defining the role of internal audit – a government perspective ray harris

Defining the Role of Internal Defining the Role of Internal Audit – A Government Audit – A Government PerspectivePerspective

Ray HarrisRay Harris

BackgroundBackground MyselfMyself Internal Audit In Central Government in UKInternal Audit In Central Government in UK Late 1970’s criticism from the National Audit Office Late 1970’s criticism from the National Audit Office

(NAO) Parliament’s external financial auditors in a (NAO) Parliament’s external financial auditors in a report to the Public Accounts Committee (PAC)report to the Public Accounts Committee (PAC)

Wass Bancroft Report recommending reform and Wass Bancroft Report recommending reform and leading to a basic level of training standard leading to a basic level of training standard (BATS) and a common approach across (BATS) and a common approach across Departments – from financial based Departments – from financial based ‘Internal ‘Internal Check’Check’ and and ‘Tick & Turn’‘Tick & Turn’ to a to a ‘Systems based ‘Systems based approach’ AND adopting the IIA as the approach’ AND adopting the IIA as the preferred professional bodypreferred professional body

Where are we now?Where are we now?

UK Accountability FrameworkUK Accountability Framework

IAIA

http://www.pm.gov.uk/output/Page297.asp

http://www.hm-treasury.gov.uk/index.cfm

http://www.hm-treasury.gov.uk/index.cfm

http://www.nao.org.uk/home.htm

Accounting Officer’s MemorandumAccounting Officer’s Memorandum Accounting Officers are separately appointed by Accounting Officers are separately appointed by

HM Treasury and the responsibilities of the HM Treasury and the responsibilities of the Accounting Officer in relation to Government Accounting Officer in relation to Government Accounting regulations are set out in Accounting regulations are set out in ‘The ‘The Accounting Officer’s Memorandum’Accounting Officer’s Memorandum’

A key component of the Memorandum is that A key component of the Memorandum is that ‘‘Internal Audit is established in accordance with Internal Audit is established in accordance with the objectives, standards and practices set out in the objectives, standards and practices set out in the ‘Government Internal Standards’the ‘Government Internal Standards’ (GIAS) (GIAS) published by HM Treasurypublished by HM Treasury

Accounting Officers have a particular responsibility Accounting Officers have a particular responsibility for ensuring compliance with parliamentary for ensuring compliance with parliamentary requirements in the control of expenditure and in requirements in the control of expenditure and in particular ‘particular ‘Regularity and Propriety’Regularity and Propriety’

RegularityRegularity = requirement for all expenditure and = requirement for all expenditure and receipts to be dealt with in accordance with the receipts to be dealt with in accordance with the legislation authorising them and the rules of legislation authorising them and the rules of Government Accounting i.e. Government Accounting i.e. ‘The Ambit of the ‘The Ambit of the Vote’Vote’

ProprietyPropriety = the further requirement that = the further requirement that expenditure and receipts should be dealt with in expenditure and receipts should be dealt with in accordance with Parliament’s intentions and the accordance with Parliament’s intentions and the principles of parliamentary control including the principles of parliamentary control including the conventions agreed with Parliament (and in conventions agreed with Parliament (and in particular the Public Accounts Committee particular the Public Accounts Committee (PAC)(PAC)

Government Internal Audit Government Internal Audit StandardsStandards

10 Standards 5 relating to 10 Standards 5 relating to Organisational Organisational status 5 relating to status 5 relating to OperationalOperational approach: approach:

Organisational StandardsOrganisational Standards

Standard 1:Standard 1: Scope of Internal Audit – Scope of Internal Audit – defined by the Accounting Officer in defined by the Accounting Officer in Terms Terms of Referenceof Reference which amongst others: which amongst others:

Standard 2:Standard 2: Establish Establish organisational organisational independenceindependence and embrace the risk and embrace the risk management control and governance management control and governance processes of the organisation including processes of the organisation including all all its operations, resources, services and its operations, resources, services and responsibilities for other bodiesresponsibilities for other bodies

Establish internal audit’s Establish internal audit’s right of accessright of access to to all records, assets personnel and premises all records, assets personnel and premises and its authority to obtain such information and its authority to obtain such information as it considers necessary to fulfil its as it considers necessary to fulfil its responsibilitiesresponsibilities

An Accounting Officer is charged with An Accounting Officer is charged with organising internal audit in accordance with organising internal audit in accordance with the objectives, standards and practices set the objectives, standards and practices set out in out in GIASGIAS . .

The HIA should be of appropriate grade or The HIA should be of appropriate grade or status, have wide experience of internal status, have wide experience of internal audit and management, and must meet the audit and management, and must meet the Government Internal Audit Standard and the Government Internal Audit Standard and the Senior Staff standard as set down in Senior Staff standard as set down in GIASGIAS . .

8. The HIA is responsible to the 8. The HIA is responsible to the Accounting Officer, but normally Accounting Officer, but normally reports to reports to the Principalthe Principal Finance Finance Officer and the audit committee. In Officer and the audit committee. In all cases, all cases, the Head of Internal the Head of Internal Audit has the right of direct access Audit has the right of direct access to the Accounting Officer.to the Accounting Officer.

Standard 3: Audit CommitteesStandard 3: Audit Committees

Accounting Officer is required to establish Accounting Officer is required to establish an Audit Committee to:an Audit Committee to:

Advise him on the skills, competence, TORs Advise him on the skills, competence, TORs effectiveness and resourcing of Internal effectiveness and resourcing of Internal Audit including planning, reporting, quality, Audit including planning, reporting, quality, relationships with management and external relationships with management and external audit and the adequacy of management’s audit and the adequacy of management’s responses to audit reportsresponses to audit reports

Head of Audit’s Relationship Head of Audit’s Relationship

The Head of Internal Audit should attend The Head of Internal Audit should attend Audit Committee meetings Audit Committee meetings

The Head of Internal Audit should have a The Head of Internal Audit should have a right of access to the Chair of the Audit right of access to the Chair of the Audit Committee to discuss ant issues they wish Committee to discuss ant issues they wish to raiseto raise

Standard 4: Relationships with Standard 4: Relationships with Management, other Auditors and Management, other Auditors and

other Review Bodiesother Review Bodies Relations with Management – emphasis on Relations with Management – emphasis on

service to management – service to management – mutual trustmutual trust – – added valueadded value – without compromising – without compromising responsibilities to the Accounting Officerresponsibilities to the Accounting Officer

Relations with other Internal Auditors – inter Relations with other Internal Auditors – inter departmental co-operation – reliance on departmental co-operation – reliance on other’s work – Accounting Officer other’s work – Accounting Officer endorsementendorsement

Relationships with External Auditors - Relationships with External Auditors - regular meetings – techniques` and regular meetings – techniques` and methodologies – reliance by external audit methodologies – reliance by external audit on the work of internal auditon the work of internal audit

Relationships with other review bodies – Relationships with other review bodies – management inspection, compliance teams, management inspection, compliance teams, liasion and quality assurance in order to liasion and quality assurance in order to place relianceplace reliance

The Head of Internal Audit should establish The Head of Internal Audit should establish a means to gain an overview of other a means to gain an overview of other assurance providers’ work and if appropriate assurance providers’ work and if appropriate report to the Accounting Officerreport to the Accounting Officer

Standard 5: Staffing Training and Standard 5: Staffing Training and DevelopmentDevelopment

Internal audit should be appropriately Internal audit should be appropriately staffed in terms of numbers, grades and staffed in terms of numbers, grades and experience, having regard to its objectives experience, having regard to its objectives and standards. Internal auditors must be and standards. Internal auditors must be properly trained to fulfil their properly trained to fulfil their responsibilities.responsibilities.

Government Internal Audit Certificate Government Internal Audit Certificate (GIAC)- mandatory(GIAC)- mandatory

Continuing professional developmentContinuing professional development

Standard 6: Audit StrategyStandard 6: Audit Strategy

HIA to develop and maintain an efficient and HIA to develop and maintain an efficient and effective strategy for providing the Accounting effective strategy for providing the Accounting Officer an objective opinion on the effectiveness of Officer an objective opinion on the effectiveness of the organisation’s risk management , control and the organisation’s risk management , control and governance arrangementsgovernance arrangements

The Head of Internal Audit’s opinions are a key The Head of Internal Audit’s opinions are a key element of the framework of assurance the element of the framework of assurance the Accounting Officer needs to inform their Accounting Officer needs to inform their completion of the annual Statement of Internal completion of the annual Statement of Internal Control (SIC) Control (SIC)

Planning:Planning: internal audit work should be internal audit work should be planned at all levels of operation in order to planned at all levels of operation in order to establish priorities, achieve objectives and establish priorities, achieve objectives and ensure the efficient and effective use of ensure the efficient and effective use of audit resourcesaudit resources

Standard 7: Management of Audit Standard 7: Management of Audit AssignmentsAssignments

Assignment planning – scope, objectives Assignment planning – scope, objectives and timing – reporting linesand timing – reporting lines

Sponsors for each assignmentSponsors for each assignment Approach – objectives, risks and controls – Approach – objectives, risks and controls –

appropriateness – over/under controlappropriateness – over/under control Conclusions, report recommendations and Conclusions, report recommendations and

opinionopinion Follow – up – managements implementation Follow – up – managements implementation

of responses to audit recommendationsof responses to audit recommendations

Standard 8: Due Professional Standard 8: Due Professional CareCare

Skill that a reasonably prudent and Skill that a reasonably prudent and competent internal auditor will apply in competent internal auditor will apply in performing their dutiesperforming their duties

Due care = working with competence and` Due care = working with competence and` diligencediligence

Due professional care = the use of audit Due professional care = the use of audit skills and judgement based on appropriate skills and judgement based on appropriate experience training (including CPD) ability, experience training (including CPD) ability, integrity and objectivityintegrity and objectivity

Conduct of individual auditors – compliance Conduct of individual auditors – compliance with standard – appropriate programme of with standard – appropriate programme of quality assurance review by HIA and senior quality assurance review by HIA and senior staff staff

Standard 9: ReportingStandard 9: Reporting

Standards style and methodology set by HIAStandards style and methodology set by HIA HIA produces written report to the HIA produces written report to the

Accounting Officer timed to support the Accounting Officer timed to support the Statement of Internal Control (SIC)Statement of Internal Control (SIC)

HIA produces an annual report covering the HIA produces an annual report covering the overall opinion on the control frameworkoverall opinion on the control framework

In addition to the annual report HIA makes In addition to the annual report HIA makes arrangements for interim reporting to the arrangements for interim reporting to the Accounting Officer in the course of the yearAccounting Officer in the course of the year

Standard 10 : Quality AssuranceStandard 10 : Quality Assurance

A continuously effective level of performance A continuously effective level of performance compliant with the standards is maintainedcompliant with the standards is maintained

HIA to develop a quality assurance programme HIA to develop a quality assurance programme designed to gain assurance both by internal and designed to gain assurance both by internal and external reviewexternal review

HIA to publish an Audit Manual for managing HIA to publish an Audit Manual for managing Internal Audit and ensure that there is appropriate Internal Audit and ensure that there is appropriate supervision throughout all audit assignments supervision throughout all audit assignments

Treasury Definition of IATreasury Definition of IA

INTERNAL AUDIT IS AN INDEPENDENT AND OBJECTIVE APPRAISAL SERVICE WITHIN AN ORGANISATION:

Internal audit primarily provides an Internal audit primarily provides an independent and objective opinion to the independent and objective opinion to the Accounting Officer on risk management, Accounting Officer on risk management, control and governance, by measuring and control and governance, by measuring and evaluating their effectiveness in achieving evaluating their effectiveness in achieving the organisation’s the organisation’s agreed objectivesagreed objectives. .

In addition, internal audit’s findings and In addition, internal audit’s findings and recommendations are beneficial to line recommendations are beneficial to line management in the audited areas.management in the audited areas.

Risk management, control and governance Risk management, control and governance comprise the policies, procedures and operations comprise the policies, procedures and operations established to ensure the achievement of established to ensure the achievement of objectives, the appropriate assessment of risk, the objectives, the appropriate assessment of risk, the reliability of internal and external reporting and reliability of internal and external reporting and accountability processes, compliance with accountability processes, compliance with applicable laws and regulations, and compliance applicable laws and regulations, and compliance with the behavioural and ethical standards set for with the behavioural and ethical standards set for the organisation.the organisation.

Internal audit also provides an independent and objective Internal audit also provides an independent and objective consultancy serviceconsultancy service specifically to help line management specifically to help line management improve the organisation’s risk management, control and improve the organisation’s risk management, control and governance. The service applies the professional skills of governance. The service applies the professional skills of internal audit through a systematic and disciplined internal audit through a systematic and disciplined evaluation of the policies, procedures and operations that evaluation of the policies, procedures and operations that management put in place to ensuremanagement put in place to ensure

the achievement of the organisation’s objectives, and the achievement of the organisation’s objectives, and through recommendations for improvement. Such through recommendations for improvement. Such consultancy work contributes to the opinion which internal consultancy work contributes to the opinion which internal audit provides on risk management, control and audit provides on risk management, control and governance.governance.

WHAT IA DOESWHAT IA DOES ACCOMPLISHMENT OF ACCOMPLISHMENT OF

ESTABLISHED GOALS AND ESTABLISHED GOALS AND OBJECTIVESOBJECTIVES

COMPLIANCE WITH RELEVANT COMPLIANCE WITH RELEVANT LAWS AND REGULATIONSLAWS AND REGULATIONS

RELIABILITY AND INTEGRITY OF RELIABILITY AND INTEGRITY OF INFORMATIONINFORMATION

ECONOMIC, EFFECTIVE AND ECONOMIC, EFFECTIVE AND EFFICIENT USE OF RESOURCESEFFICIENT USE OF RESOURCES

SAFEGUARDING OF ASSETSSAFEGUARDING OF ASSETS

INTERNAL AUDIT DOES INTERNAL AUDIT DOES NOTNOT

ACT AS A POLICEMANACT AS A POLICEMAN ACT AS A SUBSTITUTE FOR ACT AS A SUBSTITUTE FOR

MANAGEMENTMANAGEMENT AUDIT END OF YEAR FINANCIAL AUDIT END OF YEAR FINANCIAL

ACCOUNTSACCOUNTS HAVE RESPONSIBILITY FOR HAVE RESPONSIBILITY FOR

EXECUTIVE FUNCTIONSEXECUTIVE FUNCTIONS INVESTIGATE FRAUDINVESTIGATE FRAUD

Who Are We Here To Serve?Who Are We Here To Serve?

The Accounting OfficerThe Accounting Officer The Management BoardThe Management Board The Audit CommitteeThe Audit Committee

Role of the Audit CommitteeRole of the Audit Committee Appointed by the BoardAppointed by the Board Helps set the “Tone at the Top”Helps set the “Tone at the Top” Reviews the assessment and Reviews the assessment and

management of riskmanagement of risk Provides independent reporting line with Provides independent reporting line with

protection for Internal Audit terms of protection for Internal Audit terms of reference and resourcesreference and resources

Evaluates Internal Audit Coverage and Evaluates Internal Audit Coverage and performanceperformance

Sets priorities for Internal AuditSets priorities for Internal Audit Agrees both long term and annual plansAgrees both long term and annual plans Review of year end Corporate Governance Review of year end Corporate Governance

statements made by managementstatements made by management Review of Corporate Risk AssessmentsReview of Corporate Risk Assessments Review of other sources of assuranceReview of other sources of assurance On going assessments of business critical On going assessments of business critical

projects (BCPs)projects (BCPs)

Internal Audit OutputsInternal Audit Outputs(Tangible)(Tangible)

Audit ReportsAudit Reports The Annual ReportThe Annual Report Strategic and Annual PlansStrategic and Annual Plans Consultancy and adviceConsultancy and advice Protection against outside criticismProtection against outside criticism

Supported BySupported By Individual Audit Reports which must:Individual Audit Reports which must: Focus on the wants and needs of the Focus on the wants and needs of the

Committee and which they can relate to Committee and which they can relate to without going into fine details.without going into fine details.

Demonstrate that the audit effort is being Demonstrate that the audit effort is being directed at the critical areas of the businessdirected at the critical areas of the business

Show added value to the organisationShow added value to the organisation Encompass awareness of current thinking Encompass awareness of current thinking

utilising the latest techniques and promoting utilising the latest techniques and promoting best practice best practice

Who are Your Reports Aimed At?Who are Your Reports Aimed At?

Line Management? - at what level?Line Management? - at what level? Accounting Officer?Accounting Officer? Audit Committee?Audit Committee? External AuditExternal Audit

March 1999March 1999 Ray HarrisRay Harris 3636

Internal Audit OutputsInternal Audit Outputs(Intangible)(Intangible)

Deterrent effectDeterrent effect Wood for the treesWood for the trees Force for the goodForce for the good

March 1999March 1999 Ray HarrisRay Harris

CORPORATEGOVERNANCE


BACKGROUNDBACKGROUND Public disquietPublic disquiet about BCCI, Polly Peck, Maxwell about BCCI, Polly Peck, Maxwell

Pensions and Barings BankPensions and Barings Bank 1992 1992 Cadbury CommitteeCadbury Committee code of practice relating code of practice relating

to the management and control arrrangements of to the management and control arrrangements of companiescompanies

““Rutteman Report”Rutteman Report” produced in 1994 instigated the produced in 1994 instigated the requirement for statements on internal financial requirement for statements on internal financial control, this was developed by the Hampel control, this was developed by the Hampel Committee, successor to the Cadbury CommitteeCommittee, successor to the Cadbury Committee

TreasuryTreasury introduced the requirement to introduced the requirement to departments with effect from 1 January 1998. Post departments with effect from 1 January 1998. Post TurnbullTurnbull the requirement for a statement covering the requirement for a statement covering all control has been introduced wef. 2001all control has been introduced wef. 2001


WHAT IS CORPORATEWHAT IS CORPORATE GOVERNANCE?GOVERNANCE?

Cadbury defined Corporate Governance Cadbury defined Corporate Governance as:as:

The way in which an organisation is The way in which an organisation is managed, and which includes the managed, and which includes the following elements:-following elements:-


MAIN ELEMENTS OF CORPORATE MAIN ELEMENTS OF CORPORATE GOVERNANCEGOVERNANCE

Senior management structure (board of directors Senior management structure (board of directors and audit committee)and audit committee)

Organisational structureOrganisational structure Control environmentControl environment Integrity and ethical valuesIntegrity and ethical values Commitment to competenceCommitment to competence LeadershipLeadership Management’s philosophy and operating styleManagement’s philosophy and operating style Assignment of authority and responsibilityAssignment of authority and responsibility


Human resource policies and practicesHuman resource policies and practices Risk assessmentRisk assessment Strategic planningStrategic planning Change managementChange management Control activitiesControl activities Financial controlFinancial control Information and communicationInformation and communication MonitoringMonitoring


WHAT’S NEW ?

STATEMENT OF INTERNAL CONTROL The Requirement - Treasury Requirement post Turnbull - Widening the Scope

What is Internal Control?

The achievement of objectives in four categories: The effectiveness and of operations; The reliability of internal control (including

the safeguarding of assets); Compliance with applicable laws and regulations. The economical and efficient use of resources

Role of Audit in SICRole of Audit in SIC

Statements contain the wording ‘As Statements contain the wording ‘As Accounting Officer I also have responsibility Accounting Officer I also have responsibility for reviewing the effectiveness of the system for reviewing the effectiveness of the system of internal control. My review of the of internal control. My review of the effectiveness of the system of internal effectiveness of the system of internal control control is informed by the work of the is informed by the work of the internal auditors….’internal auditors….’


Currently managed via five interrelated components :

Control environment

Risk assessment

Control activities

Information and communication

Monitoring

Moving to Enterprise Risk Management which has 8 components

Enterprise Risk ManagementEnterprise Risk Management


1. THE CONTROL ENVIRONMENT

To ensure commitment to competence and quality

To ensure the establishment and maintenance of ethical standards and control consciousness

To ensure an appropriate organisational structure

To ensure appropriate assignment of authority, responsibility and accountability


2. BUSINESS RISK IDENTIFICATION AND ASSESSMENT

To ensure appropriate corporate aims, objectives and measures are in place

To ensure risks to achieving corporate objectives are identified and managed


WHAT IS RISK?WHAT IS RISK?

The threat of bad things happeningThe threat of bad things happening

and/orand/or

Good things not Good things not


RISKRISK

Risk of What?Risk of What?

People - Competence,IntegrityPeople - Competence,Integrity Planning - Should be integratedPlanning - Should be integrated ProcessesProcesses

- information and communications- information and communications

- operational and financial policies and - operational and financial policies and activities activities

- monitoring arrangements- monitoring arrangements

- supporting systems- supporting systems


POTENTIAL BUSINESS RISKSPOTENTIAL BUSINESS RISKS

Failure to meet our business objectivesFailure to meet our business objectives Procurement failures especially IT systemsProcurement failures especially IT systems Failure to implement new initiativesFailure to implement new initiatives Maladministration leading to criticism by Maladministration leading to criticism by

Parliamentary CommissionerParliamentary Commissioner Failure to meet improved performance following Failure to meet improved performance following

changes to organisational procedureschanges to organisational procedures Qualification of the Resource Accounts by NAOQualification of the Resource Accounts by NAO Appearance before the PACAppearance before the PAC


Risk Management CycleRisk Management Cycle

Identify Business RisksIdentify Business Risks

Evaluate Effectiveness of Controls

MonitorImplementation

Implement Revised Controls

Assessment of Risk

AllocateResponsibility

Identifyneed forRevised Controls

ILLUSTRATIVE RISK REGISTER ENTRYILLUSTRATIVE RISK REGISTER ENTRY RISK: REPUTATIONAL Risk owner: Director RCIAS

Risk adviser: J Sullivan Related Objective(s) ‘To be our customers’ first choice’

Risk assessment: Probability – Medium – Impact - High

Sub risks: Reduced Customer

satisfaction Poor product development Poor service delivery Poor Quality control Poor Customer care Inadequate marketing

strategy Misunderstanding

customer/stakeholder expectations

Controls in place

Clearly articulated vision and purpose Values and expected behaviours An open trusting and supportive culture Customer survey Staff training/skills Benchmarking Peer review Documented processes Policy research and development Quality control systems A robust dynamic risk management system with effective

early warning indicators

Audit comment: Overall assessment: Green = Controls in place to manage risks are reasonable Amber = Moderate gap in effectiveness Between controls in place and those required Red = Significant gap in effectiveness Between controls in place and those required

AMBER


3. INFORMATION AND COMMUNICATION

To ensure sufficient, reliable and relevant information is provided to the right people at the right time through appropriate communication systems


4. CONTROL ACTIVITIES

To ensure effective day to day control of key business functions


FINANCIAL CONTROL FRAMEWORK

Comprehensive budgeting system with an annual budget

Procedural review and budget agreement

Preparation of regular financial reports and outturns

Clearly defined capital investment control guidelines

Formal project management disciplines, as appropriate


INTERNAL CONTROLINTERNAL CONTROL

AT SENIOR LEVELAT SENIOR LEVEL

PSA, FOO returns and Stewardship ReportsPSA, FOO returns and Stewardship Reports Financial delegation provided by the Senior Financial delegation provided by the Senior

Finance OfficerFinance Officer Policy on financial mattersPolicy on financial matters Policy on fraud (inc disciplinary measures)Policy on fraud (inc disciplinary measures) IT security policyIT security policy


INTERNAL CONTROLINTERNAL CONTROL

AT OPERATIONAL LEVELAT OPERATIONAL LEVEL Exception ReportingException Reporting Separation of dutiesSeparation of duties Management ChecksManagement Checks Reconciliation proceduresReconciliation procedures Control Risk Self Assessment Control Risk Self Assessment Authorisation proceduresAuthorisation procedures Contractual delegationsContractual delegations

Communication of policy Backup of databases Business Recovery procedures Change control over system softwareCustomer satisfaction surveysCustomer liaison activities Effective marketing and targetingTraining and development strategy


5. MONITORING AND CORRECTIVE ACTION

To ensure appropriate monitoring and corrective action systems are in place: Management Board

MIS

Budget Monitoring

Stewardship Reports

Performance Reporting

Internal Audit


STATEMENT OF INTERNAL CONTROL

ACCOUNTING OFFICER

AUDIT COMMITTEE MANAGEMENT BOARD

INTERNAL AUDITINTERNAL ASSURANCE

OTHER STRANDS OF

ASSURANCE

ASSURANCE STATEMENTS

INCL. CONTROL ASPECTS

>>>AUDIT OPINION

ASSURANCE TEAM’S OPINION CONTROL REQUIREMENTS


STATEMENT OF INTERNAL CONTROL

CORPORATE GOVERNANCE

ASSURANCESTATEMENTS

GROUP STATEMENTS OF INTERNAL CONTROL

AND OTHER SOURCES OF ASSURANCE

END OF YEAR AUDIT COMMITTEE MEETING FACILITATES ACCOUNTING OFFICER’S REVIEW OF

CORPORATE GOVERNANCE ASSURANCE STATEMENTS MADE BY MANAGEMENT AND REVIEW

OF THE RISK REGISTER. HE IS INFORMED BY INTERNAL AUDIT’S INDEPENDENT OPINION ON THE

STATEMENTS AND THE RISK MANAGEMENT STRATEGY


Sources of AssuranceSources of Assurance Corporate Governance Assurance Corporate Governance Assurance

Statements from ManagersStatements from Managers Risk Register -Reviewed by Audit Risk Register -Reviewed by Audit

CommitteeCommittee Internal Audit opinion on Control Internal Audit opinion on Control

EnvironmentEnvironment Internal Audit opinion on Statement of Internal Audit opinion on Statement of

Internal ControlInternal Control Internal Audit opinion on Risk Internal Audit opinion on Risk

Management Management

3 KEY ISSUES3 KEY ISSUES

ProbityProbity

AccountabilityAccountability

TransparencyTransparency

OLD verus NewOLD verus New Old = ANA = 3-5 YEARSOld = ANA = 3-5 YEARS New = 1 year plan derived from risk New = 1 year plan derived from risk

registers and consultation with clientsregisters and consultation with clients Resource Accounting move from input Resource Accounting move from input

funding to output funding over a 3 year funding to output funding over a 3 year performance agreement with Departmentsperformance agreement with Departments

Modernising Government White Paper = Modernising Government White Paper = encouraging managed risk taking in order to encouraging managed risk taking in order to pull through innovation – reduction in pull through innovation – reduction in bureaucracy and red-tapebureaucracy and red-tape

Best in Class AttributesBest in Class Attributes Strategic Alignment – organisation’s value drivers and stakeholder Strategic Alignment – organisation’s value drivers and stakeholder

expectations;expectations; Defined value drivers – identify which internal audit activities create Defined value drivers – identify which internal audit activities create

most value for key stakeholder groups;most value for key stakeholder groups; Good communications – how IA contributes to the organisation’s Good communications – how IA contributes to the organisation’s

performance – clear understanding by senior management of the performance – clear understanding by senior management of the audit function;audit function;

Commitment to human capital – skill needs and resources related Commitment to human capital – skill needs and resources related to value drivers and career development progress;to value drivers and career development progress;

Strong affinity for knowledge management – capture manage and Strong affinity for knowledge management – capture manage and share internal knowledge = most valuable asset after people and share internal knowledge = most valuable asset after people and vital for long-term success;vital for long-term success;

Technology – broad and pervasive use of technology to support Technology – broad and pervasive use of technology to support process, knowledge management and data retrieval and analysis process, knowledge management and data retrieval and analysis support strong performance and consistent results.support strong performance and consistent results.

Maturity Model Gap AnalysisMaturity Model Gap Analysisfor Best in class audit functionsfor Best in class audit functions

Beginning Developing Performing High Performing Excelling

No, haven't really thought about it, too busy.

Don't see yet what it can do for me.

Done a bit of thinking, had some ideas, tried to make it work in one or two areas.

Better than we were but we didn't really follow it through with any real energy.

Think it could be useful but not sure how.

Getting to grips with this.

Did some stuff - and hey! it's working!

We copied the published, recognised model/best practice

The key areas are sorted and improving.

We've shared what we did with a peer group and we're working together to make it better next time.

We're making real progress here.

We tried the standard model then developed it into our own way and it really works for us.

We're getting pretty slick at this - other peole are coming to us to see how we do it.

Our way of doing it is published in AMS.

Everybody else says we're one of the best.

We do this all the time, review it regularly and are always looking to improve the way we do it.

People say our way is the best they've seen and we're working with many of them to help make it even better.

We've redefined the boundary here and we've been asked to publish how we do it internationally.

VisionVisionNextNextNowNow

Managing the Managing the Business:Business:

Providing strategicProviding strategic directiondirection

Audit Policies & Audit Policies & processesprocesses

Business planning Business planning &Performance Mgt &Performance Mgt

Organisational Organisational structure and staffingstructure and staffing

Market & Market & Relationship Relationship Management:Management:

StakeholderStakeholder managementmanagement

CustomerCustomer RelationshipsRelationships

Market IntelligenceMarket Intelligence

Development Development InitiativesInitiatives

Service Delivery:Service Delivery:Operations planningOperations planning

Providing advice and Providing advice and ConsultancyConsultancy

Responding to Responding to requestsrequests

Quality ControlQuality Control

Delivery to time and Delivery to time and cost cost

Continuous Continuous improvementimprovement

Providing AssuranceProviding Assurance

Strategic review looking for:Strategic review looking for:Quick winsQuick winsLonger term development.Longer term development.

An ApproachAn Approach

An Approach - An Approach - Managing the BusinessManaging the Business

Understand the key issues - develop the strategic Understand the key issues - develop the strategic objectivesobjectives

Run as a business – challenging business plan that Run as a business – challenging business plan that is output focused is performance managed and is output focused is performance managed and takes the service forwardtakes the service forward

Maximise the resource available by matching the Maximise the resource available by matching the skill sets, use of enabling technology, flexible skill sets, use of enabling technology, flexible working patterns – reduce the office overhead, working patterns – reduce the office overhead, smarter working now and into the futuresmarter working now and into the future

Policies and processes that underpin the business Policies and processes that underpin the business model.model.

An Approach - An Approach - Market & Relationship Market & Relationship ManagementManagement

Obtain strategic alignment with organisational Obtain strategic alignment with organisational objectivesobjectives

Stakeholder management – construct a policy and Stakeholder management – construct a policy and strategy for effective management of stakeholder strategy for effective management of stakeholder expectationsexpectations

Added value service to the accounting officer, Added value service to the accounting officer, customers and stakeholders by employing a customers and stakeholders by employing a constructive partnership ethosconstructive partnership ethos

Marketing and communication strategy that ensures Marketing and communication strategy that ensures clear definition of requirements and on-going clear definition of requirements and on-going feedback and dialogue.feedback and dialogue.

An Approach - An Approach - Service DeliveryService Delivery Construct a new risk based audit strategy – Construct a new risk based audit strategy –

categories of audit - sources of assurance - audit categories of audit - sources of assurance - audit sponsors – COSO 2 frameworksponsors – COSO 2 framework

Programme construction - 6 month rolling - more Programme construction - 6 month rolling - more reactive to emerging requirementsreactive to emerging requirements

Individuals to have Strategic alignment with Individuals to have Strategic alignment with customers customers

Consistency and quality of approach across the Consistency and quality of approach across the customer base - share best practice customer base - share best practice

Reporting – format, quality, timeliness, relevance, Reporting – format, quality, timeliness, relevance, media - added valuemedia - added value

Continuous improvement driven by customer Continuous improvement driven by customer feedbackfeedback

Successful programme delivery via managing in a Successful programme delivery via managing in a Hard charging regime.Hard charging regime.

CustomerCustomerCustomerCustomer

Process ImprovementProcess ImprovementProcess ImprovementProcess Improvement

Learning and DevelopmentLearning and DevelopmentLearning and DevelopmentLearning and Development

Resource ManagementResource ManagementResource ManagementResource Management

Key Performance Results

Customer ResultsPeople ResultsSociety Results

PeoplePolicy & StrategyPartnerships & Resources

Leadership

Processes

EXTERNAL - RESULTS

INTERNAL - ENABLERS

Business ImprovementBusiness Improvement End to end process reviewEnd to end process review MarketingMarketing Knowledge ManagementKnowledge Management Quality Initiatives (ISO/EFQM)Quality Initiatives (ISO/EFQM) Technology enabledTechnology enabled

Resource ManagementResource Management Audit Plans & Performance MgtAudit Plans & Performance Mgt StaffingStaffing FacilitiesFacilities Staff ManagementStaff Management Contract SupportContract Support

Learning and InnovationLearning and Innovation Professional TrainingProfessional Training General Skills UpliftGeneral Skills Uplift Continuing Professional Continuing Professional

DevelopmentDevelopment Strategic PartneringStrategic Partnering

Service Delivery to ClientsService Delivery to Clients Programme DeliveryProgramme Delivery Product DeliveryProduct Delivery Customer & Stakeholder ManagementCustomer & Stakeholder Management

Learning and InnovationLearning and Innovation Professional TrainingProfessional Training General Skills UpliftGeneral Skills Uplift Continuing Professional DevelopmentContinuing Professional Development Strategic PartneringStrategic Partnering

Resource ManagementResource Management Audit Plans & Performance MgtAudit Plans & Performance Mgt StaffingStaffing FacilitiesFacilities Staff ManagementStaff Management Contract SupportContract Support

Service Delivery to ClientsService Delivery to Clients Programme DeliveryProgramme Delivery Product DeliveryProduct Delivery Customer & Stakeholder Customer & Stakeholder

ManagementManagement

Business ImprovementBusiness Improvement Quality Initiatives Quality Initiatives

(ISO/EFQM)(ISO/EFQM) MarketingMarketing Knowledge ManagementKnowledge Management Technology enabledTechnology enabled

Quick WinsQuick Wins Long Term DevelopmentsLong Term Developments BestBestinin

ClassClass

defining the role of internal audit – a government perspective ray harris

Documents

scope of internal audit

head of internal audit

role of internal audit

rules of government

internal audits

propriety slide

financial based internal

central government