Title: COMPANY A
1COMPANY A Internal Audit Plan 2005/2006 15
November 2005
2Contents
- SECTION Page
- 1. Executive Summary 2
- 2. Introduction 3
- 3. Internal Audit planning cycle 4
- 4. 2005/06 Internal Audit Plan 6
- Appendices
- Appendix 1 Heat Map showing Internal Audit
coverage 2003/04 and 2004/05 17 - Appendix 2 Heat Map showing planned Internal
Audit coverage for 2005/06 20 - Appendix 3 Candidate Audits 2006/ 07 23
This report is prepared in confidence for COMPANY
A and must not be disclosed to any third parties.
In carrying out our work and preparing our
report, we have worked in accordance with the
terms of our letter of engagement dated 1 July
2003. Our report may not have considered issues
relevant to any third parties. Accordingly, we
assume no responsibility or liability whatsoever
in relation to the contents of our report to any
third parties who are shown or gain access to our
report, and any use such third parties may choose
to make of our report is entirely at their own
risk.
1
Internal Audit Plan 2005/2006
31.Executive Summary
Over the past 2 years, the groups control
environment and risk management procedures have
improved significantly. Over the same period,
internal audit work with a financial controls
focus has been conducted at all material and
continuing business units. From 2005/06 the
planning of internal audit will revert to a
regular cycle. The 2005/06 audit plan has been
prepared on this basis.
- The Internal Audit Planning Cycle ( see Section
3) - Audit work is planned to address highest areas of
risk - High quality audits relevant to current business
needs - Coverage for the entire group over a 3 year cycle
- Continual emphasis on controls assurance
reporting, issues resolution and effectiveness of
risk management procedures - Compliance with best practice in corporate
governance
- The 2005/06 Internal Audit Plan (See section 4)
- 23 audits assignments planned with coverage for
each division - High level of management input into the plan
which should lead to ownership of actions - Financial control remains a key theme of the plan
with all 23 audits addressing financial control
performance. Furthermore, 13 audits focus on
areas of opportunity for profit improvement or
revenue growth - 8 audits addressing control aspects of
significant change initiatives that the group has
planned or commenced in UK and North America
2
Internal Audit Plan 2005/2006
42. Introduction
- Background
- AAA have completed two years internal audit plans
since appointment on 1st July 2003. 2005/06 is
covered by the contract agreed at that date. - During 2003/04 and 2004/05 a total of 46 internal
audit assignments have been conducted. The
primary focus of this work was to assess the
quality of financial control across all the
groups operations. - Internal audit work has been conducted at all of
the major (and continuing) business units in the
UK, Northern Europe and North America at least
once in the 2 year period (see Appendix 1). - Over the past 2 years significant improvements
have taken place in the groups control
environment and risk management procedures. - The group risk profile is significantly changed
following completion of re-financing, disposals /
re-structuring, outsourcing / off shoring and the
implementation of common, Oracle based financial
systems in the UK.
- Contents of this document
- Section 3 of this document sets out the changes
we propose for deciding Internal Audit coverage
from 2005/06 onwards. - Section 4 sets out our proposed Internal Audit
plan for 2005/06 and explains the basis of its
preparation and the key business issues that
underpin it.
3
53. Internal Audit Planning Cycle
For the 2005/ 06 plan onwards we propose to
change to the focus of Internal Audit work to one
that reflects the control improvements that have
taken place over the last 2 years.
2003/04 and 2004/05
2005/06 Onwards
The first 2 years of IA coverage has focused on
visiting all of the groups major, continuing
business units with the primary purpose of
assessing the adequacy of internal financial
controls.
Changes in the risk profile, together with
improvements in risk management procedures and
the internal control environment, mean that the
internal Audit plan can revert to a cyclical
approach whereby areas of higher risk receive
greater, more frequent coverage.
- The primary principles driving internal audit
work to - date have been
- Blanket coverage of material, continuing
business units - Financial controls focus
- Re-enforcing basic disciplines of internal
control compliance - Push through improvements in control where
necessary and report progress accordingly
- The primary principles driving future internal
audit work are - High quality audits delivering business focused
recommendations - Risk focused plan
- Regular cycle of work (see page 5)
- Ensuring progress in the control environment is
sustained and progressed - Evolving needs of business are anticipated and
addressed - Developing regulatory needs associated with
strong corporate governance are addressed
- This generated the following outputs
- Knowledge of whether appropriate controls exist
and are being consistently applied and where
necessary, improved to baseline standards - External Audit acknowledgment of Internal Audit
work
- The following outputs are intended
- Assurance over the operation of key controls
- Insights into improvements to process and control
aimed at improved business performance - Explicit External Audit reliance
4
Internal Audit Plan 2005/2006
6 3. Internal Audit Planning Cycle (continued)
From 2005/ 06 we propose to implement a regular
cycle of work. The approach we set out below is
in line with best practice and complies with
corporate governance requirements set out in the
Combined Code.
Key Principles driving the Audit Cycle
Proposed Audit Cycle
- Each years audit plan will be driven primarily
by risk, with those parts of the business with
higher inherent risk made subject to deeper, more
frequent audit. - Overall intention should be to provide coverage
of all areas of the business (except immaterial),
at least once in a 3 year cycle. - The nature and extent of audit coverage will
reflect the need for assurance and will take
account of other sources such as controls
assurance reporting (CAR) and management views. - Important changes in the market or within the
business (including to structure or process)
create risk that audit plans will also address. - The audit plan will be flexible to meet changing
business needs. - The annual plan will be approved by Audit
Committee together with significant changes to
plan.
Higher Risk Audited at least once each
year Medium Risk Audited once in 2
years Lower Risk Audited once in 3
years Note The level of risk (higher, medium
or lower) is primarily a matter of judgement and
is relative, not absolute. The assessment of risk
levels will take account of likelihood of control
issues of certain magnitudes occurring, the
magnitudes being those approved by Audit
Committee and used in issues reporting.
5
Internal Audit Plan 2005/2006
74. 2005/06 Internal Audit Plan
- How the Plan was prepared
- We have consulted a wide range of senior
management across the group concerning areas they
believe should receive audit coverage. In all 36
interviews have been conducted covering all key
business units. - Revisited the Heat Map used in 2003/04 and
2004/05 and, working with senior management - Re-aligned the process model to match the
evolving business structure and - critically reassessed each process (see Appendix
2) - Designed the 2005/06 audit plan to build upon
previous audit coverage and the results of
previous audit work. - Reviewed the Groups risk management report as
presented to the November 2005 Board, to ensure
that the plan appropriately reflects the key
risks. - Cross checked the plan to ensure it addresses
developing regulatory requirements with
particular reference to corporate governance.
In this section we set out the highlights of the
2005/06 Internal Audit Plan. The plan has been
prepared in accordance with the Planning Cycle
(see page 5) and reflects the principles that
support the revised cycle (see page 4).
- The 2005/06 plan calls for 660 days of auditor
delivery time. A summary of the time allocations
is set out on page 7. - Page 8 highlights the major themes that the audit
plan addresses and shows how these are responsive
to key business issues facing the group. - The proposed schedule of audits for 2005/06 is
set out on pages 9-14.
6
Internal Audit Plan 2005/2006
84. 2005/06 Internal Audit Plan Highlights
- The number of audit delivery days proposed in
2005/06 is 660, compared to a plan for 615 in
2004/05 (and expected outturn of 640). - The allocation of days by business for
unit/division for 2005/06 and past 2 years is set
out on the following diagram.
- The highlights of the 2005/06 internal audit plan
are - Reduced focus on
- the BSS following extensive work carried out in
the previous 2 years. The focus of current year
work is on project lion and on checking integrity
and efficiency issues associates with key
reconciliations. - Airways in recognition of control improvements
that have taken place and as manual intensive
processes are replaced with IT systems that are
anticipated to provide more robust controls. - UK Charter and Non Charter. In 2003/04 extensive
work was carried out on key financial control and
key product offering processes. - Additional focus on
- Group functions, specifically foreign exchange
and cash management, coupled with the impact of
IFRS. - Subsidiary A and Subsidiary B following limited
attention paid in last 2 years relative to their
materiality. - CHART HAS BEEN REMOVED
7
Internal Audit Plan 2005/2006
94. 2005/06 Internal Audit Plan Key Themes
The audit plan 2005/ 06 reflects the key issues
that are relevant in the business as at the point
of preparing the plan. We have categorised them
under the headings Market Factors, Internal
Factors and Regulatory/ Compliance.
- Market Factors
- Competitive market
- Oil price impacting margins
- Product substitution and impact on product
offerings - Climate change/unexpected events
- Internal Factors
- Wave 2 outsourcing
- Maintaining momentum - embed control improvements
- Partnerships and reliance on outsource providers
- Restructuring e.g. single UK tour operator
- Going Places retail estate rationalisation
- Strength of in-house IT support
- Regulatory/Compliance
- Combined code statement
- OFR requirements
- Emerging Risk Management process and other
assurance activities - Oversight of regulator
- Key themes that the Internal Audit
- plan addresses
- Profit Maximisation benefits of cost reduction
programmes streamlining of the business
increased focus on and ownership of process cost
drivers improvements to MI - Revenue Growth through established and new
distribution channels effective yield management - Working Capital improvements focus on cash
management, hedging, AP and AR - End to end process improvements including IT
interfaces and the supporting manual processes - Supplier Management including, outsourced
service provision - Legal regulatory meeting the requirements
- Improving IT infrastructure
8
Internal Audit Plan 2005/2006
104. 2005/06 Internal Audit Plan Going Places
- Plan Highlights
- Focus of internal audit effort is in areas of
cost where discretion is high. No previous audit
work carried out in these areas. - Retail estate rationalisation and associated
system/process implication remain on the watch
list, but not on the current year plan. - A further financial controls review is due in
2006/07. Meanwhile, CAR review procedures
performed by internal audit (and included in
group plan) will be undertaken in GP.
9
Internal Audit Plan 2005/2006
114. 2005/06 Internal Audit Plan COMPANY A
- Plan Highlights
- The airline has been subject to a relatively high
level of internal audit coverage in the prior 2
years reflecting the then relatively weak
internal financial controls. - Improvements in control brought about by new
management and better systems reduce the
likelihood of future control issues and the
plan for 2005/06 reflects this. - The 2005/06 plan targets areas of relatively high
expenditure around which no internal audit work
has previously been conducted.
10
Internal Audit Plan 2005/2006
124. 2005/06 Internal Audit Plan Subsidiary C
Charters
- Plan Highlights
- Total days is planned to decline reflecting
extensive audit work carried out in the previous
2 years on both the key financial controls of
tour operators and BSS. - Audit work for 2005/06 will concentrate on the
improvement initiatives underway to simplify
processes and structures. - We are also planning a series of spot check
style audits on effectiveness and efficiency of
key reconciliations carried out in BSS.
11
Internal Audit Plan 2005/2006
134. 2005/06 Internal Audit Plan Subsidiary C -
Non Charter
- Plan Highlights
- All business units within the UK non charter
business have been the subject of finance control
reviews. - Planned audit focuses on post implementation of
common BCT distribution channels.
12
Internal Audit Plan 2005/2006
144. 2005/06 Internal Audit Plan Subsidiary A
- Plan Highlights
- No internal work carried out in North America in
2004/05. - Audit work for 2005/06 will focus on key
projects, including transfer of financial ledger
to Oracle.
13
Internal Audit Plan 2005/2006
154. 2005/06 Internal Audit Plan Subsidiary B
- Plan Highlights
- Subsidiary B has had just one internal audit in
the last 2 years this audit focusing on head
office financial controls. - The objective of the 2005/06 plan is to address
in country financial controls, together with
areas highlighted as higher risk.
14
Internal Audit Plan 2005/2006
164. 2005/06 Internal Audit Plan Group
- Plan Highlights
- The 2005/06 plan includes greater emphasis on
group functions than 2004/05 largely attributable
to increased focus on Treasury and process change
brought about by by IFRS. - The Group category also includes follow up work
covering all control issues. This work is spread
across the year to provide regular updates. It
also includes all CAR work. - Other areas within group scheduled for audit in
2005/06 include areas that will be subject to
audit for the first time.
15
Internal Audit Plan 2005/2006
174. 2005/06 Internal Audit Plan Group (continued)
16
Internal Audit Plan 2005/2006
18Appendix 1 - Heat Map showing previous Internal
Audit coverage
- Pages 17 and 18 set out a matrix intended to show
the coverage provided by the internal audit work
performed in 2003/04 and 2004/05. - The colours (red, amber, blue) indicate the
relative importance from an internal audit
perspective of particular business activities /
process (rows) that take place within a
particular business unit / division (columns). - The numbers in the cells are the internal audit
assignment numbers, where an audit assignment
provided a degree of coverage for the
process/business unit combination. - The colour grey has been used to indicate not
assessed process/business unit combinations.
These are mainly non finance areas. - The heat map shows that, taking 2003/04 and
2005/06 together - Internal audit coverage has been provided for all
high importance processes with financial control
significance - The finance processes (shown on page 19) have
received greatest internal audit attention
17
Internal Audit Plan 2005/2006
19Appendix 1 - Heat Map showing previous Internal
Audit coverage (cont.)
- Chart has been removed because it could not be
sanitized
18
Internal Audit Plan 2005/2006
20Appendix 1 - Heat Map showing previous Internal
Audit coverage (cont.)
19
Internal Audit Plan 2005/2006
21Appendix 2 - Heat Map showing priorities for
2005/06
- The heat map set out on pages 22 and 23
illustrate the coverage of the 2005/06 audit plan
for the entire group. - The format of the heat map is similar to Appendix
1, except that - We have added a colour (white) to indicate where
processes do not exist in a particular location
(and therefore coverage cannot be expected) - The numbers in the cells refer to the audit
number set out in the 2005/06 audit plan - Given the principles behind the audit cycle (see
page 5) those processes without planned coverage
in 2005/06 would expect to be addressed in
subsequent years.
20
Internal Audit Plan 2005/2006
22Appendix 2 - Heat Map showing priorities for
2005/06 (cont.)
21
Internal Audit Plan 2005/2006
23Appendix 2 - Heat Map showing priorities for
2005/06 (cont.)
22
Internal Audit Plan 2005/2006
24Appendix 3 - Internal Audit planning for 2006/07
As part of our 2005/ 06 audit planning we have
identified additional audit needs the timing of
which would best be placed in the 2006/ 07 audit
plan, details of which are listed below.
Supplier Management
Working capital
Profit max
Legal regulatory
IT Infrastructure
Revenue growth
End to End process
23
Internal Audit Plan 2005/2006