- Number of slides: 105
Seminar Developing a robust internal audit plan 30 April 2014
Agenda
10.00-10.15 Welcome and introduction. Martin Robinson, Training Development Adviser, IIA
10.15-10.50 What are current and leading and emerging practices for developing an Annual Audit Plan? Chris Spedding, Senior Manager, Ernst & Young
10.50-11.25 Mapping the business and risk fundamentals. Alison Smith, Group Audit and Risk Management Director, Kingfisher Group
11.25-11.40 Coffee
11.40-12.15 Effective audit planning methodology and process. Gordon Craig, Director Internal Audit, 3i Group Plc
12.15-12.50 Focusing on budget, time and monitoring issues. Robert Tunstall, Head of Internal Audit, ED and F Man
12.50-13.50 Lunch
Agenda
13.50-14.25 Populating the plan with staff skill requirements. Matt Spano, Head of Internal Audit, Motability Operations
14.25-15.00 A current good practice example. Scott Strachan, Global Head of Internal Audit, Aberdeen Asset Management
15.00-15.15 Coffee
15.15-15.30 IIA guidance and EQA experiences. Martin Robinson
15.30-16.00 Workshop discussion. Martin Robinson
16.00 Feedback and close
Seminar objectives • Deliver an overview of the key issues involved in developing robust internal audit plans • Learn about recent experiences from an excellent panel of speakers • Provide an opportunity to share knowledge with other delegates.
Current, leading and emerging practices for developing an annual audit plan
Constant challenge of audit planning Ernst & Young’s most recent Internal Audit Survey reported that 62% of internal audit functions believe their risk assessment and audit planning processes are in need of enhancement. “Audit planning is about as tough as it gets for the internal auditor. Deciding which areas of the business make it to the plan, the resources required and the appropriate timing of audit work is a critical, yet complex task.” “The primary driver for improvement of my function comes from my own Audit Committee, who constantly want our views on issues that concern them – and we simply have to respond speedily and reliably”.
Agenda 1. Challenges to effective audit planning 2. Defining the audit universe 3. Progressive risk assessment 4. Dynamic audit planning 5. Conclusions / questions
Context
The Internal Audit planning process has been largely unchanged for many years… Audit Universe Risk Assessment Prioritisation Selection and Sizing Risk Parameters Coverage Parameters Audit Plan Approval Required Audits …with refinements to meet specific needs and improve sustainability and flexibility.
The impact of the business environment on the internal audit risk assessment Economic Factors Regulatory environment Technology and other change Fundamental business model change Rapid change in risk profile Changes in Risk Management Changes to IA remit / approach Changes in Risk appetite Significant change to universe and Internal Audit priorities …will result in significant change to internal audit plans
Changes to Business Models ► Major change programs to reshape the business and redefine the target operating model ► Increasing demand for ROE – profiles may change to achieve this ► Increased potential for mergers, acquisitions and expansion ► Affordability of reform and business change a major challenge with many competing priorities ► Constrained capital and liquidity availability ► De-globalization/deleveraging (withdrawing from markets and business lines) ► Movement toward a sustainable cost base and future position (reduced headcount, smaller bonus pools, new efficiency programs) ► Ever increasing importance of technology across the business model
Changes in Risk Management ► Continued improvements and changes in risk management approaches and structures ► Increased stakeholder pressure for more effective risk governance ► Definition and embedding of risk appetite is cornerstone in risk management processes but long way to go before truly embedded ► Quality of data and systems remain impediments to effective risk management ► Identification and mitigation of emerging risks ► Industry and regulator views that there is still a lot of work to be done ► CRO relevance: § Increased enterprise wide influence § End to end involvement in risk decisions § Direct access to board or risk committees
Changing Regulatory Expectations New regulatory standard in financial services ► July 2013 Chartered Institute of Internal Auditors “Guidance for internal audit in financial services” ► January 2013 Federal Reserve “Internal Audit and its outsourcing” ► 2012 Basel Committee “Internal Audit function in Banks” Whilst focused on FS sector, the principles are applicable to all sectors ► Need for stronger mandate around protection against key risks ► Board level relevance and standing – “voice at the top table” crucial ► Expected to complete robust assessment of the second line of defense, i.e. governance, risk management, compliance ► Responsive and flexible ► Implications for resourcing strategies ► Improve involvement, influence and impact
Defining the audit universe
Defining the audit universe ► What is the Purpose of the Audit Universe? Can these purposes be achieved in other ways? ► What is the optimum structure of the Audit Universe? Business decomposition, organisational unit, process or a matrix? ► What is an appropriate level of detail? How many items is common? ► How can an audit universe be properly maintained? ► How can business acceptance of the universe be achieved?
Defining the audit universe Internal Audit should have effective processes to identify all auditable entities within the auditable universe. The number of auditable entities will depend upon whether entities are captured at individual department or at other aggregated organisational levels. Factors to consider can include: ► Departments/ functions/ geographies ► Organisation charts ► Management listings ► General ledger ► Cost centres ► Major operating systems ► Major product lines ► Significant laws/regulation ► Key risks ► Other data points The audit universe should be documented and reviewed periodically (recommended annually, or as significant organisational, financial, risk or product changes occur). Federal Reserve, 2013-01
Progressive risk assessment
Progressive risk assessment ► What is the purpose of the Risk Assessment? Is a standalone risk assessment required? ► To what extent can Internal Audit utilise other assessments made by other parts of the business? ► How can a risk assessment reflect the emerging needs? ► How can we best engage stakeholders with the risk assessment process? ► What weighting should internal audit apply to materiality, inherent risk and detect characteristics?
Progressive risk assessment Internal Audit must analyse the key risks, mitigating governance, risk management and control. Risk assessments should be: ► Both qualitative and quantitative ► Informed by, but not reliant upon Executive and Risk management input ► Formally documented with written analysis/rationale to support assumptions ► Approved by the audit committee at least annually / upon material changes Internal factors ► Organisational strategies ► Thematic control/ governance issues ► Changes to systems, processes or business model ► Risk appetite/tolerance levels ► Date of last audit External factors ► Macro economic conditions ► Changing market conditions ► Changes to laws/regulation ► Competitor events / analysis ► Key vendor dependency
Progressive risk assessment Fully engaged with the organisation Risk assessment and audit planning must involve real engagement with a range of stakeholders and inputs: ► Multiple layers of management (1st and 2nd lines of defence) ► NED (both Audit and Risk Committees) ► Regulators ► External bodies / co-source providers / peer networks “Real engagement” facilitates input, commitment and buy-in ► Workshops ► 1-2-1 meetings and follow up sessions ► Surveys – internal and external ► Throughout the year, responsive to changes in stakeholders
Dynamic audit planning
Internal Audit planning considerations The annual plan should be developed with the ultimate objectives of internal audit at its core. The plan must generate the overall outcome required of internal audit – high impact reporting and sustainable improvements in the organisation. Clarity of purpose and role; Substantive outcomes; Importance of independence; Shape of Audit Plan; Utilisation of resources; Appropriate audit response; Improved impact in reporting
“Plan to Report” The annual plan must be created with the “end goal” at its core ► Overall assessments (at least annually) of risk management, governance and control ► Embed assessments of governance, culture, risk management etc into every audit performed ► Clear assessment against key risks ► Prove or disprove hypotheses against each key risk ► Thematic issues - not just a consolidation of audit issues ► Critical / high risk issues raised ► Root cause analysis – action required of management to remediate the issues ► Clearly articulates management action required to bring issue back within risk appetite
Dynamic process for assessing and communicating audit needs Group Risk Strategy Stakeholder key expectations / desired outcomes Group Risk Appetite / Risk tolerances Completeness checks Critical planning Inputs Audit Needs Assessment Challenge and review Audit Plan Reliability assessment ► Flexibility is key (3+9 / 6+6) ► Full re-performance of risk assessment is not always required – trigger events ► Continuous monitoring and engagement activities with pipelines of information constantly being assessed for audit planning implications ► Strong stakeholder engagement to inform changes, and be informed of them ► Change control over the audit plan (materiality of change)
Conclusions
Key Principles to apply “Plan to Report” ► Overall assessments of governance, risk management and control ► Mandate on ► Key risk centric – move away from multi-year cyclical plans and the concept of the rigid Annual Audit Plan ► Top-down analysis focused on business process to avoid unnecessary detail and address silo created risks ► Group materiality and significance based ► Strong engagement with all stakeholders. Input provided by stakeholder groups using specifically designed forums ► Knowledge acquisition, capture and deployment underpins the assessment ► Adoption and incorporation of group wide approaches (example risk assessment, control self assessments) ► Flexibility incorporated into the planning process by transforming it from a discrete (once or twice a year) activity to an on-going process ► Formal rationale for risk assessment and audit plan to the Audit Committee
Questions?
Ernst & Young LLP Assurance | Tax | Transactions | Advisory www.ey.com/uk The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited. Ernst & Young LLP, 1 More London Place, London SE1 2AF. © Ernst & Young LLP 20112 Published in the UK. All rights reserved.
Developing a robust internal audit plan Mapping the business and risk fundamentals Alison Smith Group Audit and Risk Management Director Kingfisher plc
Today • My brief • Understanding your business and organisation • Exploring business processes • Effective use of your risk database/register • How • Internal Audit team • Kingfisher plc – who we are, strategy • Understanding the business, organisation and process • Risk assessment process and the business planning process • Audit planning process – how we demonstrate the link to strategy • Effective use of the risk register and the business • Challenges developing and maintaining the plan
Team Overview • 65 in the team, based in 7 countries • Each team covers store and corporate audit in the region • IT is audited by a central team, UK based • Audit work covers all areas – e.g. stores audits, customer complaints, stock, multi channel project, stores training, waste management • Responsible for facilitating the risk assessment/identification process • My Background • Retail, logistics, manufacturing
Kingfisher plc • Europe’s largest home improvement retailer • 1,120 stores • We employ 78,000 people • Six million customers shop in our stores every week • Turnover £11bn+ • 10 operating companies in 9 countries • B&Q – 360 stores, 21000 employees • Brico Depot Romania – 15 stores, 1000 employees
‘Creating the Leader’ Easier; Common; Expand; One Team 1. Making it easier for customers to improve their home 2. Giving our customers more ways to shop 3. Building innovative common brands 4. Driving efficiency and effectiveness everywhere 5. Growing our presence in existing markets 6. Expanding in new and developing markets 7. Developing leaders and connecting people 8. Sustainability: becoming ‘Net Positive’ Sales; Gross margin; Cost efficiencies
Understanding the business, process and organisation • Business planning process • Annually budget and reforecast • 3 year planning process • Addresses how we will achieve our strategic objectives and growth targets • Risk Assessment process • Internal Audit facilitate the risk assessment – formally updated twice a year. • First Update • Coincide this exercise with the 3 year plan exercise carried out by the management teams • Update the risk assessment with Operating Company Boards and we review the 3 year plans • Are the risks identified representative of the 3 year plan? • Each risk is linked to a strategic objective or an operational area
Risk assessment matrix – linked to the strategic objectives [Matrix figure: Occurrence (Unlikely, Fairly Likely, Probable, Highly Probable, Almost Certain) against Impact (Manageable, Major, Significant, Critical, Catastrophic)] Risks plotted: 1: Change Management (Easy); 2: Systems & supply chain (Easy); 3: Combined Purchasing (Common); 4: Like for like Growth (Expand); 5: Global Economy (Expand); 6: Agility & capability to expand overseas (Expand); 7: Investment in people (One Team); 8: Price competitiveness (Operational); 9: Supplier Resilience (Operational); 10: Health & Safety (Operational); 11: Ethics & Compliance (Operational)
Audit Planning • Second Update to the risk assessment • During the ‘annual’ audit planning exercise • How we prepare the plan • Review the results of the previous year’s work – grades, complexity, change • Review the risk assessment – sometimes this only covers the risks which are ‘not well controlled’ • Strategic risks versus operational risk • Gross versus net risk? • Discuss with management • Prepare the plan and discuss with management • Present to the local Audit Committee for approval • Link each audit to a strategic objective or an operational area
Do we make effective use of the risk register? • 80% of the Group risks relate to our strategic objectives • At Operating Company level circa 50% relate to strategic areas, dependent on the Operating Company • 37% of our work relates to our strategic objectives • Do we have a risk based approach? Are we making effective use of the risk register? [Pie chart segments: Easier, Common, Expand, One Team, Operations; values shown: 15%, 9%, 6%, 6%, 63%]
Example of our Audit Approach Extending omnichannel capabilities across the Group (Easier) [Diagram stages: Best in class; Mass Rollout; Testing; Preparing] • Screwfix CP&C* up 32% YOY; now 10% of total sales • B&Q UK CP&C* rollout 2014; doubled products for home delivery in 2013 • France & Turkey CP&C* trials 2014; Screwfix Germany trial • Mobilising in Poland, Russia, China & Spain incl. new & mobile friendly websites & home delivery * Click, Pay & Collect
Controls What Control structures not well developed. Heavy reliance on manual controls and some segregation of duties issues due to size. Systems Standard systems in place, complicated by manual/ paper processes in place alongside systems Change Business expansion and stabilisation of the business e.g. China 3 2 1 Controls Simple control structures, more reliance on manual control Complex control structures in place, mixture of electronic and manual Systems Standard systems in place, based on larger OpCo systems Bespoke legacy systems, difficult to change. Change High level of project activity to enhance the existing processes and systems and delivery on the strategy e.g. Multi channel, BI Change activity focussed on expanding the business, resulting in changes to existing infrastructure requirements e.g. Supply Chain (Casto Poland) Change Who Audit Approach The audits will focus on ensuring there is a strong financial and commercial control structure in place on which to take the business forward. How Assurance work to ensure existing control structures maintained. Some audit work on changes to existing processes being made to enable expansion. Audit work to focus on the changes underway, more project audits undertaken. Some assurance work to ensure existing control level maintained. B&Q China Russia, Spain, Romania Casto Poland B&Q, Casto France Turkey, BD France Screwfix
Questions?
IIA seminar Developing a robust internal audit plan 30 April 2014 Gordon Craig
1. Introduction to 3i. IIA Seminar April, 2014
2. Agenda § Dynamic audit planning – what it means and why do it § Developing a rolling audit plan – approach and structure § Process and timing – adapting the plan and communicating changes § Final thoughts
3. Dynamic audit planning What is it? § Dynamic = not static § ‘Annual plan’ is a thing of the past § Requires regular changes – weekly, monthly, quarterly § Draws, systematically and regularly, on multiple feeders incl. stakeholders views, risk analysis, strategy, external developments Why? § Audit Committees (should) expect it § Circumstances and priorities change - sometimes very quickly § Need to be ‘front of foot’ e.g. hot topics; themes § Forward looking vs. ‘rear view’ § Optimise resource allocation
4. Developing a rolling audit plan APPROACH § Identify the main drivers of your plan: Strategy; Business performance; Stakeholders; Risk analysis; Change management § Identify and ensure access to key sources of information • Strategic review / update • Board papers • Committee papers e.g. Risk • Attendance at meetings • Investment & project proposals • Project update reports / steer co. minutes • Regular scheduled meetings with key stakeholders e.g. Audit Co Chair; CEO; FD • Performance reports (e.g. monthly management accounts)
4. Developing a rolling audit plan cont. Structure § Establish and agree a clear ‘cascade’ of priorities which fits your organisation § Populate quarter by quarter § Clear focus on the current quarter § Planning should be ‘thinner’ as you move further along the time horizon Category • Change management support & reviews • Investigations and special projects • Thematic reviews • Process reviews • Cyclical audits • Ad hoc advice and support
5. Process and timing Quarterly update § Should include: • a review of current key group projects and planned audit approach • review of longer-term cyclical audit planning, including a completeness check against historical audit coverage of operating units / key business processes • review of audit coverage against the key risks and risk mitigation plans • meetings with stakeholders to confirm priorities § Roll forward, and retain prior quarter plan for reference § Changes can and should be made between quarterly updates § A more in-depth review is recommended (e.g. annually aligned to the strategic review cycle)
5. Process and timing cont. Communication The quarterly rolling plan should be a ‘live’ document, communicated regularly e.g. in meetings; Committee updates etc Recommend showing prior two quarters (combined), current quarter and next two quarters for context / reference Audit Committee needs to understand the process, articulate its priorities and allow leeway to the head of audit to exercise judgement and flex the plan between Committee meetings
6. Final thoughts Dynamic planning: § requires and encourages greater engagement § involves regular judgement and is more professionally / intellectually challenging § delivers more transparent and efficient resource allocation § works in tandem with other key Group processes - e.g. strategic planning cycle; risk reviews - and, therefore, will feel more relevant § should not overlook the importance of routine, cyclical reviews, including areas of ‘lower’ risk
Internal Audit - Budgeting April 30, 2014
Agenda • Who are ED&F Man? • Internal Audit Department • Developing a realistic budget • Incorporating “non-audit” activities • Monitoring and Reporting • Common Pitfalls • Any Questions
Who are ED & F Man? Established in 1783
Who are ED & F Man? Headquartered in London 3,700 people in around 60 countries
Internal Audit Team • Head of Internal Audit • Manager • Auditors • Consultants • Secondees • Functional reporting line to the Chair of the Audit Committee. • Administrative reporting line to the Group CFO.
Developing a realistic budget • “Budget: a mathematical confirmation of your suspicions.” - A. A. Latimer • Why do we need a budget?
Developing a realistic budget • What are the IA deliverables? • Articulated in a Strategic / Tactical Plan • Approval of the Plan • How are you going to achieve the Plan – Need for a BUDGET • People / Skillsets • Consultants • Ad-hoc • Fraud
Developing a realistic budget • Other Cost Drivers? • Who owns the budget? Accountability?
Developing a realistic budget • Other Cost Drivers? • Travel – Air, Train, Car, Hotel, Subsistence (Policy!) • Recruitment (Agencies, In-house) • Training • IT Hardware • IT Software • Subscriptions And Publications • Outsourced services • Corporate recharges / Overheads / Fixed Costs
Incorporating “non-audit” activities • What are “non-audit” activities? • What percentage of time do they take? • How can they be factored into the budget?
Monitoring and Reporting • Cost Capture • Cost Allocation • Cost Reporting • Cost Monitoring • Forecasting • Monthly Cycle
Monitoring and Reporting No Surprises! Monitoring month by month:
Monitoring and Reporting No Surprises! Monitoring year to date:
Monitoring and Reporting Underspend and Overspend: Communicated Timely? Approved? Forecast adjusted?
Common Pitfalls 1. Planning based on last year’s budget. Rushing through the planning process by tweaking last year’s budget instead of starting with this year’s goals and objectives. Action: Clarify what internal audit objectives are for the coming year, and put in place a plan that supports those objectives. Focus investment where it makes sense in the coming year rather than spending in the same budget ‘buckets’ as last year.
Common Pitfalls 2. Descending into Spreadsheet Chaos! Use of massive spreadsheets or workbooks with multiple tabs, unwieldy number of columns, macros and multiple versions. Only the person that created the spreadsheet can understand and navigate through the data. Action: Adopt a disciplined approach with a spreadsheet that is from a single source (version control) and that is appropriately formatted with explanations in the spreadsheet.
Common Pitfalls 3. Planning the internal audit budget within the Finance framework. Issues can arise when finance assigns a couple of line items to internal audit. Lack of correlation between IA plan and the overall finance plan. Risk of mistakes being exposed and lack of credibility. Action: Boost confidence with the Finance team by having a detailed budget that aligns to any summary numbers in the overall Finance budget. Evidence that IA are budget conscious and supports company’s objectives and goals.
Common Pitfalls 4. Hiding the Plan, restricting optimal decisions. Lack of visibility and execution makes even the best plan meaningless. Action: Your IA plan needs to flow into the day-to-day execution of the internal audit function, including all activities granting relevant people visibility into their parts of the plan and budget.
Common Pitfalls 5. Ignorance of current spend. Lack of reliable data of amount spent in the current month and year-to-date. Action: Obtain the granularity of data to be able to understand current expenditure versus budget.
Common Pitfalls 6. Lack of communication of plan and progress against the plan. Lack of grasp of budget by the various teams / groups within the internal audit function. Action: Communicate plan to the entire team in order for all to execute the action items of the plan.
Common Pitfalls 7. Following the adage: “Never base your budget requests on realistic assumptions, as this could lead to a decrease in your funding.” Excessive buffering and padding of the budget so as to minimize any questions or interference by Finance. Action: Internal Audit need to be ethical, evidence sound judgment in behaviours and lead by example.
Any Questions?
International Conference 2014 • London’s ExCeL centre, 6–9 July • World’s biggest internal audit event, with 2,000+ delegates and 200 speakers. People are travelling from over 100 countries! • Fascinating keynote speakers include Alastair Campbell, Michael Woodford and Noreen Hertz • Nine education streams to choose from • A social programme will provide networking opportunities • Members pay just £895 + VAT until 16 May Book your place at www.iia.org.uk/london2014
IIA Heads of Internal Audit Service (HIAS) Join our exclusive network of 270 Heads of Internal Audit and benefit from… 1. Get ahead and stay up to date: Receive updates on the latest developments in the profession to help you respond to the demands of a competitive and increasingly regulated business climate 2. Build your network: Meet and share ideas with peers from a range of sectors, private and public 3. Lead the profession: Help influence current and future thinking on internal audit and IIA policy and strategy, HIAS members are at the forefront of the profession 4. Share best practice: Compare practices, benchmark your organisation and learn new ways of working For more details of how to join visit www.iia.org.uk/hias
Populating the plan with employee skill requirements 30 April 2014 Matt Spano – Head of Audit – Motability Operations
Agenda 1 Introduction 2 Employee Skills Evaluation 3 Matching Audit Plan Requirements with Current Skills 4 Identifying skills deficiencies & the need for co-sourcing / outsourcing 5 Conclusions / Questions
Introduction • MO is classified as a not-for-profit organisation, and is owned by the UK's four major banks - Barclays, HSBC, Lloyds and RBS. • MO has over 600,000 customers and a turnover of around £3bn. • MO accounts for >10% of new car purchases in the UK every year. • MO resells >200,000 used cars to trade every year.
Introduction • This presentation is based purely on how I manage my teams… this will vary for you depending on the nature, structure and charter of your internal audit function as well as the type of organisation you work for. • This presentation is merely common sense and could apply to any business function, not just internal audit… it is about building and managing a team that is skilled to effectively do the job the organisation needs it to do. • How many of your Internal Audit functions are: • Outsourced? • Co-sourced? • Staffed completely with ‘internal auditors’. • Use ‘non’ audit specialists from within your own organisations? • Other?
Introduction • Survey of Heads of Internal Audit on CIIA website (May 2010) highlights a broad range of qualifications and practical experience amongst internal auditors. • Despite this, nearly 60% of all internal audit departments bring in additional resources to complete their internal audit plans. The key areas where additional skills are required were (in slide order): Information Technology; Taxation; Finance; Health and Safety; Major Projects; Business Continuity; Telecoms; Governance; Third Party Activities. Percentages shown: 36%, 19%, 15%, 11%, 7%, 5%, 4%, 2%. Sources of additional resources (in slide order): Purchased from specialist service providers; Co-sourcing with third party; Independent experts from within the business; Secondment from a third party; From other source. Percentages shown: 30%, 15%, 6%, 6%.
Employee Skills Evaluation • How you do this is dependent on a number of factors... • Size and scope of the Internal Audit team. • Maturity of the control functions. • Organisation size / Complexity and Geography. • Stakeholder Expectations: Audit Committee / Board Members / Senior Management (to name but a few). • At what stage should you evaluate the skills of internal audit? • During recruitment. • During employee lifetime. • When people leave… (depending on team size). • On-going during performance assessments / training and development / feedback from the business.
Matching Audit Plan requirements with current skills available • Chicken and egg time… how do you develop a comprehensive audit plan if you don’t have the technical or cultural knowledge of a business to identify and understand its key risk areas? • Whoever develops the audit plan needs sufficient skills to perform a robust risk assessment and build a comprehensive internal audit plan. This will involve utilising many people outside of the Internal Audit function. • Assess the Audit team’s skills against an internal audit plan developed without any reference to what current technical skills it has – should never be tempted to ignore or downplay the risk in areas of the business you don’t fully understand. • Develop basic scope documents for all audits identified on the audit plan / universe to enable a skills assessment to be undertaken. • So… you have your audit plan… how do you match it to the current skills available?
Employee Skills Evaluation: Example Skills Matrix
Employee Skills Evaluation • Belbin Team Roles - Identify behavioural strengths and weaknesses in the workplace. • Strengthscope - Helps individuals and teams to understand their standout strengths.
Identifying skills deficiencies and plugging the gaps • Review the results of your skills analysis to highlight any gaps. • Perform an assessment of the gaps and identify any actions you wish to take. • May choose not to action some of the gaps – accept the risk or provide partial assurance etc. • Look at your own organisation first: • Skill up your existing team? • Recruit to fill any gaps? • Use Secondments from the business? • Graduates? • Use of networks? • Internal Specialists: language skills / cultural knowledge in specific geographical locations? • Use of technology to fill gaps – especially in areas such as IT.
Identifying skills deficiencies and plugging the gaps • What do your key stakeholders expect? Do they want the ‘badge’ of an outsourced provider to deliver assurance on a function / product that is new or evolving? • Have to be sure a co-sourcer / outsourcer can do a better job than your internal resources – you can’t outsource this risk! • Understanding a business’s culture has a lot to do with success. • I have seen perfectly good audits from a co-sourcer rejected merely because of the way it is conducted or results presented (if they lack buy-in or lose credibility – regardless of validity of findings it will not be accepted by the business). • Effectiveness reviews – Use these periodically to validate your approach to planning and the resources used to complete the plan. • Feedback from the business – to assess whether you have demonstrated the right level of skill and understanding and come to appropriate conclusions. • Benchmark data.
Summary • Apply a common sense approach. • The skills of internal audit must be tailored to the needs of the organisation. • Use of skills matrix of some form. • Utilise the skills within your own organisation – both in planning and skilling the internal audit function. • Continuously evaluate the skills of internal audit. • Think about ‘cultural’ skills as well as ‘technical’ skills. • Can a co-sourcer / outsourcer do a better job than internal resources? • Feedback, feedback!!!
Developing a robust internal audit plan A current good practice example April 2014 Scott Strachan, Global Head of Internal Audit Aberdeen Asset Management For investment professional use only – Not for public distribution
Introduction Goal • To share how we conduct our planning process • To share insights on: – What we have developed – Why we developed it so – What we see as the key benefits and challenges
Best piece of advice! Follow the KISS theory! K – Keep I – It S – Simple S – Stupid!
And … • Whilst there are pressures to make complex – regulation, stakeholder demand etc • Dynamic and clear is always best!
Planning – the ‘old’ method • A singular functional and location view that fed a static audit plan
[Diagram labels: Locations; Departments; Audit universe; Audit risk assessment; 5 year (1 + 4) cyclical audit plan]
Planning – the ‘new’ method • A process that incorporates input from multiple, ‘sophisticated’ information sources (leverage of the explosion of data required in FS!) • Conducted continuously but formally once a quarter (co-ordinated with Audit Committee) • Results in quarter’s plan (the 3) and a proposed plan coverage for the following three quarters (the +9)
[Diagram labels: Audit risk assessment; Sword; Operational processes; Departments; Audit universe; Total Assurance sources; Multiple risk sources; Risk mapping to multiple sources; Intervention type; 3+9 audit plan]
Migration of assurance approach
[Diagram comparing the old and new assurance mix; labels: Project, Continuous, Traditional]
The risk assessment • Risk ranking taking a holistic approach that includes culture, customer outcome, and fraud • Residual scoring considers our view of the control structure and how much assurance is being provided by other groups (internal and external groups) • MI used to show % inherent risk plan coverage and % residual risk coverage
Coverage: status and change from January, with description
– Audit universe: 353 (-5%). Revisions to the IT universe to simplify the structure and align it with standard industry practice
– High residual risk/universe: 9% (-); High residual risk audit coverage: 81% (+7%). Audit coverage activity levels have remained the same along with the consolidation of IT line items on the universe plus some risk rating decreases have led to a greater coverage of high rated areas
– High inherent risk/universe: 15% (-1%); High inherent risk audit coverage: 85% (+9%). Same dynamics as with the residual calculation
Old to new! • Restrictions of the old method: – It was administratively difficult to adjust to the constantly changing risk landscape – Did little to keep the team engaged and focused on risk – Cyclical planning resulted in low risk areas being covered at the expense of high risk ones – the emphasis was on that falsehood – total assurance! – Actual work often bore no resemblance to what was previously planned and audit trail difficult to present • Benefits of the new method: – Allows greater flexibility in addressing developing and changing risks. Easy to implement and reflect change – Keeps the team focused on continuously considering and assessing risk – Allows directors and executive management to focus attention to the immediate body of work resulting in more robust oversight and challenge – Allows for more real-time reaction to changing team needs (eg inter-regional secondments)
Challenges … and solutions! • Management concern over losing coverage – Education and MI on the right risk coverage – Closer interaction with management in forming the plan (COP) = easier to show them their requests have been incorporated • ‘Perceived’ larger time commitment from the team – Only on initial set up – In aggregate the quarterly process leverages the repeated exposure to the process • Change in the team’s thought process to a more risk based approach – Suite of training, presentations, flowcharts and the use of automated tool (teammate – not essential – disciplines easily replicated!) to guide and ensure appropriate thematic risk thinking • Consistency in execution – MI and a fundamentally more manageable plan size facilitates improved QA and top down management oversight and challenge
Additional benefits … good practice? • Gained synergies with team management processes to facilitate: – Empowerment – Development – Progression – Subject matter specialism • Regulator/external review – Demonstrate dynamic, risk based, regulatory themed, strategic objective linked planning • Stakeholder buy in – Continuous engagement with business – Built in education piece – Management are living within the changing risk environment therefore appreciate/expect internal audit to be tuned in too!
IIA guidance and EQA experiences Martin Robinson Training Development Adviser, IIA 30 April 2014
My topic areas • Overview of outcomes of recent EQA reviews carried out by the IIA and some laudable examples • The IIA view of effective internal planning.
Outcomes from recent IIA EQA reviews – key issues • Requirement for a clear link between the risks of an organisation and the internal audit plan • Ensure that most important areas are included • Consider impact and value • Ensure that careful consideration is given of all change initiatives when building a plan including projects, M&A and organisational restructure etc. Cont’d…
Key issues – cont’d • Review risk management processes and procedures either holistically or as part of each audit • Consultancy work is good but need criteria for performing. Ensure adequate output and reporting. Consider value of each assignment • Critical importance of talking regularly with your audit committee and executive/senior management on the focus of your plan and content • Make sure your plan is fluid and dynamic and not ‘set in stone’.
The IIA view of effective internal audit planning • Focus attention upon the risk management process; its design, application and reporting mechanisms. • Build the audit plan around high priority risks, key areas of change and the assurance needs of stakeholders. • Where possible, work with and rely upon other assurance providers.
The IIA view of effective internal audit planning • Work with external providers of assurance in a co-sourced arrangement to fill skills and knowledge gaps. • Consider the importance of routine processes and activities (audit universe) but keep this in tune with key business risks and developments. • Make key choices, including what is not being done, transparent to key stakeholders to engage stakeholders in questions of risk appetite and the need for assurance.
Workshop discussion Subjects for wider discussion • What challenges do we face in developing risk based audit plans? • What process do we use to ensure that there has been good engagement with all key auditees and/or stakeholders? • How do we address skill and competency shortfalls?
Workshop discussion • Do we have a robust prioritisation process? • How do we “factor in” non audit work into our plans? • How do we monitor the delivery of our audit plans?
Any questions?