Internal Audit Plan INTERNAL AUDIT DEPARTMENT Year 2014 VERSION 1.0/2014

Annual Internal Plan 2013-14 UU Final


  • Internal Audit Plan

    INTERNAL AUDIT DEPARTMENT

    Year

    2014

    VERSION 1.0/2014

  • Year 2014 INTERNAL AUDIT PLAN

    Urban Sector Planning & Management Services Unit (Pvt) Limited 1

    TABLE OF CONTENTS

    1. Introduction
    2. Purpose of Internal Audit Plan
    3. Internal Audit Approach
    4. Internal Audit Process
    5. Annual Enterprise Risk Assessment
    6. Development of Internal Audit Plan
    7. Allocation of Internal Audit Resources
    8. Internal Audit Plan 2014 Matrix
    9. Internal Audit Plan 2014 Timelines
    10. Pre-payment Audit (Pre-audit)
    11. Auxiliary Internal Audit services
    12. Internal Audit Plan Revision
    13. Internal Audit Reports
    14. Internal Audit Follow-up
    15. Coordination with External Auditors
    16. Professional Standards
    17. Appendices


    1. Introduction

    Urban Sector Planning & Management Services Unit (Pvt) Limited (hereinafter called the Urban Unit) was incorporated under the Companies Ordinance 1984 on June 18, 2012. The core areas of operations include Urban Planning, Urban Transport, Solid Waste Management, Urban Water & Sanitation, GIS & Spatial Planning, and Municipal Finance etc. The support services comprise human resource, procurement, information technology, communication, financial management, internal audit and administration etc. The organogram of the company splits the human resources into three broad categories, namely specialist, corporate and administrative positions.

    The Board of Directors comprises seven members. The authorized share capital of the company is divided into 1000 shares of Rs.10,000 each. P&D Department Punjab is the majority shareholder. The objectives of the company are articulated in the memorandum of association. The business of the company is governed by its articles, policies & procedures, the Companies Ordinance 1984 & subordinate regulations, and government laws & directives. Accountability is ensured through external and internal assurance. The external audit is conducted by a chartered accountant firm appointed by the BOD as well as by the auditors of the Auditor General Department under the provisions of the Auditor General's Ordinance 2001. The internal assurance is provided by the Internal Audit Department of the company, which is responsible to the Audit Committee of the BOD. The terms of reference for the Internal Audit of the company are laid down in the Internal Audit Charter of the Company. The charter requires an annual internal audit plan to be approved by the Audit Committee.

    2. Purpose of the Internal Audit Plan

    The annual internal audit plan is intended to plan for internal audit engagements to evaluate, determine and opine whether the organization's risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure:

    - Risks are appropriately identified and managed.
    - Significant financial, managerial, and operating information is accurate, reliable, and timely.
    - Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
    - Resources are acquired economically, used efficiently, and adequately protected.
    - Programs, plans, and objectives are achieved.
    - Quality and continuous improvement are fostered in the organization's control process.
    - Significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately.


    It is our intent to convey a current sense of the Company's internal control environment and the extent to which institutional risk mitigation is being assessed by regular audit activities, addressed proactively through advisory services, or investigated as a result of issues raised.

    3. Internal Audit Approach

    At the Urban Unit, Internal Audit Department is striving to dispel the notion of an audit as something done to the management, in a stand-alone activity. Rather, we are promoting the concept that an audit is something we accomplish with the management. This is what we call participatory auditing, and we are convinced that the product of this approach will be far superior to any audit completed without active involvement of the management and the process owner. Why are we so confident of this? The answer is simple: nobody knows the process better than its owner.

    As a step beyond participatory auditing, our audit approach is risk based and demand driven, providing independent, objective assurance & review aimed at adding value to the Company's governance, risk management and control processes.

    4. Internal Audit Process

    In all phases of the audit, we not only welcome but request management's active involvement throughout the audit cycle, starting before the entrance conference and continuing through planning, testing, and reporting. The following are the audit process steps we normally follow:

    Planning - The Internal Auditor meets with the senior management, department heads and process owners, the staff responsible for the function to be audited. This enables the auditor to understand the process being audited and the control environment. The Internal Auditor develops an audit program to outline the testing that will be performed to ensure controls are designed to function as management expects. The Internal Auditor will often develop flowcharts to document the process being audited.

    Testing - The Internal Auditor will test a sample of transactions and processes during field audit and express an opinion on the control environment. As a result of testing, the Internal Auditor will recommend audit improvements when noted.

    Communication and Reporting - An informal summary of findings is shared with department heads or process owners directly involved in the audit for their comments. A draft audit report is prepared and communicated with management and their response is incorporated. The final report is presented to the Audit Committee for review and discussion. Afterwards, the final report is distributed to the Board and management.

    Follow-up - The Internal Auditor generally performs a follow-up on corrective action plans or management response to address audit recommendations.

    5. Annual Enterprise Risk Assessment

    The Internal Audit department continues to utilize a formalized risk assessment methodology in selecting functions/processes/units/systems for inclusion in the annual audit plan. Relative risk assessment is necessary to provide a basis for the rational deployment of our limited resources for audit engagements across the Company.

    The risk assessment comprised internal & external assessments of existing and emerging risks within or outside the organization.

    5.1 Internal Risk Assessment

    As part of the annual risk assessment and audit planning process, we held risk discussions with the senior management, sectoral heads and process owners to identify risks of concern at the functional and organizational level. For internal risk assessment, a series of interviews & discussions with the functional heads were conducted, a personally administered risk assessment questionnaire was shared, and the responses were recorded. On the basis of this assessment, risks were rated. The risk areas & factors evaluated during the annual internal risk assessment include:

    - The overall governance framework of the company and its functions
    - Control environment
    - Designing and implementation of adequate functional processes
    - Functional significance & impact
    - A well-defined futuristic business plan and revenue stream of the company
    - Developing and implementation of sectoral/functional plans, targets and quantified KPIs
    - Human resources planning, management, appraisals and capacity building
    - Service delivery efficiency, effectiveness & impact
    - Financial management
    - Procurement planning and financial plans/budgets and their implementation
    - Periodic operational and financial reporting and its reviews and access to information
    - Documentation management, updation & data security
    - Assets management & safeguarding

    We also held discussions with heads from core and support services to solicit input on the Company's institutional risks and any specific areas of concern. We also used these meetings as an opportunity to obtain feedback on the priority & frequency of audit services we plan to provide.

    Our internal risk assessment covered the assessment of 20 individual auditable functions/activities of the company including 9 Core services and 11 support services as listed below.

    Core Services:

    - Urban Planning
    - Solid Waste Management
    - Water & Sanitation
    - Urban Transport
    - Geographical Information Systems
    - Municipal & Local Government Finance
    - Urban Economic services
    - Program/Project Management (High value projects)
    - Business Development services

    Support Services:

    - Information Technology
    - Procurement management
    - Finance & Accounts
    - Human Resource Management
    - Admin & logistics
    - Communication Management
    - Monitoring & Evaluation
    - Office documentation & mail management
    - Corporate Compliance
    - Assets & inventory management (stores)
    - Library/Learning resource center

    5.2 External Risk Assessment/Scan

    Formal and informal discussions and a scan of the external environment of the company were undertaken. The external risks identified are:

    - The expectations of stakeholders and level of achievement of company objectives
    - The company's reputation in the external environment
    - The effectiveness of services of the company
    - Adherence to corporate social responsibility
    - Future growth & sustainability of the company

    5.3 Overall Risk Assessment Findings

    The risk factors that we considered significant in prioritizing audit engagements and frequency (cycle) are:

    - Impact on the Company's mission & goodwill
    - Impact on Company finances
    - Impact on safeguarding assets & resources
    - Assessment of the activity's control environment
    - Level of compliance concerns
    - Impact of information technology
    - Complexity and/or diversity of the activity
    - Changes in the organization or leadership
    - Social responsibility & uplift

    Our annual risk assessment 2014 found that, of the total 20 individual auditable functions/activities of the company, including 9 core services and 11 support services (listed above), 6 functions/services are considered to be high risk, 7 moderate risk, and 7 low risk. A rating of high risk does not mean that the activity is perceived to have control problems, but rather reflects the criticality or centrality of the activity to the Company's mission.

    The overall risk assessment of the functions/services of the company is depicted in the following traffic-light (TL) diagram showing High Risk (red light), Medium Risk (blue light) and Low Risk (green light) bars listing functions/activities of the company in each bar. The numbering of functions has nothing to do with risk rankings.

    It is again clarified that a rating of High Risk does not mean that the activity/function is perceived to have severe control weaknesses & problems making it prone to failure; rather, it reflects the criticality, centrality or significance of the activity to the Company's mission bearing high risks.

    6. Development of Annual Internal Audit Plan

    The development of the annual audit plan is based on information gathered through broad consultation across the Company and annual risk assessment findings. Taking into account the information we obtained in our risk assessment process and its analysis, the Company's increased focus on introducing new and upgrading its major management systems/processes, the paradigm shift in organizational mode, the expanding and changing business spread, and the induction of fresh sectoral management occurring within the Company, we believe that a "back to the basics" audit plan is most appropriate for 2014.

    Finally, our annual planning process includes re-examining the audit universe to ensure that all Company activities are considered when determining how audit resources will be allocated. We also consider new regulatory developments, new business processes, institutional priorities and strategic initiatives.

    [Traffic-light diagram referred to in section 5.3: functions/activities of the company by risk rating]

    High Risk:

    1. Solid Waste Management
    2. Geographical Information Systems
    3. Project Management (High Value projects)
    4. HR management
    5. Procurement management
    6. Finance & Accounts

    Medium Risk:

    1. Urban Planning
    2. Water & Sanitation
    3. Urban Transport
    4. Corporate Compliance
    5. Admin & logistics
    6. Information Technology
    7. Assets & inventory Management

    Low Risk:

    1. Urban economic Services
    2. Municipal & LG Finance
    3. Communication Management
    4. Monitoring & Evaluation
    5. Business Development
    6. Library/LRC
    7. Office documentation & mail management

    7. Allocation of Audit Resources

    The audit plan timelines are based on the human resources available in the Internal Audit Department. Internal audit resources have been allocated to the activities that must be performed efficiently to discharge its responsibilities as per the charter and to achieve IA objectives.

    Approximately 63% of Internal Audit's resources are committed to the completion of planned audit engagements. Keeping in view the commencing stage of the Company, 10% of resources are estimated to be consumed in consulting and advisory services, while 12% are estimated for pre-audit. The remainder of our FY 2014 audit resources is reserved as follows:

    - 5% has been reserved to accommodate requests from the Board, audit committee or executives for audit investigations.
    - 3% has been reserved for follow-up procedures performed on behalf of the Audit Committee.
    - 7% has been set aside for internal administrative functions, annual reporting and trainings, including continuous improvement efforts.

    These allocations are based on risk assessment findings, activity levels & the current scenario in the company, and are subject to revision/modification, as the audit plan is a living document and changes are usually envisaged.

    The Internal Audit Department will be provided the requisite budgetary resources and logistical support by the management, and free access to all information, documents, records, properties and employees, in order to facilitate the implementation of the plan. The management will also provide additional human resources, if so required by the Internal Audit Department during the year, for efficient discharge of its responsibilities and execution of the plan.

    [Chart: Internal Audit Plan 2014 Resource Allocation. Labelled segments: Scheduled Audits 63%, Special Audits/Investigations 5%, Consulting/advisory services 10%, Pre-audit 12%.]

    [Chart: Internal Audit Plan 2014 Time Allocation for Scheduled Audits (in days), for Core Services and Support Services at High Risk, Med Risk and Low Risk. Values shown: 48, 12, 3, 68, 19, 7.]

    8. 2014 Internal Audit Plan Matrix


    URBAN SECTOR PLANNING & MANAGEMENT SERVICES UNIT (PVT) LIMITED

    Internal Audit Plan Matrix Year 2014 (20th Feb to 31st Dec 2014)

    | Audits | Process Owner/Functional Head | Audit Frequency | Budgeted diem p.a. | Scope of audit | Type of audit | Risk Area(s) Covered |
    |---|---|---|---|---|---|---|
    | High Risk Audits: Support Services | | | | | | |
    | Human Resource Management | Senior HR Manager | Quarterly | 16 | Functional & Process | Compliance | Governance, HR process, service delivery, internal controls, documentation, financial |
    | Procurement management | Procurement Manager | Quarterly | 16 | Functional & Process | Compliance | Governance, HR process, service delivery, internal controls, documentation, financial |
    | Finance & Accounts | Chief Financial Officer | Quarterly | 36 | Functional & Process | Compliance & assurance | Governance, internal controls, documentation, financial |
    | High Risk Audits: Core Services | | | | | | |
    | Solid waste management | Sr. SWM Specialist | Quarterly | 8 | Functional | Performance & Compliance | Governance, service delivery, internal controls, documentation, financial |
    | Geographic information system | Sr. GIS Specialist | Quarterly | 8 | Functional | Performance & Compliance | Governance, service delivery, internal controls, documentation, financial |
    | Program/Project Management | Project Manager/Team Leader | Quarterly | 32 | Functional & Process | Performance, Compliance & assurance | Governance, service delivery, internal controls, documentation, financial |
    | Medium Risk Audits: Core services | | | | | | |
    | Urban Planning | Sr. Urban Planner | Annually | 3 | Functional | Performance & Compliance | Governance, service delivery, documentation |
    | Water & Sanitation | Sr. W&S Specialist | Annually | 3 | Functional | Performance & Compliance | Governance, service delivery, documentation |
    | Urban Transport | Sr. Transport Specialist | Annually | 3 | Functional | Performance & Compliance | Governance, service delivery, documentation |
    | Medium Risk Audits: Support services | | | | | | |
    | Corporate Compliance | Company Secretary | Annually | 3 | Functional | Performance & Compliance | Governance, service delivery, documentation |
    | Admin & logistics | Admin Manager | Annually | 5 | Functional & Process | Performance & Compliance | Governance, service delivery, internal controls, documentation |
    | Assets & inventory Management | Admin Manager & IT | Annually | 6 | Functional & Process | Performance & Compliance | Governance, service delivery, internal controls, documentation |
    | Information Technology | IT Specialist | Annually | 5 | Functional & Process | Performance & Compliance | Governance, service delivery, internal controls, documentation, information system |
    | Low Risk Audits | | | | | | |
    | Library, M&E, Communication, Office documentation & other low risk functions | | Annually | 10 | Functional | Performance & Compliance | Governance, service delivery, internal controls, documentation |
    | Auxiliary Audit activities | | | | | | |
    | Consulting & advisory services | CIA | On demand | 25 | | | |
    | Pre-audit | CIA | Concurrent | 30 | | | |
    | Annual Audit Report | CIA | Annual | 5 | | | |
    | Audit Follow-up | CIA | Concurrent | 8 | | | |
    | Special Audit Investigations | CIA | On demand | 12 | | | |
    | IA Management & trainings | CIA | Concurrent | 8 | | | |


    9. Internal Audit Plan 2014 Timelines

    The following are the proposed timelines (schedule) for Internal Audit Plan 2014:

    [Schedule chart: planned audits plotted by quarter (Q1 to Q4), month and week (1 to 52). The bars are not reproduced here; the activities and cycles listed in the chart are given below.]

    | Planned Audits | Cycle |
    |---|---|
    | Annual Risk Assessment | Annual |
    | Annual Internal Audit Plan | Annual |
    | High Risk Audits: Support Services | |
    | Human Resource Management | Quarterly |
    | Procurement management | Quarterly |
    | Finance & Accounts | Quarterly |
    | Q1 Audit Report | Q1 |
    | High Risk Audits: Core Services | |
    | Solid waste management | Quarterly |
    | Geographic information system | Quarterly |
    | Program/Project Management | Quarterly |
    | Q2 Audit Report | Q2 |
    | Medium Risk Audits: Support services | |
    | Assets & inventory Management | Annual |
    | Information Technology | Annual |
    | Admin & logistics | Annual |
    | Corporate Compliance | Annual |
    | Medium Risk Audits: Core services | |
    | Urban Planning | Annual |
    | Water & Sanitation | Annual |
    | Urban Transport | Annual |
    | Q3 Audit Report | Q3 |
    | Low Risk Audits | Annual |
    | Annual Audit Report | Q4 |

    10. Pre-payment Audit (Pre-audit)

    During the year, the Internal Audit Department will carry out pre-payment audit (pre-audit) of financial transactions in accordance with its mandate given in the Internal Audit Charter and decisions of the Audit Committee of the Company. The pre-payment audit is a concurrent activity that will continue during the year.

    The materiality of the financial transactions of the company for pre-audit is determined as under:

    i. All financial transactions of above Rs.500,000/- (five hundred thousand) involving procurement of goods, services or works.

    ii. Every financial transaction involving salary & salary supplements.

    iii. All financial transactions of above Rs. 100,000 relating to operating expenses including repair & maintenance, advances and all other expenses.

    Vouchers & cheques, along with all supporting documents, for all financial transactions which are subject to pre-audit shall invariably be presented to the Internal Audit Department before payments are made, allowing a reasonable time for pre-audit. The internal audit officer will sign and stamp the vouchers or otherwise furnish his observations on the transaction(s) for management response.

    11. Auxiliary Internal Audit Services

    The Internal Audit department will also continue to perform auxiliary services relating to internal audit such as consulting services or special investigations on the request of management or the Board subject to availability of resources and expertise. However, no member of the Internal Audit department will assume or perform management responsibilities.

    12. Internal Audit Plan Revision

    The Internal Audit Plan 2014 may be revised during the year as the need arises or due to operational or external exigencies with the prior approval of the Audit Committee.

    13. Internal Audit Reports

    The Internal Audit Department will submit plan status reports and internal audit reports periodically, in accordance with the plan and at least quarterly, to the Audit Committee regarding the progress of the implementation of the Internal Audit Plan 2014 and audit findings, along with management response, if available.


    14. Internal Audit Follow-up

    The Internal Audit Department will continue follow-up of the audit recommendations and management action plan thereupon during the year.

    15. Coordination with external auditors

    The Internal Audit Department will coordinate its audit plan and reports with the Company's external auditors to ensure appropriate coverage is achieved through the internal and external audit plans and to leverage the collective efforts of both assurance providers.

    16. Internal Auditing Standards

    The Internal Audit Department will perform its audit activities in accordance with the Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing. All members of the internal audit department are also required to comply with the Institute's Code of Conduct for Internal Auditors.


    17. Appendices

    APPENDIX A

    ANNUAL ENTERPRISE RISK PROFILE 2014


    APPENDIX B

    ENTERPRISE RISK ASSESSMENT QUESTIONNAIRE