Part 4: Risk management

Annual Report for the year ended 30 June 2009.

Risk management framework

Our risk management framework is the set of elements of our management system that we use to identify and manage risk. The framework is aligned to our business outcomes and the strategies designed to achieve these outcomes.

Identifying and managing risk is a key part of our planning. Our strategic planning defines plans and allocates resources to achieve certain objectives. An integral part of the planning is to identify anything that might threaten the achievement of those objectives.

We categorise the risks that we are exposed to as strategic or operational risks. All risks are managed within the same framework, because experience shows that inadequately managed operational risks can escalate to become strategic risks.

Strategic risks

We have identified our main strategic risks as being the loss of our independence, audit failure, loss of capability, and loss of reputation:

  • Loss of independence – The risk that we lose independence, in fact or appearance, whether by failure on the part of the Auditor-General or appointed auditors to act independently or otherwise. As independence underpins the value of the Auditor-General's work, loss of independence would undermine trust in our organisation.
  • Audit failure – The risk that we issue an incorrect audit opinion with material impact, or a report that is significantly wrong in nature or process.
  • Loss of capability – The risk that we are unable to retain, recruit, or access people with the technical and other skills our audit work requires.
  • Loss of reputation – The risk that we may lose reputation or credibility, which would affect our relationships with stakeholders.

These risks will always be present, but the way we do our work can greatly reduce them.

Strategic risk mitigation actions

The key mitigation actions are:

  • the Auditor-General's independence standards – the Auditor-General sets a high standard for independence for both employees and appointed auditors from chartered accounting firms;
  • monitoring the independence of the two statutory officers, employees, and appointed auditors – the system includes regular declarations of interest and, where necessary, implementation of measures to avoid conflicts of interest;
  • adhering to professional auditing standards;
  • quality assurance procedures, including complying with NZICA's quality control standards;
  • peer review and substantiation procedures – these include annual independent evaluation of our audit allocation and tendering processes, independent external review of two performance audits each year, stakeholder feedback interviews, and client surveys;
  • an independent Audit and Risk Committee, comprising three external members and the Deputy Controller and Auditor-General; and
  • ongoing training and development of our staff – including talent and capability management programmes, leadership development initiatives, and professional development programmes.

Operational risks

We identify specific risks during our annual planning by carrying out a review of the environment in which we operate. We consider economic, legal, social, environmental, and technological developments, and changes in the accounting and auditing professions, which might affect us. We look too at the effect such matters might have on our stakeholders and the public entities that we audit.

Demand created by changes within the public sector and the accounting and auditing profession, together with the historic difficulty in finding and retaining suitably qualified and experienced staff, has meant that our audit work has had to focus more heavily on the financial statements of public entities. This has been at the expense of public interest audit work based on fuller consideration of the risks and challenges that entities face in their strategic, governance, and operational contexts.

We have been working to rebalance our audit effort to consider this fuller perspective in the audit of each public entity, to the extent judged appropriate by the entity's appointed auditor. These changes have been reflected in the revised Auditor-General's Auditing Standard (AG-4) issued in July 2009. This should result in a stronger emphasis on non-financial reporting, waste, probity, and accountability. It may, over time, affect how our audits are costed, resourced, carried out, and reported.

In Part 3 of this report, we describe the efforts we are making to maintain and build our organisational health and capability to equip us to deal with the increased demands of our environment.

Refining our risk management framework

During 2008/09, we continued to refine our processes for managing risk, to ensure that all significant risks are identified, that mitigation measures are put in place where appropriate, and that responsibility for implementing those measures is clearly allocated. We have also reviewed and updated our risk management documentation to reflect those enhancements.

As a result, we have now established two key steps in our risk management framework:

  • an annual refreshing of our risks and controls, encompassing strategic, environmental, and business plan changes; and
  • a six-monthly review of the identified risks and controls, with subsequent reporting to our leadership teams and our Audit and Risk Committee.

Report of the Audit and Risk Committee

for the year ended 30 June 2009


John Hagen MBA, MCom, FCA (Chairman), Investigating accountant

Stephen Revill BA, LLB

Ross Tanner MA (Hons), MPA (Harvard), Director, Ross Tanner Consulting Limited (to 20 March 2009)

Phillippa Smith BA, LLB, MPP, Deputy Controller and Auditor-General

Neil Walter MA, CNZM, Director (from 20 March 2009)

The Audit and Risk Committee is an independent committee established by and reporting directly to the Auditor-General. The Committee was established in 2003, as the Audit Committee. The reference to risk was included in the name of the Committee in December 2005, to better describe the Committee's role.

The purpose of the Committee is to oversee:

  • risk management and internal control;
  • audit functions (internal and external) for the Office;
  • financial and other external reporting;
  • the governance framework and processes;
  • compliance with legislation, policies, and procedures.

The Committee has no management functions.

During the past year, the Committee:

  • met on five occasions to fulfil its duties and responsibilities;
  • received briefings from the Auditor-General and other senior managers on key business activities of the Office, as a basis for ensuring that risks facing the Office are being appropriately addressed;
  • oversaw the Office's continuing review of its risk management framework and the procedures underpinning the framework;
  • discussed with the external auditors their audit plan for the year and findings from their audit work;
  • monitored the implementation of recommendations made by the external auditor;
  • received and considered reports from the internal auditors (KPMG), and monitored implementation of any recommendations made by the internal auditors;
  • reviewed the annual plan and annual financial statements of the Office prior to their approval by the Auditor-General, having particular regard to the accounting policies adopted, major judgmental areas, and compliance with legislation and relevant standards.

The Committee has reported to the Auditor-General on the above and other matters it has seen fit to do so. There are no outstanding or unresolved concerns that the Committee has brought to the attention of the Auditor-General.

John Hagen

for the Audit and Risk Committee

6 August 2009
