Risk - internal audit - QA presentation 29 August
Post on 22-Jan-2018
Developing and implementing the audit process to support your GRC program
Greg Saunders
Chief Risk Officer
Today’s presentation..
1. About CASA and what we do;
2. The evolution of internal audit methodologies and their effectiveness;
3. The importance of linkages between risk management, internal audit and quality systems;
4. Using audit outcomes to mitigate risk and drive continuous improvement.
5. Effectively managing adverse audit outcomes; and
6. Questions.
About CASA..
CASA is an independent statutory authority established in 1995;
Emphasis on prevention of aviation accidents and incidents;
Also provides safety education and training programs and is responsible for airspace regulation;
765 staff in 13 offices around Australia with an annual budget in excess of $150 million;
37,000 pilots, 13,000 aircraft owners, over 900 air operator certificate holders;
6,400 aircraft maintenance engineers and 700 maintenance organisations; and
Indirectly over 100,000 people in some way connected with the aviation industry.
What CASA does..
Develops and promulgates appropriate aviation safety standards;
Provides effective oversight to ensure compliance with aviation safety standards;
Issues certificates, licences, regulations, permits;
Conducts comprehensive industry surveillance, including that of industry management;
Conducts regular reviews of the aviation safety system to identify safety-related trends and risk factors, to promote development and improvement;
Assesses international safety developments;
Improves management of Australian administered airspace and the safety of airways, aerodromes and associated services; and
Regulates drug and alcohol management plans and facilitates testing.
Is assurance difficult to navigate?..
Organisations have historically invested heavily in assurance functions without a clear view of what potential benefits this delivers for an organisation.
The costs are significant…
…and the entire organisation is being engaged,
Resulting in a picture like this…
[Slide diagram: the assurance landscape. Labels: Unclear definition and objectives; Strategic; Operational; Reporting; Compliance; External; Legal; Risk Appetite; Assurance; Board; Quality; HSE; Corporate Responsibility; Support for Strategy; Incidents; Key Strategic Tasks; External Costs; Internal Costs; Business Unit Costs; Operations; Technical; Corporate; Board; Executive; Board Committees; Corporate Functions; Audit Committee; Internal Audit; External Audit.]
Internal audit has changed..
“Traditional”
• Reactive
• Pedantic
• Necessary Evil
• Demanding Control at all Costs
• Career Dead End
“Empowered”
• Proactive
• Partnerships
• Process Improvement
• Value Driver
• People Development
• Risk Based
Control and Accountability..
Board – Executive – Audit Committee
First Level (1st) Business Operations: an established risk and control environment;
Second Level (2nd) Oversight Functions: strategic management, policy and procedure, functional oversight;
Third Level (3rd) Independent Assurance (Internal Audit, External Audit, Other Assurance Providers): provide independent challenge and assurance.
Understanding the total control costs..
[Slide diagram: total cost of control. Labels: Initial compliance, ongoing assessment and monitoring; Business Performance; Visible Compliance Cost; Largely “Hidden”; Total Cost of Control.]
A strategic approach to planning & risk..
[Slide diagram: Risk Alignment, Assurance and Board Reporting. Labels: Stakeholder Value; Strategic Risks; Strategies / Objectives; Key Value Drivers; Best Practice; Service Delivery; Efficiency; Statutory Responsibility; Risk mitigation Strategies.]
Focus of change..
Engagement at the top;
Value creation for the organisation;
Evolving skill sets to meet new focus;
Participation in strategy development;
Integrated vs. silo approach;
New focus on partnerships; and
Integration of risk, audit and quality as key business drivers.
Value creation in context..
Using the risk management process to expand the internal audit focus, identify control weakness and utilise a quality system approach to strengthen control deficiencies..
An integrated process at CASA..
Strategic plan set by executive and endorsed by CASA board, a 3 year plan updated annually;
Business planning directly aligned to CASA strategic plan;
Risk management processes fully embedded in the business planning cycle; and then
Audit plan formulated from planning and risk identification process.
Internal audit planning..
How do we plan our Internal Audit Schedule?
Risk Based: 75%
Cyclical/Traditional: 20%
Other: 5%
Risk assessment to identify key control concerns..
Business units identify key risks in line with objectives and context of their operation;
Risk assessment conducted with existing controls - risk rating identified;
Is risk within acceptable range?
New controls implemented to mitigate risk;
New assessment conducted - target risk rating identified; then
Key strategic and organisational risks included in annual audit program.
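The cycle just described (rate each risk with its existing controls, test it against the acceptable range, implement new controls, reassess to a target rating, and feed the risks that needed treatment into the annual audit program), worked through as an added example; this is not CASA's own tooling. The 5x5 rating matrix, the bands, the appetite threshold and the sample register are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed 5x5 matrix: score = likelihood (1..5) * consequence (1..5), bucketed into bands; scores <= APPETITE_MAX are acceptable.
BANDS = ((5, "Low"), (10, "Medium"), (15, "High"), (25, "Extreme"))
APPETITE_MAX = 10

def rate(likelihood, consequence):
    """Return (score, band) for a likelihood/consequence pair."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be 1..5")
    score = likelihood * consequence
    return score, next(label for limit, label in BANDS if score <= limit)

@dataclass
class Risk:
    name: str
    likelihood: int   # assessed with existing controls in place
    consequence: int  # assessed with existing controls in place
    # proposed new controls: (name, likelihood reduction, consequence reduction)
    treatments: list = field(default_factory=list)

def assess(risk):
    """One cycle: current rating, appetite check, treat, re-rate to a target."""
    score, band = rate(risk.likelihood, risk.consequence)
    result = {"name": risk.name, "current": (score, band),
              "within_appetite": score <= APPETITE_MAX,
              "target": (score, band), "target_within_appetite": True,
              "controls_added": []}
    if result["within_appetite"]:
        return result                      # acceptable range: no treatment needed
    lk, cq = risk.likelihood, risk.consequence
    for control, dl, dc in risk.treatments:  # implement new controls
        lk, cq = max(1, lk - dl), max(1, cq - dc)
        result["controls_added"].append(control)
    result["target"] = rate(lk, cq)        # new assessment after treatment
    result["target_within_appetite"] = result["target"][0] <= APPETITE_MAX
    return result

def audit_program(register):
    """Risks that sat outside appetite go into the annual audit program."""
    return [r["name"] for r in map(assess, register) if not r["within_appetite"]]

# Constructed sample register (illustrative only, not real CASA risks).
REGISTER = [
    Risk("Surveillance backlog", 4, 4,
         [("Quarterly backlog review", 1, 0), ("Additional inspector roster", 1, 1)]),
    Risk("Licence data entry error", 2, 2),
    Risk("Untested drug and alcohol plan", 3, 5, [("Annual plan audit", 1, 0)]),
]
```

A target rating that is still outside appetite after treatment is flagged by `target_within_appetite`, which is the signal to escalate rather than close the risk.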
Risk management, internal audit and quality systems..
They should not exist in isolation;
The risk management process is a key driver in the internal audit process;
Audit-identified control weaknesses often identify process deficiencies; and
Process deficiencies often are a result of undocumented or accepted deviation from accepted policy / procedure.
Continuous improvement - AS/NZS ISO 31000:2009..
Risk management facilitates continual improvement by an organisation.
“Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation.”
Continuous improvement - ISO 9001:2008
Continual improvement
“The organization shall continually improve the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review.”
The link..
Internal audit provides the link between risk management and the quality process;
Both the risk management standard and the quality standard have specific reference to continuous improvement in an organisation;
Risk drives audit program;
Audit identifies control weakness; and
Quality process rectifies control deficiencies.
Managing adverse audit outcomes..
Two categories of adverse outcomes:
• Expected adverse outcomes
• Unexpected adverse outcomes
Expected outcomes provide willing and accepted opportunity for improvement;
Unexpected outcomes may involve confrontation, unwillingness to accept findings, adverse criticism of audit process and more.
Managing adverse audit outcomes at CASA..
Audit discussion paper submitted to CRO for endorsement prior to exit meeting;
Exit meeting attended by CRO or delegate – no surprises and verification of meeting outcomes; and
CRO manages relationships with executive managers and audit providers.
The future of internal audit..
Extensive use of data analytics – already happening;
Issues identified before they become problems;
Increased focus on “big picture” and key risks to better allocate resources;
Better customisation of KPIs and KRIs.
Questions