Business Assurance Service: An explanation of risk based auditing and reporting
Anthony Garnett, Head of BAS, February 2008
Risk based internal auditing

Traditional Internal Audit (Policies -> Audit -> Reporting)
- Starts with policies and agreed procedures
- Considers what management have stated should occur
- Rules based
- Focused on compliance and conformance
- Policeman role
- Focuses on discrete systems (may risk prioritise systems)
- Sample testing of 'transactions'
- Historically focused on financial processes
- Reports based on reporting exceptions
- Reports operationally focused
- Reports at low level
- Identify minor issues
- Easy to respond to as focus is on discrete systems and departments
- Conclusions based on levels of compliance / operation of controls

Risk Based Internal Audit (Objectives -> Risks -> Audit -> Reporting)
- Starts with objectives as agreed by management. Where no clear objectives have been agreed (absence of a policy or strategy), imputed objectives are considered
- Role is not to challenge objectives
- Objectives cover many systems, processes and departments
- Considers risks that flow from objectives
- Will use management's own risk assessment where one is present (this is not the case at the University for most areas)
- Audit will perform a risk assessment identifying the risks and scoring risks
- Audit work considers risks to objectives and will look for expected controls / mitigating actions
- The work will follow the risk, so if a risk is managed across a number of departments the audit will consider how to assess this and work across the departments
- Audit is qualitative and based on professional judgement
- Audit covers all processes and systems across the institution
- Audit asks not just 'is the University doing things right?' [compliance / operation of controls], but 'is it doing the right things?' [effectiveness / design of controls]
- Report identifies risks and makes suggestions for management to consider to mitigate identified risks
- Risks prioritised at strategic and operational level
- Qualitative and professional judgement applied to risk grading and conclusions
- Reports become a dialogue and are co-produced with management
- Recommendations are not prescriptive but are suggestions
Report format
- Clear risk grading based on the net risk exposure to the University from the current arrangements in place over the process or system reviewed
- Clear tracking of the report based upon the dates agreed with management in the scope. Note that BAS KPIs are reported using the protocol, as these measure stage-to-stage performance
- Clear version control
- Clear UEC and process owner sponsor, as agreed in the scope
Report format
- 2 page executive summary
- Clear opinion on the adequacy of controls as operated (compliance) and as designed (effectiveness against objectives)
- Risk grading given (maps to front of report) based upon the net risk exposure, taking into account current controls in place
- Summary of the risks identified within the report, categorised by the size of the risk. Also a one line italicised summary of the agreed University action. Top three categories only.
- Grading of recommendations by the size of the risk. Categorisation below.

Risk Priorities
- University-wide significant strategic risk: a risk that significantly impacts on the achievement of one or many of the University's strategic objectives.
- University-wide important strategic risk: a risk that has an important impact on the achievement of one or many of the University's strategic objectives.
- University operational significant risk: a risk that significantly impacts on an operational department or process and on the achievement of one or many University operational objectives.
- University operational important risk: a risk that has an important impact on an operational department or process and on the achievement of one or many University operational objectives.
Report format
- Report points linked under themes that align to either management responsibility or linked areas of operation
- Risk grading given to each risk and colour coded to scale (on previous page) to enable quick navigation of the report
- Suggested recommendations to address the risks identified. This may refer to appendices where best practice ideas or benchmarking are provided
- Space to record planned University actions. This includes a due date and an assigned person responsible for the action.

The four potential University responses to actions (delivery protocol, included in the report):

Type | University response to risk identified | University response to suggested recommendation
1 | Agree with risk | Agree with recommendation as stated
2 | Agree with risk | Note the recommendation but propose an alternative on cost or other grounds
3 | Agree with risk | Consider risk is acceptable and propose no action
4 | Disagree with risk | Disagree with action identified and propose no action
Report format
- Risk map illustrates a selection of risks considered by the audit to the University's objectives for the process audited. The aggregate net risk should align to the risk grading of the report.