Applying a risk model in state internal and external audits
Audit and Risk: Haven't we, as auditors, always considered risk within our audit plans?
Roles and Responsibilities (chart): Governing Body, Audit/Risk Committee, Internal Audit, Risk Professional, Risk Workshops, Business/Risk owners, Organisational Improvement

Risk Professional
• Promotes good practice
• Drives and monitors risk framework and action plans
• Maintains risk map and risk profile
• Reviews risk profile
• Analyses emerging risks
• Tracks existing risks
• Co-ordinates RMSA
• Co-ordinates risk reporting

Internal Audit
• Incorporating risk into the planning process for overall coverage
• Considered opinions on specific elements of the organisation
• Overall opinion of control environment
• Assessment of completeness and effectiveness of the risk management process
• Assessment of the effectiveness of specific elements of the control environment
• Outputs: reviews of risk management methodology, corporate governance statements, statements on internal controls, management responses to key risks

Business/Risk owners
• Managing specific risks
• Apply risk management cycle
• Implement action plans
• Develop capabilities, processes, controls
• Monitor performance
• Manage issues/breaches

Risk Workshops
• Outputs: socialising risk, identification of key risks, deciding how to manage risk, measuring residual risk, data for risk reporting

Organisational Improvement
• Efficiency reviews
• Improvement programmes
• Process optimisation
• Cost reduction
Roles and Responsibilities: The Risk Professional
• Promotes good practice
• Drives and monitors risk framework and action plans
• Maintains risk register
• Analyses emerging risks
• Supports risk owners
• Co-ordinates risk reporting
Roles and Responsibilities: Business risk owners
• Managing specific risks
• Apply risk management cycle
• Implement action plans
• Develop capabilities, processes, controls
• Monitor performance
• Manage issues/breaches
• Track existing risks
Roles and Responsibilities: Organisational Improvement
• Efficiency reviews
• Improvement programmes
• Process optimisation
• Cost reduction
Roles and Responsibilities: Internal Audit
• Incorporating risk into the planning process for overall audit coverage
• Considered opinions on specific elements of the business
• Overall opinion of control environment
• Assessment of completeness and effectiveness of the risk management process
• Assessment of the effectiveness of specific elements of the control environment
Risk Management Reporting (chart): Governing Body, receiving self-certification; Scrutiny/Audit Committee, receiving audit opinions; Chief Executive; Organisation; Chief Internal Auditor, giving audit opinions; Functions & Operations; Directors; Managers; Individual Audits; Risk Register
Risk Management: The risk management process is therefore more than just a cyclical audit or insurance review and report.
Roles and Responsibilities
• Risk management cannot be introduced in isolation.
• It has to be done in partnership with all the other interested parties.
The Contribution of Internal Audit
• Role is changing
• Challenges of good governance
• FD/CEO expectations changing
• The need to evidence measurable added value
• IIA re-defining the role
IIA Definition: Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the organisation. It assists an organisation in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organisation's risk management, control, and governance processes.
Definition of Audit: Auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts.
Risk Matrix
Impact (highest to lowest):
• Over £5 million OR questions raised in Parliament
• £2 million-£5 million OR reported in national press
• £500,000-£2 million OR reported in local paper
• £100,000-£500,000 OR unacceptable levels of complaints
• Under £100,000 OR some complaints from individuals
Likelihood (lowest to highest):
• Rare - once in 20 years
• Unlikely - once in 10-20 years
• Possible - once in 10 years
• Likely - once in 3 years
• Certain - once a year
Translating Key Risks Into the Assurance Programme
• Key risks as identified in the matrix should be the basis of the audit programme
• Should form approx. 60% of the full programme
• Some risks are not easily auditable
• Consider specialists, CSA, etc.
What Should The Audit Role Be In Establishing a Risk Management Process?
Audit Participation in Risk Programmes: OPTIONS
• Manage the whole programme
• Facilitate the workshops
• Jointly facilitate the workshops
• Co-ordinate responses, etc.
• Attend the workshops as a participant
• Monitor and report on the action plans
• Review perceived versus actual controls
Audit Reporting
• Linking to key risks gives visibility
• Perceived versus actual controls
• Monitoring of action plans
• Reporting to the Board, Audit Committee, Risk Committee and senior management
• Focus on achievements: monetary; risk reduction (matrix movements); IT security, fraud, reduction in surprises
Audit Reporting
• Refer to organisational objectives
• Specify the risk to their achievement
• Explain findings specifically related to those risks
• Specify actions to address the exposures or opportunities (and what they will achieve)
Effectiveness of the Control Environment: Risk, minus the cost of Transfer + Control + Recover, equals Exposure; that is, Exposure = Risk - (Transfer + Control + Recover).
Cascading the Techniques Into Project and Change Management.
Projects & Improvement Programs (decision flow; each question answered "Yes" leads to the next)
• Within the programs planned, do you have objectives that you want to achieve? Yes
• Amongst the action plans and recommendations that you have to introduce, are there some that could stop or delay the overall program? Yes
• Can the likelihood and impact of failing to achieve these recommendations and action plans be assessed? Yes
Projects & Improvement Programs
• A program/project is therefore ideal for using risk management techniques to prioritise where you need to focus.
• You know your objectives.
• You have already identified the issues (risks) that you have to manage to successfully achieve your action plans and recommendations.
Projects & Improvement Programs
• If we assess the likelihood of not successfully implementing each of the action plans and recommendations, and
• If we assess the impact on the overall program of not successfully implementing them,
Projects & Improvement Programs: this gives us a simple method of categorising and prioritising the steps that have to be taken.
Projects & Improvement Programs EXAMPLE
Projects & Improvement Programs. Objective: To improve the procurement systems of State Government.
Projects & Improvement Programs. Issue: Make the External Auditors Office responsible for carrying out ex-post control of procurement, with the appropriate means to hire experts for independent audits.
Risk Matrix (chart): Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)
Projects & Improvement Programs. Issue: Enact new public procurement laws based on the Model Law being prepared and used elsewhere.
Risk Matrix (chart): Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)
Projects & Improvement Programs. Issue: Issue a circular to improve the procurement process with mandatory requirements for:
• advertisement of all bidding opportunities in the Gazettes, local dailies and notice boards of procuring entities;
• public bid opening;
• publication of contract awards above a certain threshold.
Risk Matrix (chart): Impact of Risk (LOW to HIGH) against Likelihood of Occurrence (Unlikely to Likely)
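As an added illustration (not part of the original slides), the matrix scoring described above in Python: the five impact bands and five likelihood bands are the ones on the Risk Matrix slide, the three sample action plans are the procurement issues from the example with assumed loss and frequency figures, and the rating thresholds are assumptions.

```python
from dataclasses import dataclass
# Impact bands from the "Risk Matrix" slide, scored 1 (lowest) to 5 (highest):
# (upper bound in GBP, score); a loss falls in the first band it is below.
IMPACT_BANDS = [(100_000, 1), (500_000, 2), (2_000_000, 3),
                (5_000_000, 4), (float("inf"), 5)]

def impact_score(loss_gbp: float) -> int:
    """Map an estimated monetary impact onto the slide's 1-5 impact scale."""
    return next(s for upper, s in IMPACT_BANDS if loss_gbp < upper)

def likelihood_score(years_between: float) -> int:
    """Map 'once in N years' onto the slide's 1-5 likelihood scale. The slide's
    Unlikely and Possible bands overlap at 10 years; assumed here: Unlikely."""
    if years_between >= 20:
        return 1  # Rare - once in 20 years
    if years_between >= 10:
        return 2  # Unlikely - once in 10-20 years
    if years_between > 3:
        return 3  # Possible - once in 10 years
    if years_between > 1:
        return 4  # Likely - once in 3 years
    return 5      # Certain - once a year

@dataclass
class ActionPlan:
    name: str
    loss_gbp: float       # impact on the programme if this plan fails
    years_between: float  # expected frequency of that failure, "once in N years"

def score(plan: ActionPlan) -> int:
    """Matrix cell: impact x likelihood, from 1 (low) to 25 (high)."""
    return impact_score(plan.loss_gbp) * likelihood_score(plan.years_between)

def rating(cell: int) -> str:
    """Assumed thresholds (not from the deck) turning a cell into an action."""
    if cell >= 15:
        return "key risk - include in audit programme"
    return "monitor action plan" if cell >= 8 else "accept"

def prioritise(plans):
    """Return (name, score, rating) tuples, highest score first."""
    return [(p.name, score(p), rating(score(p)))
            for p in sorted(plans, key=score, reverse=True)]

# Constructed sample: the deck's three procurement issues with assumed figures.
SAMPLE_PLANS = [
    ActionPlan("Ex-post control by External Auditors Office", 3_000_000, 2),
    ActionPlan("New procurement laws based on the Model Law", 8_000_000, 5),
    ActionPlan("Circular: advertise bids, public opening, publish awards", 250_000, 1),
]
```

Running prioritise(SAMPLE_PLANS) ranks the ex-post control issue first (cell 16), the Model Law issue second (15) and the circular third (10), so the first two would go into the audit programme as key risks.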
Risk Management: Risk management is a journey. You can expend great effort and travel miles; if, however, you haven't plotted your course in line with the organisation's strategy, you will do nothing but waste valuable time and resources.