Building Strategic RiskBased Internal Audit Services Case Studies

1
Building StrategicRisk-Based Internal Audit
ServicesCase Studies
2
Outline

• Two Universities - Two Approaches
• Linkages between Internal Audit Enterprise-Wide
  Risk Management (ERM)
• ERMs application in audit processes
• Participative encourage everyone to share
  successful practices

3
The University of Alberta

• In 2007
• Over 36,500 students
• Over 8100 degrees granted
• Staff 3493 Academic, 6233 Support (FTE)
• Over 420 million in annual research
• The current capital program is valued at more
  than 1 billion

4
New Internal Audit Strategy

• Conducted a Current State Analysis
• Supported by External Audit of Internal Audit
  (2005)
• Interviewed Senior Administration (34) Audit
  Committee members (3 of 5)
• What would you like to see from internal audit?

5
Board Audit Committee Responsibilities
1 The Changing Role of the Audit Committee
Leading Practices for Colleges, Universities and
Other Not-for-Profit Education Institutions,
PricewaterhouseCoopers 2004
6
Strategic Business Plan

• Internal Auditing (Core Business)
• Examining Suspected Fraud and Irregularities
  (Secondary Business)
• Related Activities
• Liaison with External Auditors
• Continuous Auditing
• Risk Management
• Institutional Compliance

7
Strategic Business Plan

• The Strategic Plan outlines
• Strategic initiatives
• Objectives
• Specific IA strategies
• Performance measures
• Clear linkage to the U of As strategy documents
  Dare to Discover Dare to Deliver
• Report progress annually

8
Strategic Business Plan
9
Audit Linkage to ERM

• Separate Functions at U of A

10
History of ERM

• 2002/03 PWC hired to develop framework
• Accountability and Risk Management Steering
  Committee established (IA ex-officio)
• Risk Management Policy /Appetite statements
• ERM reviews in 2005 and 2007
• Adoption of COSO ERM Integrated Framework
• New Associate Vice-President (Risk Management)
  position created in Dec 2007
• Risk Management, Budgets, Emergency Preparedness,
  Insurance. Environmental Health Safety, and
  Compliance

11
ERM Internal Audit

The Institute of Internal Auditors. The Role of
Internal Auditing in Enterprise-wide Risk
Management, September 29, 2004.
12
Challenges

• ERM is evolving
• Roles responsibilities
• Where should we be on the continuum?
• Board of Governors oversight requirements

13
A Snapshot of Queens

• 20,566 students
• 2,374 faculty 2,472 staff
• Fiscal 2006-07 revenue of 733M
• Largest ever capital expansion program with debt
  requirements
• Fiscally conservative governance

14
Internal Audit

• Formerly Internal Audit, now Risk Management
  Audit Services (RMAS)
• First audit completed in 1991
• Averaged two to three staff members until
  reorganization to RMAS in 2004
• Presently three staff members and a student
  auditor

15
Internal Audit Strategy

• New VP from New Zealand with ERM experience
• Department name change to RMAS in 2004
• View to outsourcing internal audit function
• After first year of revised mandate, agreed on
  strategy to provide audit services in-house with
  co-sourcing where expertise required (i.e. IT)

16
Revised Mandates

• Audit Committee mandate revised May 05 with best
  practice responsibilities, including oversight of
  effectiveness of risk management
• RMAS Charter revised
• Staff complement of 3 achieved April 07
• No departmental strategic plan to date

17
ERM at Queens

• Deloitte engaged in 2005 to perform initial risk
  assessment and advise on framework
• RMAS leader of project with executive leadership
  support
• Initial report to the Audit Committee
• Further development of framework put on hold as
  University Strategic Plan developed
• Recent update of current strategies and action
  plans

18
ERM and Internal Audit

• RMAS is the ERM Champion
• Included in RMAS Charter
• Develop and maintain the ERM framework
• Coordinate and report on ERM activities
• Promote a strong risk management culture, monitor
  strategies and provide advice
• Develop the audit plan using risk-based
  methodology

19
ERM and Internal Audit
Legitimate IA role per IIA
20
Challenges

• ERM is still in relative infancy
• Difficult to champion a process while building a
  department and delivering on a risk based audit
  plan
• No internal risk management committee
• Audit Committee concern

21
Group Discussion

• What are the ERM linkages to Internal Audit in
  your institution?
• What are the challenges?

22
ERM Application in Internal Audit

• Audit Planning
• Two year plan (updated no less frequently that
  annually)
• Projects Mapped to risks identified through ERM.
• Inherent Risk assessment
• Section of plan deals with items highlighted and
  not covered in plan

23
Internal Audit Planning process
24
ERM Application in Internal Audit

• Audit Engagements - Planning
• Strategic objectives of U of A and area
• Potential risks use the U of A risk appetite
  statements in the area to guide audit focus.
• Areas noted as risks are documented in Project
  terms of Reference

25
Narrow Example (Audit of Commercialization
Governance)

26
ERM Application in Internal Audit

• Audit Engagements Reporting

27
ERM Application in Internal Audit

• Audit Engagements Reporting (cont.)

28
Results

• Fewer red lights
• Focussed recommendations with a clear linkage to
  risk and strategy
• Foundation for overall assessments
• Good feedback from administration (increased use
  of audits in governance meetings and decisions)
• Budget
• NOT PERFECT

29
Challenges

• Striving to ensure committee members have
  sufficient information to fulfill their mandate
• Interpretation of risk appetite
• Financial vs. Strategic, Operations Risks
• Coverage Conclusion on Internal Control
• Role in Fraud Prevention/Detection
• Fraud Policy and Protected Disclosure
• New IIA position
• Role in Institutional Compliance

30
ERM and Audit Planning

• Previous audit universe was academic,
  administrative, ancillary and research units gt
  audits were unit based
• The top 13 critical risks are very high level
  (e.g. Human Resources, Reputation etc.)
• Review audit universe in two ways
• Traditional general ledger units
• Functional/operational processes

31
ERM and Audit Planning

• Dual annual risk assessment processes for audit
  plan
• Units (level of expenditures complexity
  management concerns etc.)
• Functions/Processes
• Governance
• Finance and Administration
• Programs and Services
• Students
• Human Resources
• IT
• External Relations

Mapped to Enterprise risks

32
Mapping Enterprise Risks
33
ERM and Audit Planning

• Professional judgement
• No risk appetite or policy to refer to
• Balancing low hanging fruit and high-level
  risks in audit plan
• Have not specifically ruled out review of certain
  risks
• NEEDS FURTHER WORKAn evolving process

34
ERM and Audit Reports

• Example Research Grants Contract Audit

35
ERM and Audit Reports

• Have avoided rating findings to date
• No standard risk rating
• Will rate findings not implemented during
  follow-up audit (High, Medium, Low risk)
• Subjective

36
Challenges

• No risk policy or risk tolerances developed
• No standard risk ratings
• Subjective
• Not all risks are easily auditable
• Some keys risks under constant management review
• Coverage of issues versus the high level risks
• Addressing Audit Committee concerns

37
Group Discussion

• What other challenges do you see in integrating
  ERM practically with IA requirements?
• Success stories to share?
• Any other comments?