Assessing Risk
Assessing potential risk is an important task when selecting the most significant oversight issues to audit. Auditors can review the information they have gathered early in the audit (governance structure, minutes of board or committee meetings, and so on) and determine whether they can identify indicators that oversight of the selected project, program, or service may be at risk.
A list of common indicators that oversight may be at risk is presented in Table 11. While such indicators can be useful to target further examination work, their presence should not be indiscriminately accepted as evidence that an oversight deficiency exists. Auditors must always gather sufficient appropriate evidence to support a cause-and-effect relationship before concluding that the presence of an indicator means that an actual deficiency exists.
Table 11 – Indicators that Oversight May Be at Risk
- A wholesale change of oversight body members took place or turnover is very high.
- The oversight body does not (or rarely) question and challenge the managers of the overseen initiative.
- The chair of the oversight body is overdominant at oversight meetings.
- Conflicts of interest are a frequent occurrence among the members of the oversight body and/or actions taken to manage known conflicts of interest are not documented.
- Oversight body members are involved in the day-to-day management of the overseen initiative or there is no segregation of duties between the oversight body and the management of the initiative.
- The oversight body rarely meets or holds short, orchestrated, perfunctory meetings.
- The oversight body has no charter or clear terms of reference.
- Oversight body members do not understand their roles, are not aware of the scope of their oversight responsibilities, and believe that many aspects are management’s responsibility.
- Internal audit recommendations are not, or rarely, implemented, or internal audit is being dismantled or outsourced.
- The oversight body does not periodically seek assurance that the overseen initiative is in compliance with applicable legislation, regulations, and policies.
- The oversight body is too passive in defining its information requirements and/or fails to follow up on information requests.
- There is an absence of risk management policies and processes applicable to the overseen initiative, or risk management policies and processes are not being implemented as intended.
- There are significant performance problems in the overseen initiative: poor performance against operational or strategic targets; significant delays and cost overruns; a high number of complaints, penalties, and fines; or risks that are escalating.
- The overseen initiative is not aligned with the department’s mandate.
- There is poor documentation of oversight activities and decisions.
- The oversight body is provided with too much information, or with poorly organized information, prior to oversight meetings.
- The oversight body is not provided with oversight information sufficiently in advance of oversight meetings to facilitate meaningful review.
- Performance information is lacking or misleading.
- There is a failure to take follow-up or corrective actions when significant issues are brought to the attention of the oversight body.