Applying a risk model in state internal and external audits
Audit and Risk
Haven’t we, as auditors, always considered risk within our audit plans?
Roles and Responsibilities
Governing Body
Audit/Risk Committee
Internal Audit
• Incorporating risk into the planning process for overall coverage.
• Considered opinions on specific elements of the organisation.
• Overall opinion of control environment.
• Assessment of completeness and effectiveness of the risk management process.
• Assessment of the effectiveness of specific elements of the control environment.
Risk Professional
• Promotes good practice
• Drives and monitors risk framework and action plans
• Maintains risk map and risk profile
• Reviews risk profile.
• Analyses emerging risks.
• Tracks existing risks.
• Co-ordinates RMSA
• Co-ordinates risk reporting
Business/Risk owners
• Managing specific risks
• Apply risk management cycle
• Implement action plans
• Develop capabilities, processes, controls
• Monitor performance
• Manage issues/breaches
Organisational Improvement
• Efficiency reviews
• Improvement programmes
• Process optimisation
• Cost reduction
Risk Workshops
Outputs
• Socialising risk
• Identification of key risks
• Decide on how to manage risk
• Measuring residual risk
• Data for risk reporting
Outputs
Reviews of:
• Risk management methodology
• Corporate Governance statements
• Statements on internal controls
• Management responses to key risks
Roles and Responsibilities
The Risk Professional
• Promotes good practice
• Drives and monitors risk framework and action plans
• Maintains risk register
• Analyses emerging risks.
• Supports risk owners.
• Co-ordinates Risk Reporting.
Roles and Responsibilities
Business risk owners
• Managing specific risks
• Apply risk management cycle
• Implement action plans
• Develop capabilities, processes, controls
• Monitor performance
• Manage issues/breaches
• Tracks existing risks.
Roles and Responsibilities
Organisational Improvement
• Efficiency reviews
• Improvement programmes
• Process optimisation
• Cost reduction
Roles and Responsibilities
Internal Audit
• Incorporating risk into the planning process for overall audit coverage.
• Considered opinions on specific elements of the business.
• Overall opinion of control environment.
• Assessment of completeness and effectiveness of the risk management process.
• Assessment of the effectiveness of specific elements of the control environment.
Risk Management Reporting
Governing Body
Risk Register
SELF CERTIFICATION
AUDIT OPINIONS
Scrutiny/Audit Cttee
CHIEF EXECUTIVE
DIRECTORS
MANAGERS
Organisation
Chief Internal Auditor
FUNCTIONS & OPERATIONS
INDIVIDUAL AUDITS
AUDIT OPINIONS
Risk Management
Is Therefore More Than Just a Cyclical Audit or Insurance Review and Report.
The Risk Management Process
Roles and Responsibilities
• Risk management cannot be introduced in isolation.
• It has to be in partnership with all those other interested parties.
The Contribution of Internal Audit
• Role is changing
• Challenges of good Governance
• FD/CEO Expectations changing
• The need to evidence measurable added value
• IIA re-defining the role
IIA Definition
Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the organisation.
It assists an organisation in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organisation's risk management, control, and governance processes.
Definition of Audit
Auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts.
Risk Matrix
• Important risks – might potentially affect provision of key services or duties
• Key risk - may potentially affect provision of key services or duties
• Immediate action needed - serious threat to provision and/or achievement of key services or duties
• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
• Key risks - may potentially affect provision of key services or duties
• No action necessary
• Monitor as necessary - ensure being properly managed
• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
Impact:
• Over £5 million OR Questions raised in Parliament
• £2 million - £5 million OR Reported in National Press
• £500,000 - £2 million OR Reported in Local Paper
• £100,000 - £500,000 OR Unacceptable levels of Complaints
• Under £100,000 OR Some complaints from individuals.
Likelihood:
• Rare - once in 20 years
• Unlikely - Once in 10-20 years
• Possible - Once in 10 years
• Likely - Once in 3 years
• Certain - Once a year
Translating Key Risks Into the Assurance Programme
• Key risks as identified in the matrix should be the basis of the Audit programme
• Should form 60% approx of full programme
• Some risks not easily auditable
• Consider specialists, CSA etc
What Should The Audit Role Be In Establishing a Risk Management Process?
Audit Participation in Risk Programmes
OPTIONS
• Manage the whole programme
• Facilitate the workshops
• Jointly facilitate the workshops
• Coordinate responses etc
• Attend the workshops as a participant
• Monitor and report on the action plans
• Review perceived versus actual controls
Audit Reporting
• Linking to key risks gives visibility
• Perceived versus actual controls
• Monitoring of action plans
• Board, Audit Cttee., Risk Cttee., Snr mgt.
• Focus on achievements
– Monetary
– Risk reduction (matrix movements)
– IT security, fraud, reduction in surprises
Audit Reporting
• Refer to organisational objectives
• Specify the risk to their achievement
• Explain findings specifically related to those risks
• Specify actions to address the exposures or opportunities (and what they will achieve)
Effectiveness of the Control Environment
Risk minus the cost of (Transfer + Control + Recover) equals Exposure
Cascading the Techniques Into Project and Change Management.
Projects & Improvement Programs
• Within the programs planned do you have objectives that you want to achieve?
• Amongst the action plans and recommendations that you have to introduce are there some that could stop or delay the overall program?
• Can the likelihood and impact of failing to achieve these recommendations and action plans be assessed?
Projects & Improvement Programs
• A program/project is therefore ideal for using risk management techniques to prioritise where you need to focus.
• You know your objectives.
• You have already identified the issues (risks) that you have to manage to successfully achieve:
– Action Plans
– Recommendations.
Projects & Improvement Programs
• If we assess the likelihood of not successfully implementing each of the action plans and recommendations
and
• If we assess the impact to the overall program of not successfully implementing them.
Projects & Improvement Programs
This gives us a simple method of categorizing and prioritising the steps that have to be taken.
Projects & Improvement Programs
EXAMPLE
Projects & Improvement Programs
Objective.
To improve the procurement systems of State Government.
Projects & Improvement Programs
Issue:
Make the External Auditors Office responsible for carrying out ex-post control of procurement, with the appropriate means to hire experts for independent audits.
Risk Matrix
Impact of Risk: HIGH (top row) to LOW (bottom row)
6 8 9
3 5 7
1 2 4
Likelihood of Occurrence: Unlikely (left) to Likely (right)
Risk Matrix (axes: Impact of Risk, LOW to HIGH; Likelihood of Occurrence, Unlikely to Likely)
Projects & Improvement Programs
Issue:
Enact a new public procurement law based on Model Law being prepared used elsewhere
Risk Matrix (axes: Impact of Risk, LOW to HIGH; Likelihood of Occurrence, Unlikely to Likely)
Projects & Improvement Programs
Issue:
Issue Circular to improve procurement process with mandatory requirements for advertisement of all bidding opportunities in the Gazettes, local dailies and notice boards of procuring entities; public bid opening; publication of contract awards above a certain threshold.
Risk Matrix (axes: Impact of Risk, LOW to HIGH; Likelihood of Occurrence, Unlikely to Likely)
Risk Management
Risk management is a journey. You can expend great effort and travel miles.
If, however, you haven’t plotted your course in line with the organisation’s strategy, you will do nothing but waste valuable time and resources.