Managing Risks For Results – Internal Audit Perspective
Planning & Performance Exchange (PPX) Learning Event
November 3, 2009
Overview
§ Why Focus on Risk Management?
§ IA Risk Management Tools/Processes
§ Risk-based Audit Planning
§ Government-wide Audit Universe
§ What Have We Learned?
§ Key Strategies
Why Risk Management?
§ TB Oversight support - OCG Mandate
§ CG Annual Report on State of GoC Governance, Risk, & Controls/TB IA Policy
§ Audit Intelligence gathering/decision-making support
§ Early Warning - Control Risks/Failures
§ Enhance Departmental Risk Management & Mitigation
§ DH Accountability Officer Role
§ Demonstrate effectiveness of Department’s controls
IA Risk Management Tools/Processes
§ Risk-Based Audit Plans & Guidelines
§ OCG Horizontal Internal Audit Plan/Risk Assessment
§ Departmental Internal Audit Liaison Activities (CAEs, DAACs)
§ Audit Intelligence (Trends, Gaps, Best Practices)
Internal Audit: Background
§ The Policy on Internal Audit establishes standards and requirements for internal audit functions, reinforcing Internal Audit across government and repositioning it in a key role supporting effective and credible governance.
§ The Policy requires the Comptroller General to report annually to the Treasury Board on:
  § Significant issues of risk, control and management arising from internal auditing across government; and
  § Horizontal auditing
§ Internal Audit requires value-added, robust audit methodologies that support a credible and holistic assessment of departmental controls. One of the key methodologies is risk-based internal audit planning.
The Assurance Cycle
[Figure: The Assurance Cycle. Diagram labels: Scanning*; Risk Perspective*; Planning; Selection of Assurance Products*; Assurance Engagements; Criteria Studies (Continuous Development); Recommendations; Monitoring; Continuous Auditing; Risk Studies]
Risk Based Audit Planning
§ A systematic process where auditable entities are identified, prioritized according to risk and scheduled for the conduct of internal audit activities.
§ Four step process:
  § Development of the Audit Universe
  § Preliminary Risk Prioritization of the Audit Universe
  § Final Prioritization of the Audit Universe
  § Audit Plan Completion
Development of PS Risk Landscape
§ Government Priorities (as expressed in the Speech from the Throne); Priorities of Clerk
§ MAF Assessments
§ Departmental Performance Reports
§ Auditor General Reports
§ Reports by other Agents of Parliament
§ PSC Reports
§ Other sources of risk information including US GAO High Risks, Corporate Executive Board, Audit Executive’s Roundtable…
§ Reports on Plans and Priorities
§ Corporate Risk Profiles
§ Audit Risk Analyses, Reports and Plans
§ Audit Monitoring & Follow-up
[Figure: the sources above feed a Risk Analysis that produces the Public Service Management Risk Landscape. Diagram labels: Top Down; Bottom Up; Consultative; Annual Review; Continuous]
Step 1: Development of the Audit Universe
§ Starting point for the organization’s audit planning process
§ Represents the potential range of all audit activities and is comprised of a number of auditable entities
§ Entities include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the department’s strategic objectives (also typically captured in Corporate Risk Profile)
§ Ranked relative to one another to derive Internal Audit priorities and plans (focus on areas of highest risk)
Public Service Management Risk Landscape: Situating the Audit Universe
[Figure: axes labelled Risk and Auditability; priority bands: Low, Moderate, High and Very High Audit Priority; elements shown: Stewardship, People, Risk Management]
Government-wide Audit Universe
| Audit Universe Element | Auditable Entity | Description | Topic | Objective |
|---|---|---|---|---|
| Stewardship | Financial Management and Controls | Financial systems and controls | Financial Administration Act (FAA) Compliance | Compliance with Sections 32/33/34 of the FAA |
| Accountability | Alignment of Accountability Instruments | Application of authority, responsibility and accountability | Third Party Accountability | Effectiveness of MOU and other accountability instruments for partners |
| Governance and Strategic Directions | Corporate Performance Framework | Suite of management processes and controls in place | Federal Accountability Act | Compliance with legislative provisions |
| Results and Performance | Program Evaluation Function | Independent assessment function of program or policy results | Evaluation Policy Compliance | Compliance with TBS Evaluation Policy and associated standards |
| Risk Management | Effectiveness of Corporate Risk Management | Management approach risks | Integrated Risk Management Framework | Adequacy and effectiveness of risk management regime |
| People | Workforce Management | All aspects of human resource management | HR planning | Adequacy and effectiveness of the controls for HR planning |
Government-wide Audit Universe
| Audit Universe Element | Auditable Entity | Description | Topic | Objective |
|---|---|---|---|---|
| Policy and Programs | Quality of Program and Policy Analysis | The processes for determining policy and program priorities | TB submission and Memoranda to Cabinet | Quality and consistency |
| Citizen-Focussed Services | Public communications and outreach | The process by which citizen/client needs and expectations are determined | Public Opinion Surveys | Management of surveys |
| Public Service Values | Organization’s values and ethics framework | The means of senior management establishment within organization | Values and Ethics Framework | Adequacy and effectiveness of organization’s documented corporate values and ethics |
| Learning, Innovation and Change Management | Managing Organizational Change | The organization’s change management processes and controls | Learning and Development | Adequacy and effectiveness of human resource learning and development approach |
Step 2: Risk Prioritization of the Audit Universe
§ Involves risk ranking of auditable entities based on a series of prioritization criteria:
  § Assessing risk exposure
  § Assessing risk significance
  § Determining the preliminary audit priority(ies)
§ Criteria are applied to each auditable entity based on information gathered through documentation review, consideration of past audit results, and consultation with senior management.
Chief Audit Executive Inputs
[Figure: bar chart, "Average Risk & Auditability of MAF Elements". Vertical axis: Average Rating, scale 0 to 5. Categories, in the order extracted: People; Stewardship; Risk Management; Public Service Values; Governance and Strategic Objectives; Learning, Innovation and Change; Citizen focused Services. Bar values, in the order extracted: 3.7, 3.5, 3.4, 3.2, 3.1, 2.8, 2.5]
Step 3: Final Prioritization of the Audit Universe
§ Considerations for final audit priorities and audit projects:
  § Auditability
  § Priorities of management and audit committee
  § Priorities of OCG and TBS
  § Priorities and plans of other assurance providers
  § Time since last audit
Step 4: Audit Plan Completion
§ Key elements:
  § Scoping and selection of audit type
  § Coverage of risk management, controls and governance in support of annual overall opinion
  § Required resources/gaps assessment
  § Planning for other activities
  § Drafting the plan
  § Approving the plan (DAAC & DH)
  § Follow-up activities
What Have We Learned?
§ Real Risk Management challenges/success opportunities exist – e.g. Economic Action Plan - Significant Gaps between emerging Threat/Risk areas & level of Management Focus (Governance, V&E)
§ Risk Management Knowledge/Capacity is improving but Processes still tend to heavily rely on:
  § Today’s Policy/Program assumptions
  § “Self-assessment” of Risk Mitigations
§ Involvement of Decision-makers is key
Key Strategies
§ Challenge Conventional Wisdom & Assumptions
§ Position/integrate the Risk Management Function as enabler of successful Corporate Strategy – the expected results
§ Integrate Judgement with Process and Data