internal audit strategic plan 2009 – 2012

INTERNAL AUDIT STRATEGIC PLAN
2009 – 2012
MARCH 2009
EXECUTIVE SUMMARY
Report Reference in Bold.
§ The purpose of the Internal Audit Strategic Plan is to determine the
Northern Ireland Fire & Rescue Services’ (NIFRS) need for Internal Audit
activity over a three-year period beginning in April 2009.
§ A risk based approach was used. Overall systems risk was determined
using a 3 fold risk based approach, specifically, systems were prioritised
by examining:
  § The NIFRS Business Risk Register;
  § The Internal Audit Unit risk rating based on the importance of the
  system within the hierarchy of internal control in NIFRS. This
  assessment was based on systems knowledge and an
  understanding of systems linkages; and
  § Annual Management Assurance Statements signed by functional
  heads.
§ Based on the above analysis, a scoring mechanism was developed which
determined the number of audits required in the 3 year period. This
represents an ‘ideal’ situation. (Appendix 3)
§ Based on average available days of 100 days/auditor, to complete the
work plan in its entirety, the staffing complement of the Internal Audit Unit
would need to increase to 3.33 Internal Auditors. (Appendix 1)
§ Given the current staffing complement of the Internal Audit Unit is 2
Internal Auditors, Appendix 2 shows an achievable work plan equating to
10 audit jobs per annum or 200 audit days.
§ This plan ensures full coverage of all systems at least once in a
rolling three year period.
CONTENTS
SECTION
1. INTRODUCTION
2. PLANNING
3. ASSESSMENT OF AUDIT NEEDS
APPENDICES:
APPENDIX 1 – SUMMARY OF STAFFING REQUIREMENTS
APPENDIX 2 – FOUR YEAR STRATEGIC PLAN
APPENDIX 3 – RISK ASSESSMENT AND AUDIT FREQUENCY
1. INTRODUCTION
TERMS OF REFERENCE
1.1 The Audit Committee of NIFRS is responsible for approving a system
of internal audit and for ensuring that NIFRS internal audit meets the
standards specified in the Government Internal Audit Manual (GIAM),
complies in all other respects with these guidelines and meets
agreed levels of service.
1.2 The purpose of the Internal Audit Strategic Plan is to determine
Northern Ireland Fire & Rescue Services’ (NIFRS) need for Internal
Audit activity over a three-year period beginning in April 2009.
BACKGROUND
1.3 The objective of the Internal Audit Unit is to assess on behalf of the
Accounting Officer, the internal control system that covers the whole
range of NIFRS activities. An understanding of those activities is
required in order to determine the relative risk and materiality of the
systems within NIFRS, and hence determine the audit approach and
estimate the resources required.
ACCOUNTING OFFICER RESPONSIBILITY
1.4 The Government Internal Audit Manual (GIAM) Section C7 details the
range of audit responsibility recommended by HM Treasury. Section
C7.4 states:
“The essence of an Accounting Officer’s (AO) role is a personal
responsibility for the propriety and regularity of the public finances for
which he or she is answerable. The AO will therefore wish to have
confidence in the organisation’s systems supporting these
responsibilities.”
1.5 The Chief Fire Officer, as AO for NIFRS, may therefore require an
opinion on a range of controls such as those over the regularity of
transactions, the accuracy of the accounts, protection against fraud,
value for money, the success of the organisation in conducting its main
business and the proper conduct of management and staff within their
organisation and its agencies.
RISK BASED APPROACH
1.6 The Institute of Internal Auditors (United Kingdom and Ireland) have
issued Standards for the Professional Practice of Internal Audit. These
standards, which became effective from 1 January 2002, specify that
Audit Planning should include a risk-based approach.
1.7 Specifically, Standard 2010 “Planning” states that:
“The chief audit executive should establish risk-based plans to
determine the priorities of the internal audit activity, consistent with the
organisation’s goals.”
1.8 Furthermore, Standard 2010.A1 states that:
“The internal audit activity’s plan of engagements should be based on
a risk assessment, undertaken at least annually. The input of senior
management and the board should be considered in this process.”
ANA APPROACH
1.9 The document is divided into three sections. Section 1 outlines the
approach used to derive short and long-term audit plans, while Section
2 examines the detailed process involved in risk assessing the internal
control systems. Section 3 concludes on the number of days required
to meet the assessed audit needs.
1.10 Appendix 1 shows the allocation of audit days to NIFRS corporate
systems. Appendix 2 shows a summary of the audits to be carried out
within a three-year period beginning in April 2009, and Appendix 3
contains the results of the risk analysis carried out.
2. PLANNING
STRATEGIC PLANNING APPROACH
2.1 The Internal Audit Strategic Plan is a risk focused plan derived from
direct reference to the NIFRS Business Risk Register.
2.2 An Internal Audit Strategic Plan is a systematic aid to planning, the
main output being a definition of all systems within the organisation.
The planning process involves:
§ assessing the level of risk associated with each system;
§ deriving a hierarchy of areas for review through risk criticality; and
§ determining resources necessary to obtain assurance on each
system.
RESOURCE CONSTRAINTS
2.3 GIAM Section B3.3 requires that Audit Planning should initially be
developed without regard to resource constraints. This principle has
been followed in the development of Appendix 3. However, the
Strategic Three-Year Plan uses the risk assessment results to
prioritise the audit resources of the Internal Audit Unit.
2.4 This is calculated as follows:
§ 365 working days less 104 weekend days = 261 days;
§ 261 working days less 40 holidays reflecting statutory days and
annual leave = 221 days;
§ 221 working days less 21 days estimated annual training
(including attendance at Fire Service Peer Group meetings) = 200
working days per person.
2.5 The predicted apportionment of days for the Head of Internal Audit
(HIA) given an analysis of work done during previous years and
additional tasks taken on by the Internal Audit Unit is shown in Table 1
overleaf.
Table 1:
     AREA                                                 DAYS
1.   SCHEDULED INTERNAL AUDITS                              80
2.   REVIEW OF AUDIT WORK                                   18
3.   BEST VALUE REVIEWS                                     20
4.   RISK MANAGEMENT                                        20
5.   POST PROJECT EVALUATION (1)                            10
6.   PROJECT ASSURANCE (2)                                  12
7.   UNSCHEDULED AUDIT                                      20
8.   STATION/DISTRICT/AREA & OTHER OPERATIONAL AUDITS (3):  20
     § Periodic review/update of pro-forma documents;
     § Collating Audit reports;
     § Review of Audit outcomes; and
     § Carrying out sample audit visits.
     TOTAL                                                 200
Notes:
(1) IAU are responsible for the quality review of completed pro-forma
PPEs generated by budget holders for completed business cases.
Approximately 10 - 12 PPEs will be reviewed annually with a review
time of ½ – 1 day per PPE.
(2) IAU has project assurance responsibility for projects such as Mobile
Data
(3) IAU has full station & district audit responsibility and is working
closely with the Operations Department on the Operational
Assurance of Service Delivery document.
2.6 The work of the Senior Internal Auditor (SIA) reflects a different level
of responsibility. The predicted work pattern given work undertaken
during previous years is shown in Table 2 overleaf.
Table 2:
     AREA                                                 DAYS
1.   SCHEDULED INTERNAL AUDITS                             120
2.   BEST VALUE REVIEWS                                     20
3.   RISK MANAGEMENT                                        20
4.   UNSCHEDULED AUDIT                                      20
5.   STATION/DISTRICT/AREA & OTHER OPERATIONAL AUDITS (1):  20
     § Periodic review/update of pro-forma documents;
     § Collating Audit reports;
     § Review of Audit outcomes; and
     § Carrying out sample audit visits.
     TOTAL                                                 200
Notes:
(1) IAU has full station & district audit responsibility and is working
closely with the Operations Department on the Operational
Assurance of Service Delivery document.
2.7 The total days available for scheduled internal audit work per annum
equals 200 days (80+120). Average annual audit days per auditor
equals 100 days (200/2).
AUDIT RESOURCES
2.8 The typical resource allocation for an internal audit assignment is as
follows:
§ Preliminary Survey and Draft Terms of Reference:
This involves the initial interview process to gain an understanding
of the audit area under consideration, and to draft audit objectives
which will draw assurance, and to agree these with management;
(2 days)
§ Recording, Evaluating and Testing:
This is the main audit testing stage. It involves the design of audit
tests to be carried out, the implementation of the testing strategy
and compilation of results. The results are then evaluated to
identify significant trends and results and this is then written up
using audit templates;
(12 days)
§ Quality Review:
Each audit follows a predetermined series of steps, which are in
line with the guidance in the GIAM manual. Each audit must be
reviewed by the Head of Internal Audit, and review points followed
up and signed off before forwarding to management;
(3 days)
§ Report Writing and Managerial Discussion:
Testing results are written up in the standard Internal Audit report
format. An initial draft report is issued to management.
Management are then invited to comment on the main findings of
the draft report and the recommendations made. Discussions will
take place between management and the Head of Internal Audit to
obtain an agreed final report, which is then forwarded to the Chief
Fire Officer and the Audit Committee;
(3 days)
Total: 20 days
2.9 This compares with a typical budget of between 25 and 40 days for a
similar audit in the mainstream DHSSPS, where the systems under
consideration would be larger and more complex.
REPORTING
2.10 The Internal Audit Unit will submit to the Chief Fire Officer annually or
more frequently as necessary:
§ The Annual Audit Plan for work to be carried out in the next
financial year, which is largely drawn down from the Strategic Audit
Plan;
§ An explanation of significant variations from previously approved
plans; and
§ An assurance derived from opinions on the adequacy, reliability
and effectiveness of internal control in each system audited.
3. ASSESSMENT OF AUDIT NEEDS
INTRODUCTION
3.1 Audit resources required to give assurance on internal controls are
determined by the risk assessment of each NIFRS system
and the resulting frequency with which it should be audited.
RISK ASSESSMENT IMPACT
3.2 Overall systems risk was determined using a 3 fold risk based
approach. Specifically, systems were prioritised by examining:
§ The NIFRS Business Risk Register;
§ The Internal Audit Unit risk rating based on the importance of the
system within the hierarchy of internal control in NIFRS. (This
assessment was based on systems knowledge and an
understanding of systems linkages); and
§ Annual Management Assurance Statements signed by functional
heads.
I RISK REGISTER
3.3 Risk was assessed using the existing NIFRS Business Risk Register.
This document looks at key risk areas and assesses these based on
likelihood and impact as assessed by functional managers.
3.4 ‘Likelihood’ assesses the probability that an outcome will occur whilst
‘Impact’ assesses the operational impact of an identified risk actually
occurring.
3.5 ‘Likelihood’ is assessed on a scale of 1 – 5 with 5 indicating high
likelihood and 1 indicating low likelihood based on the following scale:
Scoring   Likelihood
5         High
4         Medium
3         Medium
2         Low
1         Low
3.6 ‘Impact’ is assessed on a scale A – C with A indicating high impact and
C indicating low impact based on the following scale:
Scoring   Impact
A         High
B         Medium
C         Low
3.7 Both likelihood and impact were assessed as either high, medium or
low and based on this assessment, a weighted score was assigned as
follows:
Likelihood   Impact   Score
High         High     100
Medium       High     80
Low          High     60
High         Medium   80
Medium       Medium   60
Low          Medium   40
High         Low      60
Medium       Low      40
Low          Low      20
3.8 Individual project risks were linked as appropriate to an audit title and
assigned a weighted score by risk register section. Where a number
of risks within a section linked to one audit title, an average weighted
score was determined by dividing the sum of individual weighted
scores by the number of risks.
II HIERARCHY IN NIFRS SYSTEM OF INTERNAL CONTROL
3.9 The Internal Audit Unit, based on systems knowledge and experience,
assigned a risk rating. This risk rating was based on the importance of
the system when looked at as part of the whole system of internal
control.
3.10 Risk was assessed using the following scale:
§ Very High Importance   100
§ High Importance        80
§ Medium Importance      60
§ Low Importance         40
§ Minimum Importance     20
III MANAGERIAL ASSURANCE STATEMENTS
3.11 Functional heads within their Annual Assurance Statements completed
in April 2007 highlighted potential concerns. These concerns were
examined and an assessment made of the risk they posed to
achievement of organisational goals. Risk was assessed using the
following scale:
§ Very High Risk   100
§ High Risk        80
§ Medium Risk      60
§ Low Risk         40
§ Minimum Risk     20
3.12 A risk value was assigned based on the level and effect of concerns
raised by managers in this exercise and this scoring can only be as
complete and accurate as the information provided.
TOTAL SYSTEMS RISK
3.13 The sum of the scores determined in each of the assessment approaches
was analysed mathematically to target those systems identified as high
risk. The frequency of an audit in the three-year period is determined
as follows:
Score       Audit Frequency
0 – 180     Once every 3 years
181 – 260   Twice every 3 years
261+        Every Year
3.14 The scope for financial loss is significantly higher with regard to
Payroll, Pensions, Payments, Bank & Cash (Including Imprest
Accounts) and Contracts and although the risk analysis indicated an
audit frequency of twice every three years, the Audit Committee has
requested coverage in these areas during each year of the audit plan.
3.15 The full risk assessment and Audit Committee request is reflected in
Appendix 3.
Appendix 1
3.16 This is a summary of the ‘ideal’ audit staffing requirements to audit all
NIFRS systems in a comprehensive manner. The staffing requirement
is divided across the main corporate systems within NIFRS.
Appendix 2
3.17 As indicated in paragraph 2.7, this plan illustrates the audit work that
can actually be completed in the year based on 200 audit days per annum.
Appendix 3
3.18 This is a tabular summary of the 26 systems identified within NIFRS,
their weighted average risk score and suggested number of audits in a
three-year cycle.