ALARM SOUTH EAST ALARM South East Conference 2005

ALARM SOUTH EAST ALARM South East Conference 2005 Risk Based Auditing: -The 4 th Paradigm Peter O-Mensah (ODPM) Bill Sulman (Heath Lambert)

Stages in Audit Development • Inspection & Compliance Assurance – Consider – Basis – Audit Unit • Financial / Control Based • System Based • Risk Based Audit / Business Objectives

Risk Based Audit • Changing Scope of Internal Audit Service i) The Challenges of Corporate Governance ii) Board expectation of Internal Audit is changing iii) Need to create measurable added value iv) IIA reaction : re-defining the role of Internal Audit

Models of Risk Based Auditing • MACRO LEVEL • MICRO LEVEL

Macro Level • Audit Risk Identification Audit Universe Strategic Audit Plan Operational Audit Plan

Main Drivers –Audit Universe • • Strategic Risk Register Directorate Risk Register HIA Annual Opinion Audit Committee Audit Findings Machinery of Government Change in Management Structure Past history

Micro Level • Business Risk Identification Establish Audit Objective / Scope Identify & record key business objectives Establish congruence of objectives Review risk management process Identify threats to achievement Identify key controls managing the threats

Micro Level Evaluate the controls Identify instances of over control/exposure Device appropriate audit risk test Conclusion-report-management action (Report on Management of key risks)

Benefits of RBA • • Simplicity Transparency Effective reporting to Board Directs audit at the high risks areas Organisation buy-in More challenging and interesting to staff Greater value added

Problem Areas • • • Understanding the concept Threat to independence and objectivity Hard work Complex delivery Re-training

Key Risk Identification Pointers – Questions to ask? • What could go wrong? • How could we fail? • What must go right for us to succeed? • Where are we vulnerable? • How could operations be disrupted? • Are we achieving our objectives?

Key Risk Identification Pointers – Questions to ask? • What decisions require most judgment? • What activities are most complex? • What activities are regulated? • What is our greatest legal exposure?

Risk Identification Exercise Case Study-Local Authority Summary of Mission Statement / Challenges • Putting People First • Promoting a strong / responsible economy • Protecting & promoting our environment • Developing learning communities • Finance, Asset Management/Human Res. Identify three top key strategic risks for each of the five challenges.

Key Challenges for Internal Audit • What we do - audit “all business risks” - report on effectiveness - audit what they say and do • What we audit - control environment - risk management process - management of key risks

Key Changes for Internal Audit • How we do it - Audit Universe driven by risk register - Emphasis on RBA - Short audit report - Opinion: traffic light approach • How we think - Philosophers - Training needs

Key Changes for Internal Audit • How we relate to our colleagues - adult to adult - with humility - management know best not auditors • Who does it? - specialised skills - mixed skills - joint approach

Challenges for the Profession • • Recognising there is a paradigm shift Understand nature of the shift Taking the lead Be proactive Educate the Board Emphasis on assurance Focus on key risks Agree deliverables with Audit Committee

Questions to ask yourself? • • Do I really use RBA? How good is my relation with the AC? Do I really know what they want? Does my organisation understand how IAS adds value?

Reference Material • www. hm-treasury. gov. uk • ceu. enquiries@hm-treasury. gov. uk • HMTreasury Guidance on Risk Based Auditing • HMTreasury Corporate governance in central government: code of good practice