Embed Size (px)
Citation preview
An Overview of Internal An Overview of Internal AuditAudit
Jim Farquhar – Chief Internal Jim Farquhar – Chief Internal AuditorAuditor
Deborah Clark – Audit & Risk Deborah Clark – Audit & Risk ManagerManager
What is Internal Audit?What is Internal Audit?
• ““Internal auditing is an independent, Internal auditing is an independent, objective assurance and consulting objective assurance and consulting activity designed to add value and activity designed to add value and improve an organisation’s operations. improve an organisation’s operations. It helps an organisation accomplish its It helps an organisation accomplish its objectives by bringing a systematic, objectives by bringing a systematic, disciplined approach to evaluate and disciplined approach to evaluate and improve the effectiveness of risk improve the effectiveness of risk management, control and governance management, control and governance processes”processes”
The Three Lines of Defence The Three Lines of Defence ModelModel
Internal Audit StrategyInternal Audit Strategy
• 2013-16 Strategy agreed July 20132013-16 Strategy agreed July 2013
• Purpose, Outputs and PerformancePurpose, Outputs and Performance
• Key responsibilitiesKey responsibilities
• Links to the risk profile of the Links to the risk profile of the CompanyCompany
• ResourcesResources
Work ProgrammeWork Programme
• Risk based planRisk based plan
• Internal audit knowledgeInternal audit knowledge
• Input from directors and managersInput from directors and managers
• Horizon scanningHorizon scanning
• Approved by Audit CommitteeApproved by Audit Committee
Risk Assessment ToolRisk Assessment Tool1 2 3 4 5
1 Annual Gross Income or
Expenditure Budget
Up to £500,000 £500,001 - £1million £1-5million £5-10million Over £10million
102 Potential losses from
cash and other desirable goods
Less than £5K £5-25K £25K-100K £100-250K Over £250K
53 Volume of
transactions per annum
Less than 999 1,000 - 9,999 10,000 - 99,999 100,000 - 199,999 More than 200,000
104 Complexity of
systemSimple Straightforward Some Complexities Complex Very Complex
10
5 Adverse publicity Minimum impact on the organisations image
Adverse internal criticism Adverse external criticism Public/media local concern Public/media national outrage 8
6 Operational impact Minimal disruption to internal company
operations
Minimal disruption to public and stakeholders
Noticeable disruption to internal operations, public
and stakeholders
Major disruption to internal company operations and
curtailment of ability to fully achieve the organisations
strategic objectives.
Major disruption to public and stakeholders and
inability of organisation to achieve strategic
objectives. 10
7 Audit Opinion Operating Well Satisfactory Significant Weakness 48 Time since last audit 1 year 2 years 3 years Never/ over 3 years/ follow
up 3
9 Experience of management and
staff
All managers and employees are highly
experienced in their roles.
Managers and employees have adequate skills and
experience.
Managers and key employees lack relevant skills, qualifications and
experience. 110 Staff
Turnover/Current Vacancies
No changes since last audit
Some recent turnover and new staff in key roles
High turnover and restructuring. Currently vacancies in key roles. 1
11 Level of Supervision High Adequate Low3
12 New systems and innovations
No changes since last audit
New system introduced in the last 1-2 years
New system has been introduced since last audit
either ICT or process1
13 Legislative change No changes since last audit
Minor legislative changes since last audit
Significant changes, full details of new statutory
framework unclear 3
RISK RATING SCORE AUDIT FREQUENCYLow 149 or less once every 36 months
Medium 150 to 210 once every 24 monthsHigh over 210 once every 12 months
Pers
on
nel
Pro
cess C
han
ges
Imp
acts
Weig
hti
ng
Mate
riali
tyS
en
sit
ivit
yA
ud
it
His
tory
Ris
k F
acto
rs Scores
PerformancePerformance
• Progress against the planProgress against the plan
• Actual hours against planned hoursActual hours against planned hours
• Number of audit assignments Number of audit assignments completed completed against planagainst plan
• Number of audit recommendations Number of audit recommendations implemented implemented
• Audits completed within agreed timeAudits completed within agreed time
• Customer satisfaction levelsCustomer satisfaction levels
Priority of Priority of RecommendationsRecommendations• HIGHHIGH - These are fundamental - These are fundamental weaknesses, weaknesses, which represent a major risk which represent a major risk to the to the organisationorganisation, , service or establishment service or establishment and and immediate remedial action is imperative immediate remedial action is imperative
• MEDIUMMEDIUM - These are weaknesses, which - These are weaknesses, which represent a considerable risk to the represent a considerable risk to the organisation, organisation, service or establishment and service or establishment and urgent remedial urgent remedial action is necessaryaction is necessary
• BEST PRACTICEBEST PRACTICE - These issues merit - These issues merit attention attention and their implementation will and their implementation will enhance the enhance the control environment or control environment or promote value for moneypromote value for money
Priority of Priority of RecommendationsRecommendationsHIGHHIGH
• Leads to a failure to achieve Leads to a failure to achieve organisational organisational or service objectivesor service objectives
• Breach of legal requirementBreach of legal requirement
• Material errorMaterial error
• Major breach of organisation’s policies or Major breach of organisation’s policies or proceduresprocedures
• Potential for major public embarrassmentPotential for major public embarrassment
Priority of Priority of RecommendationsRecommendationsMEDIUMMEDIUM
• Significant or frequent error rateSignificant or frequent error rate
• Lesser breach of the organisation’s Lesser breach of the organisation’s policies or procedurespolicies or procedures
• Significant potential to improve value for Significant potential to improve value for moneymoney
Priority of Priority of RecommendationsRecommendations
BEST PRACTICEBEST PRACTICE
• Minor but noteworthy errorsMinor but noteworthy errors
• Lesser value for money issueLesser value for money issue
Reporting OpinionsReporting Opinions• OPERATING WELL -OPERATING WELL - Used where the system is effective Used where the system is effective
and no recommendations or only a few best practice and no recommendations or only a few best practice recommendations have been raised. The vast majority of recommendations have been raised. The vast majority of recommendations from the previous audit need also to recommendations from the previous audit need also to have been implemented. have been implemented.
• SATISFACTORY -SATISFACTORY - Used where the system works but Used where the system works but there are a number of medium priority recommendations there are a number of medium priority recommendations or where issues have not been addressed from the or where issues have not been addressed from the previous audit.previous audit.
• SIGNIFICANT WEAKNESSES -SIGNIFICANT WEAKNESSES - Used where the system Used where the system is flawed so there is one or more high priority or a large is flawed so there is one or more high priority or a large number of medium priority recommendations. Also number of medium priority recommendations. Also where very little or no action has been taken since the where very little or no action has been taken since the previous audit.previous audit.
The ProcessThe Process
• Assignment Brief IssuedAssignment Brief Issued• Fieldwork UndertakenFieldwork Undertaken• Exit MeetingExit Meeting• Working papers and draft report producedWorking papers and draft report produced• Quality reviewQuality review• Draft report issuedDraft report issued• Discussion/NegotiationDiscussion/Negotiation• Final report issuedFinal report issued
Action Plans for Action Plans for ManagementManagement
Statement of Internal Statement of Internal ControlControl
Annual review of the effectiveness of Annual review of the effectiveness of the internal control systems covering:the internal control systems covering:
• Governance and Risk ManagementGovernance and Risk Management• Performance ManagementPerformance Management• Financial ManagementFinancial Management• Internal AuditInternal Audit• External AuditExternal Audit
Special InvestigationsSpecial Investigations
• Counter fraud and corruption Counter fraud and corruption investigationsinvestigations
• Financial irregularitiesFinancial irregularities
• Police liaisonPolice liaison
Audit Committee’s Terms of ReferenceAudit Committee’s Terms of Reference
Approval required by the Board following Approval required by the Board following review by the Committee:review by the Committee:
• To consider draft audited accounts and make To consider draft audited accounts and make recommendations to the Board.recommendations to the Board.
• To (at least annually) report to the Board on the To (at least annually) report to the Board on the adequacy the Company's financial and internal adequacy the Company's financial and internal control arrangements and recommendations for control arrangements and recommendations for change.change.
• To make recommendations to the Board concerning To make recommendations to the Board concerning the appointment of the Company's internal and the appointment of the Company's internal and external auditors (subject to ratification at the AGM)external auditors (subject to ratification at the AGM)
Audit Committee’s Terms of ReferenceAudit Committee’s Terms of Reference
Matters delegated to the committee for Matters delegated to the committee for decision:decision:
• To review the work programmes and performance To review the work programmes and performance of the Company's internal and external auditors.of the Company's internal and external auditors.
• To consider the external auditor's management To consider the external auditor's management letter and draft a response for the Board to approve.letter and draft a response for the Board to approve.
• To oversee, the Company's financial and internal To oversee, the Company's financial and internal control arrangements, including internal audit, risk control arrangements, including internal audit, risk management, health and safety, delegations and management, health and safety, delegations and financial regulations.financial regulations.
• Review and monitor management's response to Review and monitor management's response to findings and recommendations of the internal findings and recommendations of the internal auditor.auditor.
Effective Audit CommitteeEffective Audit Committee
• Self-Assess effectiveness against best Self-Assess effectiveness against best practicepractice
• Ensure you meet the terms of referenceEnsure you meet the terms of reference• Ask for assurance where you need toAsk for assurance where you need to• Knowledge of wider organisation and key Knowledge of wider organisation and key
issuesissues• Horizon scanningHorizon scanning• Other assurance providers – The first and Other assurance providers – The first and
second lines of defencesecond lines of defence
Any Questions?Any Questions?
