Annual report to the Board on the Association’s system of internal controls for
Kingston and Wimbledon YMCA
For the period ending 31st March 2007
As reviewed by the Audit Committee at their meeting on 23rd July 2007
___________________________________________________________________
Introduction
This report is intended to help the Board review the effectiveness of the Association’s system
of internal control. Although the Association is not required (due to the number of housing
units) by regulation to undertake such a review it has determined that, as a matter of good
practice, an annual statement should continue to be prepared and presented to the Board for
their consideration.
Housing Corporation circular R2 – 25/01 requires the Board to
a) maintain a sound system of internal control which
 focuses on the significant risks, and
 provides reasonable assurance of the safeguarding of assets
b) conduct an annual review of the effectiveness of the Association’s system of internal
control. The Chief Executive or senior team are required to present an annual report
on the effectiveness of the system to assist the Board with this.
c) include a statement on internal controls in the audited financial statements which
refers to the board’s annual review.
This report is The Chief Executive’s report referred to under (b) above and has been prepared
jointly with the Finance Director.
Internal Controls – Annual Report
July 2007
1
Identification of Risks
Risk management is central to any system of internal controls. The Board has put in place a
system to identify and control risks. The main elements are;


A schedule of the key risks faced by the Association including a schedule of actions
required in order to minimise these risks. This has been reviewed during the course of
the past twelve months utilising a computer package to assist in the management of these
risks. Specific responsibility to oversee the management of risks has been delegated to a
member of the senior staff team.
Updating this by consideration of risks in new pieces of work.

The senior team report on key risks regularly to the Board. All Board reports include
a paragraph on risk management.

A procedure for Incident Reporting has been introduced, including assessing whether
the risk register needs updating following a particular incident.

Staff are issued with risk identification forms and have been provided with an overview of the key risks faced by the Association.

Departmental Plans have been approved to include the identification of departmental
risks and action required to minimise these.

An internal audit review has been undertaken in respect of risk identification and risk
management utilising interviews with a broad range of staff– this has assessed the system
as providing substantial assurance.

The Chief Executive and senior team implement the risk management decisions of the
Board. The Chief Executive has retained responsibility for the implementation of the
Association’s Risk Strategy whilst delegating responsibility for managing risk awareness
to the Director of Corporate Services.
The Board has reviewed the schedule of risks and these are included in the Association’s Risk
Map. A more detailed review, reducing the number of key risks faced by the Association
has recently been carried out which included a seminar on risk awareness.
The control environment
There is a relatively strong culture of commitment to internal control. In particular;
The organisation works within its Vision, Values, Ethos and Mission. These are clearly
communicated to staff, volunteers and partner organisations and key stakeholders. They set
the tone of the organisational culture. The Values include relationships built on integrity and
trust, development of all people in body, mind and spirit, and being forward looking and
progressive.
The Board demonstrates a lead in internal control by requiring regular reports on risks, on the
controls or actions in place to mitigate risks, and on key performance indicators. The Board
also demonstrates a lead in the values of the Association. A balance scorecard approach to
Internal Controls – Annual Report
July 2007
2
the measurement of KPIs was approved by the Board in February 2007 for introduction in the
financial year 2007/08.
The Chief Executive and senior staff team are responsible for making the values live within
the organisation and thereby for creating a culture in which there is a commitment to internal
control. In particular the senior staff team are responsible for specific key areas of control
and for the management of other staff with responsibilities for developing and/or operating
internal controls. Disregard of control procedures is treated seriously.
Our system of internal controls
The key internal controls within Kingston and Wimbledon YMCA are;
Governance
Memorandum
and Articles of
Association;
Operational
Risk
management
process:
Financial
Financial
Standing
Orders;
Board
Members’
Handbook;
An annual
budget and
operating plan
agreed before
the start of the
financial year;
Monthly
income
statements and
management
accounts;
Board member
and staff codes
of conduct;
A more
rigorous code
of conduct for
the Chief
Executive and
Senior Staff
Team;
Oversight and
scrutiny by the
Audit
Committee;
The approval
and review of a
range of
strategic
policies and
procedures;
Delegation of
approval of
non-strategic
policies to the
SST
determined
upon a risked
based
A strategic five
year plan;
Five year
financial
projections;
A five year
business plan;
Daily review of
bank balances;
Written
policies and
procedures that
are regularly
reviewed and
disseminated to
staff and
volunteers;
Procedures for
the
authorisation
of expenditure;
The issuing of
key policies
and procedures
to staff with
payslips and
the availability
of policies on
the shared
server;
Staff induction;
A Capital
Panel in order
to oversee
capital
expenditure;
External
The process of
internal audit;
External audit
reports.
Compliance
External
compliance and
regulation from
external
bodies:- The Housing
Corporation
- The Charity
Commissioners
- OFSTED
- The
Commission
for Social Care
Inspection.
- Partner Local
Authorities
- Supporting
People
Commissioning
Bodies;
- Funders
Procedures for
the control of
cash;
Procedures for
the
authorisation
of credit card
transactions.
Job
descriptions
Internal Controls – Annual Report
July 2007
3
approach;
A twelve
months
forward plan
for the Board;
Regular skills
assessment for
Board
membership;
Procedures for
the
identification
and reduction
of fraud.
and person
specifications;
Staff
recruitment,
line
management
and regular
work review
processes;
Staff training
and
development;
A child
protection
officer
accountable
directly to the
Board;
ICT back up
procedures and
disaster
recovery plans;
Site specific
emergency
procedures
manuals;
A programme
of internal
audit
undertaken on
the basis of risk
assessment.
Review of the effectiveness of controls
The Board and the senior team receive assurances that controls are operating as planned from
the following sources;
Board overview of the risk management process
Management assurances: reports from managers providing financial and operational
information.
Regular planned reviews of key operational areas – catering services, child care and
PR and Marketing;
Internal Controls – Annual Report
July 2007
4
Key Performance Indicators: reports on operational or financial areas identified as
significant to achieving the business objectives utilising a balanced scorecard
approach;
External audit management letter.
Reports from other regulators and key stakeholders.
The implementation of the YMCA National Standards.
Housing Corporation compliance reports and reports from CSCI in relation to the
Care Homes.
An assurance statement from Internal Audit.
An assurance statement from the Audit Committee.
The external auditors, the Housing Corporation and other external bodies do not have any
specific responsibility to identify shortcomings in the system of internal control, so the main
source of independent assurance is internal audit.
The following internal audits have been undertaken in the past twelve months with the
following levels of assurance provided:-
Corporate Governance/Risk
Building Maintenance
Human Resources
Investment Management
VAT and PAYE
Follow up report
Substantial
Adequate
Adequate
Adequate
Adequate
Adequate
The Internal Audit Reports have been reviewed by the Audit Committee and key
recommendations have been discussed and implementation followed through.
Kingston and Wimbledon YMCA is compliant with the Housing Corporation requirements to
combat fraud. The Board has established policies that set out the organisation’s commitment
to the highest ethical standards. These are combined with codes of conduct for both
employees and Board members, which set out detailed policies. A fraud register has been
established to maintain details of all actual or attempted fraud. Any entries on the register wil
are reviewed by the Audit Committee. All cases in excess of £5000, or which involve a
member of the Board or senior team, will be reported to the Housing Corporation. There are
procedures in place if fraud or attempted fraud is discovered. One cases of suspected fraud
investigated during the course of the year well below the £5,000 reporting threshold.
Whilst the Association has reviewed the internal controls and believe them to be adequate, it
is appreciated that further improvement will always be required. Recommendations for
improvements will be made to the Board as and when required.
Conclusion: There is sufficient evidence to confirm that adequate systems of control existed
and operated throughout the year to manage the main risks faced by Kingston and Wimbledon
YMCA and in order to achieve the charitable and operational objectives of the Association.
Internal Controls – Annual Report
July 2007
5
Kingston and Wimbledon YMCA
Board’s annual report on internal controls
The Board must make an annual statement on internal control for publication with the
accounts. The statement must include;

An acknowledgement by the Board that it is responsible for the Association’s system
of internal control and for reviewing its effectiveness;
 An explanation that the system of internal control is designed to manage rather than
eliminate the risk of failure to achieve business objectives, and can only provide
reasonable, and not absolute assurance against material misstatement or loss;
 An explanation that the process for identifying, evaluating and managing the
significant risks faced by the Association is ongoing, has been in place throughout the
year under review and up to the date of approval of the report and accounts, and is
regularly reviewed by the Board;

A summary of the process the Board has adopted in reviewing the effectiveness of the
system of internal controls;
 A summary of the main policies which the Board has established and which are
designed to provide effective internal control; and
 Information on the process the Board has adopted in addressing material internal
control aspects of any significant problems disclosed in the annual report and accounts.
Reference to regulatory concerns should also be considered if the Housing Corporation
has intervened.
A suggested draft report is attached for the Board’s consideration once it has undertaken its
review of controls.
Internal Controls – Annual Report
July 2007
6
Kingston and Wimbledon YMCA
DRAFT report on internal controls
The Board of Management has overall responsibility for establishing and maintaining the
Association’s system of internal control and for reviewing its effectiveness.
The Board recognises that no system of internal control can provide absolute assurance
against financial misstatement or loss or eliminate all risk. The system of internal controls is
designed to manage key risks and to provide reasonable assurance that planned business
objectives and outcomes are achieved. It also exists to give reasonable assurance about the
preparation and reliability of financial and operational information and the safeguarding of
the Association’s assets and interests.
The Board confirms that there is an ongoing process for identifying, evaluating and managing
the significant risks faced by the Association. This approach has operated throughout the year
under review up to and including the date of approval of the annual report and accounts.
The process adopted by the Board to review the effectiveness of the system of internal
control, together with some of the key elements of the control framework that the Board has
established includes:


Identification and evaluation of key risks: Risk Management is included as an item on
all reports considered by the Board. The Board has reviewed the risk register in the
course of the past twelve months.
Training on risk management for the Board and Senior Staff Team;

The adoption of a Strategic and Business Plan setting out strategic and operational
objectives for the period 2006 - 2010;

The continuation of a Strategic Building Review in order to ascertain the best use of
the Association’s property assets in order to meet the changing needs of our client group;

The adoption of an annual operating plan and specific departmental plans, with
progress being reviewed during the course of the year;

The operation of a comprehensive budgeting system and the regular review of
financial performance by management and by the Board;

The regular review of key performance indicators by management and the Board;

The formal appraisal by the Board of the business case for new opportunities;

The appointment of new members of the Board of Management with a range of skills
to assist in meeting the Association’s key objectives;

A scheme of delegation (reviewed during the course of the year) between the Board of
Management, the Chief Executive and Senior Staff Team;

A detailed staff training plan based upon the outcomes of Regular Work Reviews and
regulatory and operational requirements;
Internal Controls – Annual Report
July 2007
7

The development of a detailed values statements for the Senior Staff Team
establishing the culture in which the Association will be managed and extending this to
the respective departmental managers.

The appointment of a child protection officer with direct access to the Board of
Management and statutory authorities.

A framework of policies and procedures with which employees must comply. The
Board has adopted, amongst others, policies covering financial and accounting
procedures, authorisation of transactions, health and safety, protection of children and
vulnerable adults, equalities and diversity and various employment polices and
procedures, as well as a Code of Conduct for employees. A separate, more detailed Code
of Conduct has been introduced for the Chief Executive and Senior Staff Team. Detailed
reviews of these polices are carried out at regular intervals.

The delegation of operational polices to the Senior Staff Team assessed based upon
risk;


Up-to-date Criminal Record Bureau Checks for staff and Board members.
A robust process of internal audit, undertaken on the basis of risk. The Internal Audit
opinion for 2006/07 states:-
“..for the twelve months ended 31st March 2007 Kingston and Wimbledon YMCA has
adequate and effective risk management, control and governance processes to manage the
achievement of the organisation’s objectives.”
The Board confirms that there have been no regulatory concerns which have led the Housing
Corporation or other regulatory bodies to intervene, nor any significant failures of internal
controls which require disclosure in the financial statements.
Internal Controls – Annual Report
July 2007
8
Review of risk management and control environment
This section does not form part of the main report. It is part of the evidence of the review of
controls and is used to draw the conclusions in the report. It also draws attention to areas
where improvements can be made for future years.
This section has been prepared using the Charity Commission Internal Financial Controls
self-assessment checklist, the NGO Finance Charities Internal Audit checklist, the Housing
Corporation Guidance Notes on Internal Controls Assurance and the Beever and Struthers
Corporate Governance Review for Registered Social Landlords (February 2003) to identify
questions we should ask ourselves about our internal controls.
Risk management
Does your Association have a policy on risk management and associated
procedures?
The Association has a Risk Management Strategy. The main elements of the Risk
management process within the Association are: The existence of a risk register that is regularly reviewed and updated.
 The completion of a risk analysis for all new areas of work.
 The reporting of risks and controls to the Board of Management.
 Risk issues included on all Board papers.
 A full programme of internal audit based upon key risks.
 An assessment of the Association’s Risk Appetite.
 Training on risk awareness for the Board and SST.
 Details of key incidents within the Association to the audit Committee and whether
these require the Risk Register to be updated.
 The Reporting of failures in controls to the Audit Committee for review.
A review of the Association’s Risk Strategy is currently outstanding. It has been agreed that
this will be carried out once Board training has been
Action: continue review of the Risk Map and risk
Register. Bring forward the Review of the Risk
Strategy to the September meeting of the Audit
Committee
Have the main risks faced by the association been identified?
Yes. There is a risk register that has identified the key risks facing the Association. This has
recently been reviewed by the Board and SST and the number of key risks substantially
reduced. Departmental Registers are updated for new pieces of work. Details of mitigating
factors and responsibilities for the implementation of controls have been identified and are
considered by the Senior Staff Team at regular intervals.
Are the primary means of controlling these risks documented on the risk register?
Yes. –again utilising the “Just Assured” IT system.
Are the controls working and have you obtained assurance they are working?
Internal Controls – Annual Report
July 2007
9
This is achieved through management reporting to the board. It is of course impossible to say
whether all the controls are working, and some will be more effective than others. However
no major unidentified risks or control failures have come to light in the past year. Failures in
controls are reported to the Audit Committee. No failures in controls have been reported for
the period in question.
Assurance is primarily through management assurances and review of financial and other
performance indicators by the Board.
Internal Audit has now become a key tool in the provision of assurance – during the course of
the last financial year a review was undertaken to assess the awareness of risk management at
all levels within the Association – this resulted in substantial assurance being provided to the
Board.
Are the persons/committees responsible for monitoring controls clearly identified
and do they actually carry out the monitoring process?
In general the senior team members are responsible for monitoring. This is itself checked by
the requirement to report to the Audit Committee and Board. Responsibility for the
implementation of controls are clearly identified within the Risk Register. Regular reviews
are carried out by the Senior Staff Team with responsibility for co-ordinating action delegated
to the Director of Corporate Services.
Is the risk register regularly reviewed and updated during the year?
The full risk register was reviewed during the course of the past twelve months , utilising the
“Just Assured” IT based system. The Board and Senior Staff Team have recently undertaken
a substantial review – this will be considered at the July and September Audit Committee
meetings.
Does the board play an active part in ensuring it is aware of all main risks and how
they are managed?
Yes. The Board receives and considers risk reports. The Board also regularly receives copies
of publications and briefings on risk management and assurance. The Audit Committee
monitors the Risk register and the appropriateness of controls. The Board have recently
participated in a training seminar on Risk Management.
Conclusion: There is an ongoing process for identifying and managing the significant risks
faced by Kingston and Wimbledon YMCA, which is regularly reviewed by the Board. The
risk management process is effective in identifying the main risks and the controls in place to
manage them, and in monitoring whether the controls work.
Internal Controls – Annual Report
July 2007
10
Control environment
Does the Association’s culture, code of conduct, human resource policies and
performance reward systems support the business objectives and risk management
and internal control systems?
Yes. The culture is based on The Association’s Vision, Values, Ethos and Mission. These
are clearly communicated to staff through a variety of means, including monthly newsletters
and staff meetings. HR policies are under revision to more closely support the business
objectives. Staff manuals, procedures and instructions support the risk management and
control systems. Significant progress has been made in the past twelve months in order to
ensure that all policies and procedures are up to date and fit for purpose. Risk management is
starting to become embedded into the management culture – for example regular discussions
at SST meetings and Managers’ Conferences. All staff have been encouraged to engage in
the identification and management of key risks. Key policies and procedures are issued to all
members of staff, along with a staff handbook. The Staff Information and Consultation
Group receives reports on key developments within the life of the Association including the
management or risk and the opportunities provided for new developments.
Action: Continued updating of policies and procedures on a
regular basis.
Does senior management demonstrate, through its actions as well as its policies, the
necessary commitment to competence, integrity and fostering a climate of trust
within the Association?
Again broadly Yes. The Chief Executive takes a strong lead in fostering a climate of
competence, integrity and trust and the SST and indeed staff at all levels support this. In
particular the level of integrity and trust expected based upon the Association’s ethos is high.
Senior management are expected to be part of the Christian centre of the Association.
Senior management in finance and human resources are particularly responsible for ensuring
that some key internal control procedures are followed in practice. Staffing levels in both
Finance and HR are considered to be appropriate.
Are authority, responsibility and accountability defined clearly such that decisions
are made and actions taken by the appropriate people? Does the Association
communicate to staff what is expected of them and their freedom to act?
A scheme of delegation between the Board and the Chief Executive is in place. This also
includes responsibilities delegated by the Board to the Chair or in his absence one of the Vice
Chairs.
Within the senior staff team, each job description contains full details of what is expected of
the post holder and their discretion to act, and this is reinforced through line management.
Notes of line management meetings are kept and progress in meeting key objectives reviewed
at least every other month.
Policies and Procedures are communicated to all staff through the regular monthly newsletter
and additional staff input and training.
Internal Controls – Annual Report
July 2007
11
Do staff have the knowledge, skills and tools to support the achievement of the
association’s objectives?
Broadly, Yes. This is achieved through recruitment, training and line management of staff.
Recruitment is carried out through a recruitment procedure which is designed to, and does,
ensure that staff with the right competencies are recruited to particular roles. A reasonably
generous training budget is set aside to develop staff. The Regular Work Review process has
commenced and needs to become more embedded into the lifecycle of the Association. A
training and development plan has been developed, and this needs to be embedded further
into the management of the Association. Staff induction for new staff takes place regularly
with the Chief Executive attending part of every induction programme. All Line Managers
are required to successfully complete the nine-day Line Managers Training Programme. All
but two line-managers have participated on this programme and they have been scheduled to
attend in the next few months.
Action: Full implementation of the RWR process
Conclusion: The control environment is adequate. There is a culture of relationships based
on integrity and trust. Disregard of control procedures are treated seriously.
Information and communication
Do management and the Board receive timely, relevant & reliable reports on
progress against business objectives and the related risks that provide them with the
information for decision making?
Relevant financial reports are prepared and presented to the Board at every meeting. Cashflow projections are still outstanding but will be produced from September onwards.
The Board receives information in a consistent format and this has just been updated to
improve its relevance and consistency.
Key Performance Indicators are now produced utilising the Balance Score Card Method and
based upon targets set by the Board at the start of the financial year.
Action: - Cash-flow forecasts to be included in the management accounts on a monthly
basis.
Are the periodic reporting procedures, including annual reporting, effective in
communicating a balanced and understandable account of the association’s
position and prospects?
Yes – the Board have indicated that Board Reports are clear and consistent and that
appropriate reporting mechanisms are in place.
Are there established channels of communication for individuals to report suspected
breaches of laws or regulations or other improprieties?
Yes – within the Whistleblowing Policy and Staff Handbook.
Internal Controls – Annual Report
July 2007
12
Monitoring
Are there ongoing processes embedded within the business operations, which
monitor the effective application of the policies and procedures related to internal
control and risk management?
In some areas, for example controls over expenditure, there is clear and effective monitoring.
Internal Audit provides assurance in relation to the operation of key polices and procedures.
The Finance Director will undertake a co-ordinating role to ensure that compliance is
maintained.
Conclusion: information and monitoring controls exist and are adequate but can be improved
upon in the future.
Internal Controls – Annual Report
July 2007
13