Building Strategic Risk-Based Internal Audit Services: Case Studies - PowerPoint PPT Presentation

Slides: 38
Provided by: linda461

Transcript and Presenter's Notes

1
Building Strategic Risk-Based Internal Audit Services
Case Studies
2
Outline
  • Two Universities - Two Approaches
  • Linkages between Internal Audit & Enterprise-Wide
    Risk Management (ERM)
  • ERM's application in audit processes
  • Participative: encourage everyone to share
    successful practices

3
The University of Alberta
  • In 2007
  • Over 36,500 students
  • Over 8100 degrees granted
  • Staff: 3493 Academic, 6233 Support (FTE)
  • Over 420 million in annual research
  • The current capital program is valued at more
    than 1 billion

4
New Internal Audit Strategy
  • Conducted a Current State Analysis
  • Supported by External Audit of Internal Audit
    (2005)
  • Interviewed Senior Administration (34) & Audit
    Committee members (3 of 5)
  • What would you like to see from internal audit?

5
Board Audit Committee Responsibilities
1 The Changing Role of the Audit Committee
Leading Practices for Colleges, Universities and
Other Not-for-Profit Education Institutions,
PricewaterhouseCoopers 2004
6
Strategic Business Plan
  • Internal Auditing (Core Business)
  • Examining Suspected Fraud and Irregularities
    (Secondary Business)
  • Related Activities
  • Liaison with External Auditors
  • Continuous Auditing
  • Risk Management
  • Institutional Compliance

7
Strategic Business Plan
  • The Strategic Plan outlines
  • Strategic initiatives
  • Objectives
  • Specific IA strategies
  • Performance measures
  • Clear linkage to the U of A's strategy documents
    Dare to Discover and Dare to Deliver
  • Report progress annually

8
Strategic Business Plan
9
Audit Linkage to ERM
  • Separate Functions at U of A

10
History of ERM
  • 2002/03 PWC hired to develop framework
  • Accountability and Risk Management Steering
    Committee established (IA ex-officio)
  • Risk Management Policy / Appetite statements
  • ERM reviews in 2005 and 2007
  • Adoption of COSO ERM Integrated Framework
  • New Associate Vice-President (Risk Management)
    position created in Dec 2007
  • Risk Management, Budgets, Emergency Preparedness,
    Insurance, Environmental Health & Safety, and
    Compliance

11
ERM & Internal Audit

The Institute of Internal Auditors. The Role of
Internal Auditing in Enterprise-wide Risk
Management, September 29, 2004.
12
Challenges
  • ERM is evolving
  • Roles & responsibilities
  • Where should we be on the continuum?
  • Board of Governors oversight requirements

13
A Snapshot of Queen's
  • 20,566 students
  • 2,374 faculty, 2,472 staff
  • Fiscal 2006-07 revenue of 733M
  • Largest ever capital expansion program with debt
    requirements
  • Fiscally conservative governance

14
Internal Audit
  • Formerly Internal Audit, now Risk Management
    Audit Services (RMAS)
  • First audit completed in 1991
  • Averaged two to three staff members until
    reorganization to RMAS in 2004
  • Presently three staff members and a student
    auditor

15
Internal Audit Strategy
  • New VP from New Zealand with ERM experience
  • Department name change to RMAS in 2004
  • View to outsourcing internal audit function
  • After first year of revised mandate, agreed on
    strategy to provide audit services in-house with
    co-sourcing where expertise required (i.e. IT)

16
Revised Mandates
  • Audit Committee mandate revised May 05 with best
    practice responsibilities, including oversight of
    effectiveness of risk management
  • RMAS Charter revised
  • Staff complement of 3 achieved April 07
  • No departmental strategic plan to date

17
ERM at Queen's
  • Deloitte engaged in 2005 to perform initial risk
    assessment and advise on framework
  • RMAS leader of project with executive leadership
    support
  • Initial report to the Audit Committee
  • Further development of framework put on hold as
    University Strategic Plan developed
  • Recent update of current strategies and action
    plans

18
ERM and Internal Audit
  • RMAS is the ERM Champion
  • Included in RMAS Charter
  • Develop and maintain the ERM framework
  • Coordinate and report on ERM activities
  • Promote a strong risk management culture, monitor
    strategies and provide advice
  • Develop the audit plan using risk-based
    methodology

19
ERM and Internal Audit
Legitimate IA role per IIA
20
Challenges
  • ERM is still in relative infancy
  • Difficult to champion a process while building a
    department and delivering on a risk based audit
    plan
  • No internal risk management committee
  • Audit Committee concern

21
Group Discussion
  • What are the ERM linkages to Internal Audit in
    your institution?
  • What are the challenges?

22
ERM Application in Internal Audit
  • Audit Planning
  • Two-year plan (updated no less frequently than
    annually)
  • Projects Mapped to risks identified through ERM.
  • Inherent Risk assessment
  • Section of plan deals with items highlighted and
    not covered in plan

23
Internal Audit Planning process
24
ERM Application in Internal Audit
  • Audit Engagements - Planning
  • Strategic objectives of U of A and area
  • Potential risks: use the U of A risk appetite
    statements in the area to guide audit focus.
  • Areas noted as risks are documented in Project
    terms of Reference

25
Narrow Example (Audit of Commercialization
Governance)

26
ERM Application in Internal Audit
  • Audit Engagements - Reporting

27
ERM Application in Internal Audit
  • Audit Engagements - Reporting (cont.)

28
Results
  • Fewer red lights
  • Focussed recommendations with a clear linkage to
    risk and strategy
  • Foundation for overall assessments
  • Good feedback from administration (increased use
    of audits in governance meetings and decisions)
  • Budget
  • NOT PERFECT

29
Challenges
  • Striving to ensure committee members have
    sufficient information to fulfill their mandate
  • Interpretation of risk appetite
  • Financial vs. Strategic, Operations Risks
  • Coverage Conclusion on Internal Control
  • Role in Fraud Prevention/Detection
  • Fraud Policy and Protected Disclosure
  • New IIA position
  • Role in Institutional Compliance

30
ERM and Audit Planning
  • Previous audit universe was academic,
    administrative, ancillary and research units >
    audits were unit based
  • The top 13 critical risks are very high level
    (e.g. Human Resources, Reputation etc.)
  • Review audit universe in two ways
  • Traditional general ledger units
  • Functional/operational processes

31
ERM and Audit Planning
  • Dual annual risk assessment processes for audit
    plan
  • Units (level of expenditures, complexity,
    management concerns, etc.)
  • Functions/Processes
  • Governance
  • Finance and Administration
  • Programs and Services
  • Students
  • Human Resources
  • IT
  • External Relations

Mapped to Enterprise risks

32
Mapping Enterprise Risks
33
ERM and Audit Planning
  • Professional judgement
  • No risk appetite or policy to refer to
  • Balancing low hanging fruit and high-level
    risks in audit plan
  • Have not specifically ruled out review of certain
    risks
  • NEEDS FURTHER WORK - An evolving process

34
ERM and Audit Reports
  • Example: Research Grants Contract Audit

35
ERM and Audit Reports
  • Have avoided rating findings to date
  • No standard risk rating
  • Will rate findings not implemented during
    follow-up audit (High, Medium, Low risk)
  • Subjective

36
Challenges
  • No risk policy or risk tolerances developed
  • No standard risk ratings
  • Subjective
  • Not all risks are easily auditable
  • Some key risks under constant management review
  • Coverage of issues versus the high level risks
  • Addressing Audit Committee concerns

37
Group Discussion
  • What other challenges do you see in integrating
    ERM practically with IA requirements?
  • Success stories to share?
  • Any other comments?