Title: Building Strategic Risk-Based Internal Audit Services: Case Studies
Building Strategic Risk-Based Internal Audit Services: Case Studies
Outline
- Two Universities, Two Approaches
- Linkages between Internal Audit and Enterprise-Wide Risk Management (ERM)
- ERM's application in audit processes
- Participative: everyone is encouraged to share successful practices
The University of Alberta
- In 2007:
- Over 36,500 students
- Over 8,100 degrees granted
- Staff: 3,493 academic, 6,233 support (FTE)
- Over $420 million in annual research
- The current capital program is valued at more than $1 billion
New Internal Audit Strategy
- Conducted a Current State Analysis
- Supported by External Audit of Internal Audit (2005)
- Interviewed Senior Administration (34) and Audit Committee members (3 of 5): "What would you like to see from internal audit?"
Board Audit Committee Responsibilities
Source: The Changing Role of the Audit Committee: Leading Practices for Colleges, Universities and Other Not-for-Profit Education Institutions, PricewaterhouseCoopers, 2004.
Strategic Business Plan
- Internal Auditing (Core Business)
- Examining Suspected Fraud and Irregularities (Secondary Business)
- Related Activities:
  - Liaison with External Auditors
  - Continuous Auditing
  - Risk Management
  - Institutional Compliance
Strategic Business Plan
- The Strategic Plan outlines:
  - Strategic initiatives
  - Objectives
  - Specific IA strategies
  - Performance measures
- Clear linkage to the U of A's strategy documents, Dare to Discover and Dare to Deliver
- Report progress annually
Strategic Business Plan
Audit Linkage to ERM
- Separate functions at U of A
History of ERM
- 2002/03: PWC hired to develop framework
- Accountability and Risk Management Steering Committee established (IA ex-officio)
- Risk Management Policy / Appetite statements
- ERM reviews in 2005 and 2007
- Adoption of COSO ERM Integrated Framework
- New Associate Vice-President (Risk Management) position created in Dec 2007: Risk Management, Budgets, Emergency Preparedness, Insurance, Environmental Health & Safety, and Compliance
ERM & Internal Audit
Source: The Institute of Internal Auditors, The Role of Internal Auditing in Enterprise-wide Risk Management, September 29, 2004.
Challenges
- ERM is evolving
- Roles and responsibilities
- Where should we be on the continuum?
- Board of Governors oversight requirements
A Snapshot of Queen's
- 20,566 students
- 2,374 faculty, 2,472 staff
- Fiscal 2006-07 revenue of $733M
- Largest ever capital expansion program, with debt requirements
- Fiscally conservative governance
Internal Audit
- Formerly Internal Audit, now Risk Management & Audit Services (RMAS)
- First audit completed in 1991
- Averaged two to three staff members until reorganization to RMAS in 2004
- Presently three staff members and a student auditor
Internal Audit Strategy
- New VP from New Zealand with ERM experience
- Department name change to RMAS in 2004
- View to outsourcing internal audit function
- After first year of revised mandate, agreed on strategy to provide audit services in-house, with co-sourcing where expertise required (i.e. IT)
Revised Mandates
- Audit Committee mandate revised May 05 with best-practice responsibilities, including oversight of effectiveness of risk management
- RMAS Charter revised
- Staff complement of 3 achieved April 07
- No departmental strategic plan to date
ERM at Queen's
- Deloitte engaged in 2005 to perform initial risk assessment and advise on framework
- RMAS leader of project, with executive leadership support
- Initial report to the Audit Committee
- Further development of framework put on hold as University Strategic Plan developed
- Recent update of current strategies and action plans
ERM and Internal Audit
- RMAS is the ERM Champion
- Included in RMAS Charter:
  - Develop and maintain the ERM framework
  - Coordinate and report on ERM activities
  - Promote a strong risk management culture, monitor strategies and provide advice
  - Develop the audit plan using risk-based methodology
ERM and Internal Audit
Legitimate IA role per IIA
Challenges
- ERM is still in relative infancy
- Difficult to champion a process while building a department and delivering on a risk-based audit plan
- No internal risk management committee
- Audit Committee concern
Group Discussion
- What are the ERM linkages to Internal Audit in your institution?
- What are the challenges?
ERM Application in Internal Audit
- Audit Planning:
  - Two-year plan (updated no less frequently than annually)
  - Projects mapped to risks identified through ERM
  - Inherent risk assessment
  - Section of plan deals with items highlighted and not covered in plan
Internal Audit Planning Process
ERM Application in Internal Audit
- Audit Engagements: Planning
  - Strategic objectives of U of A and area
  - Potential risks: use the U of A risk appetite statements in the area to guide audit focus
  - Areas noted as risks are documented in Project Terms of Reference
Narrow Example (Audit of Commercialization Governance)
ERM Application in Internal Audit
- Audit Engagements: Reporting
ERM Application in Internal Audit
- Audit Engagements: Reporting (cont.)
Results
- Fewer red lights
- Focused recommendations with a clear linkage to risk and strategy
- Foundation for overall assessments
- Good feedback from administration (increased use of audits in governance meetings and decisions)
- Budget
- NOT PERFECT
Challenges
- Striving to ensure committee members have sufficient information to fulfill their mandate
- Interpretation of risk appetite
  - Financial vs. Strategic, Operations Risks
- Coverage: Conclusion on Internal Control
- Role in Fraud Prevention/Detection
  - Fraud Policy and Protected Disclosure
  - New IIA position
- Role in Institutional Compliance
ERM and Audit Planning
- Previous audit universe was academic, administrative, ancillary and research units, so audits were unit-based
- The top 13 critical risks are very high level (e.g. Human Resources, Reputation, etc.)
- Review audit universe in two ways:
  - Traditional general ledger units
  - Functional/operational processes
ERM and Audit Planning
- Dual annual risk assessment processes for audit plan:
  - Units (level of expenditures, complexity, management concerns, etc.)
  - Functions/Processes:
    - Governance
    - Finance and Administration
    - Programs and Services
    - Students
    - Human Resources
    - IT
    - External Relations
- Mapped to Enterprise risks
Mapping Enterprise Risks
ERM and Audit Planning
- Professional judgement
- No risk appetite or policy to refer to
- Balancing low-hanging fruit and high-level risks in audit plan
- Have not specifically ruled out review of certain risks
- NEEDS FURTHER WORK: an evolving process
ERM and Audit Reports
- Example: Research Grants & Contract Audit
ERM and Audit Reports
- Have avoided rating findings to date
- No standard risk rating
- Will rate findings not implemented during follow-up audit (High, Medium, Low risk)
- Subjective
Challenges
- No risk policy or risk tolerances developed
- No standard risk ratings
  - Subjective
- Not all risks are easily auditable
  - Some key risks under constant management review
- Coverage of issues versus the high-level risks
- Addressing Audit Committee concerns
Group Discussion
- What other challenges do you see in integrating ERM practically with IA requirements?
- Success stories to share?
- Any other comments?