Applying a risk model in state internal and external audits


Audit and Risk

Haven’t we, as auditors, always considered risk within our audit plans?

Roles and Responsibilities

Governing Body

Audit/Risk Committee

Risk Workshops

Internal Audit

• Incorporating risk into the planning process for overall coverage.
• Considered opinions on specific elements of the organisation.
• Overall opinion of control environment.
• Assessment of completeness and effectiveness of the risk management process.
• Assessment of the effectiveness of specific elements of the control environment.

Risk Professional

• Promotes good practice
• Drives and monitors risk framework and action plans
• Maintains risk map and risk profile
• Reviews risk profile.
• Analyses emerging risks.
• Tracks existing risks.
• Co-ordinates RMSA
• Co-ordinates risk reporting

Business/Risk owners

• Managing specific risks
• Apply risk management cycle
• Implement action plans
• Develop capabilities, processes, controls
• Monitor performance
• Manage issues/breaches

Organisational Improvement

• Efficiency reviews
• Improvement programmes
• Process optimisation
• Cost reduction

Outputs

• Socialising risk
• Identification of key risks
• Decide on how to manage risk
• Measuring residual risk
• Data for risk reporting

Outputs

Reviews of:

• Risk management methodology
• Corporate Governance statements
• Statements on internal controls
• Management responses to key risks

Roles and Responsibilities

The Risk Professional

• Promotes good practice
• Drives and monitors risk framework and action plans
• Maintains risk register
• Analyses emerging risks.
• Supports risk owners.
• Co-ordinates risk reporting.

Roles and Responsibilities

Business risk owners

• Managing specific risks
• Apply risk management cycle
• Implement action plans
• Develop capabilities, processes, controls
• Monitor performance
• Manage issues/breaches
• Tracks existing risks.

Roles and Responsibilities

Organisational Improvement

• Efficiency reviews
• Improvements programmes
• Process optimisation
• Cost reduction

Roles and Responsibilities

Internal Audit

• Incorporating risk into the planning process for overall audit coverage.
• Considered opinions on specific elements of the business.
• Overall opinion of control environment.
• Assessment of completeness and effectiveness of the risk management process.
• Assessment of the effectiveness of specific elements of the control environment.

Risk Management Reporting

[Diagram of reporting lines. Labels: Governing Body; Scrutiny/Audit Cttee; Risk Register; Self Certification; Audit Opinions; Organisation; Chief Executive; Directors; Managers; Functions & Operations; Chief Internal Auditor; Individual Audits; Audit Opinions]

The Risk Management Process

Risk Management Is Therefore More Than Just a Cyclical Audit or Insurance Review and Report.

Roles and Responsibilities

• Risk management cannot be introduced in isolation.

• It has to be in partnership with all those other interested parties.

The Contribution of Internal Audit

• Role is changing

• Challenges of good Governance

• FD/CEO Expectations changing

• The need to evidence measurable added value

• IIA re-defining the role

IIA Definition

Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the organisation.

It assists an organisation in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organisation’s risk management, control, and governance processes.

Definition of Audit

Auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts

Risk Matrix

Action zones (in the order they appear on the slide):

• Important risks - might potentially affect provision of key services or duties
• Key risk - may potentially affect provision of key services or duties
• Immediate action needed - serious threat to provision and/or achievement of key services or duties
• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
• Key risks - may potentially affect provision of key services or duties
• No action necessary
• Monitor as necessary - ensure being properly managed
• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties

Impact scale (highest to lowest):

• Over £5 million OR questions raised in Parliament
• £2 million - £5 million OR reported in National Press
• £500,000 - £2 million OR reported in Local Paper
• £100,000 - £500,000 OR unacceptable levels of complaints
• Under £100,000 OR some complaints from individuals

Likelihood scale (lowest to highest):

• Rare - once in 20 years
• Unlikely - once in 10-20 years
• Possible - once in 10 years
• Likely - once in 3 years
• Certain - once a year

Translating Key Risks Into the Assurance Programme

• Key risks as identified in the matrix should be the basis of the Audit programme

• Should form 60% approx of full programme

• Some risks not easily auditable

• Consider specialists, CSA etc

What Should The Audit Role Be In Establishing a Risk Management Process?

Audit Participation in Risk Programmes

OPTIONS

• Manage the whole programme
• Facilitate the workshops
• Jointly facilitate the workshops
• Coordinate responses etc
• Attend the workshops as a participant
• Monitor and report on the action plans
• Review perceived versus actual controls

Audit Reporting

• Linking to key risks gives visibility
• Perceived versus actual controls
• Monitoring of action plans
• Board, Audit Cttee, Risk Cttee, Snr mgt.
• Focus on achievements
– Monetary
– Risk reduction (matrix movements)
– IT security, fraud, reduction in surprises

Audit Reporting

• Refer to organisational objectives

• Specify the risk to their achievement

• Explain findings specifically related to those risks

• Specify actions to address the exposures or opportunities (and what they will achieve)

Effectiveness of the Control Environment

Risk minus the cost of (Transfer + Control + Recover) equals Exposure

Cascading the Techniques Into Project and Change Management.

Projects & Improvement Programs

• Within the programs planned do you have objectives that you want to achieve?

• Amongst the action plans and recommendations that you have to introduce are there some that could stop or delay the overall program?

• Can the likelihood and impact of failing to achieve these recommendations and action plans be assessed?

Projects & Improvement Programs

• A program/project is therefore ideal for using risk management techniques to prioritise where you need to focus.

• You know your objectives.

• You have already identified the issues (risks) that you have to manage to successfully achieve:
– Action Plans
– Recommendations.

Projects & Improvement Programs

• If we assess the likelihood of not successfully implementing each of the action plans and recommendations

and

• If we assess the impact to the overall program of not successfully implementing them.

Projects & Improvement Programs

This gives us a simple method of categorizing and prioritising the steps that have to be taken.

Projects & Improvement Programs

EXAMPLE

Projects & Improvement Programs

Objective.

To improve the procurement systems of State Government.

Projects & Improvement Programs

Issue:

Make the External Auditors Office responsible for carrying out ex-post control of procurement, with the appropriate means to hire experts for independent audits.

Risk Matrix

Impact of Risk (HIGH at top, LOW at bottom) against Likelihood of Occurrence (Unlikely at left, Likely at right):

HIGH | 6 | 8 | 9
     | 3 | 5 | 7
LOW  | 1 | 2 | 4

Risk Matrix

[Figure: risk matrix, Impact of Risk (HIGH to LOW) against Likelihood of Occurrence (Unlikely to Likely)]

Projects & Improvement Programs

Issue:

Enact new public procurement laws based on Model Law being prepared used elsewhere

Risk Matrix

[Figure: risk matrix, Impact of Risk (HIGH to LOW) against Likelihood of Occurrence (Unlikely to Likely)]

Projects & Improvement Programs

Issue:

Issue Circular to improve procurement process with mandatory requirements for:

• advertisement of all bidding opportunities in the Gazettes, local dailies and notice boards of procuring entities;
• public bid opening;
• publication of contract awards above a certain threshold.

Risk Matrix

[Figure: risk matrix, Impact of Risk (HIGH to LOW) against Likelihood of Occurrence (Unlikely to Likely)]

Risk Management

Risk management is a journey. You can expend great effort and travel miles.

If, however, you haven’t plotted your course in line with the organisation’s strategy you will do nothing but waste valuable time and resources.