TREASURY REGULATIONS’ CHANGES AND POTENTIAL IMPACT

OFFICE OF THE ACCOUNTANT-GENERAL

Presenter: Risk Management Support | National Treasury | August 2014

BACKGROUND

2

CURRENT TREASURY REGULATIONS

Part 2 Management Arrangements

3. Internal control

“3.2.1 The accounting officer must ensure that a risk assessment is conducted regularly to identify emerging risks of the institution. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority, and to determine the skills required of managers and staff to improve controls and to manage these risks.

The strategy must be clearly communicated to all officials to ensure that the risk management strategy is incorporated into the language and culture of the institution”.

TRs Updated October 2012

3

CURRENT TREASURY REGULATIONS Cont...

“3.2.7 An internal audit unit must prepare, in consultation with and for approval by the audit committee –

(a) a rolling three-year strategic internal audit plan based on its assessment of key areas of risk for the institution, having regard to its current operations, those proposed in its strategic plan and its risk management strategy”.

TRs Updated October 2012

4

PROPOSED RISK MANAGEMENT CHANGES

Chapter 4: Corporate Governance

Part 1: Internal control

16 (2) The system of internal control referred to in sub-regulation (1) must consist of the following components:

(a) Control environment;

(b) risk assessment;

(c) control activities;

(d) information and communication; and

(e) monitoring activities.

5

PROPOSED RISK MANAGEMENT CHANGES Cont…

Part 2: Risk Management

22 (2) The system of risk management referred to in subregulation (1) must at least include –

systematic process to identify and document the key risks in a risk register regardless of whether or not such risks are within the direct control of the institution;

a fraud and corruption prevention strategy and plan; review of the business continuity plan; assessment of risks within SCM processes, including the awarding of

bids; assessment of occupational health and safety risks; establishing the risk tolerance and risk appetite levels of the

institution; and an assessment of operational losses

6

FORA FOCUS AREAS

Previous Fora Topics

• Business Continuity Plan

• Fraud Risk Assessment

• Risk Appetite and Tolerance

• Information Technology

• Combined Assurance

Other Topics

• Supply Chain Management

• Assessment of Operational

Losses

• Assessment of OHS Risks

7

BCP ISSUES DISCUSSED

• What is a business continuity plan?

• What should be considered when developing a business continuity plan?

• Who are the key stakeholders in developing a BCP?

• Is it a function for risk officers?

• How does a BCP relate to identified risks?

• Is there an acceptable standard or framework that should be followed in

developing BCPs?

• What are the typical issues raised by assurance providers about BCPs?

8

THE 6 ELEMENTS OF THE BCM LIFECYCLE

1. Understand the Organisation

2. Determine the BCM strategy

3. Develop & implement a BCM

response

4. Exercise, maintain & review

5. Establish BCM policy and

programme management

6. Embed a BCM Culture

9

SERVICE CONTINUITY PLANS

SOUTH AFRICA EARTHQUAKE KILLS ONE, 17 MINERS INJURED

POWER FAILURE AT SITA CENTURION

10

FRAUD RISK ASSESSMENT ISSUES DISCUSSED

• What is Fraud Risk Management

• Minimum Requirements for an Effective Risk Management Programme

• Fraud Risk Management Reports

• Role of Chief Risk Officer

• Expectations of Assurance Providers on the Assessment and

Management of Fraud Risks

• Challenges that Affect the Successful Implementation of FRM Plans

11

IT RISK GOVERNANCE ISSUES DISCUSSED

• IT risk is a business risk specifically associated with the use, ownership, operation,

involvement, influence and adoption of IT within an enterprise.

• It consists of IT-related events that could potentially impact the business. It can occur

with both uncertain frequency and magnitude, and it creates challenges in meeting

strategic goals and objectives;

• Aims to prioritize and manage IT risk;

• Senior executives need a frame of reference and a clear understanding of the IT

function and IT risk associated with it;

• IT risk is not just a technical issue; and

• Organisation managers determine what IT needs to do to support their business;

they set the targets for IT and are accountable for managing the associated risks.

12

DPSA

THE RELATIONSHIP BETWEEN IT RISK & IT AUDIT

Source: National Treasury Internal Audit - Information Systems Audit Methodology 13

RISK APPETITE & TOLERANCE ISSUES DISCUSSED

14

RISK APPETITE & TOLERANCE ISSUES DISCUSSED

• ;

15

SCM & OPERATIONAL LOSSES

..

16

CONCLUSION

17

THANK YOU

18