Transcript Presentation to TRs Changes and Potential Impact 21 August 2014

TREASURY REGULATIONS’ CHANGES AND
POTENTIAL IMPACT
OFFICE OF THE ACCOUNTANT-GENERAL
Presenter: Risk Management Support
| National Treasury
| August 2014
BACKGROUND
2
CURRENT TREASURY REGULATIONS
Part 2 Management Arrangements
3. Internal control
“3.2.1 The accounting officer must ensure that a risk assessment is
conducted regularly to identify emerging risks of the institution. A risk
management strategy, which must include a fraud prevention plan, must be
used to direct internal audit effort and priority, and to determine the skills
required of managers and staff to improve controls and to manage these
risks.
The strategy must be clearly communicated to all officials to ensure that the
risk management strategy is incorporated into the language and culture of
the institution”.
TRs Updated October 2012
3
CURRENT TREASURY REGULATIONS Cont...
“3.2.7 An internal audit unit must prepare, in consultation with and for
approval by the audit committee –
(a) a rolling three-year strategic internal audit plan based on its
assessment of key areas of risk for the institution, having regard to its
current operations, those proposed in its strategic plan and its risk
management strategy”.
TRs Updated October 2012
4
PROPOSED RISK MANAGEMENT CHANGES
Chapter 4: Corporate Governance
Part 1: Internal control
16 (2) The system of internal control referred to in sub-regulation (1) must
consist of the following components:
(a) Control environment;
(b) risk assessment;
(c) control activities;
(d) information and communication; and
(e) monitoring activities.
5
PROPOSED RISK MANAGEMENT CHANGES Cont…
Part 2: Risk Management
22 (2) The system of risk management referred to in subregulation (1) must
at least include –
 systematic process to identify and document the key risks in a risk
register regardless of whether or not such risks are within the direct
control of the institution;
 a fraud and corruption prevention strategy and plan;
 review of the business continuity plan;
 assessment of risks within SCM processes, including the awarding of
bids;
 assessment of occupational health and safety risks;
 establishing the risk tolerance and risk appetite levels of the
institution; and
 an assessment of operational losses
6
FORA FOCUS AREAS
Previous Fora Topics
Other Topics
• Business Continuity Plan
• Supply Chain Management
• Fraud Risk Assessment
• Assessment of Operational
• Risk Appetite and Tolerance
• Information Technology
Losses
• Assessment of OHS Risks
• Combined Assurance
7
BCP ISSUES DISCUSSED
• What is a business continuity plan?
• What should be considered when developing a business continuity plan?
• Who are the key stakeholders in developing a BCP?
• Is it a function for risk officers?
• How does a BCP relate to identified risks?
• Is there an acceptable standard or framework that should be followed in
developing BCPs?
• What are the typical issues raised by assurance providers about BCPs?
8
THE 6 ELEMENTS OF THE BCM LIFECYCLE
1. Understand the Organisation
2. Determine the BCM strategy
3. Develop & implement a BCM
response
4. Exercise, maintain & review
5. Establish BCM policy and
programme management
6. Embed a BCM Culture
9
SERVICE CONTINUITY PLANS
SOUTH AFRICA EARTHQUAKE KILLS
ONE, 17 MINERS INJURED
POWER FAILURE AT SITA
CENTURION
10
FRAUD RISK ASSESSMENT ISSUES DISCUSSED
• What is Fraud Risk Management
• Minimum Requirements for an Effective Risk Management Programme
• Fraud Risk Management Reports
• Role of Chief Risk Officer
• Expectations of Assurance Providers on the Assessment and
Management of Fraud Risks
• Challenges that Affect the Successful Implementation of FRM Plans
11
IT RISK GOVERNANCE ISSUES DISCUSSED
•
IT risk is a business risk specifically associated with the use, ownership, operation,
involvement, influence and adoption of IT within an enterprise.
•
It consists of IT-related events that could potentially impact the business. It can occur
with both uncertain frequency and magnitude, and it creates challenges in meeting
strategic goals and objectives;
•
Aims to prioritize and manage IT risk;
•
Senior executives need a frame of reference and a clear understanding of the IT
function and IT risk associated with it;
DPSA
•
IT risk is not just a technical issue; and
•
Organisation managers determine what IT needs to do to support their business;
they set the targets for IT and are accountable for managing the associated risks.
12
THE RELATIONSHIP BETWEEN IT RISK & IT AUDIT
Source: National Treasury Internal Audit - Information Systems Audit Methodology
13
RISK APPETITE & TOLERANCE ISSUES DISCUSSED
14
RISK APPETITE & TOLERANCE ISSUES DISCUSSED
• ;
15
SCM & OPERATIONAL LOSSES
..
16
CONCLUSION
17
THANK YOU
18