A Change of Focus by Macleod & Overell

EDITED BY JAMES ROTH AND DONALD ESPERSEN    RISK

Internal auditors in Australia get a broader view of risks by linking their risk analysis to an ERM framework.

BY ANDREW MACLEOD AND BOB OVERELL

A Change of Focus

TRADITIONALLY, INTERNAL audit functions have used risk analysis techniques to identify candidate areas for audit coverage. The objective of these techniques is to prioritize areas for review by providing a comparative risk ranking of those functions. Some common risk analysis variables, such as dollar value and changes in key personnel, are now considered part of the enterprise risk management (ERM) framework. As organizations establish their own ERM frameworks, many are expecting their internal audit department to align its risk analysis with their framework to establish a consistent basis for setting priorities and to promote risk management throughout the organization.

Recently, the audit committee of the Brisbane City Council directed its Assurance & Audit Services (A&AS) department to integrate its internal audit planning more directly with the council's own corporate risk management framework to ensure that audits assess risks and controls in line with the framework. In the past, A&AS has used nine risk assessment factors to prioritize areas for internal audit attention, but that analysis functioned independently from the council's framework. Some members of the audit committee argued that there was considerable overlap among key variables in the A&AS risk analysis.

Like many internal audit departments, A&AS lacked a strategy for linking its risk analysis to an ERM framework. One of the problems the department faced was that the corporate risk management framework lacked the detail needed to permit audit planning to occur at the level required to schedule and manage reviews. To address this problem, A&AS decided to go beyond the corporate framework and look at the more detailed divisional and branch risk management plans (risk registers). An alignment exercise was undertaken to identify more direct links between risk categories and aspects contained in the risk registers and, where applicable, the items that were already included in the audit universe recognized by A&AS. Some risk categories found in the registers, such as workplace health and safety, did not lend themselves to internal audits and would need to be reviewed by specialists in those areas.

Another problem the council encountered was the need to prioritize items that are rated at least a high inherent risk. Although such risks warrant audit attention, there are too many to review. The risk registers usually provide assessments of inherent risks and current risks, after taking into account the controls put in place. Managers and staff from each area use a self-assessment process to gauge the adequacy and effectiveness of controls and mitigating strategies in place, but these individuals may lack the detailed knowledge and objectivity necessary to provide an accurate assessment. Based on these self-assessments, existing or proposed mitigation strategies or actions that are judged to reduce the risk of a system or process significantly are considered key controls. Subsequently, an important focus of A&AS' internal audit planning is to consider inherently high-risk areas that have been reduced by users to low current risks through the self-assessment of controls.

A NEW STRATEGY

To comply with the audit committee's directive, A&AS approached risk analysis in a new way that directly links the annual audit plans to the divisional and

97    AUGUST 2005    INTERNAL AUDITOR


branch risk registers, and through them to the corporate risk management framework. This strategy also allows A&AS to focus more on the value of self-assessed, but untested, controls, using a conversion chart developed by corporate risk management that assigns numerical values to inherent and current risk ratings (see "Risk Rating Calculation" above). Auditors calculate a mathematical value of the risk treatments based on the numerical difference between the inherent and current risks, and scale up the differential based on ratings assigned by A&AS under the headings of "executive management interest," "A&AS control perception," and "time since last audit" (see "Risk Differential Scaling Factors" below).

Using A&AS' risk analysis methodology to calculate this differential directs auditors' attention to areas of inherently high risk where key controls may not be as effective as local management believes them to be. This situation may have occurred because independent reviews of these areas have not been scheduled. A&AS will provide separate reports to the audit committee detailing its risk analyses of areas where the divisional or branch risk registers show a high rating for inherent risk, where the current risk remains largely unchanged, and where no action by management or review coverage is planned. Several of the highest risk areas where no action by management or review coverage is planned could be included in the department's annual audit plan, such as where the chief executive officer or a divisional manager has particular concerns and A&AS resources are available. In addition, A&AS continues to include a selection of depot or site reviews each year, even though these areas are not rated a high risk in the A&AS risk analysis.

THE ANNUAL PLAN

In making its annual audit plan, A&AS takes a risk-based approach to selecting units for internal audit review. A&AS' strategy is consistent with Australian Standard 4360 (AS/NZ 4360), Risk Management Within the Internal Audit Process, which was published by Standards Australia in 2002. The Guide to the Use of AS/NZ 4360 states that an audit plan should include:

1. Unacceptable current risks where management action is required. These would be areas with very few key controls or mitigating factors that executive management want reviewed straight away.

2. Control systems on which the organization is most reliant.

3. Areas where the differential is great between inherent risk and current risk, auditable units ranked by risk analysis.

For their plan, the council's internal auditors are interested in areas that pose high current risk and that contain key control systems. Through a strategic audit planning process, A&AS identifies both areas of unacceptable current risk where management action is required and control systems upon which the council is most reliant. These considerations lead auditors to include different kinds of reviews in their annual plan:

• Investigative reviews where organizational management has an unacceptable level of uncertainty about the processes related to a business activity or identified risk area.

• Reviews where A&AS assists organizational management in developing

Risk Differential Scaling Factors

EXECUTIVE MANAGEMENT INTEREST
    High                    40
    Medium High             30
    Medium                  20
    Low                     10

A&AS CONTROL PERCEPTION
    Poor                    30
    Fair                    20
    Good                    10

TIME SINCE LAST AUDIT
    3 or more years         30
    1-3 years               20
    Within the last year    10
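The scoring the article describes (the numerical difference between inherent and current risk, scaled up by the three A&AS factors, then used to rank auditable units) carried through in code. This is an added example, not the council's tool or anything from the article. The factor points are those in the table above; the rating values High = 32, Medium+ = 16 and Medium- = 8 are the ones shown in the article's "Risk Reassessment and Feedback Report," and the first unit in the constructed register reproduces that worked case. The remaining rating values (Extreme, Low) are assumed placeholders, and because the article does not state how the factors are combined with the differential, multiplying the differential by the total factor points is an assumption made here. The example also flags the pattern the article says A&AS planning concentrates on: a high inherent risk that management's self-assessment has rated down to a low current risk.

```python
"""Risk-differential ranking of auditable units.

Added example, not the council's or the article's own tool. Values for
High (32), Medium+ (16) and Medium- (8) come from the article's Risk
Reassessment and Feedback Report; all other rating values and the rule that
combines the scaling factors with the differential are assumptions.
"""
from dataclasses import dataclass

# Rating-to-number conversion chart. The article's chart is not reproduced on
# the page; only High, Medium+ and Medium- are given. The rest are assumed.
RATING_VALUE = {
    "Extreme": 64,   # assumed
    "High": 32,      # from the article
    "Medium+": 16,   # from the article
    "Medium-": 8,    # from the article
    "Low": 4,        # assumed
}

# Points from "Risk Differential Scaling Factors" in the article.
EXEC_INTEREST = {"High": 40, "Medium High": 30, "Medium": 20, "Low": 10}
CONTROL_PERCEPTION = {"Poor": 30, "Fair": 20, "Good": 10}
TIME_SINCE_AUDIT = {"3 or more years": 30, "1-3 years": 20, "Within the last year": 10}


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    inherent: str            # inherent risk rating from the risk register
    current: str             # current risk after controls, as self-assessed by management
    exec_interest: str       # A&AS rating: executive management interest
    control_perception: str  # A&AS rating: control perception
    time_since_audit: str    # A&AS rating: time since last audit


def differential(inherent: str, current: str) -> int:
    """Numerical value of the risk treatments: inherent minus current."""
    return RATING_VALUE[inherent] - RATING_VALUE[current]


def scaling_points(unit: AuditableUnit) -> int:
    """Total points from the three A&AS scaling factors (30 to 100)."""
    return (EXEC_INTEREST[unit.exec_interest]
            + CONTROL_PERCEPTION[unit.control_perception]
            + TIME_SINCE_AUDIT[unit.time_since_audit])


def scaled_differential(unit: AuditableUnit) -> int:
    """Differential scaled up by the factor points.

    Assumption: the article says the differential is scaled up by the three
    ratings but does not give the arithmetic; multiplication is used here.
    """
    return differential(unit.inherent, unit.current) * scaling_points(unit)


def self_assessed_down(unit: AuditableUnit, floor: str = "Medium-") -> bool:
    """True when a high inherent risk has been rated down to a low current
    risk through self-assessment alone: the pattern A&AS planning targets."""
    return (RATING_VALUE[unit.inherent] >= RATING_VALUE["High"]
            and RATING_VALUE[unit.current] <= RATING_VALUE[floor])


def rank_units(units):
    """Candidate review list, highest scaled differential first."""
    return sorted(units, key=scaled_differential, reverse=True)


# Constructed register: the first unit mirrors the article's worked case
# (High inherent, Medium- current as self-assessed); the others are invented.
SAMPLE_REGISTER = [
    AuditableUnit("Payroll", "High", "Medium-", "High", "Poor", "3 or more years"),
    AuditableUnit("Fleet depot", "Medium+", "Low", "Low", "Good", "Within the last year"),
    AuditableUnit("Procurement", "High", "Medium+", "Medium", "Fair", "1-3 years"),
    AuditableUnit("Rates billing", "Extreme", "High", "Medium High", "Fair", "Within the last year"),
]

if __name__ == "__main__":
    for unit in rank_units(SAMPLE_REGISTER):
        flag = " <- self-assessed down" if self_assessed_down(unit) else ""
        print(f"{unit.name:14} diff={differential(unit.inherent, unit.current):3} "
              f"points={scaling_points(unit):3} scaled={scaled_differential(unit):5}{flag}")
```

Run stand-alone, the script lists the register highest scaled differential first and marks the units where management's own rating, not an independent review, is what brought the risk down. In the article's worked case the differential is 24 on management's self-assessment and 16 after the A&AS reassessment to Medium+, which is why the ranking is driven by the self-assessed figure until a review has tested the controls.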



RISK WATCH

the control systems to mitigate unacceptable current risks. These reviews would target the highest risk areas where no action by management or review coverage is planned.

• Control assurance reviews where A&AS assesses the adequacy and efficiency of the control systems in place over a function of interest to management or of a function where the control systems are complex or expensive. These are the most common type of reviews A&AS performs.

• Depot reviews where inherent and current risks would not be very high.

The A&AS annual audit plan identifies those areas proposed for internal audit review activity together with a priority order and reasoning for their identification. To help determine high-risk areas for review, A&AS modified its risk analysis support program to track all auditable units after the mapping exercise. A&AS provides senior management and the audit committee with a list of candidate reviews that meet the emphasis mix required by the organization. To enable the organization's top management to make the necessary choices, the auditors indicate the resource requirements for completing each review, such as employing subject area specialists. Management chooses the audits to be conducted based on these resource constraints and the risk profiles of the areas under review.

Risk Reassessment and Feedback Report

Comparison of Current Risk Assessment Against A&AS Reassessment

                                Corporate Risk Profile          Assurance & Audit Services
                                (or Divisional Risk             Reassessment
                                Management Plan)

Inherent Risk                   High      32                    High      32
Risk Treatments and Controls    Managed to Varying Levels.      Structures in Place — But Not Fully Effective
Current Risk                    Medium-    8                    Medium+   16

FEEDBACK ON RISK RATINGS

A&AS comments on the overall risk management of the area under review in the conclusion of its reports to the audit committee and management. These reports also show the pre-audit inherent and current risks of an area — with the implied value of the controls in place — together with the auditors' reassessment of the risk ratings after discussion and agreement with management. Auditors feed this reassessment, which could confirm the current rankings, into the area's risk management framework and into the corporate risk management framework. The council's Corporate Risk Management Branch and Corporate Risk Management Committee receive information on any reassessment. A consistent reporting format for the A&AS reassessment facilitates reporting by auditors and feedback to staff responsible for risk management (see "Risk Reassessment and Feedback Report" above).

Later, as more reviews are conducted, assessments of the divisional risk registers will provide management with comfort that activities deemed to be of an acceptable current risk have, in fact, been assessed independently. Also, in the corporate risk management framework, auditors can add a comment in the "Assurance" segment noting that A&AS has reviewed the risk treatments and including brief details of findings and dates.

INCREASING THE RELIABILITY OF ASSESSMENTS

The methodology A&AS has adopted links internal auditors' risk analysis more closely with the council's corporate risk management framework. Moreover, reassessing the audit universe from another perspective has allowed auditors to identify areas that their old method would have missed. In addition, by reassessing the ratings in the divisional risk registers through a combination of independent and self-assessments, auditors can provide management with comfort that assessments of key risk areas are reliable.

As A&AS has discovered, internal auditors can promote risk management throughout their organization by aligning their risk analysis with the ERM framework of their organization. This alignment can challenge and enhance risk rankings and treatments, as well as improve the identification and evaluation of controls. Moreover, tying internal audit risk analysis to such frameworks can clarify the ownership of risks, reduce the number of disputes at the conclusion of audits, and align reports more with the organization's objectives.

ANDREW MACLEOD, CIA, FCPA, CISA, is manager, Assurance and Audit Services at the Brisbane City Council in Australia.

BOB OVERELL, CIA, MIIA, is financial assurance and audit manager at the Brisbane City Council.

To comment on this article, e-mail the authors at [email protected].

To share emerging risk issues and best practices from your own audit experiences, or to request coverage of a particular risk, e-mail [email protected].
