Internal Audit Plan Preparation – Providing Value for the Organization
Richard Arthurs CMA, MBA, CIA

My Background
20+ Years of International Finance, Audit and Risk Management Experience
13 Years with General Mills Inc. in Canada, US and UK
Managed audits, investigations, and risk in over 40 countries.
Now CAE with AltaLink/Berkshire Hathaway Energy in Calgary
Chair of IIA Canada - National Thought Leadership Committee
Chair of Benchmarking Committee - Strategic Risk Council – Conference Board of Canada
ERM Facilitator - Institute of Corporate Directors

1. Your Internal Audit Value Proposition

Value starts with the strategy and objectives of the business

Achieving Strategy = Effective Controls + Risk Management
(Make the connection easy to see)

Supporting Corporate Strategy

20xx Company Strategy:
• Drive Profitable Growth in Developed Markets
• Aggressively Capture Growth
• Assure Organizational Readiness to Resource Future Growth

Internal Audit Supporting Strategies:
1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

Addressing Accelerating Change

Accelerating Change:
• Acquisitions
• Globalization
• Emerging Technology
• Emerging Markets
• Economic Uncertainty
• 3rd Party Reliance

3yr. GIA LRP Supporting Strategies:
1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

If you do not make it simple for leaders to value Internal Audit they probably won’t.

Past Year Accomplishments
(Market Your Internal Audit Value)
• Recovered $M Due to 3rd Party Billing Errors
• Supported Key Strategic Decisions
• Reduced Work Time Required by # Hours/Month
• Significantly Enhanced Cyber Security Controls
• Identified & Investigated Fraud Cases

2. Optimize Your Continuous Risk Assessment Agility

Never before has the risk universe of a business seen so much constant change.

New emerging risk is becoming very common.

Key Strategy 1: World-Class Risk Assessment & Insight
1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

Risk Universe (Excluding Fraud & IT)
Enterprise Risk Universe (* Ernst & Young)

Strategic
  Governance Risk
    Board Performance
    Tone at the Top / Corporate Culture
    Enterprise Risk Management – Risk Mitigations
  Planning & Resource Allocation Risk
    Organizational Structure Change
    Strategic Planning
    Long Term Planning
    JVs, Alliances and Partnerships
    Decision Speed
  Technology Change Risk – AMI, Smart Grid
    Industry Changes (Gas Generation)
  Customer Demand Changes Risk
    Customer Demand Changes
  Competition Risk
    Client Services / Satisfaction
    Communication Strategy and Plan
  Enterprise Portfolio Risk
    Alliance/Partnerships
    Trademark/Brand Name
    Wholly Owned Affiliates
  Government Policy Risk
    Regulatory Changes
  Political Risk
    Political Changes
  Lifecycle Risk
    Industry & Demand (30+ Year Rate Base Projection)
  Organizational Structure Risk
    Performance Management (STIP/LTIP)
  Business Development Risk
    Mergers and Acquisition and Divestiture
    Opportunity Capture
    Executing Captured Opportunity
    Due Diligence: Risk Assessment & Management
  Major Initiatives Risk
    Planning and Execution
    Measurement and Monitoring
    Technology Implementations
    Business Acceptance
  Communication/Investor Relation Risk
    Government/Media/Public Relations
    Land Owner Consultation & Relations
    Stakeholder/Investor Relations
    Reputation Management
    Crisis Management
    Regulatory/Legal Response Plan
    Employee Communication

Operational
  People Risk
    Employee Fraud and Investigations
    Organizational Capacity & Capabilities
    Employee & Labor Relations
    Contractor Management & Excessive Usage
    Health & Welfare & Safety
    Excessive Recruitment and Turnover
    Timely & Effective Training and Development
  Project/Operations Management Risk
    Contract Commitments
    Scheduling & Forecasting
    Documentation & Standards
    Design, Mapping and Drafting
    Procurement / Competitive Bidding
    Vendor Selection / Contract Management
    Vendor / Contractor Management
    Project Execution (Stage Gate) & Management
    Change Notice & Management
    New Technology: Smart Grid
    Client & Service Interaction
    Quality Assurance & Control
    Incident Management & Investigation
    Safety & Reliability
    Fleet Purchases, Maintenance and Management
    Asset Management
    Environment Management Strategy
    Land Management Strategy
    Performance Management Gaps/KPIs
    Physical Security/Disturbance Analysis
    Privacy & Confidentiality
    Business Continuity / Disaster Recovery
  External Risk
    Catastrophic/Natural Disaster/Weather
    Sabotage / Terrorist
    3rd Party Contractor Mgmt./Reporting (Earned Value)
    Customer/3rd Party/Land Manager Fraud
    Supplier Performance
    Supplier Availability / Sole Source
    Availability of Goods and Services
  IT & Control Center Risk
    Third Party Suppliers and Outsourcing
    Control Center Operations
    Programs and Change Management
    Security and Privacy (Firewalls, Access Management)
    Physical Environment
    Staffing/Operations/Disaster Recovery
    Data Security
    Infrastructure
    Applications and Databases
    Legal and Regulatory
    Telecommunications
    Load and Demand Balancing
    Outage Scheduling & Management
    Safety and Environmental Systems

Compliance
  Code of Conduct Risk
    Ethics / Conflict of Interest
    1-800 Ethics Line Management
    Fraud (Anti Fraud Program)
  Legal Risk
    Contracts
    Stranded Asset Issue
    IP and Patents
    Liability Protection, Regulation & Insurance
    Anti-Corruption
  Regulatory Risk
    Due Diligence Process
    GTA Hearing, IR & Processes
    AESO/AUC/Prudency Audits & Enforcement
    Alberta Reliability Standards
    Labor Standards
    Engineering Standards
    Environment
    Quality, Health and Safety
    Data Protection, Availability, and Privacy
    International Laws and Standards (i.e. FCPA)
    Tax Compliance
    Customs
    Discriminatory Practices

Financial
  Rate Base and Cost Recovery Risk
    Regulated Tariff: Unapproved Costs/Prudency
    Deferral (DACDA) and Reserve Accounts
    Capital Budgeting and Cost Management (ABC)
    Transmission and Miscellaneous Revenue
    Customer Deposits
  Financial Accounting & Reporting Risk
    Accounts Payable / Receivable
    Inventory, Prepaid Expenses & Deposits
    Budget & Planning Forecasts
    Accounting/External Reporting - IFRS
    Fund Investment & Evaluation
    Management/Internal Reporting
    Inter-affiliate Transactions (SNC-ATP)
    ICFR: C-SOX / Disclosure Controls
    Payroll & Expense Reporting
    Capital Overhead Allocation (i.e. E&S)
    Taxes and Insurance
  Liquidity, Credit, and Equity Risk
    Corporate Funding / Equity Management
    Access to Capital Markets
    Debt Maturity Profile
    Flexibility in Capital Spending Budget
    Contingency Funding
    Collateral Requirements
    Capital Availability
    Fund Diversification
    Credit Risk Management/Credit Downgrade
  Cash Flow Risk
    Daily Operational Funding
    Cash Flow Projections/Forecasting
  Profitability Risk
    Return on Capital / Debt
  Market Sensitivity Risk
    Commodity Price
    Commodity Volatility
    Interest Rates
    Security Prices
    Foreign Exchange
  Volume Risk
    Attrition
    Economic Factors
    Variable Load
  Market Liquidity Risk
    Market Tightness, Depth, and Resilience
  Investment Performance Risk
    Pension Fund

IT Risk Universe (* Ernst & Young)

Third-party Suppliers & Outsourcing
• Poor service levels
• Data leakage
• Inadequate support
• Lack of assurance

Legal & Regulatory
• Non-compliance with regulators
• Non-compliance with software license contracts

Applications & Databases
• Unsupported applications
• Critical system failures
• Unable to handle load
• Configuration issues

Security & Privacy
• Intrusion of malware
• Virus attacks
• Website attacks
• Poor patch management

Infrastructure
• Damage to services
• Inflexible IT architecture
• Theft
• Obsolete technology

Data
• Disclosure of sensitive data
• Corruption of data
• Unauthorized access
• Failure to mine information

Staffing
• Loss of key resources
• Inability to recruit IT staff
• Mismatch skills
• Lack of business knowledge

Operations
• Operator errors during backup or maintenance
• Breakdown of operational processes

Unlabeled segment:
• Budget overruns
• Significant delays
• Poor quality of deliverables
• Ineffective change control

Unlabeled segment:
• Utilities failures
• Natural disasters
• Labour strikes
• Environmental sanctions

Audit Plan Development (*Ernst & Young LLP)

Inputs:
• Mgmt (Exec. & BU)
• Knowledge and Prior Audit Results
• Key Initiatives & Changes in Business
• Fraud & Geographic Risks
• External / Industry Issues
• External Auditor

Process:
1. Identify Risks: Strategic, Operations, Compliance, Financial
2. Assess Risk: Survey, Interviews, Workshop
3. Prioritize Risk

Value proposition:
• Demonstrate linkage between risk assessment and audit plans
• Clear linkage to business strategy, ERM and IA priorities
• Justifiable audit plan coverage to Audit Committee, External Auditors, etc.
• Provide proactive risk prevention & management advisory services

Audit Plan Development (* Ernst & Young)

Inputs:
• Prioritized Risks from Risk Assessment
• Management and Audit Committee Expectations
• C-SOX/SOX Compliance
• Rotation And Follow-Up
• Special Projects or Unplanned Audits

Process:
1. Prioritize Projects
2. Allocate Against Available Resources
3. Reconcile with Audit Committee
4. Finalize Audit Plan Projects

Not all risks are covered in the Plan

3. Independent Risk Assessment
Top 10 Risks vs. ERM Top Risks

Internal Audit Independent Risk Assessment: Top 10 Risk Areas
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

3. Define Your Role as The Trusted Strategic Advisor

It takes time to build trusting relationships.

Becoming the Trusted Strategic Advisor requires consistent value delivery.

Align IA Strategy to Value Added Advisory

Increasing value:
• Control & Compliance: Financial and Compliance Risk
• Business Insights: Operational Risk
• Strategic & Value-added Advisory: Strategic Risk

World-Class
IA Strategies:
1. World-Class Risk Assessment and Insight
2. Integrated and Specialized Assurance Partnerships
3. Optimized Resource & Technology Utilization

High Performing
• Utilize ERM Intelligence
• Emerging Risk Advisory Projects
• Comprehensive Audits and Data Analytics
• Operational Audits

Non-Negotiable
• Financial and Compliance Assurance
• Corporate Governance
• Maintain Independence
• Pipeline of Leadership Talent for Finance

A Trusted Strategic Advisor is Aware of Risk Appetite, Capacity and Tolerance.
Advise on Intelligent Risk Taking

Being the Trusted Strategic Advisor requires partnership with all assurance providers.

Key Strategy 2: Integrated Assurance Partnerships
1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

4. Link Value and Risk, to Your Planned Audit Activity

Never Assume Anyone Understands the Value an Audit or Advisory Can Deliver

Define Audit vs. Advisory

Input: Internal Audit Independent Risk Assessment, Top 10 Risk Areas (1. to 10.)

Emerging Risk (Non Traditional Assurance)
• Undefined Risk and Controls
• High Level of Change / Future Focus
• IA Focus: Risk Advisory
• Example: Cyber Security

New Risk Focus or Process
• Moderately Defined Risk and Controls
• Medium Level of Change / Present & Future Focus
• IA Focus: Assurance Audits & Risk Advisory
• Example: Integration

Standard Risk Coverage (Traditional Assurance)
• Highly Defined Risk and Controls
• Medium to Low Level of Change / Past & Present Focus
• IA Focus: Assurance Audits
• Example: Financial Audits

Plan Every Audit to Ensure it Will Deliver Obvious Value

Internal Audit Plan

Legend: AUDIT = Audits; ADVISORY = Advisory
Columns, from Traditional Assurance to Non Traditional Assurance: Standard Risk Coverage | New Risk Focus or Process | Emerging Risk
Rows:
• Risk Based Audits & Advisory (from the Internal Audit Independent Risk Assessment, Top 10 Risk Areas 1. to 10.)
• IT/Data Analytics
• Compliance Activity
• External Audits
Grid entries: Standard Risk Coverage entries are AUDIT; New Risk Focus or Process entries are AUDIT or ADVISORY; Emerging Risk entries are ADVISORY.

3 Year Audit Plan

Legend: AUDIT, ADVISORY
Columns: 20xx | 20xx (Subject to Change) | 20xx (Subject to Change)
Rows:
• High – Med Risk: AUDIT entries in each year
• Med – Low Risk: AUDIT entries in each year
• Emerging or New Risk Focus: ADVISORY entries in each year

4. Resource Optimization

Recruit Leaders & Help Them Become Passionate About the IA Value Proposition

Key Strategy 3: Optimized Resource and Technology Utilization
1. World-Class Risk Assessment and Insight
2. Integrated Assurance Partnerships
3. Optimized Resource and Technology Utilization

The Best Internal Audit Shops Only Recruit Future Leaders Who Love to Learn
       6. Professional Development
    Emphasize Professional Credentials
Undergraduate Degree:
MBA:

If You Cannot Deliver Value Efficiently then Consider Data Analytics
Executive Dashboards

5. Continuous Improvement

The Best Way to Manage Audit Client Expectations is by Gaining Alignment on a Maturity Assessment
Maturity Maps

New COSO Model

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

IIA Quality Assessment
6. Reporting & Grading

Great CAEs Must Perfect the Art of Managing Expectations

Audits Completed - 2013

Tracking table columns:
• Audit Tracking (quarter)
• Audit Focus
• Audit Grade: Well Controlled | Satisfactory | Needs Improvement
• # of Audit Comments: Audit Committee | Senior Management | Continuous Improvement
• Tracking: Due | Notes
Rows (blank on the slide): Audits: Q1 ×5, Q2 ×2, Q3 ×4, Q4 ×2; Advisory: Q1 ×2, Q2 ×2, Q3 ×1, Q4 ×1

Summary table columns: PMO | OPS | IT | FIN | LEGAL | HR | CUST SERV | EXT REL | BD
Rows (blank on the slide): # AUDITS, # COMMENTS

Audit Committee Update
(Charts: audits by grade, count and share)

Grade               20xx          20xx YTD
Well Controlled     5.5 (42%)     4 (57%)
Satisfactory        3.5 (27%)     1 (14%)
Needs Improvement   4 (31%)       2 (29%)

A High Value Audit Shop is a Development Engine for Future Leaders
Questions ??