Transcript An Olympian Challenge Mary Hardy 2013

London 2012
An Olympian Challenge
Mary Hardy
Head of Risk Assurance
2 March 2013
Agenda
It’s Project Auditing really
Context
Lifetime internal audit plan
Budget and resources
Assurance mapping
Changing audit process and reporting
Games and post Games audits
Summary
Context
LOCOG
3
Context
London 2012
LOCOG
Lon
4
Context
LONDON 2012
IOC/IPC
GOE/
DCMS
ODA
HOME
OFFICE
LOCOG
TfL
HOST
BOROUGHS
GLA
5
Lifetime Internal Audit Plan
1 April 2010 to 31 March 2013
Internal Audit aims and objectives:
Provide independent assurance to the
Audit Committee, the Chief Financial
Officer and, where appropriate,
LOCOG’s external stakeholders (BOA,
DCMS, GLA), on the effectiveness of
risk management, internal controls and
governance arrangements
Provide advice to management to assist
it in identifying and addressing risk and
controls related issues which may affect
the achievement of LOCOG’s objectives
Lifetime Internal Audit Plan
1 April 2010 to 31 March 2013
The Audit Committee was asked how it
wanted to use IA to obtain the
assurance it wanted – ‘deep dives’ of a
small number of areas or an audit plan
that covered everything.
The AC wanted IA to cover everything
within LOCOG.
IA therefore performed full audits of key
risk areas, including anything requiring
compliance with legislation or
implementation and use of IT systems,
and shorter, high level reviews
elsewhere to gain comfort
management were in control/managing
Games preparations and readiness.
Lifetime Internal Audit Plan
1 April 2010 to 31 March 2013
The AC view of ‘everything’ included
activity within the wider London 2012
programme, eg IA was asked why
there were not more audits of transport
or security. IA view of ‘everything’ was
activity within LOCOG, although
transport and security were two of the
main risks for the Games overall.
The Assurance Map was developed to
help show that responsibility for much
of transport and security was outside
LOCOG with other parts of London
2012, and that there were a number of
assurance providers over these
activities. IA could then focus on
LOCOG’s responsibilities and risks.
Lifetime Internal Audit Plan
1 April 2010 to 31 March 2013
IA must understand the business
objectives, strategy, key risks,
activities and milestones
The IA plan should align to the business
strategy/themes/objectives and risks
so that the business understands the
IA plan, its focus and the audits
This will also help the business
understand why the plan and audits
change in response to changes in the
business strategy, objectives or risks
Lifetime Internal Audit Plan
1 April 2010 to 31 March 2013
It was decided up front that IA would
continue its work through Games time
and the post-Games period.
This required a completely different audit
approach.
It worked because it was talked about
and planned from day one
Lifetime Internal Audit Plan
1 April 2010 to 31 March 2013
LOCOG was unusual compared to a
‘normal’ organisation in the level of work
that was retimed/rescheduled because
the business was not ready or
milestones had changed
This resulted in IA seeking efficient ways
of working, such as merging audits
(where they now fell due at the same
time) or deciding not to audit an area at
all as the best time for an audit had
already passed
With rapid business progress, there was
only one chance to perform an audit so
IA had to pick the right time to carry out
the audit.
Lifetime Internal Audit Plan
1 April 2010 to 31 March 2013
There was constant communication
during the audit cycle (planning, plan
updates, audit reports/results, and
AC/Annual Reporting), so there were
‘no surprises’
Requests for ad hoc audits or reporting
was generally a good sign that the
business valued IA, but also could be
an indication that the focus of IA plan
was wrong (the ad hoc work was filling
gaps in the plan) or IA
reporting/information was pitched
incorrectly (did not meet needs of the
reader).
Lifetime Internal Audit Plan
1 April 2010 to 31 March 2013
Audits in plan
Audits added
Audits merged
Audits deferred
Audits cancelled
Total completed
362
48
34
28
58
290
Internal Audit Budget and Resources
Revenue £2.2bn
IA budget £2.2m
Internal Audit Budget and Resources
KPMG co-sourcing contract from
2007
Head of Risk Assurance from Sept
2007 to Jan 2009
Head of Risk Assurance from Nov
2009
Two in-house auditors from Oct
2010 and Oct 2011
At Games time we used the senior
audit manager, one in-house auditor
and three staff from Financial
Control to deliver the audits
Internal Audit Budget and Resources
The level and number of resources
and skill sets must be ‘mixed and
matched’ to the audits in the IA
plan
For LOCOG, the co-source
resourcing model was most
appropriate to achieve this and
supplement the two inhouse
auditors
IA had a tight budget, but the benefit
of the flexibility provided by cosourcing outweighed the fact it is a
more expensive resource option
The key skill required from auditors
was pragmatism, being able to
adapt and change to situations
and understanding what was
important to LOCOG
Assurance mapping
An assurance mapping exercise involves mapping assurance
coverage against the key risks in an organisation
The aim is to ensure there is a comprehensive assurance process with
no duplicated effort or potential gaps
Assurance mapping
Step 1 – identify your strategic risks
Assurance mapping
Step 2 – think about any key operational risks that should be included
Assurance mapping
Step 3 – identify your sources of assurance
- Three lines of defence:
1 Management
2 Internal Corporate Governance
3 Independent Assurance Providers
Assurance mapping
Step 4 - Assess strength of assurance
Changing audit and reporting processes
As business activity increased,
audits had to take less time as
the business had less time to
deal with IA, and the back ending
of the audits meant IA had less
time to complete more audits so
we had to deliver more by
delivering faster.
We could not compromise on the
quality of audit work, so we
focused on simplifying audit
reports and issuing them as
quickly as possible
For Games time and post Games
planning we only produced a
weekly report
Changing audit and reporting processes
In a normal organisation, audit
reports have to include a more
detailed executive summary to
set the context for the reader.
In LOCOG this was not
required as everyone
understood the organisation.
The tabular format detailing
audit objectives, strengths and
weaknesses against these
was a simple, effective way to
show that the audit covered
the scope and objectives
agreed in the terms of
reference.
It also provided a balanced view
of the process/activity, and
was easier and quicker to
agree with business
management.
Changing audit and reporting processes
Even in a time and resource
pressured situation like LOCOG,
IA still completed follow up
reviews to ensure all actions
were completed and risks
mitigated
Follow up audits were carried out
within a month of the last action
date on the audit to allow enough
time for the new process to be
visibly operating
Changing audit and reporting processes
Reporting should be tailored to reflect
your audience: what do they want,
what do they need, what does IA
want to tell them and what does IA
want them to do as a result.
At LOCOG we provided short
summaries of the results of each
audit in the IA report to the Audit
Committee, with only
significant/ineffective reports
provided in full to the Chair of the
Audit Committee and CEO.
We also kept the CEO informed of
anything significant, contentious or
likely to raise questions by the Audit
Committee so that the could be
prepared for any challenge from the
Audit Committee.
Changing audit and reporting processes
There was constant
communication during the audit
cycle so there were ‘no
surprises’
Requests for ad hoc audits or
reporting was generally a good
sign that the business valued IA,
but also could be an indication
that the focus of IA plan was
wrong (the ad hoc work was
filling gaps in the plan) or IA
reporting/information was
pitched incorrectly (did not meet
needs of the reader).
Requests for audits or copies of
audit reports often came from
external stakeholders who had
no right to see them.
Games time and post Games audits
Games time audits focused on cash
control, emergency purchasing,
asset management , accreditation,
revenue streams.
Checklist approach, issues
addressed immediately, weekly
report on progress with the total
plan.
Post Games audits continued similar
themes but added ensuring
everyone was implementing their
Dissolution plan including moving
out of venues. Again we only issued
weekly summary reports.
Audit plan was completed by the
end of October as there was hardly
anyone left to audit!
Summary – probably applies to you!
IA needs to have an overview or helicopter view of what matters to the
organisation.
It is crucial that the Head of IA ‘sits at the top/right table’, reports into
the Board, and must have visibility and dialogue with Directors and
top management to be taken seriously.
Taking the time to plan properly and in advance (eg Games and Post
Games plans) resulted in work going smoothly and according to plan
Other than ticketing, we did not have to reconsider or change the focus
of the plan and areas being audited
IA was aware it would need to become slicker, quicker and change IA
approach (eg checklists for Games time) – this was part of the
upfront planning and thought leadership
Thank You
Any questions
Mary Hardy
Head of Risk Assurance
[email protected]