This document summarizes Peter Stokhof's presentation on risk management and internal auditing at the OECD. Some key points:
1. Stokhof discussed IIA standards related to internal audit's role in evaluating risk management processes and controls. He also described the OECD's experience developing a risk register and risk management framework.
2. At OECD, internal audit plays a role in compiling the risk register and uses it to develop the audit plan. However, OECD internal audit does not currently provide an overall assurance statement on risk management and controls.
3. Stokhof proposed internal audit should aim to provide such an assurance statement, with the caveats that management first asserts which key controls are
Original title: Risk Management and the Implication for IA - Mr Stokhof (OECD)
RISK MANAGEMENT AND THE IMPLICATIONS FOR INTERNAL AUDIT
Peter STOKHOF CA, CIA
Deputy Auditor-General, Office of the Auditor-General, Organisation for Economic Cooperation and Development (OECD)
peter.stokhof@oecd.org, Tel: 33-1-45 24 84 77, Fax: 33-1-45 24 17 00
Presentation Contents
1. IIA Standards in relation to Risk Management
2. The experience of Internal Audit at OECD
3. IIA Standards in relation to Control
4. The experience of Internal Audit at OECD
5. Conclusions: proposed implications for Internal Audit

IIA DEFINITION OF INTERNAL AUDITING
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of RISK MANAGEMENT, control, and governance processes.

Risk Management: IIA Performance Standard 2110.A1
Internal Audit should "monitor and evaluate the effectiveness of the organisation's risk management system".

Risk Management: IIA Practice Advisory 2110-1
Internal Audit should assess the adequacy of the risk management process in terms of five key objectives:
- Risks are identified and prioritised
- Management has determined the level of risk that is acceptable
- Risk mitigation activities are designed to reduce/manage risks to levels deemed acceptable
- Risks, and the effectiveness of the controls that manage them, are periodically monitored and reassessed
- Periodic reports are made to the governing body

Risk Management: the Experience of Internal Audit at the OECD
Financial Rule Article 7, Risk Management: "An effective system of financial risk management shall be established to identify and address internal and external risks to the Organisation, on an ongoing basis throughout the year, and bring them to the attention of the Budget Committee in a timely manner."

The OECD Risk Register
- First approved by Council in May 2004; updated in January 2006
- Risks categorised as strategic, financial, staff or IT
- For each risk, management has identified the possible consequences, severity, business units responsible and preventative action
- Promoted by the Audit Committee with the leverage of Internal Audit in its role as secretary
- Compilation led by the Executive Directorate with input from all managers; Internal Audit acting as both catalyst and advisor
- Constitutes (i) the primary source for Internal Audit's bi-annual audit plan and (ii) the starting point for each theme audited: assessing the completeness of risks and identifying the business units responsible for managing them

Control: Performance Standard 2120.A1
Internal Audit should "evaluate the adequacy and effectiveness of controls encompassing the organisation's governance, operations and information systems" regarding the:
- Reliability and integrity of financial and operational information
- Effectiveness and efficiency of operations
- Safeguarding of assets
- Compliance with laws, regulations and contracts

Control: Practice Advisory 2120.A1-1
- The audit plan should provide sufficient evidence to enable Internal Audit to report, usually once a year, on the adequacy and effectiveness of the organisation's risk management and internal control processes
- If the scope is insufficient to enable such an expression of assurance, Internal Audit should inform senior management and the governing body

Expectation Gap
It is one thing to identify responsibility for the management of risk, but quite another to identify responsibility if something goes wrong.

- How many of you in your Annual Report give simply a synopsis of audits performed and the conclusions reached on each?
- How many of you, on the basis of the work performed, go further and give an overall conclusion (even a qualified one) as to the quality of controls to mitigate risk?

Control: the Experience of Internal Audit at the OECD
- No overall assurance statement
- A stated objective, but with the proviso that management first asserts to having applied the Key Controls programmed for 2008
- The external audit function performs internal audit-type work
- The Audit Committee assures Internal and External Audit coordination, but has no mandate to oversee the risk management and internal control processes

Risk Management Oversight: the Audit Committee's Role
- The OECD Corporate Governance Principles: the Board of Directors should ensure "that appropriate systems of control are in place, in particular, systems for risk management, financial and operating control."
- Article 41 of the European Commission 8th Directive (May 2006): the Audit Committee shall "monitor the effectiveness of the Company's internal control and risk management systems"
- The IIA Research Foundation publication "Audit Committee Effectiveness: What Works Best", Chapter 2, Risk Management and Internal Control, provides examples of best practice for the role of the Audit Committee in overseeing the risk management process

- If you have an Audit Committee, does it have a defined oversight responsibility for risk?
- If you do not have an Audit Committee, what process do you have for attributing oversight responsibility for risk?

Conclusions: Proposed Implications for Internal Audit
Internal Audit should aim to provide an overall statement on the quality of the internal controls designed to mitigate risk, but with the provisos that:
- it promotes a process whereby management first asserts to having applied key controls over the processes financed by the budgets for which they are responsible, and
- in relation to the other audit actors, i.e. External Audit and the Audit Committee, it promotes a process whereby there is clear identification of responsibility for risk oversight.