Auditing & Risk Management: A Happy Couple or a Shotgun Marriage?
Presented by Bruce Turner CGAP, FIIA (Aust), CISA, CFE, FFin, FPNA, MAICD, AFAIM
Chief Internal Auditor
Australian Taxation Office
15 October 2010
Auditing & Risk Management www.ato.gov.au
Overview
We’ll explore the pre-nuptials … how strong is the connection between internal audit and risk management … does it provide the foundation for a happy couple?
Overview
Internal Audit
Governance Roles
Integrating Internal Audit with Enterprise Risk Management
Internal audit: Fundamentals of professional auditing practices
Definition
Key elements
Professional standards
Definition of internal auditing
“Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
Key elements
Governance
Risk management
Control
Auditing standards
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance of Risks
Auditing standards – planning (2010)
“The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.”
Auditing standards – risk management (2120)
“The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”
“Risk management remains at the heart of internal audit. It defines the focus as well as the effort of the internal audit staff. Getting it right through a comprehensive risk assessment will drive better results, achieve greater efficiencies, and cover the important things that either add or preserve value in an organisation.”
* Financial Executive, November 2008 – Better Internal Audit Leads to Better Controls – by Robert B Hirth Jr; from Protiviti NewsAlert, January 2009
Risk elements in audit process
Planning
– Forward work program
– Each audit engagement
Fieldwork
– Scope and work program
Reporting
– Each audit reported
– Basis of prioritising recommendations
– Consolidated high-level reporting
Follow-up of recommendations
Example – audit planning development process
Consultation
– Plenary Governance Forum (including Commissioner)
– Sub-plan Executives (including Second Commissioners, Chief Financial Officer, other Members of ATO Executive, and NPMs)
– Audit Committee (at ‘In Camera’ session February 2009; one-on-one meetings with Chair and some other Members; sub-committee meeting April 2009)
– Audit Liaison Officers (both SES and business support levels)
– Scrutineers (ANAO)
– Other Governance Specialists (Chief Knowledge Officer; Governance & Government Relations Executive including Assistant Commissioner Integrity Assurance)
– Internal Audit Directors and Staff (at Internal Audit Conference November 2008 and subsequently)
Priority ‘A’ Audits
Analysis
– ATO Strategic Risk Register and Corporate Priorities
– Fraud Control Planning
– Audits Carried Forward from Prior Program/s
– Audit Completion Summaries (ideas for future audits generated after each completed internal audit)
– Cyclical Schedule of Information Technology Audits
– Review of Prior Internal Audit Executive Summaries and Reports (for any commitments)
– Systemic Issues Reporting (including Complaints analysis)
– Follow-up Audits for External Scrutineers (including ANAO, Inspector General of Taxation, Ombudsman)
Priority ‘B’ Audits
Research
– Audit Director Roundtable ‘Global Hotspots 2009’
– Institute of Internal Auditors (changes to Professional Practices Framework and auditing standards)
– Scrutineer Forward Work Programs (including Inspector General of Taxation and ANAO)
– Emerging Issues from Chief Audit Executive Network (including counterparts in Major Agencies)
– Other Areas (e.g. JCPAA briefings; Privacy Commissioner)
Schedule of Audit Themes, Potential Audit Topics, and Scoping
Audit Themes: Core Tax Administration; Change Program; Security & Privacy; Contracts Management; Overheads Management; Fraud Control; Financial Stewardship; Strategic Reviews; Management Information; Assurance Activities
Apply Risk Factors – Risk Priority Process
– Tax Administration: Complexity; Importance; Tone at the Top; Legal / Regulatory
– Stakeholder Engagement: Reputational Impact; Supplier Engagement; Client Engagement; Government Engagement
– Enabling Capabilities: Importance of Technology; Staffing; Financial Management; Volume of Transactions
– External Threats: Economic Climate; Security Breaches; Business Continuity
– Other Factors: Time Since Last Audit; Extent of Change
Priority ‘C’ Audits
Forward Work Program plans
– Eighteen-month: from mid-2009 through 2010
– Three-year: through 2011 to mid-2012
Example – ATO audit themes
Core tax administrative activities
Change Program
Financial stewardship
Strategic reviews
Assurance activities
Example – ATO audit themes cont’d
Managing contracts
Managing overheads
Fraud control
Non-financial management information
Security and privacy
Looks like a marriage …
Governance: The inter-relationships between the risk management players
Management
Risk management advisor
Auditors
The effect of changing risk profiles
Anatomy of a Risk
– Risk Drivers (Causes)
– Risk Events (Manifestation)
– Risk Consequences (Outcomes)
– Risk Controls: Preventative Controls; Recovery Measures
– Control Environment; No Controls
Internal auditors
- Use risk based planning
- Evaluate controls
Risk management advisor
- Develops the framework
- Produces risk reporting
Management
- Owns the risks
- Manages the risks
Business Objectives
Governance
Risk Management
Internal Controls
Charts and oversees the business
Heightens likelihood of achieving objectives
The changing risk profile
Change is inevitable
Risk management activity must be dynamic
Vital to embed risk management in organisational processes
– Both risk management framework and processes
The organisation and its environment will change
Auditors to be agile and flexible to accommodate changes
Thinking about risks
Yesterday → Tomorrow
Managing known risks → Exploring emerging risks
Avoiding unknown risks → Capitalising on emerging opportunities
Register of known risks → Radar of emerging risks
Established risk tools → Optimised approaches to risk
Individual risk responses → Collaborative risk mitigation
* Based on thought leadership in a PwC publication – Extending Enterprise Risk Management to address emerging risks (2009)
Examples - emerging risk areas
Increased competitive pressures
Continued recessionary pressures
Cost reduction pressures
Talent risks
Commodity prices
Examples - emerging risk areas (cont’d)
Strategic change management
Third party solvency
Political trends
Compliance
Lack of investment in product innovation
* Sourced from Audit Director Roundtable publication – Top Ten Emerging Risks – Likelihood, Impact and Velocity (October 2009)
Examples - local government risk areas
Developer contributions
Water supply
Culture centre development
Asset maintenance
Integrated planning
Climate change
Attract / retain staff
Long-term finances
Information management
Fraud and corruption
Examples - state government risk areas
Shared services provision
Information technology
Security
State plan delivery
Specific reforms
Attract / retain staff
OH&S
Major projects
Reactive work
Fiduciary controls
Examples - enterprise risk categories
Major Tax Integrity Threats
Category groups: Tax Administration; Stakeholder Engagement; Enabling Capabilities; External Threats/Opportunities
Categories: Law Interpretation; Policy Advice & Design; Tax Product Compliance; Tax Revenue; Transfers Compliance; Product & Payment Processing; Marketing & Communications; Government Engagement; International Engagement; Supplier Engagement; Reputation Management; Client Engagement; Client Experience; Business Continuity; Facilities; Legal Support; Regulatory Compliance; Finance; Knowledge; Innovation & Change; Technology; Security & Privacy; Governance; People; External Environment
Internal auditing policy agenda
Internal audit is fundamental to good governance
Public entities need strong effective audit committees
Appropriate reporting lines for head of internal audit
Clear accountability for risk management and control
Internal audit operates at consistently high standard
Ticks along like a marriage …
Integrating internal audit and enterprise risk management: Optimising the benefits of the risk management investment
A long engagement
Audit themes
Case studies
A long engagement - case study - loan portfolio audit
Routine auditing
Broad coverage of personal loans
Average loan $30,000
Thorough audit completed
– Appropriate sampling techniques
– Well-constructed working papers
– Well-written report
Different loan product offering
Foreign exchange loans introduced that year
Average loan $750,000
Not part of ‘routine’ audit program
No audit coverage of new product lines
Adding value
Narrow focus on ‘routine’ loan portfolio
Changing risk profile not assessed
Audit value diminished
The audit and risk marriage is already over 25 years strong
Case study – on time running
Public information
Objectives of entity articulated
– Clean
– Safe
– Reliable
Key measure of reliability – on time running
KPI result updated daily on website
End-to-end controls
Well articulated policy and KPI commitment
Counting rules clear and transparent
High-level sign-offs for release to website and Minister
Assertions on the collation of data and calculation of results
Strong website security
Data origination
Grassroots collection of data
‘Near enough is good enough’ approach
Integrity of data severely tarnished
Reputational damage
Strong Auditor-General criticism
Case study – security risks
Emerging security risks (2008)
More electronic records breached than in the 4 prior years
Corporations fell victim to the largest cyber-crimes ever
Motivated hackers know where and what to target
90% of records breaches involved organised crime
Could avoid 9 out of 10 breaches with security basics
Mistakes and oversights hindered security efforts
* Australian Institute of Management, Management Today, July 2009, pp. 7-8, 37
“In recent times, a number of events have occurred overseas resulting in the loss or disclosure of sensitive information. One particularly high public profile incident resulted in the resignation of the Chief Executive of Her Majesty’s Revenue and Customs (HMRC) in the UK.”
* ATO, Information Security Practices Review, PricewaterhouseCoopers, April 2008, p. 2
Example – ATO reporting on audit themes
Consolidated high-level audit report on security
Logical access provisions
Managing client records
Site visits – remote locations (physical security)
Satellite audit – security classifications
Risk management elements
Sound governance structures
A clear corporate stance
Effective education and awareness programs
A well-defined security classification framework
Effective security monitoring and incident response mechanisms
Robust plans for IT incidents
* ATO, Information Security Practices Review, PricewaterhouseCoopers, April 2008, covering letter, p. 2
Influences service standards
Community perceptions strong – 80% think the ATO is doing a good job*
Business perceptions strong – 89% think the ATO is doing a good job*
Professional survey positive – 79% are ‘satisfied’ or ‘very satisfied’ with the professionalism of ATO employees*
Comes together like a marriage …
Conclusion
The pre-nuptials are sound: internal audit and risk management have a strong, inseparable connection
Risk management provides the foundation for effective auditing
In turn, internal audit:
– Supports the risk management process
– Validates the effectiveness of internal controls that mitigate the risks
My vote … a happy couple!
Questions?
© COMMONWEALTH OF AUSTRALIA 2010
This presentation was current in July 2010
About the ATO
Australian Government’s main revenue collection agency
Administers main aspects of Australia’s super system
Celebrates its centenary in 2010
Net revenue collection of 270.8 billion*
Operating budget of $3.1 billion**
Average staffing level 21,720**
75 locations across all states and territories**
25 business and service lines*
* end June 2008 ** end June 2009
Audit staff
Around 40 full-time equivalent staff
We employ specialist external staff for technical audits
Four teams across 3 sites in ACT, NSW and Victoria
Audit capability meets global benchmarks
– Qualifications, certifications, experience
Multi-disciplinary team
Completes 60 to 70 audits per year
Our commitment to you
We are committed to providing you with guidance you can rely on, so we make every effort to ensure that our presentations are correct.