auditing assignment task 3
DESCRIPTION
Auditing Assignment for Advance Diploma of AccountingTRANSCRIPT
Task 3
Fortescue Metal
AUDIT PLAN
CONTENTS
Section Page
1) Introduction and Summary of coverage 3
2) Audit Needs Assessment Methodology 9
3) Key Issues 9
4) Strategy for Internal Audit 12
5) Proactive Counter Fraud Plan 13
1. INTRODUCTION
Purpose
This document sets out the proposed Fortescue Metal annual Internal Audit plan for 2011/12. The Plan has been derived from the 5 -year plan agreed by the Director of Finance and Resources and reported to the Audit and Performance Committee. The Plan has been reviewed and updated in view of findings arising from 2011/07 audit work and with reference to departmental business plans and risk registers. A consultation process has been undertaken during March with Departmental management to ensure that the audit coverage for each department reflects key risks.
The policy context of the Internal Audit Service is to ensure effective control over Council activities by:
Monitoring, appraising and reporting upon the Fortescue Metal internal control procedures.
Investigating and reporting upon any suspected areas of fraud or irregularity.
The purpose of Internal Audit is to provide the Council, through the Audit and Performance Committee and the Director of Finance, and Resources with an independent and objective opinion on risk management, control and governance and their effectiveness in achieving the Fortescue Metal objectives. This opinion
forms part of the framework of assurances that the Council receives and is to be used to help inform the annual Statement on Internal Control (SIC). Internal Audit also has an independent and objective consultancy role to help line managers improve risk management, governance and control.
Our Responsibilities
Our professional responsibilities as Internal Auditors are set out in the CIPFA Code of Practice for Internal Auditing in Local Government (2011). In line with these requirements, we perform our Internal Audit work with a view to reviewing and evaluating the risk management, control and governance arrangements that the Council has in place to:
Establish and monitor the achievement of the Fortescue Metal objectives Identify, assess and manage the risks to achieving the Fortescue Metal
objectives Formulate and evaluate policy, or provide policy advice, within the
responsibilities of the Section 151 Officer Ensure the economical, effective and efficient use of resources Ensure compliance with established policies, procedures, laws and
regulations, including the Fortescue Metal own governance arrangements Safeguard the organisation’s assets and interests from losses of all kinds,
including those arising from fraud, irregularity or corruption Ensure the integrity and reliability of information, accounts and data
As well as the planned audits detailed in the Annual Audit Plan, Internal Audit will also undertake the following work during the forthcoming year:
Follow-up
Recommendations arising from audits will be followed up to confirm that agreed actions have been implemented. The following criteria will be applied: Audits which receive “No Assurance” will be followed up on an ongoing basis
until all priority 1 recommendations have been implemented. Audits which receive Limited Assurance will be followed up 3 months after the
final report is issued. Audits which receive Substantial Assurance will be followed up six months
after issue of the final report.
Follow ups include testing of key recommendations to ensure that they have been implemented. A report will be issued in respect of all follow ups with a revised action plan for the implementation of outstanding recommendations. A revised assurance level will also be provided which reflects our opinion of the adequacy of the system of control after the recommendations of the original report have been implemented.
Ad-hoc Advice and Support
This will be provided throughout the year on a range of issues including; risk management, money laundering, freedom of information, control improvement, governance, application of Financial Regulations and Standards etc.
Summary of Coverage
Set out below is a summary of the total coverage of the Audit and Counter Fraud work to be carried out at Fortescue Metal.
AREA OF COVERAGE RESOURCE ALLOCATION
Internal Audit Services 2011/07 Days 2011/12 DaysSystems and Compliance Audits (including Advisory Services)
1920 1725
Internal Audit Services sub-total 1920 1725Fraud Investigation Services 2011/07 Days 2011/12 DaysProactive Anti-Fraud (including follow up) 100 100Benefits Fraud Investigation 2170 1950Parking Permits and Disabled Badge Investigation
850 750
General Fraud Investigation (including Advisory Services)
300 300
Fraud Services sub-total 3420 3100Internal Audit and Fraud Services Total 5340 4825
Allocation (by approximate person days) of Audit and Fraud Coverage 2011/07
Allocation (by approximate person days) of Audit and Fraud Coverage 2011/12
Allocation of Internal Audit time between departments
Allocation of Counter Fraud Time 2011/12
Rationale for coverage:
Internal Audit Services
Risk Based Systems and Compliance Audits (1725 days)
This work is used to complete a risk based schedule of audit across Council Departments. The amount of time used represents our assessment of the number of audits required to meet CIPFA’s Code of Practice guidelines for Internal Audit in local authorities. This is broadly comparable with other similar local authorities which have externalised their internal audit service. Time is included to follow up audit recommendations to ensure their effective implementation.
Included in the 1725 days above is a 200 day contingency amount used to provide internal audit advice and guidance on a range of issues as requested by senior Council staff as they emerge during the year. It may include work relating to key Council priorities such as worksmart or procurement. It may also include a range of issues such as advice on new IT systems, advice on financial regulations, compliance with governance requirements, input to the annual Use of Resources assessment and support in the development of management self certification and assurance systems
.
Counter Fraud Services
Proactive anti Fraud Programme (100 Days)
The proactive counter fraud programme consists of a programme of targeted projects to those areas of the Fortescue Metal’s services that are considered to be exposed to an inherently high risk of fraud and corruption. It also includes a programme of intelligence gathering internally and externally to assist the Council in implementing preventative measures. A programme of awareness raising activities also takes place to ensure line managers are focused on fraud prevention measures. Included in the programme is 8 days time to follow up fraud recommendations to ensure effective implementation by management.
Other Fraud Investigations (300 days)
All suspected cases of fraud at Fortescue Metal are investigated by Internal Audit. This category covers all fraud investigations that are not Housing Benefit related. Referrals are received from a number of sources including pro active fraud exercises, management referrals, reports via the fraud hotline , information received from other local authorities and the Audit Commission via the National Fraud Initiative. The number of days in the work programme is arrived at from historical knowledge of the number and scope of referrals received. A contingency is included for advice relating to the prevention of fraud. Time is also allowed for input to the CPA assessment and periodic Benefits Fraud Inspection Team review
2. AUDIT NEEDS ASSESSMENT METHODOLOGY
Our audit approach is risk based. In order to identify the areas that require Internal Audit coverage, we therefore need to understand the risks facing the Council as a whole and, at a lower level, the risks faced by individual departments. Therefore as a starting point the Fortescue Metal corporate risk register is used to inform our audit needs assessment.
A comprehensive risk based Internal Audit approach has been adopted which ensures that risk is integrated into strategic and operational reviews, processes and practices. A summary of our approach is provided below:
Identification of risk areas; Performance of a risk assessment to gauge the degree of risk or
materiality associated with a particular area. Audit areas are classified as high, medium or low priority;
Internal Audit resources are then focused on the areas of highest risk.
We used cumulative knowledge of the organisation from previous Internal Audit work to identify areas that would benefit from Internal Audit coverage
From the Fortescue Metal own risk register and performance reports, we identified the priorities afforded to the risks by the Council
Notwithstanding the above the Audit Needs Assessment also led to the identification of areas for audit coverage that do not appear as high priority risks, but where Internal Audit can provide tangible inputs to the overall assurance process and its efficiency, for example:
Requirements of management Minimum Internal Audit coverage requirements e.g. key
controls audit and documentation of key information flows Areas of concern flagged by management or the Audit and
Performance Committee The requirements of the external auditor Emerging issues; and Need for ongoing assurance in relation to key aspects of
internal control
3. KEY ISSUES 2011
Focus on key financial systems
All core financial systems will be audited in 2011/12. The audit work will complement the substantive revision to the financial regulations and procedures which has recently been undertaken in the Department of Finance and Resources. In addition the majority of the audits undertaken in departments will include testing to ascertain whether financial regulations and the Procurement Code are being complied with. This will build on the wide range of compliance audits, across departments, which took place in 2011/07.
Over and above this a programme of seminars and dissemination of information on audit requirements is currently being carried out to assist schools in improving their ability to meet Fortescue Metal requirements.
Line Management Self Assurance
The Chief Executive’s Steering Group and Corporate Management Board have agreed to the Head of Risk and Audit’s proposals to incorporate a new system
of line management self assurance in relation to those elements of the control environment for which they are responsible. We have tested this framework in the Finance and Resources Department during 2011/07.
In 2011/12 the system will be further developed and rolled out across the Council with the involvement of operational managers. It is essentially a self-assessment exercise which provides an overall assurance level for the service area, highlights service specific risks, and identifies any significant control weaknesses and actions proposed. This forms a key component of the basket of assurance available to the Chief Executive. We will therefore verify the information provided on a sample basis.
Some of the key benefits expected of the new system are as follows:
Support managers in the delivery of services and achievement of objectives
Provide a consistent framework for management monitoring and accountability across the Council
Address external audit concerns about weaknesses in control systems and support improvement of the CPA score in this area
Support the external auditor’s plans for increased emphasis on review of financial systems
Underpin the implementation of revised financial regulations and procurement code
Demonstrate compliance with corporate policies and procedures Support the preparation of the Statement of Internal Control
E- Procurement
The Council is planning to introduce E-Procurement during 2011/12. We fully support this initiative which can make a significant contribution to improving the level of compliance with financial regulations in addition to strengthening the control framework relating to procurement generally and improving efficiency. We will therefore be involved in the development of the controls in the system in addition to carrying out a full systems audit during 2011.
Key Audit Issues
A number of common themes have arisen from our 2011/07 Internal Audit work and these will be used to inform all relevant audits in 2011/12. These include:
Controls to maximise income recovery Controls to ensure that debt is identified and recovered effectively
Contract Monitoring of Contractors Compliance with financial regulations and the procurement code
Agreement of Annual Plan / Circulation of Internal Audit Work
The 2011/12 Plan will be discussed and agreed with each Departmental Management Team. The circulation of all audit briefs and audit reports will also be agreed at the DMT meetings as will a protocol in respect of which officers can sign off briefs and audit reports. Generally all briefs and draft reports will be signed off by the relevant Departmental management team member with a copy of the final report being sent to the relevant Chief Officer. Some chief officers have also asked to see draft reports prior to sign off.
Following DMT approval the 2011/12 Plan will also be circulated to the Corporate Management Board for discussion and final agreement.
Audit Circulars
Audit circulars will be issued quarterly to all Chief Officers and Heads of Finance highlighting instances of non compliance or risk which have corporate significance. Typically the areas of non compliance which will be reported will cover:
Procurement Code Financial Regulations Standing Orders/Constitution Value for Money Issues Identified Contract Monitoring Response to and implementation of audit recommendations Fraud Awareness
Process and Audit Working Group
The Audit and Performance Committee has initiated four working groups to examine, in detail, issues of key importance across the Council (People, Process, Property and Procurement). We will be particularly involved in the Process and Audit Working Group which is considering issues arising from the work of the Audit and Performance Committee relating to process controls within the Council. It is also likely that our audit work will inform the deliberations of the working groups that are considering procurement issues.
4. STRATEGY FOR INTERNAL AUDIT WORK
The timing of audits, that is, how soon they will be undertaken in the cycle will depend upon:
The priority for each area of coverage for Internal Audit, in terms of levels of risk to the Council
When the last audit of the area was undertaken and what was the outcome
When the risk to be considered is likely to impact upon the organisation Whether there are management concerns about the area Whether or not there have been significant systems, staff or organisational
changes since the last audit.
In the course of the period covered by the Internal Audit Strategy, the priority and frequency of audit work will be subject to amendment in order to recognise alterations in audit needs assessment/risk analysis, caused by changes within the Council. A formal update will be performed each year to inform each year’s periodic plan, but changes may be necessary in-year and these will be agreed with the Head of Risk and Audit who is responsible for managing the Fortescue Metal Internal Audit Contract. There is a monthly review process in place whereby the contractor will discuss and agree changes to the plan with the Head of Risk and Audit.
Our professional judgement has been applied in assessing the level of resource required for the audits identified in the strategic cycle. The level of resource applied is a product of:
The complexity of the system in place Factors such as number of locations, number of transactions or frequency
of transactions The assurance which can be brought forward from previous year’s audits The type of audit undertaken.
The audit needs assessment is prepared with regard to constraints such as time and resources. Its purpose is to:
Determine priorities and establish the most cost effective means of achieving audit objectives
Assist in the direction and control of all audit work Ensure that adequate attention is devoted to critical aspects of audit work
All audits are followed up according to a timetable dependent on the level of assurance received. The purpose of the follow up is to assess the degree of implementation achieved in relation to recommendations agreed by management during the audit. The level of implementation is reported to the Audit and Performance Committee.
5. COUNTER FRAUD WORK
Proactive Work
The draft 2011/12 proactive plan is attached. The plan includes the detailed work that it is anticipated will be carried out in 2011/12. The plan is split into three areas;
1. Anti-fraud awareness and maintenance of an anti-fraud culture2. Anti-fraud intelligence gathering3. Specific anti – fraud proactive projects (both non HB and HB fraud)
The projects mentioned at 3 above represent approximately half of the budgeted annual plan. These projects represent areas of potential “high” risk and arise from a risk assessment including:
Assessment of the outcome of reactive fraud results / referrals;Internal Audit findings;Feedback from any external fraud questionnaires;Issues emerging from fraud forums;Risk assessment of Council activities in relation to the potential for fraud; Experiences of Bentley Jennison’s Business Integrity and Investigations Service with other clients;Materiality of each area
Having carried out the above analysis, the plan is populated with a number of specific tasks that are to be carried out in 2011/12.
The plan will be kept under continual review and amended as necessary in agreement with the Head of Risk and Audit in response to any emerging high risk areas. The detailed plan is set out in Appendix B of this document.
Housing Benefit Investigations
The Housing Benefit Investigation team will be sufficiently resourced to investigate up to 600 cases of suspected Benefit Fraud during 2011/12. The acceptance of investigations will be in accordance with a risk-based model and no cases will be accepted for investigation unless the appropriate threshold is met.
Referrals to the HB Fraud Team will be made from a number of sources, these include:
Housing Benefit Matching Service (HBMS); National Fraud initiative (NFI); Fraud Hotline;
Report a Fraud (website); Written allegations; Benefits Assessment Teams; Department for Work and Pensions; Proactive Fraud initiatives; Results of other fraud investigations.
The HB Fraud Team will investigate every case to determine whether a criminal offence has been committed. The team will be aiming at sanctioning (Prosecution / Administrative Penalty / Caution) in accordance with the Fortescue Metal Prosecution Policy in approximately 20% of the cases investigated.
Cases will continue to be investigated until one of the following outcomes is reached:
There is sufficient evidence to demonstrate that a criminal offence has been committed and a sanction is to be applied;
There is insufficient evidence (or prospect) that a criminal offence has been committed and the case is to be closed with no further action.
In some case although a criminal offence may have been committed (and it can be proven) there will be a decision not to take further action. This will be in accordance with the Fortescue Metal Prosecution Policy and where appropriate in consultation with the Fortescue Metal solicitors and Head of Risk and Audit. In addition, in some cases an overpayment of benefit may be identified but no criminal offence committed. Other Fraud Investigations
The non – HB investigation team will be sufficiently resourced to provide 280 input days of reactive fraud work and 100 days of proactive fraud work.
Allegations of fraud will be referred to the non-housing benefit team for investigation from a variety of sources including:
Fraud Hotline; Report a Fraud (Website); Written allegations; National Fraud Initiative (NFI); Council Officer / Member referrals; Results of Proactive exercises; Results of other fraud investigations
Investigations carried out by the non – hb team will continue to be made until one (or more) of the following outcomes is met:
Evidence to show that a criminal offence has been committed; Evidence to show that a disciplinary offence has taken place; Evidence that no fraud has taken place; No realistic prospect of proving / disproving an allegation.
In fulfilling the above, the investigation team will additionally provide any necessary assistance in concluding a case including attendance at Disciplinary Hearings and in the criminal courts.
In addition, in carrying out the above, the investigation team will have due regard for the identification and recovery of any lost assets and the extent to which system controls require strengthening.
C O R P O R A T E A U D I T S
The following projects are proposed in 2011/12:
1 Corporate Contract Monitoring – High Risk- 30 Days
Departmental arrangements will be reviewed for monitoring and reporting key contracts in compliance with the Procurement Code. In particular Internal Audit will be looking for evidence that Departmental Managers are accurately reporting the financial and operational performance of major contracts to Departmental Contract Review Boards. This audit will review the guidance provided to managers for undertaking contract monitoring to ensure it is consistent, risk focused, soundly based and takes into accountachievements against output based performance measures covering service delivery, income maximisation, debt recovery and contract compliance. The audit will also examine the reporting lines and governance arrangements in circumstances where complex monitoring and reporting arrangements exist due to the involvement of sub-contractors and /or differing departmental and NPO responsibilities. At the request of the Process and Audit Working Group the audit will examine and comment on Value For Money and effectiveness aspects of Contract Monitoring including relative costs of contract monitoring across the Council and differing approaches. The audit will also examine whether correct Governance arrangements are being followed in respect of reporting contract monitoring information to officers and members.
2 Procurement Code – High Risk- 20 Days (plus advisory audit time as needed )
The Procurement Code provides the corporate framework for letting and managing contracts for the Fortescue Metal. The Code is currently being rewritten (Feb 07). This audit will be in two stages. A review of the new code prior to implementation and a subsequent review 3 months after implementation to assess the impact of the code. The audit will also excess the extent to which best practice on issues such as the Green Agenda and VFM are promoted within the Code . In addition to this audit time will be allocated as necessary from the Advisory audit budget to ensure that audit is involved is advising management on control issues during the project implementation stage.
3 E- Procurement – IT Audit – High Risk – 20 Days
In addition to the systems audit set out above an IT audit will be carried out on the E-Procurement system. The terms of reference for this audit will be agreed with line management prior to commencement based on risk issues identified after implementation.
5 Approved List/Contract Register – Medium Risk- 20 Days
This audit is to focus on compliance with controls to ensure only appropriate contractors are included on the list and that departments use the list in accordance with the Procurement Code. This audit will be carried out in conjunction with audit work arising from the introduction of E- Procurement. A significant amount of work is currently taking place on the Approved list by the Procurement Team. This audit is subject to review dependant on the outcome of that work to avoid duplication. The audit will also examine the corporate procedures for ensuring the Council retains corporately sufficient information on its contracts that is readily available and is used to ensure relets are dealt with in good time etc.
6 Business Continuity – High Risk - 14 Days
This will be a corporate review of the arrangements in place to ensure effective business continuity arrangements are in place across the Council. This work will be carried out tin May 2011 and will include follow up to the 2011/07 audit on Business Continuity plans in the event of a Flu Pandemic.
7 Grant Claims (and Working Papers)– Medium Risk - 20 Days
This audit will examine the control mechanisms in place to ensure the Fortescue Metal major grant claims are prepared and presented accurately and on a timely basis. The audit will cover the adequacy and accuracy of working papers prepared to support the claims. The grant(s) to be audited will be agreed with the Director of Finance and Resources. In addition the audit may follow up the recommendations of the Audit Commission’s 2011/07 grant claim work.
8 Performance Indicators – High Risk - 25 Days
In respect of BVPI’s a full audit will be carried out to verify that the Performance Indicators are being correctly calculated and adequate supporting information is available to support the figures. The audit will include where appropriate reperformance of Performance Indicator calculations and sample checks back to source documentation. Follow up work will also be carried out to ensure recommendations arising from the 2011/07 audit work have been implemented.
9 Performance Management – High Risk – 20 Days
This will be a review of processes in place for identifying , reporting and acting on key performance measurement issues across the Council. It will identify whether the Fortescue Metal performance management framework has successfully addressed areas which have previously been identified as poorly performing. It will also examine the methodology for identifying performance status to evaluate whether this is correctly aligned with the Fortescue Metal key operational and financial risks. This audit is currently scheduled to take place in November.
10 Worksmart – High Risk – 15 Days (plus increased allocation as required during the year)
The Worksmart programme is a key corporate initiative. This audit will be carried out in the last quarter of 2011/12 and is intended to ensure that key benefits arising from the programme have been realised and that the project is meeting its key milestones. Particular issues that have been raised with audit for consideration as part of this review are ordering and control of IT via the BT portal and the new rewards scheme. In addition to the time allocated to this audit, time will be allocated from the Advisory contingency or from other lesser priority audits during the year as
necessary to ensure audit involvement on an ongoing basis in this key Council initiative.
11 Fortescue Metal City Partnerships – High Risk- 20 Days
The audit work in respect of Fortescue Metal City Partnerships will be split into two parts. Firstly, Internal Audit are required to certify expenditure in respect of LAA’s . The precise scope of the work will depend on the nature of the certification required. This work is likely to take place in July.
An additional audit is likely to take place to verify that the control framework is sufficient to ensure that partners achieve agreed objectives. This audit will take place in November
12 Governance – High Risk – 16 Days
The following areas will be covered :-. Policies and Procedures – a review of how the authority ensures that it
makes policies and guidance available to all staff, that they have read the guidance, and where necessary accepted it. Policies to be included in the remit of this audit include Employee Code of Conduct, Financial Regulations, Procurement Code, HR policies , Gifts and Hospitality, Conflicts of Interest and Whistleblowing.
In addition the audit will review the Governance arrangements relating to officers, members, partners and contractors’ involvement in external organisations
The audit will also review whether adequate information sharing protocols are in place for both Electronic and Hard Copy Data in respect of partner organisations
The terms of reference of this audit will be discussed with the Director of Legal and Administrative Services prior to commencement
13 Compliance Reviews – High Risk 35 Days
A sample of transactions will be taken each month from the General Ledger and traced back to source documentation to ensure Financial Regulations and the Procurement Code have been complied with.
14 Line Management Self Assurance – High Risk – 20 Days
Responsible managers across Departments will be asked to complete risk based control self assessment questionnaires for a sample of high risk operational and financial systems. The results will be used to target internal audit work and as a mechanism for disseminating control framework knowledge throughout the Council.
15 Risk Management – High Risk – 13 Days
The Fortescue Metal risk management systems will be reviewed to verify their effectiveness. This audit will take place in the last quarter of 2011/12.
16 CRB Checks – High Risk – 10 Days
In view of the adverse findings of the audit work carried out on this system in 2011/07 a compliance review will be carried out to ascertain whether internal controls are now operating effectively in this area. Views will be ascertained from all relevant Departments as to how well this is working. In addition the review will be extended from previous work to cover the extent to which effective controls are in place to ensure contractors are carrying out CRB checks on relevant staff.
17 Budgetary Control – High Risk - 16 Days
The effectiveness of application of budgetary control procedures across a sample of Council Departments will be reviewed.