Graham Cassell Presentation

Upload: surindran-subramaniam

Post on 07-Apr-2018

  • 8/6/2019 Graham Cassell Present at at Ion

    1/25

    Internal Audit

    ANNUAL REPORT AND ASSURANCE

    Graham Cassell

    Head of Internal Audit

    ECGD

  • 2/25

    INTRODUCTION

    Government Internal Audit Standards (GIAS)

    Opinion

    Assurance Frameworks

    Annual Report (planning and assignment reporting)

  • 3/25

    STANDARDS

    GIAS Standard 9

    (At least) annually: opinion.

    Adequacy and effectiveness.

    Risk Management, Governance, Control Processes.

    Issues relevant to the Statement on Internal Control (SIC).

    Compare actual activity with that planned but..

  • 4/25

    OPINION

    Opinion: positive reasonable assurance.

    Scope: sufficient work, whole of the organisation.

    Positive: confident assertion based on evidence.

    Reasonable.

    Period of time: cumulative or annual?

  • 5/25

    ASSURANCE

    Assurance framework.

    Audit Committee Handbook (consultation draft principle C5.3)

    Annual Report

    Comprehensiveness of assurances.

    Reliability and integrity of these assurances.

    Opinion: assurance is sufficient.

    Specific attention: SIC.

    Financial reporting.

    Quality of IA and EA.

    Its own effectiveness.

  • 6/25

    ASSURANCE

    Residual Risk

    Assurance Control/Risk Management

    Low

    Medium

    High

    Well controlled, although may be some efficiencies to be made. There is a need to maintain an oversight and consider efficiency improvements.

    Some weaknesses which could have an impact on the achievement of business objectives. Action is required to monitor the situation and improve control.

    Significant weaknesses which could threaten the achievement of business objectives. Prompt remedial attention from management is required.

    Significant weaknesses which could threaten the achievement of critical business objectives or lead to a PAC appearance. Urgent remedial attention from senior management is required.

  • 7/25

    STRATEGY

    Audit strategy

    The audit strategy takes into account i) the maturity of risk management in ECGD ii) the audit work on which the Board require an assurance and, iii) the need to provide a balance between fundamental assurance and value added audit and, iv) external audit and other assurance providers.

    The Audit Plan reflects ECGD's risk framework and is informed from the following sources:

    The strategic risk register - Appendix 1 demonstrates the link between ECGD's strategic risks, which are driven from the Business Plan, and the audit work we plan for the year.

    Where possible Divisional plans (PRPs) / risk registers, which reflect the business and operational risks of the department.

    The change programme and associated risk registers - Appendix 3.

    The Executive Committee - Discussions with the Accounting Officer and members of the Executive Committee.

    Time is also set aside to provide i) consultancy and advice. Consultancy is defined as a request by management for an audit of a specific area of risk/process or issue.

    Change is reviewed at two levels. Firstly by a review of the overall governance process for change management. Secondly by reviewing individual projects using one of a range of options.

    The IAA Operational plan

    Step 1: Strategic risk assessment; operational risk assessment. Define audit universe from top down (i.e. strategic / change programme) and bottom up (i.e. operational) risk profiling of the business.

    Step 2: Consider themes and prioritise. Identify themes and consider priorities.

    Step 3: Understand what is in the scope of other assurance processes (e.g. self assessment, oversight functions).

    Step 4: Flexible audit plan. Develop an internal audit plan and a proposed methodology to address the gaps and / or test the other forms of assurance.

    Other diagram labels: Change Programme / Major spend; External Audit; Legal; Other assurance; Consultation; Key control reviews; Risk based audits; Consultancy or special reviews e.g. efficiency; For example: Governance and control environment; Embedded risk management.

  • 8/25

    PERIODIC PLANS

    Area | Area of risk | Sponsor | Priority | Days | Comments | Qtr

    1. Strategy and Governance | 1.1 Board Effectiveness.

    2. Risk Management | 2.1 Follow up of Pilot Trading Fund Post Implementation Review.

    3. Operational | 3.1 Post cost plan assurance.

    4. Financial | 4.1 Reporting, Monthly Management Report and validation of performance information.

  • 9/25

    ASSIGNMENT REPORTING

    Introduction

    Internal Audit & Assurance have completed their assessment of

    Background to the review

    Objective

    Scope of the review

    Summary of approach

    Exclusion from scope

    Audit assurance and conclusion

    Our overall assurance for .. is that there...

    As a result IAA have proposed a number of recommendations for action and we attach management's agreed actions in the Detailed Findings at Section 2 of this report.

    On the basis of the work performed within this review, we found that:

    The risks related to.

    Introduction

    Background

    Objectives and scope of the review

    Summary of approach

    Exclusion from scope

    Audit assurance and conclusion

  • 10/25

    ASSIGNMENT REPORTING

    Risk and control assessment

    Our assessment of risk before and after the consideration of the quality of controls is shown below.

    (1) Inherent risk is our assessment of the level of risk before consideration of any controls.

    (2) Residual risk takes into account the strength of controls based on our evaluation and testing.

    Priorities for Detailed Findings

    High Priority

    Medium Priority

    Low Priority

    Risk | Inherent risk rating (1) | Residual risk rating (2) | Finding ref.

    Ineffective or incomplete review of all contributions

    Medium | Low | -

    Medium | Low | -

    Medium | Medium | 1.1

    High | Medium | 2.1

    High | High | 2.1-2.6

    High | Medium | 2.1

    High | Medium | 3.1-3.7

    Sponsor

    Resources

    Risks

    Risk and control assessment

    Priorities for detailed findings

  • 11/25

    ASSIGNMENT REPORTING

    Finding | Risk | Recommendation | Agreed Action | Owner / Timescale | Priority

    1) Project Governance Procedures

    Finding: 1.1 The Project Board setup to manage the 2005-06 Finance year end process...

    Risk: The process does not have appropriate governance procedures leading to a lack of accountability and management

    Recommendation: 1. The Project Board

  • 12/25

    Internal Audit

    ANNUAL REPORT AND ASSURANCE

    Graham Cassell

    Head of Internal Audit

    ECGD

  • 13/25

    Internal Audit & Assurance Annual Report

    Purpose

    Purpose of this document

    The purpose of this document is to present Internal Audit's view of the adequacy and effectiveness of ECGD's risk management, internal control and governance processes for the year ended March 2006, based on the internal audit coverage in the year and progress towards implementing agreed actions from earlier periods. Internal Audit's annual report is addressed primarily to the Accounting Officer and is presented also to the Audit Committee for its consideration.

    The report is split into a number of sections:

    Overall assurance and executive summary.

    Summary conclusion and assurance.

    High level assurance by audit.

    Summary conclusions for each audit.

    Outturn against the audit plan.

    Key performance indicators.

  • 14/25

    Internal Audit & Assurance Annual Report

    Executive Summary

    Overall Assurance.

    Our overall assurance is that the system of internal control is well controlled although there may be some efficiencies to be made. There is a need to maintain an oversight and consider efficiency improvements.

    For the A audit reports issued during the year, we rated B areas as containing minor or no control weaknesses, C areas as indicating some control weaknesses and D areas as containing significant internal control issues.

    Implementation of agreed actions.

    Management responses to reports issued in the year have been positive. A actions were completed during the year. There are currently B outstanding actions (C high priority) of which D are overdue. E of these are high priority.

    Coverage - summary of audit coverage (including wider independent assurances).

    Quality Assurance

    The feedback received from on completion of each audit was positive. We received an overall score of A out of a possible B (scale one (low) to five (high)). During the year Internal Audit was subject to an independent external quality assurance review; its conclusion was.

  • 15/25

    Internal Audit & Assurance Annual Report

    Summary conclusion and assurance

    Governance

    Although the Accounting Officer has the ultimate responsibility for standards of governance, risk management and internal control, he is supported in this by the Board, the Senior Management Team and the sub-committees to whom responsibility is delegated. Internal Audit was asked to .

    Corporate Governance: Code of Good Practice.

    Management Board.

    Delegated Authorities

    Information Systems Management Forum

    Risk Management

    An assessment of ECGD's financial risk management systems in the context of.

    While ECGD's operational risk procedures .

    The latest version of the Risk Management Assessment Framework includes numerous examples of.

    The last quarterly report on operational risk to the Executive Committee shows that...

  • 16/25

    Internal Audit & Assurance Annual Report

    Summary conclusion and assurance

    Financial Management

    A review of aspects of financial management concluded that A agreed actions from this report remain outstanding .

    Internal Audit undertook a review of ECGD's financial management arrangements in preparation for a review by HM Treasury. The HM Treasury review was part of a wider review of financial management across central government. The Internal Audit review identified ..

    The transfer of ECGD's finance activity to London by March 2006 involved both the recruitment..

    HM Treasury Internal Audit conducted an audit on behalf of the HMT Payroll Consortium, of which ECGD is a member.

  • 17/25

    Internal Audit & Assurance Annual Report

    Summary conclusion and assurance

    Operational Procedures and control

    Systems

    Key elements of the Roadmap programme were launched in May 2005. Internal Audit was asked to complete a position statement on the readiness to launch the new operating framework prior to go live. After due consideration of the controls established by management and the assurance received from the key business representatives, Internal Audit ..

    As part of the follow-up work on implementation, Internal Audit was asked to undertake an operational procedures review of the new business systems affected by the implementation of the ACBS system. Overall, controls were

    Customer Charter

    Change Management

  • 18/25

    Internal Audit & Assurance Annual Report

    Summary conclusion and assurance

    Information Assurance

    The Infrastructure Division (ID) has a framework of control in place. However,

    End User Developments

    Information systems security

    File management and security.

    In April 2005, an audit of file management and security . IMPACT is a key element in improving ECGD's business efficiency and enabling a better service to its stakeholders in an environment of cost constraints. The Project

    Business Continuity Planning

    ECGD is developing a plan to counter the effects on the business of a pandemic outbreak. ECGD also has an overarching Departmental business continuity plan in place. This is supported by

  • 19/25

    Internal Audit & Assurance Annual Report

    Summary conclusion and assurance

    Fraud

    Over the last year, the Department has been .

    Anti bribery and corruption procedures.

    Fraud Risk Assessment.

    Fraud Policy Statement.

    Whistle blowing Policy.

  • 20/25

    Internal Audit & Assurance Annual Report

    Assurance for each audit

    Assignment Assurance Assignment Assurance

    1. Amber 7. Amber

    2. Yellow 8. Yellow

    3. Yellow 9. Performing

    4. Improving 10. Amber

    5. Green 11. Yellow

    6. Improving 12. Yellow

  • 21/25

    Internal Audit & Assurance Annual Report

    Summary of conclusions

    Review conclusions

    We have summarised below our conclusions from each review:

    Assignment | Published | Audit conclusion

    File Management and security | April 2005 | Overall Assurance: Amber. The audit identified a number .

    Review of Roadmap | May 2005 | Overall Assurance: Yellow. A number of reports were issued with regard to the launch of the Roadmap products. The final report issued on 10 May 2005 showed..

  • 22/25

    Internal Audit & Assurance Annual Report

    Internal Audit plan for 2005 / 2006

    Internal Audit plan for the year. The audit plan for the year to April 2006 is shown below.

    Audit title | Sponsor | Priority | Work In Progress | Report Published | Actual Days | Notes

    Financial

    Political/Legal/Reputational

    February 2006

    2

    Revised to high priority

    12

    Budget days

    Carried forward to 2006/7

    40

    10 Customer Charter M Complete

    H Reporting, MMR and validation of performance information and KPIs.

  • 23/25

    Internal Audit & Assurance Annual Report

    Key performance indicators

    Reviews completed in the period.

    Status of agreed actions.

    Client satisfaction.

    Etc.

  • 24/25

    KEY POINTS

    Customer expectations.

    Assurance framework.

    Holistic approach.

    Paint a picture - key messages back and forward looking?

    Be positive.

    Keep it simple.

    House style.

  • 25/25

    FINAL THOUGHTS

    How do we stay fleet of foot and make sure the assurance is relevant to today's challenges?

    How do we ensure we add value by providing an assurance against new or emerging standards?

    What is unique about Internal Audit (independence aside)? How do we position internal audit assurance alongside other assurance providers?

    Do the Standards require updating to reflect a more dynamic environment?