Part 4: Risk management

Annual report for the year ended 30 June 2008.

Risk management framework

Our risk management framework is the set of elements of our management system concerned with identifying and managing risk. It is aligned to our business outcomes and the strategies designed to achieve these outcomes.

Risk identification and management is a key part of our annual planning. Our strategic planning defines plans and allocates resources to achieve objectives. An integral part of that process is the identification of anything that threatens our achieving those objectives.

We have categorised the risks we are exposed to as strategic, professional operational, and business operational risks. All risks are managed within the same framework, as experience shows that inadequately managed professional operational and business operational risks can escalate to the level of strategic risk.

Strategic risks

Identifying and managing risk is integral to our business. For several years, we have identified our key strategic risks as being the loss of our independence and audit failure. We have recently included two additional strategic risks – loss of capability and loss of reputation. In our view, we now face four main strategic risks:

  • Loss of independence – Independence underpins the value of the Auditor-General’s products. Losing that independence in fact or appearance, whether by failure on the part of the Auditor-General or his appointed auditors to act independently or otherwise, would undermine trust in our organisation.
  • Audit failure – the risk that we issue an incorrect audit opinion with material impact, or a report that is significantly wrong in nature or process.
  • Loss of capability – the risk that we are unable to retain, recruit, or access people with the technical and other skills our audit work requires.
  • Loss of reputation – the risk that we may lose reputation or credibility, which would affect our relationships with stakeholders.

These risks will always be present, but much of the way we do our work reduces them.

Strategic risk mitigation actions

The key mitigation actions are:

  • the Auditor-General’s independence standards – the Auditor-General sets a high standard for independence for both his employees and the auditors he appoints;
  • monitoring the independence of the two statutory officers, employees, and appointed auditors – the system includes regular declarations of interest and, where necessary, implementation of measures to avoid conflicts of interest;
  • adhering to professional auditing standards;
  • quality assurance regimes – including implementing and complying with New Zealand Institute of Chartered Accountants’ revised quality control standards;
  • peer review and substantiation procedures – including annual independent evaluation of our audit allocation and tendering processes, independent external review of two performance audits each year, and stakeholder feedback studies;
  • an independent Audit and Risk Committee, comprising three external members and the Deputy Controller and Auditor-General; and
  • ongoing training and development of our staff – including talent and capability management programmes, leadership development initiatives, and professional development programmes.

Operational risks

Identifying more specific risks is a key part of our annual planning. We carry out a review of the environment in which we operate. We consider economic, legal, social, environmental, and technological developments, and changes in the accounting and auditing professions, which might affect us. We look too at the effect such matters might have on our stakeholders and the entities that we audit.

Demand created by changes within the public sector and the accounting and auditing professions, together with the continuing difficulty in finding and retaining suitably qualified and experienced staff, has meant that our audit work has had to focus more heavily on entities’ financial statements. This has been at the expense of public interest audit work based on fuller consideration of the risks and challenges that entities face in their strategic, governance, and operational contexts.

We are therefore working to rebalance our audit effort so that it takes this fuller perspective in the audit of each individual entity, to the extent deemed appropriate in the judgement of each entity’s appointed auditor. This should result in a stronger emphasis on non-financial reporting, waste, probity, and accountability, and may over time affect how our audits are costed, resourced, carried out, and reported.

In Part 3 of this report, we have described the efforts we are making to maintain and build our organisational health and capability to equip us to deal with the increased demands of our environment. However, in the short to medium term, we expect to see trends such as increasing levels of arrears in the issuing of public entities’ audit reports.

Enhancement of risk management

Over the past year, we have continued to develop our processes for managing strategic and operational risks, to ensure that all significant risks are identified, that mitigation measures are put in place where appropriate, and that responsibility for the implementation of those measures is clearly allocated. We have also reviewed and updated our risk management documentation to reflect those enhancements.

As a result, the following are now established key elements of our risk management framework:

  • review of environmental scanning results through our annual Office-wide planning process to identify risks;
  • application of our risk management processes;
  • implementation of our risk management information system;
  • our risk reporting environment; and
  • our existing controls that are in place to minimise risk.

Report of the Audit and Risk Committee

For the year ended 30 June 2008


Anthony N Frankham FCA, FAMINZ, FIOD (Chairman), professional director and specialist investigating accountant (to 21 April 2008)

John Hagen MBA, MCom, FCA, Investigating accountant (member from 15 February 2008; Chairman from 21 April 2008)

Joanna Perry MA (Cantab), FCA (ICAEW), FCA (NZICA), professional director and chartered accountant (to 8 September 2007)

Stephen Revill BA, LLB, Senior legal counsel, Unisys New Zealand Limited (from 3 September 2007)

Ross Tanner MA (Hons), MPA (Harvard), Director, Ross Tanner Consulting Limited

Phillippa Smith BA, LLB, MPP, Deputy Controller and Auditor-General

The Audit and Risk Committee is an independent committee established by and reporting directly to the Auditor-General. The Committee was established in 2003, as the Audit Committee. The reference to risk was included in the name of the Committee in December 2005, to better describe the Committee’s role.

The purpose of the Committee is to oversee:

  • risk management and internal control;
  • audit functions (internal and external) for the Office;
  • financial and other external reporting;
  • the governance framework and processes;
  • compliance with legislation, policies and procedures.

The Committee has no management functions.

During the past year, the Committee:

  • met on three occasions to fulfil its duties and responsibilities;
  • received briefings from the Auditor-General and other senior managers on key business activities of the Office, as a basis for ensuring that risks facing the Office are being appropriately addressed;
  • oversaw the Office’s continuing review of its risk management framework and the procedures underpinning the framework;
  • discussed with the external auditors their audit plan for the year and findings from their audit work;
  • monitored the implementation of recommendations made by the external auditors;
  • reviewed the proposed three-year plan for internal audit, and generally oversaw the implementation of the internal audit function contracted to KPMG;
  • reviewed the annual plan and annual financial statements of the Office prior to their approval by the Auditor-General, having particular regard to the accounting policies adopted, major judgmental areas, and compliance with legislation and relevant standards;
  • received and considered the report of the independent peer review team on the Office.

The Committee has reported to the Auditor-General on the above and on other matters as it has seen fit. There are no outstanding or unresolved concerns which the Committee has brought to the attention of the Auditor-General.

John Hagen

for the Audit and Risk Committee

28 July 2008
