the related known assurance activities across the organization, the final column represents the Global Internal Audit Plan.
30
Sample Assurance Map
Illustrative, Not Actual Data
© 2012 The Corporate Executive Board Company.
All Rights Reserved. ADR3638212SYN
32
ROI Challenge Sessions
Overview
Old Mutual Group needed to increase the value provided to the business by focusing their audit resources on ROI
activities. The internal audit department used challenge sessions, regulator engagement and executive buy-in to ensure
that the audit plan aligned to stakeholders’ needs and provided the greatest possible value to the business.
By doing this they were able to conduct fewer, more targeted audits.
Solution highlights
Challenge Sessions
The audit department held sessions to challenge and pressure test business unit audit plans to ensure that the Group
plan would provide as much value to the business as possible.
Company Snapshot
33
TESTING FOR HIGH ROI ACTIVITIES
“Challenge sessions” pressure test business unit audit plans and ensure the master Group plan provides the greatest value to the business.
Key Characteristics of Old Mutual’s Audit Planning Challenge Sessions
■■ Challenge sessions are conducted every quarter as the department solidifies the audit plan for the upcoming quarter and builds out the pipeline for an additional three quarters.
1. Defense of the Plan
Heads of Audit at the business unit level present and defend against challenges to their audit planning decisions.
Test for High ROI Impact: Ensures focus on the highest risk areas by pressure testing the “risk reason” behind each audit activity.
2. Above/Below the Line Resource Exercise
Heads of Audit are asked how the plan would change if they had 5% more or fewer resources.
Test for High ROI Impact: By forcing teams to identify true “must have” audits, the group avoids building a plan directly to resource capacity.
3. Searching for Risk and Control Themes
Representatives from the Centers of Excellence participate in the challenge sessions to identify themes for cross-business unit audits.
Test for High ROI Impact: Identifies potential group-wide audit activities to be handled by the Centers of Excellence or conducted by audit teams across the entire organization.
34
RESULTS: DOING BETTER WITH LESS
Old Mutual now conducts fewer, but more impactful audits to the organization.
Number of Audits Conducted per Calendar Year
Average Hours for an Audit Engagement
731
473 300
423
35
Targeted Risk Coverage
Overview
The Depository Trust & Clearing Corporation (DTCC) needed to ensure that the highest risks facing the company were
addressed appropriately through the audit plan. The internal audit department facilitated risk scenario workshops to
identify high impact risk events and subsequently redefined how these risk events were covered in the audit plan.
Solution highlights
Targeted Audits
Targeted audits cut out waste and allow for an intensive, multi-perspective focus on the highest risk areas. Through this approach DTCC decreased the number of hours per audit and increased the number of audits it conducted.
Calculating Audit Coverage
Overlapping coverage on high priority risks is encouraged by calculating how each risk is covered in the audit plan.
Company Snapshot
36
Trying to Find the Right Time for the Right Risks
DTCC’s audit plan covered the high risks, but audit time spend didn’t reflect the relative importance of each risk’s impact.
Three Obstacles to Covering Top Risks
■■ Impact
An outage could have a devastating impact on both DTCC and financial markets as a whole.
■■ Audit Coverage
An annual audit review of Disaster Recovery tests, using a standard audit program.
■■ Time Spent
800 hours, representing just 1.2% of total available audit resources.
37
Tying Audit Activities to Hypothetical Risk Events
A variety of audit activities are used to test the control environment surrounding each hypothetical risk event.
Example Audit Plan Spreadsheet
■■ Each risk event will have at least one audit activity associated with it. Some risk events may have more than a dozen activities linked to them.
[Spreadsheet column headers: Hypothetical Risk Event; Impact of Risk, If Realized; Description of Work; Type of Review. Sub-column label text: Reputational, Regulatory, Systematic, Monitoring, Horizontal, Proactive, Financial, Targeted, Business, Cycled, Review, Impact.]
38
Targeting Risk Two Ways
Targeted audits cut out waste and allow for an intensive, multi-perspective focus on the highest risk areas.
Demonstration of Change in Coverage Due to the Use of Targeted Audits
Illustrative
■■ Through this approach DTCC decreased the number of hours per audit and as a result increased the number of audits it conducted.
2010 Approach to Covering Business Continuity Planning
■■ BCP elements covered as part of each cycled end-to-end audit
■■ Primary focus on Disaster Recovery Testing and overall Business Continuity (covering process as well as technology and non technology components)
2011–2012 Approach to Covering Business Continuity Planning
[Coverage matrix. Column header text: Technology, Nontechnology, Third, People, Premises, Systems, Parties. Row labels: Process, Prevent, Detect, Diagnose, Escalate, Recover, Resume. Cell entries are years (2010, 2011, 2012) or "Future".]
39
Redefining Coverage to Maximize Impact
Overlapping coverage on high priority risks is encouraged by showing how each risk is covered.
Typical Risk Coverage Approach
Illustrative
40
Results: Targeting High-Impact Work
DTCC dramatically shifted where and how it spent its time by emphasizing targeted coverage on the most severe risks.
Percent of Total Project Resources Spent in High Risk Areas
2009: 41%
2012: 70%
∆ = 71%
41
Rationalizing Audit Activities
Key Takeaways
1. Assess the degree of and quality of assurance provided by other functions to determine
opportunities to provide the highest value assurance.
2. Challenge the audit team to articulate the value of audit activities as part of the audit planning
process to ensure high ROI activities are included in the plan.
3. Cut waste from audits by targeting only the highest risk parts of a process, location, business unit
or issue area.
4. Redefine audit coverage by calculating time spent in high risk areas, instead of blanket coverage
of a risk or area of the business.
42