Strawman Best Practice IIA Change Forum June 2017


Auditing Change

IIA Guidance on Auditing Change

The IIA Change Forum has developed this guide identifying a number of basic standards when auditing change and incorporating elements of best practice. This has been developed by professionals leading change portfolios in IA functions and is drawn from insights and a review of change audit strategies across participating organisations.

The volume of Change introduced by organisations is increasing and is often high risk. Internal Audit needs to consider how this is reflected and incorporated into the Audit Universe and plans while taking account of the strategic outcomes and business objectives that it is trying to deliver. Although Internal Audit may be invited to review programmes, the Internal Audit planning process needs to understand the scale, volume, complexity of business Change and approach, including agile and waterfall, to ensure that audit coverage is provided where appropriate. The lifecycle of the programme will also vary what might be relevant to consider as part of audit engagements.

This note provides guidance on the common practices identified and includes the following:
- Identifying and understanding the business change planned for an organisation
- Risk assessing programmes and identifying audit engagements
- Audit engagement types and approaches to auditing change
- Internal Audit Reporting in relation to Change

We suggest that this is reviewed and considered in addition to the existing publications and resources available through the IIA.

1. Identify and understand the business change planned for the organisation

A change audit plan will be a key element of the overall internal audit plan. Due to the nature of programme delivery, the audit plan for change needs to be aligned to the organisation’s business priorities, flexible and able to respond to change quickly. The timescales for audit delivery will need to align to the delivery timescales of the key programmes under review.

Title | Description | Best Practice

Intelligence gathered from stakeholders
This is to support audit’s understanding of the overall change agenda for the organisation, areas of key risk within it and progress of individual programmes.
Do
- Hold regular meetings with change stakeholders including business sponsors of key programmes and SMEs receiving the change, senior management responsible for Portfolio/Change delivery and Technology.
- Regularly review Audit and Risk Committee Board Packs for change related content and risks.
- Regularly review change portfolio level reporting/MI and minutes of change forums to understand progress, programme initiation, levels of investment, changes to the plan and risk and control environment of the business unit receiving the change.
- Consider Internal Audit attendance at change portfolio level meetings including oversight and approval boards.

Cross Audit Team Intelligence sharing
Share and leverage information gathered across change and business aligned Internal Audit resources with visibility of planned business change up to and including Audit Director level. Incorporate output from previous audit reports, co-source and external assurance if appropriate.
- Incorporate perspective on business change / assurance outcomes over business units receiving the change from across Internal Audit as part of Change Audit planning.
- Use the information gathered through stakeholder management with the business and previous audit reports.

Strategic objectives and priority
Identify and understand the business driver and organisational priority for the programme as part of the broader business strategy. Portfolios or programmes within them are often identified as regulatory, mandatory or discretionary. This may be based on the strategic or business plan importance of the programme or driven by regulatory or legislative requirements.
- Understand the rationale and strategic importance of the programmes considered as part of annual planning within the organisation. This should include a view of emerging and planned regulatory change.

1. Identify and understand the business change planned for the organisation (continued)

Title | Description | Best Practice

Lines of Defence (LoD), Regulator, external assurance, co-source arrangements & Third Party engagement
Understand the priorities and focus areas for other lines of defence, Regulators, external assurance providers, co-source arrangements and other third parties engaged on programmes.
Do
- Schedule regular updates with LoD, third parties, and external assurance if appropriate to understand their engagement and perspective on key risks and progress of the programme.
- Ensure the Regulator's perspective is considered if engaged.

Dynamic Review of the change audit plan
Programme delivery timescales can frequently change at short notice. Internal Audit need to be able to respond to this and ensure the audit plan is aligned to look at the high-risk elements of the programme at the right time.
- Revisit the change audit plan on a regular basis to ensure that it remains aligned to programme delivery and is focused on the key risks. Audits can be added, postponed or removed from the plan as required.

2. Risk assess programmes and identify audit engagements

Programmes should be risk assessed by internal audit to identify the key programmes for inclusion in the audit plan and a toolkit to conduct this can be developed. Risk assessments conducted by management can be used as an input to this process if they have been prepared and are available. The scoring basis will vary across organisations but an approach to identifying High, Medium and Lower risk programmes should be defined. Risk assessments should be reviewed regularly to ensure Internal Audit continues to be focused on high risk change and can adapt the plan if required.

[Diagram: Change Portfolio; Perform Risk Assessment; Prioritise Results (H/M/L); Update Audit Plan]

Risk Assessment Areas
- Complexity
- Benefit
- Cost
- Business/Process Impact
- Customer Impact
- Regulatory/Strategic
- Organisational Capacity

2. Risk assess programmes and identify audit engagements (continued)

The following areas can be considered when risk assessing programmes:

Title | Description | Best Practice

Regulatory / Strategic priority
The regulatory, legislative or strategic priority of the programme can impact the risk assessment based on the impact on the organisation if it does not deliver within the required timelines.
Do
- Incorporate the regulatory or strategic impact of the change into the risk assessment.

Customer Impact
The customer impact of a programme can be considered in relation to the scale of the change visible to the customer and also the potential impact on the customer if the programme fails to deliver as anticipated. Conduct risk is also considered within this.
- Incorporate the impact of the change on the customer into the risk assessment.

Complexity
The complexity of a programme increases the risk associated with successful delivery and implementation in the business. There are different elements to consider when assessing the complexity of a programme. For example, size, scale, IT, customisation etc.
- Assess the complexity of individual programmes taking into account the size, scale, level of IT change, extent of customisation, third party engagement etc.

Benefits
The benefits to be delivered by a programme and the strategic importance of the benefits will be a key driver for initiating a programme.
- Incorporate the level of benefits (financial, non-financial and key business outcomes) anticipated to be delivered by the programme into the risk assessment or the impact of failure to deliver.

Cost
The costs involved in delivering a programme are a useful indicator in assessing the size and scale of a programme.
- Incorporate the costs required to deliver the programme into the risk assessment and assess whether the on-going costs to support the deliverables post-implementation (e.g. maintenance/recurring costs) have been considered.

Impact on Operational Functions
The extent of the process, business or people change delivered will impact the risk profile of the programme. The risk profile of the business can also change where anticipated programme changes are not delivered, manual workarounds are introduced or enhanced controls are delivered as part of a revised operating model.
- Incorporate the scale of the process or business change into the risk assessment of the programme and the impact on the business unit risk profiles and controls, where known.

Organisational capability and capacity
The organisational capability and capacity to deliver change extends across business as usual ability to absorb the change as well as ability of programme resources to deliver it.
- Consider the level of change underway and the organisational capability to deliver and absorb additional work.

3. Audit engagement and approach to auditing Change

Audit engagement in change programmes can take different forms depending on the scale and extent of the change and associated risk. Three of the key risk types considered by an audit engagement include strategic risk, deliverability risk and operability post implementation risk. All audit engagements should focus on the achievement of the intended business outcomes and consider the link to overall business strategy. They also need to consider the delivery approach adopted by the change initiative i.e. agile or waterfall. Audit engagement can include change initiative reviews, continuous monitoring and change process/thematic review.

[Diagram labels: Programme A; Thematic; Continuous Monitoring; Audit 1; Audit 2; Programme B. Key: Audit Activity; Programme Activity]

3. Audit engagement and approach to auditing Change (continued)

Audit engagement can include the following:

Title | Description | Best Practice

Change Initiative Audits
There are several approaches to auditing a programme that may be suitable depending on the stage it is at.
- Governance reviews focusing on the design and operation of programme level controls. E.g. oversight structure (including Steering Committees), MI & reporting, Planning, RAID Management.
- Stage Gate reviews as the programme moves from one stage into another and focused on key deliverables at that stage e.g. initiation into delivery.
- Targeted Reviews/Deep dives can be executed at different stages of the programme lifecycle and focused on a particular area of risk e.g. Testing.
- Post implementation reviews conducted at the end of a phase or implementation.
Do
- Identify the key programmes that will deliver the strategic objectives for the organisation and agree the level of audit coverage to be provided. This should also identify any key programmes where audit is not planning to engage.
- Understand the key stages and timescales for the programme delivery and develop an engagement model for the programme focused on the areas of highest risk and key controls.
- Assess the delivery risk associated with the programme on a regular basis.
- Assess the business outcomes planned for the programme and business engagement.
- Assess the continued alignment of the programme to the organisation’s strategy and confirm it remains relevant e.g. it has taken account of any changes in the business or market since commencement.
- Develop a test plan toolkit focused on programme level risks and controls which can be reused.

Continuous Monitoring
Internal audit can have on-going engagement with a programme throughout the lifecycle. The programme audits in this case are complemented by on-going monitoring of the programme. This can be used to inform Board Reporting, assess the operation of programme oversight, risk assessment or audit planning for future phases. Examples include attendance at key forums including Steering Committees.
- Define Internal Audit’s role when attending key forums.
- Consider how Internal Audit independence will be maintained and clarify that the Internal Audit role is non decision making when attending the forums.
- Consider defining a continuous monitoring strategy for key programmes to clarify audit engagement and outline reporting to be produced from this work.
- Define an approach to raise issues identified during continuous monitoring with management and ensure they are addressed.

Change Process / Thematic Reviews
There are a number of processes defined to support the delivery of change across an organisation and these should be considered within the audit plan. Process reviews can be conducted on a thematic basis over a sample of projects to assess the controls in place. E.g. Business case approval, benefits management or Governance and Steering Committee effectiveness.
- Include key change processes within the audit universe and review as appropriate.

4. Internal Audit Reporting

Audit engagement in change programmes can take different forms depending on the scale and extent of the change and associated risk. These can include the following:

Title | Description | Best Practice

Final Reports
Final report produced following the completion of an audit engagement and which contains the findings identified through the work.
Do
- Develop templates for audit reporting.

Real time updates throughout audit engagements
Change programmes are delivery focused and need to address issues in a timely manner to prevent further impact on the programme. Regular discussion with key stakeholders including programme managers and sponsors throughout an audit engagement on the emerging issues will support audit understanding, confirm factual accuracy and provide management with an opportunity to start to take action. Note: This does not impact the inclusion of the findings in the final report.
- Schedule regular meetings with key programme stakeholders including programme manager and sponsor to discuss emerging issues from reviews or continuous monitoring where applicable.
- Consider reporting to Steering / Oversight Committee during Continuous Monitoring period and audit engagements.

Audit Committee Reporting
Regular reporting produced for the Audit Committee providing an update on audit and programme progress.
- Include update on the outcome of the audit engagements for key change programmes.
- Providing a perspective on key risks or issues emerging from Change delivery and opinion on overall ‘health’ of change delivery portfolio.