1

38th Meeting of RIAS


Vienna International Centre
22-24 October 2007

Wednesday 24 October

RISK MANAGEMENT
AND THE IMPLICATIONS FOR INTERNAL AUDIT


Peter STOKHOF CA, CIA

Deputy Auditor-General
Office of the Auditor-General
Organisation for Economic Cooperation and Development (OECD)
peter.stokhof@oecd.org
Tel: 33-1-45 24 84 77 Fax: 33-1-45 24 17 00

2
Presentation Contents
1. IIA Standards in relation to Risk Management
2. The experience of Internal Audit at OECD
3. IIA Standards in relation to Control
4. The experience of Internal Audit at OECD
5. Conclusions: proposed implications for Internal Audit
3
IIA DEFINITION OF INTERNAL AUDITING
Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organisation's operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of RISK MANAGEMENT,
control, and governance processes.

4
Risk Management:
IIA Performance Standard 2110.A1

"... monitor and evaluate the effectiveness of the
organisation's risk management system"

5
Risk Management:
IIA Practice Advisory 2110-1

Internal Audit should assess the adequacy of the risk
management process in terms of five key objectives:

- Risks are identified and prioritised
- Management has determined the level of risk that is acceptable
- Risk mitigation activities are designed to reduce/manage
  risks to levels deemed acceptable
- Risks, and the effectiveness of the controls to manage them, are
  periodically monitored and reassessed
- Periodic reports are made to the governing body
6
Risk Management:
the Experience of Internal Audit at the OECD

Financial Rule Article 7, Risk Management: "An
effective system of financial risk management shall
be established to identify and address internal and
external risks to the Organisation, on an ongoing
basis throughout the year, and bring them to the
attention of the Budget Committee in a timely
manner."
7
The OECD Risk Register

- First approved by Council in May 2004, updated in January 2006
- Risks categorised as strategic, financial, staff or IT
- For each risk, management has identified the possible
  consequences; severity; business units responsible;
  preventative action
- Promoted by the Audit Committee, with the leverage of
  Internal Audit in its role as secretary
- Compilation led by the Executive Directorate, with input from all
  managers; Internal Audit acting as both catalyst and advisor
- Constitutes (i) the primary source for Internal Audit's bi-annual
  audit plan and (ii) the starting point for each theme audited:
  assessing the completeness of risks and identifying the
  business units responsible for managing them
8
Control:
Performance Standard 2120.A1

"... evaluate the adequacy and effectiveness of
controls encompassing the organisation's
governance, operations and information systems
regarding the:"

- Reliability and integrity of financial and
  operational information
- Effectiveness and efficiency of operations
- Safeguarding of assets
- Compliance with laws, regulations and
  contracts
9
Control:
Practice Advisory 2120.A1-1

The audit plan should provide sufficient evidence
to enable Internal Audit to report, usually once a
year, on the adequacy and effectiveness of the
organisation's risk management and internal
control processes.

If the scope is insufficient to enable such an expression of
assurance, Internal Audit should inform senior
management and the governing body.

10
Expectation Gap

It is one thing to identify responsibility for the
management of risk ...

... but quite another to identify responsibility if
something goes wrong.
11

How many of you in your Annual Report give
simply a synopsis of audits performed and the
conclusions reached on each?

How many of you, on the basis of the work
performed, go further and give an overall
conclusion (even a qualified one) as to the quality of
controls to mitigate risk?
12
Control:
the Experiences of Internal Audit at the OECD

- No overall assurance statement
- A stated objective, but with the proviso that first
  management asserts to having applied Key Controls;
  programmed for 2008
- The external audit function performs internal audit-type
  work
- The Audit Committee assures Internal and External Audit
  coordination, but has no mandate to oversee the risk
  management and internal control processes

13
Risk Management Oversight:
the Audit Committee's Role

- The OECD Corporate Governance Principles: the Board of
  Directors should "ensure ... that appropriate systems of control
  are in place, in particular, systems for risk management,
  financial and operating control."
- Article 41 of the European Commission 8th Directive (May
  2006): the Audit Committee shall "... monitor the effectiveness
  of the Company's internal control ... and risk management
  systems".
- The IIA Research Foundation publication "Audit Committee
  Effectiveness: What Works Best", Chapter 2 "Risk
  Management and Internal Control", provides examples of
  best practice for the role of the Audit Committee in overseeing
  the risk management process.
14

If you have an Audit Committee, does it have a
defined oversight responsibility for risk?

If you do not have an Audit Committee, what
process do you have for attributing oversight
responsibility for risk?
15
Conclusions: Proposed Implications for
Internal Audit

Internal Audit should aim to provide an overall statement on
the quality of internal controls designed to mitigate risk,

but with the provisos that

- it promotes a process whereby first management asserts to
  having applied key controls over processes financed by
  budgets for which they are responsible,

- and that, in relation to other audit actors, i.e. External Audit
  and the Audit Committee, it promotes a process whereby there is
  clear identification of responsibility for risk oversight.