Risk assessment has frequently proved to be of key importance in the current pandemic situation. It served to predict developments related to healthcare and the economy, and served as a pillar for the work of SAIs during the pandemic (Austria, Chile). It helped raise awareness of the importance of risk management among the auditees. It has proved an important role of SAIs as they have a holistic vision of the state actors, have risk management expertise and can provide a comprehensive view of government-wide risks (Costa Rica, Finland, France).
We seek to take a whole of government approach to public audit. For example, a recent example of our approach is the development and execution of our audit program on the UK Government’s response to the COVID-19 pandemic. Our program was developed following an in-depth risk-assessment at a cross-government, sector and entity level. It includes a range of value-for-money audits, augmented by our annual audit of 400 financial statements of government entities. In addition, we have published: • Our first report in May 2020 was a non-evaluative Overview of the UK Government’s response –a baseline for more evaluative audits. • A cost-tracker which provides and overview of the policy measures and financial resources committed. • Guidance for audit and risk committees advising them of the risks to be aware of with the government organizations they help govern.
However, risk-oriented approach dates back a lot and most SAIs report to have already implemented necessary frameworks and systems of risk management since as early, as the 1990s (USA). It proved useful for planning purposes (Cyprus, Jordan, Jamaica, Czech Republic, Malaysia, Russia), selecting audit topics and tasks in order to channel scarce resources in the areas that are of greatest risk (Bahrain, Saint Vincent and the Grenadines). Audit recommendations provide objective actions to solve problems, mitigate risks and improve the implementation of government programs. Risk analysis for planning has become a fundamental part of having an accurate audit sample (Mexico).
Risk management of SAIs frequently rests upon international audit standards and ISO standards (Fiji, Indonesia, Jordan), resulting in development and implementation of special guidelines for risk assessment or risk management strategies (Ecuador, India, North Macedonia, UK).
SAIs designate special staff and units to this area (Algeria, Fiji), which also implies providing necessary training and extensive knowledge-sharing on risk management and prevention (Bahrain, Ecuador, Peru). In this regard SAIs find international cooperation of particular value, which takes form of cooperative audits and surveys (North Macedonia, Costa Rica), as well as workshops and guidelines from relevant INTOSAI working groups. Traditionally, risk-oriented approach has been more frequent in the areas of economy and finance (China, Jamaica), internal control of government entities (Egypt), corruption (Ecuador). However, it is increasingly used to identify emerging risks in new and more specific areas, such as public procurement during the pandemic (Thailand). For this purpose, facilitating stakeholder involvement in risk assessments has been helpful (Russia).
SAI Ecuador, through the development of the Guide "Auditing of Public Private Partnerships PPPs", has proposed an annex for risk assessment. WGFACML development of the Social Control Guide also contributes to reduce lack of communication and societies participation risks in audit processes. Capacity building in risk-based auditing is executed. Under the "SAIs in the Fight against Corruption" Agreement, we trained auditors in prevention of corruption risk. A report was developed on the alignment of the institutional code of ethics with ISSAI-130, to update institutional regulations.
SAIs identify challenges in the process of prioritizing the risks. Namely, when it comes to more global and systemic risks, focusing on some risks rather than others, in a context of uncertainty such as the current pandemic, may prove difficult because it is not up to SAIs to prioritize them, especially if they are risks that are partly beyond the control of governments (France). The complex framework of national, international and shared competences, low availability and accessibility of information and incomplete risk profiling exacerbate the situation (ECA, Malaysia). Traditional organizational culture obstructs the work of SAIs in this area, making it necessary to implement new technological tools and techniques and raising awareness of the importance of risk-management (Peru, Italy).
Moreover, despite the fact, that risk-oriented approach is not something totally new, the identification of the entire audit universe and ranking or scoring the audit universe based on various risk factors is not yet finished. The process is time consuming and thus hinders quick implementation (Malta). Also, insufficient experience and training has been noted in terms of compliance and performance audits, compared to risk-management in financial audits (St. Vincent and the Grenadines). Finally, as the risk-oriented approach is increasingly being taken into account in the planning process and operations of most SAIs, it is becoming less relevant as a separate area of particular focus (Norway).
Risk management is expected to remain or be introduced as the basis for strategic mid-term and long-term planning in the work of SAIs, enable them to identify audit areas, provide strategic recommendations based on risk assessment (Costa Rica, Malta, China, Yemen, Czech Republic, Mexico, Saint Kitts and Nevis). SAIs understand the importance and plan to extend risk-based approach so as to take a high-level view of government goals as opposed to separate areas or audited entities (Cyprus). As stipulated by the provision, it is planned to make an emphasis on systemic risks identification, and to provide effective and strategic audit recommendations (China).
In terms of organizational culture SAIs are looking forward to approve necessary guiding documents, elaborate action plans at the national level to manage risk-based control services and provide necessary training to auditors in risk management (Peru). One of the cross-cutting priorities shall be to employ big data analysis of government’s entire data base for risk identification (Malaysia). Separately, SAIs have planned for more collaborative audits based on risk-oriented approach (Bahamas) and look up to INTOSAI for guidance and leadership in this area (Portugal).