Presentation to the Audit Committee Internal Audit Overview September 2009
Transcript
Page 1: SFC Plan of engagement

Presentation to the Audit Committee Internal Audit Overview

September 2009

Page 2: SFC Plan of engagement


AGENDA

Internal audit organization, mission statement & responsibilities

Internal control responsibilities

Audit approach & 2009/10 audit plan

Audit reports & rating system

Quality assurance

Page 3: SFC Plan of engagement


SFC GOVERNANCE MODEL

MD/GM/CFO/others set policies & operating principles

Depts. adhere to policies and operating principles

SFC/IFRS directs compliance of controls over financial reporting

Internal Audit evaluates compliance against policies & reports non-compliance

Board of Directors evaluates risk & dictates organization to review, evaluate, monitor & control risk

GM evaluates risks & compliance with laws

Treasury evaluates credit/treasury risks & develops policies to minimize risks

IT evaluates technology risks & develops policies to minimize risk

Legal assures compliance with laws

FC establishes reporting mechanism to assure compliance to law & policy

Page 4: SFC Plan of engagement

Shareholders

INTERNAL AUDIT

PKF

Board

Senior Management

Departments

Internal stakeholders

External stakeholders

• Objective Assurance

• Consulting & value-add

• Best practice sharing

• Evaluate & improve effectiveness of risk management, control & governance processes

• Proactive communications to improve controls

• Consulting assistance to key initiatives (e.g. Sarbanes-Oxley, acquisitions)

• Objective Assurance

• Improve organization's operations

Independent

VALUE OF IAD TO SFC

Page 5: SFC Plan of engagement


KEY CUSTOMERS, PRODUCTS & METRICS

Key product: Audit Assurance
Primary customers: Audit Committee; Bassem; Niall
Secondary customers: Depts. FC; Entity receiving audit
Metrics: Completion of audit plan; Quality of audit reports; Timeliness of audit reports; Successful external assurance review

Key product: Talent
Primary customers: Depts. receiving talent
Secondary customers: Greater finance & IT organizations
Metrics: Attrition rates below benchmark; Quality of talent placed

Key product: Consulting Services
Primary customers: Entity/Depts. receiving consulting service (dependent upon the nature of services provided)
Secondary customers: Depts. Heads; Acct & Control; GM
Metrics: Quality of services provided; Quantity of services provided

Page 6: SFC Plan of engagement

IAD Structure and Function

Audit Committee

Internal Auditor

Finance Audit

Internal Control Audit

Information Systems Audit

Compliance Audit

Other

Page 7: SFC Plan of engagement

MISSION AND SCOPE OF WORK

• The mission of the internal audit department is to provide independent, objective and reasonable assurance and consulting services designed to add value and to assist management in monitoring a system of internal control. The scope and frequency of these evaluations are determined through an assessment of risks, including the effectiveness of management’s ongoing monitoring procedures.

The scope of work of the internal audit department is to determine whether the organization’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:

• Risks are appropriately identified and managed

• Interaction with the various governance groups occurs as needed

• Significant financial, managerial, and operating information is accurate, reliable, and timely

• Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations

• Resources are acquired economically, used efficiently, and adequately protected

• Programs, plans, and objectives are achieved

• Quality and continuous improvement are fostered in the organization’s control process

• Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately

Page 8: SFC Plan of engagement


INTERNAL AUDIT RESPONSIBILITIES

Responsibilities include:

Independently assess internal controls at SFC departments

Maintain an annual cyclical audit plan

Perform compliance audits of contracts with the JVs

Perform IT system audits

Conduct control reviews at acquisitions generally within a year of purchase

Assist the organization in select investigations

Test compliance with policies & procedures

Review selected transactions for possible improper payments

Page 9: SFC Plan of engagement


MANAGEMENT RESPONSIBILITIES

Responsibilities include:

Establish internal control systems to provide safeguarding of assets, proper financial reporting and accomplish business objectives

Perform on-going management control reviews and control self-assessment activities

Maintain a system to track completion of control issues & recommendations

Comply with IFRS and local accounting requirements

Page 10: SFC Plan of engagement

AUDIT APPROACH

Page 11: SFC Plan of engagement

Input-Process-Output

Inputs

Audit Staff

Dept Staff

IS e.g. Final Accounts

Customers/ Suppliers

Processes

Work Programs

Control Reviews

Compliance/Substantive Tests

Walk through Tests

Outputs

Audit Reports

-Observations

-Recommendations

Management Action

Page 12: SFC Plan of engagement

Audit Universe 2009/2010

[Pie chart: Auditable areas. Legend: Accounts, Operations, Sales & Mktg, HR, Other. Segment values shown: 32%, 19%, 16%, 11%, 22%.]

Page 13: SFC Plan of engagement

Audit Approach

Annual Audit Plan

Audit Risk Assessment

Audit Execution

Identify critical risks

Measure objective achievement

Capture known issues quickly

Drill down into known issues (dimension the issue and determine underlying cause)

Measure, test and evaluate design of controls over critical objectives & risks

Annual process: cyclical and risk-based approach

Page 14: SFC Plan of engagement

Audit Methodology

Risk and Audit Universe (RAU) planning

Details of planned audit

Quarterly plan for IA activity

Database for individual Audit

Monitoring and review

SFC risk register

Page 15: SFC Plan of engagement

Individual Audits

Define draft audit scope

Feedback results into risk and audit universe

Set up an audit database to record the audit details, or update the Risk and Audit Universe

Agreed scope

Audit report

Test the monitoring and proper operation of controls

Audit plan

Meetings to determine objectives, risks and agree scope

Draw preliminary conclusions and discuss them

Obtain relevant documentation on processes

Audit database

Examine the risk management process for the area audited

Decide on audit approach

Conclude on risk maturity for the area audited

Risk and audit universe

Page 16: SFC Plan of engagement

Key Criteria For Identifying Risk:

• Size

• Likelihood/impact

• Departmental risk

• Date and result of last audit

• Degree of changes (Management, organization, systems)

• Awareness of risks/control issues

Page 17: SFC Plan of engagement

Audit Reports

• Audit reports recommend control improvements and assess the adequacy of corrective actions taken or planned

• Ratings are given to conclude on the control environment:

Large audit areas: Unsatisfactory/Fail, Marginal/Some improvements, Acceptable/Pass

Small audit areas: Pass, Fail

• Unsatisfactory and Fail reports are presented in detail to the audit committee.

Page 18: SFC Plan of engagement

RATING SYSTEM DEFINITION & INDICATORS

Ratings for Large Depts.: Unsatisfactory, Marginal, Acceptable

Ratings for Small Depts.: Fail, Pass

Definition

• Unsatisfactory: Controls substantially below SFC standards

• Marginal: Controls do not fully meet SFC standards

• Acceptable: Controls meet SFC standards

• Fail: Controls substantially below SFC standards

• Pass: Controls generally meet SFC standards

Key Indicators

• Unsatisfactory: Fundamental weaknesses exposing the company to substantial risks. Documentation for financial reporting controls does not exist, and key controls not tested.

• Marginal: Weaknesses exist that expose the SFC to unnecessary risks. Documentation for most financial reporting controls does not meet SFC minimum standards, and many key controls not adequately tested.

• Acceptable: No critical process breakdown or policy violations. Key financial reporting controls documented and tested.

• Fail: Fundamental weaknesses exposing the company to substantial risks

• Pass: Weaknesses may exist that expose the company to unnecessary risks

Deficiencies identified

• Unsatisfactory: Number and nature of observations indicate clearly unsatisfactory situations such as a breakdown of critical procedures and controls or performance

• Marginal: Pertain to the design or function of internal controls

• Acceptable: Process improvement opportunities

• Fail: Number and nature of observations indicate clearly unsatisfactory situations such as exposure to fraud and breakdown of critical controls and procedures

• Pass: May pertain to design or function of internal controls, or process improvement opportunities

Audit Committee Involvement

• Unsatisfactory: Each report discussed in detail with the audit committee

• Marginal: Presented to audit committee on a summary level – some discussed in detail

• Acceptable: Presented to audit committee on a summary level only

• Fail: Each report discussed in detail with the audit committee

• Pass: Presented to audit committee on a summary level only

IAD Follow-Up

• Unsatisfactory: Corrective action status updates reviewed semi-annually with the audit committee. A follow-up audit is scheduled within a year.

• Marginal: Corrective action status updates reviewed semi-annually with the audit committee

• Fail: Corrective action status of high risk findings reviewed semi-annually with the audit committee. A follow-up audit is scheduled within a year.

• Pass: Corrective action status of high risk findings reviewed semi-annually with the audit committee

Page 19: SFC Plan of engagement

AUDIT QUALITY ASSURANCE PROCESS

Phases: Resource Planning; Onboarding (where necessary); Quality review, training & development

Determine skills requirements

Develop & execute plan

Hire individuals & assess training

Schedule one week Orientation¹

Scheduling process (New joiner assigned with more experienced staff)

Attend three-day auditing training

With audit experience²

Audit engagement quality review process

Engagement staff evaluation (Identify development needs)

Specialized training (For needs identified or specific types of audits)

General training (2 times a year) - trends, Dept leaders, IIA training, audit process, technical updates, etc.

Audit plan

Determine staffing levels

On the job training

¹ Survey new hire on process & adjust if necessary

² New standard: ≥ 3 years average financial experience

Page 20: SFC Plan of engagement

Performance Evaluation

Internal Review

• A sample of the audit work papers reviewed each year by head of internal audit

• Standard work (work program, templates)

• Lessons learned communicated to department

• Plans or in process for the following year audits.

External Review

• Objective

-Assess effectiveness

-Validate conformance to IIA's standards and Code of Ethics

-Identify opportunities for improvement

• Scope

-Risk assessment and audit planning processes

-Audit tools and methodologies

-Engagement and staff management process

-Sample review of working papers and reports

• Benchmarking

Page 21: SFC Plan of engagement

SUMMARY - IAD OPERATING SYSTEM

Feedback/interviews

Prioritization

Improvement projects & activities

Current state

Achieve future state (becomes current state)

Measure, control,

IAD will use IIA tools in support of this system

Survey data

Impact/maturity

Sustaining teams

Turnbacks process & Process certification

Performance monitoring

Page 22: SFC Plan of engagement

Benefits

• Adherence to corporate policies, rules and regulations.

• Ongoing management control activities.

• Translates operational strategy and aligns it to the corporate mission.

• Serves as a motivational tool to employees.

Need for establishing IAD

• Scale, diversity and complexity of company activities

• Number of employees – more employees increase need

• Increase in unacceptable events

• Problems with internal control systems

• Amount of changes in information systems

• Changes in key risks

• Cost-benefit of department