B.6 Risk Resolution Policy

Background

  1. As part of every audit, PRIA identifies risk-related control deficiencies and potential process improvements. The deficiencies and process improvements are reviewed with appropriate levels of management for resolution and action plans. At times, management may choose to disagree with an observation (i.e., choose to accept the risk noted in the deficiency). When this occurs, PRIA reviews the level of risk to determine if the risk accepted exceeds the risk appetite of the organization.

Scope of Policy

  1. This policy applies to any observation or process improvement where management has elected to accept the risk rather than correct the deficiency and, in the opinion of internal audit, the risk accepted exceeds the risk appetite of the organization.

Policy

  1. When a risk is accepted by management rather than resolved, PRIA will review the likelihood of the risk occurring as well as the impact to the organization should that risk event occur. If the impact on the Office is deemed to be significant, the CAE will meet with the appropriate Service Leader to discuss mitigating measures. If the CAE and the Service Leader are unable to reach a common understanding of the significant risk, the CAE will then discuss the matter with the Auditor General. The Auditor General may resolve the matter at that time or bring the issue forward, with the CAE, to the Audit Committee for further discussion.

  2. If the matter is brought to the Audit Committee, the Audit Committee will make a recommendation to the Auditor General either to accept the risk or to address it. If the Audit Committee chooses not to accept the risk, the CAE will inform the respective Service Leader that the level of risk has not been accepted by the Audit Committee and that a resolution for the issue must be implemented.

  3. In all cases, the Auditor General will be the final arbiter of the level of risk acceptable and unacceptable to the organization.

Last modified:
2018-02-19