Audit of Risk Management
Final Report
March 25, 2010
Prepared by Internal Audit & Evaluation for the:
Audit and Evaluation Committee meeting of March 25, 2010
Finance Canada
Table of Contents
Executive Summary
Background
Audit Objective and Scope
Approach, Assurance Statement and Auditing Standards Employed
Conclusions
Findings by Audit Criteria
Recommendations and Management Action Plan
Members of the Audit Team
Appendices
Appendix A – List of Department of Finance Canada Personnel Interviewed
Appendix B – List of Key Documents Consulted
Executive Summary
As part of the Government of Canada’s commitment to strengthening risk management
practices in the public service, the Treasury Board of Canada Secretariat (TBS) developed
the Integrated Risk Management Framework (IRMF) in 2001. The IRMF defines integrated
risk management as a continuous, proactive and systematic process to understand, manage
and communicate risk from an organization-wide perspective. It is about making strategic
decisions that contribute to the achievement of an organization's overall corporate objectives.
The objective of the Audit of Risk Management is to provide the Department of Finance (the
Department) with reasonable assurance that the corporate risk management framework and
processes it has in place effectively identify, assess and manage corporate risks.
Our audit concluded that overall, the Department has developed an adequate Corporate Risk
Profile (CRP) and has established an Integrated Risk Management (IRM) function, in line with
good management practices and the TBS guidelines on IRMF. The Department has
implemented the elements of an effective risk management framework; however, some
elements of the communication strategy presented in the Corporate Risk Profile (CRP) have
not been fully implemented.
Background
History
As per the Treasury Board Policy on Internal Audit, risk management is a mandatory element of internal
audit coverage. Consequently, the Audit of Risk Management has been included as part of the
Department’s three-year risk-based audit plan, which was approved by the Deputy Minister upon the
recommendation of the Audit and Evaluation Committee.
Background
As part of the Government of Canada’s commitment to strengthening risk management practices in the
public service, TBS developed the IRMF in 2001. The IRMF provides Departments with guidance on
developing their risk management function so that they may be more effective in identifying and mitigating
risks, which would otherwise affect their ability to meet departmental objectives.
As per the IRMF, the primary element of establishing an effective risk management framework is for an
organization to develop a Corporate Risk Profile (CRP). The CRP is an effective tool used to identify key
corporate risks such as infrastructure risks, people risks, policy risks and process risks and establish
strategies to mitigate these risks.
In the Department, the Corporate Services Branch provides leadership towards integrating risk
management at all levels and provides guidance to branches, as required. The ultimate responsibility for
implementing effective risk management, however, rests with all employees, particularly the management
team.
Audit Objective and Scope
Objective
The objective of the Audit of Risk Management is to provide reasonable assurance that a corporate risk
management framework and processes are in place and that corporate risks are identified, assessed and
managed.
Scope
The scope of the audit includes assessing risk management practices at the corporate and branch levels.
At the corporate level, the audit examines the Department’s CRP for the purpose of assessing the
integrated risk management function. Other integrated risk management practices at the departmental
level were also assessed.
At the branch level, the audit examines practices and processes regarding the implementation of the
integrated risk management framework, such as the manner in which each branch establishes the
necessary systems and appropriate mitigation strategies to implement risk management in their respective
functions.
The scope of the audit does not include the following:
• An assessment of the appropriateness of the ten key risk areas identified in the CRP.
• An assessment of the appropriateness of policy recommendations.
Approach, Assurance Statement and Auditing Standards Employed
The audit was conducted in accordance with the International Standards for the Professional Practices
of Internal Auditing. These standards require that the audit be planned and performed in such a way as
to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate
procedures were followed and sufficient evidence was obtained to support the accuracy of findings
and conclusions presented in this report. Audit procedures included, but were not limited to, interviews,
observations, review of supporting documentation, and analytical reviews. The audit criteria used to
develop the required audit tests were based on: (1) good management practices; and (2) applicable
policies and regulations, in particular the TBS guidelines on IRMF, and relevant elements of the Office
of the Comptroller General’s Core Management Controls.
In total, 18 individuals were interviewed including personnel from each of the Department’s nine
branches, specifically two senior representatives per branch in most instances. The complete list of
personnel interviewed is provided in Appendix A. In addition, the audit team conducted a review of
relevant policies, standards, directives and related documents (list provided in Appendix B).
The audit approach allowed for the audit results to be communicated in such a manner as to enable
management to review and provide feedback on the findings and conclusions before they were
finalized.
Conclusions
Audit Objective
To provide reasonable assurance that a corporate risk management framework and processes are in
place and that corporate risks are identified, assessed and managed.
The audit concluded that overall, the Department’s Risk Management practices are in
line with good management practices and the TBS guidelines on Integrated Risk
Management Framework (IRMF). In particular, the following good management
practices and key aspects are worth noting:
• The Department has a standard approach to risk management and an
approved Corporate Risk Profile (CRP) that identifies key risks.
• The Department has established an Integrated Risk Management (IRM)
function led by the Corporate Planning Division (CPD) of the Corporate
Services Branch (CSB).
• Risk Management is practiced enterprise-wide and at the branch levels.
An effective communication strategy is an essential part of fostering a corporate
culture that enables effective and integrated risk management at every level of the
organization, including the sharing of best practices. The Department has
implemented the elements of an effective risk management framework; however,
some elements of the communication strategy presented in the Corporate Risk
Profile (CRP) have not been fully implemented.
Findings by Audit Criteria
The following table presents the assessment of the level of risk exposure identified in the audit. Levels
of risk exposure are categorized by audit criteria.
The audit criteria used to assess the risk exposure are based on good management practices, the TBS
guidelines on IRMF and relevant elements of OCG Core Management Controls related to risk
management.
The risk ranking is based on the level of risk exposure. A high, medium or low ranking corresponds to
the potential risk exposure auditors believe may have an impact on the achievement of Department
objectives, and is indicative of the priority management should give to address the recommendations.
The assessment summarizes the audit observations based on the factual evidence gathered and
analyzed during the audit. Based on these assessments, issues/themes along with potential causes,
impacts, management initiatives and recommendations are summarized in the “Recommendations and
Management Responses” section.
Legend: High exposure; Medium exposure; Low exposure
Establishing the Corporate Risk Profile
Criteria: The Corporate Risk Profile of the Department has identified and highlighted key corporate
risk areas
Risk Exposure: Low
Assessment: The Department has a standard approach to risk management and an
approved Corporate Risk Profile (CRP) which identifies key risks.
The Department has had a CRP since November 2007 and its status is
reviewed three times a year as part of the integrated planning cycle, with
changes to the CRP included as warranted. This has led to revisions to the
CRP in November 2008 and June 2009. The process of developing and
updating the CRP is integrated within the Department’s planning, monitoring
and reporting cycle.
The Department’s major risks identified in the CRP are regularly reviewed as
part of the integrated planning process. An environmental scan involving all
branches is usually conducted three times a year, threats and opportunities
are identified, mitigation strategies are developed and progress on the
implementation of these strategies is monitored. The risks in the CRP are
identified by management as risks that would most affect the Department’s
ability to achieve its objectives.
The most recent CRP was reviewed and discussed with senior management
at various committees, including the Departmental Coordinating Committee
(DCC), prior to receiving final approval at the Executive Committee (EXEC) on
June 5, 2009.
Practicing Integrated Risk Management
Criteria: The Department implements and practices Integrated Risk Management within an
established framework
Risk Exposure: Low
Assessment: The Department has established and implemented an Integrated Risk
Management (IRM) function led by the Corporate Planning Division
(Corporate Planning) of the Corporate Services Branch (CSB).
Corporate Planning within the CSB provides horizontal support and
leadership to all branches on matters related to risk management, by
providing advice and coordinating activities related to the function. As
part of the integrated planning process, each branch regularly assesses
the risks relevant to their area and develops corresponding mitigation
strategies.
This risk information is collected from the branches and assessed
through a standard planning template by Corporate Planning, with the
support of the Department’s Planning Network (Network). The Network
is made up of representatives from all branches in order to integrate
business planning and risk management across the Department. The
information collected in these templates is updated three times a year by
the branches and forms the basis of changes to the CRP as warranted.
Once templates have been completed and information has been assessed,
senior management is further consulted through the DCC for their review, prior
to a final review and approval from the EXEC.
The risk identification process is rigorous and considers internal and external
risk exposures. This process results in the identification of the ten major risk
areas documented in the CRP, which are categorized into four groups: (1)
policy risks, (2) people risks, (3) infrastructure risks and (4) process risks. In
addition to the CRP risks, each branch identifies other risks that could impact
their specific subject business areas. During 2009-2010, the branches identified
approximately thirty additional risks during one of three integrated planning
exercises. Mitigation strategies were developed and included in each of the
branches’ respective business plans.
The integrated approach to risk management is complemented by appointing
“risk champions” at the Assistant Deputy Minister level for each risk identified in
the CRP. These “risk champions” are responsible for ensuring effective
synchronized mitigation strategies for the department-wide key corporate risk
assigned to them; however, their involvement beyond their Branch is limited.
Although the Department has an effective integrated approach to risk
management, some elements of the communication strategy presented in the
CRP have not been fully implemented. For the most part, these relate to
communicating key corporate messages more widely across Branches to
management and all staff regarding: (1) availability of the risk management web
site; (2) recommended risk management tools; (3) important updates to the
department-wide risk management strategy; and (4) sharing and discussing
best practices at department-wide forums such as the general assembly and
the annual executive retreat. An effective communication strategy is an
essential part of fostering a corporate culture that enables effective and
integrated risk management at every level of the organization, including the
sharing of best practices.
Recommendations and Management Action Plan
The following section presents the key opportunity for improvement stemming from
the audit findings. The impact and recommendation are also stated. Where
applicable, the relevant management initiatives already underway are included. For
the recommendation, management has provided:
• An action plan, which addresses the recommendation;
• The position responsible for implementing the action plan; and,
• The target date for completion.
1. Foster Communications Around Risk Management Best Practices
Summary of the Audit Finding and its Impact
As part of its Integrated Risk Management Framework and consistent with best practices, the Department has
established a communication strategy. Effective communication is essential to increasing awareness and effective
implementation of key risk management practices at all levels, particularly risk mitigation strategies.
Although the Department has an effective integrated approach to risk management, some elements of the
communication strategy presented in the CRP have not been fully implemented. For the most part, these relate to
communicating key corporate messages more widely across Branches to foster the sharing of best practices
among management and all staff.
Fully implementing an effective communication strategy will further improve management and staff’s awareness of
the Corporate Risk Profile and encourage the use of available tools, such as the Department’s website on risk
management. Ultimately, increasing risk management awareness and the sharing of best practices will better
enable the Department to achieve its objectives.
Recommendation
It is recommended that the ADM, Corporate Services Branch (CSB), in cooperation with the ADM,
Consultations and Communications (C&C) Branch, fully implement the communication strategy
for risk management.
Management Response
The ADM CSB, in cooperation with the ADM C&C Branch, is committed to continue to
foster communications around risk management. The Director Corporate Planning will
work with Finance Branches to validate which form of communication is best suited to
increase awareness of risk management practices across the Department, as part of the
comprehensive review of the Corporate Risk Profile planned for summer 2010. The
communications strategy will be updated based on review findings by the end of Q2
2010-11. The ADM-CSB will then work to implement the updated communications
strategy with a focus on increasing risk management awareness and the sharing of best
practices among management and staff across all Branches. It is expected that the
communication strategy will be fully implemented by the end of Q2 2011-12.
Members of the Audit Team
The members of the audit team are:
Roger Vachon, Master in Administration, Audit Manager
Olivia Zhu, MPA, CIA, Senior Auditor
Ziad Shadid, CGA, Audit Manager
Christian Kratchanov, MBA, CIA, Chief Audit Executive
Appendix A – List of Department of Finance Canada Personnel
Interviewed
Jean-Michel Catta, General Director, Consultations and Communications Branch
Chris Forbes, General Director, Federal-Provincial Relations and Social Policy Branch
David Gamble, Director - Public Affairs & Operations Division, Consultations and Communications Branch
Barb Gibbon, Director – Corporate Planning, Corporate Services Branch
James A. Haley, General Director, International Trade & Finance Branch
Sherry Harrison, Chief Financial Officer and Executive Director, Corporate Services Branch (acting ADM
Corporate Services Branch at the time of the audit interview)
Nancy Horsman, General Director, Tax Policy Branch
Claude Lavoie, Director – Economic Studies & Policy Analysis Division, Economic and Fiscal Policy Branch
Clifton Lee-Sing, Chief – Financial Markets Division, Financial Sector Policy Branch
Sheila Macdonald, Chief – International Policy & Analysis Division, International Trade and Finance Branch
Erin O’Brien, Chief - Policy Analysis & Coordination, Economic Development & Corporate Finance Branch
Hélène Shirreff, Senior Analyst – Corporate Planning, Corporate Services Branch
Trevor J. Smith, Special Advisor and Counsel to the ADM, Law Branch
Rob Stewart, General Director, Financial Sector Policy Branch
Peter Turner, Chief – Personal Income Tax Division, Tax Policy Branch
Julie Turcotte, Chief – Economic Studies and Policy Analysis Division, Economic and Fiscal Policy Branch
Nipun Vats, Senior Chief – Federal-Provincial Relations Division, Federal-Provincial Relations and Social Policy
Branch
Kathy Wesley, Director - Access to Information and Privacy Division, Law Branch
Appendix B – List of Key Documents Consulted
Legislation
• The Accountability Act (April 2006)
Standards (TBS)
• Integrated Risk Management Framework (April 2001)
Policy (TBS)
• Risk Management Policy (October 2001)
Documents Specific to the Department
• Corporate Risk Profile (June 2009)
• Corporate Risk Profile (November 2008)
• Corporate Risk Profile (November 2007)
• Integrated Business Plan (2009-2010)
• Business Planning Input – Operating Environment and Risk Analysis (May 2009 – one
document per Branch)
Other Documents
• Management Accountability Framework (2008-2009)
• Integrated Risk Management Implementation Guide - (TBS) (2004)
• OCG Core Management Controls: A Guide for Internal Auditors (OCG) (November 2007)

B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 

Audit of Risk Management Final Report

  • 1. Audit of Risk Management: Final Report, March 25, 2010. Prepared by Internal Audit & Evaluation for the Audit and Evaluation Committee meeting of March 25, 2010. Finance Canada.
  • 2. Table of Contents
      • Executive Summary 3
      • Background 4
      • Audit Objective and Scope 5
      • Approach, Assurance Statement and Auditing Standards Employed 6
      • Conclusions 7
      • Findings by Audit Criteria 8
      • Recommendations and Management Action Plan 13
      • Members of the Audit Team 14
      • Appendices
      • Appendix A – List of Department of Finance Canada Personnel Interviewed 16
      • Appendix B – List of Key Documents Consulted 17
  • 3. Executive Summary: As part of the Government of Canada’s commitment to strengthening risk management practices in the public service, the Treasury Board of Canada Secretariat (TBS) developed the Integrated Risk Management Framework (IRMF) in 2001. The IRMF defines integrated risk management as a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective. It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives. The objective of the Audit of Risk Management is to provide the Department of Finance (the Department) with reasonable assurance that the corporate risk management framework and processes it has in place effectively identify, assess and manage corporate risks. Our audit concluded that overall, the Department has developed an adequate Corporate Risk Profile (CRP) and has established an Integrated Risk Management (IRM) function, in line with good management practices and the TBS guidelines on IRMF. The Department has implemented the elements of an effective risk management framework; however, some elements of the communication strategy presented in the Corporate Risk Profile (CRP) have not been fully implemented.
  • 4. Background
      • History: As per the Treasury Board Policy on Internal Audit, risk management is a mandatory element of internal audit coverage. Consequently, the Audit of Risk Management has been included as part of the Department’s three-year risk-based audit plan, which was approved by the Deputy Minister upon the recommendation of the Audit and Evaluation Committee.
      • Background: As part of the Government of Canada’s commitment to strengthening risk management practices in the public service, TBS developed the IRMF in 2001. The IRMF provides Departments with guidance on developing their risk management function so that they may be more effective in identifying and mitigating risks, which would otherwise affect their ability to meet departmental objectives. As per the IRMF, the primary element of establishing an effective risk management framework is for an organization to develop a Corporate Risk Profile (CRP). The CRP is an effective tool used to identify key corporate risks such as infrastructure risks, people risks, policy risks and process risks and establish strategies to mitigate these risks. In the Department, the Corporate Services Branch provides leadership towards integrating risk management at all levels and provides guidance to branches, as required. The ultimate responsibility for implementing effective risk management, however, rests with all employees, particularly the management team.
  • 5. Audit Objective and Scope
      • Objective: The objective of the Audit of Risk Management is to provide reasonable assurance that a corporate risk management framework and processes are in place and that corporate risks are identified, assessed and managed.
      • Scope: The scope of the audit includes assessing risk management practices at the corporate and branch levels. At the corporate level, the audit examines the Department’s CRP for the purpose of assessing the integrated risk management function. Other integrated risk management practices at the departmental level were also assessed. At the branch level, the audit examines practices and processes regarding the implementation of the integrated risk management framework, such as the manner in which each branch establishes the necessary systems and appropriate mitigation strategies to implement risk management in their respective functions.
      • The scope of the audit does not include the following: an assessment of the appropriateness of the ten key risk areas identified in the CRP; an assessment of the appropriateness of policy recommendations.
  • 6. Approach, Assurance Statement and Auditing Standards Employed: The audit was conducted in accordance with the International Standards for the Professional Practices of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and conclusions presented in this report. Audit procedures included, but were not limited to, interviews, observations, review of supporting documentation, and analytical reviews. The audit criteria used to develop the required audit tests were based on: (1) good management practices; and (2) applicable policies and regulations, in particular the TBS guidelines on IRMF, and relevant elements of the Office of the Comptroller General’s Core Management Controls. In total, 18 individuals were interviewed including personnel from each of the Department’s nine branches, specifically two senior representatives per branch in most instances. The complete list of personnel interviewed is provided in Appendix A. In addition, the audit team conducted a review of relevant policies, standards, directives and related documents (list provided in Appendix B). The audit approach allowed for the audit results to be communicated in such a manner as to enable management to review and provide feedback on the findings and conclusions before they were finalized.
  • 7. Conclusions
      • Audit Objective: To provide reasonable assurance that a corporate risk management framework and processes are in place and that corporate risks are identified, assessed and managed.
      • The audit concluded that overall, the Department’s Risk Management practices are in line with good management practices and the TBS guidelines on Integrated Risk Management Framework (IRMF). In particular, the following good management practices and key aspects are worth noting:
      • The Department has a standard approach to risk management and an approved Corporate Risk Profile (CRP) that identifies key risks.
      • The Department has established an Integrated Risk Management (IRM) function led by the Corporate Planning Division (CPD) of the Corporate Services Branch (CSB).
      • Risk Management is practiced enterprise-wide and at the branch levels.
      • An effective communication strategy is an essential part of fostering a corporate culture that enables effective and integrated risk management at every level of the organization, including the sharing of best practices. The Department has implemented the elements of an effective risk management framework; however, some elements of the communication strategy presented in the Corporate Risk Profile (CRP) have not been fully implemented.
  • 8. Findings by Audit Criteria: The following table presents the assessment of the level of risk exposure identified in the audit. Levels of risk exposure are categorized by audit criteria. The audit criteria used to assess the risk exposure are based on good management practices, the TBS guidelines on IRMF and relevant elements of OCG Core Management Controls related to risk management. The risk ranking is based on the level of risk exposure. A high, medium or low ranking corresponds to the potential risk exposure auditors believe may have an impact on the achievement of Department objectives, and is indicative of the priority management should give to address the recommendations. The assessment summarizes the audit observations based on the factual evidence gathered and analyzed during the audit. Based on these assessments, issues/themes along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendations and Management Responses” section. Legend: High exposure; Medium exposure; Low exposure.
  • 9. Findings by Audit Criteria: Establishing the Corporate Risk Profile
      • Criteria: The Corporate Risk Profile of the Department has identified and highlighted key corporate risk areas.
      • Risk Exposure: Low
      • Assessment: The Department has a standard approach to risk management and an approved Corporate Risk Profile (CRP) which identifies key risks. The Department has had a CRP since November 2007 and its status is reviewed three times a year as part of the integrated planning cycle, with changes to the CRP included as warranted. This has led to revisions to the CRP in November 2008 and June 2009. The process of developing and updating the CRP is integrated within the Department’s planning, monitoring and reporting cycle. The Department’s major risks identified in the CRP are regularly reviewed as part of the integrated planning process. An environmental scan involving all branches is usually conducted three times a year, threats and opportunities are identified, mitigation strategies are developed and progress on the implementation of these strategies is monitored. The risks in the CRP are identified by management as risks that would most affect the Department’s ability to achieve its objectives. The most recent CRP was reviewed and discussed with senior management at various committees, including the Departmental Coordinating Committee (DCC), prior to receiving final approval at the Executive Committee (EXEC) on June 5, 2009.
  • 10. Findings by Audit Criteria: Practicing Integrated Risk Management
      • Criteria: The Department implements and practices Integrated Risk Management within an established framework.
      • Risk Exposure: Low
      • Assessment: The Department has established and implemented an Integrated Risk Management (IRM) function led by the Corporate Planning Division (Corporate Planning) of the Corporate Services Branch (CSB). The Corporate Planning within the CSB provides horizontal support and leadership to all branches on matters related to risk management, by providing advice and coordinating activities related to the function. As part of the integrated planning process, each branch regularly assesses the risks relevant to their area and develops corresponding mitigation strategies. This risk information is collected from the branches and assessed through a standard planning template by the Corporate Planning, with the support of the Department’s Planning Network (Network). The Network is made up of representatives from all branches in order to integrate business planning and risk management across the Department. The information collected in these templates is updated three times a year by the branches and forms the basis of changes to the CRP as warranted.
  • 11. Findings by Audit Criteria: Practicing Integrated Risk Management (continued from the previous page)
      • Criteria: The Department implements and practices Integrated Risk Management within an established framework.
      • Risk Exposure: Low
      • Assessment: Once templates have been completed and information has been assessed, senior management is further consulted through the DCC for their review, prior to a final review and approval from the EXEC. The risk identification process is rigorous and considers internal and external risk exposures. This process results in the identification of the ten major risk areas documented in the CRP, which are categorized into four groups: (1) policy risks, (2) people risks, (3) infrastructure risks and (4) process risks. In addition to the CRP risks, each branch identifies other risks that could impact their specific subject business areas. During 2009-2010, the branches identified approximately thirty additional risks during one of three integrated planning exercises. Mitigation strategies were developed and included in each of the branches’ respective business plans.
  • 12. Findings by Audit Criteria: Practicing Integrated Risk Management (continued from the previous page)
      • Criteria: The Department implements and practices Integrated Risk Management within an established framework.
      • Risk Exposure: Low
      • Assessment: The integrated approach to risk management is complemented by appointing “risk champions”, at the Assistant Deputy Minister level for each risk identified in the CRP. These “risk champions” are responsible for ensuring effective synchronized mitigation strategies for the department-wide key corporate risk assigned to them; however, their involvement beyond their Branch is limited. Although the Department has an effective integrated approach to risk management, some elements of the communication strategy presented in the CRP have not been fully implemented. For the most part, these relate to communicating key corporate messages more widely across Branches to management and all staff regarding: (1) availability of the risk management web site; (2) recommended risk management tools; (3) important updates to the department-wide risk management strategy; and (4) sharing and discussing best practices at department-wide forums such as the general assembly and the annual executive retreat. An effective communication strategy is an essential part of fostering a corporate culture that enables effective and integrated risk management at every level of the organization, including the sharing of best practices.
  • 13. Recommendations and Management Action Plan: The following section presents the key opportunity for improvement stemming from the audit findings. The impact and recommendation are also stated. Where applicable, the relevant management initiatives already underway are included. For the recommendation, management has provided:
      • An action plan, which addresses the recommendation;
      • The position responsible for implementing the action plan; and,
      • The target date for completion.
  • 14. 1. Foster Communications Around Risk Management Best Practices
      • Summary of the Audit Finding and its Impact: As part of its Integrated Risk Management Framework and consistent with best practices, the Department has established a communication strategy. Effective communication is essential to increasing awareness and effective implementation of key risk management practices at all levels, particularly risk mitigation strategies. Although the Department has an effective integrated approach to risk management, some elements of the communication strategy presented in the CRP have not been fully implemented. For the most part, these relate to communicating key corporate messages more widely across Branches to foster the sharing of best practices among management and all staff. Fully implementing an effective communication strategy will further improve management and staff’s awareness of the Corporate Risk Profile and encourage the use of available tools, such as the Department’s website on risk management. Ultimately, increasing risk management awareness and the sharing of best practices will better enable the Department to achieve its objectives.
      • Recommendation: It is recommended that the ADM, Corporate Services Branch (CSB), in cooperation with the ADM, Consultations and Communications (C&C) Branch, fully implement the communication strategy for risk management.
      • Management Response: The ADM CSB, in cooperation with the ADM C&C Branch, is committed to continue to foster communications around risk management. The Director Corporate Planning will work with Finance Branches to validate which form of communication is best suited to increase awareness of risk management practices across the Department, as part of the comprehensive review of the Corporate Risk Profile planned for summer 2010. The communications strategy will be updated based on review findings by the end of Q2 2010-11. The ADM-CSB will then work to implement the updated communications strategy with a focus on increasing risk management awareness and the sharing of best practices among management and staff across all Branches. It is expected that the communication strategy will be fully implemented by the end of Q2 2011-12.
  • 15. Members of the Audit Team. The members of the audit team are:
      • Roger Vachon, Master in Administration, Audit Manager
      • Olivia Zhu, MPA, CIA, Senior Auditor
      • Ziad Shadid, CGA, Audit Manager
      • Christian Kratchanov, MBA, CIA, Chief Audit Executive
  • 16. Appendix A – List of Department of Finance Canada Personnel Interviewed
      • Jean-Michel Catta, General Director, Consultations and Communications Branch
      • Chris Forbes, General Director, Federal-Provincial Relations and Social Policy Branch
      • David Gamble, Director - Public Affairs & Operations Division, Consultations and Communications Branch
      • Barb Gibbon, Director – Corporate Planning, Corporate Services Branch
      • James A. Haley, General Director, International Trade & Finance Branch
      • Sherry Harrison, Chief Financial Officer and Executive Director, Corporate Services Branch (acting ADM Corporate Services Branch at the time of the audit interview)
      • Nancy Horsman, General Director, Tax Policy Branch
      • Claude Lavoie, Director – Economic Studies & Policy Analysis Division, Economic and Fiscal Policy Branch
      • Clifton Lee-Sing, Chief – Financial Markets Division, Financial Sector Policy Branch
      • Sheila Macdonald, Chief - International Policy & Analysis Division, International Trade and Finance Branch
      • Erin O’Brien, Chief - Policy Analysis & Coordination, Economic Development & Corporate Finance Branch
      • Hélène Shirreff, Senior Analyst – Corporate Planning, Corporate Services Branch
      • Trevor J. Smith, Special Advisor and Counsel to the ADM, Law Branch
      • Rob Stewart, General Director, Financial Sector Policy Branch
      • Peter Turner, Chief – Personal Income Tax Division, Tax Policy Branch
      • Julie Turcotte, Chief – Economic Studies and Policy Analysis Division, Economic and Fiscal Policy Branch
      • Nipun Vats, Senior Chief – Federal-Provincial Relations Division, Federal-Provincial Relations and Social Policy Branch
      • Kathy Wesley, Director - Access to Information and Privacy Division, Law Branch
  • 17. Appendix B – List of Key Documents Consulted
      • Legislation: The Accountability Act (April 2006)
      • Standards (TBS): Integrated Risk Management Framework (April 2001)
      • Policy (TBS): Risk Management Policy (October 2001)
      • Documents Specific to the Department: Corporate Risk Profile (June 2009); Corporate Risk Profile (November 2008); Corporate Risk Profile (November 2007); Integrated Business Plan (2009-2010); Business Planning Input – Operating Environment and Risk Analysis (May 2009 – one document per Branch)
      • Other Documents: Management Accountability Framework (2008-2009); Integrated Risk Management Implementation Guide (TBS) (2004); OCG Core Management Controls: A Guide for Internal Auditors (OCG) (November 2007)