360 likes | 938 Views
COMPANY A Internal Audit Plan 2005/2006 15 November 2005. SECTION Page 1. Executive Summary 2 2. Introduction 3 3. Internal Audit planning cycle 4 4. 2005/06 Internal Audit Plan 6 Appendices:
E N D
COMPANY A • Internal Audit Plan 2005/2006 • 15 November 2005
SECTION Page 1.Executive Summary 2 2. Introduction 3 3. Internal Audit planning cycle 4 4. 2005/06 Internal Audit Plan 6 Appendices: Appendix 1 Heat Map showing Internal Audit coverage 2003/04 and 2004/05 17 Appendix 2 Heat Map showing planned Internal Audit coverage for 2005/06 20 Appendix 3 Candidate Audits 2006/ 07 23 Contents This report is prepared in confidence for COMPANY A and must not be disclosed to any third parties. In carrying out our work and preparing our report, we have worked in accordance with the terms of our letter of engagement dated 1 July 2003. Our report may not have considered issues relevant to any third parties. Accordingly, we assume no responsibility or liability whatsoever in relation to the contents of our report to any third parties who are shown or gain access to our report, and any use such third parties may choose to make of our report is entirely at their own risk. 1 Internal Audit Plan 2005/2006
1.Executive Summary Over the past 2 years, the group’s control environment and risk management procedures have improved significantly. Over the same period, internal audit work with a financial controls focus has been conducted at all material and continuing business units. From 2005/06 the planning of internal audit will revert to a regular cycle. The 2005/06 audit plan has been prepared on this basis. The Internal Audit Planning Cycle( see Section 3) • Audit work is planned to address highest areas of risk • High quality audits relevant to current business needs • Coverage for the entire group over a 3 year cycle • Continual emphasis on controls assurance reporting, issues resolution and effectiveness of risk management procedures • Compliance with best practice in corporate governance The 2005/06 Internal Audit Plan(See section 4) • 23 audits assignments planned with coverage for each division • High level of management input into the plan which should lead to ownership of actions • Financial control remains a key theme of the plan with all 23 audits addressing financial control performance. Furthermore, 13 audits focus on areas of opportunity for profit improvement or revenue growth • 8 audits addressing control aspects of significant change initiatives that the group has planned or commenced in UK and North America 2 Internal Audit Plan 2005/2006
Background AAA have completed two years internal audit plans since appointment on 1st July 2003. 2005/06 is covered by the contract agreed at that date. During 2003/04 and 2004/05 a total of 46 internal audit assignments have been conducted. The primary focus of this work was to assess the quality of financial control across all the group’s operations. Internal audit work has been conducted at all of the major (and continuing) business units in the UK, Northern Europe and North America at least once in the 2 year period (see Appendix 1). Over the past 2 years significant improvements have taken place in the group’s control environment and risk management procedures. The group risk profile is significantly changed following completion of re-financing, disposals / re-structuring, outsourcing / off shoring and the implementation of common, Oracle based financial systems in the UK. Contents of this document Section 3 of this document sets out the changes we propose for deciding Internal Audit coverage from 2005/06 onwards. Section 4 sets out our proposed Internal Audit plan for 2005/06 and explains the basis of its preparation and the key business issues that underpin it. 2. Introduction 3
3. Internal Audit Planning Cycle For the 2005/ 06 plan onwards we propose to change to the focus of Internal Audit work to one that reflects the control improvements that have taken place over the last 2 years. 2003/04 and 2004/05 2005/06 Onwards The first 2 years of IA coverage has focused on visiting all of the groups major, continuing business units with the primary purpose of assessing the adequacy of internal financial controls. Changes in the risk profile, together with improvements in risk management procedures and the internal control environment, mean that the internal Audit plan can revert to a cyclical approach whereby areas of higher risk receive greater, more frequent coverage. The primary principles driving internal audit work to date have been: • ‘Blanket’ coverage of material, continuing business units • Financial controls focus • Re-enforcing basic disciplines of internal control compliance • Push through improvements in control where necessary and report progress accordingly The primary principles driving future internal audit work are: • High quality audits delivering business focused recommendations • Risk focused plan • Regular cycle of work (see page 5) • Ensuring progress in the control environment is sustained and progressed • Evolving needs of business are anticipated and addressed • Developing regulatory needs associated with strong corporate governance are addressed This generated the following outputs: • Knowledge of whether appropriate controls exist and are being consistently applied – and where necessary, improved to baseline standards • External Audit acknowledgment of Internal Audit work The following outputs are intended: • Assurance over the operation of key controls • Insights into improvements to process and control aimed at improved business performance • Explicit External Audit reliance 4 Internal Audit Plan 2005/2006
3. Internal Audit Planning Cycle (continued) From 2005/ 06 we propose to implement a regular cycle of work. The approach we set out below is in line with best practice and complies with corporate governance requirements set out in the Combined Code. Key Principles driving the Audit Cycle Proposed Audit Cycle • Each years’ audit plan will be driven primarily by risk, with those parts of the business with higher inherent risk made subject to deeper, more frequent audit. • Overall intention should be to provide coverage of all areas of the business (except immaterial), at least once in a 3 year cycle. • The nature and extent of audit coverage will reflect the need for assurance and will take account of other sources such as controls assurance reporting (CAR) and management views. • Important changes in the market or within the business (including to structure or process) create risk that audit plans will also address. • The audit plan will be flexible to meet changing business needs. • The annual plan will be approved by Audit Committee together with significant changes to plan. Higher Risk Audited at least once each year Medium Risk Audited once in 2 years Lower Risk Audited once in 3 years Note: The level of risk (higher, medium or lower) is primarily a matter of judgement and is relative, not absolute. The assessment of risk levels will take account of likelihood of control issues of certain magnitudes occurring, the magnitudes being those approved by Audit Committee and used in issues reporting. 5 Internal Audit Plan 2005/2006
The 2005/06 plan calls for 660 days of auditor delivery time. A summary of the time allocations is set out on page 7. Page 8 highlights the major themes that the audit plan addresses and shows how these are responsive to key business issues facing the group. The proposed schedule of audits for 2005/06 is set out on pages 9-14. 4. 2005/06 Internal Audit Plan How the Plan was prepared • We have consulted a wide range of senior management across the group concerning areas they believe should receive audit coverage. In all 36 interviews have been conducted covering all key business units. • Revisited the Heat Map used in 2003/04 and 2004/05 and, working with senior management; • Re-aligned the process model to match the evolving business structure; and • critically reassessed each process (see Appendix 2) • Designed the 2005/06 audit plan to build upon previous audit coverage and the results of previous audit work. • Reviewed the Group’s risk management report as presented to the November 2005 Board, to ensure that the plan appropriately reflects the key risks. • Cross checked the plan to ensure it addresses developing regulatory requirements with particular reference to corporate governance. In this section we set out the highlights of the 2005/06 Internal Audit Plan. The plan has been prepared in accordance with the Planning Cycle (see page 5)and reflects the principles that support the revised cycle (see page 4). 6 Internal Audit Plan 2005/2006
The highlights of the 2005/06 internal audit plan are: Reduced focus on: the BSS following extensive work carried out in the previous 2 years. The focus of current year work is on project lion and on checking integrity and efficiency issues associates with key reconciliations. Airways in recognition of control improvements that have taken place and as manual intensive processes are replaced with IT systems that are anticipated to provide more robust controls. UK Charter and Non Charter. In 2003/04 extensive work was carried out on key financial control and key product offering processes. Additional focus on: Group functions, specifically foreign exchange and cash management, coupled with the impact of IFRS. Subsidiary A and Subsidiary B following limited attention paid in last 2 years relative to their materiality. CHART HAS BEEN REMOVED The number of audit delivery days proposed in 2005/06 is 660, compared to a plan for 615 in 2004/05 (and expected outturn of 640). The allocation of days by business for unit/division for 2005/06 and past 2 years is set out on the following diagram. 4. 2005/06 Internal Audit Plan – Highlights 7 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – Key Themes The audit plan 2005/ 06 reflects the key issues that are relevant in the business as at the point of preparing the plan. We have categorised them under the headings “Market Factors”, “Internal Factors” and “Regulatory/ Compliance”. • Market Factors • Competitive market • Oil price impacting margins • Product substitution and impact on product offerings • Climate change/unexpected events • Internal Factors • Wave 2 outsourcing • Maintaining momentum - embed control improvements • Partnerships and reliance on outsource providers • Restructuring e.g. single UK tour operator • Going Places retail estate rationalisation • Strength of in-house IT support Regulatory/Compliance • Combined code statement • OFR requirements • Emerging Risk Management process and other assurance activities • Oversight of regulator Key themes that the Internal Audit plan addresses: • Profit Maximisation – benefits of cost reduction programmes; streamlining of the business; increased focus on and ownership of process cost drivers; improvements to MI • Revenue Growth – through established and new distribution channels; effective yield management • Working Capital improvements – focus on cash management, hedging, AP and AR • End to end process improvements – including IT interfaces and the supporting manual processes • Supplier Management – including, outsourced service provision • Legal & regulatory – meeting the requirements • Improving IT infrastructure 8 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – Going Places • Plan Highlights • Focus of internal audit effort is in areas of cost where discretion is high. No previous audit work carried out in these areas. • Retail estate rationalisation and associated system/process implication remain on the watch list, but not on the current year plan. • A further financial controls review is due in 2006/07. Meanwhile, CAR review procedures performed by internal audit (and included in group plan) will be undertaken in GP. 9 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – COMPANY A • Plan Highlights • The airline has been subject to a relatively high level of internal audit coverage in the prior 2 years reflecting the then relatively weak internal financial controls. • Improvements in control brought about by new management and better systems reduce the likelihood of future control issues – and the plan for 2005/06 reflects this. • The 2005/06 plan targets areas of relatively high expenditure around which no internal audit work has previously been conducted. 10 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – Subsidiary C Charters • Plan Highlights • Total days is planned to decline reflecting extensive audit work carried out in the previous 2 years on both the key financial controls of tour operators and BSS. • Audit work for 2005/06 will concentrate on the improvement initiatives underway to simplify processes and structures. • We are also planning a series of “spot check” style audits on effectiveness and efficiency of key reconciliations carried out in BSS. 11 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – Subsidiary C - Non Charter • Plan Highlights • All business units within the UK non charter business have been the subject of finance control reviews. • Planned audit focuses on post implementation of common BCT distribution channels. 12 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – Subsidiary A • Plan Highlights • No internal work carried out in North America in 2004/05. • Audit work for 2005/06 will focus on key projects, including transfer of financial ledger to Oracle. 13 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – Subsidiary B • Plan Highlights • Subsidiary B has had just one internal audit in the last 2 years – this audit focusing on head office financial controls. • The objective of the 2005/06 plan is to address “in country” financial controls, together with areas highlighted as higher risk. 14 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – Group • Plan Highlights • The 2005/06 plan includes greater emphasis on group functions than 2004/05 largely attributable to increased focus on Treasury and process change brought about by by IFRS. • The “Group” category also includes follow up work covering all control issues. This work is spread across the year to provide regular updates. It also includes all CAR work. • Other areas within group scheduled for audit in 2005/06 include areas that will be subject to audit for the first time. 15 Internal Audit Plan 2005/2006
4. 2005/06 Internal Audit Plan – Group (continued) 16 Internal Audit Plan 2005/2006
Appendix 1 - Heat Map showing previous Internal Audit coverage • Pages 17 and 18 set out a matrix intended to show the coverage provided by the internal audit work performed in 2003/04 and 2004/05. • The colours (red, amber, blue) indicate the relative importance from an internal audit perspective of particular business activities / process (rows) that take place within a particular business unit / division (columns). • The numbers in the cells are the internal audit assignment numbers, where an audit assignment provided a degree of coverage for the process/business unit combination. • The colour grey has been used to indicate not assessed process/business unit combinations. These are mainly non finance areas. The heat map shows that, taking 2003/04 and 2005/06 together: • Internal audit coverage has been provided for all high importance processes with financial control significance • The finance processes (shown on page 19) have received greatest internal audit attention 17 Internal Audit Plan 2005/2006
Appendix 1 - Heat Map showing previous Internal Audit coverage (cont.) • ***Chart has been removed because it could not be sanitized 18 Internal Audit Plan 2005/2006
Appendix 1 - Heat Map showing previous Internal Audit coverage (cont.) • ***Chart has been removed 19 Internal Audit Plan 2005/2006
Appendix 2 - Heat Map showing priorities for 2005/06 • The heat map set out on pages 22 and 23 illustrate the coverage of the 2005/06 audit plan for the entire group. • The format of the heat map is similar to Appendix 1, except that: • We have added a colour (white) to indicate where processes do not exist in a particular location (and therefore coverage cannot be expected) • The numbers in the cells refer to the audit number set out in the 2005/06 audit plan Given the principles behind the audit cycle (see page 5) those processes without planned coverage in 2005/06 would expect to be addressed in subsequent years. 20 Internal Audit Plan 2005/2006
Appendix 2 - Heat Map showing priorities for 2005/06 (cont.) 21 Internal Audit Plan 2005/2006
Appendix 2 - Heat Map showing priorities for 2005/06 (cont.) 22 Internal Audit Plan 2005/2006
Appendix 3 - Internal Audit planning for 2006/07 As part of our 2005/ 06 audit planning we have identified additional audit needs the timing of which would best be placed in the 2006/ 07 audit plan, details of which are listed below. Supplier Management Working capital IT Infrastructure Profit max Legal & regulatory Revenue growth End to End process 23 Internal Audit Plan 2005/2006