Internal Audit Strategic Plan 2015-2017
Table of Contents A. Introduction ................................................................................................................. 2 B. Roles, Responsibilities, and Standards adopted .......................................................... 2 C. Internal Audit Planning Framework, Methodology, and Process ............................... 3 D. External Environment ................................................................................................. 4 E. Internal Environment .................................................................................................. 5 F. University Key Business Risk .................................................................................... 6 G. High Level Assurance Mapping ................................................................................. 6 H. Principle of Coverage ................................................................................................. 7 I.
Internal Audit Focus Areas and Resourcing ............................................................... 8
Internal Audit Strategies ........................................................................................... 10
K. Key Risks to the Internal Audit Strategy .................................................................. 11 L. Performance Measure ............................................................................................... 12
Prepared by: Maria Mu, CPA, CMIIA, CISA, Manager, Internal Audit Date: 30/10/2014
Page 1 of 12
A. Introduction “Section 31 - Planning by internal audit function, Division 5 Internal audit and audit committees, (QLD) Financial and Performance Management Standard 2009” has the following requirements: “The internal audit function of a department or statutory body must undertake planning appropriate to the size and functions of the department or statutory body. The planning must include the preparation of: o a strategic audit plan that provides an overall strategy for the internal audit function for a period of at least 1 year; and o an audit plan, for each year, that sets out the audits intended to be carried out by the internal audit function during the year. The strategic audit plan and the annual audit plan of a department or statutory body must be approved by the department’s accountable officer or the statutory body”. Section 2010 – Planning, International Standards for the Professional Practice of Internal Auditing (Standards), also requires that the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals. The standards require that: the chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization; If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management (University Executives) and the board (The Audit Committee of the University Council); and the chief audit executive must review and adjust the plan, as necessary, in response to changes in the organisation’s business, risks, operations, programs, systems, and controls. It is good practice for the Internal Audit function to align its focus and activities to the organisation’s risks. Within this context, internal audit planning generally involves: a strategic plan that relates the role of internal audit to the requirements of the organisation by outlining the broad direction of internal audit over the medium term, in the context of all the organisation’s assurance activities; and a detailed work plan, generally prepared on an annual basis. To provide context, the work plan might be supported by a schedule of potential audits and an indication of previous audit coverage. Together, these documents serve the purpose of setting out, in strategic and operational terms, the broad roles and responsibilities that are included in the Internal Audit Charter and identify key issues relating to internal audit capability, such as the required skills. This Strategic Plan covers a three year period in line with the University’s normal planning cycle. It is reviewed at least annually by the Manager, Internal Audit in consultation with the University Executives and the key assurance providers, with the preliminary approval provided by the Vice Chancellor, and the formal approval provided by the Audit Committee of the University Council. Any significant deviation from the formally approved Internal Audit Strategic Plan is communicated to the Audit Committee for its approval including any impact of resource limitations.
B. Roles, Responsibilities, and Standards adopted Subsequent to the change of the University headline structure and the relocation of Internal Audit to the Legal and Assurance Unit within the Office of Chief of Staff, the Chancellery, Manager, Internal Audit has performed a major review of the Internal Audit Charter in consultation with the key stakeholders. The Internal Audit Charter was formally approved by the Audit Committee of the University Council on 21 August 2014. The purpose, authority, and responsibilities of the Internal Audit activity have been formally and clearly defined in the Internal Audit Charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
Page 2 of 12
The primary role of the Internal Audit function is to provide objective and relevant assurance services to the University (and its stakeholders) in light of the University Plan and risk profile. One important component of the assurance services provided by Internal Audit is to conduct audits in the areas of interest to the Queensland Audit Office (QAO), so that QAO may potentially rely on the work of Internal Audit to reduce its direct audit effort, and in turn reducing the University’s external audit fee. The secondary role of the Internal Audit function is to provide objective and relevant consulting/ad hoc advisory services, without assuming management responsibility. Internal Audit advises University management on a range of matters, including: o development of new programs and processes; o risk management; and o fraud control. The tertiary role of the Internal Audit function is to conduct audit support activities including the following: Internal Audit strategic and operational planning; Internal Audit functional and administrative reporting; monitoring the implementation of audit recommendations made by Internal Audit and QAO; liaison with the Queensland Audit Office; assisting Audit Committee to discharge its responsibilities, including facilitating Audit Committee reports to the University Council; and managing the contracts with and assessing the performance of the co-sourced service partners.
C. Internal Audit Planning Framework, Methodology, and Process The former Internal Audit Planning Framework consists of the following documents: 1. Audit and Assurance Office Triennium Plan 2. Internal Audit Strategy 3. Internal Audit Strategy table 4. Audit and Assurance Office Annual Work Plan and Program 5. Audit and Assurance Office Annual Operational Plan 6. AAO External Assessment - Action Plan Changes to the Internal Audit Planning Framework have been made to: reinforce the link of the Internal Audit planning framework to the University risk management and assurance framework; strengthen the links between the Internal Audit strategic and operational plans; simplify the Internal Audit framework so that stakeholders can have an easy view of the Internal Audit planning structure; and eliminate the overlapping coverage with the previous years’ six planning documents. The Internal Audit planning framework at the functional level has: This Internal Audit Strategic Plan. This plan replaces documents 1, 2, and 3 mentioned above. It has a three year outlook, and aims to describe the role of Internal Audit within the University’s overall assurance processes and provides an important link between the Internal Audit Charter and the detailed Internal Audit Annual Work Plan. It sets out: o the contribution of the internal audit function to the University assurance framework over the next three years covered by the Strategic Plan; o the broad details of the audit, audit support and non-audit activities that internal audit will undertake; and o the proportion of resources that will be devoted to the different types of activities that will be undertaken.
Internal Audit Annual Work Plan. This plan replaces the documents 4, 5, and 6 above. It specifies the proposed internal audit coverage within a calendar year. Manager, Internal Audit reviews the Internal Audit Annual Work Plan on a quarterly basis in line with the Audit Committee meeting dates. Any significant changes required will be discussed with the Vice Chancellor and be approved the Audit Committee formally. The
Page 3 of 12
Internal Audit Annual Work Plan sets out the Internal Audit activities intended to be carried out within a calendar year. Internal Audit adopts a risk based methodology. The planning at both the functional and engagement levels is based on the risk assessment performed by Manager, Internal Audit to ensure that it is appropriate to the size, functions and risk profile of the University. In order to provide optimal audit coverage to the University and minimise duplication of assurance effort, due consideration is given to the following aspects: key University business risks; any key risks or control concerns identified by management; assurance gaps and emerging needs; and scope of work of other assurance providers, internal and external. Internal Audit maintains an open relationship with the University’s External Auditor and any other assurance providers. The planning process includes formal consultation with the following key stakeholders: The Vice Chancellor; The Chair of the Audit Committee; University Executives; Queensland Audit Office (QAO); and Other internal assurance providers such as o Chief of Staff; o University General Counsel and Head Legal and Assurance; o Director, Quality, Planning and Analytics; and o Associate Director, Workplace Health and Safety.
D. External Environment There have been fundamental shifts in Higher Education policy in recent years with a significant new focus on nation building, job-readiness and the utility of the educational investments. Selfregulation and self-accreditation is being challenged by stronger community views about curriculum standards and the transparent oversight of outcomes. An increased awareness of the importance of quality of learning, teaching and research by both students and academic staff has resulted in a higher education sector that is increasingly competitive, responsive, learner-centred and corporatised. The proposed Higher Education Standards Framework which is to replace the Tertiary Education Quality Standards Agency (TEQSA) Threshold Standards will change the compliance environment for the University again. It is expected that the proposed framework will better reflect the three Basic Principles for Regulation articulated in the TEQSA Act 2011: the principle of regulatory necessity; the principle of reflecting risk; and the principle of proportionate regulation. However, a degree of uncertainty remains in terms of how TEQSA will undertake both compliance assessments and quality assessments, which will become a significant driver of the University’s risk management and assurance frameworks. The 2014 Federal Budget outlined the Government’s intent to pursue the most sweeping reforms of the Higher Education system in decades. The proposed scheme would see major changes to higher education commencing in 2016 with funding cuts that would impose significant challenges to the University budget environment, funding and operation models. The proposed scheme includes: approximately 20 per cent reduction in CGS funding rates; freedom for universities to set the amount of the student contribution as long as it does not exceed the amount which the University charges international students in that same discipline; and reduction in the indexation rate of all Commonwealth grants to universities (this includes CGS and research grants). At present, such grants are indexed using the Higher
Page 4 of 12
Education grant index (presently 3.02 per cent). This will change to CPI (presently 2.9 per cent). At the time of writing, it appears the Government is prepared to compromise on elements of its proposed scheme, but the outcome for higher education policy and therefore for Australian universities is currently unknown.
E. Internal Environment The University commenced a process around two years ago to position the University to grow in an increasingly competitive higher-education market. The decision to reorganise the University was informed by recommendations provided in two separate reports released in March 2013, namely Crystallising our Purpose (providing greater clarity and focus to our learning and teaching and research), and the Review of Services and Operations undertaken by Ernst & Young. In November 2013, the Internal Audit function (formerly the Audit and Assurance Office) went through an external assessment by PriceWaterhouseCoopers (PwC).The assessment had two objectives: to satisfy section 6 of the former AAO Charter which requires ‘an external quality assurance assessment conducted at least once every five years’. (This section of the Charter is consistent with s1312 of the Standards); and additionally, to provide insight into the level of efficiency and effectiveness of the AAO compared to better practice and stakeholder expectations. The Report of the 2013 external assessment of the former Audit and Assurance Office by PriceWaterhouseCoopers (PwC) highlighted five opportunities for improvement: Internal audit strategy; Coordination with organisational governance, risk and compliance activities; Stakeholder engagement; Resource allocation; and Independence. The approval of a new headline structure by the University Council in February this year set in train a University-wide reorganisation. On 28/07/2014, the Internal Audit function became a part of the Legal and Assurance Unit within the Office of the Chief of Staff. The consolidation of the Legal, Internal Audit, Risk and Insurance functions in one work unit is consistent with other models within the sector and to address the issues raised by Ernst & Young and PwC that better coordination of governance, risk, assurance and compliance activities is required. Under the new structure, the Internal Audit function remains independent functionally, and Manager, Internal Audit is the nominated person for the University as the Head of the Internal Audit under Section 78, Queensland Financial Accountability Act 2009, and Chief Audit Executive under the Standards. Internal Audit, as an independent assurance provider, continues to provide objective assurance and consulting activity, to add value and improve the University's operations through a systematic and disciplined evaluation of risk management, control and governance processes. Over the next three years, the University’s assurance landscape will change and evolve significantly, with the planned activities in the following areas: the refreshment of the Risk Management framework including clarified ownership for insurance and business continuity planning management within the Chief of Staff Portfolio; the development of a new three pillar approach to the legislative compliance framework – inform, comply, and assure, by the Chief of Staff; the co-location of Quality, Standards and Business Review and Improvement teams within the Directorate of Quality, Planning, and Analytics; and relocation of the WHS unit within the Division of Services and Resources. Over the next three years, Internal Audit will focus on developing and implementing Internal Audit strategies in light of the roles and responsibilities of the Internal Audit as defined within the Internal Audit Charter, and the 2013 External Assessment Report. Internal Audit is committed to
Page 5 of 12
increase the collaboration and synergy with other internal assurance providers. However, care will be exercised to ensure that the effectiveness of the Internal Audit function is not unduly contingent on the effectiveness of the management assurance activities.
F. University Key Business Risk Internal Audit reviewed the University risks registered with the University Enterprise Risk Management system, Riskware. For Internal Audit to be able to place greater reliance on the University Risk Register, the quality of the risk information needs to be improved and the information on causal factor(s), existing control(s), and treatment plan(s) if applicable, needs to be consistently captured for each risk. The Chief of Staff is in the process of refreshing the University’s Enterprise Risk Register. It is expected that Divisions will have a better clarified responsibility for internal controls, mitigation strategies and identifying triggers or causal factors that would require a contingency plan to be enacted within the enterprise level risk. Within the above context, Internal Audit discussed the causal factors of the key University risks with the relevant University Executives and other internal assurance providers, with an aim to determine if a particular causal factor, control, or treatment plan is “auditable”. The external causal factor which is beyond the control of the University is excluded. The risk related to the controlled entities which is out of the scope of the Internal Audit activities is also excluded. The consultation process identified the following key business risks that will be subject to the Internal Audit activities within the next three year planning cycle: 1. Decline in student numbers (Domestic vs. International, coursework vs. research); 2. Ineffective oversight of the third party academic quality; 3. Poor student experience & retention; 4. Non-compliance with legislative and regulatory requirements; 5. Non-compliance with contractual obligations; 6. Uneconomic and non-complying asset management; 7. Ineffective project management; 8. Ineffective information and security management; 9. Ineffective risk management and business continuity management; and 10. Ineffective human resource management (appointment & performance management).
G. High Level Assurance Mapping High level assurance mapping is performed to map the identified 10 key business risks to the various assurance activities such as management controls, management committee(s) monitoring, and Internal Audit activities. The aim of this mapping is to identify, for the benefit of the Vice Chancellor and the Audit Committee, any risks that are not being addressed by either internal audit or another assurance or review activity. It is important to recognise the following: the activities of External Auditor do not form part of the University’s control framework and are therefore not considered; the overall assessment of level of assurance is based on the Internal Audit’s judgement on the adequacy of management controls in place to manage a particular business risk; and where the level of assurance is not considered to be adequate, it is expected that the Audit Committee will take action(s) to increase the level of assurance to an acceptable level, including providing advice to the Vice Chancellor and the University Council. The outcome of the high level assurance mapping is tabulated overleaf. More detailed assurance mapping can be performed in the future years depending on the maturity of the University risk management framework and the quality of the information in the University Risk Register. Manager, Internal Audit will work with the Chief of Staff to effect the improvements required.
Page 6 of 12
Table 1: Outcome of High Level Assurance Mapping
University Key Business Risk
Decline in student numbers (Domestic vs. International, coursework vs. research)
Ineffective oversight of the third party academic quality
Poor student experience & retention
Non-compliance with legislative and regulatory requirements
Non-compliance with contractual obligations
Uneconomic and noncomplying asset management
Ineffective project management
Ineffective information and security management
Ineffective risk management and business continuity management
10. Ineffective human resource management (appointment & performance management)
Source and Level of Assurance Provided Divisional Management Controls
Management Committee Monitoring
Internal Audit Activities
Overall assessment of level of assurance
Is level of assurance adequate? Yes/No
H. Principle of Coverage In developing this Strategic Plan, Internal Audit draws information from the following sources: University Enterprise Risk Registers; Input provided by the University Executive Group and the key internal assurance providers; Risks identified by Internal Audit; Significant audit findings made by Internal Audit and the External Auditor in the past; Request from the Audit Committee; Request from the Vice Chancellor;
Page 7 of 12
Request from the Queensland Audit Office; and Management assurance activities planned.
Identification and prioritisation of auditable areas is based on a combination of the following factors: Importance of the program or activity to the University’s objectives; Impact of the risks to the achievement of the University’s objectives; Impact of the risks to meeting legislative/regulatory compliance requirements; The potential or expected benefits of an audit; Auditability of the risks; The length of time since any previous internal or external audit; Vice Chancellor’s preference; and Audit Committee’s preference.
Internal Audit Focus Areas and Resourcing
In order to provide the University with the services expected of the Internal Audit, it is matter of principle that Manager, Internal Audit proposes all the activities that Internal Audit, the Audit Committee and other stakeholders consider should be included, before reflecting on the possible budget available. For this planning cycle, the following activity types are proposed. The level of effort planned to allocate to each category and the resourcing implications are tabulated below.
Table 2: Internal Audit Focus Areas and Resourcing Type of Activities
Power Up/ Sustain/ Power Down
Currently, there is not sufficient assurance in compliance with legislative and regulatory requirements (Risk 4)
A combination of in-house and outsourcing will be required; Assurance in areas which require specialist skills and subject knowledge will need to be provided by Management Assurance Providers such as the WHS office or outsourced should the management assurance activity fail.
To add more value in help preventing control weaknesses and breakdowns at the front end
Such tasks should not be undertaken at the expense of the assurance program and should be at the discretion of the Audit Committee.
Low risk audit such as Grant Audit will continue to be outsourced. Work conducted on behalf of QAO will be kept at a sustained level
New supplier for grant audit needs to be engaged from next year as the current service partner, Crowe Horwath, has been nominated for the next three years as the delegate of the Auditor General of the Queensland Audit Office, and shall conduct the external audit of JCU for the next three years. Depending on the outcome of the tender process, the cost of Grant Audit may increase. A co-sourcing model will continue with an aim to spread out the workload among service providers to obtain
Page 8 of 12
cost efficiency for grant audit while still providing timely services, if necessary. Work conducted on behalf of QAO will be kept at a sustained level, subject to consultation with the QAO contracted auditor.
Information Technology Governance
Internal Audit will continue to conduct audit over IT governance, general and application Control only.
Assurance in areas requires specialist skill such has security, and disaster recovery testing etc. is better sought from ICT management assurance activities, either in-house or by engaging external experts.
Audit Support Activities
Cost of implementing the strategies relating to the management of the internal audit activities will be sustained over the next few years It will take 2-3 years to completely implement and automate the process improvement activities within the TeamMate Audit Management System.
Most activities will need to be undertaken by Manager, Internal Audit which will need to be scheduled in such a manner so as to achieve a balance of audit and audit support activities.
This type of audit has been most valued by stakeholders. However, with the removal of the Director and Senior Internal Auditor position, Internal Audit no longer has the capacity to continue to conduct this type of audit in-house.
Routine outsourcing is also not the best option as performance improvement audit requires intimate corporate knowledge and in-depth process analysis which co-sourcing partners are less likely to be able to successfully provide, without consuming significant internal resources. Assurance can be sought from the Business Review and Improvement Team (BRIT) within the Directorate of Quality, Planning and Analytics. Independent operational reviews can be conducted from time to time and separately resourced as required.
Performance Improvement (Operational)
With advice of the Audit Committee, the Vice Chancellor determines the size of the investment that the University wishes to make in Internal Audit. The total value and mix of resources required will be influenced by a number of factors, especially the particular service delivery model chosen. From 2015, Internal Audit will continue to operate under a co-sourced service delivery model, with a greater proportion of services being sourced externally. Under the co-sourced model, Internal Audit activities are performed by a combination of in-house and contract resources. Manager, Internal Audit is responsible for managing relationship with co-sourcing partners and overseeing their performance, in particular, the quality assurance and improvement process. It is expected that the co-sourced serviced delivery model will help to address the difficulties that Internal Audit has been faced with to: attract and retain suitable staff, in particular at a senior level;
Page 9 of 12
further develop in-house staff with the full range of skills necessary to undertake a comprehensive Internal Audit plan; and respond quickly to new requests for audit without disrupting the planned program.
To mitigate the risk that the Internal Audit Plan will increasingly be determined by the skills of inhouse staff and contracted resources, rather than the assurance need of the University, the effectiveness of the co-sourced service delivery model will be monitored by Manager, Internal Audit and overseen by the Audit Committee. Any significant emerging issues will be brought to the Vice Chancellor’s attention. Once approved, this Internal Audit Strategic Plan will enable the Manager, Internal Audit to determine the skill mix that might usefully be maintained in-house by: creating a learning environment and maintaining a structured professional development program.
J. Internal Audit Strategies
Table 3: Revised Key Internal Audit Strategies for Approval by Audit Committee at Its Meeting 5-14 Key Internal Audit Strategies 1.
Enhance engagement with senior management and direct communication with key stakeholders
What will be achieved
Increase synergy and collaboration with other assurance providers
Increase advisory activities to add value in preventing control weaknesses and breakdowns
Reduce/automate administrative and reporting burden
Enhance efficiency of Internal Audit activities by investing in continuous process improvement, professional development, quality improvement and
Consultation with senior management and other assurance providers and key stakeholders such as the Chair of Audit Committee has been formalised in the current Internal Audit Charter. Formal consultation with senior management will be conducted in developing Internal Audit Strategic Plan and Annual Work Plan. Internal Audit website will be revamped to publish the information about the roles, services and process of the Internal Audit function. Dedicated resources will be allocated to increase the liaison and consultation with other assurance providers to avoid duplicated assurance effort during the Internal Audit annual and engagement planning processes. The approved Internal Audit Strategic Plan and Annual Work Plan will be shared with other assurance providers. Increase time budget allocation to formal consulting and ad-hoc advisory activities to add value in preventing control weaknesses and breakdowns. The proposed Internal Audit Protocol will have a dedicated section on advisory activities so that management can be better aware of the benefit and protocol to engage Internal Audit in project management and risk and control evaluation activities.
Review the Internal Audit planning framework to reduce the number of planning documents. Review the Internal Audit functional and administrative reporting mechanisms to focus on exception-based reporting and streamline the information collection for reporting purposes. A structured approach will be adopted to improve the efficiency of the audit process by developing an Internal Audit Protocol and an Internal Audit Manual; A structured professional development program with a three year outlook will be developed to support in-house staff performance management planning.
Page 10 of 12
K. Key Risks to the Internal Audit Strategy The major risks identified which may affect Internal Audit objectives and proposed mitigating strategies, are tabulated overleaf. The risks and mitigating strategies will be monitored by Manager, Internal Audit, and the outcome will be reported to the Vice Chancellor and the Audit Committee.
Table 4: Key Risks to the Internal Audit Strategy Risk Event
Description of Risk
Internal Audit’s Loss of status in fact or in appearance
This may lead to Internal Audit losing influence within the University community and weaken the governance and control effectiveness
Closely monitor the effectiveness of the Internal Audit function and provide timely advice to the Vice Chancellor regarding structure of the Internal Audit function and the funding level in light of the University’s assurance needs.
The position of Manager, Internal Audit being assessed at a lower remuneration level based on the scope of activities and responsibilities. (lower than other key internal assurance providers); and Reduction of number of inhouse auditor positions from three to two
Lack of sufficient supervision to the Internal Auditor position while Manager, Internal Audit is on leave
Lack of an Senior Internal Auditor position
This may lead to high stress level when supervisory support is not timely available, and potentially reduced quality of assurance provided.
Establish a panel of cosourcing service suppliers which can provide timely advice and supervisory review.
Manager, Internal Audit
Smaller Internal Audit unit
This may lead to loss of the highly desired expert software skill Audit Command Language (ACL) in which Internal Audit has invested in significantly.
Adjusting task allocation to the Internal Auditor and contract resources, to ensure that there is an opportunity for Internal Auditor to develop high level skills and future job re-evaluation
Manager, Internal Audit
Uncertainty regarding co-sourcing funding level
Lack of formalised long term budgeting model for the independent Internal
This may lead to ineffective strategic planning and staff development plan
Work with Chief of Staff and Division Finance team to establish a long term budgeting model for
Manager, Internal Audit
Page 11 of 12
Inability to achieve audit objective(s) for some engagements
and insufficient audit coverage
Poor performance of the contracted resources due to insufficient understanding of the University governances, risk and control frameworks and culture
This may lead to insufficient/incorrect assurance being provided to the Vice Chancellor and the Audit Committee
Establish clear selection criteria and deliverables in the request for quote and contract process; Active oversight of the contractor’s quality assurance and improvement measures.
Manager, Internal Audit
L. Performance Measure In keeping with the University planning and performance management framework, Internal Audit’s performance will be gauged by the following key performance indicators: 1. Percentage of completion of the programmed audits 2. Result of the University wide survey of the Internal Audit services 3. Feedback from the Vice Chancellor 4. Feedback from the Audit Committee 5. Feedback from Queensland Audit Office 6. Result of the external assessment
Version Prepared by: Consultation:
Date Preliminary Approval provided by the Vice Chancellor Date Formal Approval provided by the Audit Committee
2014-10-31 Draft for Approval by the Audit Committee Maria Mu, Manager, Internal Audit Prof. Sandra Harding, Vice Chancellor and President Mr Graham Kirkwood, Chair of Audit Committee Ms Tricia Brand, DVC, Services and Resources Prof. Ian Wronski AO, DVC, Tropical Health and Medicine Prof. Sally Kift, DVC, Academic Prof. Dale Anderson, DVC, JCUS Prof. Paul Gadek, Chair of Academic Board Ms. Vanessa Cannon, Chief of Staff Ms. Fiona Macdonald, University General Counsel and Head, Legal and Assurance Ms Vicki Hamilton, Director, Quality, Planning and Analytics Mr Blaise Allen, Associate Director, Workplace Health & Safety Queensland Audit Office 01/11/2014
Page 12 of 12