Part 4 What do we do?

General Audit work
Systems Audit
Internal Audit’s prime role is to offer advice and provide assurance on the adequacy of the system of internal control operating throughout the Council.  The principal mechanism by which this is achieved is by undertaking systems-based audits. The conduct of an audit using this methodology enables auditors to:

  • Assess how internal controls are operating in a system, thereby forming a view on whether reliance can be placed upon the system
  • Provide management with assurances that systems are adequately meeting the purposes for which they were designed
  • Provide constructive and practical recommendations to strengthen systems and address identified risks
  • Use findings to feed into an overall opinion on the control framework of the Council, thereby helping to meet the demands of Corporate Governance
  • Furnish appropriate evidence for external audit and other review agencies.

Compliance Audit (Central Systems)
These audits are undertaken to provide a level of assurance that the main financial systems of the Council are operating effectively at establishment level (i.e. School; Resource Centre; Area Office).  The audits involve the testing of the main systems in operation, including payroll, debtors and creditors in order to ensure the proper and accurate recording of transactions.

Contract Audit
Expenditure on both capital and revenue contracts forms a significant part of the Council’s expenditure. Therefore it follows that it is necessary to maintain an adequate and effective internal audit of that expenditure. Contract audit within the Council is predominantly conducted using a systems-based approach although this is supplemented by a review of individual contracts or projects.

Computer Audit
The Council needs to have sound and robust computer systems to ensure that they produce timely and accurate information in a secure environment thus ensuring that information at a strategic, service and business unit level is available to support the management of the Council.

The CIPFA Computer Audit Guidelines define computer audit as follows:
“The application of auditing skills to the technological aspects of an authority’s business processes. It embraces the independent reviewing and testing of the Council’s practices and procedures relating to:

  • The secure provision of business processing
  • The processes for developing and acquiring new systems and facilities
  • The economy, efficiency and effectiveness of the use and exploitation of IT facilities”

Computer audit within the Council is undertaken using a systems-based approach, with work carried out through our risk-based audit plan. We regularly undertake work in the following areas:

  • Strategic and organisational IT issues
  • Pre and post implementation reviews
  • Installation and access control reviews
  • Security reviews
  • Business continuity planning
  • Software control reviews

Consultancy
Control Advice for system/procedural changes
Financial Regulation 17.1 requires that “The Head of Internal Audit & Risk Management must be consulted on, and given assurance to, the adequacy of internal control when any system is being introduced or materially altered.”  In order to achieve this, Internal Audit needs to be advised at the earliest opportunity in order to assess the extent of their involvement, if any. This could involve the review of project documentation or the attendance at project meetings.
 
The document “Computer Audit Guidelines for Council Staff on Standard Controls for Existing and New Computer Systems” has been drafted in order to provide a simple guide on controls for Council staff who use existing computer systems or services or who are involved in the implementation of a new system, including small systems developed in Access or Excel. The Guidelines make reference to relevant Council policies/ guidance and detail the various types of controls and audit trails that should be built into all systems. Finally there is reference to back up and recovery requirements and Business Continuity Planning. 

Control and Risk Self Assessment (CRSA)
CIPFA have defined Control and Risk Assessment as “a formalised, documented and committed approach to the regular, fundamental and open review by managers and staff of the strength of control systems designed to achieve business objectives and guard against risks within their sphere of influence.” CRSA is a structured approach that allows individual members and line managers to take part in reviewing existing controls to assess their adequacy and, if appropriate, to make recommendations to improve them. To a limited extent, Internal Audit has been involved in assisting Services with the identification of controls in an attempt to roll out CRSA within the Council.

Audit Certificates
Where external funding has been provided to the Council it is often a requirement that Internal Audit check and certify the grant claims, returns or accounts.  In order to be able to accommodate this work, Service Directors are asked to notify the Head of Internal Audit & Risk Management at the earliest opportunity.
(link to information that the Service should provide and to the European info site administered by CX)

Fraud Investigation
Initial Notification

Financial Regulation 17.2 provides the following requirement with regard to the notification of suspected fraud or irregularity:

“Whenever any matter arises which involves, or is thought to involve, irregularities concerning finance, assets or property of the Council or any suspected irregularities in the exercise of the functions of the Council, the Head of Service concerned (the Investigating Officer) will immediately notify the Head of Internal Audit & Risk Management (the Advisory Officer). The Head of Internal Audit & Risk Management will take such steps as are considered necessary to investigate any such matters”.

Financial Regulation 17.3 also makes reference to the notification of irregularities:
“In terms of the Council’s Whistleblowing Policy (link) any complaint, once demonstrated to suggest an irregularity may have been committed, or the information available contains sufficient grounds for concern, the complaint must be referred to the Head of Internal Audit & Risk Management.”

The Council’s policy for dealing with such activity is set out in its Strategy for the Prevention and Detection of Fraud & Corruption.

It is essential that:

  • Managers or other staff do not investigate suspicions themselves unless it has been agreed with the Head of Internal Audit and Risk Management that this would be the most appropriate course of action.
  • Absolute secrecy and confidentiality are maintained.

This will ensure that the investigation is not compromised by the suspect being alerted, thus allowing evidence to be destroyed.

Investigation
Internal Audit’s role is to gather facts and information (including interviewing people involved), report findings, and act as key adviser to the Investigating Officer. Within the structure of the Section we have specialist staff to deal with each investigation.

Reporting
After each fraud or irregularity investigation we will issue two reports; one concerning the circumstances behind the fraud itself which will be of assistance within any Disciplinary Investigation and one addressing any system or procedural weaknesses.
