Risk - Internal Audit - QA Presentation 29 August

Posted on 22-Jan-2018

Page 1

Developing and implementing the audit process to support your GRC program

Greg Saunders, Chief Risk Officer

Page 2

Today’s presentation..

1. About CASA and what we do;
2. The evolution of internal audit methodologies and their effectiveness;
3. The importance of linkages between risk management, internal audit and quality systems;
4. Using audit outcomes to mitigate risk and drive continuous improvement;
5. Effectively managing adverse audit outcomes; and
6. Questions.

Page 3

About CASA..

• CASA is an independent statutory authority established in 1995;
• Emphasis on prevention of aviation accidents and incidents;
• Also provides safety education and training programs and is responsible for airspace regulation;
• 765 staff in 13 offices around Australia with an annual budget in excess of $150 million;
• 37,000 pilots, 13,000 aircraft owners, over 900 air operator certificate holders;
• 6,400 aircraft maintenance engineers and 700 maintenance organisations; and
• Indirectly over 100,000 people in some way connected with the aviation industry.

Page 4

What CASA does..

• Develops and promulgates appropriate aviation safety standards;
• Provides effective oversight to ensure compliance with aviation safety standards;
• Issues certificates, licences, regulations, permits;
• Conducts comprehensive industry surveillance, including that of industry management;
• Conducts regular reviews of the aviation safety system to identify safety-related trends and risk factors to promote development and improvement;
• Assesses international safety developments;
• Improves management of Australian administered airspace and the safety of airways, aerodromes and associated services; and
• Regulates drug and alcohol management plans and facilitates testing.

Page 5

Is assurance difficult to navigate?..

Organisations have historically invested heavily in assurance functions without a clear view of what potential benefits this delivers for an organisation.

The costs are significant… …and the entire organisation is being engaged. Resulting in a picture like this…

[Diagram labels: Unclear definition and objectives; Strategic; Reporting; Operational; Compliance; External; Legal; Risk Appetite; Assurance; Board; Quality; HSE; Corporate Responsibility; Compliance; Support for Strategy; Incidents; Key Strategic Tasks; External Costs; Internal Costs; Business Unit Costs; Operations; Technical; Corporate; Board; Executive; Board Committees; Corporate Functions; Audit Committee; Internal Audit; External Audit]

Page 6

Internal audit has changed..

“Traditional”
• Reactive
• Pedantic
• Necessary Evil
• Demanding Control at all Costs
• Career Dead End

“Empowered”
• Proactive
• Partnerships
• Process Improvement
• Value Driver
• People Development
• Risk Based

Page 7

Control and Accountability..

Board – Executive – Audit Committee

1st, Business Operations: an established risk and control environment
2nd, Oversight Functions: strategic management, policy and procedure, functional oversight
3rd, Independent Assurance: provide independent challenge and assurance

[Diagram levels: First Level, Business Operations; Second Level, Oversight Functions; Third Level, Internal Audit, External Audit, Other Assurance Providers]

Page 8

Understanding the total control costs..

[Diagram labels: Initial compliance, Ongoing assessment and monitoring; Business Performance; Visible Compliance Cost; Largely “Hidden”; Total Cost of Control]

Page 9

A strategic approach to planning & risk..

Risk Alignment, Assurance and Board Reporting

[Diagram labels: Stakeholder Value; Strategic Risks; Strategies / Objectives; Key Value Drivers; Best Practice; Service Delivery; Efficiency; Statutory Responsibility; Risk mitigation Strategies]

Page 10

Focus of change..

• Engagement at the top;
• Value creation for the organisation;
• Evolving skill sets to meet new focus;
• Participation in strategy development;
• Integrated vs. silo approach;
• New focus on partnerships; and
• Integration of risk, audit and quality as key business drivers.

Page 11

Value creation in context..

Using the risk management process to expand the internal audit focus, identify control weakness and utilise a quality system approach to strengthen control deficiencies..

Page 12

An integrated process at CASA..

• Strategic plan set by executive and endorsed by CASA board, a 3 year plan updated annually;
• Business planning directly aligned to CASA strategic plan;
• Risk management processes fully embedded in the business planning cycle; and then
• Audit plan formulated from planning and risk identification process.

Page 13

Internal audit planning..

How do we plan our Internal Audit Schedule?

[Chart: Risk Based 75%; Cyclical/Traditional 20%; Other 5%]

Page 14

Risk assessment to identify key control concerns..

• Business units identify key risks in line with objectives and context of their operation;
• Risk assessment conducted with existing controls - risk rating identified;
• Is risk within acceptable range?;
• New controls implemented to mitigate risk;
• New assessment conducted - target risk rating identified; then
• Key strategic and organisational risks included in annual audit program.

Page 15

Risk management, internal audit and quality systems..

• They should not exist in isolation;
• The risk management process is a key driver in the internal audit process;
• Audit identified control weaknesses often identify process deficiencies; and
• Process deficiencies are often the result of undocumented or accepted deviation from policy / procedure.

Page 16

Continuous improvement - AS/NZS ISO 31000:2009..

Risk management facilitates continual improvement by an organisation.

“Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation.”

Page 17

Continuous improvement - ISO 9001:2008

Continual improvement

“The organization shall continually improve the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review.”

Page 18

The link..

• Internal audit provides the link between risk management and the quality process;
• Both the risk management standard and the quality standard have specific reference to continuous improvement in an organisation;
• Risk drives audit program;
• Audit identifies control weakness; and
• Quality process rectifies control deficiencies.

Page 19

Managing adverse audit outcomes..

Two categories of adverse outcomes:
• Expected adverse outcomes
• Unexpected adverse outcomes

Expected outcomes provide willing and accepted opportunity for improvement;

Unexpected outcomes may involve confrontation, unwillingness to accept findings, adverse criticism of audit process and more.

Page 20

Managing adverse audit outcomes at CASA..

• Audit discussion paper submitted to CRO for endorsement prior to exit meeting;
• Exit meeting attended by CRO or delegate – no surprises and verification of meeting outcomes; and
• CRO manages relationships with executive managers and audit providers.

Page 21

The future of internal audit..

• Extensive use of data analytics – already happening;
• Issues identified before they become problems;
• Increased focus on “big picture” and key risks to better allocate resources; and
• Better customisation of KPIs and KRIs.

Page 22

Questions