The Planning Process
Strategic and Tactical Plans
Our service is based upon a three year rolling risk based plan. The annual Tactical Plan is derived from the Strategic Plan in terms of the planned assignments to be undertaken during the year. The planning process is explained below.
Audit Universe
The Audit Universe or Audit Environment is, essentially, a risk-based database of each of the various risk areas which are subject to audit. The Audit Universe is reviewed in January or February of each year in order to allow for the production of an agreed Annual Tactical Plan before the commencement of the new financial year. This review, in conjunction with Service Directors and Senior Management, attempts to ensure that all of the Council’s activities are identified.
Risk Prioritisation
Each of the auditable activities identified within the Audit Universe is scored against various risk factors, including: materiality; system complexity and the time since the previous audit. In addition, we ask each Service Director to consider the risks and impact applicable to each activity and provide scores to reflect these.
At the end of the above risk scoring prioritisation process, the various activities are categorised into different risk groups dependant on their score. It is then ensured that all of the activities within the “high” risk group are included within the Annual Plan.
Audit Process
The service we will provide to you as Service Director/ Client Officer:
Our approach is always to work closely with our clients, thus ensuring that we focus on issues that are important to the Council. To this end, we will aim to deliver the following service:
Strategic & Annual Planning
- We will meet with Service Directors each year in order to discuss the Audit Universe, as part of the Risk Prioritisation Process.
Assignment Planning
- At the start of the quarter in which the audit is scheduled to take place, we will contact the Service Director in order to remind them that the audit is scheduled to take place.
- Prior to the audit taking place we will contact the Service Director or Client Officer in order to identify the most appropriate timing for the audit to take place for both parties.
- We will produce terms of reference and scope that are agreed with the Service Director or Client Officer in order to reflect the key issues of risk for the area under review.
Fieldwork
- We will endeavour to provide a professional; and independent service that complies with standards of professional bodies and adheres to our procedures manual.
- We will undertake the work to meet the agreed terms of reference.
- We will endeavour to ensure that we cause the minimum of disruption to your work environment during the fieldwork.
- We will provide you with ongoing progress reporting during the review and will meet with you at the conclusion of this phase to discuss the major findings of the fieldwork.
Reporting
- We will issue a draft report to the Client Officer which will be based upon the feedback provided to you at the end of the audit. We will offer an opportunity for you to respond to the draft within the mutually agreed timescale, correct any inaccuracies therein and provide an Action Plan addressing any areas of concern identified. It is intended that the report will be balanced and constructive with recognition of areas of good practice identified during the review. It will also categorise the report findings using Prioritisation Classifications which will provide an indication of the severity of any concerns identified.
- We will issue a final report to the Service Director, enclosing the agreed Action Plan, and notifying the date of the Audit & Scrutiny Committee when the report summary will be presented.
Other
- After each audit, we will issue a Client Satisfaction Questionnaire in order that you can provide feedback directly to the Head of Internal Audit & Risk Management regarding the service you received.
- We will undertake a follow-up review approximately six months after the audit in order to ensure that the agreed actions have been implemented.
- Outwith the planned programme of audits, we will be available to provide guidance and advice regarding internal controls.
What we need from you:
Strategic & Annual Planning
- We will require access to meet each Service Director each year in order to discuss the Audit Universe and obtain their perception of the risks therein.
- We will need each Service Director to notify the relevant staff within their Service of the audits which are scheduled for review, following the annual planning process and following the notification of the audits to be undertaken each quarter.
Assignment Planning
- We will need the relevant Client Officer to be available in order to assist in planning and scoping the audit review and to identify the key staff involved.
Fieldwork
We will require access to relevant staff, policies, records and assets during the review. We will also require a space to work although we accept that this may be limited.
We will endeavour to work in a manner which causes minimal disruption to the work environment.
We will need the Client Officer to be available after the fieldwork is complete in order that we can discuss the findings of our work and record any response for inclusion within the draft report.
We will need the audit to be conducted in a spirit of openness and accountability.
Reporting
- Upon issuing the draft report we will agree a timescale with the Client Officer in which to respond. We would ask that this timescale is observed in order that the report can be issued at the earliest opportunity.
- We will ask Client Officers to complete an Action Plan within the response to the draft report. The proposed Action Plan should be agreed with the Service Director and should detail the target date for the implementation of the action and the job title of the responsible officer.
Other
- We would ask that the Client Officer completes the Client Satisfaction Questionnaire and returns this to the Head of Internal Audit & Risk Management in order that we can evaluate and benchmark our service and learn of any areas where we can improve.
- We would ask that all Agreed Actions are completed in accordance with the target dates set out within the Action Plans. We will need the Client Officer to confirm this when we follow-up the audit review. If a decision is taken not to implement an agreed action, we will need formal confirmation of this.
- Outwith the planned programme of audits we would ask that you contact us with regard to the following:
- When you require risk or control advice.
- When you are introducing a new system.
- When any fraud or irregularity is suspected
Quality Assurance
Standards
The Internal Audit Section’s work will be performed with due professional care and in accordance with the Chartered Institute of Public Finance & Accountancy’s Code of Practice for Internal Audit in Local Government in the United Kingdom and the Professional Practice of Internal Auditing, published by the Institute of Internal Auditors.
The Head of Internal Audit & Risk Management is responsible for implementing measures to monitor the effectiveness of the service. Such measures include evaluating the performance regarding individual audits by way of the Client Satisfaction Questionnaire. Additionally, the Audit & Scutiny Committee review the results of the performance measures.
External Audit reviews the work that we perform on an ongoing basis, particularly with regard to our reviews of central systems, and seek to place reliance on this.
During 2002/03 the Section undertook an extensive Best Value review of its operations and produced an improvement action plan in order to improve the service it provided. In addition to ensuring that the improvement actions have been introduced, the Section has committed to reviewing its performance on an annual basis in order to ensure that both our procedures and our performance is evaluated and measured against best practice.
Finally, in order to ensure that we deliver a professional and consistent service to our clients we operate to an extensive Audit Manual which has been developed in such a manner as to ensure that we comply with best practice.