Context TfL ODA IOC/IPC GLA HOST BOROUGHS LOCOG HOME OFFICE GOE/ DCMS LONDON 2012 5
Lifetime Internal Audit Plan 1 April 2010 to 31 March 2013 Internal Audit aims and objectives: Provide independent assurance to the Audit Committee, the Chief Financial Officer and, where appropriate, LOCOG’s external stakeholders (BOA, DCMS, GLA), on the effectiveness of risk management, internal controls and governance arrangements Provide advice to management to assist it in identifying and addressing risk and controls related issues which may affect the achievement of LOCOG’s objectives
Lifetime Internal Audit Plan 1 April 2010 to 31 March 2013 The Audit Committee was asked how it wanted to use IA to obtain the assurance it wanted – ‘deep dives’ of a small number of areas or an audit plan that covered everything. The AC wanted IA to cover everything within LOCOG. IA therefore performed full audits of key risk areas, including anything requiring compliance with legislation or implementation and use of IT systems, and shorter, high level reviews elsewhere to gain comfort management were in control/managing Games preparations and readiness.
Lifetime Internal Audit Plan 1 April 2010 to 31 March 2013 The AC view of ‘everything’ included activity within the wider London 2012 programme, eg IA was asked why there were not more audits of transport or security. IA view of ‘everything’ was activity within LOCOG, although transport and security were two of the main risks for the Games overall. The Assurance Map was developed to help show that responsibility for much of transport and security was outside LOCOG with other parts of London 2012, and that there were a number of assurance providers over these activities. IA could then focus on LOCOG’s responsibilities and risks.
Lifetime Internal Audit Plan 1 April 2010 to 31 March 2013 IA must understand the business objectives, strategy, key risks, activities and milestones The IA plan should align to the business strategy/themes/objectives and risks so that the business understands the IA plan, its focus and the audits This will also help the business understand why the plan and audits change in response to changes in the business strategy, objectives or risks
Lifetime Internal Audit Plan 1 April 2010 to 31 March 2013 It was decided up front that IA would continue its work through Games time and the post-Games period. This required a completely different audit approach. It worked because it was talked about and planned from day one
Lifetime Internal Audit Plan 1 April 2010 to 31 March 2013 LOCOG was unusual compared to a ‘normal’ organisation in the level of work that was retimed/rescheduled because the business was not ready or milestones had changed This resulted in IA seeking efficient ways of working, such as merging audits (where they now fell due at the same time) or deciding not to audit an area at all as the best time for an audit had already passed With rapid business progress, there was only one chance to perform an audit so IA had to pick the right time to carry out the audit.
Lifetime Internal Audit Plan 1 April 2010 to 31 March 2013 There was constant communication during the audit cycle (planning, plan updates, audit reports/results, and AC/Annual Reporting), so there were ‘no surprises’ Requests for ad hoc audits or reporting was generally a good sign that the business valued IA, but also could be an indication that the focus of IA plan was wrong (the ad hoc work was filling gaps in the plan) or IA reporting/information was pitched incorrectly (did not meet needs of the reader).
Lifetime Internal Audit Plan 1 April 2010 to 31 March 2013 Audits in plan362 Audits added48 Audits merged34 Audits deferred28 Audits cancelled58 Total completed290
Internal Audit Budget and Resources Revenue £2.2bn IA budget £2.2m
Internal Audit Budget and Resources KPMG co-sourcing contract from 2007 Head of Risk Assurance from Sept 2007 to Jan 2009 Head of Risk Assurance from Nov 2009 Two in-house auditors from Oct 2010 and Oct 2011 At Games time we used the senior audit manager, one in-house auditor and three staff from Financial Control to deliver the audits
Internal Audit Budget and Resources The level and number of resources and skill sets must be ‘mixed and matched’ to the audits in the IA plan For LOCOG, the co-source resourcing model was most appropriate to achieve this and supplement the two inhouse auditors IA had a tight budget, but the benefit of the flexibility provided by co- sourcing outweighed the fact it is a more expensive resource option The key skill required from auditors was pragmatism, being able to adapt and change to situations and understanding what was important to LOCOG
Assurance mapping An assurance mapping exercise involves mapping assurance coverage against the key risks in an organisation The aim is to ensure there is a comprehensive assurance process with no duplicated effort or potential gaps
Assurance mapping Step 1 – identify your strategic risks
Assurance mapping Step 2 – think about any key operational risks that should be included
Assurance mapping Step 3 – identify your sources of assurance - Three lines of defence: 1 Management 2 Internal Corporate Governance 3 Independent Assurance Providers
Assurance mapping Step 4 - Assess strength of assurance
Changing audit and reporting processes As business activity increased, audits had to take less time as the business had less time to deal with IA, and the back ending of the audits meant IA had less time to complete more audits so we had to deliver more by delivering faster. We could not compromise on the quality of audit work, so we focused on simplifying audit reports and issuing them as quickly as possible For Games time and post Games planning we only produced a weekly report
Changing audit and reporting processes In a normal organisation, audit reports have to include a more detailed executive summary to set the context for the reader. In LOCOG this was not required as everyone understood the organisation. The tabular format detailing audit objectives, strengths and weaknesses against these was a simple, effective way to show that the audit covered the scope and objectives agreed in the terms of reference. It also provided a balanced view of the process/activity, and was easier and quicker to agree with business management.
Changing audit and reporting processes Even in a time and resource pressured situation like LOCOG, IA still completed follow up reviews to ensure all actions were completed and risks mitigated Follow up audits were carried out within a month of the last action date on the audit to allow enough time for the new process to be visibly operating
Changing audit and reporting processes Reporting should be tailored to reflect your audience: what do they want, what do they need, what does IA want to tell them and what does IA want them to do as a result. At LOCOG we provided short summaries of the results of each audit in the IA report to the Audit Committee, with only significant/ineffective reports provided in full to the Chair of the Audit Committee and CEO. We also kept the CEO informed of anything significant, contentious or likely to raise questions by the Audit Committee so that the could be prepared for any challenge from the Audit Committee.
Changing audit and reporting processes There was constant communication during the audit cycle so there were ‘no surprises’ Requests for ad hoc audits or reporting was generally a good sign that the business valued IA, but also could be an indication that the focus of IA plan was wrong (the ad hoc work was filling gaps in the plan) or IA reporting/information was pitched incorrectly (did not meet needs of the reader). Requests for audits or copies of audit reports often came from external stakeholders who had no right to see them.
Games time and post Games audits Games time audits focused on cash control, emergency purchasing, asset management, accreditation, revenue streams. Checklist approach, issues addressed immediately, weekly report on progress with the total plan. Post Games audits continued similar themes but added ensuring everyone was implementing their Dissolution plan including moving out of venues. Again we only issued weekly summary reports. Audit plan was completed by the end of October as there was hardly anyone left to audit!
Summary – probably applies to you! IA needs to have an overview or helicopter view of what matters to the organisation. It is crucial that the Head of IA ‘sits at the top/right table’, reports into the Board, and must have visibility and dialogue with Directors and top management to be taken seriously. Taking the time to plan properly and in advance (eg Games and Post Games plans) resulted in work going smoothly and according to plan Other than ticketing, we did not have to reconsider or change the focus of the plan and areas being audited IA was aware it would need to become slicker, quicker and change IA approach (eg checklists for Games time) – this was part of the upfront planning and thought leadership
Thank You Any questions Mary Hardy Head of Risk Assurance Mary.firstname.lastname@example.org