Part 3: Managing in a changeable operating environment
Our risk management framework
Our risk management framework is the set of elements of our management system that we use to identify and manage risk. Identifying and managing risk is integral to our business and forms a key part of our annual planning process. Our strategic audit planning defines plans and allocates resources to achieve objectives. An integral part of that process is to identify anything that threatens achievement of our objectives.
We have categorised the risks that we are exposed to as strategic, professional operational, and business operational risks. All risks are managed within the same framework, as experience shows that inadequately managed professional operational and business operational risks can escalate to the level of strategic risk.
Strategic risks
Our risk management framework is aligned to our outcomes and the strategies designed to achieve these outcomes.
Ongoing strategic risks
In our view, we face four strategic risks that will always be present, although much of the work we do helps to mitigate them. In addition, we have identified two risks that relate more specifically to the period of our strategy from 2009-12 and the medium-term period of this annual plan.
- Loss of independence – independence underpins the value of the Auditor-General’s products. Losing that independence in fact or appearance, whether by failure on the part of the Auditor-General or his appointed auditors to act independently or otherwise, would undermine trust in our organisation.
- Audit failure – the risk that we issue an incorrect audit opinion with material impact, or a report that is significantly wrong in nature or process.
- Loss of capability – the risk that we are unable to retain, recruit, or access people with the technical and other skills our audit work requires.
- Loss of reputation – the risk that we may lose reputation or credibility that affects our ability to maintain effective relationships with stakeholders.
Mitigation actions
Our main mitigation actions for the ongoing strategic risks are:
- the Auditor-General’s independence standards – the Auditor-General sets a high standard for independence for his employees and the auditors he appoints;
- monitoring of the independence of the two statutory officers, employees, and appointed auditors – the system includes regular declarations of interest and, where necessary, implementation of measures to avoid conflicts of interest;
- adhering to professional auditing standards and supplementing such standards with the Auditor-General’s auditing standards;
- quality assurance regimes, including implementing and complying with revised quality control standards from the New Zealand Institute of Chartered Accountants;
- peer review and substantiation procedures – these include annual independent evaluation of our audit allocation and tendering processes, independent external review of two performance audits each year, and stakeholder feedback studies;
- an independent Audit and Risk Committee, comprising three external members and the Deputy Controller and Auditor-General; and
- ongoing training and development of our staff – including talent and capability management programmes, leadership development initiatives, and professional development programmes.
Overall, the Office is effectively managing its ongoing strategic risks. This view is based on our ongoing monitoring and the results of our international peer review conducted during 2007/08.
Strategic risks in 2009-12
Our Strategy 2009-12 recognises the effects on the Office of demands created by changes within the public sector and the accounting and auditing profession together with the continuing difficulty in finding and retaining suitably qualified and experienced staff. The coupling of public sector and accounting and auditing professional changes with labour market difficulties has meant that our audit work has had to focus more heavily on public entities’ financial statements. This has been at the expense of public-interest audit work based on fuller consideration of the risks and challenges that public entities face in their strategic, governance, and operational contexts.
We intend working to rebalance our audit effort during the period of our Strategy 2009-12 and for the medium-term period of this annual plan. In considering this, we have identified two additional strategic risks that may also affect our operational risks in 2009-12.
- Failure to successfully implement our strategy the risk that our Strategy 2009-12 will place significant demands on our people, capability, and resources during the next three years. This strategy will test our ability to build relationships and communicate to public entities and Parliament about the focus of our work and the benefits they may expect to see as a result – in particular, in the wider context of fiscal constraint for public entities and increasing pressure on audit and assurance costs. Our strategy proposes incremental movement toward providing greater insight and value from the work we do, to allow for adjustment and learning on our own part and on that of public entities.
As the Auditor-General’s discretionary mandate is broad, it is inevitable that we will not meet all expectations. With more than 87% of the Office’s expenditure being on annual audits and the level of audit work not being significantly within our control, achieving our strategy also depends on the willingness:- of Parliament and others to rigorously explore opportunities for a more differentiated model of accountability for public entities and to reduce audit and other compliance costs where appropriate; and
- of Parliament to consider questions about the balance of funding available to the Office for other discretionary products to allow us to conduct a greater range of work in the public interest – such as performance audits and other studies, inquiries, and supporting accountability to Parliament.
- Leadership transition the risk of a loss of focus or direction resulting from uncertainty during the transition of leadership to a new Auditor-General and to a new Executive Director of Audit New Zealand. Our Strategy 2009-12 was being prepared at the time that a new Executive Director (Stephen Walker) joined us, and the term of the incumbent Auditor-General (Kevin Brady) ends in mid-2009. The current Auditor-General has been clear that, while an incoming Auditor-General will bring their own priorities to the job, it is important for us to prepare the strategy for 2009-12 to ensure that the Office’s current intentions and position are clearly laid out for the new Auditor-General to consider. The current Deputy Auditor-General’s term runs to mid-2010, providing a clear bridge for the transition between the outgoing and incoming Auditors-General and for the new Executive Director.