ELAL’s ERA model with focus on Station Audit

IAAIA Singapore workshop, August 2011

Gil Ber, CPA, CIA, MA, Chief Audit Office


Participants Introduction

Tahir Mahmood, Bashar Alqudah, Mohammed Al Mulla, Robert Engelbarts, Antony K. Musau, Emmanuel Rotimi Rominy, Priscilla Frichot, Baranidharan Sundaresan, Prasangi Gajanayake, Jasmine Wong, Kim Nehls, Chang Thai Yau, Joanna Zakrzewska, Sheri Raines, Tan Lee Ing, Gil Ber

All copyrights reserved to Gil Ber. It is prohibited to use this document or part of it without prior permission from the author of this document. Gil Ber, CPA, CIA, MA

Presentation Objectives

• Understanding the benefit of using ERA as part of the audit process
• Describing the ERA process
• Sharing our experience using ERA in determining station audit scope
• Increasing awareness of business risks
• Providing a window to a “different way of thinking”

Introduction to Risk Management

Several facts about risk management

• We all manage risks
• Risk management is part of routine business conduct
• The 1:10:100 rule is always relevant (Prevention, Identification, Occurrence)
• There is no such thing as absolute protection – even when you manage your risks
• Risk management can create added value to the organization

Risk Assessment Definitions

What is Risk?

• Risk is defined as any event, action, or non-action that could adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.

How do we measure the risk? Two parameters:

• Severity of the risk (Impact)
• Frequency of the risk appearance (Likelihood)

What is the potential damage to the entity? (Risk Criteria)

• Financial (loss of revenue, increase in expenses)
• Human lives, injuries
• Environment
• Compliance, etc.

Risk Assessment Definitions (Cont’)

What are Management and Control Activities?

• Management and control activities include all actions taken at management level to mitigate/manage and monitor important risks facing the entity.

What is Risk Management (RM)?

• A process of identifying and analyzing exposure to risk and determining how best to handle the exposure.

What is a Risk Assessment (RA)?

• RA is a step in the risk management process that includes identifying, mapping and prioritizing the key risks that pose a threat to the organization.

What is a Key Risk Indicator (KRI)?

• A Key Risk Indicator is a measure used in management to indicate how risky an activity is. It provides an alert which needs to be addressed.

Common ways to handle a risk

• Ignoring – “won’t hear, won’t see, won’t speak”
• Passing responsibility for the risk on to another entity (outsourcing, insurance)
• Mitigating exposure to the risk through controls and changes to business processes
• Acceptance of the risk

Risk examples … not only in theory

Risk Name (Risk Group): Risk Description

1. Tone at the Top (Strategic): Senior management fails to establish an environment that encourages integrity, ethical values, and competence through management’s operating style, assignment of authority and responsibility, and development of employees.

2. Organizational Structure (Strategic): The overall structure of the branch does not support the achievement of strategic and business objectives in an efficient manner.

3. Forecasting (Strategic): Inability to forecast financial and trade information to enable the allocation of resources to new and existing initiatives, and to communicate earnings expectations to the market.

4. Technology Implementation (Strategic): Failure of the technology supporting a major initiative to meet the business need of the initiative and the strategic objectives of the organization (i.e. internet site, CRM system).

5. Competition (Strategic): Actions of competitors or new entrants to the market affect the branch’s competitive advantage and/or ability to survive. Inability to maintain and grow market share due to the failure to recognize and respond to competitive threats.

6. Crisis Communication (Strategic): Failure to communicate the right message in an effective manner to recover and maintain business operations in the event of a crisis or disruption due to physical or natural circumstances.

7. Marketing (Operational): Inability to identify the particular wants and needs of target markets of customers, and to satisfy those customers better than the competitors. This includes centralized and regional/local marketing initiatives and loyalty programs.

8. Passengers Lounge (Operational): Inability to provide satisfying and cost-effective lounge services in order to satisfy customers and optimize the Airline’s profitability.

Example of an airline “Risk Radar”

1. Cost management
2. Labor issues – union negotiations, pensions, productivity
3. Competition – high speed trains, trucking
4. Fleet – fleet mix, availability of new aircraft, financing
5. Culture – managing, tone at the top, organizational structure
6. Safety – compliance with SOPs
7. Low cost
8. Foreign exchange – fluctuations in foreign exchange and interest rates
9. Fuel – the airline’s failure to monitor fuel price volatility and unpreparedness to respond to the return of high fuel prices
10. Macroeconomic – reduced demand for air travel resulting from global financial crisis and economic slowdown
11. Mergers and alliances
12. IT – interruption, continuity, ageing legacy systems
13. Contract management and monitoring
14. Acts of God – volcano, earthquakes
15. Terrorism
16. Epidemics
17. Vendor issues – economic dependence
18. Regulatory changes – carbon emissions, cargo security, food safety
19. Cash flow – cash flow that makes it impossible to manage and fulfill the airline’s obligations

[Figure: risk radar plotting the nineteen risks by Impact and Likelihood, with markers for “Lower rating than last year”, “Higher rating than last year” and “New risk”.]

Combining Between Impact and Likelihood

[Figure: Impact (Low / Moderate / High / Critical) versus Likelihood (Rare / Unlikely / Likely / Most Certain) matrix with the numbered risks plotted on it.]

A comprehensive approach to risk management

[Figure: diagram of the organization from its goals down to its risk management activities; the text recoverable from the diagram is listed below.]

Organization’s goals / objectives: Service, Profitability / Cash flow, Safety / Security (“Helps us achieve our goals”); Regulation (“Keeps us out of trouble”).

Executive Management and Strategy.

Divisions (VP’s / Division’s goals / objectives): Maintenance, Cargo, Commerce, Service, Operations, National carrier, Global sales, Finance, IT, HR & Admin.

Business units / Processes: Workshops & logistics, A/C overhaul, IT Infrastructure, Information systems, Quality control, Engineering, A/C maintenance, International affairs, HR, Company treasurer, Budget and control, Accounts, Training and organizational development, Administration, Israel branch, Operations control, In-flight services, Israel station, Ground operations, Flight operations, Revenue management, Commercial planning, Schedule and dist. sys., Pax marketing, Security officer, Procurement and supply, Representatives, Corporate division, Customer’s service and sales, Planning and organization, Safety & quality, Security; processes such as Aircraft maintenance, Collection, Advertisement, Payments, Recruitment, Sales, Financial reporting, Backups, Fueling.

Risks → Risk management activities (Monitoring activities / Management controls; Passing responsibility over the risk; Acceptance of risk; Abandonment of business activities) → Achieving organizational goals.

ELAL’s ERA model with focus on Station Audit

Why use ERA as part of the audit process

• Discussion of the risks the station is facing and the methods for handling them.
• Enable the management team (not only the manager in charge) to provide input on the process and on what is important “in their eyes”.
• Enable the audit team to focus on the material issues.
• Market the audit in a different, more friendly way.
• Put the subject of risk management on the agenda, creating discussion within management as to the ten (or more) most significant risks, and beginning a process of change in management perception and thinking method.

[Figure: the ERA process, shown as a flow of the following steps.]

• Defining the organization’s goals / objectives
• Defining the Station goals / objectives
• Identifying key business processes / business units in the Station
• Identification of key risks – “What can go wrong”
• Identification of management actions and controls to mitigate the risk
• Rating impact and likelihood of each risk
• Presentation of the top 10 risks

ERA Workshop / Questionnaire covers: Impact, Likelihood, Controls / management action.

[Figure: example process map of a business unit (purchase and replenish, inbound and outbound logistics management, merchandising, DC processing, store operations, supplier coordination) with the information flows between them.]

Risk Impact criteria

Level of Impact: Low / Moderate / High / Critical

Financial – risk which might result in loss of income / increase in expenses or inability to fully achieve set goals of income / savings / enhancement:
• Critical: higher than ___$ million
• High: ___$ million to ___$ million
• Moderate: __ million$ to __ million$
• Low: up to __ million$

Reputation – adverse publicity which may result in loss of income, legal actions, drop in share prices, loss of market share, loss of key personnel and cessation of business relations:
• Critical: a critical and irreparable damage to company and shareholders’ reputation
• High: a significant yet repairable damage to company reputation or credibility for a time span of three to six months
• Moderate: limited yet repairable damage to company reputation or company credibility for a time span of one to three months
• Low: limited damage to company reputation for a time span of up to one month

Compliance – risk which might result in non-compliance with rules and regulations:
• Critical: a critical act of non-compliance which might result in cessation of business activities
• High: non-compliance which might result in major restrictions on business activities or heavy financial sanctions and exposure of company executives or employees to criminal actions
• Moderate: non-compliance which might result in restrictions on business activities or moderate financial sanctions and exposure of company executives or employees to civil actions
• Low: non-compliance which might result in minor restrictions on business activities or minor financial sanctions and will not lead to legal actions against company executives or employees

Human lives / Injuries – risk which might result in bodily injuries or loss of human lives:
• Critical: plane crash or abduction or loss of human lives
• High: damage to aircraft or property or heavy injuries
• Moderate: damage to aircraft or property or moderate injuries
• Low: damage to aircraft or property or minor injuries

Defining criteria for rating a risk

Likelihood – the likelihood of a risk is the probability of the risk occurring.

Ranking of the risk’s likelihood is based on several criteria:

• Complexity of an activity
• Volatility of products/assets
• Degree of experience of those involved in the activity
• Level of involvement of external parties
• Past experience
• Controls / management activities

Assessment of the likelihood of a risk is a qualitative assessment based upon the self-judgment of the assessor.

Two options exist: the “Gross” or “Inherent” likelihood, and the “Net” or “Residual” likelihood. We will use the “Net” / “Residual” method.

Criteria for evaluating risk likelihood

Likelihood (Rating): Definition

• Rare (1): May only occur in exceptional circumstances / a non-complex business process / no previous occurrences / a strong control environment in place
• Unlikely (2): Could occur at some time / less than 25% chance of occurring / a non-complex business process / few previous incidents / some checks and balances
• Likely (3): 25%-75% chance of occurring / complex business process / some checks & balances
• Most certain (4): High probability of occurrence – over 75% / complex business process / minimal checks and balances

Criteria for evaluation of controls / management action

Level of control (Rating): Definition

• Very Poor (1): Controls and management activities do not exist or are very limited in nature / poorly designed; there is great potential for improvement
• Poor (2): Controls and management activities are designed to mitigate the risk only partially; there is moderate potential for improvement
• Satisfactory (3): Controls and management activities are designed to mitigate the risk; there is little potential for improvement
• Good Practice (4): Controls and management activities are designed to fully mitigate the risk; mitigating activities are considered to be of the highest standards and are considered as leading practice by other organizations

Defining the main business processes / business units

• Catering
• Fueling
• Baggage handling
• Cabin cleaning
• Weight and balance
• Cargo loading
• Cargo transportation
• Passengers’ security
• Cargo security
• Aircraft security
• Non-routine maintenance
• Routine maintenance
• IT
• Ticket counters
• Cashiers
• Passengers’ lounge
• Gates / Boarding
• Crew transportation
• Instructions to flight crew
• Crisis management
• HR management
• Cash management
• Budgeting
• Purchasing & cost control

Two basic approaches to identification of risks

“Bottom Up” Approach (BUA)

• Risks are approached through a comprehensive analysis of the work processes within the organization and identification of specific risks that derive from each process.
• The process begins from the process owners, working its way up towards the management.
• Mostly results in identification of detailed risks specific to each process.
• Implemented over a long period of time.
• Requires a significant amount of resources (compared to TDA).

“Top Down” Approach (TDA)

• Focuses on identification and prioritization of only the key risks.
• A two-level approach – identification of risk areas and presentation of an action plan for mitigation.
• Allows one to “see the forest for the trees”.
• Implemented over a shorter period of time.
• Requires considerably fewer resources (compared to BUA).
• Requires management commitment and involvement.

Identifying the key risks in the Station

• Failure to properly plan and monitor cargo movement by plane and truck.
• Failure of the cargo unit to provide customer service to enable long-term customer loyalty.
• Ineffective cargo logistic processes lead to lost cargo business.
• Inability to deliver or obtain maintenance and repair services cost-effectively, reliably and on time.
• Lack of maintenance equipment makes it impossible to effectively deliver or obtain aircraft maintenance and repair services on time.
• Inefficient process leads to excess costs.
• Failure to attract, hire, and retain the qualified resources to optimize execution of the organization’s objectives.
• Inability to develop and enhance employee skills and provide performance management that ensures optimal achievement of organizational strategies, goals and objectives.
• Inability to effectively provide, obtain and manage all ground handling services needed to keep the Airline operating. Includes the inability to manage irregular operations, baggage handling, ramp, deicing, cabin grooming, fueling, catering and other below-the-wing services.
• Inefficient processes lead to excess costs.
• Inadequate fuel quality, fuel shortage and/or inability to provide fuel at a reasonable cost.
• Terror and malicious acts.
• Failure to consider purchasing/supply initiatives to maintain the cost of parts, products and services at acceptable levels.
• Inability of technology to support the station processes.
• Potential unethical acts committed by station employees or other stakeholders may negatively impact the Airline’s reputation.
• Failure to identify and prevent legal risks posed by non-compliance with local, national and international regulatory requirements.
• Failure to provide effective and efficient check-in/boarding and self-kiosk services to customers, including ticket processing, seat allocation, changes and upgrades, baggage handling, special-needs customers and communication during irregular operations.
• Low customer satisfaction caused by excess waiting, late flights, lost or damaged baggage/cargo and unmet needs may lead to reduced customer loyalty and lower revenues.
• Failure to effectively manage and control aspects of a flight including crew scheduling, irregular operations, communication with ground, flight and airport personnel, emergency response and other services.
• Inefficient process leads to excess costs.

Rating impact and likelihood of the risk at the process level

[Figure: rating worksheet, not reproduced in the transcript.]

Determining Audit Priority (Risk Level and Audit Info’)

[Figure: audit priority table, not reproduced in the transcript.]

Station Risk’s Map – Audit program

[Figure: station risk map with the audit program; the legend includes “Lower rating than average”.]

Summary – What have we learned today

• Introduction to risk management and basic definitions – RM, RA, KRI
• The benefit of using ERA as a means of audit scoping
• ERA as a management tool
• Introduction to a simple model for implementation of a top-down ERA at the station level
• It’s not all about deliverables – the most salient advantages of using the ERA are putting the subject of risk management on the agenda, creating discussion within executive management as to the ten (or more) most significant risks, and beginning a process of change in management perception and thinking method.

TODA – Thank you

Risk Name: Fraud
Business process / Business unit: Accounts / Sales / Res / Station / Management
Risk #:
Risk Owner: Management
Update date: 27/7/11

Risk Description: Potential unethical acts committed by Airline employees or other stakeholders may negatively impact the Airline’s reputation.

Additional Details and Contributing Factors:
• Poor IT systems support
• Lack of segregation of duties in the procurement process
• No user password required to the payment system
• Two fraud incidents in the past 3 years
• No legal procedures were taken against the involved employees and they’re still working at the station

Management Actions:
• Each financial transaction requires the signature of 2 authorized representatives
• The sales department uses anti-fraud software
• Bank accounts are monitored by headquarters regularly
• A code of ethics is implemented and signed yearly by each employee

Risk rating:
• Impact (Low / Moderate / High / Critical): Moderate
• Likelihood (Rare / Unlikely / Likely / Most Certain): Likely
• Management actions effectiveness (Good Practice / Satisfactory / Poor / Very Poor / Can’t say): Good Practice
• Risk Level (Low / Moderate / High / Critical): Moderate
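As an added worked example (not part of the presentation), the likelihood and controls rating scales above and the fields of the Fraud record encoded as a small risk-register scorer in Python, with the register sorted into audit priority. The 4x4 impact/likelihood matrix and the priority ordering are assumptions, since the slides show them only as figures, and the two extra register rows are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Rating scales as defined on the slides (rating 1..4 for each).
IMPACT = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Likely": 3, "Most Certain": 4}
CONTROLS = {"Very Poor": 1, "Poor": 2, "Satisfactory": 3, "Good Practice": 4}

# ASSUMPTION: the slides show the impact/likelihood combination only as a
# matrix figure, so this 4x4 table is an assumed stand-in (rows = impact
# Low..Critical, columns = likelihood Rare..Most Certain). It reproduces the
# slides' own Fraud example: Moderate impact x Likely = Moderate risk level.
RISK_MATRIX = [
    ["Low", "Low", "Moderate", "Moderate"],
    ["Low", "Moderate", "Moderate", "High"],
    ["Moderate", "High", "High", "Critical"],
    ["High", "High", "Critical", "Critical"],
]


def likelihood_rating(chance: float, previous_incidents: int) -> str:
    """Map the assessor's residual ("net") chance of occurrence (0..1) and the
    incident history onto the likelihood scale. The <25% / 25-75% / >75%
    thresholds and "no previous occurrences" for Rare are the slides' criteria;
    using them as the only deciding criteria is a simplification."""
    if chance > 0.75:
        return "Most Certain"
    if chance >= 0.25:
        return "Likely"
    return "Rare" if previous_incidents == 0 else "Unlikely"


def risk_level(impact: str, likelihood: str) -> str:
    """Look up the assumed matrix; raises KeyError for values off the scales."""
    return RISK_MATRIX[IMPACT[impact] - 1][LIKELIHOOD[likelihood] - 1]


@dataclass
class Risk:
    """One row of the station risk register (fields as on the Fraud record)."""
    name: str
    process: str
    owner: str
    impact: str
    likelihood: str
    controls: Optional[str]  # None stands for the slide's "Can't say"
    contributing_factors: List[str] = field(default_factory=list)
    management_actions: List[str] = field(default_factory=list)

    def level(self) -> str:
        return risk_level(self.impact, self.likelihood)


def audit_priority(register: List[Risk]) -> List[Risk]:
    """ASSUMPTION: audit priority = highest risk level first, then weakest
    controls first; an unassessed ("Can't say") control environment sorts as
    weakest because the auditor has no evidence that it works."""
    rank = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
    return sorted(register, key=lambda r: (-rank[r.level()],
                                           CONTROLS[r.controls] if r.controls else 0,
                                           r.name))


# Register row transcribed from the presentation's Fraud record.
FRAUD = Risk(
    name="Fraud", process="Accounts / Sales / Res / Station / Management",
    owner="Management", impact="Moderate", likelihood="Likely",
    controls="Good Practice",
    contributing_factors=["Lack of segregation of duties in the procurement process",
                          "No user password required to the payment system"],
    management_actions=["Signature of 2 authorized representatives per transaction",
                        "Bank accounts monitored by headquarters regularly"],
)
# Two further rows constructed here for the sorting demo (ratings invented).
FUEL = Risk("Fuel supply", "Fueling", "Station manager", "High", "Unlikely", "Poor")
PAYMENTS = Risk("Payment system access", "Payments", "Finance", "Moderate", "Likely", None)
REGISTER = [FRAUD, FUEL, PAYMENTS]

if __name__ == "__main__":
    for r in audit_priority(REGISTER):
        print(f"{r.level():<9} {r.controls or 'Cannot say':<13} {r.name}")
```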