Internal Audit

When Audit Says Risk - What Do We Mean?

Contents:

  • Risk Management
  • Evaluation of Risks
  • Internal Audit and Risk

Risk is the chance of something going wrong. Organisations encounter risk in all of their business activities. The risks involved, whether of a financial or non-financial nature, pose the threat that an organisation may not achieve its objectives.


Risks can include the following:

  • inability to provide statutory services (e.g. as a result of a natural disaster such as a flood)
  • prosecution due to failure to meet statutory and regulatory requirements (e.g. Health and Safety)
  • loss, theft and misappropriation of resources and assets
  • customer dissatisfaction, negative publicity and damage to the organisation's reputation
  • acquiring resources uneconomically or using them inefficiently or ineffectively
  • wrong decisions being taken on the basis of incorrect, untimely, incomplete or otherwise unreliable information (e.g. financial strategy)
  • incurring penalties due to error or maladministration (e.g. loss of supplier discounts due to delays in processing invoices)

However, taking risks also presents opportunities to maximise business potential. Failing to take a risk, for example by not adopting e-commerce, can therefore itself lead to inefficiency and ineffectiveness.

Risk Management

Risk Management is being formally introduced to the authority. It is the overarching process of identifying, evaluating and controlling risk across the authority on two levels:

  • Strategic Risks - which relate to the long-term goals and objectives of the organisation and include economic, legislative, environmental and competitive risks.
  • Operational Risks - which are encountered in the daily course of work and include physical, professional, reputational and technological risks.

Once risk exposures have been identified, a decision on how to deal with each one can be made using the 4 T's: Tolerate, Transfer, Terminate or Treat. It is the responsibility of the Council's management to identify, assess and manage the risks associated with their activities by implementing adequate internal controls.

Evaluation of Risks

In deciding the most appropriate response to the risk exposures identified, each risk needs to be evaluated in terms of the perceived likelihood of its occurring and the impact if it does.

Below are some examples of what might fall into each category, including some national examples of risks that have been realised in recent years.

High Likelihood, High Impact

  • DSS Benefit Fraud
  • Food poisoning due to poor food handling practices
  • Theft of ICT equipment from unlocked Council Offices over the Christmas period
  • Severe injury of a resident due to an unprotected open manhole

High Likelihood, Low Impact

  • Theft of receipted income left in a reception area
  • Penalty incurred due to a supplier's invoice not being paid on time

Low Likelihood, High Impact

  • Downfall of Barings Bank due to a rogue trader
  • Disappearance of the Mirror Group pension fund
  • Downloading of child pornography from the Internet on Council equipment
  • Inability to pay Housing Benefit due to a fire in Council Offices

Low Likelihood, Low Impact

  • Theft of all departmental stationery supplies

Internal Audit and Risk

Internal Audit's role is to objectively evaluate the effectiveness of risk management processes across the Council and make recommendations for improvement in internal control where necessary.


For audit purposes, the perceived risk associated with each system and service of the Council is calculated in terms of:

  • Its contribution to the Council's Aims and Objectives
  • Its inherent risk (i.e. the nature of the system). For example, a large complex service such as Housing Benefits, which requires a high degree of professional knowledge, has a high customer impact, involves a large number of financial transactions and is subject to continuous changes in legislation and innovation, will have a high inherent risk.
  • Its residual risk (i.e. the adequacy of the controls in place to cope with the inherent risk). This is established from previous audits or other agency coverage, best value reviews, error rates and manager perceptions.

This results in a 'Risk Factor' for that service or system, which determines the frequency of audit coverage. The time spent during an audit is then allocated across the risk elements 'within' that system. Internal Audit uses a 'Scoping Matrix' of these risk elements, which consists of 2 main sections:

  • Specific risks - the sub-elements of operation pertinent to that service. For example, in an audit of the postal system these would include post opening, use of the franking machine, security of outgoing mail and payments to Royal Mail.
  • General risks - those common to most systems and services, including business management, ICT systems risks, income risks and budgetary control.

The risks identified for an audit are then weighted across both categories on a scale of 1 to 5, with 1 being high and 5 being low. This weighting, together with previous coverage, determines the priorities for the audit.
