Managing Risks For Results – Internal Audit

Perspective

Managing Risks For Results – Internal Audit

Perspective

Planning & Performance Exchange (PPX) Learning Event

November 3, 2009

Planning & Performance Exchange (PPX) Learning Event

November 3, 2009

OverviewOverview

§ Why Focus on Risk Management?§ IA Risk Management Tools/Processes§ Risk-based Audit Planning§ Government-wide Audit Universe§ What Have We Learned?§ Key Strategies

§ Why Focus on Risk Management?§ IA Risk Management Tools/Processes§ Risk-based Audit Planning§ Government-wide Audit Universe§ What Have We Learned?§ Key Strategies

Why Risk Management?Why Risk Management?

§ TB Oversight support - OCG Mandate§ CG Annual Report on State of G o C Governance, Risk,

& Controls/TB IA Policy§ Audit Intelligence gathering/decision-making support§ Early Warning - Control Risks/Failures

§ Enhance Departmental Risk Management & Mitigation§ DH Accountability Officer Role§ Demonstrate effectiveness of Department’s controls

§ TB Oversight support - OCG Mandate§ CG Annual Report on State of G o C Governance, Risk,

& Controls/TB IA Policy§ Audit Intelligence gathering/decision-making support§ Early Warning - Control Risks/Failures

§ Enhance Departmental Risk Management & Mitigation§ DH Accountability Officer Role§ Demonstrate effectiveness of Department’s controls

IA Risk Management Tools/Processes

IA Risk Management Tools/Processes

§ Risk-Based Audit Plans & Guidelines§ OCG Horizontal Internal Audit Plan/ Risk

Assessment§ Departmental Internal Audit Liaison

Activities (CAEs, DAACs)§ Audit Intelligence (Trends, Gaps, Best

Practices)

§ Risk-Based Audit Plans & Guidelines§ OCG Horizontal Internal Audit Plan/ Risk

Assessment§ Departmental Internal Audit Liaison

Activities (CAEs, DAACs)§ Audit Intelligence (Trends, Gaps, Best

Practices)

Internal Audit : BackgroundInternal Audit : Background

§ The Policy on Internal Audit establishes standards and requirements for internal audit functions reinforcing Internal Audit across government and repositioning it in a key role supporting effective and credible governance.

§ The Policy requires the Comptroller General to report annually to the Treasury Board on:§ Significant issues of risk, control and management arising from

internal auditing across government; and§ Horizontal auditing

§ Internal Audit requires value-added, robust audit methodologies that support a credible and holistic assessment of departmental controls. One of the key methodologies is risk-based internal audit planning.

§ The Policy on Internal Audit establishes standards and requirements for internal audit functions reinforcing Internal Audit across government and repositioning it in a key role supporting effective and credible governance.

§ The Policy requires the Comptroller General to report annually to the Treasury Board on:§ Significant issues of risk, control and management arising from

internal auditing across government; and§ Horizontal auditing

§ Internal Audit requires value-added, robust audit methodologies that support a credible and holistic assessment of departmental controls. One of the key methodologies is risk-based internal audit planning.

The Assurance CycleThe Assurance Cycle

S c a n n i n g * R isk P e rsp e c tive *

P lan n in g

S e le c t ion o f A s s u r a n c eP r o d u c ts*

A s s u ran c e E n g a g e m e n ts

C rite ria S tud ies( C o n t in u o u s

D e ve lopm e n t)R e c o m m e n d a t i o n s

M o nito ri n gC o n tin u o u sA u dit in g

R iskS tud ies

Risk Based Audit PlanningRisk Based Audit Planning§ A systematic process where auditable entities are

identified, prioritized according to risk and scheduled for the conduct of internal audit activities.§ Four step process:§ Development of the Audit Universe§ Preliminary Risk Prioritization of the Audit Universe§ Final Prioritization of the Audit Universe§ Audit Plan Completion

§ A systematic process where auditable entities are identified, prioritized according to risk and scheduled for the conduct of internal audit activities.§ Four step process:§ Development of the Audit Universe§ Preliminary Risk Prioritization of the Audit Universe§ Final Prioritization of the Audit Universe§ Audit Plan Completion

Development of PS Risk Landscape

Development of PS Risk Landscape

Government Priorities (as expressed in the Speech from the Throne); Priorities of Clerk.

MAF AssessmentsDepartmental Performance Reports Auditor General Reports Reports by other Agents of ParliamentPSC Reports

Other sources of risk information including US GAO High Risks, Corporate Executive Board, Audit Executive’s Roundtable….

Reports on Plans and Priorities Corporate Risk Profiles Audit Risk Analyses, Reports and Plans Audit Monitoring & Follow-up

RISK

ANALYSIS

ConsultativeAnnual Review

Continuous

Public ServiceManagement Risk

Landscape

Bottom Up

Top Down

Step 1:Development of the Audit Universe

Step 1:Development of the Audit Universe§ Starting point for the organization’s audit planning process§ Represents the potential range of all audit activities and is

comprised of a number of auditable entities§ Entities include a range of programs, activities, functions,

structures and initiatives which collectively contribute to the achievement of the department’s strategic objectives (also typically captured in Corporate Risk Profile)

§ Ranked relative to one another to derive Internal Audit priorities and plans (focus on areas of highest risk)

§ Starting point for the organization’s audit planning process§ Represents the potential range of all audit activities and is

comprised of a number of auditable entities§ Entities include a range of programs, activities, functions,

structures and initiatives which collectively contribute to the achievement of the department’s strategic objectives (also typically captured in Corporate Risk Profile)

§ Ranked relative to one another to derive Internal Audit priorities and plans (focus on areas of highest risk)

Low Audit Priority Very High Audit PriorityModerate Audit Priority High Audit Priority

Auditability

Ris

kStewardship

People

Risk Management

Public Service Management Risk Landscape: Situating the Audit Universe

Government-wide Audit UniverseGovernment-wide Audit UniverseAudit Universe Element

Auditable Entity Description Topic Objective

Stewardship Financial Management and Controls

Financial systems and controls

Financial Administration Act (FAA) Compliance

Compliance with Sections 32/33/34 of the FAA

Accountability Alignment of Accountability Instruments

Application of authority, responsibility and accountability

Third Party Accountability

Effectiveness of MOU and other accountability instruments for partners

Governance and Strategic Directions

Corporate Performance Framework

Suite of management processes and controls in place

Federal Accountability Act

Compliance with legislative provisions

Results and Performance

Program Evaluation Function

Independent assessment function of program or policy results

Evaluation Policy Compliance

Compliance with TBS Evaluation Policy and associated standards

Risk Management Effectiveness of Corporate Risk Management

Management approach risks

Integrated Risk Management Framework

Adequacy and effectiveness of risk management regime

People Workforce Management

All aspects of human resource management

HR planning Adequacy and effectiveness of the controls for HR planning

Government-wide Audit UniverseGovernment-wide Audit UniverseAudit Universe Element

Auditable Entity Description Topic Objective

Policy and Programs Quality of Program and Policy Analysis

The processes for determining policy and program priorities

TB submission and Memoranda to Cabinet

Quality and consistency

Citizen-Focussed Services

Public communications and outreach

The process by which citizen/client needs and expectations are determined

Public Opinion Surveys

Management of surveys

Public Service Values

Organization’s values and ethics framework

The means of senior management establishment within organization

Values and Ethics Framework

Adequacy and effectiveness of organization’s documented corporate values and ethics

Learning, Innovation and Change Management

Managing Organizational Change

The organization’s change management processes and controls

Learning and Development

Adequacy and effectiveness of human resource learning and development approach

Step 2:Risk Prioritization of the Audit

Universe

Step 2:Risk Prioritization of the Audit

Universe§ Involves risk ranking of auditable entities based

on a series of prioritization criteria:§ Assessing risk exposure§ Assessing risk significance§ Determining the preliminary audit priority (ies)

§ Criteria are applied to each auditable entity based on information gathered through documentation review, consideration of past audit results, and consultation with senior management.

§ Involves risk ranking of auditable entities based on a series of prioritization criteria:§ Assessing risk exposure§ Assessing risk significance§ Determining the preliminary audit priority (ies)

§ Criteria are applied to each auditable entity based on information gathered through documentation review, consideration of past audit results, and consultation with senior management.

Chief Audit Executive InputsChief Audit Executive InputsAverage Risk & Auditability of MAF Elements

3.7 3.5 3.4 3.2 3.12.8

2.5

0

1

2

3

4

5

Peop

le

Steward

ship

Risk M

anag

emen

t

Public S

ervice

Valu

es

Govern

ance

and S

trateg

ic Obje

ctive

s

Learn

ing, In

nova

tion a

nd Cha

nge

Citiz

en fo

cuse

d Serv

ices

Ave

rage

Rat

ing

Step 3:Final Prioritization of the Audit

Universe

Step 3:Final Prioritization of the Audit

Universe§ Considerations for final audit priorities and

audit projects:§ Auditability§ Priorities of management and audit committee§ Priorities of OCG and TBS§ Priorities and plans of other assurance providers§ Time since last audit

§ Considerations for final audit priorities and audit projects:§ Auditability§ Priorities of management and audit committee§ Priorities of OCG and TBS§ Priorities and plans of other assurance providers§ Time since last audit

Step 4:Audit Plan Completion

Step 4:Audit Plan Completion

§ Key elements:§ Scoping and selection of audit type§ Coverage of risk management, controls and

governance in support of annual overall opinion§ Required resources/gaps assessment§ Planning for other activities§ Drafting the plan§ Approving the plan (DAAC & DH)§ Follow-up activities

§ Key elements:§ Scoping and selection of audit type§ Coverage of risk management, controls and

governance in support of annual overall opinion§ Required resources/gaps assessment§ Planning for other activities§ Drafting the plan§ Approving the plan (DAAC & DH)§ Follow-up activities

What Have We Learned?What Have We Learned?

§ Real Risk Management challenges/success opportunities exist – e.g. Economic Action Plan -Significant Gaps between emerging Threat/Risk areas & level of Management Focus (Governance, V&E)§ Risk Management Knowledge/Capacity is

improving but Processes still tend to heavily rely on:§ Today’s Policy/Program assumptions§ “Self-assessment” of Risk Mitigations

§ Involvement of Decision-makers is key

§ Real Risk Management challenges/success opportunities exist – e.g. Economic Action Plan -Significant Gaps between emerging Threat/Risk areas & level of Management Focus (Governance, V&E)§ Risk Management Knowledge/Capacity is

improving but Processes still tend to heavily rely on:§ Today’s Policy/Program assumptions§ “Self-assessment” of Risk Mitigations

§ Involvement of Decision-makers is key

Key StrategiesKey Strategies

§ Challenge Conventional Wisdom & Assumptions§ Position/integrate the Risk Management

Function as enabler of successful Corporate Strategy – the expected results§ Integrate Judgement with Process and Data

§ Challenge Conventional Wisdom & Assumptions§ Position/integrate the Risk Management

Function as enabler of successful Corporate Strategy – the expected results§ Integrate Judgement with Process and Data