Defining the Role of Internal Audit – A Government Perspective
description
Transcript of Defining the Role of Internal Audit – A Government Perspective
Defining the Role of Internal Defining the Role of Internal Audit – A Government Audit – A Government PerspectivePerspective
Ray HarrisRay Harris
BackgroundBackground MyselfMyself Internal Audit In Central Government in UKInternal Audit In Central Government in UK Late 1970’s criticism from the National Audit Office Late 1970’s criticism from the National Audit Office
(NAO) Parliament’s external financial auditors in a (NAO) Parliament’s external financial auditors in a report to the Public Accounts Committee (PAC)report to the Public Accounts Committee (PAC)
Wass Bancroft Report recommending reform and Wass Bancroft Report recommending reform and leading to a basic level of training standard leading to a basic level of training standard (BATS) and a common approach across (BATS) and a common approach across Departments – from financial based Departments – from financial based ‘Internal ‘Internal Check’Check’ and and ‘Tick & Turn’‘Tick & Turn’ to a to a ‘Systems based ‘Systems based approach’ AND adopting the IIA as the approach’ AND adopting the IIA as the preferred professional bodypreferred professional body
Where are we now?Where are we now?
UK Accountability FrameworkUK Accountability Framework
IAIA
Accounting Officer’s MemorandumAccounting Officer’s Memorandum Accounting Officers are separately appointed by Accounting Officers are separately appointed by
HM Treasury and the responsibilities of the HM Treasury and the responsibilities of the Accounting Officer in relation to Government Accounting Officer in relation to Government Accounting regulations are set out in Accounting regulations are set out in ‘The ‘The Accounting Officer’s Memorandum’Accounting Officer’s Memorandum’
A key component of the Memorandum is that A key component of the Memorandum is that ‘‘Internal Audit is established in accordance with Internal Audit is established in accordance with the objectives, standards and practices set out in the objectives, standards and practices set out in the ‘Government Internal Standards’the ‘Government Internal Standards’ (GIAS) (GIAS) published by HM Treasurypublished by HM Treasury
Accounting Officers have a particular responsibility Accounting Officers have a particular responsibility for ensuring compliance with parliamentary for ensuring compliance with parliamentary requirements in the control of expenditure and in requirements in the control of expenditure and in particular ‘particular ‘Regularity and Propriety’Regularity and Propriety’
RegularityRegularity = requirement for all expenditure and = requirement for all expenditure and receipts to be dealt with in accordance with the receipts to be dealt with in accordance with the legislation authorising them and the rules of legislation authorising them and the rules of Government Accounting i.e. Government Accounting i.e. ‘The Ambit of the ‘The Ambit of the Vote’Vote’
ProprietyPropriety = the further requirement that = the further requirement that expenditure and receipts should be dealt with in expenditure and receipts should be dealt with in accordance with Parliament’s intentions and the accordance with Parliament’s intentions and the principles of parliamentary control including the principles of parliamentary control including the conventions agreed with Parliament (and in conventions agreed with Parliament (and in particular the Public Accounts Committee particular the Public Accounts Committee (PAC)(PAC)
Government Internal Audit Government Internal Audit StandardsStandards
10 Standards 5 relating to 10 Standards 5 relating to Organisational Organisational status 5 relating to status 5 relating to OperationalOperational approach: approach:
Organisational StandardsOrganisational Standards
Standard 1:Standard 1: Scope of Internal Audit – Scope of Internal Audit – defined by the Accounting Officer in defined by the Accounting Officer in Terms Terms of Referenceof Reference which amongst others: which amongst others:
Standard 2:Standard 2: Establish Establish organisational organisational independenceindependence and embrace the risk and embrace the risk management control and governance management control and governance processes of the organisation including processes of the organisation including all all its operations, resources, services and its operations, resources, services and responsibilities for other bodiesresponsibilities for other bodies
Establish internal audit’s Establish internal audit’s right of accessright of access to to all records, assets personnel and premises all records, assets personnel and premises and its authority to obtain such information and its authority to obtain such information as it considers necessary to fulfil its as it considers necessary to fulfil its responsibilitiesresponsibilities
An Accounting Officer is charged with An Accounting Officer is charged with organising internal audit in accordance with organising internal audit in accordance with the objectives, standards and practices set the objectives, standards and practices set out in out in GIASGIAS . .
The HIA should be of appropriate grade or The HIA should be of appropriate grade or status, have wide experience of internal status, have wide experience of internal audit and management, and must meet the audit and management, and must meet the Government Internal Audit Standard and the Government Internal Audit Standard and the Senior Staff standard as set down in Senior Staff standard as set down in GIASGIAS . .
8. The HIA is responsible to the 8. The HIA is responsible to the Accounting Officer, but normally Accounting Officer, but normally reports to reports to the Principalthe Principal Finance Finance Officer and the audit committee. In Officer and the audit committee. In all cases, all cases, the Head of Internal the Head of Internal Audit has the right of direct access Audit has the right of direct access to the Accounting Officer.to the Accounting Officer.
Standard 3: Audit CommitteesStandard 3: Audit Committees
Accounting Officer is required to establish Accounting Officer is required to establish an Audit Committee to:an Audit Committee to:
Advise him on the skills, competence, TORs Advise him on the skills, competence, TORs effectiveness and resourcing of Internal effectiveness and resourcing of Internal Audit including planning, reporting, quality, Audit including planning, reporting, quality, relationships with management and external relationships with management and external audit and the adequacy of management’s audit and the adequacy of management’s responses to audit reportsresponses to audit reports
Head of Audit’s Relationship Head of Audit’s Relationship
The Head of Internal Audit should attend The Head of Internal Audit should attend Audit Committee meetings Audit Committee meetings
The Head of Internal Audit should have a The Head of Internal Audit should have a right of access to the Chair of the Audit right of access to the Chair of the Audit Committee to discuss ant issues they wish Committee to discuss ant issues they wish to raiseto raise
Standard 4: Relationships with Standard 4: Relationships with Management, other Auditors and Management, other Auditors and
other Review Bodiesother Review Bodies Relations with Management – emphasis on Relations with Management – emphasis on
service to management – service to management – mutual trustmutual trust – – added valueadded value – without compromising – without compromising responsibilities to the Accounting Officerresponsibilities to the Accounting Officer
Relations with other Internal Auditors – inter Relations with other Internal Auditors – inter departmental co-operation – reliance on departmental co-operation – reliance on other’s work – Accounting Officer other’s work – Accounting Officer endorsementendorsement
Relationships with External Auditors - Relationships with External Auditors - regular meetings – techniques` and regular meetings – techniques` and methodologies – reliance by external audit methodologies – reliance by external audit on the work of internal auditon the work of internal audit
Relationships with other review bodies – Relationships with other review bodies – management inspection, compliance teams, management inspection, compliance teams, liasion and quality assurance in order to liasion and quality assurance in order to place relianceplace reliance
The Head of Internal Audit should establish The Head of Internal Audit should establish a means to gain an overview of other a means to gain an overview of other assurance providers’ work and if appropriate assurance providers’ work and if appropriate report to the Accounting Officerreport to the Accounting Officer
Standard 5: Staffing Training and Standard 5: Staffing Training and DevelopmentDevelopment
Internal audit should be appropriately Internal audit should be appropriately staffed in terms of numbers, grades and staffed in terms of numbers, grades and experience, having regard to its objectives experience, having regard to its objectives and standards. Internal auditors must be and standards. Internal auditors must be properly trained to fulfil their properly trained to fulfil their responsibilities.responsibilities.
Government Internal Audit Certificate Government Internal Audit Certificate (GIAC)- mandatory(GIAC)- mandatory
Continuing professional developmentContinuing professional development
Standard 6: Audit StrategyStandard 6: Audit Strategy
HIA to develop and maintain an efficient and HIA to develop and maintain an efficient and effective strategy for providing the Accounting effective strategy for providing the Accounting Officer an objective opinion on the effectiveness of Officer an objective opinion on the effectiveness of the organisation’s risk management , control and the organisation’s risk management , control and governance arrangementsgovernance arrangements
The Head of Internal Audit’s opinions are a key The Head of Internal Audit’s opinions are a key element of the framework of assurance the element of the framework of assurance the Accounting Officer needs to inform their Accounting Officer needs to inform their completion of the annual Statement of Internal completion of the annual Statement of Internal Control (SIC) Control (SIC)
Planning:Planning: internal audit work should be internal audit work should be planned at all levels of operation in order to planned at all levels of operation in order to establish priorities, achieve objectives and establish priorities, achieve objectives and ensure the efficient and effective use of ensure the efficient and effective use of audit resourcesaudit resources
Standard 7: Management of Audit Standard 7: Management of Audit AssignmentsAssignments
Assignment planning – scope, objectives Assignment planning – scope, objectives and timing – reporting linesand timing – reporting lines
Sponsors for each assignmentSponsors for each assignment Approach – objectives, risks and controls – Approach – objectives, risks and controls –
appropriateness – over/under controlappropriateness – over/under control Conclusions, report recommendations and Conclusions, report recommendations and
opinionopinion Follow – up – managements implementation Follow – up – managements implementation
of responses to audit recommendationsof responses to audit recommendations
Standard 8: Due Professional Standard 8: Due Professional CareCare
Skill that a reasonably prudent and Skill that a reasonably prudent and competent internal auditor will apply in competent internal auditor will apply in performing their dutiesperforming their duties
Due care = working with competence and` Due care = working with competence and` diligencediligence
Due professional care = the use of audit Due professional care = the use of audit skills and judgement based on appropriate skills and judgement based on appropriate experience training (including CPD) ability, experience training (including CPD) ability, integrity and objectivityintegrity and objectivity
Conduct of individual auditors – compliance Conduct of individual auditors – compliance with standard – appropriate programme of with standard – appropriate programme of quality assurance review by HIA and senior quality assurance review by HIA and senior staff staff
Standard 9: ReportingStandard 9: Reporting
Standards style and methodology set by HIAStandards style and methodology set by HIA HIA produces written report to the HIA produces written report to the
Accounting Officer timed to support the Accounting Officer timed to support the Statement of Internal Control (SIC)Statement of Internal Control (SIC)
HIA produces an annual report covering the HIA produces an annual report covering the overall opinion on the control frameworkoverall opinion on the control framework
In addition to the annual report HIA makes In addition to the annual report HIA makes arrangements for interim reporting to the arrangements for interim reporting to the Accounting Officer in the course of the yearAccounting Officer in the course of the year
Standard 10 : Quality AssuranceStandard 10 : Quality Assurance
A continuously effective level of performance A continuously effective level of performance compliant with the standards is maintainedcompliant with the standards is maintained
HIA to develop a quality assurance programme HIA to develop a quality assurance programme designed to gain assurance both by internal and designed to gain assurance both by internal and external reviewexternal review
HIA to publish an Audit Manual for managing HIA to publish an Audit Manual for managing Internal Audit and ensure that there is appropriate Internal Audit and ensure that there is appropriate supervision throughout all audit assignments supervision throughout all audit assignments
Treasury Definition of IATreasury Definition of IA
INTERNAL AUDIT IS AN INDEPENDENT AND OBJECTIVE APPRAISAL SERVICE WITHIN AN ORGANISATION:
Internal audit primarily provides an Internal audit primarily provides an independent and objective opinion to the independent and objective opinion to the Accounting Officer on risk management, Accounting Officer on risk management, control and governance, by measuring and control and governance, by measuring and evaluating their effectiveness in achieving evaluating their effectiveness in achieving the organisation’s the organisation’s agreed objectivesagreed objectives. .
In addition, internal audit’s findings and In addition, internal audit’s findings and recommendations are beneficial to line recommendations are beneficial to line management in the audited areas.management in the audited areas.
Risk management, control and governance Risk management, control and governance comprise the policies, procedures and operations comprise the policies, procedures and operations established to ensure the achievement of established to ensure the achievement of objectives, the appropriate assessment of risk, the objectives, the appropriate assessment of risk, the reliability of internal and external reporting and reliability of internal and external reporting and accountability processes, compliance with accountability processes, compliance with applicable laws and regulations, and compliance applicable laws and regulations, and compliance with the behavioural and ethical standards set for with the behavioural and ethical standards set for the organisation.the organisation.
Internal audit also provides an independent and objective Internal audit also provides an independent and objective consultancy serviceconsultancy service specifically to help line management specifically to help line management improve the organisation’s risk management, control and improve the organisation’s risk management, control and governance. The service applies the professional skills of governance. The service applies the professional skills of internal audit through a systematic and disciplined internal audit through a systematic and disciplined evaluation of the policies, procedures and operations that evaluation of the policies, procedures and operations that management put in place to ensuremanagement put in place to ensure
the achievement of the organisation’s objectives, and the achievement of the organisation’s objectives, and through recommendations for improvement. Such through recommendations for improvement. Such consultancy work contributes to the opinion which internal consultancy work contributes to the opinion which internal audit provides on risk management, control and audit provides on risk management, control and governance.governance.
WHAT IA DOESWHAT IA DOES ACCOMPLISHMENT OF ACCOMPLISHMENT OF
ESTABLISHED GOALS AND ESTABLISHED GOALS AND OBJECTIVESOBJECTIVES
COMPLIANCE WITH RELEVANT COMPLIANCE WITH RELEVANT LAWS AND REGULATIONSLAWS AND REGULATIONS
RELIABILITY AND INTEGRITY OF RELIABILITY AND INTEGRITY OF INFORMATIONINFORMATION
ECONOMIC, EFFECTIVE AND ECONOMIC, EFFECTIVE AND EFFICIENT USE OF RESOURCESEFFICIENT USE OF RESOURCES
SAFEGUARDING OF ASSETSSAFEGUARDING OF ASSETS
INTERNAL AUDIT DOES INTERNAL AUDIT DOES NOTNOT
ACT AS A POLICEMANACT AS A POLICEMAN ACT AS A SUBSTITUTE FOR ACT AS A SUBSTITUTE FOR
MANAGEMENTMANAGEMENT AUDIT END OF YEAR FINANCIAL AUDIT END OF YEAR FINANCIAL
ACCOUNTSACCOUNTS HAVE RESPONSIBILITY FOR HAVE RESPONSIBILITY FOR
EXECUTIVE FUNCTIONSEXECUTIVE FUNCTIONS INVESTIGATE FRAUDINVESTIGATE FRAUD
Who Are We Here To Serve?Who Are We Here To Serve?
The Accounting OfficerThe Accounting Officer The Management BoardThe Management Board The Audit CommitteeThe Audit Committee
Role of the Audit CommitteeRole of the Audit Committee Appointed by the BoardAppointed by the Board Helps set the “Tone at the Top”Helps set the “Tone at the Top” Reviews the assessment and Reviews the assessment and
management of riskmanagement of risk Provides independent reporting line with Provides independent reporting line with
protection for Internal Audit terms of protection for Internal Audit terms of reference and resourcesreference and resources
Evaluates Internal Audit Coverage and Evaluates Internal Audit Coverage and performanceperformance
Sets priorities for Internal AuditSets priorities for Internal Audit Agrees both long term and annual plansAgrees both long term and annual plans Review of year end Corporate Governance Review of year end Corporate Governance
statements made by managementstatements made by management Review of Corporate Risk AssessmentsReview of Corporate Risk Assessments Review of other sources of assuranceReview of other sources of assurance On going assessments of business critical On going assessments of business critical
projects (BCPs)projects (BCPs)
Internal Audit OutputsInternal Audit Outputs(Tangible)(Tangible)
Audit ReportsAudit Reports The Annual ReportThe Annual Report Strategic and Annual PlansStrategic and Annual Plans Consultancy and adviceConsultancy and advice Protection against outside criticismProtection against outside criticism
Supported BySupported By Individual Audit Reports which must:Individual Audit Reports which must: Focus on the wants and needs of the Focus on the wants and needs of the
Committee and which they can relate to Committee and which they can relate to without going into fine details.without going into fine details.
Demonstrate that the audit effort is being Demonstrate that the audit effort is being directed at the critical areas of the businessdirected at the critical areas of the business
Show added value to the organisationShow added value to the organisation Encompass awareness of current thinking Encompass awareness of current thinking
utilising the latest techniques and promoting utilising the latest techniques and promoting best practice best practice
Who are Your Reports Aimed At?Who are Your Reports Aimed At?
Line Management? - at what level?Line Management? - at what level? Accounting Officer?Accounting Officer? Audit Committee?Audit Committee? External AuditExternal Audit
March 1999March 1999 Ray HarrisRay Harris 3636
Internal Audit OutputsInternal Audit Outputs(Intangible)(Intangible)
Deterrent effectDeterrent effect Wood for the treesWood for the trees Force for the goodForce for the good
March 1999March 1999 Ray HarrisRay Harris
CORPORATEGOVERNANCE
March 1999March 1999 Ray HarrisRay Harris
BACKGROUNDBACKGROUND Public disquietPublic disquiet about BCCI, Polly Peck, Maxwell about BCCI, Polly Peck, Maxwell
Pensions and Barings BankPensions and Barings Bank 1992 1992 Cadbury CommitteeCadbury Committee code of practice relating code of practice relating
to the management and control arrrangements of to the management and control arrrangements of companiescompanies
““Rutteman Report”Rutteman Report” produced in 1994 instigated the produced in 1994 instigated the requirement for statements on internal financial requirement for statements on internal financial control, this was developed by the Hampel control, this was developed by the Hampel Committee, successor to the Cadbury CommitteeCommittee, successor to the Cadbury Committee
TreasuryTreasury introduced the requirement to introduced the requirement to departments with effect from 1 January 1998. Post departments with effect from 1 January 1998. Post TurnbullTurnbull the requirement for a statement covering the requirement for a statement covering all control has been introduced wef. 2001all control has been introduced wef. 2001
March 1999March 1999 Ray HarrisRay Harris
WHAT IS CORPORATEWHAT IS CORPORATE GOVERNANCE?GOVERNANCE?
Cadbury defined Corporate Governance Cadbury defined Corporate Governance as:as:
The way in which an organisation is The way in which an organisation is managed, and which includes the managed, and which includes the following elements:-following elements:-
March 1999March 1999 Ray HarrisRay Harris
MAIN ELEMENTS OF CORPORATE MAIN ELEMENTS OF CORPORATE GOVERNANCEGOVERNANCE
Senior management structure (board of directors Senior management structure (board of directors and audit committee)and audit committee)
Organisational structureOrganisational structure Control environmentControl environment Integrity and ethical valuesIntegrity and ethical values Commitment to competenceCommitment to competence LeadershipLeadership Management’s philosophy and operating styleManagement’s philosophy and operating style Assignment of authority and responsibilityAssignment of authority and responsibility
March 1999March 1999 Ray HarrisRay Harris
Human resource policies and practicesHuman resource policies and practices Risk assessmentRisk assessment Strategic planningStrategic planning Change managementChange management Control activitiesControl activities Financial controlFinancial control Information and communicationInformation and communication MonitoringMonitoring
March 1999March 1999 Ray HarrisRay Harris
WHAT’S NEW ?
STATEMENT OF INTERNAL CONTROL The Requirement - Treasury Requirement post Turnbull - Widening the Scope
What is Internal Control?
The achievement of objectives in four categories: The effectiveness and of operations; The reliability of internal control (including
the safeguarding of assets); Compliance with applicable laws and regulations. The economical and efficient use of resources
Role of Audit in SICRole of Audit in SIC
Statements contain the wording ‘As Statements contain the wording ‘As Accounting Officer I also have responsibility Accounting Officer I also have responsibility for reviewing the effectiveness of the system for reviewing the effectiveness of the system of internal control. My review of the of internal control. My review of the effectiveness of the system of internal effectiveness of the system of internal control control is informed by the work of the is informed by the work of the internal auditors….’internal auditors….’
March 1999March 1999 Ray HarrisRay Harris
Currently managed via five interrelated components :
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
Moving to Enterprise Risk Management which has 8 components
Enterprise Risk ManagementEnterprise Risk Management
March 1999March 1999 Ray HarrisRay Harris
1. THE CONTROL ENVIRONMENT
To ensure commitment to competence and quality
To ensure the establishment and maintenance of ethical standards and control consciousness
To ensure an appropriate organisational structure
To ensure appropriate assignment of authority, responsibility and accountability
March 1999March 1999 Ray HarrisRay Harris
2. BUSINESS RISK IDENTIFICATION AND ASSESSMENT
To ensure appropriate corporate aims, objectives and measures are in place
To ensure risks to achieving corporate objectives are identified and managed
March 1999March 1999 Ray HarrisRay Harris
WHAT IS RISK?WHAT IS RISK?
The threat of bad things happeningThe threat of bad things happening
and/orand/or
Good things not Good things not
March 1999March 1999 Ray HarrisRay Harris
RISKRISK
Risk of What?Risk of What?
People - Competence,IntegrityPeople - Competence,Integrity Planning - Should be integratedPlanning - Should be integrated ProcessesProcesses
- information and communications- information and communications
- operational and financial policies and - operational and financial policies and activities activities
- monitoring arrangements- monitoring arrangements
- supporting systems- supporting systems
March 1999March 1999 Ray HarrisRay Harris
POTENTIAL BUSINESS RISKSPOTENTIAL BUSINESS RISKS
Failure to meet our business objectivesFailure to meet our business objectives Procurement failures especially IT systemsProcurement failures especially IT systems Failure to implement new initiativesFailure to implement new initiatives Maladministration leading to criticism by Maladministration leading to criticism by
Parliamentary CommissionerParliamentary Commissioner Failure to meet improved performance following Failure to meet improved performance following
changes to organisational procedureschanges to organisational procedures Qualification of the Resource Accounts by NAOQualification of the Resource Accounts by NAO Appearance before the PACAppearance before the PAC
March 1999March 1999 Ray HarrisRay Harris
Risk Management CycleRisk Management Cycle
Identify Business RisksIdentify Business Risks
Evaluate Effectiveness of Controls
MonitorImplementation
Implement Revised Controls
Assessment of Risk
AllocateResponsibility
Identifyneed forRevised Controls
ILLUSTRATIVE RISK REGISTER ENTRYILLUSTRATIVE RISK REGISTER ENTRY RISK: REPUTATIONAL Risk owner: Director RCIAS
Risk adviser: J Sullivan Related Objective(s) ‘To be our customers’ first choice’
Risk assessment: Probability – Medium – Impact - High
Sub risks: Reduced Customer
satisfaction Poor product development Poor service delivery Poor Quality control Poor Customer care Inadequate marketing
strategy Misunderstanding
customer/stakeholder expectations
Controls in place
Clearly articulated vision and purpose Values and expected behaviours An open trusting and supportive culture Customer survey Staff training/skills Benchmarking Peer review Documented processes Policy research and development Quality control systems A robust dynamic risk management system with effective
early warning indicators
Audit comment: Overall assessment: Green = Controls in place to manage risks are reasonable Amber = Moderate gap in effectiveness Between controls in place and those required Red = Significant gap in effectiveness Between controls in place and those required
AMBER
March 1999March 1999 Ray HarrisRay Harris
3. INFORMATION AND COMMUNICATION
To ensure sufficient, reliable and relevant information is provided to the right people at the right time through appropriate communication systems
March 1999March 1999 Ray HarrisRay Harris
4. CONTROL ACTIVITIES
To ensure effective day to day control of key business functions
March 1999March 1999 Ray HarrisRay Harris
FINANCIAL CONTROL FRAMEWORK
Comprehensive budgeting system with an annual budget
Procedural review and budget agreement
Preparation of regular financial reports and outturns
Clearly defined capital investment control guidelines
Formal project management disciplines, as appropriate
March 1999March 1999 Ray HarrisRay Harris
INTERNAL CONTROLINTERNAL CONTROL
AT SENIOR LEVELAT SENIOR LEVEL
PSA, FOO returns and Stewardship ReportsPSA, FOO returns and Stewardship Reports Financial delegation provided by the Senior Financial delegation provided by the Senior
Finance OfficerFinance Officer Policy on financial mattersPolicy on financial matters Policy on fraud (inc disciplinary measures)Policy on fraud (inc disciplinary measures) IT security policyIT security policy
March 1999March 1999 Ray HarrisRay Harris
INTERNAL CONTROLINTERNAL CONTROL
AT OPERATIONAL LEVELAT OPERATIONAL LEVEL Exception ReportingException Reporting Separation of dutiesSeparation of duties Management ChecksManagement Checks Reconciliation proceduresReconciliation procedures Control Risk Self Assessment Control Risk Self Assessment Authorisation proceduresAuthorisation procedures Contractual delegationsContractual delegations
Communication of policy Backup of databases Business Recovery procedures Change control over system softwareCustomer satisfaction surveysCustomer liaison activities Effective marketing and targetingTraining and development strategy
March 1999March 1999 Ray HarrisRay Harris
5. MONITORING AND CORRECTIVE ACTION
To ensure appropriate monitoring and corrective action systems are in place: Management Board
MIS
Budget Monitoring
Stewardship Reports
Performance Reporting
Internal Audit
March 1999March 1999 Ray HarrisRay Harris
STATEMENT OF INTERNAL CONTROL
ACCOUNTING OFFICER
AUDIT COMMITTEE MANAGEMENT BOARD
INTERNAL AUDITINTERNAL ASSURANCE
OTHER STRANDS OF
ASSURANCE
ASSURANCE STATEMENTS
INCL. CONTROL ASPECTS
>>>AUDIT OPINION
ASSURANCE TEAM’S OPINION CONTROL REQUIREMENTS
March 1999March 1999 Ray HarrisRay Harris
STATEMENT OF INTERNAL CONTROL
CORPORATE GOVERNANCE
ASSURANCESTATEMENTS
GROUP STATEMENTS OF INTERNAL CONTROL
AND OTHER SOURCES OF ASSURANCE
END OF YEAR AUDIT COMMITTEE MEETING FACILITATES ACCOUNTING OFFICER’S REVIEW OF
CORPORATE GOVERNANCE ASSURANCE STATEMENTS MADE BY MANAGEMENT AND REVIEW
OF THE RISK REGISTER. HE IS INFORMED BY INTERNAL AUDIT’S INDEPENDENT OPINION ON THE
STATEMENTS AND THE RISK MANAGEMENT STRATEGY
March 1999March 1999 Ray HarrisRay Harris
Sources of AssuranceSources of Assurance Corporate Governance Assurance Corporate Governance Assurance
Statements from ManagersStatements from Managers Risk Register -Reviewed by Audit Risk Register -Reviewed by Audit
CommitteeCommittee Internal Audit opinion on Control Internal Audit opinion on Control
EnvironmentEnvironment Internal Audit opinion on Statement of Internal Audit opinion on Statement of
Internal ControlInternal Control Internal Audit opinion on Risk Internal Audit opinion on Risk
Management Management
3 KEY ISSUES3 KEY ISSUES
ProbityProbity
AccountabilityAccountability
TransparencyTransparency
OLD verus NewOLD verus New Old = ANA = 3-5 YEARSOld = ANA = 3-5 YEARS New = 1 year plan derived from risk New = 1 year plan derived from risk
registers and consultation with clientsregisters and consultation with clients Resource Accounting move from input Resource Accounting move from input
funding to output funding over a 3 year funding to output funding over a 3 year performance agreement with Departmentsperformance agreement with Departments
Modernising Government White Paper = Modernising Government White Paper = encouraging managed risk taking in order to encouraging managed risk taking in order to pull through innovation – reduction in pull through innovation – reduction in bureaucracy and red-tapebureaucracy and red-tape
Best in Class AttributesBest in Class Attributes Strategic Alignment – organisation’s value drivers and stakeholder Strategic Alignment – organisation’s value drivers and stakeholder
expectations;expectations; Defined value drivers – identify which internal audit activities create Defined value drivers – identify which internal audit activities create
most value for key stakeholder groups;most value for key stakeholder groups; Good communications – how IA contributes to the organisation’s Good communications – how IA contributes to the organisation’s
performance – clear understanding by senior management of the performance – clear understanding by senior management of the audit function;audit function;
Commitment to human capital – skill needs and resources related Commitment to human capital – skill needs and resources related to value drivers and career development progress;to value drivers and career development progress;
Strong affinity for knowledge management – capture manage and Strong affinity for knowledge management – capture manage and share internal knowledge = most valuable asset after people and share internal knowledge = most valuable asset after people and vital for long-term success;vital for long-term success;
Technology – broad and pervasive use of technology to support Technology – broad and pervasive use of technology to support process, knowledge management and data retrieval and analysis process, knowledge management and data retrieval and analysis support strong performance and consistent results.support strong performance and consistent results.
Maturity Model Gap AnalysisMaturity Model Gap Analysisfor Best in class audit functionsfor Best in class audit functions
Beginning Developing Performing High Performing Excelling
No, haven't really thought about it, too busy.
Don't see yet what it can do for me.
Done a bit of thinking, had some ideas, tried to make it work in one or two areas.
Better than we were but we didn't really follow it through with any real energy.
Think it could be useful but not sure how.
Getting to grips with this.
Did some stuff - and hey! it's working!
We copied the published, recognised model/best practice
The key areas are sorted and improving.
We've shared what we did with a peer group and we're working together to make it better next time.
We're making real progress here.
We tried the standard model then developed it into our own way and it really works for us.
We're getting pretty slick at this - other peole are coming to us to see how we do it.
Our way of doing it is published in AMS.
Everybody else says we're one of the best.
We do this all the time, review it regularly and are always looking to improve the way we do it.
People say our way is the best they've seen and we're working with many of them to help make it even better.
We've redefined the boundary here and we've been asked to publish how we do it internationally.
VisionVisionNextNextNowNow
Defining the Role of Internal Defining the Role of Internal Audit – A Government Audit – A Government PerspectivePerspective
Ray HarrisRay Harris
Managing the Managing the Business:Business:
Providing strategicProviding strategic directiondirection
Audit Policies & Audit Policies & processesprocesses
Business planning Business planning &Performance Mgt &Performance Mgt
Organisational Organisational structure and staffingstructure and staffing
Market & Market & Relationship Relationship Management:Management:
StakeholderStakeholder managementmanagement
CustomerCustomer RelationshipsRelationships
Market IntelligenceMarket Intelligence
Development Development InitiativesInitiatives
Service Delivery:Service Delivery:Operations planningOperations planning
Providing advice and Providing advice and ConsultancyConsultancy
Responding to Responding to requestsrequests
Quality ControlQuality Control
Delivery to time and Delivery to time and cost cost
Continuous Continuous improvementimprovement
Providing AssuranceProviding Assurance
Strategic review looking for:Strategic review looking for:Quick winsQuick winsLonger term development.Longer term development.
An ApproachAn Approach
An Approach - An Approach - Managing the BusinessManaging the Business
Understand the key issues - develop the strategic Understand the key issues - develop the strategic objectivesobjectives
Run as a business – challenging business plan that Run as a business – challenging business plan that is output focused is performance managed and is output focused is performance managed and takes the service forwardtakes the service forward
Maximise the resource available by matching the Maximise the resource available by matching the skill sets, use of enabling technology, flexible skill sets, use of enabling technology, flexible working patterns – reduce the office overhead, working patterns – reduce the office overhead, smarter working now and into the futuresmarter working now and into the future
Policies and processes that underpin the business Policies and processes that underpin the business model.model.
An Approach - An Approach - Market & Relationship Market & Relationship ManagementManagement
Obtain strategic alignment with organisational Obtain strategic alignment with organisational objectivesobjectives
Stakeholder management – construct a policy and Stakeholder management – construct a policy and strategy for effective management of stakeholder strategy for effective management of stakeholder expectationsexpectations
Added value service to the accounting officer, Added value service to the accounting officer, customers and stakeholders by employing a customers and stakeholders by employing a constructive partnership ethosconstructive partnership ethos
Marketing and communication strategy that ensures Marketing and communication strategy that ensures clear definition of requirements and on-going clear definition of requirements and on-going feedback and dialogue.feedback and dialogue.
An Approach - An Approach - Service DeliveryService Delivery Construct a new risk based audit strategy – Construct a new risk based audit strategy –
categories of audit - sources of assurance - audit categories of audit - sources of assurance - audit sponsors – COSO 2 frameworksponsors – COSO 2 framework
Programme construction - 6 month rolling - more Programme construction - 6 month rolling - more reactive to emerging requirementsreactive to emerging requirements
Individuals to have Strategic alignment with Individuals to have Strategic alignment with customers customers
Consistency and quality of approach across the Consistency and quality of approach across the customer base - share best practice customer base - share best practice
Reporting – format, quality, timeliness, relevance, Reporting – format, quality, timeliness, relevance, media - added valuemedia - added value
Continuous improvement driven by customer Continuous improvement driven by customer feedbackfeedback
Successful programme delivery via managing in a Successful programme delivery via managing in a Hard charging regime.Hard charging regime.
CustomerCustomerCustomerCustomer
Process ImprovementProcess ImprovementProcess ImprovementProcess Improvement
Learning and DevelopmentLearning and DevelopmentLearning and DevelopmentLearning and Development
Resource ManagementResource ManagementResource ManagementResource Management
Key Performance Results
Customer ResultsPeople ResultsSociety Results
PeoplePolicy & StrategyPartnerships & Resources
Leadership
Processes
EXTERNAL - RESULTS
INTERNAL - ENABLERS
Business ImprovementBusiness Improvement End to end process reviewEnd to end process review MarketingMarketing Knowledge ManagementKnowledge Management Quality Initiatives (ISO/EFQM)Quality Initiatives (ISO/EFQM) Technology enabledTechnology enabled
Resource ManagementResource Management Audit Plans & Performance MgtAudit Plans & Performance Mgt StaffingStaffing FacilitiesFacilities Staff ManagementStaff Management Contract SupportContract Support
Learning and InnovationLearning and Innovation Professional TrainingProfessional Training General Skills UpliftGeneral Skills Uplift Continuing Professional Continuing Professional
DevelopmentDevelopment Strategic PartneringStrategic Partnering
Service Delivery to ClientsService Delivery to Clients Programme DeliveryProgramme Delivery Product DeliveryProduct Delivery Customer & Stakeholder ManagementCustomer & Stakeholder Management
Learning and InnovationLearning and Innovation Professional TrainingProfessional Training General Skills UpliftGeneral Skills Uplift Continuing Professional DevelopmentContinuing Professional Development Strategic PartneringStrategic Partnering
Resource ManagementResource Management Audit Plans & Performance MgtAudit Plans & Performance Mgt StaffingStaffing FacilitiesFacilities Staff ManagementStaff Management Contract SupportContract Support
Service Delivery to ClientsService Delivery to Clients Programme DeliveryProgramme Delivery Product DeliveryProduct Delivery Customer & Stakeholder Customer & Stakeholder
ManagementManagement
Business ImprovementBusiness Improvement Quality Initiatives Quality Initiatives
(ISO/EFQM)(ISO/EFQM) MarketingMarketing Knowledge ManagementKnowledge Management Technology enabledTechnology enabled
Quick WinsQuick Wins Long Term DevelopmentsLong Term Developments BestBestinin
ClassClass
Defining the Role of Internal Defining the Role of Internal Audit – A Government Audit – A Government PerspectivePerspective
Ray HarrisRay Harris