An Overview of Internal Audit An Overview of Internal Audit Jim - - PowerPoint PPT Presentation

An Overview of Internal Audit An Overview of Internal Audit

Jim Farquhar Jim Farquhar – – Chief Internal Chief Internal Auditor Auditor Deborah Clark Deborah Clark – – Audit & Risk Audit & Risk Manager Manager

What is Internal Audit? What is Internal Audit?

• “

“I nternal auditing is an independent, I nternal auditing is an independent,

• bjective assurance and consulting
• bjective assurance and consulting

activity designed to add value and improve activity designed to add value and improve an organisation an organisation’ ’s operations. I t helps an s operations. I t helps an

• rganisation accomplish its objectives by
• rganisation accomplish its objectives by

bringing a systematic, disciplined bringing a systematic, disciplined approach to evaluate and improve the approach to evaluate and improve the effectiveness of risk management, control effectiveness of risk management, control and governance processes and governance processes” ”

The Three Lines of Defence Model The Three Lines of Defence Model

Internal Audit Strategy Internal Audit Strategy

• 2013

2013-

• 16 Strategy agreed July 2013

16 Strategy agreed July 2013

• Purpose, Outputs and Performance

Purpose, Outputs and Performance

• Key responsibilities

Key responsibilities

• Links to the risk profile of the Company

Links to the risk profile of the Company

• Resources

Resources

Work Programme Work Programme

• Risk based plan

Risk based plan

• Internal audit knowledge

Internal audit knowledge

• Input from directors and managers

Input from directors and managers

• Horizon scanning

Horizon scanning

• Approved by Audit Committee

Approved by Audit Committee

Risk Assessment Tool Risk Assessment Tool

1 2 3 4 5 1 Annual Gross Income or Expenditure Budget Up to £500,000 £500,001 - £1million £1-5million £5-10million Over £10million 10 2 Potential losses from cash and other desirable goods Less than £5K £5-25K £25K-100K £100-250K Over £250K 5 3 Volume of transactions per annum Less than 999 1,000 - 9,999 10,000 - 99,999 100,000 - 199,999 More than 200,000 10 4 Complexity of system Simple Straightforward Some Complexities Complex Very Complex 10 5 Adverse publicity Minimum impact on the

• rganisations image

Adverse internal criticism Adverse external criticism Public/media local concern Public/media national

• utrage

8 6 Operational impact Minimal disruption to internal company

• perations

Minimal disruption to public and stakeholders Noticeable disruption to internal operations, public and stakeholders Major disruption to internal company operations and curtailment of ability to fully achieve the organisations strategic objectives. Major disruption to public and stakeholders and inability of organisation to achieve strategic

• bjectives.

10 7 Audit Opinion Operating Well Satisfactory Significant Weakness 4 8 Time since last audit 1 year 2 years 3 years Never/ over 3 years/ follow up 3 9 Experience of management and staff All managers and employees are highly experienced in their roles. Managers and employees have adequate skills and experience. Managers and key employees lack relevant skills, qualifications and experience. 1 10 Staff Turnover/Current Vacancies No changes since last audit Some recent turnover and new staff in key roles High turnover and

• restructuring. Currently

vacancies in key roles. 1 11 Level of Supervision High Adequate Low 3 12 New systems and innovations No changes since last audit New system introduced in the last 1-2 years New system has been introduced since last audit either ICT or process 1 13 Legislative change No changes since last audit Minor legislative changes since last audit Significant changes, full details of new statutory framework unclear 3 RISK RATING SCORE AUDIT FREQUENCY Low 149 or less

• nce every 36 months

Medium 150 to 210

• nce every 24 months

High

• ver 210
• nce every 12 months

Personnel Process Changes Impacts Weighting Materiality Sensitivity Audit History Risk Factors Scores

Performance Performance

• Progress against the plan

Progress against the plan

• Actual hours against planned hours

Actual hours against planned hours

• Number of audit assignments completed

Number of audit assignments completed against plan against plan

• Number of audit recommendations

Number of audit recommendations implemented implemented

• Audits completed within agreed time

Audits completed within agreed time

• Customer satisfaction levels

Customer satisfaction levels

Priority of Recommendations Priority of Recommendations

• HI GH

HI GH -

• These are fundamental

These are fundamental weaknesses, which represent a major risk weaknesses, which represent a major risk to the organisation to the organisation, , service or establishment service or establishment and immediate remedial action is imperative and immediate remedial action is imperative

• MEDI UM

MEDI UM -

• These are weaknesses, which

These are weaknesses, which represent a considerable risk to the represent a considerable risk to the

• rganisation, service or establishment and
• rganisation, service or establishment and

urgent remedial action is necessary urgent remedial action is necessary

• BEST PRACTI CE

BEST PRACTI CE -

• These issues merit

These issues merit attention and their implementation will attention and their implementation will enhance the control environment or enhance the control environment or promote value for money promote value for money

Priority of Recommendations Priority of Recommendations

HI GH HI GH

• Leads to a failure to achieve organisational

Leads to a failure to achieve organisational

• r service objectives
• r service objectives
• Breach of legal requirement

Breach of legal requirement

• Material error

Material error

• Major breach of organisation

Major breach of organisation’ ’s policies or s policies or procedures procedures

• Potential for major public embarrassment

Potential for major public embarrassment

Priority of Recommendations Priority of Recommendations

MEDI UM MEDI UM

• Significant or frequent error rate

Significant or frequent error rate

• Lesser breach of the organisation

Lesser breach of the organisation’ ’s s policies or procedures policies or procedures

• Significant potential to improve value for

Significant potential to improve value for money money

Priority of Recommendations Priority of Recommendations

BEST PRACTI CE BEST PRACTI CE

• Minor but noteworthy errors

Minor but noteworthy errors

• Lesser value for money issue

Lesser value for money issue

Reporting Opinions Reporting Opinions

• OPERATI NG WELL

OPERATI NG WELL -

• Used where the system is

Used where the system is effective and no recommendations or only a few best effective and no recommendations or only a few best practice recommendations have been raised. The vast practice recommendations have been raised. The vast majority of recommendations from the previous audit majority of recommendations from the previous audit need also to have been implemented. need also to have been implemented.

• SATI SFACTORY

SATI SFACTORY -

• Used where the system works but

Used where the system works but there are a number of medium priority recommendations there are a number of medium priority recommendations

• r where issues have not been addressed from the
• r where issues have not been addressed from the

previous audit. previous audit.

• SI GNI FI CANT WEAKNESSES

SI GNI FI CANT WEAKNESSES -

• Used where the

Used where the system is flawed so there is one or more high priority or system is flawed so there is one or more high priority or a large number of medium priority recommendations. a large number of medium priority recommendations. Also where very little or no action has been taken since Also where very little or no action has been taken since the previous audit. the previous audit.

The Process The Process

• Assignment Brief Issued

Assignment Brief Issued

• Fieldwork Undertaken

Fieldwork Undertaken

• Exit Meeting

Exit Meeting

• Working papers and draft report produced

Working papers and draft report produced

• Quality review

Quality review

• Draft report issued

Draft report issued

• Discussion/Negotiation

Discussion/Negotiation

• Final report issued

Final report issued

Action Plans for Management Action Plans for Management

Statement of Internal Control Statement of Internal Control

Annual review of the effectiveness of the Annual review of the effectiveness of the internal control systems covering: internal control systems covering:

• Governance and Risk Management

Governance and Risk Management

• Performance Management

Performance Management

• Financial Management

Financial Management

• Internal Audit

Internal Audit

• External Audit

External Audit

Special Investigations Special Investigations

• Counter fraud and corruption

Counter fraud and corruption investigations investigations

• Financial irregularities

Financial irregularities

• Police liaison

Police liaison

Audit Committee Audit Committee’ ’s Terms of Reference s Terms of Reference

Approval required by the Board following review Approval required by the Board following review by the Committee: by the Committee:

• To consider draft audited accounts and make

To consider draft audited accounts and make recommendations to the Board. recommendations to the Board.

• To (at least annually) report to the Board on the

To (at least annually) report to the Board on the adequacy the Company's financial and internal control adequacy the Company's financial and internal control arrangements and recommendations for change. arrangements and recommendations for change.

• To make recommendations to the Board concerning the

To make recommendations to the Board concerning the appointment of the Company's internal and external appointment of the Company's internal and external auditors (subject to ratification at the AGM) auditors (subject to ratification at the AGM)

Audit Committee Audit Committee’ ’s Terms of Reference s Terms of Reference

Matters delegated to the committee for decision: Matters delegated to the committee for decision:

• To review the work programmes and performance of the

To review the work programmes and performance of the Company's internal and external auditors. Company's internal and external auditors.

• To consider the external auditor's management letter

To consider the external auditor's management letter and draft a response for the Board to approve. and draft a response for the Board to approve.

• To oversee, the Company's financial and internal control

To oversee, the Company's financial and internal control arrangements, including internal audit, risk arrangements, including internal audit, risk management, health and safety, delegations and management, health and safety, delegations and financial regulations. financial regulations.

• Review and monitor management's response to findings

Review and monitor management's response to findings and recommendations of the internal auditor. and recommendations of the internal auditor.

Effective Audit Committee Effective Audit Committee

• Self

Self-

• Assess effectiveness against best

Assess effectiveness against best practice practice

• Ensure you meet the terms of reference

Ensure you meet the terms of reference

• Ask for assurance where you need to

Ask for assurance where you need to

• Knowledge of wider organisation and key

Knowledge of wider organisation and key issues issues

• Horizon scanning

Horizon scanning

• Other assurance providers

Other assurance providers – – The first and The first and second lines of defence second lines of defence

Any Questions? Any Questions?