Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing & Risk Management A Happy Couple or a Shotgun Marriage? Presented by Bruce Turner CGAP, FIIA (Aust), CISA, CFE, FFin, FPNA, MAICD, AFAIM Chief.

Similar presentations


Presentation on theme: "Auditing & Risk Management A Happy Couple or a Shotgun Marriage? Presented by Bruce Turner CGAP, FIIA (Aust), CISA, CFE, FFin, FPNA, MAICD, AFAIM Chief."— Presentation transcript:

1 Auditing & Risk Management A Happy Couple or a Shotgun Marriage? Presented by Bruce Turner CGAP, FIIA (Aust), CISA, CFE, FFin, FPNA, MAICD, AFAIM Chief Internal Auditor Australian Taxation Office 15 October 2010

2 Auditing & Risk Management Overview We’ll explore the pre-nuptials … how strong is the connection between internal audit and risk management … does it provide the foundation for a happy couple?

3 Auditing & Risk Management 3 Overview Internal Audit Governance Roles Integrating Internal Audit with Enterprise Risk Management

4 Auditing & Risk Management 4 Internal audit Fundamentals of professional auditing practices  Definition  Key elements  Professional standards

5 Auditing & Risk Management 5 Definition of internal auditing “Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

6 Auditing & Risk Management 6 Key elements Governance Risk management Control

7 Auditing & Risk Management 7 Auditing standards 1000 – Purpose, Authority, and Responsibility 1100 – Independence and Objectivity 1200 – Proficiency and Due Professional Care 1300 – Quality Assurance and Improvement Program 2000 – Managing the Internal Audit Activity 2100 – Nature of Work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Resolution of Management’s Acceptance of Risks

8 Auditing & Risk Management 8 Auditing standards - planning (2010) “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.”

9 Auditing & Risk Management 9 Auditing standards – risk management (2120) “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”

10 Auditing & Risk Management 10 “Risk management remains at the heart of internal audit. It defines the focus as well as the effort of the internal audit staff. Getting it right through a comprehensive risk assessment will drive better results, achieve greater efficiencies, and cover the important things that either add or preserve value in an organisation.” * Financial Executive November Better Internal Audit Leads to Better Controls - by Robert B Hirth Jr – from Protiviti NewsAlert January 2009

11 Auditing & Risk Management 11 Risk elements in audit process Planning –Forward work program –Each audit engagement Fieldwork –Scope and work program Reporting –Each audit reported –Basis of prioritising recommendations –Consolidated high-level reporting Follow-up of recommendations

12 Auditing & Risk Management 12 Example - audit planning development process

13 Auditing & Risk Management 13 Example – ATO audit themes Core tax administrative activities Change Program Financial stewardship Strategic reviews Assurance activities

14 Auditing & Risk Management 14 Example – ATO audit themes cont’d Managing contracts Managing overheads Fraud control Non-financial management information Security and privacy

15 Auditing & Risk Management 15 Looks like a marriage …

16 Auditing & Risk Management 16 Governance The inter-relationships between the risk management players  Management  Risk management advisor  Auditors The effect of changing risk profiles

17 Auditing & Risk Management Internal auditors - Use risk based planning - Evaluate controls Risk management advisor - Develops the framework - Produces risk reporting Management - Owns the risks - Manages the risks

18 Auditing & Risk Management 18 Business Objectives Governance Risk Management Internal Controls Charts & oversights the business Heightens likelihood of achieving objectives

19 Auditing & Risk Management 19 The changing risk profile

20 Auditing & Risk Management 20 Change is inevitable Risk management activity must be dynamic Vital to embed risk management in organisational processes Both risk management framework and processes The organisation and its environment will change Auditors to be agile and flexible to accommodate changes

21 Auditing & Risk Management 21 Thinking about risks YesterdayTomorrow Managing known risksExploring emerging risks Avoiding unknown risksCapitalise emerging opportunities Register of known risksRadar of emerging risks Established risk toolsOptimised approaches to risk Individual risk responsesCollaborative risk mitigation * Based on thought leadership in a PwC Publication – Extending Enterprise Risk Management to address emerging risks (2009)

22 Auditing & Risk Management 22 Examples - emerging risk areas Increased competitive pressures Continued recessionary pressures Cost reduction pressures Talent risks Commodity prices

23 Auditing & Risk Management 23 Strategic change management Third party solvency Political trends Compliance Lack of investment in product innovation * Sourced from Audit Director Roundtable Publication – Top Ten Emerging Risks – Likelihood, Impact and Velocity (October 2009) Examples - emerging risk areas (cont’d)

24 Auditing & Risk Management 24 Examples - local government risk areas Developer contributions Water supply Culture centre development Asset maintenance Integrated planning Climate change Attract / retain staff Long-term finances Information management Fraud and corruption

25 Auditing & Risk Management 25 Examples - state government risk areas Shared services provision Information technology Security State plan delivery Specific reforms Attract / retain staff OH&S Major projects Reactive work Fiduciary controls

26 Auditing & Risk Management Major Tax Integrity Threats Law Interpretation Policy Advice & Design Tax Product Compliance Tax Revenue Transfers Compliance Product & Payment Processing Marketing & Communications Government Engagement International Engagement Supplier EngagementReputation Management Client Engagement Client Experience Business Continuity Facilities Legal Support Regulatory Compliance Finance Knowledge Innovation & Change Technology Security & Privacy Governance People External Environment Examples - enterprise risk categories.

27 Auditing & Risk Management 27 Internal auditing policy agenda Internal audit is fundamental to good governance Public entities need strong effective audit committees Appropriate reporting lines for head of internal audit Clear accountability for risk management and control Internal audit operates at consistently high standard

28 Auditing & Risk Management 28 Ticks along like a marriage …

29 Auditing & Risk Management Integrating internal audit and enterprise risk management Optimising the benefits of the risk management investment  A long engagement  Audit themes  Case studies

30 Auditing & Risk Management 30 A long engagement - case study - loan portfolio audit

31 Auditing & Risk Management 31 Routine auditing Broad coverage of personal loans Average loan $30,000 Thorough audit completed Appropriate sampling techniques well-constructed working papers well-written report

32 Auditing & Risk Management 32 Different loan product offering Foreign exchange loans introduced that year Average loan $750,000 Not part of ‘routine’ audit program No audit coverage of new product lines

33 Auditing & Risk Management 33 Adding value Narrow focus on ‘routine’ loan portfolio Changing risk profile not assessed Audit value diminished The audit and risk marriage is already over 25 years strong

34 Auditing & Risk Management 34 Case study – on time running

35 Auditing & Risk Management 35 Public information Objectives of entity articulated –Clean –Safe –Reliable Key measure of reliability – on time running KPI result updated daily on website

36 Auditing & Risk Management 36 End-to-end controls Well articulated policy and KPI commitment Counting rules clear and transparent High-level sign-offs for release to website and Minister Assertions on the collation of data and calculation of results Strong website security

37 Auditing & Risk Management 37 Data origination Grassroots collection of data Near enough is good enough approach Integrity of data severely tarnished Reputational damage Strong Auditor-General criticism

38 Auditing & Risk Management 38 Case study – security risks

39 Auditing & Risk Management 39 Emerging security risks (2008) More electronic records breached than 4 prior years Corporations fell victim to the largest cyber-crimes ever Motivated hackers know where and what to target 90% of records breaches involved organised crime Could avoid 9 out of 10 breaches with security basics Mistakes and oversights hindered security efforts * Australian Institute of Management, Management Today, July 2009, pp. 7-8, 37

40 Auditing & Risk Management 40 “In recent times, a number of events have occurred overseas resulting in the loss or disclosure of sensitive information. One particularly high public profile incident resulted in the resignation of the Chief Executive of Her Majesty’s Revenue and Customs (HMRC) in the UK.” * ATO, Information Security Practices Review, PricewaterhouseCoopers, April 2008, p. 2

41 Auditing & Risk Management 41 Example – ATO reporting on audit themes Consolidated high-level audit report on security Logical access provisions Managing client records Site visits – remote locations (physical security) Satellite audit – security classifications

42 Auditing & Risk Management 42 Risk management elements Sound governance structures A clear corporate stance Effective education and awareness programs A well-defined security classification framework Effective security monitoring incident response mechanisms Robust plans for IT incidents. * ATO, Information Security Practices Review, PricewaterhouseCoopers, April 2008, covering letter, p. 2

43 Auditing & Risk Management 43 Influences service standards Community perceptions strong –80% think the ATO is doing a good job* Business perceptions strong –89% think the ATO is doing a good job* Professional survey positive –79% are ‘satisfied’ or ‘very satisfied’ with the professionalism of ATO employees*

44 Auditing & Risk Management 44 Comes together like a marriage …

45 Auditing & Risk Management 45 Conclusion The pre-nuptials are sound: Internal audit and risk management have a strong inseparable connection Risk management provides the foundation for effective auditing In turn internal audit: Supports the risk management process Validates the effectiveness of internal controls that mitigate the risks

46 Auditing & Risk Management My vote … a happy couple!

47 Auditing & Risk Management 47 Questions? © COMMONWEALTH OF AUSTRALIA 2010 This presentation was current in July 2010

48 Auditing & Risk Management About the ATO Australian Government’s main revenue collection agency Administers main aspects of Australia’s super system Celebrates its centenary in 2010 Net revenue collection of billion* Operating budget of $3.1 billion** Average staffing level 21,720** 75 locations across all states and territories** 25 business and service lines* * end June 2008 ** end June 2009

49 Auditing & Risk Management Audit staff Around 40 full-time equivalent staff We employ specialist external staff for technical audits Four teams across 3 sites in ACT, NSW and Victoria Audit capability meets global benchmarks –Qualifications, certifications, experience Multi-disciplinary team Completes 60 to 70 audits per year

50 Auditing & Risk Management Our commitment to you We are committed to providing you with guidance you can rely on, so we make every effort to ensure that our presentations are correct.


Download ppt "Auditing & Risk Management A Happy Couple or a Shotgun Marriage? Presented by Bruce Turner CGAP, FIIA (Aust), CISA, CFE, FFin, FPNA, MAICD, AFAIM Chief."

Similar presentations


Ads by Google