The Audit Plan. It’s NOT “Set and Forget”

shutterstock_74923093

Following on from my recent post on ‘Internal Audit’s Role (an Audit Committee perspective)’, I wanted to share another issue that came up in discussion with colleagues, before and during, the course of the recent Public Sector Internal Audit Conference in Canberra.

The issue was ‘When does risk appetite change?’

In my experience, it is the practice of many agencies to set audit plans for the year and then monitor progress with those, without assessing, on an ongoing basis, whether the audit plan needs to be revised for new or increasing risks.  This situation is compounded by the fact that audit committee meetings are typically scheduled for many months ahead, usually four general purpose meetings in a year, plus one to review the financial statements.  This practice consolidates the notion that there is a fixed plan for the year and that the requirement is then only to ensure the program is on track and to consider findings from scheduled audits.

That practice is dangerous.  It ignores the fact that we live in a constantly changing environment.  The shark patrol may have given the all clear two weeks ago but does that mean there are no sharks lurking today?!

The challenge is to keep the audit plan under review and be prepared to change it for potential new risks.  Examples of developments which could warrant review of the program include:

  • Funding cuts – funding cuts frequently lead to reductions in staffing and expectations that people will do more, or at least the same, with less.  For example, the federal government is currently proposing a reduction of the order of 800 SES and Executive Level positions in the Australian Public Service (APS), as an offset to revenue losses flowing from a proposed move from Carbon Pricing to an Emissions Trading Scheme.  If this comes to pass it will, almost certainly, mean an increase in responsibility for many remaining staff.  A question for audit committees to consider might be around the risks in asking people to do more and how the risks will be mitigated?
  • Machinery of Government (MOG) changes – There have already been two MOG changes in recent months and others will inevitably flow after the forthcoming federal election, regardless of who wins Government.  What arrangements will be put in place by each agency to ensure appropriate funding, personnel, skills, systems and governance arrangements flow with these changes?  How will risks be mitigated?
  • Introduction of new programs – Introduction of a new program is always an area of potential risk, particularly where these are expected in haste by Government.  The risks and consequences can be profound.  We only have to look at the example of the Home Insulation Scheme.  It is not always possible, or desirable, to dissuade the government from introducing a new program in haste.  Where it is to happen the risks need to be well understood and appropriate governance and mitigation strategies put in place.
  • Changes to legislation and regulations – Understanding the consequences of changes to legislation and regulations is critical, not least when the Government chooses to remove existing arrangements.  The federal opposition is currently proposing that, if it wins government, it will give priority to reducing business regulation.  It also proposes that the performance of APS chief executives will partly be tied to how successful they are in reducing regulation.  Intuitively reduction in regulatory burden is a good thing, but it is also important to remember that regulations have typically been put in place to control some aspect of risk or market failure.  What then has changed and what risks will result from removing current regulatory arrangements?
  • Changes to business models – Moving to a new business model also typically exposes government to risk.  There have been a number of examples of problems where the government of the day has moved to a new business model, without fully identifying or understanding the risks involved.  Perhaps the most high profile case was the failure around the Sale of Multi-point Distribution Service licences in to enable Pay TV in the early 1990s.  The government and the former Department of Transport and Communications, did not have an adequate understanding of running a large scale auction process, in a new regulatory regime, where industry players would be looking to maximise their commercial advantage.  Failure of the process was a significant public embarrassment for the government.

I am not suggesting that audit committees will necessarily have all the answers or that involving them will provide absolute guarantee of no failures in public administration.

What was canvassed during discussions, is the proposition that chief executives and their departments need to ensure, when there are significant changes to current arrangements, their audit committees are briefed on the changes.  Briefing should also identify the risks and proposed risk mitigation strategies.  In response, audit committees need to be ready to review the audit program, recommending reallocation of internal audit resources where they see significant emerging risks to an agency being able to achieve its objectives.

Image:   Lightspring/Shutterstock.com

(If you would like to receive notification of future blog posts please send an email, at the link on the contact page, with the word ‘Subscribe’ in the message field.)