TREASURY REGULATIONS’ CHANGES AND POTENTIAL IMPACT OFFICE OF THE ACCOUNTANT-GENERAL Presenter: Risk Management Support | National Treasury | August 2014 BACKGROUND 2 CURRENT TREASURY REGULATIONS Part 2 Management Arrangements 3. Internal control “3.2.1 The accounting officer must ensure that a risk assessment is conducted regularly to identify emerging risks of the institution. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority, and to determine the skills required of managers and staff to improve controls and to manage these risks. The strategy must be clearly communicated to all officials to ensure that the risk management strategy is incorporated into the language and culture of the institution”. TRs Updated October 2012 3 CURRENT TREASURY REGULATIONS Cont... “3.2.7 An internal audit unit must prepare, in consultation with and for approval by the audit committee – (a) a rolling three-year strategic internal audit plan based on its assessment of key areas of risk for the institution, having regard to its current operations, those proposed in its strategic plan and its risk management strategy”. TRs Updated October 2012 4 PROPOSED RISK MANAGEMENT CHANGES Chapter 4: Corporate Governance Part 1: Internal control 16 (2) The system of internal control referred to in sub-regulation (1) must consist of the following components: (a) Control environment; (b) risk assessment; (c) control activities; (d) information and communication; and (e) monitoring activities. 5 PROPOSED RISK MANAGEMENT CHANGES Cont… Part 2: Risk Management 22 (2) The system of risk management referred to in subregulation (1) must at least include – systematic process to identify and document the key risks in a risk register regardless of whether or not such risks are within the direct control of the institution; a fraud and corruption prevention strategy and plan; review of the business continuity plan; assessment of risks within SCM processes, including the awarding of bids; assessment of occupational health and safety risks; establishing the risk tolerance and risk appetite levels of the institution; and an assessment of operational losses 6 FORA FOCUS AREAS Previous Fora Topics Other Topics • Business Continuity Plan • Supply Chain Management • Fraud Risk Assessment • Assessment of Operational • Risk Appetite and Tolerance • Information Technology Losses • Assessment of OHS Risks • Combined Assurance 7 BCP ISSUES DISCUSSED • What is a business continuity plan? • What should be considered when developing a business continuity plan? • Who are the key stakeholders in developing a BCP? • Is it a function for risk officers? • How does a BCP relate to identified risks? • Is there an acceptable standard or framework that should be followed in developing BCPs? • What are the typical issues raised by assurance providers about BCPs? 8 THE 6 ELEMENTS OF THE BCM LIFECYCLE 1. Understand the Organisation 2. Determine the BCM strategy 3. Develop & implement a BCM response 4. Exercise, maintain & review 5. Establish BCM policy and programme management 6. Embed a BCM Culture 9 SERVICE CONTINUITY PLANS SOUTH AFRICA EARTHQUAKE KILLS ONE, 17 MINERS INJURED POWER FAILURE AT SITA CENTURION 10 FRAUD RISK ASSESSMENT ISSUES DISCUSSED • What is Fraud Risk Management • Minimum Requirements for an Effective Risk Management Programme • Fraud Risk Management Reports • Role of Chief Risk Officer • Expectations of Assurance Providers on the Assessment and Management of Fraud Risks • Challenges that Affect the Successful Implementation of FRM Plans 11 IT RISK GOVERNANCE ISSUES DISCUSSED • IT risk is a business risk specifically associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. • It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives; • Aims to prioritize and manage IT risk; • Senior executives need a frame of reference and a clear understanding of the IT function and IT risk associated with it; DPSA • IT risk is not just a technical issue; and • Organisation managers determine what IT needs to do to support their business; they set the targets for IT and are accountable for managing the associated risks. 12 THE RELATIONSHIP BETWEEN IT RISK & IT AUDIT Source: National Treasury Internal Audit - Information Systems Audit Methodology 13 RISK APPETITE & TOLERANCE ISSUES DISCUSSED 14 RISK APPETITE & TOLERANCE ISSUES DISCUSSED • ; 15 SCM & OPERATIONAL LOSSES .. 16 CONCLUSION 17 THANK YOU 18