CEO's welcomeThank you for joining us. The topic for today is ‘Risk appetite and the annual audit plan’. The timing is particularly relevant as HIAs start to draft their annual internal audit opinion. The annual internal audit plan leads to the overall opinion which is the professional judgement of the HIA based primarily on the results of individual internal audit engagements, supported in some instances by incorporating other reliable assurance information. It is for a specific time interval determined by an organisation, most commonly a year. Risk appetite helps organisations establish a threshold of impacts they are willing and able to absorb in pursuit of objectives. |
Chair's opening commentsWelcome to our Local Authority Forum. Internal Auditors in Local authorities are at this time of the year turning our thoughts to planning for the next financial year. Different councils are at different stages of risk maturity, and we need to consider whether our council has defined what its risk appetite is. Risk appetite provides a framework which enables an organisation to make informed management decisions. By defining both optimal and tolerable positions, councils can clearly set out both the target and acceptable positions when pursuing their strategic objectives. And, of course, all of our work throughout the year leads to an overall opinion in the AGS. The overall opinion is the Head of Audit’s opportunity to demonstrate the unique value of internal audit including its independence and objectivity. |
Chair's closing commentsCouncils are on a journey regarding culture around risk management – we need to bridge the gap with those in our organisations who see risk management as an impediment to their day job, when in fact it is part of what they do on a day-to-day basis. |
Institute's closing commentsA public sector event organised by the South West region will take place on 16th March. The Audit and Risk awards are open and the closing date for nominations is 16th February. Our next LA Forum meeting will take place on 23 February 2022 and will look at how ‘How to conduct a fraud risk assessment’. Details of all upcoming local authority forums can be found here. Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith on email at liz.sandwith@iia.org.uk |
Q: You talked about target risk and assurances, your internal audit plan and your opinion, and your insurance certification project. Do you share all of those documents with your audit committee?
A: I do informal sessions, prior to the audit committee, which allows me to give them all the background briefing. I find that having informal sessions with them allows them to see all the things that are going on in the background.
Q: At our council, there is an implied risk appetite at the individual risk level as we have target scores. We don't currently have an organisational risk appetite. Do you think that there is value in an organisational risk appetite in addition?
A: It depends on how mature the different elements of the organisation are. However, the more granular target risks and the appetite at directorate level are more significant in terms of decision making.
Q: Risk appetite is something I've thought about for some time, but a difficulty for me is whether a large and complex authority can have one risk appetite? Children’s services would have a very different risk appetite to our commercial Team. I suspect we would need multiple appetites and that adds to the difficulty implementing something. At present, we have target scores for each risk.
A: Large complex councils may approach things on a directorate basis. However, it may be helpful to consider a more thematic approach. Having one appetite is a challenge and you do need to look at the different parts of the organisation and how they’re all working.Q: I'm comfortable with risk in relation to audit work, but I think management generally struggle to find value in risk management. And it shouldn't need an industry behind it to work!
A: There is a danger with risk management that it becomes its own special project which is why it could be helpful to push the assurance framework and how the assurance map fits in.Q: Can I ask how risk management is corporately managed? Where does it sit? Is that with internal audit? If so, how do you provide assurance on something that is internal to the team.......sort of auditing yourself? We have this issue and are currently wondering where it should sit.
A: In Cornwall Council’s audit committee, the risk manager will come and talk about risk so that the Head of Audit is there to talk about audit. The risk reporting line will also be different to the audit reporting line. Many organisations are resource strapped with these issues having to be managed as best it is possible.
Q: In the private sector, the 2nd line risk function would monitor the implementation of controls to bring a residual risk back in line with the relevant risk appetite, leaving internal audit to provide assurance over the operation of controls for high inherent risks (which are within appetite). Due to resource issues, I can't operate this model in local authority - does anyone have a well enough resourced risk team which actually performs a 2nd line role?
A: Many organisations and local authorities are going through resource cuts, so this aspect is very challenging. The assurance framework is very important because of this. It may put the onus back on to individual managers.
Q: Very interesting. We are trying to develop this more at our audit clients but have struggled with buy-in. Have you linked the assurance areas in your assurance map directly to risks in the corporate risk register or have you developed your own assurance areas?
A: It is based on the strategic risks and feeds back to the risk appetite and to the plan.
Q: As part of my work overseeing the AGS, I've previously asked Directors to identify what assurances they receive and how often...but rather informally....so 'll ask the question on everyone's lips....Can you please share your questionnaire?
A: Yes no problem. Here are instructions for how to complete the questionnaire and here is the corporate assurance form.
Q: A question regarding the assessment of risk management when it sits in internal audit. Our insurer’s agreed to a consultancy resource when they tendered, which we tapped into. We declare the conflict risk in our plan and annual report.
A: It depends on your budget if you bring in external consultants, but the concept is interesting.
Chat box comments: