Session 9C (Panel) Building a quality-focused Internal Audit function

David Tanner PMIIA, Director Audit and Risk, University of New England

Brian Densem FIIA(Aust), General Manager, Group Audit, Australian Unity Ltd

Facilitator: Andrew Cox PFIIA CIA CGAP, Manager, Quality Services, IIA-Australia


Today’s stories

• Two top-notch Internal Audit functions.

• Recent 5-year Quality Assessment by the IIA–Australia.

• Conformance with the Internal Audit Standards.

• Leverage their quality to provide valued services.

• Constantly searching for innovation.

• Strong support from the top.

• Valued by their stakeholders.

• Continually evaluating and re-inventing themselves.

Brian Densem, General Manager, Group Audit

Australian Unity Ltd

Australian Unity’s Wellbeing Business Portfolio

Healthcare

• Retail Health Insurance Fund

• Corporate Health Insurance Fund

• Healthcare provider: A diverse range of services including hospital substitution, chronic disease self-management, risk factor management and health information services

• Dental Centres

Investments

• Funds Management

• Banking Services

• Real Estate Investments (Property Trusts)

• Investment Bond Products

• Mortgage Trusts


Independent & Assisted Living

• Retirement Communities/Villages

• Aged Care Facilities

• Home Care Services

Note: We operate, and Design & Construct Villages and Aged Care Facilities

Also, recently purchased NSW Home Care Services is currently being integrated


Personal Financial Services

• Financial Planning Dealership

• General Insurance Broking

• Finance Broking

Recently acquired and now integrating an estate planning business

Challenge for Group Audit

• Eleven different industries/business lines

• Don’t forget the support services: Finance, Technology, Human Resources, Marketing, etc

• A business not afraid of acquisition or divestment

• Heavily regulated businesses

• A mutual business with challenges on capital raising

Group Audit’s Reporting Line/Authority

• Group Audit is an independent assurance function reporting:

• Functionally to the Chair of the Board’s Audit & Compliance Committee

• Administratively to the Group Managing Director

Where Group Audit came from

2000

• 3 staff

• 6 or 7 reviews per annum

• Very “external audit” focused

• Primarily “financial” risk based

• Inappropriate reporting lines

• Low on the Quality Maturity scale

2016

• 11 qualified staff, with approval for 1 more

• ~ 60 reviews per annum

• Fully risk based

• Dynamic project coverage

• Developing data analytics capabilities

• Attend all major committees as observers

• Better practice reporting lines

• IT / Cyber Specialist in-house

• IIA assessed as Beyond Conforming / Leading

• Trusted advisor to the CEO

The Group Audit Journey

Internally (within the Team)

• Assessed capabilities

• Recruited qualified people

• Give team members exposure across industries to build their skills/CVs

• Built an audit universe (this was later linked to the risk register/profile)

• Developed methodology

• Invested in tools / resources

• Revised all end product materials, after seeking feedback

• Established dynamic monitoring of project delivery

Externally (within the Organisation)

• Sought to understand the business. Focused on: People; Products; Services; Localities; Industries; Channels & Key Processes, etc

• Understand the regulatory landscape

• Built rapport with executives and key line management. Develops trust & respect

• Tried to clearly communicate my “style” & approach (Collaboration v “Police”)

• Understand the Audit Committee’s needs & wants

• Set up regular Audit Committee Chair engagement

Our innovation

• We, as a team, are continually monitoring the internal and external environment and adjusting our audit strategy (we now have quarterly resets)

• Built the Audit Methodology based on the size, nature and approach of the team, then benchmarked to the standards

• Established dynamic major project monitoring

• Developed revised KPI performance monitoring

• Improved reporting at the Board level

• Recently recruited an in-house Security & Technology professional

What our customers say

• Professional, Supportive, Competent & Understanding of the role

• High in Integrity, Skill & Ethics

• Positive contributor to Australian Unity risk management culture

• Professional, Consultative, Know their Work & Transparent

• Been able to re-invent Group Audit & “keep it fresh”

• Seeks to help the business improve; not to impose process

• Recognition of what they can do in-house and what should be outsourced

Future challenges

• M&A integration of 2 businesses (Estate Planning & NSW Home Care Services) concurrently

• Skilling up the team in the trustee services industry

• Growing outsourcing, particularly in the IT space

• Cyber security management

• Making the next step change in data analytics capabilities to gain a greater value add

• Reviewing / revising our approach to retirement construction projects

What the future will look like

• A greater reliance on data analytics

• An increasing need to seek ongoing assurance in respect of 3rd party service providers

• Increasing focus on data security

• Data privacy considerations are only going to become more critical

• Quite possibly the skill mix with the Group Audit team will migrate to more IT focus

• Sourcing and maintaining the IT audit/security skills

Take-away message

• Recruit well & create career developing roles for the team

• Build credibility | Personally | Team Members | The Team as a Whole

• Gain their confidence | The Board | Audit Committee Chair | CEO

• Focus on Key Risks linked to strategy | Too low and you lose credibility and add little value

• Understand the Risk Appetite – It’s about balancing risk. Your role is not about blocking activity, rather it’s about ensuring activity is managed within the Board’s appetite

• Never accept where you’re at – REINVENT!

University of New England

David Tanner, Director Audit & Risk, University of New England

Facts and figures

• UNE is a regional university based in Armidale NSW

• Facts and Figures based on the UNE 2014 Annual Report

• Revenue = $291M

• Staff = 1,364

• Total Students = 21,872 (FTE = 11,643)

• International Students = 1,035

• 18,373 (79.9%) of students are off campus

Reporting

• Internal Audit is part of the Audit and Risk Directorate (ARD)

• ARD also has responsibility for risk management and business continuity

• The Director ARD is

– the ICAC liaison officer and

– the Public Interest Disclosure Coordinator

• The Director ARD

– reports administratively to the Chief Legal and Governance Officer

– dotted line functional reporting to the Vice-Chancellor and

– dotted line functional reporting to the Chair of the Audit and Risk Committee

Where we came from

• I commenced on 25 June 2012 and the issues at the time included:

– January 2012 ICAC investigation and public enquiry

– ICAC recommendations regarding the internal audit function

– TEQSA conditions re Risk Management

– NSW Audit Office recommendations re Internal Audit and Risk Management

– Lack of Staff

– Audit plan was poor and reporting to the Audit and Risk Committee was poor

– No established audit methodology

– Procedural issues around fraud, public interest disclosures, etc

Our journey

• Some considerations

• Current urgent issues – What do I need to deal with straight away?

• Staff mix and skills – what was required, organisationally and audit methodology.

• Audit methodology – alignment to the professional standards.

• Needed to develop a structured audit program and strategy.

• Needed to develop an Operational (Strategic) Audit Plan:

– not a list of audits but a strategy that sets the objectives and KPIs

– must add value

– Stakeholder engagement strategy

Our journey continued

• Risk Assessed annual audit plan that adds value and is approved by ARC

• Quality of reporting to the Audit Committee – Annual Operations Report, Assertions, KPIs, achievements etc.

• Audit tools – data mining, audit work systems

• Oversight from internal and external stakeholders, e.g. Audit Committee, External Auditors, ICAC, TEQSA

• Evaluate Progress – Internal and External Quality Review

• November 2014 IIA external quality review results for IA function (two years later):

– Full conformance with all 12 IPPF standards (the highest rating possible)

– Maturity rating of 4 “beyond conforming” (maturity scale is 1 to 5)

– 4 was our lowest maturity rating across the 12 standards

• Note: At June 2012 our maturity level was one!

Our innovation

• Audit methodology built around and aligned to the IPPF.

• Focus on providing assurance to the Audit Committee and senior executive

• Focus on adding value

• Reporting to the Audit Committee on where we added value

• Reporting to the Audit Committee on our audit strategy

• Reporting to the Audit Committee on our performance against KPIs

• Use of audit tools e.g. Continuous Controls Monitoring, PAWS

• Stakeholder engagement strategy

What our customers say

Stakeholder comments from the IIA External Review Report:

• Internal Audit (IA) has a consultative approach

• IA is practical, pragmatic and effective

• IA reports have been extremely useful for senior executives

• IA reports are comprehensive, informative and insightful

• A lot of University areas you would expect to resist IA actually value it

• Many Senior Exec commented they would like to get more IA work done in their areas

• Investigations are conducted thoroughly and forensically

What our customers say continued

• A number of Senior Executives commented that UNE IA operates better than they had seen at other Universities

• IA has really picked up in recent years with better information, better explanations, with responses to questions provided promptly and satisfactorily

• Audit recommendations are useful, concise, with sufficient detail, and presented in context.

Future challenges

• ARD is a team of 4.4 with very different skills, any loss of staff could impact significantly

• Implementation of the Continuous Controls Monitoring tool

• The impact of the corporate risk management database (CRMD) on our audit planning

• The impact of the audit tools and CRMD on audit methodology and audit programs

• Continuous quality improvement program

What the future will look like

• Service focussed and support orientated IA function valued by all stakeholders

• IA function represents the best in contemporary practice

• Established continuous quality improvement program

Take-away message

• Identify where you can add value

• Stay focussed on your objectives

• Get the right staff and staff mix for implementing your audit methodology

• Engage with the senior executive and other senior managers

• Report your achievements, strategies, risks and challenges to the Audit Committee

• Look to continually improve