P3 Strategic (Macro) Planning 1.4

importance and purpose of audit planning

different types of plan and the strengths and limitations of each, including annual, periodic and operational plans

  • Created by: mumuna
  • Created on: 22-05-13 21:28

Importance and purpose

Strategic planning is important - The first part of macro audit planning - set the mission and value of IA aligned to stakeholder needs and org's risk maturity.  The second is periodic planning, which is a list of assignments carried out within an assigned period.   IA PUT TOGETHER  and  BOARD FINAL APPROVAL


  • - support RM and governance thru alignment of IA with long term goal
  • - identification of long term goal and activity to support IA progress
  • IA approach & method fit org risk maturity


  • requires effort and resource as est 2-3yr cycles to coincide with corporate cycle. SOLUTION - IA review strategy annually to meet stakeholder need.  Also HIA uses plan to negotiate long term resource for AC to approve, including EA reliance on IA work.

Importance and purpose - periodic plans

HIA responsible for IA strategy and annual plan.  Important as it lists assignments carried out by IA in a defined period, usually annual, but also  or 6 mthly as biz operates in uncertain environment


  • to agree risk response and RM process on assurance required
  • produce plans of all assignments in specified period
  • but also enable HIA opinion on effectiveness of RM framework aligned to assurance req by A/C


  • strong control environment can influence effectiveness - thus assessment of this will inform periodic plans and engagement scope

Intro - Annual plan based on assessment of risk and risk appetite. The more risk matures, the more reliance HIA places on assessment of risk and its use (as corporate rr) to direct audit work - alternatively IA dev own tools and methodologies for assessing org risks to derive annual plan


Implementation of periodic (annual) plan

Process of agreeing starts with putting together an approach which includes the activities and the way the process is handled to produce a quality final plan. Open and inclusive. This involves engagement with stakeholders: discussion of key areas with SM/Directors to 1) get views & possible areas for audit and 2) ensure IA remains organisationally aware to draft a relevant and useful. To do this IA:

  • anticipate and manage stakeholder expectations to ensure transparency and obj of audit work - assurance or consultancy
  • to carry out analysis require information through:
  • consult other assurance functions so IA work is complementary & not duplicated, maintaining integrity of profession and assurance map, which sets out other assurance functions and considers any overlap in requirement of IA.
  • HIA to consider resources to deliver annual plans, e.g. where insufficient resource to meet demand. Plan includes resource allocation and approval of budgets - if additional resource or specialist required
  • Once SM and other stakeholders have given input, HIA drafts written annual plan for comment prior to issue to A/C for endorsement and then Board approval. A/C challenge to ensure level of coverage of systems and that IA has resources to deliver.

Implementation of periodic (annual) plan - analysi

gathering information about the organisational environment. The four key activities that will be involved are:

1. Understanding organisational objectives

This usually means understanding the organisation's strategic objectives and its long-term plans as set out in the strategic plan. 

2. Assessing the organisation's risk maturity 

This entails getting an overview of the extent to which risk management processes have been adopted and embedded in the organisation. This is critical as risk maturity determines the internal auditing methodology, and the potential focus of assurance and consultancy work. 

3. Assessing the control environment

A consideration of the high-level control environment will indicate areas of potential weakness and risk. So, as part of strategic analysis, 'hard' and 'soft' elements of the control environment should be assessed.

4. Understanding the organisation's assurance map

Assurance maps are part of the risk management framework of which internal audit provides independent assurance.

Where there is one available, internal audit should review it as part of strategic analysis. If internal audit is doing its own assurance mapping it should be clear that it is using the information for planning purposes and not as part of a wider organisational assurance strategy.


Implementation of periodic (annual) plan - benefit

approval important to protect IA  status and resources

  • If approved by SM  - IA profile raised
  • level of engagement added credibility, profile and enhances independence
  • IA contract it will deliver assurance opinions to AC and Board and approved by same
  • HIA can publish plan in prominent place e.g. intranet in case of dispute
  • means SM are engaged and updated, promoting audit work and role ensure independence
  • help if IA short on resources - HIA to justify to AC
  • maintain integrity of assurance statements
  • process ensures focus on key risk and adds to auditor personal value
  • SM approval helps reduce risk audit work duplicates assurance work and value to EAs
  • SM buy in increases likelihood less dispute on timing and audit scope and likelihood recs accepted and implemented

A structured planning approach that involves key stakeholders helps build relationships that implement a relevant and effective audit plan


other plans - operational and cyclical

Operational plans focus on mgmt and administration of IA function

Cyclical is one that places importance on reviews of key area or risk, thus high, medium, low risk may be reviewed at the following intervals: 1, 2, 3 years respectively


Assessing Risk Maturity incl IA role or not tbc pt

R maturity is defined as:

RM adopted and applied by management to identify, assess, respond to risk that affect an org's obj.

5 levels of maturity 

  • Naive - no formal process in place
  • Aware - silo with some risk management working in isolation
  • Defined - RM framework in place with est strategy, policy and appetite but not implemented consistently
  • Managed - ERM is developed
  • Enabled - fully embedded

Key to planning 

  • determines type of assurance
  • IA planning framework relies on risk register, if not identified use own assessment
  • inform type of consultancy work

Assessing Risk Maturity incl IA role or not tbc pt


Gathering information 

  • Interview A/C to understand maturity
  • SM - is risk register comprehensive? embedded owned by those responsible
  • Risk Manager - determine RM process and improve maturity e.g. training, workshop/Questionnaire/CRSA


  • Risk response by size of inherent risk, contribution, other assurance 


  • by unit /function depends on structure - finance and customer service
  • system - key ones non current assets e.g. payroll, inventory, info mgmt
  • organisational obj

Summary of strategic plan


The internal audit strategic plan sets out the internal audit activity's long-term objectives and the activities that will enable them to fulfil those objectives. 

Strategic planning ensures that internal audit's services, processes and systems are aligned with the organisation's long-term goals and fit with the level of the organisation's risk maturity. 

The three key stages of planning are strategic analysis, understanding stakeholders' requirements and agreeing the plan with the audit committee.


performance std

2020 Communication and Approval

The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.

2030 Resource Management


The chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan.

2120 Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. 


Fraud risk

Fraud is a major business risk for all organisations - public, private and third sector, and is estimated to cost the UK economy over £73 billion each year. 

Part of the internal auditor's role is to give independent assurance to management on the effectiveness of the processes put in place to manage the risk of fraud. Understanding both traditional and new fraud risks and their potential impact upon the organisation, can help internal auditors to do this. 

For example

  • payroll fraud
  • financial statement
  • asset misappropriation
  • Information
  • Skimming
  • Expense
  • Disbursement
  • Bribery & Corruption

Factors which lead to strong control environment T



risk based audit plan - techniques


The need to manage risks has become recognised as an essential part of good corporate governance practice.

Responsibility for identifying and managing risks belongs to management; one of the key roles of internal audit is to provide assurance that those risks have been properly managed.

IIA believe that a professional internal audit activity can best achieve its mission as a cornerstone of governance by positioning its work in the context of the organisation's own risk management framework. 

The IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite. 


risk based audit plan - advantages

Management has identified, assessed and responded to risks above and below the risk appetite

The responses to risks are effective but not excessive in managing inherent risks within the risk appetite

Where residual risks are not in line with the risk appetite, action is being taken to remedy that

Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively

Risks, responses and actions are being properly classified and reported. 

This enables internal audit to provide the board with assurance that it needs on three areas:

Risk management processes, both their design and how well they are working

Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them 

Complete, accurate and appropriate reporting and classification of risks


risk based audit plan - challenges

RBIA is a challenging prospect. Organisations with a poor level of risk maturity may be that way because the managers and directors do not accept that a good risk management framework is an essential element of a sound system of internal control.

Internal audit may need to undertake a longer term programme of activity to champion risk management. 

RBIA can be implemented fully only in risk enabled and risk managed organisations. One characteristic of this level of risk maturity is that managers have to take responsibility for managing risks.

Achieving targets

RBIA is an effective way to achieve targets set for the internal audit activity, such as:

  • The compilation of an audit plan which ensures the internal audit activity fulfils its charter
  • Gaining acceptance from management that it takes appropriate action to manage risks within the risk appetite;
  • Provision of objective assurance in the three areas of risk management normally required; and
  • Keeping within the budget set for the activity.

contents of strategic plan Pt 1

Source - http://www.wipo.int/export/sites/www/about-wipo/en/oversight/iaod/audit/pdf/internal_audit_strategy.pdf

Background - statement on reason for document relative to company that internal audit provides assurance for

Purpose - put in place strategic approach relative to org long term goal - enable IA to provide independent objective review on assurance to SM/Board on effectiveness of RM, control & governance

Aim - align IA priorities with org strategic goals to produce quality review in line with professional stds

Strategic obj - add value on effectiveness of RM, control and governance in operation by

  • aligning work plans and oversight activities
  • adequate coverage of business obj and high level risk e.g audit very high risk 2 yr or - high areas 3 yr/ increase quality using latest technology, cost effective (SMART), co-ordinate other assurance functions for + coverage & reduce overlaps, Communicate results to SM/Board/ promote continuous development of staff

contents of strategic plan Pt 2


BACKGROUND - strategic doc with framework for IA activities in relation to org

2. THE PURPOSE OF THE INTERNAL AUDIT STRATEGY - put strategic approach enable IA to provide stakeholder with independent review or org biz obj system and process rm control and governance process

define priorities of IA aligned to org strategic goal for high quality in line std, best practice, regs

3. STRATEGIC OBJECTIVES OF INTERNAL AUDIT - increase value thru audit to structure, system, process to improve effectiveness and efficiency of operation in:

  • align work plans and other assurance activities/ co-operation with others
  • provide adequate coverage as per risk assessment exercise - v high 2 yr high 3 yr
  • improve quality report using technology, format that is useful and timely
  • cost effective - SMART
  • Communicate effectively with SM and Board
  • Promote continued staff devel and profession service

contents of strategic plan Pt 3

  • AUDIT PLANNING PROCESS - RM process relates to how org sets objectives, identifies risk to achieving them, assesses impact and likelihood, evaluates risk priorities and responds to risk that impacts on meeting objs
  • est sound system for SM which performs risk assessment embedded in day to day course
  • if mature, process enabled/defined/managed, then IA places reliance on org RM process
  • If not, process is aware or naive, then IA should undertake own assessment - IA conduct audit need assessment to determine coverage of operational areas, priority given to high risk.  ANA helps determine IA audit resource to effectively mandate requirements to work plans
  • based on ANA, IA prepares Risk based work plans to determine audits and other assurance activity
  • Plan revised as needed annually and considers change to org structure, business process system, RM, control
  • in revising, EA, SM, Board, other assurance, regulation taken into account
  • QUALITY CONTROL AND ASSURANCE - to follow procedure for review as per IIA and std with external assessment at least every 5 years and self assessment exercise every year with quality assurance improvement programme as per international std.
  • REVISION - statement that subject to review either 3 or 5 year or as required


