NSW Public Sector Audit & Risk

Auditing & Risk Management
A Happy Couple or a Shotgun Marriage?
Presented by
Bruce Turner CGAP, FIIA (Aust), CISA, CFE, FFin, FPNA, MAICD, AFAIM
Chief Internal Auditor
Australian Taxation Office
15 October 2010
Overview
We’ll explore the pre-nuptials … how strong is the connection between internal audit and risk management … does it provide the foundation for a happy couple?
Auditing & Risk Management
www.ato.gov.au
Overview
• Internal Audit
• Governance Roles
• Integrating Internal Audit with Enterprise Risk Management
Internal audit
Fundamentals of professional auditing practices
• Definition
• Key elements
• Professional standards
Definition of internal auditing
“Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
Key elements
• Governance
• Risk management
• Control
Auditing standards
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance of Risks
Auditing standards - planning (2010)
“The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.”
Auditing standards – risk management (2120)
“The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”
“Risk management remains at the heart of internal audit. It defines the focus as well as the effort of the internal audit staff. Getting it right through a comprehensive risk assessment will drive better results, achieve greater efficiencies, and cover the important things that either add or preserve value in an organisation.”
* Financial Executive, November 2008 – Better Internal Audit Leads to Better Controls – by Robert B Hirth Jr – from Protiviti NewsAlert, January 2009
Risk elements in audit process
• Planning
– Forward work program
– Each audit engagement
• Fieldwork
– Scope and work program
• Reporting
– Each audit reported
– Basis of prioritising recommendations
– Consolidated high-level reporting
• Follow-up of recommendations
Example - audit planning development process
[Flowchart slide: the inputs, risk factors and outputs below are recovered from the diagram labels]
Analysis
• ATO Strategic Risk Register and Corporate Priorities
• Cyclical Schedule of Information Technology Audits
• Review of Prior Internal Audit Executive Summaries and Reports (for any commitments)
• Fraud Control Planning
• Audit Completion Summaries (ideas for future audits generated after each completed internal audit)
• Systemic Issues Reporting (including Complaints analysis)
• Follow-up Audits for External Scrutineers (including ANAO, Inspector General of Taxation, Ombudsman)
• Emerging Issues from Chief Audit Executive Network (including counterparts in Major Agencies)
• Audits Carried Forward from Prior Program/s
Research
• Scrutineer Forward Work Programs (including Inspector General of Taxation and ANAO)
• Audit Director Roundtable ‘Global Hotspots 2009’
• Institute of Internal Auditors (changes to Professional Practices Framework and auditing standards)
• Other Areas (e.g. JCPAA briefings; Privacy Commissioner)
Consultation
• Scrutineers (ANAO)
• Other Governance Specialists (Chief Knowledge Officer; Governance & Government Relations Executive including Assistant Commissioner Integrity Assurance)
• Internal Audit Directors and Staff (at Internal Audit Conference November 2008 and subsequently)
• Audit Liaison Officers (both SES and business support levels)
• Audit Committee (at ‘In Camera’ session February 2009; one-on-one meetings with Chair and some other Members; Sub-committee meeting April 2009)
• Sub-plan Executives (including Second Commissioners, Chief Financial Officer, other Members of ATO Executive, and NPMs)
• Plenary Governance Forum (including Commissioner)
Audit Themes
• Core Tax Administration
• Change Program
• Security & Privacy
• Contracts Management
• Overheads Management
• Fraud Control
• Financial Stewardship
• Strategic Reviews
• Management Information
• Assurance Activities
Risk Factors (Apply Risk Factors – Risk Priority Process)
• Complexity
– Importance
– Tone at the Top
– Legal / Regulatory
• Stakeholder Engagement
– Reputational Impact
– Supplier Engagement
– Client Engagement
– Government Engagement
• Enabling Capabilities
– Importance of Technology
– Staffing
– Financial Management
– Volume of Transactions
• External Threats
– Economic Climate
– Business Continuity
• Tax Administration
– Security Breaches
• Other Factors
– Time Since Last Audit
– Extent of Change
Plans
• Forward Work Program
– Eighteen-month: from mid-2009 through 2010
– Three-year: through 2011 to mid-2012
• Schedule of Audit Themes, Potential Audit Topics, and Scoping
• Priority ‘A’ Audits, Priority ‘B’ Audits, Priority ‘C’ Audits
Example – ATO audit themes
• Core tax administrative activities
• Change Program
• Financial stewardship
• Strategic reviews
• Assurance activities
Example – ATO audit themes cont’d
• Managing contracts
• Managing overheads
• Fraud control
• Non-financial management information
• Security and privacy
Looks like a marriage …
Governance
The inter-relationships between the risk management players
• Management
• Risk management advisor
• Auditors
The effect of changing risk profiles
Management
- Owns the risks
- Manages the risks
Risk management advisor
- Develops the framework
- Produces risk reporting
Internal auditors
- Use risk based planning
- Evaluate controls
Anatomy of a Risk (diagram)
- No controls: Risk Drivers (causes) → Risk Events (manifestation) → Risk Consequences (outcomes)
- Control environment: Preventative Controls → Risk Controls → Recovery Measure
[Diagram: Business Objectives; Governance; Risk Management; Internal Controls]
The changing risk profile
Change is inevitable
• Risk management activity must be dynamic
• Vital to embed risk management in organisational processes
• Both risk management framework and processes
• The organisation and its environment will change
• Auditors to be agile and flexible to accommodate changes
Thinking about risks
Yesterday → Tomorrow
• Managing known risks → Exploring emerging risks
• Avoiding unknown risks → Capitalising on emerging opportunities
• Register of known risks → Radar of emerging risks
• Established risk tools → Optimised approaches to risk
• Individual risk responses → Collaborative risk mitigation
* Based on thought leadership in a PwC publication – Extending Enterprise Risk Management to address emerging risks (2009)
Examples - emerging risk areas
• Increased competitive pressures
• Continued recessionary pressures
• Cost reduction pressures
• Talent risks
• Commodity prices
Examples - emerging risk areas (cont’d)
• Strategic change management
• Third party solvency
• Political trends
• Compliance
• Lack of investment in product innovation
* Sourced from Audit Director Roundtable publication – Top Ten Emerging Risks – Likelihood, Impact and Velocity (October 2009)
Examples - local government risk areas
• Developer contributions
• Climate change
• Water supply
• Attract / retain staff
• Culture centre development
• Long-term finances
• Asset maintenance
• Information management
• Integrated planning
• Fraud and corruption
Examples - state government risk areas
• Shared services provision
• Attract / retain staff
• Information technology
• OH&S
• Security
• Major projects
• State plan delivery
• Reactive work
• Specific reforms
• Fiduciary controls
Examples - enterprise risk categories
• External Environment
• Security & Privacy
• Innovation & Change
• Policy Advice & Design
• Law Interpretation
• Tax Product Compliance
• Knowledge
• Major Tax Integrity Threats
• Transfers Compliance
• Technology
• People
• Product & Payment Processing
• Tax Revenue
• Governance
• Marketing & Communications
• Finance
• Client Experience
• Legal Support
• Client Engagement
• Facilities
• Regulatory Compliance
• Government Engagement
• Tax Administration
• Stakeholder Engagement
• Business Continuity
• International Engagement
• Enabling Capabilities
• External Threats/Opportunities
• Reputation Management
• Supplier Engagement
Internal auditing policy agenda
• Internal audit is fundamental to good governance
• Public entities need strong effective audit committees
• Appropriate reporting lines for head of internal audit
• Clear accountability for risk management and control
• Internal audit operates at consistently high standard
Ticks along like a marriage …
Integrating internal audit and enterprise risk management
Optimising the benefits of the risk management investment
• A long engagement
• Audit themes
• Case studies
A long engagement - case study - loan portfolio audit
Routine auditing
• Broad coverage of personal loans
• Average loan $30,000
• Thorough audit completed
• Appropriate sampling techniques
• Well-constructed working papers
• Well-written report
Different loan product offering
• Foreign exchange loans introduced that year
• Average loan $750,000
• Not part of ‘routine’ audit program
• No audit coverage of new product lines
Adding value
• Narrow focus on ‘routine’ loan portfolio
• Changing risk profile not assessed
• Audit value diminished
• The audit and risk marriage is already over 25 years strong
Case study – on time running
Public information
• Objectives of entity articulated
– Clean
– Safe
– Reliable
• Key measure of reliability – on time running
• KPI result updated daily on website
End-to-end controls
• Well articulated policy and KPI commitment
• Counting rules clear and transparent
• High-level sign-offs for release to website and Minister
• Assertions on the collation of data and calculation of results
• Strong website security
Data origination
• Grassroots collection of data
• Near enough is good enough approach
• Integrity of data severely tarnished
• Reputational damage
• Strong Auditor-General criticism
Case study – security risks
Emerging security risks (2008)
• More electronic records breached than 4 prior years
• Corporations fell victim to the largest cyber-crimes ever
• Motivated hackers know where and what to target
• 90% of records breaches involved organised crime
• Could avoid 9 out of 10 breaches with security basics
• Mistakes and oversights hindered security efforts
* Australian Institute of Management, Management Today, July 2009, pp. 7-8, 37
“In recent times, a number of events have occurred overseas resulting in the loss or disclosure of sensitive information. One particularly high public profile incident resulted in the resignation of the Chief Executive of Her Majesty’s Revenue and Customs (HMRC) in the UK.”
* ATO, Information Security Practices Review, PricewaterhouseCoopers, April 2008, p. 2
Example – ATO reporting on audit themes
• Logical access provisions
• Managing client records
• Site visits – remote locations (physical security)
• Consolidated high-level audit report on security
• Satellite audit – security classifications
Risk management elements
• Sound governance structures
• A clear corporate stance
• Effective education and awareness programs
• A well-defined security classification framework
• Effective security monitoring and incident response mechanisms
• Robust plans for IT incidents
* ATO, Information Security Practices Review, PricewaterhouseCoopers, April 2008, covering letter, p. 2
Influences service standards
• Community perceptions strong
– 80% think the ATO is doing a good job*
• Business perceptions strong
– 89% think the ATO is doing a good job*
• Professional survey positive
– 79% are ‘satisfied’ or ‘very satisfied’ with the professionalism of ATO employees*
Comes together like a marriage …
Conclusion
The pre-nuptials are sound:
• Internal audit and risk management have a strong inseparable connection
• Risk management provides the foundation for effective auditing
In turn internal audit:
• Supports the risk management process
• Validates the effectiveness of internal controls that mitigate the risks
My vote … a happy couple!
Questions?
© COMMONWEALTH OF AUSTRALIA 2010
This presentation was current in July 2010
About the ATO
• Australian Government’s main revenue collection agency
• Administers main aspects of Australia’s super system
• Celebrates its centenary in 2010
• Net revenue collection of $270.8 billion*
• Operating budget of $3.1 billion**
• Average staffing level 21,720**
• 75 locations across all states and territories**
• 25 business and service lines*
* end June 2008 ** end June 2009
Audit staff
• Around 40 full-time equivalent staff
• We employ specialist external staff for technical audits
• Four teams across 3 sites in ACT, NSW and Victoria
• Audit capability meets global benchmarks
– Qualifications, certifications, experience
• Multi-disciplinary team
• Completes 60 to 70 audits per year
Our commitment to you
We are committed to providing you with guidance you can rely
on, so we make every effort to ensure that our presentations
are correct.