RISK WATCH
Edited by James Roth and Donald Espersen

A NEW STRATEGY

Internal auditors in Australia get a broader view of risks by linking their risk analysis to an ERM framework.
BY ANDREW MACLEOD AND BOB OVERELL

A CHANGE OF FOCUS

Traditionally, internal audit functions have used risk analysis techniques to identify candidate areas for audit coverage. The objective of these techniques is to prioritize areas for review by providing a comparative risk ranking of those functions. Some common risk analysis variables, such as dollar value and changes in key personnel, are now considered part of the enterprise risk management (ERM) framework. As organizations establish their own ERM frameworks, many are expecting their internal audit department to align its risk analysis with their framework to establish a consistent basis for setting priorities and to promote risk management throughout the organization.

Recently, the audit committee of the Brisbane City Council directed its Assurance & Audit Services (A&AS) department to integrate its internal audit planning more directly with the council's own corporate risk management framework to ensure that audits assess risks and controls in line with the framework. In the past, A&AS has used nine risk assessment factors to prioritize areas for internal audit attention, but that analysis functioned independently from the council's framework. Some members of the audit committee argued that there was considerable overlap among key variables in the A&AS risk analysis. Like many internal audit departments, A&AS lacked a strategy for linking its risk analysis to an ERM framework. One of the problems the department faced was that the corporate risk management framework lacked the detail needed to permit audit planning to occur at the level required to schedule and manage reviews. To address this problem, A&AS decided to go beyond the corporate framework and look at the more detailed divisional and branch risk management plans (risk registers).

An alignment exercise was undertaken to identify more direct links between risk categories and aspects contained in the risk registers and, where applicable, the items that were already included in the audit universe recognized by A&AS. Some risk categories found in the registers, such as workplace health and safety, did not lend themselves to internal audits and would need to be reviewed by specialists in those areas.

Another problem the council encountered was the need to prioritize items that are rated at least a high inherent risk. Although such risks warrant audit attention, there are too many to review. The risk registers usually provide assessments of inherent risks and current risks, after taking into account the controls put in place. Managers and staff from each area use a self-assessment process to gauge the adequacy and effectiveness of controls and mitigating strategies in place, but these individuals may lack the detailed knowledge and objectivity necessary to provide an accurate assessment. Based on these self-assessments, existing or proposed mitigation strategies or actions that are judged to reduce the risk of a system or process significantly are considered key controls. Subsequently, an important focus of A&AS' internal audit planning is to consider inherently high-risk areas that have been reduced by users to low current risks through the self-assessment of controls.

To comply with the audit committee's directive, A&AS approached risk analysis in a new way that directly links the annual audit plans to the divisional and branch risk registers, and through them to the corporate risk management framework. This strategy also allows A&AS to focus more on the value of self-assessed, but untested, controls, using a conversion chart developed by corporate risk management that assigns numerical values to inherent and current risk ratings (see "Risk Rating Calculation" above). Auditors calculate a mathematical value of the risk treatments based on the numerical difference between the inherent and current risks, and scale up the differential based on ratings assigned by A&AS under the headings of "executive management interest," "A&AS control perception," and "time since last audit" (see "Risk Differential Scaling Factors" below). Using A&AS' risk analysis methodology to calculate this differential directs auditors' attention to areas of inherently high risk where key controls may not be as effective as local management believes them to be. This situation may have occurred because independent reviews of these areas have not been scheduled.

A&AS will provide separate reports to the audit committee detailing its risk analyses of areas where the divisional or branch risk registers show a high rating for inherent risk, where the current risk remains largely unchanged, and where no action by management or review coverage is planned. Several of the highest risk areas where no action by management or review coverage is planned could be included in the department's annual audit plan, such as where the chief executive officer or a divisional manager have particular concerns and A&AS resources are available. In addition, A&AS continues to include a selection of depot or site reviews each year, even though these areas are not rated a high risk in the A&AS risk analysis.

RISK DIFFERENTIAL SCALING FACTORS

Executive management interest
  High                   40
  Medium High            30
  Medium                 20
  Low                    10

A&AS control perception
  Poor                   30
  Fair                   20
  Good                   10

Time since last audit
  3 or more years        30
  1-3 years              20
  Within the last year   10

THE ANNUAL PLAN

In making its annual audit plan, A&AS takes a risk-based approach to selecting units for internal audit review. A&AS' strategy is consistent with Australian Standard 4360 (AS/NZ 4360), Risk Management Within the Internal Audit Process, which was published by Standards Australia in 2002. The Guide to the Use of AS/NZ 4360 states that an audit plan should include:

1. Unacceptable current risks where management action is required. These would be areas with very little key controls or mitigating factors that executive management want reviewed straight away.
2. Control systems on which the organization is most reliant.
3. Areas where the differential is great between inherent risk and current risk, auditable units ranked by risk analysis.

For their plan, the council's internal auditors are interested in areas that pose high current risk and that contain key control systems. Through a strategic audit planning process, A&AS identifies both areas of unacceptable current risk where management action is required and control systems upon which the council is most reliant. These considerations lead the auditors to include different kinds of reviews in their annual plan:

- Investigative reviews where organizational management has an unacceptable level of uncertainty about the processes related to a business activity or identified risk area.
- Reviews where A&AS assists organizational management in developing the control systems to mitigate unacceptable current risks. These reviews would target the highest risk areas where no action by management or review coverage is planned.
- Control assurance reviews where A&AS assesses the adequacy and efficiency of the control systems in place over a function of interest to management or of a function where the control systems are complex or expensive. These are the most common type of reviews A&AS performs.
- Depot reviews where inherent and current risks would not be very high.

The A&AS annual audit plan identifies those areas proposed for internal audit review activity together with a priority order and reasoning for their identification. To help determine high-risk areas for review, A&AS modified its risk analysis support program to track all auditable units after the mapping exercise. A&AS provides senior management and the audit committee with a list of candidate reviews that meet the emphasis mix required by the organization. To enable the organization's top management to make the necessary choices, the auditors indicate the resource requirements for completing each review, such as employing subject area specialists. Management chooses the audits to be conducted based on these resource constraints and the risk profiles of the areas under review.

RISK REASSESSMENT AND FEEDBACK REPORT
Comparison of Current Risk Assessment Against A&AS Reassessment

                                Corporate Risk Profile              Assurance & Audit Services
                                (or Divisional Risk Management Plan) Reassessment
Inherent Risk                   High 32                             High 32
Risk Treatments and Controls    Managed to Varying Levels           Structures in Place But Not Fully Effective
Current Risk                    Medium 8                            Medium+ 16

FEEDBACK ON RISK RATINGS

A&AS comments on the overall risk management of the area under review in the conclusion of its reports to the audit committee and management. These reports also show the pre-audit inherent and current risks of an area with the implied value of the controls in place together with the auditors' reassessment of the risk ratings after discussion and agreement with management. Auditors feed this reassessment, which could confirm the current rankings, into the area's risk management framework and into the corporate risk management framework. The council's Corporate Risk Management Branch and Corporate Risk Management Committee receive information on any reassessment. A consistent reporting format for the A&AS reassessment facilitates reporting by auditors and feedback to staff responsible for risk management (see "Risk Reassessment and Feedback Report" above). Later, as more reviews are conducted, assessments of the divisional risk registers will provide management with comfort that activities deemed to be of an acceptable current risk have, in fact, been assessed independently. Also, in the corporate risk management framework, auditors can add a comment in the "Assurance" segment noting that A&AS has reviewed the risk treatments and including brief details of findings and dates.

INCREASING THE RELIABILITY OF ASSESSMENTS

The methodology A&AS has adopted links internal auditors' risk analysis more closely with the council's corporate risk management framework. Moreover, reassessing the audit universe from another perspective has allowed auditors to identify areas that their old method would have missed. In addition, by reassessing the ratings in the divisional risk registers through a combination of independent and self assessments, auditors can provide management with comfort that assessments of key risk areas are reliable.

As A&AS has discovered, internal auditors can promote risk management throughout their organization by aligning their risk analysis with the ERM framework of their organization. This alignment can challenge and enhance risk rankings and treatments, as well as improve the identification and evaluation of controls. Moreover, tying internal audit risk analysis to such frameworks can clarify the ownership of risks, reduce the number of disputes at the conclusion of audits, and align reports more with the organization's objectives.

ANDREW MACLEOD, CIA, FCPA, CISA, is manager, Assurance and Audit Services at the Brisbane City Council in Australia.

BOB OVERELL, CIA, MIIA, is financial assurance and audit manager at the Brisbane City Council.

To comment on this article, e-mail the authors at amacleod@theiia.org.

To share emerging risk issues and best practices from your own audit experiences, or to request coverage of a particular risk, e-mail jamesroth@audittrends.com.

AUGUST 2005 INTERNAL AUDITOR
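A worked illustration of the ranking the article describes, added here and not the council's own risk analysis program: the factor scores are taken from the "Risk Differential Scaling Factors" table and the High/Medium/Medium+ values from the reassessment report, while the combination rule (the three factor scores summed and applied as a percentage uplift to the differential), the numeric inputs and the sample register entries are assumptions.

```python
from dataclasses import dataclass

# Scaling factors as given in the "Risk Differential Scaling Factors" table.
EXEC_INTEREST = {"High": 40, "Medium High": 30, "Medium": 20, "Low": 10}
CONTROL_PERCEPTION = {"Poor": 30, "Fair": 20, "Good": 10}
TIME_SINCE_AUDIT = {"3 or more years": 30, "1-3 years": 20, "Within the last year": 10}
HIGH_INHERENT = 32  # numeric value of a "High" rating in the reassessment report

@dataclass
class AuditableUnit:
    name: str
    inherent: int        # inherent risk, numeric (from the conversion chart)
    current: int         # current risk after the self-assessed controls
    exec_interest: str
    control_perception: str
    time_since_audit: str
    action_planned: bool = True

def risk_differential(unit):
    """Implied value of the self-assessed, untested controls."""
    return unit.inherent - unit.current

def scaled_differential(unit):
    """Assumed rule: the three factor scores sum to a percentage uplift."""
    uplift = (EXEC_INTEREST[unit.exec_interest]
              + CONTROL_PERCEPTION[unit.control_perception]
              + TIME_SINCE_AUDIT[unit.time_since_audit])
    return risk_differential(unit) * (1 + uplift / 100)

def rank_units(units):
    """Candidate reviews: largest claimed control value, least tested, first."""
    return sorted(units, key=scaled_differential, reverse=True)

def untreated_high_risks(units):
    """Separate report: high inherent risk, current risk unchanged, no action planned."""
    return [u for u in units if u.inherent >= HIGH_INHERENT
            and u.current == u.inherent and not u.action_planned]

# Constructed sample register entries (not the council's data).
SAMPLE_UNITS = [
    AuditableUnit("Payroll", 32, 8, "High", "Poor", "3 or more years"),
    AuditableUnit("Fleet maintenance", 32, 16, "Medium", "Good", "Within the last year"),
    AuditableUnit("Records retention", 16, 8, "Low", "Fair", "1-3 years"),
    AuditableUnit("Contaminated sites", 32, 32, "Medium High", "Fair", "3 or more years",
                  action_planned=False),
]

if __name__ == "__main__":
    for u in rank_units(SAMPLE_UNITS):
        print(f"{u.name:20s} differential={risk_differential(u):3d} scaled={scaled_differential(u):.1f}")
    print("untreated high risks:", [u.name for u in untreated_high_risks(SAMPLE_UNITS)])
```

Payroll tops the ranking because a large claimed control value is combined with the highest scores on all three factors, while the untreated high-risk entry scores zero on the differential and is surfaced only by the separate report.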
