Building Strategic Risk-Based Internal Audit Services: Case Studies

Upload: ethan-thornton

Post on 16-Dec-2015

RISK BASED AUDIT SERVICES

Outline

• Two Universities - Two Approaches
  – Linkages between Internal Audit & Enterprise-Wide Risk Management (ERM)
  – ERM’s application in audit processes

• Participative – encourage everyone to share successful practices

The University of Alberta

In 2007:

– Over 36,500 students

– Over 8100 degrees granted

– Staff: 3493 Academic, 6233 Support (FTE)

– Over $420 million in annual research

– The current capital program is valued at more than $1 billion

New Internal Audit Strategy

• Conducted a Current State Analysis
• Supported by External Audit of Internal Audit (2005)
• Interviewed Senior Administration (34) & Audit Committee members (3 of 5)
  – “What would you like to see from internal audit?”

Board Audit Committee Responsibilities

Leading Practices for Post-Secondary Institutions [1]

– Strategy
– Manage the Relationship with the External Auditor
– Ensure the Quality of Financial Reporting
– Oversee Regulatory Compliance
– Work with the Internal Audit Function
– Monitor Management’s Handling of Internal Controls & Risk Management
– Monitor the Ethics Program / Whistleblowing

[1] The Changing Role of the Audit Committee – Leading Practices for Colleges, Universities and Other Not-for-Profit Education Institutions, PricewaterhouseCoopers 2004

Strategic Business Plan

• Internal Auditing (Core Business)
• Examining Suspected Fraud and Irregularities (Secondary Business)
• Related Activities:
  – Liaison with External Auditors
  – Continuous Auditing
  – Risk Management
  – Institutional Compliance

Strategic Business Plan

• The Strategic Plan outlines:
  – Strategic initiatives
  – Objectives
  – Specific IA strategies
  – Performance measures

• Clear linkage to the U of A’s strategy documents Dare to Discover & Dare to Deliver
  – Report progress annually

Strategic Business Plan – Performance Measures

Stakeholder Satisfaction
• Committee & Senior Mgt
• Auditee Surveys
• # recommendations accepted/implemented

Internal Audit Processes
• Completed vs. planned audits
• Time analysis
• Audit Cycle Time
• Compliance with Standards

Innovation & Capability
• Training Hours
• Certified Staff
• Effective Use of Good Practices

Other:
• Budget and Benchmarks
• Reporting on IA strategic initiatives


Audit Linkage to ERM

Separate Functions at U of A

History of ERM

• 2002/03 PWC hired to develop framework
• Accountability and Risk Management Steering Committee established (IA ex-officio)
• Risk Management Policy / Appetite statements
• ERM reviews in 2005 and 2007
• Adoption of COSO ERM Integrated Framework
• New Associate Vice-President (Risk Management) position created in Dec 2007
• Risk Management, Budgets, Emergency Preparedness, Insurance, Environmental Health & Safety, and Compliance


ERM & Internal Audit

The Institute of Internal Auditors. “The Role of Internal Auditing in Enterprise-wide Risk Management”, September 29, 2004.

Challenges

– ERM is evolving

– Roles & responsibilities
  Where should we be on the continuum?

– Board of Governors oversight requirements

A Snapshot of Queen’s

• 20,566 students
• 2,374 faculty; 2,472 staff
• Fiscal 2006-07 revenue of $733M
• Largest ever capital expansion program with debt requirements
• Fiscally conservative governance

Internal Audit

– Formerly Internal Audit, now Risk Management & Audit Services (“RMAS”)
– First audit completed in 1991
– Averaged two to three staff members until reorganization to RMAS in 2004
– Presently three staff members and a student auditor

Internal Audit Strategy

– New VP from New Zealand with ERM experience
– Department name change to RMAS in 2004
– View to outsourcing internal audit function
– After first year of revised mandate, agreed on strategy to provide audit services in-house with co-sourcing where expertise required (e.g. IT)

Revised Mandates

– Audit Committee mandate revised May ’05 with best practice responsibilities, including oversight of effectiveness of risk management
– RMAS Charter revised
– Staff complement of 3 achieved April ’07
– No departmental strategic plan to date


ERM at Queen’s

– Deloitte engaged in 2005 to perform initial risk assessment and advise on framework

– RMAS leader of project with executive leadership support

– Initial report to the Audit Committee

– Further development of framework put on hold as University Strategic Plan developed

– Recent update of current strategies and action plans

ERM and Internal Audit

RMAS is the ERM “Champion”

Included in RMAS’ Charter:
• Develop and maintain the ERM framework
• Coordinate and report on ERM activities
• Promote a strong risk management culture, monitor strategies and provide advice
• Develop the audit plan using risk-based methodology


ERM and Internal Audit

Legitimate IA role per IIA

Challenges

– ERM is still in relative infancy
– Difficult to champion a process while building a department and delivering on a risk based audit plan
– No internal risk management committee
– Audit Committee concern


Group Discussion

• What are the ERM linkages to Internal Audit in your institution?

• What are the challenges?

ERM Application in Internal Audit

– Audit Planning
  • Two year plan (updated no less frequently than annually)
  • Projects mapped to risks identified through ERM
  • Inherent risk assessment
  • Section of plan deals with items highlighted and not covered in plan

Internal Audit Planning process (plan template)

Major IT Systems

Projects  | Description         | Type               | Priority | Timing         | Level of Effort
Project 1 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours
Project 2 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours
Project 3 | Scope and Objective | Audit - Consulting |          | Quarter / Year | Hours
Project 4 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours

Risk-Based Internal Audit Plan (figure: Internal Audit Universe Risk Framework)

– Institutional Risks (as identified through ARMSC processes), Universe Risks 1–9: Academic Faculty Renewal; Academic Reputation; Enrolment Growth and Complexity; HR Processes; IT Infrastructure; Safety and Security; Research Growth, Complexity and Stewardship; Leadership & Admin Structure; Relationship with Key Supporters; Base Funding

– Audit Universe: Academic & Administrative Units, Centres, Institutes; Core Processes (e.g. Risk Management, Strategic Planning, Financial Reporting)

– Inherent Risk Exposure: Impact (H / M / L) plotted against Probability (H / M / L), with zones Acceptable, Caution and Unacceptable

ERM Application in Internal Audit

– Audit Engagements – Planning
  • Strategic objectives – of U of A and area
  • Potential risks – use the U of A risk appetite statements in the area to guide audit focus
  • Areas noted as risks are documented in Project Terms of Reference

Narrow Example (Audit of Commercialization Governance)

Business Objective 18: Ensure proper oversight of related party transactions and conflict of interest situations.

Key Inherent Risks (risks that could impact achievement of the business objective):
1. Conflict of interest issues may arise due to the activities of TEC Edmonton. Possible causes: the “conflict of interest” policy may not be followed or known.

Risk Ratings for Key Inherent Risks: I – H, L – M, E – M
Auditability: H

Summary of Key Considerations from Preliminary Survey Work: The application of the policy is unclear; however, it is mentioned in both the joint venture agreement and the master secondment agreement.

Audit steps (F.4 and F.5):
– Review how the University “Conflict of Interest” policy flows through to TEC Edmonton.
– Review how conflict of interest issues are monitored and reported.

ERM Application in Internal Audit

– Audit Engagements – Reporting

Table Attribute                         | Description
Criteria                                | Outlines the criteria used in the audit – what should be in place according to good practices.
Current Environment and Potential Risks | Highlights of what was found during the review. This includes the potential risk exposure with the current environment, as assessed based on the work conducted.
Risk rating*                            | The risk-rating framework used is that outlined below and is consistent with the University’s Risk Management policy.
Opportunities for Improvement           | Recommendations to mitigate risks or improve operations where necessary.

ERM Application in Internal Audit

– Audit Engagements – Reporting (cont.)

Rating   | Description
High     | High risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb
Moderate | Moderate risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb
Low      | Low risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb

Results

– Fewer “red lights”
– Focussed recommendations with a clear linkage to risk and strategy
– Foundation for overall assessments
– Good feedback from administration (increased use of audits in governance meetings and decisions)
– Budget

NOT PERFECT

Challenges

– Striving to ensure committee members have sufficient information to fulfill their mandate
– Interpretation of risk appetite
– Financial vs. Strategic, Operations Risks
– Coverage – Conclusion on Internal Control
– Role in Fraud Prevention/Detection:
  – Fraud Policy and Protected Disclosure
  – New IIA position
– Role in Institutional Compliance

ERM and Audit Planning

– Previous audit universe was academic, administrative, ancillary and research units => audits were unit based
– The top 13 critical risks are very high level (e.g. Human Resources, Reputation etc.)
– Review audit universe in two ways:
  – Traditional general ledger units
  – Functional/operational processes

ERM and Audit Planning

– Dual annual risk assessment processes for audit plan
  – Units (level of expenditures; complexity; management concerns etc.)
  – Functions/Processes (mapped to enterprise risks):
    – Governance
    – Finance and Administration
    – Programs and Services
    – Students
    – Human Resources
    – IT
    – External Relations

Mapping Enterprise Risks

Legend (shading in the original table):
– Process maps to > 70% of key risks
– Process maps to > 30% and < 70% of key risks
– Process maps to < 30% of key risks

Enterprise Risks (columns): Government Policy; Academic Quality; Strategic Planning; Infrastructure; Human Resources; Information Technology; Reputation; Change Readiness; Competitor; Financial; Leadership Quality; Student Satisfaction; Health and Safety; Total

Audit Universe Processes (rows) – X marks for individual risks not shown; total per process:

Governance
– Vision and Strategy development/review: 9
– Fiduciary and academic oversight: 6

Finance and Administration
– Planning and resource allocation process: 12
– Expenditure controls / budget management: 2
– Capital plan and projects/expenditures: 9
– Cash management: 4
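A worked version of this mapping, added here as an example and not code from the deck or from either university: it counts how many register risks each audit-universe process maps to, assigns the deck's three coverage bands, ranks the processes for plan prioritisation, and lists register risks that no process reaches (the items a plan has to deal with separately, as noted under Audit Planning above). The 13 risk names are assumed to be the table's column headings, the per-process X placements are constructed sample data chosen to reproduce the deck's row totals, and a process sitting exactly on the 30% or 70% boundary (which the deck's bands do not cover) is assumed to fall in the higher band.

```python
"""Coverage bands for an audit-universe-to-enterprise-risk mapping table.

Added example, not code from the original deck. Assumptions: the 13 risk
names below are the column headings of the mapping table; which risks each
process maps to is constructed sample data whose row totals match the deck
(9, 6, 12, 2, 9, 4); an exact 30% or 70% boundary, which the deck's bands
(> 70%, > 30% and < 70%, < 30%) do not cover, is placed in the higher band.
"""

ENTERPRISE_RISKS = [
    "Government Policy", "Academic Quality", "Strategic Planning",
    "Infrastructure", "Human Resources", "Information Technology",
    "Reputation", "Change Readiness", "Competitor", "Financial",
    "Leadership Quality", "Student Satisfaction", "Health and Safety",
]

# Constructed sample mapping (assumed placements of the deck's X marks).
PROCESS_RISK_MAP = {
    "Governance / Vision and Strategy development/review": [
        "Government Policy", "Academic Quality", "Strategic Planning", "Infrastructure",
        "Human Resources", "Reputation", "Competitor", "Financial", "Leadership Quality"],
    "Governance / Fiduciary and academic oversight": [
        "Government Policy", "Academic Quality", "Strategic Planning",
        "Reputation", "Financial", "Leadership Quality"],
    "Finance and Administration / Planning and resource allocation process": [
        risk for risk in ENTERPRISE_RISKS if risk != "Health and Safety"],
    "Finance and Administration / Expenditure controls / budget management": [
        "Financial", "Infrastructure"],
    "Finance and Administration / Capital plan and projects/expenditures": [
        "Government Policy", "Strategic Planning", "Infrastructure", "Financial",
        "Reputation", "Change Readiness", "Competitor", "Leadership Quality",
        "Student Satisfaction"],
    "Finance and Administration / Cash management": [
        "Government Policy", "Infrastructure", "Change Readiness", "Financial"],
}

HIGH_PCT = 70  # deck: process maps to > 70% of key risks
LOW_PCT = 30   # deck: process maps to < 30% of key risks


def mapped_count(mapped_risks, universe=ENTERPRISE_RISKS):
    """Number of distinct register risks a process maps to.

    A name that is not in the register is rejected rather than silently
    counted: it usually means the map was built against an older register.
    """
    unknown = sorted(set(mapped_risks) - set(universe))
    if unknown:
        raise ValueError(f"not in the enterprise risk register: {unknown}")
    return len(set(mapped_risks))


def coverage_band(mapped, total):
    """Classify mapped/total into the deck's three bands using exact integer
    arithmetic, so nothing is lost to float rounding at the 30%/70% edges."""
    if total <= 0 or mapped < 0 or mapped > total:
        raise ValueError("mapped must be between 0 and total")
    if 100 * mapped >= HIGH_PCT * total:
        return "high"    # > 70% (exactly 70% assumed to count as high)
    if 100 * mapped >= LOW_PCT * total:
        return "medium"  # > 30% and < 70% (exactly 30% assumed medium)
    return "low"         # < 30%


def rank_processes(process_map, universe=ENTERPRISE_RISKS):
    """(process, count, band) rows, most-mapped first, ties by name."""
    rows = []
    for name, risks in process_map.items():
        count = mapped_count(risks, universe)
        rows.append((name, count, coverage_band(count, len(universe))))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def uncovered_risks(process_map, universe=ENTERPRISE_RISKS):
    """Register risks no audit-universe process maps to; the plan has to
    address these separately (the deck's "items highlighted and not covered")."""
    covered = set()
    for risks in process_map.values():
        covered.update(risks)
    return [risk for risk in universe if risk not in covered]


if __name__ == "__main__":
    total = len(ENTERPRISE_RISKS)
    for name, count, band in rank_processes(PROCESS_RISK_MAP):
        print(f"{band:6} {count:2}/{total}  {name}")
    print("not covered by any process:", uncovered_risks(PROCESS_RISK_MAP))
```

With the constructed data, Planning and resource allocation lands in the high band (12 of 13), Vision and Strategy and Capital plan sit just under 70% (9 of 13) in the medium band, Expenditure controls is low (2 of 13), and Health and Safety comes back as the one register risk no process covers; that last list is the input for the "items not covered in plan" section of the plan.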

ERM and Audit Planning

– Professional judgement
– No risk appetite or policy to refer to
– Balancing “low hanging fruit” and high-level risks in audit plan
– Have not specifically ruled out review of certain risks

NEEDS FURTHER WORK… An evolving process

ERM and Audit Reports

Example: Research Grants & Contract Audit

Audit Risk:
– Research activity and expenditures are not in compliance with legislative requirements or terms of the contract or grant, jeopardizing future grants and contracts and impacting the reputation of Queen’s University;
– There are project delays and cost overruns leaving the University exposed to contractual defaults and funding shortfalls; and
– Existing processes result in ineffective management of grants and contracts and/or use of resources and the potential for lost opportunities.

Enterprise Risk:
– Competitor Risk (i.e. actions of competitors affect Queen’s ability to meet enrolment targets, obtain high levels of research funding and hire the best faculty and staff)
– Reputation Risk (i.e. communicating, maintaining and enhancing Queen’s reputation)
– Change Readiness Risk (i.e. being responsive to external and internal funding changes)
– Financial Risk (i.e. not meeting goals and objectives due to insufficient funds, cost overruns or project management issues)

ERM and Audit Reports

– Have avoided rating findings to date
– No standard risk rating
– Will rate findings not implemented during follow-up audit (High, Medium, Low risk)
– Subjective

Challenges

– No risk policy or risk tolerances developed
– No standard risk ratings
– Subjective
– Not all risks are easily auditable
– Some key risks under constant management review
– Coverage of issues versus the high level risks
– Addressing Audit Committee concerns

Group Discussion

• What other challenges do you see in integrating ERM practically with IA requirements?
• Success stories to share?
• Any other comments?