(based on ASX Principle 7)
Recognising and managing risk
Our Risk Management Framework is embedded in our strategic and operational policies and practices. The Auditor-General assumes ultimate responsibility for our Risk Management Framework.
The Office Executive sets the organisation’s Risk Appetite Statement (RAS) and ensures strategic risks are identified, assessed and treated in accordance with the agreed RAS. The Office Executive regularly reviews the enterprise risk register which is supported by detailed analysis of each strategic risk, taking into account the underlying business risks.
The Audit and Risk Committee provides independent advice to the Auditor-General on the risk and internal control frameworks.
Our Risk Management Framework
Our Risk Management Framework is developed in line with NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03), the Risk Management Toolkit (TPP 12-03), the Australian/New Zealand Risk Management Standard (AS/ NZS ISO 31000:2009), and the Accounting Professional and Ethical Standards Board’s professional risk management standard (APES 325 Risk Management for Firms).
During 2015–16, we
- developed a risk appetite statement for the Audit Office. In general, the Audit Office has a low risk appetite for our audit activities, meaning we avoid risk and uncertainty, while we have a more open appetite for risk in our corporate and management activities
- completed a self-assessment of our Risk Management Framework against ISO 31000:2009 and TPP15-03. We identified some areas of improvement around better integrating risk management with our strategic and business planning processes, and risk reporting that will be addressed during 2016−17
- incorporated risk identification in the annual strategic planning process
- delivered enterprise risk management training for the Office Executive and key staff in financial and performance audit, corporate services and governance. The training provided useful tools to identify and manage risks associated with an organisation’s strategic initiatives and objectives.
Our insurance cover is provided by the Treasury Managed Fund in respect of:
- workers’ compensation according to NSW statute
- property (full replacement, new for old, consequential loss, and business continuity costs or losses of revenue)
- liability, including but not limited to public liability, professional indemnity and directors and officers liability
- motor vehicles
- miscellaneous losses including those due to staff dishonesty, personal accident, and protection for local and overseas travel.
Exposures not included are:
- illegal activities
- wear and tear and inherent vice
- pollution (not being sudden and accidental pollution).
In 2016–17, we will:
- refine the way risk is reported to senior management and the Audit and Risk Committee, taking a more enterprise-wide risk approach
- clarify the relationship between operation and strategic risks, and the strategic and business plans, projects, and business as usual
- incorporate risk analysis in corporate key performance indicator (KPI) reporting
- develop an organisation-wide operational risk register in addition to the current strategic risk register
- review our risk appetite.
In 2015–16, our six key strategic risks remained unchanged and were:
- failure to anticipate, manage and live up to stakeholder expectations and to fulfil our mandate
- failure to achieve efficiencies and demonstrate value for money
- our audit opinions and reports do not meet our quality standards
- internal governance failure
- failure to effectively manage our workforce
- inability to adapt to and influence changes in audit mandate.
Risk management and internal control attestation
To provide additional assurance that the Audit Office’s Risk Management Framework and related controls are operating properly, two attestations are completed each year. The first is an annual attestation by the Auditor-General on the quality of the Audit Office’s risk management and internal audit processes. This is based on our compliance with the core requirements of NSW Treasury Policy 15-03 Internal Audit and Risk Management Policy (see our Internal Audit and Risk Management Attestation statement.
The second is a Management Internal Control Sign-Off which is completed annually in line with the Audit Office’s financial statements and covers the financial year. Managers sign off on the implementation of internal controls as they relate to their business area and staff compliance with our policies.