
GUIDANCE PAPER ON REQUIREMENTS FOR INTERNAL AND EXTERNAL AUDIT AND REVIEW OF SECURITY PLANS

Purpose
The purpose of this guidance paper is to assist Maritime Industry Participants (MIPs) in
development of maritime security plans, ship security plans and offshore security plans, by
providing more detail on the measures and procedures that the Office of Transport Security
(OTS) considers best practice in meeting the regulatory requirements for audits and reviews.
The regulatory requirements are detailed below. The measures detailed in this guidance
paper are not mandatory and can be adjusted to meet local requirements.

Background
Regional Offices of OTS have identified the failure to undertake reviews and audits of
security plans by internal and external auditors as a recurring non-compliance by some
MIPs. Examination of existing security plans has revealed a widespread lack of
understanding of the differences between internal audit, external audit, and review.

Regulatory Requirements
The Maritime Transport and Offshore Facilities Security Regulations (2003) (MTOFSR) define
a security plan audit as:
An examination of security measures or procedures to determine if a maritime security plan
or ship security plan has been implemented correctly (Regulation 1.03).
MTOFSR defines a security plan review as:
An evaluation of security measures or procedures to determine if a maritime security plan
or ship security plan is effective and adequate (Regulation 1.03).
An audit, therefore, provides an understanding of whether a security plan in its current form
is being implemented. A review, on the other hand, is required to identify whether the
security measures outlined in the security plan are adequate. It is through the combination
of the two that quality of security plans is assured.

20 December 2010

1
UNCLASSIFIED

Under MTOFSR, all MIPs are required to include in their security plans a schedule of internal
and external audits, as well as a list of what would trigger a review of their security plans.
An internal audit is undertaken by someone within the organisation being audited. An
external audit is undertaken by someone outside of the organisation being audited.

Proposed Policy
The proposed policy for internal and external audits and reviews is set out below. It is
intended to be applicable to all security plan holders in the maritime environment, whether
they hold maritime security plans, ship security plans or offshore security plans.
Reviews
Security plans are to be reviewed annually to ensure continual improvement, following a
security incident (as required under MTOFSR), and as soon as practicable after a change in
Maritime Security Level. A security plan review may be carried out by those who developed
the security plan or by someone who was not involved in that process. A review conducted
as the result of a security incident or a change in Maritime Security Level replaces the
regular review scheduled for that twelve month period.
Mandating an annual review is consistent with other regulatory regimes, such as the
maritime safety regime, and is also consistent with guidance from the International
Maritime Organisation. This would also provide synchronisation with the budget process
facilitating funding of any plan changes flowing from such a review. Analysis of current
security plans indicates that the majority of MIPs already undertake reviews at least once a
year.
Audits
Security plans are to be audited annually, alternating between internal and external audits
and commencing the cycle with an internal audit. Security plans should also be audited
internally as soon as practicable after a change in Maritime Security Level. An audit
conducted as the result of a change in Maritime Security Level replaces the regular audit
scheduled for that twelve month period.
An internal audit is undertaken by someone within the organisation who is not responsible
for the implementation of measures contained in the security plan.
An external audit must be undertaken by someone outside the organisation who is also
independent of those responsible for implementing security measures. The audit may be
conducted by an external consultant who developed the security plan, as long as they are
not also responsible for the plan's implementation. The requirement for external audits
may be dropped for simple low risk operations or for operations in remote locations where
suitable external auditors are not available. This will be determined at the discretion of the
assessing Maritime Security Inspector.
An audit which is undertaken by OTS does not constitute an external audit. Industry could
not rely on OTS to conduct audits, as OTS compliance resources are redeployed to meet
changing vulnerabilities. This guidance reinforces the role of the MIP in maintaining quality
assurance of their security plan and of the security outcomes for which they are responsible.
Mandating an annual audit is consistent with other regulatory regimes such as financial
services. Analysis of current security plans indicates that the majority of MIPs already
undertake audits at least once a year and external audits at least once every two years.

Compliance
When assessing a MIP's compliance with this proposed policy, OTS will consider the
following factors:
1) The management systems that are in place to provide assurance that audits and
reviews have been conducted in accordance with the agreed schedules.
2) Objective quality evidence supporting the management systems identified at (1)
above that demonstrate the completion of audits and reviews, including
documentation such as audit plans, audit reports, meeting minutes and records of
follow up or remedial actions.
3) Reviews of security plans are expected to include a review of the supporting Security
Risk Assessment that takes into account the information contained in the most
recent Maritime Security Risk Context Statement and where relevant the Offshore
Oil and Gas Security Risk Context Statement.
4) For some operations where it is more practicable to audit or review the business by
segments, all segments of the business should be reviewed or audited within a
twelve month period.
5) In considering the suitability of persons to conduct audits and reviews, OTS will draw
on the guidance provided earlier in this paper and consider the following factors:
a. Any formal qualifications;
b. Relevant past work undertaken; and
c. Examples of previous audit reports provided by the nominated auditor.
6) Use of an internal auditor may be accepted for remote locations where suitable
external auditors are not available. MIPs will need to demonstrate the unavailability
of external auditors before this substitution will be accepted.
7) Use of an internal auditor may be accepted for simple low risk operations where the
cost of suitable external auditors cannot be justified. The arrangements will need to
be agreed in consultation with OTS.
8) The annual cycle commences with the approval of the security plan. That is, the first
audit and review should take place within the twelve month period immediately
following the approval. A review or audit conducted as the result of a security
incident or change in Maritime Security Level replaces the regular audit or review
scheduled for that twelve month period.
Implementation
The recommended audit and review schedules will need to be implemented gradually over
time when current security plans expire, as security plans have already been approved with
various schedules and it would be problematic to require all MIPs to submit revisions
immediately. Security plans will also need to be varied to include revised procedures for
conducting audits and revised processes for selecting independent auditors.

Feedback Form
The Maritime, Identity and Surface Security (MISS) Branch welcomes comments from
industry participants to help strengthen its resources and the guidance provided to industry.
By completing and returning this feedback form you can assist the MISS Branch to achieve
this objective.
Question 1 How relevant is this guidance paper for you? (Tick one)
Not At All Relevant
Not Very Relevant
Somewhat Relevant
Relevant
Very Relevant
Question 2 How useful was the content of this publication for you? (Tick one)
Not At All Useful
Not Very Useful
Somewhat Useful
Useful
Very Useful
Question 3 Do you think that this guidance paper could be improved? (Tick one)
Yes
No
If yes, please indicate here how this guidance paper might be improved:

Question 4 Are there any other subject areas where you would find additional
guidance of use?
Yes
No
If yes, please indicate the subject for which you require additional guidance.

Question 5 What is your role within your organisation?

When completed, please return this form by:
Email: maritime.security@infrastructure.gov.au; or
Fax: 02 6274 7994; or
Mail:
Adrian Kohlhagen
Office of Transport Security
GPO Box 594
Canberra 2601
