1. Building Strategic Risk-Based Internal Audit Services Case Studies

2. RISK BASED AUDIT SERVICES Outline Two Universities - Two Approaches –Linkages between Internal Audit & Enterprise- Wide Risk Management (ERM) –ERM’s application in audit processes Participative – encourage everyone to share successful practices

3. RISK BASED AUDIT SERVICES The University of Alberta In 2007: – Over 36,500 students – Over 8100 degrees granted – Staff: 3493 Academic, 6233 Support (FTE) – Over $420 million in annual research – The current capital program is valued at more than $1 billion

4. RISK BASED AUDIT SERVICES New Internal Audit Strategy Conducted a Current State Analysis Supported by External Audit of Internal Audit (2005) Interviewed Senior Administration (34) & Audit Committee members (3 of 5) –“What would you like to see from internal audit?”

5. RISK BASED AUDIT SERVICES Board Audit Committee Responsibilities Leading Practices for Post-Secondary Institutions 1 Strategy Manage the Relationship with the External Auditor Ensure the Quality of Financial Reporting Oversee Regulatory Compliance Work with the Internal Audit Function Monitor Management’s Handling of Internal Controls & Risk Management Monitor the Ethics ProgramWhistleblowing 1 The Changing Role of the Audit Committee – Leading Practices for Colleges, Universities and Other Not-for-Profit Education Institutions, PricewaterhouseCoopers 2004

6. RISK BASED AUDIT SERVICES Strategic Business Plan Internal Auditing (Core Business) Examining Suspected Fraud and Irregularities (Secondary Business) Related Activities: –Liaison with External Auditors –Continuous Auditing –Risk Management –Institutional Compliance

7. RISK BASED AUDIT SERVICES Strategic Business Plan The Strategic Plan outlines: – Strategic initiatives – Objectives – Specific IA strategies – Performance measures Clear linkage to the U of A’s strategy documents Dare to Discover & Dare to Deliver –Report progress annually

8. RISK BASED AUDIT SERVICES Strategic Business Plan Stakeholder Satisfaction Committee & Senior Mgt Auditee Surveys # recommendations accepted/implemented Internal Audit Processes Completed vs. planned audits Time analysis Audit Cycle Time Compliance with Standards Innovation & Capability Training Hours Certified Staff Effective Use of Good Practices. Other: Budget and Benchmarks Reporting on IA strategic initiatives

9. RISK BASED AUDIT SERVICES Audit Linkage to ERM Separate Functions at U of A

10. RISK BASED AUDIT SERVICES History of ERM 2002/03 PWC hired to develop framework Accountability and Risk Management Steering Committee established (IA ex-officio) Risk Management Policy /Appetite statements ERM reviews in 2005 and 2007 Adoption of COSO ERM Integrated Framework New Associate Vice-President (Risk Management) position created in Dec 2007 Risk Management, Budgets, Emergency Preparedness, Insurance. Environmental Health & Safety, and Compliance

11. RISK BASED AUDIT SERVICES ERM & Internal Audit – The Institute of Internal Auditors. “The Role of Internal Auditing in Enterprise- wide Risk Management”, September 29, 2004.

12. RISK BASED AUDIT SERVICES Challenges –ERM is evolving –Roles & responsibilities Where should we be on the continuum? – Board of Governors oversight requirements

13. RISK BASED AUDIT SERVICES A Snapshot of Queen’s 20,566 students 2,374 faculty; 2,472 staff Fiscal 2006-07 revenue of $733M Largest ever capital expansion program with debt requirements Fiscally conservative governance

14. RISK BASED AUDIT SERVICES Internal Audit –Formerly Internal Audit, now Risk Management & Audit Services (“RMAS”) –First audit completed in 1991 –Averaged two to three staff members until reorganization to RMAS in 2004 –Presently three staff members and a student auditor

15. RISK BASED AUDIT SERVICES Internal Audit Strategy –New VP from New Zealand with ERM experience –Department name change to RMAS in 2004 –View to outsourcing internal audit function –After first year of revised mandate, agreed on strategy to provide audit services in-house with co- sourcing where expertise required (i.e. IT)

16. RISK BASED AUDIT SERVICES Revised Mandates –Audit Committee mandate revised May ’05 with best practice responsibilities, including oversight of effectiveness of risk management –RMAS Charter revised –Staff complement of 3 achieved April ’07 –No departmental strategic plan to date

17. RISK BASED AUDIT SERVICES ERM at Queen’s –Deloitte engaged in 2005 to perform initial risk assessment and advise on framework –RMAS leader of project with executive leadership support –Initial report to the Audit Committee –Further development of framework put on hold as University Strategic Plan developed –Recent update of current strategies and action plans

18. RISK BASED AUDIT SERVICES ERM and Internal Audit RMAS is the ERM “Champion” Included in RMAS’ Charter : Develop and maintain the ERM framework Coordinate and report on ERM activities Promote a strong risk management culture, monitor strategies and provide advice Develop the audit plan using risk-based methodology

19. RISK BASED AUDIT SERVICES ERM and Internal Audit Legitimate IA role per IIA

20. RISK BASED AUDIT SERVICES Challenges –ERM is still in relative infancy –Difficult to champion a process while building a department and delivering on a risk based audit plan –No internal risk management committee –Audit Committee concern

21. RISK BASED AUDIT SERVICES Group Discussion What are the ERM linkages to Internal Audit in your institution? What are the challenges?

22. RISK BASED AUDIT SERVICES ERM Application in Internal Audit –Audit Planning Two year plan (updated no less frequently that annually) Projects Mapped to risks identified through ERM. Inherent Risk assessment Section of plan deals with items highlighted and not covered in plan

23. RISK BASED AUDIT SERVICES Internal Audit Planning process Major IT Systems Projects Description Type Priority Timing Level of Effort Project 1 Project 2 Project 3 Project 4 Scope and Objective Audit - Assurance Audit - Consulting Audit - Assurance Quarter / Year Hours Scope and Objective Risk-Based Internal Audit Plan Universe Risks 124356879 Internal Audit Universe Risk Framework Unacceptable Institutional Risks (as identified through ARMSC processes) Academic Faculty Renewal Academic Reputation Enrolment Growth and Complexity HR Processes IT Infrastructure Safety and Security Research Growth, Complexity and Stewardship Leadership & Admin Structure Relationship with Key Supporters Base Funding Academic & Administrative Units, Centres Institutes Core Processes (e.g. Risk Management, Strategic Planning, Financial Reporting) Audit Universe Impa ct Inherent Risk Exposure Probability Acceptable Caution H M L HML Unacceptable

24. RISK BASED AUDIT SERVICES ERM Application in Internal Audit –Audit Engagements - Planning Strategic objectives – of U of A and area Potential risks – use the U of A risk appetite statements in the area to guide audit focus. Areas noted as risks are documented in Project terms of Reference

25. RISK BASED AUDIT SERVICES Narrow Example (Audit of Commercialization Governance) Business Objective 18: Ensure proper oversight of related party transactions and conflict of interest situations 1. Key Inherent Risks (Risks that could impact achievement of the business objective) Risk Ratings for Key In­herent Risks AuditabilitySummary of Key Considera­tions From Preliminary Survey Work Audit steps F.4 and F.5 ILE 1.Conflict of interest issues may arise due to the activities of TEC Edmonton. Possible causes:  The “conflict of interest” policy may not be followed or known. HM M H  Review how the University “Conflict of Interest” policy flows through to TEC Edmonton.  Review how conflict of interest issues are monitored and reported.  The application of the policy is unclear, however it is mentioned in both the joint venture agreement and the master secondment agreement.

26. RISK BASED AUDIT SERVICES ERM Application in Internal Audit –Audit Engagements – Reporting Table AttributesDescription Criteria Outlines the criteria used in the audit – what should be in place according to good practices. Current Environment and Potential Risks Highlights of what was found during the review. This includes the potential risk exposure with the current environment, as assessed based on the work conducted. Risk rating* The risk-rating framework used is that outlined below and is consistent with the University’s Risk Management policy. Opportunities for Improvement Recommendations to mitigate risks or improve operations where necessary.

27. RISK BASED AUDIT SERVICES ERM Application in Internal Audit –Audit Engagements – Reporting (cont.) RatingDescription High risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb Moderate risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb Low risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb

28. RISK BASED AUDIT SERVICES Results –Fewer – “red lights” –Focussed recommendations with a clear linkage to risk and strategy –Foundation for overall assessments –Good feedback from administration (increased use of audits in governance meetings and decisions) –Budget NOT PERFECT

29. RISK BASED AUDIT SERVICES Challenges –Striving to ensure committee members have sufficient information to fulfill their mandate –Interpretation of risk appetite –Financial vs. Strategic, Operations Risks –Coverage – Conclusion on Internal Control –Role in Fraud Prevention/Detection: – Fraud Policy and Protected Disclosure – New IIA position – Role in Institutional Compliance

30. RISK BASED AUDIT SERVICES ERM and Audit Planning –Previous audit universe was academic, administrative, ancillary and research units => audits were unit based –The top 13 critical risks are very high level (e.g. Human Resources, Reputation etc.) –Review audit universe in two ways: –Traditional general ledger units –Functional/operational processes

31. RISK BASED AUDIT SERVICES ERM and Audit Planning –Dual annual risk assessment processes for audit plan –Units (level of expenditures; complexity; management concerns etc.) –Functions/Processes –Governance –Finance and Administration –Programs and Services –Students –Human Resources –IT –External Relations Mapped to Enterprise risks ｝

32. RISK BASED AUDIT SERVICES Mapping Enterprise Risks

33. RISK BASED AUDIT SERVICES ERM and Audit Planning –Professional judgement –No risk appetite or policy to refer to –Balancing “low hanging fruit” and high-level risks in audit plan –Have not specifically ruled out review of certain risks NEEDS FURTHER WORK…An evolving process

34. RISK BASED AUDIT SERVICES ERM and Audit Reports Example: Research Grants & Contract Audit

35. RISK BASED AUDIT SERVICES ERM and Audit Reports –Have avoided rating findings to date –No standard risk rating –Will rate findings not implemented during follow-up audit (High, Medium, Low risk) –Subjective

36. RISK BASED AUDIT SERVICES Challenges –No risk policy or risk tolerances developed –No standard risk ratings –Subjective –Not all risks are easily auditable –Some keys risks under constant management review –Coverage of issues versus the high level risks –Addressing Audit Committee concerns

37. RISK BASED AUDIT SERVICES Group Discussion What other challenges do you see in integrating ERM practically with IA requirements? Success stories to share? Any other comments?