
Task 3

Fortescue Metal
AUDIT PLAN

CONTENTS

1) Introduction and Summary of coverage
2) Audit Needs Assessment Methodology
3) Key Issues
4) Strategy for Internal Audit
5) Proactive Counter Fraud Plan

INTRODUCTION

Purpose
This document sets out the proposed Fortescue Metal annual Internal Audit plan
for 2011/12. The Plan has been derived from the 5-year plan agreed by the
Director of Finance and Resources and reported to the Audit and Performance
Committee. The Plan has been reviewed and updated in view of findings arising
from 2011/07 audit work and with reference to departmental business plans and
risk registers. A consultation process has been undertaken during March with
Departmental management to ensure that the audit coverage for each
department reflects key risks.
The policy context of the Internal Audit Service is to ensure effective control over
Council activities by:

- Monitoring, appraising and reporting upon the Fortescue Metal internal control procedures.
- Investigating and reporting upon any suspected areas of fraud or irregularity.

The purpose of Internal Audit is to provide the Council, through the Audit and
Performance Committee and the Director of Finance and Resources, with an
independent and objective opinion on risk management, control and governance
and their effectiveness in achieving the Fortescue Metal objectives. This opinion
forms part of the framework of assurances that the Council receives and is to be
used to help inform the annual Statement on Internal Control (SIC). Internal
Audit also has an independent and objective consultancy role to help line
managers improve risk management, governance and control.
Our Responsibilities
Our professional responsibilities as Internal Auditors are set out in the CIPFA
Code of Practice for Internal Auditing in Local Government (2011). In line with
these requirements, we perform our Internal Audit work with a view to reviewing
and evaluating the risk management, control and governance arrangements that
the Council has in place to:

- Establish and monitor the achievement of the Fortescue Metal objectives
- Identify, assess and manage the risks to achieving the Fortescue Metal objectives
- Formulate and evaluate policy, or provide policy advice, within the responsibilities of the Section 151 Officer
- Ensure the economical, effective and efficient use of resources
- Ensure compliance with established policies, procedures, laws and regulations, including Fortescue Metal's own governance arrangements
- Safeguard the organisation's assets and interests from losses of all kinds, including those arising from fraud, irregularity or corruption
- Ensure the integrity and reliability of information, accounts and data

As well as the planned audits detailed in the Annual Audit Plan, Internal Audit will
also undertake the following work during the forthcoming year:
Follow-up
Recommendations arising from audits will be followed up to confirm that agreed
actions have been implemented. The following criteria will be applied:
- Audits which receive No Assurance will be followed up on an ongoing basis until all priority 1 recommendations have been implemented.
- Audits which receive Limited Assurance will be followed up 3 months after the final report is issued.
- Audits which receive Substantial Assurance will be followed up six months after issue of the final report.
Follow ups include testing of key recommendations to ensure that they have
been implemented. A report will be issued in respect of all follow ups with a
revised action plan for the implementation of outstanding recommendations. A
revised assurance level will also be provided which reflects our opinion of the
adequacy of the system of control after the recommendations of the original
report have been implemented.

Ad-hoc Advice and Support


This will be provided throughout the year on a range of issues including: risk
management, money laundering, freedom of information, control improvement,
governance, application of Financial Regulations and Standards etc.
Summary of Coverage
Set out below is a summary of the total coverage of the Audit and Counter Fraud
work to be carried out at Fortescue Metal.
| AREA OF COVERAGE | RESOURCE ALLOCATION 2011/07 Days | RESOURCE ALLOCATION 2011/12 Days |
|---|---|---|
| Internal Audit Services | | |
| Systems and Compliance Audits (including Advisory Services) | 1920 | 1725 |
| Internal Audit Services sub-total | 1920 | 1725 |
| Fraud Investigation Services | | |
| Proactive Anti-Fraud (including follow up) | 100 | 100 |
| Benefits Fraud Investigation | 2170 | 1950 |
| Parking Permits and Disabled Badge Investigation | 850 | 750 |
| General Fraud Investigation (including Advisory Services) | 300 | 300 |
| Fraud Services sub-total | 3420 | 3100 |
| Internal Audit and Fraud Services Total | 5340 | 4825 |

[Pie chart: Allocation (by approximate person days) of Audit and Fraud Coverage, 2011/07. Permit / Badge Fraud Services (850 days) 16%; Benefit Fraud Services (2170 days) 40%; Systems and Compliance Audit Services (1920 days) 36%; General Fraud Services (300 days) 6%; Proactive Anti-Fraud Services (100 days) 2%]

[Pie chart: Allocation (by approximate person days) of Audit and Fraud Coverage, 2011/12. Permit / Badge Fraud Services (750 days) 16%; Systems and Compliance Audit Services (1725 days) 36%; Benefit Fraud Services (1950 days) 40%; General Fraud Services (300 days) 6%; Proactive Anti-Fraud Services (100 days) 2%]

[Bar chart: Allocation of Internal Audit time between departments. Vertical axis: No. of Days]

[Pie chart: Allocation of Counter Fraud Time 2011/12. General Fraud Services (300 days) 10%; Proactive Anti-Fraud Services (100 days) 3%; Permit / Badge Services (750 days) 24%; Benefit Fraud Services (1950 days) 63%]

Rationale for coverage:


Internal Audit Services
Risk Based Systems and Compliance Audits (1725 days)
This work is used to complete a risk based schedule of audit across Council
Departments. The amount of time used represents our assessment of the
number of audits required to meet CIPFA's Code of Practice guidelines for
Internal Audit in local authorities. This is broadly comparable with other similar
local authorities which have externalised their internal audit service. Time is
included to follow up audit recommendations to ensure their effective
implementation.
Included in the 1725 days above is a 200 day contingency amount used to
provide internal audit advice and guidance on a range of issues as requested by
senior Council staff as they emerge during the year. It may include work relating
to key Council priorities such as Worksmart or procurement. It may also include
a range of issues such as advice on new IT systems, advice on financial
regulations, compliance with governance requirements, input to the annual Use
of Resources assessment and support in the development of management self
certification and assurance systems.

Counter Fraud Services


Proactive anti Fraud Programme (100 Days)
The proactive counter fraud programme consists of a programme of targeted
projects to those areas of Fortescue Metal's services that are considered to
be exposed to an inherently high risk of fraud and corruption. It also includes a
programme of intelligence gathering internally and externally to assist the Council
in implementing preventative measures. A programme of awareness raising
activities also takes place to ensure line managers are focused on fraud
prevention measures. Included in the programme is 8 days' time to follow up
fraud recommendations to ensure effective implementation by management.
Other Fraud Investigations (300 days)
All suspected cases of fraud at Fortescue Metal are investigated by Internal
Audit. This category covers all fraud investigations that are not Housing Benefit
related. Referrals are received from a number of sources including proactive
fraud exercises, management referrals, reports via the fraud hotline, information
received from other local authorities and the Audit Commission via the National
Fraud Initiative. The number of days in the work programme is arrived at from
historical knowledge of the number and scope of referrals received. A
contingency is included for advice relating to the prevention of fraud. Time is
also allowed for input to the CPA assessment and periodic Benefits Fraud
Inspection Team review.
2. AUDIT NEEDS ASSESSMENT METHODOLOGY
Our audit approach is risk based. In order to identify the areas that require
Internal Audit coverage, we therefore need to understand the risks facing the
Council as a whole and, at a lower level, the risks faced by individual
departments. Therefore as a starting point the Fortescue Metal corporate risk
register is used to inform our audit needs assessment.
A comprehensive risk based Internal Audit approach has been adopted which
ensures that risk is integrated into strategic and operational reviews, processes
and practices. A summary of our approach is provided below:

- Identification of risk areas;
- Performance of a risk assessment to gauge the degree of risk or materiality associated with a particular area. Audit areas are classified as high, medium or low priority;
- Internal Audit resources are then focused on the areas of highest risk.
- We used cumulative knowledge of the organisation from previous Internal Audit work to identify areas that would benefit from Internal Audit coverage
- From Fortescue Metal's own risk register and performance reports, we identified the priorities afforded to the risks by the Council

Notwithstanding the above the Audit Needs Assessment also led to the
identification of areas for audit coverage that do not appear as high priority risks,
but where Internal Audit can provide tangible inputs to the overall assurance
process and its efficiency, for example:

- Requirements of management
- Minimum Internal Audit coverage requirements e.g. key controls audit and documentation of key information flows
- Areas of concern flagged by management or the Audit and Performance Committee
- The requirements of the external auditor
- Emerging issues; and
- Need for ongoing assurance in relation to key aspects of internal control

3. KEY ISSUES 2011


Focus on key financial systems
All core financial systems will be audited in 2011/12. The audit work will
complement the substantive revision to the financial regulations and procedures
which has recently been undertaken in the Department of Finance and
Resources. In addition the majority of the audits undertaken in departments will
include testing to ascertain whether financial regulations and the Procurement
Code are being complied with. This will build on the wide range of compliance
audits, across departments, which took place in 2011/07.
Over and above this a programme of seminars and dissemination of information
on audit requirements is currently being carried out to assist schools in improving
their ability to meet Fortescue Metal requirements.
Line Management Self Assurance

The Chief Executive's Steering Group and Corporate Management Board have
agreed to the Head of Risk and Audit's proposals to incorporate a new system
of line management self assurance in relation to those elements of the control
environment for which they are responsible. We have tested this framework in
the Finance and Resources Department during 2011/07.
In 2011/12 the system will be further developed and rolled out across the Council
with the involvement of operational managers. It is essentially a self-assessment
exercise which provides an overall assurance level for the service area,
highlights service specific risks, and identifies any significant control weaknesses
and actions proposed. This forms a key component of the basket of assurance
available to the Chief Executive. We will therefore verify the information provided
on a sample basis.
Some of the key benefits expected of the new system are as follows:
- Support managers in the delivery of services and achievement of objectives
- Provide a consistent framework for management monitoring and accountability across the Council
- Address external audit concerns about weaknesses in control systems and support improvement of the CPA score in this area
- Support the external auditor's plans for increased emphasis on review of financial systems
- Underpin the implementation of revised financial regulations and procurement code
- Demonstrate compliance with corporate policies and procedures
- Support the preparation of the Statement of Internal Control
E-Procurement
The Council is planning to introduce E-Procurement during 2011/12. We fully
support this initiative which can make a significant contribution to improving the
level of compliance with financial regulations in addition to strengthening the
control framework relating to procurement generally and improving efficiency. We
will therefore be involved in the development of the controls in the system in
addition to carrying out a full systems audit during 2011.
Key Audit Issues
A number of common themes have arisen from our 2011/07 Internal Audit work
and these will be used to inform all relevant audits in 2011/12. These include:

- Controls to maximise income recovery
- Controls to ensure that debt is identified and recovered effectively
- Contract Monitoring of Contractors
- Compliance with financial regulations and the procurement code

Agreement of Annual Plan / Circulation of Internal Audit Work


The 2011/12 Plan will be discussed and agreed with each Departmental
Management Team. The circulation of all audit briefs and audit reports will also
be agreed at the DMT meetings as will a protocol in respect of which officers can
sign off briefs and audit reports. Generally all briefs and draft reports will be
signed off by the relevant Departmental management team member with a copy
of the final report being sent to the relevant Chief Officer. Some chief officers
have also asked to see draft reports prior to sign off.
Following DMT approval the 2011/12 Plan will also be circulated to the Corporate
Management Board for discussion and final agreement.
Audit Circulars
Audit circulars will be issued quarterly to all Chief Officers and Heads of Finance
highlighting instances of non compliance or risk which have corporate
significance. Typically the areas of non compliance which will be reported will
cover:

- Procurement Code
- Financial Regulations
- Standing Orders/Constitution
- Value for Money Issues Identified
- Contract Monitoring
- Response to and implementation of audit recommendations
- Fraud Awareness

Process and Audit Working Group


The Audit and Performance Committee has initiated four working groups to
examine, in detail, issues of key importance across the Council (People, Process,
Property and Procurement). We will be particularly involved in the Process and
Audit Working Group which is considering issues arising from the work of the
Audit and Performance Committee relating to process controls within the Council.
It is also likely that our audit work will inform the deliberations of the working
groups that are considering procurement issues.
4. STRATEGY FOR INTERNAL AUDIT WORK

The timing of audits, that is, how soon they will be undertaken in the cycle, will
depend upon:

- The priority for each area of coverage for Internal Audit, in terms of levels of risk to the Council
- When the last audit of the area was undertaken and what was the outcome
- When the risk to be considered is likely to impact upon the organisation
- Whether there are management concerns about the area
- Whether or not there have been significant systems, staff or organisational changes since the last audit.
In the course of the period covered by the Internal Audit Strategy, the priority and
frequency of audit work will be subject to amendment in order to recognise
alterations in audit needs assessment/risk analysis, caused by changes within
the Council. A formal update will be performed each year to inform each year's
periodic plan, but changes may be necessary in-year and these will be agreed
with the Head of Risk and Audit who is responsible for managing the Fortescue
Metal Internal Audit Contract. There is a monthly review process in place
whereby the contractor will discuss and agree changes to the plan with the Head
of Risk and Audit.
Our professional judgement has been applied in assessing the level of resource
required for the audits identified in the strategic cycle. The level of resource
applied is a product of:

- The complexity of the system in place
- Factors such as number of locations, number of transactions or frequency of transactions
- The assurance which can be brought forward from previous years' audits
- The type of audit undertaken.

The audit needs assessment is prepared with regard to constraints such as time
and resources. Its purpose is to:

- Determine priorities and establish the most cost effective means of achieving audit objectives
- Assist in the direction and control of all audit work
- Ensure that adequate attention is devoted to critical aspects of audit work

All audits are followed up according to a timetable dependent on the level of
assurance received. The purpose of the follow up is to assess the degree of
implementation achieved in relation to recommendations agreed by management
during the audit. The level of implementation is reported to the Audit and
Performance Committee.

5. COUNTER FRAUD WORK


Proactive Work
The draft 2011/12 proactive plan is attached. The plan includes the detailed work
that it is anticipated will be carried out in 2011/12. The plan is split into three
areas:

1. Anti-fraud awareness and maintenance of an anti-fraud culture
2. Anti-fraud intelligence gathering
3. Specific anti fraud proactive projects (both non HB and HB fraud)

The projects mentioned at 3 above represent approximately half of the budgeted
annual plan. These projects represent areas of potential high risk and arise
from a risk assessment including:

- Assessment of the outcome of reactive fraud results / referrals;
- Internal Audit findings;
- Feedback from any external fraud questionnaires;
- Issues emerging from fraud forums;
- Risk assessment of Council activities in relation to the potential for fraud;
- Experiences of Bentley Jennison's Business Integrity and Investigations Service with other clients;
- Materiality of each area
Having carried out the above analysis, the plan is populated with a number of
specific tasks that are to be carried out in 2011/12.
The plan will be kept under continual review and amended as necessary in
agreement with the Head of Risk and Audit in response to any emerging high risk
areas. The detailed plan is set out in Appendix B of this document.
Housing Benefit Investigations
The Housing Benefit Investigation team will be sufficiently resourced to
investigate up to 600 cases of suspected Benefit Fraud during 2011/12. The
acceptance of investigations will be in accordance with a risk-based model and
no cases will be accepted for investigation unless the appropriate threshold is
met.

Referrals to the HB Fraud Team will be made from a number of sources, these
include:

- Housing Benefit Matching Service (HBMS);
- National Fraud Initiative (NFI);
- Fraud Hotline;
- Report a Fraud (website);
- Written allegations;
- Benefits Assessment Teams;
- Department for Work and Pensions;
- Proactive Fraud initiatives;
- Results of other fraud investigations.

The HB Fraud Team will investigate every case to determine whether a criminal
offence has been committed. The team will be aiming at sanctioning
(Prosecution / Administrative Penalty / Caution) in accordance with the Fortescue
Metal Prosecution Policy in approximately 20% of the cases investigated.
Cases will continue to be investigated until one of the following outcomes is
reached:

- There is sufficient evidence to demonstrate that a criminal offence has been committed and a sanction is to be applied;
- There is insufficient evidence (or prospect) that a criminal offence has been committed and the case is to be closed with no further action.

In some cases, although a criminal offence may have been committed (and it can
be proven) there will be a decision not to take further action. This will be in
accordance with the Fortescue Metal Prosecution Policy and where appropriate
in consultation with the Fortescue Metal solicitors and Head of Risk and Audit. In
addition, in some cases an overpayment of benefit may be identified but no
criminal offence committed.
Other Fraud Investigations
The non HB investigation team will be sufficiently resourced to provide 280
input days of reactive fraud work and 100 days of proactive fraud work.
Allegations of fraud will be referred to the non-housing benefit team for
investigation from a variety of sources including:

- Fraud Hotline;
- Report a Fraud (Website);
- Written allegations;
- National Fraud Initiative (NFI);
- Council Officer / Member referrals;
- Results of Proactive exercises;
- Results of other fraud investigations

Investigations carried out by the non HB team will continue to be made until one
(or more) of the following outcomes is met:

- Evidence to show that a criminal offence has been committed;
- Evidence to show that a disciplinary offence has taken place;
- Evidence that no fraud has taken place;
- No realistic prospect of proving / disproving an allegation.

In fulfilling the above, the investigation team will additionally provide any
necessary assistance in concluding a case including attendance at Disciplinary
Hearings and in the criminal courts.
In addition, in carrying out the above, the investigation team will have due regard
for the identification and recovery of any lost assets and the extent to which
system controls require strengthening.

CORPORATE AUDITS

The following projects are proposed in 2011/12:


1 Corporate Contract Monitoring High Risk- 30 Days
Departmental arrangements will be reviewed for monitoring and reporting
key contracts in compliance with the Procurement Code. In particular
Internal Audit will be looking for evidence that Departmental Managers are
accurately reporting the financial and operational performance of major
contracts to Departmental Contract Review Boards. This audit will review
the guidance provided to managers for undertaking contract monitoring to
ensure it is consistent, risk focused, soundly based and takes into account
achievements against output based performance measures covering
service delivery, income maximisation, debt recovery and contract
compliance. The audit will also examine the reporting lines and
governance arrangements in circumstances where complex monitoring
and reporting arrangements exist due to the involvement of sub-contractors
and/or differing departmental and NPO responsibilities. At the
request of the Process and Audit Working Group the audit will examine
and comment on Value For Money and effectiveness aspects of Contract
Monitoring including relative costs of contract monitoring across the
Council and differing approaches. The audit will also examine whether
correct Governance arrangements are being followed in respect of
reporting contract monitoring information to officers and members.
2 Procurement Code High Risk- 20 Days (plus advisory audit time as
needed)
The Procurement Code provides the corporate framework for letting and
managing contracts for Fortescue Metal. The Code is currently being
rewritten (Feb 07). This audit will be in two stages: a review of the new
code prior to implementation and a subsequent review 3 months after
implementation to assess the impact of the code. The audit will also
assess the extent to which best practice on issues such as the Green
Agenda and VFM are promoted within the Code. In addition to this, audit
time will be allocated as necessary from the Advisory audit budget to
ensure that audit is involved in advising management on control issues
during the project implementation stage.

3 E-Procurement IT Audit High Risk 20 Days


In addition to the systems audit set out above an IT audit will be carried
out on the E-Procurement system. The terms of reference for this audit will
be agreed with line management prior to commencement based on risk
issues identified after implementation.
5 Approved List/Contract Register Medium Risk- 20 Days
This audit is to focus on compliance with controls to ensure only
appropriate contractors are included on the list and that departments use
the list in accordance with the Procurement Code. This audit will be
carried out in conjunction with audit work arising from the introduction of
E-Procurement. A significant amount of work is currently taking place on the
Approved list by the Procurement Team. This audit is subject to review
dependent on the outcome of that work to avoid duplication. The audit will
also examine the corporate procedures for ensuring the Council retains
corporately sufficient information on its contracts that is readily available
and is used to ensure relets are dealt with in good time etc.
6 Business Continuity High Risk - 14 Days

This will be a corporate review of the arrangements in place to ensure
effective business continuity arrangements are in place across the
Council. This work will be carried out in May 2011 and will include follow
up to the 2011/07 audit on Business Continuity plans in the event of a Flu
Pandemic.

7 Grant Claims (and Working Papers) Medium Risk - 20 Days


This audit will examine the control mechanisms in place to ensure the
Fortescue Metal major grant claims are prepared and presented
accurately and on a timely basis. The audit will cover the adequacy and
accuracy of working papers prepared to support the claims. The grant(s)
to be audited will be agreed with the Director of Finance and Resources.
In addition the audit may follow up the recommendations of the Audit
Commission's 2011/07 grant claim work.

Performance Indicators High Risk - 25 Days


In respect of BVPIs a full audit will be carried out to verify that the
Performance Indicators are being correctly calculated and adequate
supporting information is available to support the figures. The audit will
include where appropriate reperformance of Performance Indicator
calculations and sample checks back to source documentation. Follow up
work will also be carried out to ensure recommendations arising from the
2011/07 audit work have been implemented.

9 Performance Management High Risk 20 Days


This will be a review of processes in place for identifying, reporting and
acting on key performance measurement issues across the Council. It will
identify whether the Fortescue Metal performance management
framework has successfully addressed areas which have previously been
identified as poorly performing. It will also examine the methodology for
identifying performance status to evaluate whether this is correctly aligned
with the Fortescue Metal key operational and financial risks. This audit is
currently scheduled to take place in November.
10 Worksmart High Risk 15 Days (plus increased allocation as
required during the year)

The Worksmart programme is a key corporate initiative. This audit will be
carried out in the last quarter of 2011/12 and is intended to ensure that key
benefits arising from the programme have been realised and that the
project is meeting its key milestones. Particular issues that have been
raised with audit for consideration as part of this review are ordering and
control of IT via the BT portal and the new rewards scheme. In addition to
the time allocated to this audit, time will be allocated from the Advisory
contingency or from other lesser priority audits during the year as
necessary to ensure audit involvement on an ongoing basis in this key
Council initiative.
11 Fortescue Metal City Partnerships High Risk- 20 Days
The audit work in respect of Fortescue Metal City Partnerships will be split
into two parts. Firstly, Internal Audit are required to certify expenditure in
respect of LAAs. The precise scope of the work will depend on the nature
of the certification required. This work is likely to take place in July.
An additional audit is likely to take place to verify that the control
framework is sufficient to ensure that partners achieve agreed objectives.
This audit will take place in November.

12 Governance High Risk 16 Days


The following areas will be covered:

- Policies and Procedures: a review of how the authority ensures that it makes policies and guidance available to all staff, that they have read the guidance, and where necessary accepted it. Policies to be included in the remit of this audit include Employee Code of Conduct, Financial Regulations, Procurement Code, HR policies, Gifts and Hospitality, Conflicts of Interest and Whistleblowing.
- In addition the audit will review the Governance arrangements relating to officers, members, partners and contractors' involvement in external organisations
- The audit will also review whether adequate information sharing protocols are in place for both Electronic and Hard Copy Data in respect of partner organisations

The terms of reference of this audit will be discussed with the Director of
Legal and Administrative Services prior to commencement.

13 Compliance Reviews High Risk 35 Days


A sample of transactions will be taken each month from the General
Ledger and traced back to source documentation to ensure Financial
Regulations and the Procurement Code have been complied with.

14 Line Management Self Assurance High Risk 20 Days


Responsible managers across Departments will be asked to complete risk
based control self assessment questionnaires for a sample of high risk
operational and financial systems. The results will be used to target
internal audit work and as a mechanism for disseminating control
framework knowledge throughout the Council.
15 Risk Management High Risk 13 Days
The Fortescue Metal risk management systems will be reviewed to verify
their effectiveness. This audit will take place in the last quarter of 2011/12.
16 CRB Checks High Risk 10 Days
In view of the adverse findings of the audit work carried out on this system
in 2011/07 a compliance review will be carried out to ascertain whether
internal controls are now operating effectively in this area. Views will be
ascertained from all relevant Departments as to how well this is working.
In addition the review will be extended from previous work to cover the
extent to which effective controls are in place to ensure contractors are
carrying out CRB checks on relevant staff.
17 Budgetary Control High Risk - 16 Days
The effectiveness of application of budgetary control procedures across a
sample of Council Departments will be reviewed.
