Internal Audit Risk and Assurance Samantha Buckland – Audit Manager Internal Audit
Content
• Role of IA
• Engagement – Barriers and Approach
• Risk and Assurance
• IA role in Business and H&S risk
What is our authority?
• Statutory authority through Accounts and Audit regulations
• Gives us the right to all information and explanations necessary in order to perform our duties
Objectives and Role of Internal Audit
• To provide “independent” assurance on the adequacy and effectiveness of governance, risk management and internal controls across the Council
• To investigate allegations of fraud, corruption or other lapses in control or governance arrangements
• To provide advisory work to support directorates, for example in the development of new systems or processes
• To assist the Corporate Directors to sign their Annual Governance Statement
Engagement Barriers
• Lack of understanding of IA role, for example bureaucratic, etc.
• Seen as critical, trying to ‘catch people out’, internal ‘police’, etc.
Engagement
• Approach
• Presentations at all levels to explain the role of internal audit
• Be seen as approachable and supportive
• Review of the way we approach what we do
• Making sure recommendations are pragmatic and address key risks
Risk and Assurance
• Definition of assurance
• An evidence-based statement designed to give confidence that….
• Integrate assurance
• What do we mean by integration?
• How does it work?
• Audit, Risk Management, H&S Team, Managers, Staff, etc.
IA role in Business Risk
• Risk based plan
• Assurance on the identification, evaluation and management of risks in individual audits, for example:
• Health and Safety
• Establishments
• Reports and recommendations
• Agreed management actions
• Follow-up
Five Levels of Assurance
• High - There is a sound system of control operating effectively to achieve service/system objectives. Any issues identified are minor in nature and should not prevent system/service objectives being achieved.
• Substantial - The system of control is adequate and controls are generally operating effectively. A few weaknesses in internal control and/or evidence of a level of non-compliance were noted during the audit that may put a system/service objective at risk.
• Adequate - The system of control is sufficiently sound to manage key risks. However, there were weaknesses in internal control and/or evidence of a level of non-compliance with some controls that may put system/service objectives at risk.
• Limited - Adequate controls are not in place to meet all the system/service objectives and/or controls are not being consistently applied. Certain weaknesses require immediate management attention as, if unresolved, they may result in system/service objectives not being achieved.
• No Assurance - The system of control is inadequate and controls in place are not operating effectively. The system/service is exposed to the risk of abuse, significant error or loss and/or misappropriation. This means we are unable to form a view as to whether objectives will be achieved.
Follow Ups
• We will follow up recommendations with the accountable officers after the agreed deadline date has passed to ensure that these have been implemented. The follow-up process varies according to the risk rating applied to the agreed recommendation:
• High - We will contact the accountable manager and make arrangements to undertake sample testing to verify implementation of the agreed recommendation
• Medium - We will contact the accountable manager and ask them to provide evidence that the agreed recommendation has been implemented
• Low - We will contact the accountable manager to request assurance that the recommendation has been implemented
• Recommendations both implemented and overdue for implementation will be reported to the Corporate Management Team and the Governance and Audit Committee on a quarterly basis.
• Where recommendations are overdue, officers may be required to provide an explanation.
Questions?
• For further information please contact:
• Samantha Buckland
• (01622) 694611
• firstname.lastname@example.org