Integrating Risks in Audit Work Programs
2015 RIAS Manila, 10 – 11 September 2015
Contents
• Relevant Facts & Figures
• IAEA Approach
• FAO Approach
• Similarities and Differences
• Survey Results (2011 vs. 2015)
• Q & A
RIAS 2015 - Risk Assessment for Work Plan Preparation
Relevant Facts & Figures
• IAEA
  • Established in 1957 – Independent Org. (Statute)
  • Promotes peaceful use of nuclear energy
  • 2 300 Staff Members
  • Centralised Management of Activities
  • 2015: RB - MEUR 344; EB - MEUR 157
• OIOS
  • Audit, Advisory, Investigation and Evaluation
  • 17 Staff Members (5 Auditors)
  • 20 IA projects p.a.
  • Reports directly to the DG
  • Annual report on activities to MS
• FAO
  • Established in 1945 – Specialized Agency of the United Nations
  • Eradication of hunger
  • 3 450 Staff Members
  • HQ in Rome and presence in +130 countries
  • 2014-15: assessed contributions MUSD 2 400; voluntary contributions MUSD 1 400
• OIG
  • Audit, Advisory and Investigation
  • 25 Staff (13 Auditors)
  • 30 IA projects p.a.
  • Reports to the DG
  • Public annual report
IAEA Approach
• Annual Risk Assessment based on four inputs:
  • Interactions with (Senior) Management
  • Corporate Risk Register
  • Independent Risk Assessment of Audit Universe
  • Auditors’ judgement and proposals
• Required Level of Assurance
  • High-risk areas must be covered every 5 years
Interactions with Management
• Informal discussions with management (DDsG and Directors)
• Formal request of depart. / divisional exposures; areas of concern; significant changes; specific project proposals
Risk Assessment of Audit Universe (Heat Maps)
• Audit Entities: Business Processes; Organizational Chart (DDSU); Agency’s Programmes; Chart of Accounts; ‘One-off’ Projects; IT; Country Portfolio
• Rating (impact & likelihood) based on Risk Factors: Fin. Magnitude; Level of Change and Complexity; Reputation Loss; WB Gov. Index (Inherent Risk) / State of IC & results of previous OIOS or Ext. Auditor’s work (Residual Risk)
Auditors’ Judgement
• Based on the auditors’ expertise; previously completed projects; knowledge of the organization
Corporate Risk Register
• Corp. Risk Mgmt. Policy issued in 2009 (Rev. 2012)
• Owned by Senior Strategy Officer in DGOC
• Risk Register: 440 risks (H/M/L)
• ‘WIP’: duplications; inconsistent ratings; unfiltered (strategic / tactical / operational – corporate / project); ‘non-auditable’; integration with RBM & ICF
FINAL PROJECT SELECTION
• 12 Proposals from Clients
• 31 Risks
• 27 Entities / Areas
• 22 Proposals from Audit
14 IA Projects & 3 Country Level Assessments (combined IA / Evaluation) included in the 2015 Plan
Final Project Selection:
• Consolidation and filtering of 92 inputs;
• Final assessment and rating;
• Consideration of other factors: carry-forwards; internal meetings; discussion with External Auditors; coordination with other OIOS functions; available resources
FAO Approach
• Rolling audit plan updated provisionally on an annual basis and more fully each biennium; inputs:
  • Interaction with Management and Audit Committee
  • OIG risk register (corporate ERM under development)
  • OIG assessment of Audit Universe
  • Auditors’ judgement
  • …..
• Required Level of Assurance
  • Coverage of corporate high risks over three biennia
Interaction with Management and Audit Committee
• Discussion and pro-active requests
• Audit work plan includes provision for additional work outside the risk-based priorities, i.a. to conduct inspections of specific issues at management request
Audit Universe
• Audit Entities: by function, process or location, e.g. Governance; Financial Management; Decentralized Offices Management; Field Programme Cycle
• Scoring and Prioritizing risks:
  1. Risk assessment – five dimensions: Achievement of objectives, Financial, Reputation, Personnel, Operations
  2. Impact (5 criteria), Likelihood (judgement)
Auditors’ Judgement
• Based on the auditors’ expertise; previously completed projects; knowledge of the organization
OIG Risk Register
• Owned by OIG
• Originally developed in 2009 in partnership with Deloitte; regularly updated to reflect emerging risks and changing risk priorities
• 265 risks (H/M/L)
• Corporate ERM is currently under development in cooperation with Office of Strategy, Planning and Resource Management
FINAL PROJECT SELECTION
• 6 Inspections/Audit Memoranda
• 70 High Risks
• 59 Processes/Functions
29 IA Projects – 9 core processes and 20 decentralized activities audits included in the 2015 Plan
Final Project Selection:
• Final assessment and ranking
• Rolling plan, audit history
• Coverage of multiple risks through individual assignments
• Available resources versus estimated resource requirements
• 50-60% of resources to review decentralized operations
Similarities and Differences
• Very similar inputs used for the identification of priorities
• Similar required level of assurance (5 to 6 years)
• Frequency (yearly assessment vs. biennial with yearly update)
• Use of inputs for risk assessment driven by level of maturity of the organization’s governance (i.e. existence of audit committee; stage of development of corporate risk management tools)
• Differences in focus on Decentralized Offices Network
Survey Results (2011 vs. 2015)
Use of ERM & Corporate Risk Registers
Has your organization implemented ERM or any other risk management tool?

| | 2011 | 2015 |
|---|---|---|
| Responses to survey | 20 | 27 |
| Org. with implemented ERM system (abs.) | 5 | 22 |
| Org. with implemented ERM system (%) | 25% | 81% |

[Chart: Use of corporate risk management tools when preparing the annual audit work plan; Yes / No responses, 2011 vs. 2015; data labels as extracted: 9, 2, 11, 20]
[Chart: Use of corporate risk management tools when developing audit programs; Yes / No responses, 2011 vs. 2015; data labels as extracted: 14, 66, 16]
Q & A