TRANSCRIPT
Chief Audit Office
ELAL’s ERA model with focus on Station Audit
IAAIA - Singapore workshop, August 2011
Gil Ber, CPA, CIA, MA
Participants Introduction
Tahir Mahmood
Bashar Alqudah
Mohammed Al Mulla
Robert Engelbarts
Emmanuel Rotimi Rominy
Baranidharan Sundaresan
Prasangi Gajanayake
Kim Nehls
Chang Thai Yau
Joanna Zakrzewska
Sheri Raines
Tan Lee Ing
Antony K. Musau
Priscilla Frichot
Jasmine Wong
Gil Ber
All copyrights reserved to Gil Ber. It is prohibited to use this document or part of it without prior permission from the author of this document. Gil Ber, CPA, CIA, MA 2
Presentation Objectives
• Understanding the benefit of using ERA as part of the audit process
• Describing the ERA process
• Sharing our experience using ERA in determining station audit scope
• Increasing awareness of business risks
• Providing a window to a “different way of thinking”
Several facts about risk management
• We all manage risks
• Risk management is part of routine business conduct
• The 1:10:100 rule is always relevant (Prevention, Identification, Occurrence)
• There is no such thing as absolute protection – even when you manage your risks
• Risk management can create added value for the organization
Risk Assessment Definitions
What is Risk?
• Risk is defined as any event, action, or non-action that could adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.
How do we measure the risk? Two parameters:
• Severity of the risk (Impact)
• Frequency of the risk’s appearance (Likelihood)
What is the potential damage to the entity? (Risk Criteria)
• Financial (loss of revenue, increase in expenses)
• Human lives, injuries
• Environment
• Compliance, etc.
Risk Assessment Definitions (Cont’)
What are Management and Control Activities?
• Management and control activities include all actions taken at management level to mitigate/manage and monitor important risks facing the entity.
What is Risk Management (RM)?
• A process of identifying and analyzing exposure to risk and determining how best to handle the exposure.
What is a Risk Assessment (RA)?
• RA is a step in the risk management process that includes identifying, mapping and prioritizing the key risks that pose a threat to the organization.
What is a Key Risk Indicator (KRI)?
• A Key Risk Indicator is a measure used in management to indicate how risky an activity is. It provides an alert which needs to be addressed.
Common ways to handle a risk
• Ignoring – “won’t hear, won’t see, won’t speak”
• Passing responsibility for the risk on to another entity (outsourcing, insurance)
• Mitigating exposure to the risk through controls and changes to business processes
• Acceptance of the risk
Risk examples ... not only in theory
(Risk Name, Risk Group: Risk Description)
1. Tone at the Top (Strategic): Senior management fails to establish an environment that encourages integrity, ethical values, and competence through management’s operating style, assignment of authority and responsibility, and development of employees.
2. Organizational Structure (Strategic): The overall structure of the branch does not support the achievement of strategic and business objectives in an efficient manner.
3. Forecasting (Strategic): Inability to forecast financial and trade information to enable the allocation of resources to new and existing initiatives, and to communicate earnings expectations to the market.
4. Technology Implementation (Strategic): Failure of the technology supporting a major initiative to meet the business need of the initiative and the strategic objectives of the organization (e.g. internet site, CRM system).
5. Competition (Strategic): Actions of competitors or new entrants to the market affect the branch's competitive advantage and/or ability to survive. Inability to maintain and grow market share due to the failure to recognize and respond to competitive threats.
6. Crisis Communication (Strategic): Failure to communicate the right message in an effective manner to recover and maintain business operations in the event of a crisis or disruption due to physical or natural circumstances.
7. Marketing (Operational): Inability to identify the particular wants and needs of target markets of customers and to satisfy those customers better than the competitors. This includes centralized and regional/local marketing initiatives and loyalty programs.
8. Passengers Lounge (Operational): Inability to provide satisfying and cost-effective lounge services in order to satisfy customers and optimize the Airline’s profitability.
Example of an airline “Risk Radar”
1. Cost management
2. Labor issues - union negotiations, pensions, productivity
3. Competition - high speed trains, trucking
4. Fleet - fleet mix, availability of new aircraft, financing
5. Culture - managing, tone at the top, organizational structure
6. Safety - compliance with SOPs
7. Low cost
8. Foreign exchange - fluctuations in foreign exchange and interest rates
9. Fuel - the airline’s failure to monitor fuel price volatility and unpreparedness to respond to the return of high fuel prices
10. Macroeconomic - reduced demand for air travel resulting from the global financial crisis and economic slowdown
11. Mergers and alliances
12. IT - interruption, continuity, ageing legacy systems
13. Contract management and monitoring
14. Acts of God - volcano, earthquakes
15. Terrorism
16. Epidemics
17. Vendor issues - economic dependence
18. Regulatory changes - carbon emissions, cargo security, food safety
19. Cash flow - cash flow that makes it impossible to manage and fulfill the airline’s obligations
[Figure: the 19 risks plotted on a radar; legend marks risks with a lower rating than last year, a higher rating than last year, and new risks.]
Combining Between Impact and Likelihood
[Figure: heat map of Impact (Low / Moderate / High / Critical) against Likelihood (Rare / Unlikely / Likely / Most Certain), with the radar risks placed on it.]
A comprehensive approach to risk management
[Figure: two organizational views. Executive Management sets the organization’s goals / objectives and strategy; the VPs and divisions (Maintenance, Cargo, Commerce, Service, Operations; National carrier, Commerce, Global sales, Finance, IT, HR & Admin) own the business units and processes (e.g. Aircraft maintenance, Collection, Advertisement, Payments, Recruitment, Sales, Financial reporting, Backups, Fueling); risks are identified at the business process level and handled through risk management activities: monitoring activities / management controls, passing responsibility for the risk, acceptance of the risk, or abandonment of business activities. The four themes are Service, Profitability / Cash flow and Safety / Security (“Helps us achieve our goals”) and Regulation (“Keeps us out of trouble”), all leading to achieving organizational goals.]
Why Use ERA as part of the Audit process
• Discussion of the risks the station is facing and the methods for handling them.
• Enables the management team (not only the manager in charge) to provide input on the process and on what is important “in their eyes”.
• Enables the audit team to focus on the material issues.
• Markets the audit in a different, friendlier way.
• Puts the subject of risk management on the agenda, creating discussion within management as to the ten (or more) most significant risks, and beginning a process of change in management perception and way of thinking.
Defining the organization’s goals / objectives
Defining the Station goals / objectives
Identifying key business processes / business units in the Station
Definitions
[Figure: example process map of a retail supply chain (Purchase and Replenish, Logistics Network Management, Inbound and Outbound Logistics Management, Merchandising, Merchandise Allocation, DC Processing, Store Operations, Supplier coordination), illustrating how business processes and the flows between them are mapped.]
ERA Workshop / Questionnaire: rating of Impact, Likelihood and Controls / management action
Identification of key risks – “What can go wrong”
Identification of management actions and controls to mitigate the risk
Presentation of the top 10 Risks
Rating impact and likelihood of each risk
Risk Impact criteria (Level of Impact: Low / Moderate / High / Critical)

Financial – Risk which might result in loss of income / increase in expenses or inability to fully achieve set goals of income / savings / enhancement
  Critical: Higher than ___$ million
  High: ___$ million to ___$ million
  Moderate: __ million$ to __ million$
  Low: Up to __ million$

Reputation – adverse publicity which may result in loss of income, legal actions, drop in share prices, loss of market share, loss of key personnel and cessation of business relations
  Critical: A critical and irreparable damage to company and shareholders’ reputation
  High: A significant yet repairable damage to company reputation or credibility for a time span of three to six months
  Moderate: Limited yet repairable damage to company reputation or company credibility for a time span of one to three months
  Low: Limited damage to company reputation for a time span of up to one month

Compliance – Risk which might result in non-compliance with rules and regulations
  Critical: A critical act of non-compliance which might result in cessation of business activities
  High: Non-compliance which might result in major restrictions on business activities or heavy financial sanctions and exposure of company executives or employees to criminal actions
  Moderate: Non-compliance which might result in restrictions on business activities or moderate financial sanctions and exposure of company executives or employees to civil actions
  Low: Non-compliance which might result in minor restrictions on business activities or minor financial sanctions and will not lead to legal actions against company executives or employees

Human lives / Injuries – Risk which might result in bodily injuries or loss of human lives
  Critical: Plane crash or abduction or loss of human lives
  High: Damage to aircraft or property or heavy injuries
  Moderate: Damage to aircraft or property or moderate injuries
  Low: Damage to aircraft or property or minor injuries
Defining criteria for rating a risk
Likelihood – the likelihood of a risk is the probability of the risk occurring.
Ranking of the risk’s likelihood is based on several criteria:
• Complexity of an activity
• Volatility of products/assets
• Degree of experience of those involved in the activity
• Level of involvement of external parties
• Past experience
• Controls / management activities
Assessment of the likelihood of a risk is a qualitative assessment based upon the self-judgment of the assessor.
The “Gross” or “Inherent” likelihood versus the “Net” or “Residual” likelihood: we will use the “Net” / “Residual” method.
Criteria for evaluating risk likelihood (Definition: Likelihood (Rating))
• May only occur in exceptional circumstances / a non-complex business process / no previous occurrences / a strong control environment in place: Rare (1)
• Could occur at some time / less than 25% chance of occurring / a non-complex business process / few previous incidents / some checks and balances: Unlikely (2)
• 25%-75% chance of occurring / complex business process / some checks & balances: Likely (3)
• High probability of occurrence – over 75% / complex business process / minimal checks and balances: Most Certain (4)
Criteria for evaluation of controls / management action (Definition: Level of control (Rating))
• Controls and management activities do not exist or are very limited in nature / poorly designed; there is great potential for improvement: Very Poor (1)
• Controls and management activities are designed to mitigate the risk only partially; there is moderate potential for improvement: Poor (2)
• Controls and management activities are designed to mitigate the risk; there is little potential for improvement: Satisfactory (3)
• Controls and management activities are designed to fully mitigate the risk; mitigating activities are considered to be of the highest standards and are considered as leading practice by other organizations: Good Practice (4)
Defining the main business processes / business units
- Catering
- Fueling
- Baggage Handling
- Cabin Cleaning
- Weight and balance
- Cargo Loading
- Cargo Transportation
- Passengers’ Security
- Cargo Security
- Aircraft Security
- Non routine maintenance
- Routine maintenance
- Ticket counters
- Cashiers
- Passengers’ Lounge
- Gates / Boarding
- Crew transportation
- Instructions to flight crew
- IT
- Crisis management
- HR management
- Cash Management
- Budgeting
- Purchasing & cost control
Two basic approaches to identification of Risks
“Bottom Up” Approach
• Risks are approached through a comprehensive analysis of the work processes within the organization and identification of specific risks that derive from each process.
• The process begins from the process owners, working its way up towards the management.
• Mostly results in identification of detailed risks specific to each process
• Implemented over a long period of time
• Requires a significant amount of resources (compared to TDA)
“Top Down” Approach
• Focuses on identification and prioritization of only the key risks
• A two-level approach – identification of risk areas and presentation of an action plan for mitigation
• Allows one to “see the forest for the trees”
• Implemented over a shorter period of time
• Requires considerably fewer resources (compared to BUA)
• Requires management commitment and involvement
Identifying the key risks in the Station
• Failure to properly plan and monitor cargo movement by plane and truck.
• Failure of the cargo unit to provide customer service to enable long-term customer loyalty.
• Ineffective cargo logistic processes lead to lost cargo business.
• Inability to effectively deliver or obtain maintenance and repair services cost-effectively, reliably and on time.
• Lack of maintenance equipment makes it impossible to effectively deliver or obtain aircraft maintenance and repair services on time.
• Inefficient processes lead to excess costs.
• Failure to attract, hire, and retain the qualified resources to optimize execution of the organization’s objectives.
• Inability to develop and enhance employee skills and provide performance management that ensures optimal achievement of organizational strategies, goals and objectives.
• Inability to effectively provide, obtain and manage all ground handling services needed to keep the Airline operating. Includes the inability to manage irregular operations, baggage handling, ramp, deicing, cabin grooming, fueling, catering and other below-the-wing services.
• Inefficient processes lead to excess costs.
• Inadequate fuel quality, fuel shortage and/or inability to provide fuel at a reasonable cost.
• Inefficient processes lead to excess costs.
• Terror and malicious acts.
• Failure to consider purchasing/supply initiatives to maintain the cost of parts, products and services at acceptable levels.
• Inability of technology to support the station processes.
• Potential unethical acts committed by station employees or other stakeholders may negatively impact the Airline’s reputation.
• Failure to identify and prevent legal risks posed by non-compliance with local, national and international regulatory requirements.
• Failure to provide effective and efficient check-in/boarding and self-kiosk services to customers, including ticket processing, seat allocation, changes and upgrades, baggage handling, special-needs customers and communication during irregular operations.
• Low customer satisfaction caused by excess waiting, late flights, lost or damaged baggage/cargo and unmet needs may lead to reduced customer loyalty and lower revenues.
• Failure to effectively manage and control aspects of a flight including crew scheduling, irregular operations, communication with ground, flight and airport personnel, emergency response and other services.
• Inefficient processes lead to excess costs.
Rating impact and likelihood of the risk at the process level
Determining Audit Priority (Risk Level and Audit Info’)
Station Risk’s Map – Audit program
[Figure: station risk map with legend “Lower rating than average”.]
Summary - What have we learned today
• Introduction to risk management and basic definitions – RM, RA, KRI
• The benefit of using ERA as a means of audit scoping
• ERA as a management tool
• Introduction to a simple model for implementation of a top-down ERA at the station level
• It’s not all about deliverables - the most salient advantages of using the ERA are putting the subject of risk management on the agenda, creating discussion within executive management as to the ten (or more) most significant risks, and beginning a process of change in management perception and way of thinking.
TODA - Thank you
Risk Name - Fraud
Business process / Business unit: Accounts / Sales / Res / Station / Management
Risk #:
Risk Owner: Management
Update date: 27/7/11
Risk Description: Potential unethical acts committed by Airline employees or other stakeholders may negatively impact the Airline’s reputation.
Additional Details and Contributing Factors:
• Poor IT systems support
• Lack of segregation of duties in the procurement process
• No user password required for the payment system
• Two fraud incidents in the past 3 years
• No legal procedures were taken against the involved employees and they are still working at the station
Management Actions:
• Each financial transaction requires the signature of 2 authorized representatives
• Sales department uses anti-fraud software
• Bank accounts are monitored by headquarters regularly
• A code of ethics is implemented and signed yearly by each employee
Risk rating:
Impact (Low/Moderate/High/Critical): Moderate
Likelihood (Rare/Unlikely/Likely/Most Certain): Likely
Management actions effectiveness (Good Practice/Satisfactory/Poor/Very Poor/Can’t say): Good Practice
Risk Level (Low/Moderate/High/Critical): Moderate
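A small scoring routine, added here as an illustration and not ELAL’s or the author’s own tool, that encodes the likelihood, control and impact scales from the slides and ranks a constructed station risk register for audit priority. The impact x likelihood matrix inside `risk_level` is an assumption, since the slides show that combination only as a figure; the fraud card above is one of the constructed entries and yields the Moderate level the slides give it.

```python
"""ERA scoring helper for a station risk register (illustration only).

Scales for impact, likelihood and control effectiveness follow the slides.
ASSUMPTION: the 4x4 impact x likelihood matrix in risk_level() is ours; the
slides only show it as a figure.  Sample register entries are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

IMPACT = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Likely": 3, "Most Certain": 4}
CONTROLS = {"Very Poor": 1, "Poor": 2, "Satisfactory": 3, "Good Practice": 4}
LEVEL = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}


def likelihood_from_chance(chance: float, exceptional: bool = False) -> str:
    """Map a probability estimate onto the slides' likelihood scale:
    Rare = exceptional circumstances only, Unlikely < 25%,
    Likely = 25%-75%, Most Certain > 75%."""
    if not 0.0 <= chance <= 1.0:
        raise ValueError("chance must be a probability in [0, 1]")
    if exceptional:
        return "Rare"
    if chance < 0.25:
        return "Unlikely"
    if chance <= 0.75:
        return "Likely"
    return "Most Certain"


def risk_level(impact: str, likelihood: str) -> str:
    """Combine impact and likelihood into a risk level.

    ASSUMED matrix: product of the two ratings, bucketed as
    1-2 Low, 3-6 Moderate, 8-9 High, 12-16 Critical.  It reproduces the
    fraud card on the slides (Moderate impact x Likely -> Moderate)."""
    score = IMPACT[impact] * LIKELIHOOD[likelihood]
    if score <= 2:
        return "Low"
    if score <= 6:
        return "Moderate"
    if score <= 9:
        return "High"
    return "Critical"


@dataclass
class Risk:
    name: str
    process: str
    impact: str
    likelihood: str   # net / residual likelihood, judged with controls in place
    controls: str     # effectiveness of management actions

    @property
    def level(self) -> str:
        return risk_level(self.impact, self.likelihood)


def audit_priority(register: list[Risk], top: int = 10) -> list[Risk]:
    """Order risks for audit scoping: highest risk level first, and within a
    level the weakest controls first (where audit work adds the most)."""
    return sorted(register,
                  key=lambda r: (-LEVEL[r.level], CONTROLS[r.controls]))[:top]


def sample_register() -> list[Risk]:
    """Constructed entries; the fraud card uses the ratings from the slides."""
    return [
        Risk("Fraud", "Accounts / Sales", "Moderate", "Likely", "Good Practice"),
        Risk("Fuel supply", "Fueling", "High", "Likely", "Poor"),
        Risk("Terror and malicious acts", "Security", "Critical", "Rare", "Satisfactory"),
        Risk("Baggage handling", "Ground handling", "Moderate", "Most Certain", "Very Poor"),
        Risk("Excess costs", "Cargo", "Low", "Likely", "Satisfactory"),
    ]


if __name__ == "__main__":
    for rank, r in enumerate(audit_priority(sample_register()), start=1):
        print(f"{rank}. {r.name:<28} {r.level:<9} controls: {r.controls}")
```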