INTERNAL AUDIT STRATEGIC PLAN 2009 – 2012 MARCH 2009


EXECUTIVE SUMMARY

Report Reference in Bold.

• The purpose of the Internal Audit Strategic Plan is to determine the Northern Ireland Fire & Rescue Services’ (NIFRS) need for Internal Audit activity over a three-year period beginning in April 2009.

• A risk based approach was used. Overall systems risk was determined using a 3 fold risk based approach, specifically, systems were prioritised by examining:
  • The NIFRS Business Risk Register;
  • The Internal Audit Unit risk rating based on the importance of the system within the hierarchy of internal control in NIFRS. This assessment was based on systems knowledge and an understanding of systems linkages; and
  • Annual Management Assurance Statements signed by functional heads.

• Based on the above analysis, a scoring mechanism was developed which determined the number of audits required in the 3 year period. This represents an ‘ideal’ situation. (Appendix 3)

• Based on average available days of 100 days/auditor, to complete the work plan in its entirety, the staffing complement of the Internal Audit Unit would need to increase to 3.33 Internal Auditors. (Appendix 1)

• Given the current staffing complement of the Internal Audit Unit is 2 Internal Auditors, Appendix 2 shows an achievable work plan equating to 10 audit jobs per annum or 200 audit days.

• This plan ensures full coverage of all systems at least once in a rolling three year period.


CONTENTS

SECTION
1. INTRODUCTION
2. PLANNING
3. ASSESSMENT OF AUDIT NEEDS

APPENDICES:
APPENDIX 1 – SUMMARY OF STAFFING REQUIREMENTS
APPENDIX 2 – FOUR YEAR STRATEGIC PLAN
APPENDIX 3 – RISK ASSESSMENT AND AUDIT FREQUENCY


1. INTRODUCTION

TERMS OF REFERENCE

1.1 The Audit Committee of NIFRS is responsible for approving a system of internal audit and for ensuring that NIFRS internal audit meets the standards specified in the Government Internal Audit Manual (GIAM) and complies in all other respects with these guidelines and meets agreed levels of service.

1.2 The purpose of the Internal Audit Strategic Plan is to determine Northern Ireland Fire & Rescue Services’ (NIFRS) need for Internal Audit activity over a three-year period beginning in April 2009.

BACKGROUND

1.3 The objective of the Internal Audit Unit is to assess on behalf of the Accounting Officer, the internal control system that covers the whole range of NIFRS activities. An understanding of those activities is required in order to determine the relative risk and materiality of the systems within NIFRS, and hence determine the audit approach and estimate the resources required.

ACCOUNTING OFFICER RESPONSIBILITY

1.4 The Government Internal Audit Manual (GIAM) Section C7 details the range of audit responsibility recommended by HM Treasury. Section C7.4 states:

“The essence of an Accounting Officer’s (AO) role is a personal responsibility for the propriety and regularity of the public finances for which he or she is answerable. The AO will therefore wish to have confidence in the organisation’s systems supporting these responsibilities.”

1.5 The Chief Fire Officer, as AO for NIFRS, may therefore require an opinion on a range of controls such as those over the regularity of transactions, the accuracy of the accounts, protection against fraud, value for money, the success of the organisation in conducting its main business and the proper conduct of management and staff within their organisation and its agencies.

RISK BASED APPROACH

1.6 The Institute of Internal Auditors (United Kingdom and Ireland) have issued Standards for the Professional Practice of Internal Audit. These standards, which became effective from 1 January 2002, specify that Audit Planning should include a risk-based approach.


1.7 Specifically, Standard 2010 “Planning” states that:

“The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.”

1.8 Furthermore, Standard 2010.A1 states that:

“The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.”

ANA APPROACH

1.9 The document is divided into three sections. Section 1 outlines the approach used to derive short and long-term audit plans, while Section 2 examines the detailed process involved in risk assessing the internal control systems. Section 3 concludes on the number of days required to meet the assessed audit needs.

1.10 Appendix 1 shows the allocation of audit days to NIFRS corporate systems. Appendix 2 shows a summary of the audits to be carried out within a three-year period beginning in April 2009, and Appendix 3 contains the results of the risk analysis carried out.


2. PLANNING

STRATEGIC PLANNING APPROACH

2.1 The Internal Audit Strategic Plan is a risk focused plan derived from direct reference to the NIFRS Business Risk Register.

2.2 An Internal Audit Strategic Plan is a systematic aid to planning, the main output being a definition of all systems within the organisation. The planning process involves:
• assessing the level of risk associated with each system;
• deriving a hierarchy of areas for review through risk criticality; and
• determining resources necessary to obtain assurance on each system.

RESOURCE CONSTRAINTS

2.3 GIAM Section B3.3 requires that Audit Planning should initially be developed without regard to resource constraints. This principle has been followed in the development of Appendix 3. However, the Strategic Three-Year Plan uses the risk assessment results to prioritise the audit resources of the Internal Audit Unit.

2.4 This is calculated as follows:
• 365 working days less 104 weekend days = 261 days;
• 261 working days less 40 holidays reflecting statutory days and annual leave = 221 days;
• 221 working days less 21 days estimated annual training (including attendance at Fire Service Peer Group meetings) = 200 working days per person.

2.5 The predicted apportionment of days for the Head of Internal Audit (HIA) given an analysis of work done during previous years and additional tasks taken on by the Internal Audit Unit is shown in Table 1 overleaf.


Table 1:

AREA                                                        DAYS
1. SCHEDULED INTERNAL AUDITS                                  80
2. REVIEW OF AUDIT WORK                                       18
3. BEST VALUE REVIEWS                                         20
4. RISK MANAGEMENT                                            20
5. POST PROJECT EVALUATION (1)                                10
6. PROJECT ASSURANCE (2)                                      12
7. UNSCHEDULED AUDIT                                          20
8. STATION/DISTRICT/AREA & OTHER OPERATIONAL AUDITS (3):      20
   • Periodic review/update of pro-forma documents;
   • Collating Audit reports;
   • Review of Audit outcomes; and
   • Carrying out sample audit visits.
TOTAL                                                        200

Notes:
(1) IAU are responsible for the quality review of completed pro-forma PPEs generated by budget holders for completed business cases. Approximately 10 - 12 PPEs will be reviewed annually with a review time of ½ – 1 day per PPE.

(2) IAU has project assurance responsibility for projects such as Mobile Data

(3) IAU has full station & district audit responsibility and is working closely with the Operations Department on the Operational Assurance of Service Delivery document.

2.6 The work of the Senior Internal Auditor (SIA) reflects a different level of responsibility. The predicted work pattern given work undertaken during previous years is shown in Table 2 overleaf.


Table 2:

AREA                                                        DAYS
1. SCHEDULED INTERNAL AUDITS                                 120
2. BEST VALUE REVIEWS                                         20
3. RISK MANAGEMENT                                            20
4. UNSCHEDULED AUDIT                                          20
5. STATION/DISTRICT/AREA & OTHER OPERATIONAL AUDITS (1):      20
   • Periodic review/update of pro-forma documents;
   • Collating Audit reports;
   • Review of Audit outcomes; and
   • Carrying out sample audit visits.
TOTAL                                                        200

Notes:
(1) IAU has full station & district audit responsibility and is working closely with the Operations Department on the Operational Assurance of Service Delivery document.

2.7 The total days available for scheduled internal audit work per annum equals 200 days (80+120). Average annual audit days per auditor equals 100 days (200/2).

AUDIT RESOURCES

2.8 The typical resource allocation for an internal audit assignment is as follows:

• Preliminary Survey and Draft Terms of Reference:
This involves the initial interview process to gain an understanding of the audit area under consideration, and to draft audit objectives which will draw assurance, and to agree these with management; (2 days)

• Recording, Evaluating and Testing:
This is the main audit testing stage. It involves the design of audit tests to be carried out, the implementation of the testing strategy and compilation of results. The results are then evaluated to identify significant trends and results and this is then written up using audit templates; (12 days)

• Quality Review:
Each audit follows a predetermined series of steps, which are in line with guidance in the GIAM manual. Each audit must be reviewed by the Head of Internal Audit, and review points followed up and signed off before forwarding to management; (3 days)

• Report Writing and Managerial Discussion:
Testing results are written up in the standard Internal Audit report format. An initial draft report is issued to management. Management are then invited to comment on the main findings of the draft report and the recommendations made. Discussions will take place between management and the Head of Internal Audit to obtain an agreed final report, which is then forwarded to the Chief Fire Officer and the Audit Committee; (3 days)

Total 20 days

2.9 This compares with a typical budget of between 25 and 40 days for a similar audit in the mainstream DHSSPS, where the systems under consideration would be larger and more complex.

REPORTING

2.10 The Internal Audit Unit will submit to the Chief Fire Officer annually or more frequently as necessary:

• The Annual Audit Plan for work to be carried out in the next financial year, which is largely drawn down from the Strategic Audit Plan;

• An explanation of significant variations from previously approved plans; and

• An assurance derived from opinions on the adequacy, reliability and effectiveness of internal control in each system audited.


3. ASSESSMENT OF AUDIT NEEDS

INTRODUCTION

3.1 Audit resources required to give assurance on internal controls are determined by assessing the risk assessment of each NIFRS system and the resulting frequency with which they should be audited.

RISK ASSESSMENT IMPACT

3.2 Overall systems risk was determined using a 3 fold risk based approach. Specifically, systems were prioritised by examining:
• The NIFRS Business Risk Register;
• The Internal Audit Unit risk rating based on the importance of the system within the hierarchy of internal control in NIFRS. (This assessment was based on systems knowledge and an understanding of systems linkages); and
• Annual Management Assurance Statements signed by functional heads.

I RISK REGISTER

3.3 Risk was assessed using the existing NIFRS Business Risk Register. This document looks at key risk areas and assesses these based on likelihood and impact as assessed by functional managers.

3.4 ‘Likelihood’ assesses the probability that an outcome will occur whilst ‘Impact’ assesses the operational impact of an identified risk actually occurring.

3.5 ‘Likelihood’ is assessed on a scale of 1 – 5 with 5 indicating high likelihood and 1 indicating low likelihood based on the following scale:

Scoring    Likelihood
5          High
4          Medium
3          Medium
2          Low
1          Low

3.6 ‘Impact’ is assessed on a scale A – C with A indicating high impact and C indicating low impact based on the following scale:

Scoring    Impact
A          High
B          Medium
C          Low


3.7 Both likelihood and impact were assessed as either high, medium or low and based on this assessment, a weighted score was assigned as follows:

Likelihood    Impact    Score
High          High      100
Medium        High      80
Low           High      60
High          Medium    80
Medium        Medium    60
Low           Medium    40
High          Low       60
Medium        Low       40
Low           Low       20

3.8 Individual project risks were linked as appropriate to an audit title and assigned a weighted score by risk register section. Where a number of risks within a section linked to one audit title, an average weighted score was determined by dividing the sum of individual weighted scores by the number of risks.

II HIERARCHY IN NIFRS SYSTEM OF INTERNAL CONTROL

3.9 The Internal Audit Unit, based on systems knowledge and experience, assigned a risk rating. This risk rating was based on the importance of the system when looked at as part of the whole system of internal control.

3.10 Risk was assessed using the following scale:

• Very High Importance - 100
• High Importance - 80
• Medium Importance - 60
• Low Importance - 40
• Minimum Importance - 20

III MANAGERIAL ASSURANCE STATEMENTS

3.11 Functional heads within their Annual Assurance Statements completed in April 2007 highlighted potential concerns. These concerns were examined and an assessment made of the risk they posed to achievement of organisational goals. Risk was assessed using the following scale:

• Very High Risk - 100
• High Risk - 80
• Medium Risk - 60
• Low Risk - 40
• Minimum Risk - 20


3.12 A risk value was assigned based on the level and effect of concerns raised by managers in this exercise and this scoring can only be as complete and accurate as the information provided.

TOTAL SYSTEMS RISK

3.13 The sum of scores determined in each of the assessment approaches was analysed mathematically to target those systems identified as high risk. The frequency of an audit in the three-year period is determined as follows:

Score        Audit Frequency
0 – 180      Once every 3 years
181 – 260    Twice every 3 years
261+         Every Year

3.14 The scope for financial loss is significantly higher with regards to Payroll, Pensions, Payments, Bank & Cash (Including Imprest Accounts) and Contracts and although the risk analysis indicated an audit frequency of twice every three years, the Audit Committee has requested coverage in these areas during each year of the audit plan.

3.15 The full risk assessment and Audit Committee request is reflected in Appendix 3.

Appendix 1

3.16 This is a summary of the ‘ideal’ audit staffing requirements to audit all NIFRS systems in a comprehensive manner. The staffing requirement is divided across the main corporate systems within NIFRS.

Appendix 2

3.17 As indicated in paragraph 2.7, this plan illustrates the actual audit possible to complete in the year based on 200 audit days per annum.

Appendix 3

3.18 This is a tabular summary of the 26 systems identified within NIFRS, their weighted average risk score and suggested number of audits in a three-year cycle.