Risk-Based Internal Audit Plan

Building Strategic Risk-Based Internal Audit Services
Case Studies

Outline
• Two Universities - Two Approaches
– Linkages between Internal Audit & Enterprise-Wide Risk Management (ERM)
– ERM’s application in audit processes
• Participative – encourage everyone to share successful practices
RISK BASED AUDIT SERVICES

The University of Alberta
In 2007:
– Over 36,500 students
– Over 8,100 degrees granted
– Staff: 3,493 Academic, 6,233 Support (FTE)
– Over $420 million in annual research
– The current capital program is valued at more than $1 billion

New Internal Audit Strategy
• Conducted a Current State Analysis
• Supported by External Audit of Internal Audit (2005)
• Interviewed Senior Administration (34) & Audit Committee members (3 of 5)
– “What would you like to see from internal audit?”

Board Audit Committee Responsibilities
Leading Practices for Post-Secondary Institutions¹
• Strategy
• Manage the Relationship with the External Auditor
• Ensure the Quality of Financial Reporting
• Oversee Regulatory Compliance
• Work with the Internal Audit Function
• Monitor Management’s Handling of Internal Controls & Risk Management
• Monitor the Ethics Program
• Whistleblowing
¹ The Changing Role of the Audit Committee – Leading Practices for Colleges, Universities and Other Not-for-Profit Education Institutions, PricewaterhouseCoopers, 2004

Strategic Business Plan
• Internal Auditing (Core Business)
• Examining Suspected Fraud and Irregularities (Secondary Business)
• Related Activities:
– Liaison with External Auditors
– Continuous Auditing
– Risk Management
– Institutional Compliance

Strategic Business Plan
• The Strategic Plan outlines:
– Strategic initiatives
– Objectives
– Specific IA strategies
– Performance measures
• Clear linkage to the U of A’s strategy documents, Dare to Discover & Dare to Deliver
– Report progress annually

Strategic Business Plan – Performance Measures
Stakeholder Satisfaction:
• Committee & Senior Mgt
• Auditee Surveys
• # recommendations accepted/implemented
Innovation & Capability:
• Training Hours
• Certified Staff
• Effective Use of Good Practices
Internal Audit Processes:
• Completed vs. planned audits
• Time analysis
• Audit Cycle Time
• Compliance with Standards
Other:
• Budget and Benchmarks
• Reporting on IA strategic initiatives

Audit Linkage to ERM
Separate Functions at U of A

History of ERM
• 2002/03 PWC hired to develop framework
• Accountability and Risk Management Steering Committee established (IA ex-officio)
• Risk Management Policy / Appetite statements
• ERM reviews in 2005 and 2007
• Adoption of COSO ERM Integrated Framework
• New Associate Vice-President (Risk Management) position created in Dec 2007
• Portfolio: Risk Management, Budgets, Emergency Preparedness, Insurance, Environmental Health & Safety, and Compliance

ERM & Internal Audit
[Figure not reproduced: the IIA’s ERM role continuum for internal audit.]
Source: The Institute of Internal Auditors, “The Role of Internal Auditing in Enterprisewide Risk Management”, September 29, 2004.

Challenges
– ERM is evolving
– Roles & responsibilities: where should we be on the continuum?
– Board of Governors oversight requirements

A Snapshot of Queen’s
• 20,566 students
• 2,374 faculty; 2,472 staff
• Fiscal 2006-07 revenue of $733M
• Largest ever capital expansion program with debt requirements
• Fiscally conservative governance

Internal Audit
– Formerly Internal Audit, now Risk Management & Audit Services (“RMAS”)
– First audit completed in 1991
– Averaged two to three staff members until reorganization to RMAS in 2004
– Presently three staff members and a student auditor

Internal Audit Strategy
– New VP from New Zealand with ERM experience
– Department name change to RMAS in 2004
– View to outsourcing internal audit function
– After first year of revised mandate, agreed on strategy to provide audit services in-house with co-sourcing where expertise required (i.e. IT)

Revised Mandates
– Audit Committee mandate revised May ’05 with best practice responsibilities, including oversight of effectiveness of risk management
– RMAS Charter revised
– Staff complement of 3 achieved April ’07
– No departmental strategic plan to date

ERM at Queen’s
– Deloitte engaged in 2005 to perform initial risk assessment and advise on framework
– RMAS leader of project with executive leadership support
– Initial report to the Audit Committee
– Further development of framework put on hold as University Strategic Plan developed
– Recent update of current strategies and action plans

ERM and Internal Audit
RMAS is the ERM “Champion”
Included in RMAS’ Charter:
• Develop and maintain the ERM framework
• Coordinate and report on ERM activities
• Promote a strong risk management culture, monitor strategies and provide advice
• Develop the audit plan using risk-based methodology

ERM and Internal Audit
[Figure not reproduced: RMAS’ position on the IIA continuum, labelled “Legitimate IA role per IIA”.]

Challenges
– ERM is still in relative infancy
– Difficult to champion a process while building a department and delivering on a risk based audit plan
– No internal risk management committee
– Audit Committee concern

Group Discussion
• What are the ERM linkages to Internal Audit in your institution?
• What are the challenges?

ERM Application in Internal Audit
– Audit Planning
• Two year plan (updated no less frequently than annually)
• Projects mapped to risks identified through ERM
• Inherent risk assessment
• A section of the plan deals with items highlighted through ERM but not covered in the plan

Internal Audit Planning Process
Institutional Risks (as identified through ARMSC processes):
– Academic Faculty Renewal
– Leadership & Admin Structure
– Base Funding
– Enrolment Growth and Complexity
– Research Growth, Complexity and Stewardship
– Relationship with Key Supporters
– IT Infrastructure
– HR Processes
– Academic Reputation
– Safety and Security
Audit Universe:
– Academic & Administrative Units, Centres, Institutes
– Core Processes (e.g. Risk Management, Strategic Planning, Financial Reporting)
– Major IT Systems
Inherent Risk Exposure – Internal Audit Universe Risk Framework:
[Figure not reproduced: the audit universe and the institutional risks are plotted on a 3×3 matrix of Impact (L / M / H) against Probability (L / M / H), with the nine cells numbered 1 to 9.]

Risk-Based Internal Audit Plan
Projects  | Description         | Type               | Priority | Timing         | Level of Effort
Project 1 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours
Project 2 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours
Project 3 | Scope and Objective | Audit - Consulting |          | Quarter / Year | Hours
Project 4 | Scope and Objective | Audit - Assurance  |          | Quarter / Year | Hours
(Priority values did not survive extraction.)

ERM Application in Internal Audit
– Audit Engagements - Planning
• Strategic objectives – of U of A and the area
• Potential risks – use the U of A risk appetite statements in the area to guide audit focus
• Areas noted as risks are documented in the Project Terms of Reference

Narrow Example (Audit of Commercialization Governance)
Business Objective 18: Ensure proper oversight of related party transactions and conflict of interest situations¹.

Key Inherent Risks (risks that could impact achievement of the business objective):
1. Conflict of interest issues may arise due to the activities of TEC Edmonton.
   Possible causes: the “conflict of interest” policy may not be followed or known.
Risk Ratings for Key Inherent Risks (I, L, E): H, M, M, H
Auditability:
– Review how the University “Conflict of Interest” policy flows through to TEC Edmonton.
– Review how conflict of interest issues are monitored and reported.
Summary of Key Considerations from Preliminary Survey Work:
– The application of the policy is unclear; however, it is mentioned in both the joint venture agreement and the master secondment agreement.
Audit steps: F.4 and F.5

ERM Application in Internal Audit
– Audit Engagements – Reporting
Table Attributes | Description
Criteria | Outlines the criteria used in the audit – what should be in place according to good practices.
Current Environment and Potential Risks | Highlights of what was found during the review. This includes the potential risk exposure with the current environment, as assessed based on the work conducted.
Risk rating* | The risk-rating framework used is that outlined below and is consistent with the University’s Risk Management policy.
Opportunities for Improvement | Recommendations to mitigate risks or improve operations where necessary.

ERM Application in Internal Audit
– Audit Engagements – Reporting (cont.)
Rating | Description
High | High risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb
Moderate | Moderate risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb
Low | Low risk of significant reputation damage, financial loss or exposure, major breakdown in information system or information integrity, significant incident(s) of regulatory non-compliance, potential risk of loss of life or limb

Results
– Fewer “red lights”
– Focussed recommendations with a clear linkage to risk and strategy
– Foundation for overall assessments
– Good feedback from administration (increased use of audits in governance meetings and decisions)
– Budget
NOT PERFECT

Challenges
– Striving to ensure committee members have sufficient information to fulfill their mandate
– Interpretation of risk appetite
– Financial vs. Strategic and Operations Risks
– Coverage – Conclusion on Internal Control
– Role in Fraud Prevention/Detection:
  – Fraud Policy and Protected Disclosure
  – New IIA position
– Role in Institutional Compliance

ERM and Audit Planning
– Previous audit universe was academic, administrative, ancillary and research units => audits were unit based
– The top 13 critical risks are very high level (e.g. Human Resources, Reputation etc.)
– Review audit universe in two ways:
  – Traditional general ledger units
  – Functional/operational processes

ERM and Audit Planning
– Dual annual risk assessment processes for audit plan
  – Units (level of expenditures; complexity; management concerns etc.)
  – Functions/Processes, mapped to Enterprise risks:
    – Governance
    – Finance and Administration
    – Programs and Services
    – Students
    – Human Resources
    – IT
    – External Relations

Mapping Enterprise Risks
Legend (shading in the original matrix):
– Process maps to > 70% of key risks
– Process maps to > 30% and < 70% of key risks
– Process maps to < 30% of key risks
Enterprise Risks (columns): Health and Safety; Student Satisfaction; Leadership Quality; Financial; Competitor; Change Readiness; Reputation; Information Technology; Human Resources; Strategic Planning; Infrastructure; Academic Quality; Government Policy
Audit Universe Processes (rows), with Total key risks mapped:
Governance
– Vision and Strategy development/review: 9
– Fiduciary and academic oversight: 6
Finance and Administration
– Planning and resource allocation process: 12
– Expenditure controls/budget management: 2
– Capital plan and projects/expenditures: 9
– Cash management: 4
[The individual X marks of the matrix did not survive extraction; only the row totals are shown.]

ERM and Audit Planning
– Professional judgement
– No risk appetite or policy to refer to
– Balancing “low hanging fruit” and high-level risks in audit plan
– Have not specifically ruled out review of certain risks
NEEDS FURTHER WORK… An evolving process

ERM and Audit Reports
Example: Research Grants & Contract Audit
Audit Risk:
– Research activity and expenditures are not in compliance with legislative requirements or terms of the contract or grant, jeopardizing future grants and contracts and impacting the reputation of Queen’s University;
– There are project delays and cost overruns leaving the University exposed to contractual defaults and funding shortfalls; and
– Existing processes result in ineffective management of grants and contracts and/or use of resources and the potential for lost opportunities.
Enterprise Risk:
– Competitor Risk (i.e. actions of competitors affect Queen’s ability to meet enrolment targets, obtain high levels of research funding and hire the best faculty and staff)
– Reputation Risk (i.e. communicating, maintaining and enhancing Queen’s reputation)
– Change Readiness Risk (i.e. being responsive to external and internal funding changes)
– Financial Risk (i.e. not meeting goals and objectives due to insufficient funds, cost overruns or project management issues)

ERM and Audit Reports
– Have avoided rating findings to date
– No standard risk rating
– Will rate findings not implemented during follow-up audit (High, Medium, Low risk)
– Subjective

Challenges
– No risk policy or risk tolerances developed
– No standard risk ratings
– Subjective
– Not all risks are easily auditable
– Some key risks under constant management review
– Coverage of issues versus the high level risks
– Addressing Audit Committee concerns

Group Discussion
• What other challenges do you see in integrating ERM practically with IA requirements?
• Success stories to share?
• Any other comments?