COMPANY A

1
COMPANY A Internal Audit Plan 2005/2006 15
November 2005
2
Contents

• SECTION Page
• 1. Executive Summary 2
• 2. Introduction 3
• 3. Internal Audit planning cycle 4
• 4. 2005/06 Internal Audit Plan 6
• Appendices
• Appendix 1 Heat Map showing Internal Audit
  coverage 2003/04 and 2004/05 17
• Appendix 2 Heat Map showing planned Internal
  Audit coverage for 2005/06 20
• Appendix 3 Candidate Audits 2006/ 07 23

This report is prepared in confidence for COMPANY
A and must not be disclosed to any third parties.
In carrying out our work and preparing our
report, we have worked in accordance with the
terms of our letter of engagement dated 1 July
2003. Our report may not have considered issues
relevant to any third parties. Accordingly, we
assume no responsibility or liability whatsoever
in relation to the contents of our report to any
third parties who are shown or gain access to our
report, and any use such third parties may choose
to make of our report is entirely at their own
risk.
1
Internal Audit Plan 2005/2006
3
1.Executive Summary
Over the past 2 years, the groups control
environment and risk management procedures have
improved significantly. Over the same period,
internal audit work with a financial controls
focus has been conducted at all material and
continuing business units. From 2005/06 the
planning of internal audit will revert to a
regular cycle. The 2005/06 audit plan has been
prepared on this basis.

• The Internal Audit Planning Cycle ( see Section
  3)
• Audit work is planned to address highest areas of
  risk
• High quality audits relevant to current business
  needs
• Coverage for the entire group over a 3 year cycle
• Continual emphasis on controls assurance
  reporting, issues resolution and effectiveness of
  risk management procedures
• Compliance with best practice in corporate
  governance

• The 2005/06 Internal Audit Plan (See section 4)
• 23 audits assignments planned with coverage for
  each division
• High level of management input into the plan
  which should lead to ownership of actions
• Financial control remains a key theme of the plan
  with all 23 audits addressing financial control
  performance. Furthermore, 13 audits focus on
  areas of opportunity for profit improvement or
  revenue growth
• 8 audits addressing control aspects of
  significant change initiatives that the group has
  planned or commenced in UK and North America

2
Internal Audit Plan 2005/2006
4
2. Introduction

• Background
• AAA have completed two years internal audit plans
  since appointment on 1st July 2003. 2005/06 is
  covered by the contract agreed at that date.
• During 2003/04 and 2004/05 a total of 46 internal
  audit assignments have been conducted. The
  primary focus of this work was to assess the
  quality of financial control across all the
  groups operations.
• Internal audit work has been conducted at all of
  the major (and continuing) business units in the
  UK, Northern Europe and North America at least
  once in the 2 year period (see Appendix 1).
• Over the past 2 years significant improvements
  have taken place in the groups control
  environment and risk management procedures.
• The group risk profile is significantly changed
  following completion of re-financing, disposals /
  re-structuring, outsourcing / off shoring and the
  implementation of common, Oracle based financial
  systems in the UK.

• Contents of this document
• Section 3 of this document sets out the changes
  we propose for deciding Internal Audit coverage
  from 2005/06 onwards.
• Section 4 sets out our proposed Internal Audit
  plan for 2005/06 and explains the basis of its
  preparation and the key business issues that
  underpin it.

3
5
3. Internal Audit Planning Cycle
For the 2005/ 06 plan onwards we propose to
change to the focus of Internal Audit work to one
that reflects the control improvements that have
taken place over the last 2 years.
2003/04 and 2004/05
2005/06 Onwards
The first 2 years of IA coverage has focused on
visiting all of the groups major, continuing
business units with the primary purpose of
assessing the adequacy of internal financial
controls.
Changes in the risk profile, together with
improvements in risk management procedures and
the internal control environment, mean that the
internal Audit plan can revert to a cyclical
approach whereby areas of higher risk receive
greater, more frequent coverage.

• The primary principles driving internal audit
  work to
• date have been
• Blanket coverage of material, continuing
  business units
• Financial controls focus
• Re-enforcing basic disciplines of internal
  control compliance
• Push through improvements in control where
  necessary and report progress accordingly

• The primary principles driving future internal
  audit work are
• High quality audits delivering business focused
  recommendations
• Risk focused plan
• Regular cycle of work (see page 5)
• Ensuring progress in the control environment is
  sustained and progressed
• Evolving needs of business are anticipated and
  addressed
• Developing regulatory needs associated with
  strong corporate governance are addressed

• This generated the following outputs
• Knowledge of whether appropriate controls exist
  and are being consistently applied and where
  necessary, improved to baseline standards
• External Audit acknowledgment of Internal Audit
  work

• The following outputs are intended
• Assurance over the operation of key controls
• Insights into improvements to process and control
  aimed at improved business performance
• Explicit External Audit reliance

4
Internal Audit Plan 2005/2006
6
3. Internal Audit Planning Cycle (continued)
From 2005/ 06 we propose to implement a regular
cycle of work. The approach we set out below is
in line with best practice and complies with
corporate governance requirements set out in the
Combined Code.
Key Principles driving the Audit Cycle
Proposed Audit Cycle

• Each years audit plan will be driven primarily
  by risk, with those parts of the business with
  higher inherent risk made subject to deeper, more
  frequent audit.
• Overall intention should be to provide coverage
  of all areas of the business (except immaterial),
  at least once in a 3 year cycle.
• The nature and extent of audit coverage will
  reflect the need for assurance and will take
  account of other sources such as controls
  assurance reporting (CAR) and management views.
• Important changes in the market or within the
  business (including to structure or process)
  create risk that audit plans will also address.
• The audit plan will be flexible to meet changing
  business needs.
• The annual plan will be approved by Audit
  Committee together with significant changes to
  plan.

Higher Risk Audited at least once each
year Medium Risk Audited once in 2
years Lower Risk Audited once in 3
years Note The level of risk (higher, medium
or lower) is primarily a matter of judgement and
is relative, not absolute. The assessment of risk
levels will take account of likelihood of control
issues of certain magnitudes occurring, the
magnitudes being those approved by Audit
Committee and used in issues reporting.
5
Internal Audit Plan 2005/2006
7
4. 2005/06 Internal Audit Plan

• How the Plan was prepared
• We have consulted a wide range of senior
  management across the group concerning areas they
  believe should receive audit coverage. In all 36
  interviews have been conducted covering all key
  business units.
• Revisited the Heat Map used in 2003/04 and
  2004/05 and, working with senior management
• Re-aligned the process model to match the
  evolving business structure and
• critically reassessed each process (see Appendix
  2)
• Designed the 2005/06 audit plan to build upon
  previous audit coverage and the results of
  previous audit work.
• Reviewed the Groups risk management report as
  presented to the November 2005 Board, to ensure
  that the plan appropriately reflects the key
  risks.
• Cross checked the plan to ensure it addresses
  developing regulatory requirements with
  particular reference to corporate governance.

In this section we set out the highlights of the
2005/06 Internal Audit Plan. The plan has been
prepared in accordance with the Planning Cycle
(see page 5) and reflects the principles that
support the revised cycle (see page 4).

• The 2005/06 plan calls for 660 days of auditor
  delivery time. A summary of the time allocations
  is set out on page 7.
• Page 8 highlights the major themes that the audit
  plan addresses and shows how these are responsive
  to key business issues facing the group.
• The proposed schedule of audits for 2005/06 is
  set out on pages 9-14.

6
Internal Audit Plan 2005/2006
8
4. 2005/06 Internal Audit Plan Highlights

• The number of audit delivery days proposed in
  2005/06 is 660, compared to a plan for 615 in
  2004/05 (and expected outturn of 640).
• The allocation of days by business for
  unit/division for 2005/06 and past 2 years is set
  out on the following diagram.

• The highlights of the 2005/06 internal audit plan
  are
• Reduced focus on
• the BSS following extensive work carried out in
  the previous 2 years. The focus of current year
  work is on project lion and on checking integrity
  and efficiency issues associates with key
  reconciliations.
• Airways in recognition of control improvements
  that have taken place and as manual intensive
  processes are replaced with IT systems that are
  anticipated to provide more robust controls.
• UK Charter and Non Charter. In 2003/04 extensive
  work was carried out on key financial control and
  key product offering processes.
• Additional focus on
• Group functions, specifically foreign exchange
  and cash management, coupled with the impact of
  IFRS.
• Subsidiary A and Subsidiary B following limited
  attention paid in last 2 years relative to their
  materiality.
• CHART HAS BEEN REMOVED

7
Internal Audit Plan 2005/2006
9
4. 2005/06 Internal Audit Plan Key Themes
The audit plan 2005/ 06 reflects the key issues
that are relevant in the business as at the point
of preparing the plan. We have categorised them
under the headings Market Factors, Internal
Factors and Regulatory/ Compliance.

• Market Factors
• Competitive market
• Oil price impacting margins
• Product substitution and impact on product
  offerings
• Climate change/unexpected events
• Internal Factors
• Wave 2 outsourcing
• Maintaining momentum - embed control improvements
  
• Partnerships and reliance on outsource providers
• Restructuring e.g. single UK tour operator
• Going Places retail estate rationalisation
• Strength of in-house IT support
• Regulatory/Compliance
• Combined code statement
• OFR requirements
• Emerging Risk Management process and other
  assurance activities
• Oversight of regulator

• Key themes that the Internal Audit
• plan addresses
• Profit Maximisation benefits of cost reduction
  programmes streamlining of the business
  increased focus on and ownership of process cost
  drivers improvements to MI
• Revenue Growth through established and new
  distribution channels effective yield management
• Working Capital improvements focus on cash
  management, hedging, AP and AR
• End to end process improvements including IT
  interfaces and the supporting manual processes
• Supplier Management including, outsourced
  service provision
• Legal regulatory meeting the requirements
• Improving IT infrastructure

8
Internal Audit Plan 2005/2006
10
4. 2005/06 Internal Audit Plan Going Places

• Plan Highlights
• Focus of internal audit effort is in areas of
  cost where discretion is high. No previous audit
  work carried out in these areas.
• Retail estate rationalisation and associated
  system/process implication remain on the watch
  list, but not on the current year plan.
• A further financial controls review is due in
  2006/07. Meanwhile, CAR review procedures
  performed by internal audit (and included in
  group plan) will be undertaken in GP.

9
Internal Audit Plan 2005/2006
11
4. 2005/06 Internal Audit Plan COMPANY A

• Plan Highlights
• The airline has been subject to a relatively high
  level of internal audit coverage in the prior 2
  years reflecting the then relatively weak
  internal financial controls.
• Improvements in control brought about by new
  management and better systems reduce the
  likelihood of future control issues and the
  plan for 2005/06 reflects this.
• The 2005/06 plan targets areas of relatively high
  expenditure around which no internal audit work
  has previously been conducted.

10
Internal Audit Plan 2005/2006
12
4. 2005/06 Internal Audit Plan Subsidiary C
Charters

• Plan Highlights
• Total days is planned to decline reflecting
  extensive audit work carried out in the previous
  2 years on both the key financial controls of
  tour operators and BSS.
• Audit work for 2005/06 will concentrate on the
  improvement initiatives underway to simplify
  processes and structures.
• We are also planning a series of spot check
  style audits on effectiveness and efficiency of
  key reconciliations carried out in BSS.

11
Internal Audit Plan 2005/2006
13
4. 2005/06 Internal Audit Plan Subsidiary C -
Non Charter

• Plan Highlights
• All business units within the UK non charter
  business have been the subject of finance control
  reviews.
• Planned audit focuses on post implementation of
  common BCT distribution channels.

12
Internal Audit Plan 2005/2006
14
4. 2005/06 Internal Audit Plan Subsidiary A

• Plan Highlights
• No internal work carried out in North America in
  2004/05.
• Audit work for 2005/06 will focus on key
  projects, including transfer of financial ledger
  to Oracle.

13
Internal Audit Plan 2005/2006
15
4. 2005/06 Internal Audit Plan Subsidiary B

• Plan Highlights
• Subsidiary B has had just one internal audit in
  the last 2 years this audit focusing on head
  office financial controls.
• The objective of the 2005/06 plan is to address
  in country financial controls, together with
  areas highlighted as higher risk.

14
Internal Audit Plan 2005/2006
16
4. 2005/06 Internal Audit Plan Group

• Plan Highlights
• The 2005/06 plan includes greater emphasis on
  group functions than 2004/05 largely attributable
  to increased focus on Treasury and process change
  brought about by by IFRS.
• The Group category also includes follow up work
  covering all control issues. This work is spread
  across the year to provide regular updates. It
  also includes all CAR work.
• Other areas within group scheduled for audit in
  2005/06 include areas that will be subject to
  audit for the first time.

15
Internal Audit Plan 2005/2006
17
4. 2005/06 Internal Audit Plan Group (continued)
16
Internal Audit Plan 2005/2006
18
Appendix 1 - Heat Map showing previous Internal
Audit coverage

• Pages 17 and 18 set out a matrix intended to show
  the coverage provided by the internal audit work
  performed in 2003/04 and 2004/05.
• The colours (red, amber, blue) indicate the
  relative importance from an internal audit
  perspective of particular business activities /
  process (rows) that take place within a
  particular business unit / division (columns).
• The numbers in the cells are the internal audit
  assignment numbers, where an audit assignment
  provided a degree of coverage for the
  process/business unit combination.
• The colour grey has been used to indicate not
  assessed process/business unit combinations.
  These are mainly non finance areas.
• The heat map shows that, taking 2003/04 and
  2005/06 together
• Internal audit coverage has been provided for all
  high importance processes with financial control
  significance
• The finance processes (shown on page 19) have
  received greatest internal audit attention

17
Internal Audit Plan 2005/2006
19
Appendix 1 - Heat Map showing previous Internal
Audit coverage (cont.)

• Chart has been removed because it could not be
  sanitized

18
Internal Audit Plan 2005/2006
20
Appendix 1 - Heat Map showing previous Internal
Audit coverage (cont.)

• Chart has been removed

19
Internal Audit Plan 2005/2006
21
Appendix 2 - Heat Map showing priorities for
2005/06

• The heat map set out on pages 22 and 23
  illustrate the coverage of the 2005/06 audit plan
  for the entire group.
• The format of the heat map is similar to Appendix
  1, except that
• We have added a colour (white) to indicate where
  processes do not exist in a particular location
  (and therefore coverage cannot be expected)
• The numbers in the cells refer to the audit
  number set out in the 2005/06 audit plan
• Given the principles behind the audit cycle (see
  page 5) those processes without planned coverage
  in 2005/06 would expect to be addressed in
  subsequent years.

20
Internal Audit Plan 2005/2006
22
Appendix 2 - Heat Map showing priorities for
2005/06 (cont.)
21
Internal Audit Plan 2005/2006
23
Appendix 2 - Heat Map showing priorities for
2005/06 (cont.)
22
Internal Audit Plan 2005/2006
24
Appendix 3 - Internal Audit planning for 2006/07
As part of our 2005/ 06 audit planning we have
identified additional audit needs the timing of
which would best be placed in the 2006/ 07 audit
plan, details of which are listed below.
Supplier Management
Working capital
Profit max
Legal regulatory
IT Infrastructure
Revenue growth
End to End process
23
Internal Audit Plan 2005/2006