SlideShare a Scribd company logo

Audit of Risk Management Final Report

E
essbaih

Audit of Risk Management Final Report

Business
1 of 17
Download to read offline
1 Audit of Risk Management Final Report March 25, 2010 Prepared by Internal Audit & Evaluation for the: Audit and Evaluation Committee meeting of March 25, 2010 Finance Canada
2 Table of Contents Executive Summary 3 Background 4 Audit Objective and Scope 5 Approach, Assurance Statement and Auditing Standards Employed 6 Conclusions 7 Findings by Audit Criteria 8 Recommendations and Management Action Plan 13 Members of the Audit Team 14 Appendices Appendix A – List of Department of Finance Canada Personnel Interviewed 16 Appendix B – List of Key Documents Consulted 17
3 Executive Summary As part of the Government of Canada’s commitment to strengthening risk management practices in the public service, the Treasury Board of Canada Secretariat (TBS) developed the Integrated Risk Management Framework (IRMF) in 2001. The IRMF defines integrated risk management as a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives. The objective of the Audit of Risk Management is to provide the Department of Finance (the Department) with reasonable assurance that the corporate risk management framework and processes it has in place effectively identify, assess and manage corporate risks. Our audit concluded that overall, the Department has developed an adequate Corporate Risk Profile (CRP) and has established an Integrated Risk Management (IRM) function, in line with good management practices and the TBS guidelines on IRMF. The Department has implemented the elements of an effective risk management framework; however, some elements of the communication strategy presented in the Corporate Risk Profile (CRP) have not been fully implemented.
4 Background History As per the Treasury Board Policy on Internal Audit, risk management is a mandatory element of internal audit coverage. Consequently, the Audit of Risk Management has been included as part of the Department’s three-year risk-based audit plan, which was approved by the Deputy Minister upon the recommendation of the Audit and Evaluation Committee. Background As part of the Government of Canada’s commitment to strengthening risk management practices in the public service, TBS developed the IRMF in 2001. The IRMF provides Departments with guidance on developing their risk management function so that they may be more effective in identifying and mitigating risks, which would otherwise affect their ability to meet departmental objectives. As per the IRMF, the primary element of establishing an effective risk management framework is for an organization to develop a Corporate Risk Profile (CRP). The CRP is an effective tool used to identify key corporate risks such as infrastructure risks, people risks, policy risks and process risks and establish strategies to mitigate these risks. In the Department, the Corporate Services Branch provides leadership towards integrating risk management at all levels and provides guidance to branches, as required. The ultimate responsibility for implementing effective risk management; however, rests with all employees, particularly the management team.
5 Objective The objective of the Audit of Risk Management is to provide reasonable assurance that a corporate risk management framework and processes are in place and that corporate risks are identified, assessed and managed. Scope The scope of the audit includes assessing risk management practices at the corporate and branch levels. At the corporate level, the audit examines the Department’s CRP for the purpose of assessing the integrated risk management function. Other integrated risk management practices at the departmental level were also assessed. At the branch level, the audit examines practices and processes regarding the implementation of the integrated risk management framework, such as the manner in which each branch establishes the necessary systems and appropriate mitigation strategies to implement risk management in their respective functions. The scope of the audit does not include the following: An assessment of the appropriateness of the ten key risk areas identified in the CRP. An assessment of the appropriateness of policy recommendations. Audit Objective and Scope
6 The audit was conducted in accordance with the International Standards for the Professional Practices of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and conclusions presented in this report. Audit procedures included, but were not limited to, interviews, observations, review of supporting documentation, and analytical reviews. The audit criteria used to develop the required audit tests were based on: (1) good management practices; and (2) applicable policies and regulations, in particular the TBS guidelines on IRMF, and relevant elements of the Office of the Comptroller General’s Core Management Controls. In total, 18 individuals were interviewed including personnel from each of the Department’s nine branches, specifically two senior representatives per branch in most instances. The complete list of personnel interviewed is provided in Appendix A. In addition, the audit team conducted a review of relevant policies, standards, directives and related documents (list provided in Appendix B). The audit approach allowed for the audit results to be communicated in such a manner as to enable management to review and provide feedback on the findings and conclusions before they were finalized. Approach, Assurance Statement and Auditing Standards Employed
7 Conclusions To provide reasonable assurance that a corporate risk management framework and processes are in place and that corporate risks are identified, assessed and managed. The audit concluded that overall, the Department’s Risk Management practices are in line with good management practices and the TBS guidelines on Integrated Risk Management Framework (IRMF). In particular, the following good management practices and key aspects are worth noting:  The Department has a standard approach to risk management and an approved Corporate Risk Profile (CRP) that identifies key risks.  The Department has established an Integrated Risk Management (IRM) function led by the Corporate Planning Division (CPD) of the Corporate Services Branch (CSB).  Risk Management is practiced enterprise-wide and at the branch levels. An effective communication strategy is an essential part of fostering a corporate culture that enables effective and integrated risk management at every level of the organization, including the sharing of best practices. The Department has implemented the elements of an effective risk management framework; however, some elements of the communication strategy presented in the Corporate Risk Profile (CRP) have not been fully implemented. Audit Objective
8 The following table presents the assessment of the level of risk exposure identified in the audit. Levels of risk exposure are categorized by audit criteria. The audit criteria used to assess the risk exposure are based on good management practices, the TBS guidelines on IRMF and relevant elements of OCG Core Management Controls related to risk management. The risk ranking is based on the level of risk exposure. A high, medium or low ranking corresponds to the potential risk exposure auditors believe may have an impact on the achievement of Department objectives, and is indicative of the priority management should give to address the recommendations. The assessment summarizes the audit observations based on the factual evidence gathered and analyzed during the audit. Based on these assessments, issues/themes along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendations and Management Responses” section. Findings by Audit Criteria High exposure Medium exposure Low exposure
9 Criteria Risk Exposure Assessment Establishing the Corporate Risk Profile The Corporate Risk Profile of the Department has identified and highlighted key corporate risk areas Low The Department has a standard approach to risk management and an approved Corporate Risk Profile (CRP) which identifies key risks. The Department has had a CRP since November 2007 and its status is reviewed three times a year as part of the integrated planning cycle, with changes to the CRP included as warranted. This has led to revisions to the CRP in November 2008 and June 2009. The process of developing and updating the CRP is integrated within the Department’s planning, monitoring and reporting cycle. The Department’s major risks identified in the CRP are regularly reviewed as part of the integrated planning process. An environmental scan involving all branches is usually conducted three times a year, threats and opportunities are identified, mitigation strategies are developed and progress on the implementation of these strategies is monitored. The risks in the CRP are identified by management as risks that would most affect the Department’s ability to achieve its objectives. The most recent CRP was reviewed and discussed with senior management at various committees, including the Departmental Coordinating Committee (DCC), prior to receiving final approval at the Executive Committee (EXEC) on June 5, 2009. Findings by Audit Criteria
10 Findings by Audit Criteria Criteria Risk Exposure Assessment Practicing Integrated Risk Management The Department implements and practices Integrated Risk Management within an established framework Low The Department has established and implemented an Integrated Risk Management (IRM) function led by the Corporate Planning Division (Corporate Planning) of the Corporate Services Branch (CSB). The Corporate Planning within the CSB provides horizontal support and leadership to all branches on matters related to risk management, by providing advice and coordinating activities related to the function. As part of the integrated planning process, each branch regularly assesses the risks relevant to their area and develops corresponding mitigation strategies. This risk information is collected from the branches and assessed through a standard planning template by the Corporate Planning, with the support of the Department’s Planning Network (Network). The Network is made up of representatives from all branches in order to integrate business planning and risk management across the Department. The information collected in these templates is updated three times a year by the branches and forms the basis of changes to the CRP as warranted.
11 Findings by Audit Criteria Criteria Risk Exposure Assessment Practicing Integrated Risk Management (continued from the previous page) The Department implements and practices Integrated Risk Management within an established framework Low Once templates have been completed and information has been assessed, senior management is further consulted through the DCC for their review, prior to a final review and approval from the EXEC. The risk identification process is rigorous and considers internal and external risk exposures. This process results in the identification of the ten major risk areas documented in the CRP, which are categorized into four groups: (1) policy risks, (2) people risks, (3) infrastructure risks and (4) process risks. In addition to the CRP risks, each branch identifies other risks that could impact their specific subject business areas. During 2009-2010, the branches identified approximately thirty additional risks during one of three integrated planning exercises. Mitigation strategies were developed and included in each of the branches’ respective business plans.
12 Findings by Audit Criteria Criteria Risk Exposure Assessment Practicing Integrated Risk Management (continued from the previous page) The Department implements and practices Integrated Risk Management within an established framework Low The integrated approach to risk management is complemented by appointing “risk champions”, at the Assistant Deputy Minister level for each risk identified in the CRP. These “risk champions” are responsible for ensuring effective synchronized mitigation strategies for the department-wide key corporate risk assigned to them; however, their involvement beyond their Branch is limited. Although the Department has an effective integrated approach to risk management, some elements of the communication strategy presented in the CRP have not been fully implemented. For the most part, these relate to communicating key corporate messages more widely across Branches to management and all staff regarding: (1) availability of the risk management web site, (2) recommended risk management tools; (3) important updates to the department-wide risk management strategy; and (4) sharing and discussing best practices at department-wide forums such as the general assembly and the annual executive retreat. An effective communication strategy is an essential part of fostering a corporate culture that enables effective and integrated risk management at every level of the organization, including the sharing of best practices.
13 Recommendations and Management Action Plan The following section presents the key opportunity for improvement stemming from the audit findings. The impact and recommendation is also stated. Where applicable, the relevant management initiatives already underway are included. For the recommendation, management has provided:  An action plan, which addresses the recommendation;  The position responsible for implementing the action plan; and,  The target date for completion.
14 Summary of the Audit Finding and its Impact As part of its Integrated Risk Management Framework and consistent with best practices, the Department has established a communication strategy. Effective communication is essential to increasing awareness and effective implementation of key risk management practices at all levels, particularly risk mitigation strategies. Although the Department has an effective integrated approach to risk management, some elements of the communication strategy presented in the CRP have not been fully implemented. For the most part, these relate to communicating key corporate messages more widely across Branches to foster the sharing of best practices among management and all staff. Fully implementing an effective communication strategy will further improve management and staff’s awareness of the Corporate Risk Profile and encourage the use of available tools, such as the Department’s website on risk management. Ultimately, increasing risk management awareness and the sharing of best practices will better enable the Department to achieve its objectives. Recommendation Management Response It is recommended that the ADM, Corporate Services Branch (CSB), in cooperation with the ADM, Consultations and Communications (C&C) Branch, fully implement the communication strategy for risk management. The ADM CSB, in cooperation with the ADM C&C Branch, is committed to continue to foster communications around risk management. The Director Corporate Planning will work with Finance Branches to validate which form of communication is best suited to increase awareness of risk management practices across the Department, as part of the comprehensive review of the Corporate Risk Profile planned for summer 2010. The communications strategy will be updated based on review findings by the end of Q2 2010-11. The ADM-CSB will then work to implement the updated communications strategy with a focus on increasing risk management awareness and the sharing of best practices among management and staff across all Branches. It is expected that the communication strategy will be fully implemented by the end of Q2 2011-12. 1. Foster Communications Around Risk Management Best Practices
15 The members of the audit team are: Roger Vachon, Master in Administration, Audit Manager Olivia Zhu, MPA, CIA, Senior Auditor Ziad Shadid, CGA, Audit Manager Christian Kratchanov, MBA, CIA, Chief Audit Executive Members of the Audit Team
16 Appendix A – List of Department of Finance Canada Personnel Interviewed Jean- Michel Catta, General Director, Consultations and Communications Branch Chris Forbes, General Director, Federal-Provincial Relations and Social Policy Branch David Gamble, Director - Public Affairs & Operations Division, Consultations and Communications Branch Barb Gibbon, Director – Corporate Planning, Corporate Services Branch James A. Haley, General Director, International Trade & Finance Branch Sherry Harrison, Chief Financial Officer and Executive Director, Corporate Services Branch (acting ADM Corporate Services Branch at the time of the audit interview) Nancy Horsman, General Director, Tax Policy Branch Claude Lavoie, Director – Economic Studies & Policy Analysis Division, Economic and Fiscal Policy Branch Clifton Lee-Sing, Chief – Financial Markets Division, Financial Sector Policy Branch Sheila Macdonald, Chief-International Policy & Analysis Division, International Trade and Finance Branch Erin O’Brien, Chief - Policy Analysis & Coordination, Economic Development & Corporate Finance Branch Hélène Shirreff, Senior Analyst – Corporate Planning, Corporate Services Branch Trevor J. Smith, Special Advisor and Counsel to the ADM, Law Branch Rob Stewart, General Director, Financial Sector Policy Branch Peter Turner, Chief – Personal Income Tax Division, Tax Policy Branch Julie Turcotte, Chief – Economic Studies and Policy Analysis Division, Economic and Fiscal Policy Branch Nipun Vats, Senior Chief – Federal-Provincial Relations Division, Federal-Provincial Relations and Social Policy Branch Kathy Wesley, Director - Access to Information and Privacy Division, Law Branch
17 Appendix B – List of Key Documents consulted Legislation • The Accountability Act (April 2006) Standards (TBS) • Integrated Risk Management Framework (April 2001) Policy (TBS) • Risk Management Policy (October 2001) Documents Specific to the Department • Corporate Risk Profile (June 2009) • Corporate Risk Profile (November 2008) • Corporate Risk Profile (November 2007) • Integrated Business Plan (2009-2010) • Business Planning Input – Operating Environment and Risk Analysis (May 2009 – one document per Branch) Other Documents • Management Accountability Framework (2008-2009) • Integrated Risk Management Implementation Guide - (TBS) (2004) • OCG Core Management Controls: A Guide for Internal Auditors (OCG) (November 2007)

Recommended

Key considerations for your internal audit plan
Key considerations for your internal audit planKey considerations for your internal audit plan
Key considerations for your internal audit planessbaih
 
Risk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditRisk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditSmitesh Bhosale
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditorsminkhollow
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management FrameworkTreasury Consulting LLP
 
Risk Management1
Risk Management1Risk Management1
Risk Management1Henry H L Lim
 
Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Nidhi Gupta
 
Upgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationUpgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationInternational Federation of Accountants
 
Risk Based Audit Training by TOMMY SEAH
Risk Based Audit Training by TOMMY SEAHRisk Based Audit Training by TOMMY SEAH
Risk Based Audit Training by TOMMY SEAHTommy Seah
 

Recommended

Key considerations for your internal audit plan
Key considerations for your internal audit planKey considerations for your internal audit plan
Key considerations for your internal audit planessbaih
 
Risk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditRisk assessment and internal controls - Internal Audit
Risk assessment and internal controls - Internal AuditSmitesh Bhosale
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditorsminkhollow
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management FrameworkTreasury Consulting LLP
 
Risk Management1
Risk Management1Risk Management1
Risk Management1Henry H L Lim
 
Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Nidhi Gupta
 
Upgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationUpgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationInternational Federation of Accountants
 
Risk Based Audit Training by TOMMY SEAH
Risk Based Audit Training by TOMMY SEAHRisk Based Audit Training by TOMMY SEAH
Risk Based Audit Training by TOMMY SEAHTommy Seah
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
Turning risk into opportunities
Turning risk into opportunitiesTurning risk into opportunities
Turning risk into opportunitiesManoj Agarwal
 
Professional opportunities in Internal Audit
Professional opportunities in Internal AuditProfessional opportunities in Internal Audit
Professional opportunities in Internal AuditManoj Agarwal
 
Internal Control COSO
Internal Control COSOInternal Control COSO
Internal Control COSOJesús Gándara
 
Risk based auditing
Risk based auditingRisk based auditing
Risk based auditingTunde Elijah Kelani
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditingFrederick Altum Pokoo-Aikins
 
Audit Audit Commite And Risk Management
Audit Audit Commite And Risk ManagementAudit Audit Commite And Risk Management
Audit Audit Commite And Risk ManagementManoj Agarwal
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated frameworkIrfan Ahmed - ACA, CICA
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkAziz Fataliyev, Internal Audit Practitioner
 
Model i best practice evaluation worksheet for ia
Model i best practice evaluation worksheet for iaModel i best practice evaluation worksheet for ia
Model i best practice evaluation worksheet for iaRajeswaran Muthu Venkatachalam
 
Ppt on risk based internal audit
Ppt on risk based internal auditPpt on risk based internal audit
Ppt on risk based internal auditAmitaMistry2
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Auditijazurrehman
 
Coso framework
Coso frameworkCoso framework
Coso frameworkDarryl Woolley
 
Auditing corporate governance guide
Auditing corporate governance guideAuditing corporate governance guide
Auditing corporate governance guideCenapSerdarolu
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO FrameworkJesús Gándara
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit MethodologySalih Islam
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKPOSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKHaresh Lalwani
 
Corporate Governance
Corporate GovernanceCorporate Governance
Corporate GovernanceSalih Islam
 
Internal controls myths and best practices
Internal controls myths and best practicesInternal controls myths and best practices
Internal controls myths and best practicesPamela Mantone
 
Internal audit strategy for non-profits
Internal audit strategy for non-profitsInternal audit strategy for non-profits
Internal audit strategy for non-profitsDebashis Gupta
 
Auditing Principles2
Auditing Principles2Auditing Principles2
Auditing Principles2Jose Cintron
 
Risk assessments
Risk assessmentsRisk assessments
Risk assessmentsElisaNarborough
 

More Related Content

What's hot

Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
Turning risk into opportunities
Turning risk into opportunitiesTurning risk into opportunities
Turning risk into opportunitiesManoj Agarwal
 
Professional opportunities in Internal Audit
Professional opportunities in Internal AuditProfessional opportunities in Internal Audit
Professional opportunities in Internal AuditManoj Agarwal
 
Audit Audit Commite And Risk Management
Audit Audit Commite And Risk ManagementAudit Audit Commite And Risk Management
Audit Audit Commite And Risk ManagementManoj Agarwal
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated frameworkIrfan Ahmed - ACA, CICA
 
Ppt on risk based internal audit
Ppt on risk based internal auditPpt on risk based internal audit
Ppt on risk based internal auditAmitaMistry2
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Auditijazurrehman
 
Auditing corporate governance guide
Auditing corporate governance guideAuditing corporate governance guide
Auditing corporate governance guideCenapSerdarolu
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO FrameworkJesús Gándara
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit MethodologySalih Islam
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKPOSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKHaresh Lalwani
 
Corporate Governance
Corporate GovernanceCorporate Governance
Corporate GovernanceSalih Islam
 
Internal controls myths and best practices
Internal controls myths and best practicesInternal controls myths and best practices
Internal controls myths and best practicesPamela Mantone
 
Internal audit strategy for non-profits
Internal audit strategy for non-profitsInternal audit strategy for non-profits
Internal audit strategy for non-profitsDebashis Gupta
 

What's hot (20)

Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Turning risk into opportunities
Turning risk into opportunitiesTurning risk into opportunities
Turning risk into opportunities
 
Professional opportunities in Internal Audit
Professional opportunities in Internal AuditProfessional opportunities in Internal Audit
Professional opportunities in Internal Audit
 
Internal Control COSO
Internal Control COSOInternal Control COSO
Internal Control COSO
 
Risk based auditing
Risk based auditingRisk based auditing
Risk based auditing
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditing
 
Audit Audit Commite And Risk Management
Audit Audit Commite And Risk ManagementAudit Audit Commite And Risk Management
Audit Audit Commite And Risk Management
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated framework
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated Framework
 
Model i best practice evaluation worksheet for ia
Model i best practice evaluation worksheet for iaModel i best practice evaluation worksheet for ia
Model i best practice evaluation worksheet for ia
 
Ppt on risk based internal audit
Ppt on risk based internal auditPpt on risk based internal audit
Ppt on risk based internal audit
 
Coso And Internal Audit
Coso And Internal AuditCoso And Internal Audit
Coso And Internal Audit
 
Coso framework
Coso frameworkCoso framework
Coso framework
 
Auditing corporate governance guide
Auditing corporate governance guideAuditing corporate governance guide
Auditing corporate governance guide
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO Framework
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit Methodology
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKPOSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
 
Corporate Governance
Corporate GovernanceCorporate Governance
Corporate Governance
 
Internal controls myths and best practices
Internal controls myths and best practicesInternal controls myths and best practices
Internal controls myths and best practices
 
Internal audit strategy for non-profits
Internal audit strategy for non-profitsInternal audit strategy for non-profits
Internal audit strategy for non-profits
 

Viewers also liked

Auditing Principles2
Auditing Principles2Auditing Principles2
Auditing Principles2Jose Cintron
 
Enterprise Risk Management in Financial Institutions- Revelations of the Rece...
Enterprise Risk Management in Financial Institutions- Revelations of the Rece...Enterprise Risk Management in Financial Institutions- Revelations of the Rece...
Enterprise Risk Management in Financial Institutions- Revelations of the Rece...Andreas Zarifis ACII Chartered Insurer
 
“Risk Based Internal Audit in Bangladesh Bank”
“Risk Based Internal Audit in Bangladesh Bank”“Risk Based Internal Audit in Bangladesh Bank”
“Risk Based Internal Audit in Bangladesh Bank”M Anwarul Hoque Tareque
 
Integrating Data Analytics into a Risk-Based Audit Plan
Integrating Data Analytics into a Risk-Based Audit PlanIntegrating Data Analytics into a Risk-Based Audit Plan
Integrating Data Analytics into a Risk-Based Audit PlanCaseWare IDEA
 
Operational risk management
Operational risk managementOperational risk management
Operational risk managementUjjwal 'Shanu'
 
Measuring operational risk
Measuring operational riskMeasuring operational risk
Measuring operational riskUjjwal 'Shanu'
 
Internal Audit Plan 2015
Internal Audit Plan 2015Internal Audit Plan 2015
Internal Audit Plan 2015Mohammad Kashif
 
Risk Based Quality Audit Part 1
Risk Based Quality Audit Part 1Risk Based Quality Audit Part 1
Risk Based Quality Audit Part 1Thomas Bradley
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarAviva Spectrum™
 
Audit planning and risk assessment
Audit planning and risk assessmentAudit planning and risk assessment
Audit planning and risk assessmentcasahiljain1992
 
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONOPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONFrackson Kathibula-Nyoni
 
Risk Based Audit Approach
Risk Based Audit ApproachRisk Based Audit Approach
Risk Based Audit ApproachSalih Islam
 
6 Pitfalls when Implementing Enterprise Risk Management
6 Pitfalls when Implementing Enterprise Risk Management6 Pitfalls when Implementing Enterprise Risk Management
6 Pitfalls when Implementing Enterprise Risk ManagementPECB
 
Sample audit plan
Sample audit planSample audit plan
Sample audit planMaher Manan
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...Eneni Oduwole
 
Enterprise Risk Management Framework
Enterprise Risk Management FrameworkEnterprise Risk Management Framework
Enterprise Risk Management FrameworkNigel Tebbutt
 

Viewers also liked (18)

Auditing Principles2
Auditing Principles2Auditing Principles2
Auditing Principles2
 
Risk assessments
Risk assessmentsRisk assessments
Risk assessments
 
Enterprise Risk Management in Financial Institutions- Revelations of the Rece...
Enterprise Risk Management in Financial Institutions- Revelations of the Rece...Enterprise Risk Management in Financial Institutions- Revelations of the Rece...
Enterprise Risk Management in Financial Institutions- Revelations of the Rece...
 
“Risk Based Internal Audit in Bangladesh Bank”
“Risk Based Internal Audit in Bangladesh Bank”“Risk Based Internal Audit in Bangladesh Bank”
“Risk Based Internal Audit in Bangladesh Bank”
 
Integrating Data Analytics into a Risk-Based Audit Plan
Integrating Data Analytics into a Risk-Based Audit PlanIntegrating Data Analytics into a Risk-Based Audit Plan
Integrating Data Analytics into a Risk-Based Audit Plan
 
Operational risk management
Operational risk managementOperational risk management
Operational risk management
 
Measuring operational risk
Measuring operational riskMeasuring operational risk
Measuring operational risk
 
Internal Audit Plan 2015
Internal Audit Plan 2015Internal Audit Plan 2015
Internal Audit Plan 2015
 
Risk Based Quality Audit Part 1
Risk Based Quality Audit Part 1Risk Based Quality Audit Part 1
Risk Based Quality Audit Part 1
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches Webinar
 
Audit planning and risk assessment
Audit planning and risk assessmentAudit planning and risk assessment
Audit planning and risk assessment
 
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONOPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
 
Risk Based Audit Approach
Risk Based Audit ApproachRisk Based Audit Approach
Risk Based Audit Approach
 
6 Pitfalls when Implementing Enterprise Risk Management
6 Pitfalls when Implementing Enterprise Risk Management6 Pitfalls when Implementing Enterprise Risk Management
6 Pitfalls when Implementing Enterprise Risk Management
 
Sample audit plan
Sample audit planSample audit plan
Sample audit plan
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
 
Enterprise Risk Management Framework
Enterprise Risk Management FrameworkEnterprise Risk Management Framework
Enterprise Risk Management Framework
 
ERM-Enterprise Risk Management
ERM-Enterprise Risk ManagementERM-Enterprise Risk Management
ERM-Enterprise Risk Management
 

Similar to Audit of Risk Management Final Report

Kaneshiro Slides and enterprise ris managent
Kaneshiro Slides and enterprise ris managentKaneshiro Slides and enterprise ris managent
Kaneshiro Slides and enterprise ris managentavinashchauhan70462
 
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfabdo badr
 
dt_mt_SREP_Pub_Transformation
dt_mt_SREP_Pub_Transformationdt_mt_SREP_Pub_Transformation
dt_mt_SREP_Pub_TransformationMark Micallef
 
Implementing Internal Audit Governance
Implementing Internal Audit GovernanceImplementing Internal Audit Governance
Implementing Internal Audit GovernanceAswin Kumar
 
Case Study - Leveraging Risk Management for Future Growth - Published Final Copy
Case Study - Leveraging Risk Management for Future Growth - Published Final CopyCase Study - Leveraging Risk Management for Future Growth - Published Final Copy
Case Study - Leveraging Risk Management for Future Growth - Published Final CopyKevin Fryatt
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentalsmikaelastafrace
 
Risk management
Risk managementRisk management
Risk managementLepipi
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy PresentationSuper Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy PresentationDavid Fernandes
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk ConsultingPrashant Jain
 
#Contract Risk Audit# By SN panigrahi
#Contract Risk Audit# By SN panigrahi#Contract Risk Audit# By SN panigrahi
#Contract Risk Audit# By SN panigrahiSN Panigrahi, PMP
 
COSO_2013_Framework_on_Internal_Control.pdf
COSO_2013_Framework_on_Internal_Control.pdfCOSO_2013_Framework_on_Internal_Control.pdf
COSO_2013_Framework_on_Internal_Control.pdfAliehaDhea
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to financeRobert Reed
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1Paul Hunt
 
Mpact Risk Management Review_FINAL
Mpact Risk Management Review_FINALMpact Risk Management Review_FINAL
Mpact Risk Management Review_FINALDeborah Chapman
 
Risk Appetite Statements - IRM India Affiliate
Risk Appetite Statements - IRM India AffiliateRisk Appetite Statements - IRM India Affiliate
Risk Appetite Statements - IRM India AffiliateIRM India Affiliate
 

Similar to Audit of Risk Management Final Report (20)

Kaneshiro Slides and enterprise ris managent
Kaneshiro Slides and enterprise ris managentKaneshiro Slides and enterprise ris managent
Kaneshiro Slides and enterprise ris managent
 
Bank gaborone
Bank gaboroneBank gaborone
Bank gaborone
 
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
 
dt_mt_SREP_Pub_Transformation
dt_mt_SREP_Pub_Transformationdt_mt_SREP_Pub_Transformation
dt_mt_SREP_Pub_Transformation
 
Implementing Internal Audit Governance
Implementing Internal Audit GovernanceImplementing Internal Audit Governance
Implementing Internal Audit Governance
 
Erm whitepaper (2)
Erm whitepaper (2)Erm whitepaper (2)
Erm whitepaper (2)
 
Case Study - Leveraging Risk Management for Future Growth - Published Final Copy
Case Study - Leveraging Risk Management for Future Growth - Published Final CopyCase Study - Leveraging Risk Management for Future Growth - Published Final Copy
Case Study - Leveraging Risk Management for Future Growth - Published Final Copy
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentals
 
Risk management
Risk managementRisk management
Risk management
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy PresentationSuper Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk Consulting
 
#Contract Risk Audit# By SN panigrahi
#Contract Risk Audit# By SN panigrahi#Contract Risk Audit# By SN panigrahi
#Contract Risk Audit# By SN panigrahi
 
COSO_2013_Framework_on_Internal_Control.pdf
COSO_2013_Framework_on_Internal_Control.pdfCOSO_2013_Framework_on_Internal_Control.pdf
COSO_2013_Framework_on_Internal_Control.pdf
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to finance
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
 
Presentation_20110802213554
Presentation_20110802213554Presentation_20110802213554
Presentation_20110802213554
 
Mpact Risk Management Review_FINAL
Mpact Risk Management Review_FINALMpact Risk Management Review_FINAL
Mpact Risk Management Review_FINAL
 
Risk Appetite Statements - IRM India Affiliate
Risk Appetite Statements - IRM India AffiliateRisk Appetite Statements - IRM India Affiliate
Risk Appetite Statements - IRM India Affiliate
 
ERM Presentation.final
ERM Presentation.finalERM Presentation.final
ERM Presentation.final
 
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
 

Recently uploaded

Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Associazione Digital Days
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxappkodes
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Americas Got Grants
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...ssuserf63bd7
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOne Monitar
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersPeter Horsten
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterJamesConcepcion7
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerAggregage
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFChandresh Chudasama
 
Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsGOKUL JS
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesDoe Paoro
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
Planetary and Vedic Yagyas Bring Positive Impacts in Life
Planetary and Vedic Yagyas Bring Positive Impacts in LifePlanetary and Vedic Yagyas Bring Positive Impacts in Life
Planetary and Vedic Yagyas Bring Positive Impacts in LifeBhavana Pujan Kendra
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 

Recently uploaded (20)

Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptx
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exporters
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon Harmer
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebs
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic Experiences
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
Planetary and Vedic Yagyas Bring Positive Impacts in Life
Planetary and Vedic Yagyas Bring Positive Impacts in LifePlanetary and Vedic Yagyas Bring Positive Impacts in Life
Planetary and Vedic Yagyas Bring Positive Impacts in Life
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 

Audit of Risk Management Final Report

  • 1. 1 Audit of Risk Management Final Report March 25, 2010 Prepared by Internal Audit & Evaluation for the: Audit and Evaluation Committee meeting of March 25, 2010 Finance Canada
  • 2. 2 Table of Contents Executive Summary 3 Background 4 Audit Objective and Scope 5 Approach, Assurance Statement and Auditing Standards Employed 6 Conclusions 7 Findings by Audit Criteria 8 Recommendations and Management Action Plan 13 Members of the Audit Team 14 Appendices Appendix A – List of Department of Finance Canada Personnel Interviewed 16 Appendix B – List of Key Documents Consulted 17
  • 3. 3 Executive Summary As part of the Government of Canada’s commitment to strengthening risk management practices in the public service, the Treasury Board of Canada Secretariat (TBS) developed the Integrated Risk Management Framework (IRMF) in 2001. The IRMF defines integrated risk management as a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives. The objective of the Audit of Risk Management is to provide the Department of Finance (the Department) with reasonable assurance that the corporate risk management framework and processes it has in place effectively identify, assess and manage corporate risks. Our audit concluded that overall, the Department has developed an adequate Corporate Risk Profile (CRP) and has established an Integrated Risk Management (IRM) function, in line with good management practices and the TBS guidelines on IRMF. The Department has implemented the elements of an effective risk management framework; however, some elements of the communication strategy presented in the Corporate Risk Profile (CRP) have not been fully implemented.
  • 4. 4 Background History As per the Treasury Board Policy on Internal Audit, risk management is a mandatory element of internal audit coverage. Consequently, the Audit of Risk Management has been included as part of the Department’s three-year risk-based audit plan, which was approved by the Deputy Minister upon the recommendation of the Audit and Evaluation Committee. Background As part of the Government of Canada’s commitment to strengthening risk management practices in the public service, TBS developed the IRMF in 2001. The IRMF provides Departments with guidance on developing their risk management function so that they may be more effective in identifying and mitigating risks, which would otherwise affect their ability to meet departmental objectives. As per the IRMF, the primary element of establishing an effective risk management framework is for an organization to develop a Corporate Risk Profile (CRP). The CRP is an effective tool used to identify key corporate risks such as infrastructure risks, people risks, policy risks and process risks and establish strategies to mitigate these risks. In the Department, the Corporate Services Branch provides leadership towards integrating risk management at all levels and provides guidance to branches, as required. The ultimate responsibility for implementing effective risk management; however, rests with all employees, particularly the management team.
  • 5. 5 Objective The objective of the Audit of Risk Management is to provide reasonable assurance that a corporate risk management framework and processes are in place and that corporate risks are identified, assessed and managed. Scope The scope of the audit includes assessing risk management practices at the corporate and branch levels. At the corporate level, the audit examines the Department’s CRP for the purpose of assessing the integrated risk management function. Other integrated risk management practices at the departmental level were also assessed. At the branch level, the audit examines practices and processes regarding the implementation of the integrated risk management framework, such as the manner in which each branch establishes the necessary systems and appropriate mitigation strategies to implement risk management in their respective functions. The scope of the audit does not include the following: An assessment of the appropriateness of the ten key risk areas identified in the CRP. An assessment of the appropriateness of policy recommendations. Audit Objective and Scope
  • 6. 6 The audit was conducted in accordance with the International Standards for the Professional Practices of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and conclusions presented in this report. Audit procedures included, but were not limited to, interviews, observations, review of supporting documentation, and analytical reviews. The audit criteria used to develop the required audit tests were based on: (1) good management practices; and (2) applicable policies and regulations, in particular the TBS guidelines on IRMF, and relevant elements of the Office of the Comptroller General’s Core Management Controls. In total, 18 individuals were interviewed including personnel from each of the Department’s nine branches, specifically two senior representatives per branch in most instances. The complete list of personnel interviewed is provided in Appendix A. In addition, the audit team conducted a review of relevant policies, standards, directives and related documents (list provided in Appendix B). The audit approach allowed for the audit results to be communicated in such a manner as to enable management to review and provide feedback on the findings and conclusions before they were finalized. Approach, Assurance Statement and Auditing Standards Employed
  • 7. 7 Conclusions To provide reasonable assurance that a corporate risk management framework and processes are in place and that corporate risks are identified, assessed and managed. The audit concluded that overall, the Department’s Risk Management practices are in line with good management practices and the TBS guidelines on Integrated Risk Management Framework (IRMF). In particular, the following good management practices and key aspects are worth noting:  The Department has a standard approach to risk management and an approved Corporate Risk Profile (CRP) that identifies key risks.  The Department has established an Integrated Risk Management (IRM) function led by the Corporate Planning Division (CPD) of the Corporate Services Branch (CSB).  Risk Management is practiced enterprise-wide and at the branch levels. An effective communication strategy is an essential part of fostering a corporate culture that enables effective and integrated risk management at every level of the organization, including the sharing of best practices. The Department has implemented the elements of an effective risk management framework; however, some elements of the communication strategy presented in the Corporate Risk Profile (CRP) have not been fully implemented. Audit Objective
  • 8. 8 The following table presents the assessment of the level of risk exposure identified in the audit. Levels of risk exposure are categorized by audit criteria. The audit criteria used to assess the risk exposure are based on good management practices, the TBS guidelines on IRMF and relevant elements of OCG Core Management Controls related to risk management. The risk ranking is based on the level of risk exposure. A high, medium or low ranking corresponds to the potential risk exposure auditors believe may have an impact on the achievement of Department objectives, and is indicative of the priority management should give to address the recommendations. The assessment summarizes the audit observations based on the factual evidence gathered and analyzed during the audit. Based on these assessments, issues/themes along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendations and Management Responses” section. Findings by Audit Criteria High exposure Medium exposure Low exposure
  • 9. 9 Criteria Risk Exposure Assessment Establishing the Corporate Risk Profile The Corporate Risk Profile of the Department has identified and highlighted key corporate risk areas Low The Department has a standard approach to risk management and an approved Corporate Risk Profile (CRP) which identifies key risks. The Department has had a CRP since November 2007 and its status is reviewed three times a year as part of the integrated planning cycle, with changes to the CRP included as warranted. This has led to revisions to the CRP in November 2008 and June 2009. The process of developing and updating the CRP is integrated within the Department’s planning, monitoring and reporting cycle. The Department’s major risks identified in the CRP are regularly reviewed as part of the integrated planning process. An environmental scan involving all branches is usually conducted three times a year, threats and opportunities are identified, mitigation strategies are developed and progress on the implementation of these strategies is monitored. The risks in the CRP are identified by management as risks that would most affect the Department’s ability to achieve its objectives. The most recent CRP was reviewed and discussed with senior management at various committees, including the Departmental Coordinating Committee (DCC), prior to receiving final approval at the Executive Committee (EXEC) on June 5, 2009. Findings by Audit Criteria
  • 10. 10 Findings by Audit Criteria Criteria Risk Exposure Assessment Practicing Integrated Risk Management The Department implements and practices Integrated Risk Management within an established framework Low The Department has established and implemented an Integrated Risk Management (IRM) function led by the Corporate Planning Division (Corporate Planning) of the Corporate Services Branch (CSB). The Corporate Planning within the CSB provides horizontal support and leadership to all branches on matters related to risk management, by providing advice and coordinating activities related to the function. As part of the integrated planning process, each branch regularly assesses the risks relevant to their area and develops corresponding mitigation strategies. This risk information is collected from the branches and assessed through a standard planning template by the Corporate Planning, with the support of the Department’s Planning Network (Network). The Network is made up of representatives from all branches in order to integrate business planning and risk management across the Department. The information collected in these templates is updated three times a year by the branches and forms the basis of changes to the CRP as warranted.
  • 11. 11 Findings by Audit Criteria Criteria Risk Exposure Assessment Practicing Integrated Risk Management (continued from the previous page) The Department implements and practices Integrated Risk Management within an established framework Low Once templates have been completed and information has been assessed, senior management is further consulted through the DCC for their review, prior to a final review and approval from the EXEC. The risk identification process is rigorous and considers internal and external risk exposures. This process results in the identification of the ten major risk areas documented in the CRP, which are categorized into four groups: (1) policy risks, (2) people risks, (3) infrastructure risks and (4) process risks. In addition to the CRP risks, each branch identifies other risks that could impact their specific subject business areas. During 2009-2010, the branches identified approximately thirty additional risks during one of three integrated planning exercises. Mitigation strategies were developed and included in each of the branches’ respective business plans.
  • 12. 12 Findings by Audit Criteria Criteria Risk Exposure Assessment Practicing Integrated Risk Management (continued from the previous page) The Department implements and practices Integrated Risk Management within an established framework Low The integrated approach to risk management is complemented by appointing “risk champions”, at the Assistant Deputy Minister level for each risk identified in the CRP. These “risk champions” are responsible for ensuring effective synchronized mitigation strategies for the department-wide key corporate risk assigned to them; however, their involvement beyond their Branch is limited. Although the Department has an effective integrated approach to risk management, some elements of the communication strategy presented in the CRP have not been fully implemented. For the most part, these relate to communicating key corporate messages more widely across Branches to management and all staff regarding: (1) availability of the risk management web site, (2) recommended risk management tools; (3) important updates to the department-wide risk management strategy; and (4) sharing and discussing best practices at department-wide forums such as the general assembly and the annual executive retreat. An effective communication strategy is an essential part of fostering a corporate culture that enables effective and integrated risk management at every level of the organization, including the sharing of best practices.
  • 13. 13 Recommendations and Management Action Plan The following section presents the key opportunity for improvement stemming from the audit findings. The impact and recommendation is also stated. Where applicable, the relevant management initiatives already underway are included. For the recommendation, management has provided:  An action plan, which addresses the recommendation;  The position responsible for implementing the action plan; and,  The target date for completion.
  • 14. 14 Summary of the Audit Finding and its Impact As part of its Integrated Risk Management Framework and consistent with best practices, the Department has established a communication strategy. Effective communication is essential to increasing awareness and effective implementation of key risk management practices at all levels, particularly risk mitigation strategies. Although the Department has an effective integrated approach to risk management, some elements of the communication strategy presented in the CRP have not been fully implemented. For the most part, these relate to communicating key corporate messages more widely across Branches to foster the sharing of best practices among management and all staff. Fully implementing an effective communication strategy will further improve management and staff’s awareness of the Corporate Risk Profile and encourage the use of available tools, such as the Department’s website on risk management. Ultimately, increasing risk management awareness and the sharing of best practices will better enable the Department to achieve its objectives. Recommendation Management Response It is recommended that the ADM, Corporate Services Branch (CSB), in cooperation with the ADM, Consultations and Communications (C&C) Branch, fully implement the communication strategy for risk management. The ADM CSB, in cooperation with the ADM C&C Branch, is committed to continue to foster communications around risk management. The Director Corporate Planning will work with Finance Branches to validate which form of communication is best suited to increase awareness of risk management practices across the Department, as part of the comprehensive review of the Corporate Risk Profile planned for summer 2010. The communications strategy will be updated based on review findings by the end of Q2 2010-11. The ADM-CSB will then work to implement the updated communications strategy with a focus on increasing risk management awareness and the sharing of best practices among management and staff across all Branches. It is expected that the communication strategy will be fully implemented by the end of Q2 2011-12. 1. Foster Communications Around Risk Management Best Practices
  • 15. 15 The members of the audit team are: Roger Vachon, Master in Administration, Audit Manager Olivia Zhu, MPA, CIA, Senior Auditor Ziad Shadid, CGA, Audit Manager Christian Kratchanov, MBA, CIA, Chief Audit Executive Members of the Audit Team
  • 16. 16 Appendix A – List of Department of Finance Canada Personnel Interviewed Jean- Michel Catta, General Director, Consultations and Communications Branch Chris Forbes, General Director, Federal-Provincial Relations and Social Policy Branch David Gamble, Director - Public Affairs & Operations Division, Consultations and Communications Branch Barb Gibbon, Director – Corporate Planning, Corporate Services Branch James A. Haley, General Director, International Trade & Finance Branch Sherry Harrison, Chief Financial Officer and Executive Director, Corporate Services Branch (acting ADM Corporate Services Branch at the time of the audit interview) Nancy Horsman, General Director, Tax Policy Branch Claude Lavoie, Director – Economic Studies & Policy Analysis Division, Economic and Fiscal Policy Branch Clifton Lee-Sing, Chief – Financial Markets Division, Financial Sector Policy Branch Sheila Macdonald, Chief-International Policy & Analysis Division, International Trade and Finance Branch Erin O’Brien, Chief - Policy Analysis & Coordination, Economic Development & Corporate Finance Branch Hélène Shirreff, Senior Analyst – Corporate Planning, Corporate Services Branch Trevor J. Smith, Special Advisor and Counsel to the ADM, Law Branch Rob Stewart, General Director, Financial Sector Policy Branch Peter Turner, Chief – Personal Income Tax Division, Tax Policy Branch Julie Turcotte, Chief – Economic Studies and Policy Analysis Division, Economic and Fiscal Policy Branch Nipun Vats, Senior Chief – Federal-Provincial Relations Division, Federal-Provincial Relations and Social Policy Branch Kathy Wesley, Director - Access to Information and Privacy Division, Law Branch
  • 17. 17 Appendix B – List of Key Documents consulted Legislation • The Accountability Act (April 2006) Standards (TBS) • Integrated Risk Management Framework (April 2001) Policy (TBS) • Risk Management Policy (October 2001) Documents Specific to the Department • Corporate Risk Profile (June 2009) • Corporate Risk Profile (November 2008) • Corporate Risk Profile (November 2007) • Integrated Business Plan (2009-2010) • Business Planning Input – Operating Environment and Risk Analysis (May 2009 – one document per Branch) Other Documents • Management Accountability Framework (2008-2009) • Integrated Risk Management Implementation Guide - (TBS) (2004) • OCG Core Management Controls: A Guide for Internal Auditors (OCG) (November 2007)