EDITED

B YJ A M E S

ROTH AND DONALD

ESPERSEN

RISK

A Change of Focus
R.A.DtTIONALLY, INTERNAL audit functions have used risk analysis techniques to identify candidate areas for audit coverage. The objective of these techniques is to prioritize areas for review by providing a comparative risk ranking of those functions. Some common risk analysis variables, sucb as dollar value and changes in key personnel, are now considered part of tbe enterprise risk management (ERM) framework. As organizations establish tbeir own ERM frameworks, many are expecting tbeir internal audit department to align its risk analysis witb their framework to establisb a consistent basis for setting priorities and to promote risk management througbout the organization. Recently, the audit committee of tbe Brisbane City Council directed its Assurance & Audit Services (A&AS) department to integrate its internal audit planning more directly witb the council's own corporate risk management framework to ensure tbat audits assessrisksand controls In line with tbe framework. In tbe past, A&AS has used nine risk assessment factors to prioritize areas for internal audit attention, but that analysis functioned independently from tbe council's framework. Some members of tbe audit committee argued tbat there was considerable overlap among key variables in tbe ASCAS risk analysis. Like many internal audit departments, A&AS lacked a strategy for linking its risk analysis to an ERM framework. One of tbe problems tbe department faced was tbat tbe corporate risk management framework lacked tbe detail needed to permit audit planning to occur at tbe level required to schedule and manage reviews. To address this problem, A&AS decided to go beyond tbe corporate framework and look at tbe more detailed divisional and branch risk management plans (risk registers). An alignment exercise was undertaken to identify more direct links between risk categories and aspects contained in the risk registers and, wbere applicable, tbe items tbat were already included in tbe audit universe recognized by ASCAS. Some risk categories found in the registers, sucb as workplace bealtb and safety, did not lend themselves to internal audits and would need to be reviewed by specialists in tbose areasAnotber problem tbe council encountered was the need to prioritize items that are rated at least a high inherent risk. Although sucb risks warrant audit attention, tbere are too many to review. Tbe risk registers usually provide assessments of inherent risks and current risks, after taking into account tbe controls put in place. Managers and staff from each area use a self-assessment process to gauge tbe adequacy and effectiveness of controls and mitigating strategies in place, but tbese individuals may lack tbe detailed knowledge and objectivity necessary to provide an accurate assessment. Based on tbese self-assessments, existing or proposed mitigation strategies or actions tbat are judged to reduce the risk of a system or process significantly are considered key controls. Subsequently, an important focus of A8CAS' internal audit planning is to consider inberently bigb-risk areas that bave been reduced by users to low current risks through the self-assessment of controls.
A NEW STRATEGY

Internal auditors in Australia get a broader view of risks by Uniting their risk analysis to an ERM framework.
BY ANDREW MACLEOD AND BOB OVERELL

To comply witb tbe audit committee's directive, A&AS approacbed risk analysis in a new way that directly links the annual audit plans to tbe divisional and 97
AUGUST 200^ INTERNAL AUDITOR

which was published by Stan. ASCAS' planning process.management action is required and conagement Within the Internal Audit trol systems upon which the council is Process. and where no action by management or review coverage is planned. even though these areas are not rated a high risk in the A&AS risk analysis. auditable units ranked by risk analysis. using a conversion chart developed by corporate risk management that assigns numerical values to inherent and current risk ratings (see "Risk Rating Calculation" above). In addition. the council's internal THE ANNUAL PLAN auditors are interested in areas that pose In making its annual audit plan." and "time since last audit" (see "Risk Differential Scaling Factors" below). A&AS will provide separate reports to the audit committee detailing its risk analyses of areas where the divisional or branch risk registers show a high rating for inherent risk. Auditors calculate a mathematical value of the risk treatments based on the numerical difference between the inherent and current risks. Through a strategic audit units for internal audit review. plan should include: • Investigative reviews where organiza1. A&AS identifies both strategy is consistent with Australian areas of unacceptable current risk where Standard 4360 (AS/NZ 4360). executive management want reviewed • Reviews where A&AS assists organistraight away. Risk Man. The Guide to the auditors to include different kinds of Use of AS/NZ ^j6o states that an audit reviews in their annual plan." A&AS control perception. Risk Differential Scaling Factors EXECUTIVE MANAGEMENT INTEREST 40 30 20 10 High Medium High Medium Low Poor Fair Good A&AS CONTROL PERCEPTION 30 20 10 TIME SINCE LAST AUDIT 30 20 10 3 or more years 1-3 years Within the last year 99 AUGUST 2005 INTERNAL AUDITOR . This strategy also allows A&AS to focus more on the value of selfassessed. and through them to the corporate risk management framework. Several of the highest risk areas where no action by management or review coverage is planned could be included in the department's annual audit plan. This situation may have occurred because independent reviews of these areas have not been scheduled. A&AS high current risk and that contain key contakes a risk-based approach to selecting trol systems. but untested. and scale up the differential based on ratings assigned by A&AS under the headings of "executive management interest.most reliant. controls. able level of uncertainty about the These would be areas with very little processes related to a business activity key controls or mitigating factors that or identified risk area. 3. Control systems on which the organization is most reliant. Unacceptable current risks where tional management has an unacceptmanagement action is required. where the current risk remains largely unchanged.branch risk registers. Using ASCAS' risk analysis methodology to calculate this differential directs auditors' attention to areas of inherently high risk where key controls may not be as effective as local management believes them to be. A&AS continues to include a selection of depot or site reviews each year. These considerations lead dards Australia in 2002. Areas where the differential is great between inherent risk and current risk. such as where the chief executive officer or a divisional 2. For their plan. zational management in developing manager have particular concerns and A8CAS resources are available.

This alignment can challenge and enhance risk rankings and treatments. is financial assurconclusion of its reports to the audit com. the auditors indicate the sible for risk management {see "Risk Re. reduce resource requirements tbr completing each assessment and Feedback Report" above). The council's Corporate Risk Management Branch and Corporate Risk Management Committee receive information on any reassessment.org. The A&cAS annual audit plan identifies those areas proposed for internal audit review activity together with a priority order and reasoning for their identification. CIA.RISK WATCH the control systems to mitigate unacceptable current risks. of audits. e-mail ment. Moreover. To enable the organi. as more reviews are conducted. A consistent reporting format for the . City Council. ASCAS provides senior management and the audit committee with a list of candidate reviews that meet the emphasis mix required by Risk Treatments and Controls Managed to Varying Levels. These reviews would target the highest risk areas where no action by management or review coverage is planned. framework of their organization. These reports findings and dates. reassessing jamesroth@auditt rends. which could confirm the current ment framework. been assessed ANDREW MACLEOD. as well as improve the identification and evaluathe organization.by auditors and feedback to staff respon. Structures in Place — But Not Fully Effective Current Risk Medium8 Medium + 16 tive has allowed auditors to identify areas that their old method would have missed. to be conducted based on these resource will provide management with comfort constraints and the risk profiles ofthe areas that activities deemed to be of an acceptunder review. A&AS modified its risk analysis support program to track all auditahle units after the mapping exercise. A&AS comments on the overall risk man. Assurance and Audit Services at the FEEDBACK ON RISK RATINGS management framework.nal audit risk analysis to such frameworks essary choices. auditors can provide management with comfort that assessments of key risk areas are reliable. FCPA.com. These are the most common type of reviews A6CAS performs. the number of disputes at the conclusion review.A&AS reassessment facilitates reporting tion of controls. Moreover. in the corporate risk ager. rankings. Auditors feed this reassess.can clarify the ownership of risks. by reassessing the ratings in the divisional risk registers through a combination of independent and self assessments. with the auditors' reassessment ofthe risk The methodology A&AS has adopted links ratings after discussion and agreement with internal auditors' risk analysis more closely To share emerging risk issues and best practices from your own audit experiences. Management chooses the audits assessments ofthe divisional risk registers the organization's objectives. and align reports more with cialists. In addition. such as employing subject area speLater. iUso show the pre-audit inherent and current risks of an area — with the implied INCREASING THE RELIABILITY 7b comment on this article. Also.with the council's corporate risk managecoverage of a particular risk. internal auditors can promote risk management auditors' risk analysis more closely with the council's throughout their organization by aligning their risk analysis with the ERM corporate risk management framework. CISA. MIIA. The methodology A&AS has adopted links internal As A&AS has discovered. is manindependently. Risk Reassessment and Feedback Report Comparison of Current Risk Assessment Against A&AS Reassessment Corporate Risk Profile (or Divisional Risk Management Plan) Assurance & Audit Services Reassessment Inherent Risk High 32 High 32 • Depot reviews where inherent and current risks would not be very high. e-mail the value of the controls in place — together OF ASSESSMENTS authors at amacleod@theiia. tying interzation's top management to make the nec.treatments and including brief details of ance and audit manager at the Brisbane mittee and management. To help determine high-risk areas for review. • Control assurance reviews where A&AS assesses the adequacy and efficiency ofthe control systems in place over a function of interest to management or of a function where the control systems are complex or expensive. able current risk have.a comment in the "Assurance" segment agement ofthe area under review in the noting that A&AS has reviewed the risk BOB OVERELL. auditors can add Brisbane City Council in Australia. or to request management. in fact. into the area's risk management the audit universe from another perspec101 AUGUST 2003 INTERNAL AUDITOR framework and into the corporate risk management framework. CIA.

Sign up to vote on this title
UsefulNot useful