Treasury Management Audit Program
The corporate treasury department is essential to companies when it comes to financial risk management. This sample audit work program focuses on policies and procedures for the corporate treasury department to ensure they are current and approved by the board of directors. Project work steps detailed include: planning, fieldwork, wire transfers, cash management, investments, foreign exposure exchange management, interest rate swaps, and reporting. This document can be used as a general guide to understand and review this process. Organizations should continuously update and monitor the processes included in this document to ensure that it reflects business operations.
Bill Jones
Deputy Commissioner
Canada Revenue Agency
555 MacKenzie Avenue
Ottawa, Ontario K1A 0L5
Canada
16 July 2014
Internal Audit of Enterprise Risk Management
Dear Mr. Jones:
Please find enclosed our internal audit report on enterprise risk management for the Canada Revenue Agency (CRA). The examination phase of this internal audit was conducted between February and April 2014.
This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards for the Government of Canada. This report was prepared for the CRA, and as such any third parties who may wish to make use of it do so entirely at their own risk.
The management action plans incorporated in this report reflect management's response to the findings and recommendations from the internal audit, and have not been assessed by EY.
We would like to extend our thanks to the many senior executives and Agency staff who cooperated with us in performing this audit; it was a pleasure working with your team. Please do not hesitate to contact the undersigned if you would like to discuss any aspect of this report.
Sincerely,
Bill Kessels, CPA, CA, CIA
Partner
613-598-4830
bill.kessels@ca.ey.com
Audit Scope
The audit assessed the CRA's ERM control framework as at October 2013, as well as improvements underway or planned.
Audit Approach
A risk assessment based on interviews and documentation review was carried out during audit planning to determine areas for examination. Audit criteria to address the risks were developed and can be found in Appendix A. The examination phase of the audit was conducted between February and April 2014.
Although the audit was carried out to address all audit criteria, this report has been organized according to themes to group common findings.
This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards for the Government of Canada.
Governance and Independence
The mandate of the Board of Management states that the Board is responsible for overseeing the organization and administration of the CRA and the management of the Agency's resources, services, property, personnel and contracts.
Specifically, the Board oversees the Corporate Business Plan, the management regime and general administration of the Agency, which includes responsibility for reviewing and approving administrative policies governing corporate resources.
The CRA ERM Policy assigns the Board of Management the responsibility for overseeing risk at the Agency.
ERM Framework
The International Organization for Standardization (ISO) 31000 Standards defines a risk management framework as a “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.”
Treasury Board's Framework for the Management of Risk became effective in August 2010 and highlights six key principles that Deputy Heads are encouraged to apply in their responsibility for managing their organization's risks. Specifically, the Treasury Board Framework assigns responsibility to the Deputy Head for leading the implementation of effective risk management practices, monitoring risk management practices, considering risks that arise when partnering with organizations as well as creating a learning environment that promotes continuous improvement in risk management competencies and capacity. Although the ERM Policy outlines these to be the responsibilities of various stakeholders within the Agency, it was noted that the Policy does not explicitly state that the Commissioner and CEO has delegated their assigned accountabilities and responsibilities from Treasury Board through the ERM Policy.
The Agency does not have a documented ERM framework that outlines all the activities that support enterprise risk management in the organization; however, the key elements of an ERM framework are in place.
The ERM framework at the Agency is comprised of the following:
- The ERM Policy that outlines the risk management roles, responsibilities and accountabilities of various stakeholders across the Agency.
- An Assistant Commissioner and Chief Audit Executive, AERB with accountability for providing strategic advice to the Commissioner and CEO, Agency Management Committee (AMC), senior management, and the Board of Management and supporting the effective application of the ERM Policy throughout the Agency.
The Agency should review the ERM Policy, the Board mandate and other ERM supporting documentation to ensure that accountabilities and responsibilities are clearly articulated, particularly in instances where the Commissioner and CEO has delegated their responsibility for risk management activities to stakeholders across the Agency.
Management Action Plan
ERMD agrees with this recommendation as it regularly reviews and updates the corporate policy instruments for which it is responsible. The last review and update occurred in March 2013. The next review will take into account recommendation # 2.
ERMD will also engage with the CCPD of the SIB to ensure roles and responsibilities continue to be aligned with the CRA Board of Management mandate as per the CRA Act, as well as the Treasury Board of Canada Secretariat's Framework for the Management of Risk and Guide to Integrated Risk Management.
2. ERMD should assess the value of formalizing their ERM Framework by documenting a consolidated view of all the activities within the Agency that support the implementation of ERM at the Agency.
Management Action Plan
ERMD agrees with this recommendation and will formalize its existing ERM Framework. ERMD will do this by documenting a consolidated view of the activities that support the implementation of ERM at the Agency by early 2015. The consolidated view will be in the form of a visual representation that will be shared on InfoZone. ERMD will engage the Corporate Committees and Policy Division (CCPD) of the Strategy and Integration Branch (SIB) as the subject matter experts on corporate policy instruments.
3. ERMD should ensure that guidance material on the Agency's Intranet (InfoZone) and communicated to employees through training reflect guidance on how to determine and utilize risk tolerance information.
Management Action Plan
ERMD agrees with this recommendation and has already developed a robust methodology that outlines how risk tolerance can be determined and used. An enhanced communication approach is targeted for spring 2015.
ERMD should assess whether there are sensitivities around the information gathered from their advisory activities that would prohibit sharing of this information across internal Agency stakeholders. Where possible and appropriate, risk information gathered through ERMD activities should be shared with Agency stakeholders that would benefit from the information.
Management Action Plan
ERMD agrees with this recommendation and will assess on a case-by-case basis and with the client's consent, the information from advisory activities that could be shared with other Agency stakeholders. In addition, ERMD will strive to share systemic risk findings from several advisories with Agency stakeholders and will evaluate the most appropriate forum and medium to do so.
5. ERMD should ensure that the risk management training provided to Agency employees meets the Agency's needs with respect to the use of risk information as part of the business planning and resource allocation process.
Management Action Plan
ERMD agrees with this recommendation and has already developed tools and training to support the Agency's needs with respect to the use of risk information as part of the business planning and resource allocation process. The one-day risk management training course includes “Unit 3: Integrating Risk Management into the Workplace” and is further complemented by the following guidance tools developed by ERMD and already available on InfoZone:
- “How to use the CRP information”
- “How to integrate risk management into planning”
An initiative is underway to transfer the one-day course to the Canada School of Public Service (CSPS). As the CRA will no longer have full authority over future content, discussions are underway with the CSPS to leverage the existing content of the course for integration within the school's risk management curriculum.
6. The Agency should target risk management training to those who, based on their role, would benefit the most from it with consideration given to the participant's level and scope of work.
Management Action Plan
ERMD agrees with this recommendation and currently has a multi-faceted approach for risk management training that targets key audiences, based on their roles, with different products to meet their needs. The suite of training products includes a module within the CRA's Leadership Plus manager training program, a component within the annual Executive/Cadre Learning Program and a one day risk management course.
Where appropriate, ERMD will continue to keep training materials relevant and current for the various audiences through its partnership with HRB and the CSPS, with whom the materials of the one-day risk management course have been shared.
ERMD will also continue to use its advisory services and related workload planning as a key source from which individuals or work units tasked with risk management roles can be identified and proactively offered technical assistance to meet their needs.
Corporate Risk Profile
The Agency's CRP identifies and analyzes the enterprise risks that may threaten the achievement of the Agency's mandate and presents the accountabilities for the management of enterprise risks and how these risks are being addressed. The CRP is also a key source of information to assist employees in understanding ERM priorities and applying the principles of sound risk management into their daily activities.
ERMD has a formal approach for developing the CRP that is consistent with the CRA risk management process and described in the ERM Policy. The process takes into consideration various information sources including an internal and external environmental scan and input on risk information from various stakeholders using a middle-up approach, i.e. soliciting managers and Director level resources on risk information.
The 2012-2013 CRP process piloted a risk tolerance approach to assist in streamlining the process by focusing on areas where the residual risk exposure was “in the caution zone” or “above the caution zone” on the risk tolerance scale. This allowed discussions with senior management to focus on ways to address the risks requiring new or further mitigation.
As part of the annual CRP process, ERMD also facilitates the process of engaging the Office of Primary Interests (OPI) and Office of Collaborative Interests (OCI) to gather information on the risk action plans for AMC and Board reporting. The June 2013 status update on CRP enterprise risk action plans was facilitated by ERMD. Follow up on enterprise risks found that 20 of the Agency's 30 enterprise risks were subject to mitigation that resulted in 72 individual initiatives. Senior management were adequately following up on risk action plans and reported that of the 72 individual initiatives planned, 17 were completed, 36 were on track and 19 were mostly on track. There were no initiatives that were categorized as not on track.
Finally, the annual CRP process concludes with ERMD engaging stakeholders to provide ongoing feedback on areas that worked well and areas that would benefit from enhancement.
The culmination of the CRP process in 2012-2013 resulted in the identification of 30 enterprise risks which were prioritized based on categorizing risk responses into three categories: maintain controls, mitigate – current plan or mitigate – new or enhanced plan.
20 of the 30 enterprise risks were considered priorities and required mitigation. A majority of stakeholders interviewed found the CRP to contain too many risks for it to properly allow them to focus on the key areas that require attention. Additionally, many stakeholders noted that the CRP process continued to require a great deal of time and resources from the Branches and Regions while yielding few new risks. ERMD should consider a streamlined CRP process and CRP reporting that leverages the use of a risk register to document and monitor those risks that do not have risk action plans and limit enterprise risk reporting in the CRP to only those that require action, thereby reducing the number of risks in the CRP.
The ERMD prioritization of risks should consider the significance of the gap between residual risk and tolerance.
Management Action Plan
ERMD agrees with this recommendation and will continue to seek opportunities to enhance the CRP development process by streamlining steps and reducing the amount of time required from stakeholders, while ensuring those accountable for managing risks and determining acceptable levels of risk exposure continue to provide input at key decision points.
Synergies
In 2013 the merger of the internal audit and enterprise risk functions allowed the two to leverage risk information between the functions, and the risk based audit plan (RBAP) process included participation of the Risk Advisory Team Lead as an observer.
However, additional opportunities exist to leverage risk and control information among ERMD, Internal Audit Division and Program Evaluation Division. One initiative identified by ERMD as part of their 2013-2016 Strategic Plan is leveraging the internal audit software TeamMate and increasing information sharing between ERMD teams.
ERMD's risk advisory services has developed a workload management approach that considers many key factors in determining the level of support ERMD should provide to clients. This approach considers linkages to: corporate risks, Agency priorities and transformation agenda, scope, fairness of distribution and the client's risk management proficiency. These linkages are utilized as a means to determine where ERMD can provide the highest impact with their expertise. The performance of ERMD's risk advisory services is evaluated using a client satisfaction questionnaire. However, while ERMD is currently developing a performance measurement framework, key performance indicators for the Division are currently informal and without targets. ERMD should review the internal audit, risk management and program evaluation activities to assess whether there are opportunities to further leverage risk and control information between these functions.
Management Action Plan
ERMD agrees with this recommendation and will continue to explore new ways to collaborate with internal audit and program evaluation to leverage risk and controls information.
In 2014-2015, ERMD will once again contribute to the development of the risk-based audit and evaluation plan. In addition, the spring 2015 follow-up cycle will align and, where appropriate, integrate risk and internal audit action plan reporting.
9. ERMD should ensure that the Performance Measurement Framework currently being developed for the Division includes key performance indicators and accompanying targets.
Management Action Plan
ERMD agrees with this recommendation and already had an initiative underway to establish a performance measurement framework (PMF) for the Division. The PMF currently being developed will include key performance indicators and accompanying targets. ERMD will also ensure that its PMF aligns with the Branch level PMF. ERMD is targeting implementation of its initial PMF by spring 2015.
Efficiency and Effectiveness
Although the Agency has been practicing risk management since 2005, the creation of a separate ERM Branch in 2010 has facilitated the development of risk management expertise and the establishment of an ERM Program. Many ERM practices have since been formalized and ERM at the Agency has evolved to what can be considered a “mature” state: where the Agency is refining their ERM practices and processes, rather than developing them. It is noteworthy that the CRA's US counterpart, the Internal Revenue Service (IRS), recently appointed a Chief Risk Officer to lead their ERM program similar to the one CRA has in place.
As previously noted ERMD was comprised of 15 FTEs (including 2 students and a fraud risk assessment resource) with expenditures of $1.3 million in 2013-2014 and is responsible for leading the development of the CRP as well as providing risk advisory services, fraud risk assessment and risk training.
Currently six FTEs plus a student are devoted to the development and monitoring of the CRP and another six FTEs plus a student focus on providing risk advisory services. These two groups are supervised by a full-time Director. The structure and resources devoted to ERMD have allowed CRA to develop an internal consulting capability and eliminated the need for external risk consultants. This insourcing approach has the added benefit of allowing the CRA to maintain its corporate risk knowledge. The investment of resources specifically in the area of the CRP has facilitated the development of risk management processes and enabling infrastructure.
The ERM function was compared against the risk management functions of three other comparable federal government departments in order to identify whether ERMD is efficiently utilizing resources to provide its services. Of the three departments, two identified their risk management functions as established and mature, and one as developing.
None of the departments maintained internal risk consulting groups, although they all performed some form of ad hoc support when requested by stakeholders. The audit found the number of FTEs devoted to the CRP by ERMD was consistent with the organization that possessed a developing maturing risk management function. The organizations with established and mature functions maintained approximately half the FTEs, reflecting that it requires fewer resources to maintain risk infrastructure than it does to build it. ERMD has completed this build out process and is now poised to refocus its resources on areas that meet the Agency's evolving needs. ERMD should examine opportunities to refocus risk management resources reflecting the move to a mature risk management function.
Management Action Plan
ERMD agrees with this recommendation and has already been moving in this direction to support the high volume and ad-hoc nature of risk management advisory services in the Division. ERMD will seek to expand and formalize its matrix approach currently used, where resources are directed to priority initiatives and engagements based on availability and pressures. To formally support the matrix model and resource optimization, a holistic workplan for the division will be established and monitored for 2014-2015 and future years.
Where appropriate, workloads and related decisions will be aligned to larger strategies and objectives, such as the branch strategic plan and Blueprint2020.
Information sources, such as the Strategic Investment Plan and internal audit recommendations, will be leveraged to assist the planning of advisory engagements where the Division can provide maximum value in support of important business initiatives and Agency priorities.
Sub-criteria
1.1 An oversight body is in place with responsibility for overseeing risk management at the Agency.
1.2 The Agency has a clearly defined ERM framework that defines the enterprise risk management roles, responsibilities, and accountabilities of various parties within the Agency including management and ERMD.
1.3 ERMD has a clearly defined role within the Agency's overall ERM framework that is communicated and understood by key stakeholders across the organization.
1.4 Clear governance protocols are established that ensure independence of the ERM function from internal audit.