Integrating Risks in Audit Work Programs

2015 RIAS Manila, 10 – 11 September 2015

Contents

• Relevant Facts & Figures

• IAEA Approach

• FAO Approach

• Similarities and Differences

• Survey Results (2011 vs. 2015)

• Q & A

2RIAS 2015 - Risk Assessment for Work Plan Preparation

Relevant Facts & Figures

3RIAS 2015 - Risk Assessment for Work Plan Preparation

• IAEA

• Established in 1957 – Independent

Org. (Statute)

• Promotes peaceful use of nuclear

energy

• 2 300 Staff Members

• Centralised Management of Activities

• 2015: RB - MEUR 344; EB - MEUR 157

• OIOS

• Audit, Advisory, Investigation and

Evaluation

• 17 Staff Members (5 Auditors)

• 20 IA projects p.a.

• Reports directly to the DG

• Annual report on activities to MS

• FAO

• Established in 1945 – Specialized

Agency of the United Nations

• Eradication of hunger

• 3 450 Staff Members

• HQ in Rome and presence in +130

countries

• 2014-15: assessed contributions

MUSD 2 400; voluntary

contributions MUSD 1 400

• OIG

• Audit, Advisory and Investigation

• 25 Staff (13 Auditors)

• 30 IA projects p.a.

• Reports to the DG

• Public annual report

IAEA Approach

• Annual Risk Assessment based on four inputs:

• Interactions with (Senior) Management

• Corporate Risk Register

• Independent Risk Assessment of Audit Universe

• Auditors’ judgement and proposals

• Required Level of Assurance• High-risk areas must be covered every 5 years

4RIAS 2015 - Risk Assessment for Work Plan Preparation

5

IAEA Approach

RIAS 2015 - Risk Assessment for Work Plan Preparation

Interactions with Management

• Informal discussions with management (DDsG and

Directors)

• Formal request of depart. / divisional exposures;

areas of concern; significant changes; specific

project proposals

Risk Assessment of Audit Universe (Heat Maps)

• Audit Entities: Business Processes; Organizational

Chart (DDSU); Agency’s Programmes; Chart of

Accounts; ‘One-off’ Projects; IT; Country Portfolio

• Rating (impact & likelihood) based on Risk Factors:

Fin. Magnitude; Level of Change and Complexity;

Reputation Loss; WB Gov. Index (Inherent Risk) /

State of IC & results of previous OIOS or Ext.

Auditor’s work (Residual Risk)

Auditors’ Judgement

• Based on the auditors’ expertise; previously

completed projects; knowledge of the organization

Corporate Risk Register

• Corp. Risk Mgmt. Policy issued in 2009 (Rev. 2012)

• Owned by Senior Strategy Officer in DGOC

• Risk Register: 440 risks (H/M/L)

• ‘WIP’: duplications; inconsistent ratings; unfiltered

(strategic / tactical / operational – corporate /

project); ‘non-auditable’; integration with RBM & ICF

FINAL PROJECT SELECTION

12 Proposals from Clients 31 Risks

27 Entities / Areas 22 Proposals from Audit

6

IAEA Approach

RIAS 2015 - Risk Assessment for Work Plan Preparation

14 IA Projects & 3 Country Level Assessments (combined IA / Evaluation) included in the 2015 Plan

Final Project Selection:

• Consolidation and filtering of 92 inputs;

• Final assessment and rating;

• Consideration of other factors: carry-forwards; internal meetings; discussion with

External Auditors; coordination with other OIOS functions; available resources

7

IAEA Approach

RIAS 2015 - Risk Assessment for Work Plan Preparation

Interactions with Management

Risk Assessment of Audit Universe (Heat Maps) Auditors’ Judgement

Corporate Risk Register

FINAL PROJECT SELECTION

31 Risks

27 Entities / Areas 22 Proposals from Audit

12 Proposals from Clients

Final Project Selection:

8

IAEA Approach

RIAS 2015 - Risk Assessment for Work Plan Preparation

14 IA Projects & 3 Country Level Assessments (combined IA / Evaluation) included in the 2015 Plan

FAO Approach

• Rolling audit plan updated provisionally on an

annual basis and more fully each biennium; inputs:

• Interaction with Management and Audit Committee

• OIG risk register (corporate ERM under development)

• OIG assessment of Audit Universe

• Auditors’ judgement

• …..

• Required Level of Assurance• Coverage of corporate high risks over three biennia

9RIAS 2015 - Risk Assessment for Work Plan Preparation

10

FAO Approach

RIAS 2015 - Risk Assessment for Work Plan Preparation

Interaction with Management and Audit

Committee

• Discussion and pro-active requests

• Audit work plan includes provision for additional

work outside the risk-based priorities, i.a. to

conduct inspections of specific issues at

management request

Audit Universe

• Audit Entities: by function, process or location, e.g.

Governance; Financial Management; Decentralized

Offices Management; Field Programme Cycle

• Scoring and Prioritizing risks:

1. Risk assessment – five dimensions:

Achievement of objectives, Financial,

Reputation, Personnel, Operations

2. Impact (5 criteria), Likelihood (judgement)

Auditors’ Judgement

• Based on the auditors’ expertise; previously

completed projects; knowledge of the organization

OIG Risk Register

• Owned by OIG

• Originally developed in 2009 in partnership with

Deloitte regularly updated to reflect emerging risks

and changing risk priorities

• 265 risks (H/M/L)

• Corporate ERM is currently under development in

cooperation with Office of Strategy, Planning and

Resource Management

FINAL PROJECT SELECTION

6 Inspections/Audit Memoranda

70 High Risks

59 Processes/ Functions

11

FAO Approach

RIAS 2015 - Risk Assessment for Work Plan Preparation

29 IA Projects – 9 core processes and 20 decentralized activities audits included in the 2015 Plan

Final Project Selection:

• Final assessment and ranking

• Rolling plan, audit history

• Coverage of multiple risks through individual assignments

• Available resources versus estimated resource requirements

• 50-60% of resources to review decentralized operations

12

FAO Approach

RIAS 2015 - Risk Assessment for Work Plan Preparation

Interactions with Management

Risk Assessment of Audit Universe Auditors’ Judgement

Corporate Risk Register

FINAL PROJECT SELECTION

70

70 High Risks

59 Processes/Functions

6 Inspections/Audit Memoranda

Final Project Selection:

13

FAO Approach

RIAS 2015 - Risk Assessment for Work Plan Preparation

29 IA Projects – 9 core processes and 20 decentralized activities audits included in the 2015 Plan

Similarities and Differences

14RIAS 2015 - Risk Assessment for Work Plan Preparation

• Vey similar inputs used for the

identification of priorities

• Similar required level of

assurance (5 to 6 years)

• Frequency (yearly assessment vs. biannual with

yearly update)

• Use of inputs for risk assessment driven by level of

maturity of the organization’s governance (i.e.

existence of audit committee; stage of development

of corporate risk management tools)

• Differences in focus on Decentralized Offices Network

Has your organization implemented ERM or any other risk management tool?

Use of ERM & Corporate Risk Registers

Survey Results (2011 vs. 2015)

15RIAS 2015 - Risk Assessment for Work Plan Preparation

2011 2015

RESPONSES TO SURVEY 20 27

ORG. WITH IMPLEMENTED ERM SYSTEM (Abs.) 5 22

ORG. WITH IMPLEMENTED ERM SYSTEM (%) 25% 81%

9

2

11

20

0

5

10

15

20

25

2011 2015

USE OF CORPORATE RISK MANAGEMENT TOOLS

WHEN PREPARING THE ANNUAL AUDIT WORK PLAN

NO

YES

14

66

16

0

5

10

15

20

25

2011 2015

USE OF CORPORATE RISK MANAGEMENT TOOLS

WHEN DEVELOPING AUDIT PROGRAMS

NO

YES

Integrating Risks in Audit Work Programs

16RIAS 2015 - Risk Assessment for Work Plan Preparation

Q & A