Managing Risks For Results Internal Audit Perspective Planning & Performance Exchange (PPX) Learning Event November 3, 2009
Overview Why Focus on Risk Management? IA Risk Management Tools/Processes Risk-based Audit Planning Government-wide Audit Universe What Have We Learned? Key Strategies
Why Risk Management? TB Oversight support - OCG Mandate CG Annual Report on State of G o C Governance, Risk, & Controls/TB IA Policy Audit Intelligence gathering/decision-making support Early Warning - Control Risks/Failures Enhance Departmental Risk Management & Mitigation DH Accountability Officer Role Demonstrate effectiveness of Department s controls
IA Risk Management Tools/Processes Risk-Based Audit Plans & Guidelines OCG Horizontal Internal Audit Plan/ Risk Assessment Departmental Internal Audit Liaison Activities (CAEs, DAACs) Audit Intelligence (Trends, Gaps, Best Practices)
Internal Audit : Background The Policy on Internal Audit establishes standards and requirements for internal audit functions reinforcing Internal Audit across government and repositioning it in a key role supporting effective and credible governance. The Policy requires the Comptroller General to report annually to the Treasury Board on: Significant issues of risk, control and management arising from internal auditing across government; and Horizontal auditing Internal Audit requires value-added, robust audit methodologies that support a credible and holistic assessment of departmental controls. One of the key methodologies is risk-based internal audit planning.
The Assurance Cycle Scanning* Risk Perspective* Planning Risk Studies Selection of Assurance Products* Criteria Studies (Continuous Development) Assurance Engagements Recommendations Continuous Auditing Monitoring
Risk Based Audit Planning A systematic process where auditable entities are identified, prioritized according to risk and scheduled for the conduct of internal audit activities. Four step process: Development of the Audit Universe Preliminary Risk Prioritization of the Audit Universe Final Prioritization of the Audit Universe Audit Plan Completion
Development of PS Risk Landscape Government Priorities (as expressed in the Speech from the Throne); Priorities of Clerk. Top Down MAF Assessments Departmental Performance Reports Auditor General Reports Reports by other Agents of Parliament PSC Reports Reports on Plans and Priorities Corporate Risk Profiles Audit Risk Analyses, Reports and Plans Audit Monitoring & Followup R I S K A N A L Y S I S Consultative Annual Review Continuous Public Service Management Risk Landscape Other sources of risk information including US GAO High Risks, Corporate Executive Board, Audit Executive s Roundtable. Bottom Up
Step 1: Development of the Audit Universe Starting point for the organization s audit planning process Represents the potential range of all audit activities and is comprised of a number of auditable entities Entities include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the department s strategic objectives (also typically captured in Corporate Risk Profile) Ranked relative to one another to derive Internal Audit priorities and plans (focus on areas of highest risk)
Public Service Management Risk Landscape: Situating the Audit Universe Stewardship Risk Management People Risk Auditability Low Audit Priority Moderate Audit Priority High Audit Priority Very High Audit Priority
Government-wide Audit Universe Audit Universe Element Stewardship Accountability Governance and Strategic Directions Results and Performance Risk Management People Auditable Entity Description Topic Objective Financial Management and Controls Alignment of Accountability Instruments Corporate Performance Framework Program Evaluation Function Effectiveness of Corporate Risk Management Workforce Management Financial systems and controls Application of authority, responsibility and accountability Suite of management processes and controls in place Independent assessment function of program or policy results Management approach risks All aspects of human resource management Financial Administration Act (FAA) Compliance Third Party Accountability Federal Accountability Act Evaluation Policy Compliance Integrated Risk Management Framework HR planning Compliance with Sections 32/33/34 of the FAA Effectiveness of MOU and other accountability instruments for partners Compliance with legislative provisions Compliance with TBS Evaluation Policy and associated standards Adequacy and effectiveness of risk management regime Adequacy and effectiveness of the controls for HR planning
Government-wide Audit Universe Audit Universe Element Policy and Programs Citizen-Focussed Services Public Service Values Learning, Innovation and Change Management Auditable Entity Description Topic Objective Quality of Program and Policy Analysis Public communications and outreach Organization s values and ethics framework Managing Organizational Change The processes for determining policy and program priorities The process by which citizen/client needs and expectations are determined The means of senior management establishment within organization The organization s change management processes and controls TB submission and Memoranda to Cabinet Public Opinion Surveys Values and Ethics Framework Learning and Development Quality and consistency Management of surveys Adequacy and effectiveness of organization s documented corporate values and ethics Adequacy and effectiveness of human resource learning and development approach
Step 2: Risk Prioritization of the Audit Universe Involves risk ranking of auditable entities based on a series of prioritization criteria: Assessing risk exposure Assessing risk significance Determining the preliminary audit priority (ies) Criteria are applied to each auditable entity based on information gathered through documentation review, consideration of past audit results, and consultation with senior management.
Chief Audit Executive Inputs Average Risk & Auditability of MAF Elements 5 Average Rating 4 3 2 1 3.7 3.5 3.4 3.2 3.1 2.8 2.5 0 People Stewardship Risk Management Public Service Values Governance and Strategic Objectives Learning, Innovation and Change Citizen focused Services
Step 3: Final Prioritization of the Audit Universe Considerations for final audit priorities and audit projects: Auditability Priorities of management and audit committee Priorities of OCG and TBS Priorities and plans of other assurance providers Time since last audit
Key elements: Step 4: Audit Plan Completion Scoping and selection of audit type Coverage of risk management, controls and governance in support of annual overall opinion Required resources/gaps assessment Planning for other activities Drafting the plan Approving the plan (DAAC & DH) Follow-up activities
What Have We Learned? Real Risk Management challenges/success opportunities exist e.g. Economic Action Plan - Significant Gaps between emerging Threat/Risk areas & level of Management Focus (Governance, V&E) Risk Management Knowledge/Capacity is improving but Processes still tend to heavily rely on: Today s Policy/Program assumptions Self-assessment of Risk Mitigations Involvement of Decision-makers is key
Key Strategies Challenge Conventional Wisdom & Assumptions Position/integrate the Risk Management Function as enabler of successful Corporate Strategy the expected results Integrate Judgement with Process and Data