8/6/2019 Graham Cassell Present at at Ion
Internal Audit
ANNUAL REPORT AND ASSURANCE
Graham Cassell
Head of Internal Audit
ECGD
INTRODUCTION
Government Internal Audit Standards (GIAS)
Opinion
Assurance Frameworks
Annual Report (planning and assignment reporting)
STANDARDS
GIAS Standard 9
(At least) Annually Opinion.
Adequacy and effectiveness.
Risk Management, Governance, Control Processes.
Issues relevant to the Statement on Internal Control (SIC).
Compare actual activity with that planned but..
OPINION
Opinion: positive reasonable assurance.
Scope: sufficient work whole of the organisation.
Positive: confident assertion based on evidence.
Reasonable.
Period of time: cumulative or annual?
ASSURANCE
Assurance framework.
Audit Committee Handbook (consultation draft principle C5.3)
Annual Report
Comprehensiveness of assurances.
Reliability and integrity of these assurances.
Opinion assurance is sufficient.
Specific attention SIC.
Financial reporting.
Quality of IA and EA.
Its own effectiveness.
ASSURANCE
Residual Risk
Assurance Control/Risk Management
Low
Medium
High
Well controlled, although may be some efficiencies to be made. There
is a need to maintain an oversight and consider efficiency
improvements.
Some weaknesses which could have an impact on the achievement of
business objectives. Action is required to monitor the situation and
improve control.
Significant weaknesses which could threaten the achievement of
business objectives. Prompt remedial attention from management is required.
Significant weaknesses which could threaten the achievement of critical
business objectives or lead to a PAC appearance. Urgent remedial
attention from senior management is required.
STRATEGY
Audit strategy
The audit strategy takes into account i) the maturity of risk management in ECGD ii) the audit work on which the Board require an assurance and, iii) the need to provide a balance between fundamental assurance and value added audit and, iv) external audit and other assurance providers.
The Audit Plan reflects ECGD's risk framework and is informed from the following sources:
The strategic risk register - Appendix 1 demonstrates the link between ECGD's strategic risks, which are driven from the Business Plan, and the audit work we plan for the year.
Where possible, Divisional plans (PRPs) / risk registers, which reflect the business and operational risks of the department.
The change programme and associated risk registers - Appendix 3.
The Executive Committee - Discussions with the Accounting Officer and members of the Executive Committee.
Time is also set aside to provide i) consultancy and advice. Consultancy is defined as a request by management for an audit of a specific area of risk/process or issue.
Change is reviewed at two levels. Firstly by a review of the overall governance process for change management. Secondly by reviewing individual projects using one of a range of options.
The IAA Operational plan
Step 1: Strategic risk assessment and operational risk assessment. Define audit universe from top down (i.e. strategic / change programme) and bottom up (i.e. operational) risk profiling of the business.
Step 2: Consider themes and prioritise. Identify themes and consider priorities.
Step 3: Understand what is in the scope of other assurance processes (e.g. self assessment, oversight functions).
Step 4: Flexible audit plan. Develop an internal audit plan and a proposed methodology to address the gaps and / or test the other forms of assurance.
Other labels in the diagram: Change Programme / Major spend; External Audit; Legal; Other assurance; Consultation; Key control reviews; Risk based audits; Consultancy or specia reviews e.g. efficiency.
For example: Governance and control environment; Embedded risk management.
PERIODIC PLANS
Area Area of risk Sponsor Priority Days Comments Qtr
1.1 Board Effectiveness. 1. Strategy and Governance
2.1 Follow up of Pilot Trading Fund Post Implementation Review.
3. Operational
4.1 Reporting, Monthly Management Report and validation of performance information.
4. Financial
3.1 Post cost plan assurance.
2. Risk Management
ASSIGNMENT REPORTING
Introduction
Internal Audit & Assurance have completed their assessment of
Background to the review
Objective
Scope of the review
Summary of approach
Exclusion from scope
Audit assurance and conclusion
Our overall assurance for ..is that there...
As a result IAA have proposed a number of recommendations for action and we attach management's agreed actions in the Detailed Findings at Section 2 of this report.
On the basis of the work performed within this review, we found that:
The risks related to.
Introduction
Background
Objectives and scope of the review
Summary of approach
Exclusion from scope
Audit assurance and conclusion
ASSIGNMENT REPORTING
Risk and control assessment
Our assessment of risk before and after the consideration of the quality of controls is shown below.
1 Inherent risk is our assessment of the level of risk before consideration of any controls.
2 Residual risk takes into account the strength of controls based on our evaluation and testing.
Priorities for Detailed Findings
High Priority
Medium Priority
Low Priority
Risk   Inherent risk rating (1)   Residual risk rating (2)   Finding ref.
Ineffective or incomplete review of all contributions
Medium Low -
Medium Low -
Medium Medium 1.1
High Medium 2.1
High High 2.1-2.6
High Medium 2.1
High Medium 3.1-3.7
Sponsor
Resources
Risks
Risk and control assessment
Priorities for detailed findings
ASSIGNMENT REPORTING
Finding Risk Recommendation Agreed Action
Owner /
Timesca
1) Project Governance Procedures
1.1 The Project Board setup to manage the 2005-06 Finance year end
process...
The process does not have appropriate governance procedures leading to a lack of accountability and management
1. The Project Board
Priority
Internal Audit & Assurance Annual Report
Purpose
Purpose of this document
The purpose of this document is to present Internal Audit's view of the adequacy and effectiveness of ECGD's risk management, internal control and governance processes for the year ended March 2006, based on the internal audit coverage in the year and progress towards implementing agreed actions from earlier periods. Internal Audit's annual report is addressed primarily to the Accounting Officer and is presented also to the Audit Committee for its consideration.
The report is split into a number of sections:
Overall assurance and executive summary.
Summary conclusion and assurance.
High level assurance by audit.
Summary conclusions for each audit.
Outturn against the audit plan.
Key performance indicators.
Internal Audit & Assurance Annual Report
Executive Summary
Overall Assurance.
Our overall assurance is that the system of internal control is well controlled although
there may be some efficiencies to be made. There is a need to maintain an oversight
and consider efficiency improvements.
For the A audit reports issued during the year, we rated B areas as containing minor or no control weaknesses, C areas as indicating some control weaknesses and D areas as containing significant internal control issues.
Implementation of agreed actions.
Management responses to reports issued in the year have been positive. A actions were completed during the year. There are currently B outstanding actions (C high priority) of which D are overdue. E of these are high priority.
Coverage - summary of audit coverage (including wider independent assurances).
Quality Assurance
The feedback received from on completion of each audit was positive. We received an overall score of A out of a possible B (scale one (low) to five (high)). During the year Internal Audit was subject to an independent external quality assurance review; its conclusion was.
Internal Audit & Assurance Annual Report
Summary conclusion and assurance
Governance
Although the Accounting Officer has the ultimate responsibility for standards of governance, risk
management and internal control, he is supported in this by the Board, the Senior Management Team
and the sub-committees to whom responsibility is delegated. Internal Audit was asked to .
Corporate Governance: Code of Good Practice.
Management Board.
Delegated Authorities
Information Systems Management Forum
Risk Management
An assessment of ECGD's financial risk management systems in the context of.
While ECGD's operational risk procedures .
The latest version of the Risk Management Assessment Framework includes numerous examples of.
The last quarterly report on operational risk to the Executive Committee shows that...
Internal Audit & Assurance Annual Report
Summary conclusion and assurance
Financial Management
A review of aspects of financial management concluded that A agreed actions from this
report remain outstanding .
Internal Audit undertook a review of ECGD's financial management arrangements in preparation for a review by HM Treasury. The HM Treasury review was part of a wider review of financial management across central government. The Internal Audit review identified ..
The transfer of ECGD's finance activity to London by March 2006 involved both the recruitment..
HM Treasury Internal Audit conducted an audit on behalf of the HMT Payroll Consortium, of which ECGD is a member.
Internal Audit & Assurance Annual Report
Summary conclusion and assurance
Operational Procedures and control
Systems
Key elements of the Roadmap programme were launched in May 2005. Internal Audit was asked to complete a position statement on the readiness to launch the new operating framework prior to go live. After due consideration of the controls established by management and the assurance received from the key business representatives, Internal Audit ..
As part of the follow-up work on implementation, Internal Audit was asked to undertake an operational procedures review of the new business systems affected by the implementation of the ACBS system. Overall, controls were
Customer Charter
Change Management
Internal Audit & Assurance Annual Report
Summary conclusion and assurance
Information Assurance
The Infrastructure Division (ID) has a framework of control in place. However,
End User Developments
Information systems security
File management and security.
In April 2005, an audit of file management and security . IMPACT is a key element in improving ECGD's business efficiency and enabling a better service to its stakeholders in an environment of cost constraints. The Project
Business Continuity Planning
ECGD is developing a plan to counter the effects on the business of a pandemic outbreak. ECGD also has an overarching Departmental business continuity plan in place. This is supported by
Internal Audit & Assurance Annual Report
Summary conclusion and assurance
Fraud
Over the last year, the Department has been .
Anti bribery and corruption procedures.
Fraud Risk Assessment.
Fraud Policy Statement.
Whistle blowing Policy.
Internal Audit & Assurance Annual Report
Assurance for each audit
Assignment Assurance Assignment Assurance
1. Amber 7. Amber
2. Yellow 8. Yellow
3. Yellow 9. Performing
4. Improving 10. Amber
5. Green 11. Yellow
6. Improving 12. Yellow
Internal Audit & Assurance Annual Report
Summary of conclusions
Review conclusions
We have summarised below our conclusions from each review:
Assignment: File Management and security
Published: April 2005
Audit conclusion: Overall Assurance: Amber
The audit identified a number .
Assignment: Review of Roadmap
Published: May 2005
Audit conclusion: Overall Assurance: Yellow
A number of reports were issued with regard to the launch of the Roadmap products. The final report issued on 10 May 2005 showed..
Internal Audit & Assurance Annual Report
Internal Audit plan for 2005 / 2006
Internal Audit plan for the year. The audit plan for the year to April 2006 is shown below.
Audit title Sponsor Priority Work In Progress Report Published Actual Days Notes
Financial
Political/Legal/Reputational
February 2006
2
Revised to high priority
12
Budget days
Carried forward to 2006/7
40
10 Customer Charter M Complete
H Reporting, MMR and validation of performance information and KPIs.
Internal Audit & Assurance Annual Report
Key performance indicators
Reviews completed in the period.
Status of agreed actions.
Client satisfaction.
Etc.
KEY POINTS
Customer expectations.
Assurance framework.
Holistic approach.
Paint a picture - key messages back and forward looking?
Be positive.
Keep it simple.
House style.
FINAL THOUGHTS
How do we stay fleet of foot and make sure the assurance is relevant to today's challenges?
How do we ensure we add value by providing an assurance against new or emerging standards?
What is unique about Internal Audit (independence aside)? How do we position internal audit assurance alongside other assurance providers?
Do the Standards require updating to reflect a more dynamic environment?