On December 20th, the Australian Department of Infrastructure and Transport posted a Guidance Paper on Requirements for Internal and External Audit and Review of Security Plans for Maritime Industry Participants (MIPs). The Paper provides “more detail on the measures and procedures that the Office of Transport Security (OTS) considers best practice in meeting the regulatory requirements for audits and reviews.” This guidance is to be used in preparing revised maritime security plans, ship security plans, and offshore security plans as they come up for renewal. As a result, the promulgated audit and review schedules will be implemented gradually over time, as existing security plans have been approved with various schedules. Revised security plans will also need to reflect revised procedures for conducting audits and revised processes for selecting independent auditors.
The issuance of the Guidance Paper was prompted by recurring failure of some MIPs to undertake reviews and audits of security plans by internal and external auditors, as well as a review of existing security plans that revealed a widespread lack of understanding of the differences between internal audit, external audit, and security plan review.
Under Australian regulations, an audit examines “security measures or procedures to determine if a maritime security plan or ship security plan has been implemented correctly.” In a review, the examination determines whether the security plan is “effective and adequate.” Internal audits are performed by someone in the organization who is not responsible for the implementation of the plan’s security measures. External audits must be done by someone outside the organization who is independent of those responsible for implementing security measures. A security plan review may be carried out by internal personnel or external resources. (A security consultant who prepared the security plan is eligible to perform either function, provided that the necessary independence exists.)
The Guidance Paper establishes the following regarding audits:
They are to be conducted annually, alternating between internal and external audits, starting with an internal audit within 12 months of security plan approval;
An internal audit is to be conducted as soon as practicable after a change in the Maritime Security Level (this audit replaces the required annual audit);
The requirement for external audits may be waived for “simple low risk operations” and “operations in remote locations where suitable external auditors are not available,” if the affected MIPs can prove their case to the Government; and
An audit by the Government does not count as an external audit.
With regard to security plan reviews, the Guidance Paper provides:
They are to be performed:
– Annually, “to ensure continual improvement,” starting within 12 months of security plan approval;
– Following a security incident; and
– As soon as practicable after a change in the Maritime Security Level.
A review conducted as the result of a security incident or a change in the Maritime Security Level substitutes for the regular annual review.
Reviews of security plans are to include a review of the supporting Security Risk Assessment and take into account the most recent relevant Risk Context Statements.
The Guidance Paper also provides criteria for the selection of suitable auditors and reviewers, although, from the language, it appears that the Government will determine who is suitable, by considering the following factors in the light of other guidance in the Paper:
“a. Any formal qualifications;
b. Relevant past work undertaken; and
c. Examples of previous audit reports provided by the nominated auditor”
All in all, the Guidance Paper, which also includes a Feedback Form for industry input, represents a solid step for better ISPS Code implementation. The formal alternation of internal and external audits promises enhanced assessment of maritime security plan implementation. The clarification of the purpose of an annual security plan review will ensure that the process extends beyond concern over implementation and addresses adequacy, and thereby lead to improvement in overall maritime security. The US definition of an audit in 33 CFR 101.105 is far less clear than the Australian one, but incorporates the purpose of a maritime security plan review, a concept not mentioned in the US maritime security regulations, by calling for identification of things that render the plan “insufficient.” Separating the two processes seems desirable, as that better delineates and preserves the two different focuses.
NOTE: This post may be copied, distributed, and displayed and derivative works may be based on it, provided it is attributed to Maritime Transportation Security News and Views by John C. W. Bennett, http://mpsint.com