
Auditing & Risk Management

Auditing & Risk Management. A Happy Couple or a Shotgun Marriage?. Presented by Bruce Turner CGAP, FIIA (Aust), CISA, CFE, FFin, FPNA, MAICD, AFAIM Chief Internal Auditor Australian Taxation Office 15 October 2010. Overview.


Presentation Transcript


  1. Auditing & Risk Management A Happy Couple or a Shotgun Marriage? Presented by Bruce Turner CGAP, FIIA (Aust), CISA, CFE, FFin, FPNA, MAICD, AFAIM Chief Internal Auditor Australian Taxation Office 15 October 2010

  2. Overview We’ll explore the pre-nuptials … how strong is the connection between internal audit and risk management … does it provide the foundation for a happy couple?

  3. Overview • Internal Audit • Governance Roles • Integrating Internal Audit with Enterprise Risk Management

  4. Internal audit • Fundamentals of professional auditing practices • Definition • Key elements • Professional standards

  5. Definition of internal auditing • “Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

  6. Key elements • Governance • Risk management • Control

  7. Auditing standards • 1000 – Purpose, Authority, and Responsibility • 1100 – Independence and Objectivity • 1200 – Proficiency and Due Professional Care • 1300 – Quality Assurance and Improvement Program • 2000 – Managing the Internal Audit Activity • 2100 – Nature of Work • 2200 – Engagement Planning • 2300 – Performing the Engagement • 2400 – Communicating Results • 2500 – Monitoring Progress • 2600 – Resolution of Management’s Acceptance of Risks

  8. Auditing standards - planning (2010) • “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.”

  9. Auditing standards – risk management (2120) • “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”

  10. “Risk management remains at the heart of internal audit. It defines the focus as well as the effort of the internal audit staff. Getting it right through a comprehensive risk assessment will drive better results, achieve greater efficiencies, and cover the important things that either add or preserve value in an organisation.” • * Financial Executive November 2008 - Better Internal Audit Leads to Better Controls - by Robert B Hirth Jr – from Protiviti NewsAlert January 2009

  11. Risk elements in audit process • Planning • Forward work program • Each audit engagement • Fieldwork • Scope and work program • Reporting • Each audit reported • Basis of prioritising recommendations • Consolidated high-level reporting • Follow-up of recommendations

  12. Example - audit planning development process

  13. Example – ATO audit themes • Core tax administrative activities • Change Program • Financial stewardship • Strategic reviews • Assurance activities

  14. Example – ATO audit themes cont’d • Managing contracts • Managing overheads • Fraud control • Non-financial management information • Security and privacy

  15. Looks like a marriage …

  16. Governance • The inter-relationships between the risk management players • Management • Risk management advisor • Auditors • The effect of changing risk profiles

  17. Management • Owns the risks • Manages the risks • Risk management advisor • Develops the framework • Produces risk reporting • Internal auditors • Use risk based planning • Evaluate controls

  18. Business Objectives Governance Heightens likelihood of achieving objectives Risk Management Charts & oversights the business Internal Controls

  19. The changing risk profile

  20. Change is inevitable • Risk management activity must be dynamic • Vital to embed risk management in organisational processes • Both risk management framework and processes • The organisation and its environment will change • Auditors to be agile and flexible to accommodate changes

  21. Thinking about risks * Based on thought leadership in a PwC Publication – Extending Enterprise Risk Management to address emerging risks (2009)

  22. Examples - emerging risk areas • Increased competitive pressures • Continued recessionary pressures • Cost reduction pressures • Talent risks • Commodity prices

  23. Examples - emerging risk areas (cont’d) • Strategic change management • Third party solvency • Political trends • Compliance • Lack of investment in product innovation • * Sourced from Audit Director Roundtable Publication – Top Ten Emerging Risks – Likelihood, Impact and Velocity (October 2009)

  24. Examples - local government risk areas • Developer contributions • Water supply • Culture centre development • Asset maintenance • Integrated planning • Climate change • Attract / retain staff • Long-term finances • Information management • Fraud and corruption

  25. Examples - state government risk areas • Shared services provision • Information technology • Security • State plan delivery • Specific reforms • Attract / retain staff • OH&S • Major projects • Reactive work • Fiduciary controls

  26. Examples - enterprise risk categories. Policy Advice & Design External Environment Security & Privacy Law Interpretation Innovation & Change Tax Product Compliance Knowledge Major Tax Integrity Threats Transfers Compliance Technology People Product & Payment Processing Governance Tax Revenue Finance Marketing & Communications Client Experience Legal Support Client Engagement Facilities Regulatory Compliance Government Engagement Business Continuity International Engagement Reputation Management Supplier Engagement

  27. Internal auditing policy agenda • Internal audit is fundamental to good governance • Public entities need strong effective audit committees • Appropriate reporting lines for head of internal audit • Clear accountability for risk management and control • Internal audit operates at consistently high standard

  28. Ticks along like a marriage …

  29. Integrating internal audit and enterprise risk management • Optimising the benefits of the risk management investment • A long engagement • Audit themes • Case studies

  30. A long engagement - case study - loan portfolio audit

  31. Routine auditing • Broad coverage of personal loans • Average loan $30,000 • Thorough audit completed • Appropriate sampling techniques • Well-constructed working papers • Well-written report

  32. Different loan product offering • Foreign exchange loans introduced that year • Average loan $750,000 • Not part of ‘routine’ audit program • No audit coverage of new product lines

  33. Adding value • Narrow focus on ‘routine’ loan portfolio • Changing risk profile not assessed • Audit value diminished • The audit and risk marriage is already over 25 years strong

  34. Case study – on time running

  35. Public information • Objectives of entity articulated • Clean • Safe • Reliable • Key measure of reliability – on time running • KPI result updated daily on website

  36. End-to-end controls • Well articulated policy and KPI commitment • Counting rules clear and transparent • High-level sign-offs for release to website and Minister • Assertions on the collation of data and calculation of results • Strong website security

  37. Data origination • Grassroots collection of data • Near enough is good enough approach • Integrity of data severely tarnished • Reputational damage • Strong Auditor-General criticism

  38. Case study – security risks

  39. Emerging security risks (2008) • More electronic records breached than 4 prior years • Corporations fell victim to the largest cyber-crimes ever • Motivated hackers know where and what to target • 90% of records breaches involved organised crime • Could avoid 9 out of 10 breaches with security basics • Mistakes and oversights hindered security efforts • * Australian Institute of Management, Management Today, July 2009, pp. 7-8, 37

  40. “In recent times, a number of events have occurred overseas resulting in the loss or disclosure of sensitive information. One particularly high public profile incident resulted in the resignation of the Chief Executive of Her Majesty’s Revenue and Customs (HMRC) in the UK.” • * ATO, Information Security Practices Review, PricewaterhouseCoopers, April 2008, p. 2

  41. Example – ATO reporting on audit themes • Logical access provisions • Managing client records • Consolidated high-level audit report on security • Site visits – remote locations (physical security) • Satellite audit – security classifications

  42. Risk management elements • Sound governance structures • A clear corporate stance • Effective education and awareness programs • A well-defined security classification framework • Effective security monitoring incident response mechanisms • Robust plans for IT incidents. * ATO, Information Security Practices Review, PricewaterhouseCoopers, April 2008, covering letter, p. 2

  43. Influences service standards • Community perceptions strong • 80% think the ATO is doing a good job* • Business perceptions strong • 89% think the ATO is doing a good job* • Professional survey positive • 79% are ‘satisfied’ or ‘very satisfied’ with the professionalism of ATO employees*

  44. Comes together like a marriage …

  45. Conclusion • The pre-nuptials are sound: • Internal audit and risk management have a strong inseparable connection • Risk management provides the foundation for effective auditing • In turn internal audit: • Supports the risk management process • Validates the effectiveness of internal controls that mitigate the risks

  46. My vote … a happy couple!

  47. Questions? • © COMMONWEALTH OF AUSTRALIA 2010 • This presentation was current in July 2010

  48. About the ATO • Australian Government’s main revenue collection agency • Administers main aspects of Australia’s super system • Celebrates its centenary in 2010 • Net revenue collection of 270.8 billion* • Operating budget of $3.1 billion** • Average staffing level 21,720** • 75 locations across all states and territories** • 25 business and service lines* • * end June 2008 ** end June 2009

  49. Audit staff • Around 40 full-time equivalent staff • We employ specialist external staff for technical audits • Four teams across 3 sites in ACT, NSW and Victoria • Audit capability meets global benchmarks • Qualifications, certifications, experience • Multi-disciplinary team • Completes 60 to 70 audits per year

  50. Our commitment to you • We are committed to providing you with guidance you can rely on, so we make every effort to ensure that our presentations are correct.
