RISK BASED AUDIT SERVICES
Outline
• Two Universities - Two Approaches
  – Linkages between Internal Audit & Enterprise-Wide Risk Management (ERM)
  – ERM's application in audit processes
• Participative – encourage everyone to share successful practices
The University of Alberta
In 2007:
– Over 36,500 students
– Over 8100 degrees granted
– Staff: 3493 Academic, 6233 Support (FTE)
– Over $420 million in annual research
– The current capital program is valued at more than $1 billion
New Internal Audit Strategy
• Conducted a Current State Analysis
• Supported by External Audit of Internal Audit (2005)
• Interviewed Senior Administration (34) & Audit Committee members (3 of 5)
  – "What would you like to see from internal audit?"
Board Audit Committee Responsibilities
Leading Practices for Post-Secondary Institutions¹
– Strategy
– Manage the Relationship with the External Auditor
– Ensure the Quality of Financial Reporting
– Oversee Regulatory Compliance
– Work with the Internal Audit Function
– Monitor Management's Handling of Internal Controls & Risk Management
– Monitor the Ethics Program / Whistleblowing
¹ The Changing Role of the Audit Committee – Leading Practices for Colleges, Universities and Other Not-for-Profit Education Institutions, PricewaterhouseCoopers, 2004
Strategic Business Plan
• Internal Auditing (Core Business)
• Examining Suspected Fraud and Irregularities (Secondary Business)
• Related Activities:
  – Liaison with External Auditors
  – Continuous Auditing
  – Risk Management
  – Institutional Compliance
Strategic Business Plan (cont.)
• The Strategic Plan outlines:
  – Strategic initiatives
  – Objectives
  – Specific IA strategies
  – Performance measures
• Clear linkage to the U of A's strategy documents Dare to Discover & Dare to Deliver
  – Report progress annually
Strategic Business Plan – Performance Measures
Stakeholder Satisfaction
• Committee & Senior Mgt
• Auditee Surveys
• # recommendations accepted/implemented
Internal Audit Processes
• Completed vs. planned audits
• Time analysis
• Audit Cycle Time
• Compliance with Standards
Innovation & Capability
• Training Hours
• Certified Staff
• Effective Use of Good Practices
Other:
• Budget and Benchmarks
• Reporting on IA strategic initiatives
History of ERM
• 2002/03 PWC hired to develop framework
• Accountability and Risk Management Steering Committee established (IA ex-officio)
• Risk Management Policy / Appetite statements
• ERM reviews in 2005 and 2007
• Adoption of COSO ERM Integrated Framework
• New Associate Vice-President (Risk Management) position created in Dec 2007
  • Risk Management, Budgets, Emergency Preparedness, Insurance, Environmental Health & Safety, and Compliance
ERM & Internal Audit
– The Institute of Internal Auditors, "The Role of Internal Auditing in Enterprise-wide Risk Management", September 29, 2004.
Challenges
– ERM is evolving
– Roles & responsibilities: where should we be on the continuum?
– Board of Governors oversight requirements
A Snapshot of Queen's
• 20,566 students
• 2,374 faculty; 2,472 staff
• Fiscal 2006-07 revenue of $733M
• Largest ever capital expansion program with debt requirements
• Fiscally conservative governance
Internal Audit
– Formerly Internal Audit, now Risk Management & Audit Services ("RMAS")
– First audit completed in 1991
– Averaged two to three staff members until reorganization to RMAS in 2004
– Presently three staff members and a student auditor
Internal Audit Strategy
– New VP from New Zealand with ERM experience
– Department name change to RMAS in 2004
– View to outsourcing internal audit function
– After first year of revised mandate, agreed on strategy to provide audit services in-house with co-sourcing where expertise required (i.e. IT)
Revised Mandates
– Audit Committee mandate revised May '05 with best practice responsibilities, including oversight of effectiveness of risk management
– RMAS Charter revised
– Staff complement of 3 achieved April '07
– No departmental strategic plan to date
ERM at Queen’s
– Deloitte engaged in 2005 to perform initial risk assessment and advise on framework
– RMAS leader of project with executive leadership support
– Initial report to the Audit Committee
– Further development of framework put on hold as University Strategic Plan developed
– Recent update of current strategies and action plans
ERM and Internal Audit
RMAS is the ERM "Champion"
Included in RMAS' Charter:
• Develop and maintain the ERM framework
• Coordinate and report on ERM activities
• Promote a strong risk management culture, monitor strategies and provide advice
• Develop the audit plan using risk-based methodology
Challenges
– ERM is still in relative infancy
– Difficult to champion a process while building a department and delivering on a risk based audit plan
– No internal risk management committee
– Audit Committee concern
Group Discussion
• What are the ERM linkages to Internal Audit in your institution?
• What are the challenges?
ERM Application in Internal Audit
– Audit Planning
  • Two year plan (updated no less frequently than annually)
  • Projects mapped to risks identified through ERM
  • Inherent risk assessment
  • Section of plan deals with items highlighted and not covered in plan
Internal Audit Planning process
Major IT Systems (plan template)

Projects  | Description         | Type               | Priority | Timing         | Level of Effort
Project 1 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours
Project 2 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours
Project 3 | Scope and Objective | Audit - Consulting |          | Quarter / Year | Hours
Project 4 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours
Risk-Based Internal Audit Plan
[Figure: Internal Audit Universe Risk Framework. Audit Universe items (numbered 1–9) are plotted by Inherent Risk Exposure (Impact vs. Probability, each rated H/M/L) into Acceptable, Caution and Unacceptable zones.]
Institutional Risks (as identified through ARMSC processes):
– Academic Faculty Renewal
– Academic Reputation
– Enrolment Growth and Complexity
– HR Processes
– IT Infrastructure
– Safety and Security
– Research Growth, Complexity and Stewardship
– Leadership & Admin Structure
– Relationship with Key Supporters
– Base Funding
Audit Universe:
– Academic & Administrative Units, Centres, Institutes
– Core Processes (e.g. Risk Management, Strategic Planning, Financial Reporting)
ERM Application in Internal Audit
– Audit Engagements – Planning
  • Strategic objectives – of U of A and area
  • Potential risks – use the U of A risk appetite statements in the area to guide audit focus
  • Areas noted as risks are documented in Project Terms of Reference
Narrow Example (Audit of Commercialization Governance)
Business Objective 18: Ensure proper oversight of related party transactions and conflict of interest situations.

Key Inherent Risks (Risks that could impact achievement of the business objective):
1. Conflict of interest issues may arise due to the activities of TEC Edmonton. Possible causes: the "conflict of interest" policy may not be followed or known.

Risk Ratings for Key Inherent Risks (I / L / E): H / M / MH

Auditability:
– Review how the University "Conflict of Interest" policy flows through to TEC Edmonton.
– Review how conflict of interest issues are monitored and reported.

Summary of Key Considerations From Preliminary Survey Work: The application of the policy is unclear; however, it is mentioned in both the joint venture agreement and the master secondment agreement.

Audit steps: F.4 and F.5
ERM Application in Internal Audit
– Audit Engagements – Reporting

Table Attributes | Description
Criteria | Outlines the criteria used in the audit – what should be in place according to good practices.
Current Environment and Potential Risks | Highlights of what was found during the review. This includes the potential risk exposure with the current environment, as assessed based on the work conducted.
Risk rating* | The risk-rating framework used is that outlined below and is consistent with the University's Risk Management policy.
Opportunities for Improvement | Recommendations to mitigate risks or improve operations where necessary.
ERM Application in Internal Audit
– Audit Engagements – Reporting (cont.)

Rating | Description
High | High risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb
Moderate | Moderate risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb
Low | Low risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb
Results
– Fewer "red lights"
– Focussed recommendations with a clear linkage to risk and strategy
– Foundation for overall assessments
– Good feedback from administration (increased use of audits in governance meetings and decisions)
– Budget
NOT PERFECT
Challenges
– Striving to ensure committee members have sufficient information to fulfill their mandate
– Interpretation of risk appetite
– Financial vs. Strategic, Operations Risks
– Coverage
– Conclusion on Internal Control
– Role in Fraud Prevention/Detection:
  – Fraud Policy and Protected Disclosure
  – New IIA position
– Role in Institutional Compliance
ERM and Audit Planning
– Previous audit universe was academic, administrative, ancillary and research units => audits were unit based
– The top 13 critical risks are very high level (e.g. Human Resources, Reputation etc.)
– Review audit universe in two ways:
  – Traditional general ledger units
  – Functional/operational processes
ERM and Audit Planning
– Dual annual risk assessment processes for audit plan
  – Units (level of expenditures; complexity; management concerns etc.)
  – Functions/Processes (mapped to Enterprise risks):
    – Governance
    – Finance and Administration
    – Programs and Services
    – Students
    – Human Resources
    – IT
    – External Relations
Mapping Enterprise Risks
Legend (cell shading in the original):
– Process maps to > 70% of key risks
– Process maps to > 30% and < 70% of key risks
– Process maps to < 30% of key risks

Enterprise Risks (columns): Government Policy, Academic Quality, Strategic Planning, Infrastructure, Human Resources, Information Technology, Reputation, Change Readiness, Competitor, Financial, Leadership, Quality, Student Satisfaction, Health and Safety; Total

Audit Universe Processes (rows) with Total number of enterprise risks each maps to [individual X marks per column not reproduced]:
Governance
– Vision and Strategy development/review: 9
– Fiduciary and academic oversight: 6
Finance and Administration
– Planning and resource allocation process: 12
– Expenditure controls / budget management: 2
– Capital plan and projects/expenditures: 9
– Cash management: 4
ERM and Audit Planning
– Professional judgement
– No risk appetite or policy to refer to
– Balancing "low hanging fruit" and high-level risks in audit plan
– Have not specifically ruled out review of certain risks
NEEDS FURTHER WORK… An evolving process
ERM and Audit Reports
Example: Research Grants & Contract Audit

Audit Risk:
– Research activity and expenditures are not in compliance with legislative requirements or terms of the contract or grant, jeopardizing future grants and contracts and impacting the reputation of Queen's University;
– There are project delays and cost overruns leaving the University exposed to contractual defaults and funding shortfalls; and
– Existing processes result in ineffective management of grants and contracts and/or use of resources and the potential for lost opportunities.

Enterprise Risk:
– Competitor Risk (i.e. actions of competitors affect Queen's ability to meet enrolment targets, obtain high levels of research funding and hire the best faculty and staff)
– Reputation Risk (i.e. communicating, maintaining and enhancing Queen's reputation)
– Change Readiness Risk (i.e. being responsive to external and internal funding changes)
– Financial Risk (i.e. not meeting goals and objectives due to insufficient funds, cost overruns or project management issues)
ERM and Audit Reports
– Have avoided rating findings to date
– No standard risk rating
– Will rate findings not implemented during follow-up audit (High, Medium, Low risk)
– Subjective
Challenges
– No risk policy or risk tolerances developed
– No standard risk ratings
– Subjective
– Not all risks are easily auditable
– Some key risks under constant management review
– Coverage of issues versus the high level risks
– Addressing Audit Committee concerns