
Internal Audit ANNUAL REPORT AND ASSURANCE

Graham Cassell Head of Internal Audit ECGD

INTRODUCTION

Government Internal Audit Standards (GIAS)

Opinion

Assurance Frameworks

Annual Report (planning and assignment reporting)

STANDARDS

GIAS Standard 9

(At least) Annually Opinion. Adequacy and effectiveness. Risk Management Governance Control Processes. Issues relevant to the Statement on Internal Control (SIC). Compare actual activity with that planned but..

OPINION

Opinion Positive reasonable assurance.

Scope:

sufficient work whole of the organisation.

Positive: confident assertion based on evidence.

Reasonable.

Period of time cumulative or annual?

ASSURANCE

Assurance framework. Audit Committee Handbook (consultation draft principle C5.3) Annual Report Comprehensiveness of assurances. Reliability and integrity of these assurances. Opinion assurance is sufficient. Specific attention SIC. Financial reporting. Quality of IA and EA. Its own effectiveness.

ASSURANCE

Residual Risk Low

Assurance

Control/Risk Management

Well controlled, although may be some efficiencies to be made. There is a need to maintain an oversight and consider efficiency improvements. Some weaknesses which could have an impact on the achievement of business objectives. Action is required to monitor the situation and improve control. Significant weaknesses which could threaten the achievement of business objectives. Prompt remedial attention from management is required.

Medium

High

Significant weaknesses which could threaten the achievement of critical business objectives or lead to a PAC appearance. Urgent remedial attention from senior management is required.

STRATEGY

Audit strategy

The audit strategy takes into account i) the maturity of risk management in ECGD, ii) the audit work on which the Board require an assurance, iii) the need to provide a balance between fundamental assurance and value added audit and iv) external audit and other assurance providers.

The Audit Plan reflects ECGD's risk framework and is informed from the following sources:

The strategic risk register: Appendix 1 demonstrates the link between ECGD's strategic risks, which are driven from the Business Plan, and the audit work we plan for the year.

Where possible, Divisional plans (PRPs) / risk registers, which reflect the business and operational risks of the department.

The change programme and associated risk registers - Appendix 3.

The Executive Committee - discussions with the Accounting Officer and members of the Executive Committee.

Time is also set aside to provide i) consultancy and advice. Consultancy is defined as a request by management for an audit of a specific area of risk/process or issue.

Change is reviewed at two levels: firstly by a review of the overall governance process for change management, and secondly by reviewing individual projects using one of a range of options.

The IAA Operational plan

Step 1
Define audit universe from top down (i.e. strategic / change programme) and bottom up (i.e. operational) risk profiling of the business

Step 2
Identify themes and consider priorities

Step 3
Understand what is in the scope of other assurance processes (e.g. self assessment, oversight functions)

Step 4
Develop an internal audit plan and a proposed methodology to address the gaps and / or test the other forms of assurance

Governance and control environment

Strategic risk assessment

Consider themes and prioritise

Other assurance

Flexible audit plan

Operational risk assessment

For example: Embedded risk management

For example: Risk based audits

Change Programme / Major spend

External Audit

Key control reviews

Consultancy or special Legal Consultation reviews e.g. efficiency

PERIODIC PLANS

Area

Area of risk

Sponsor

Priority Days

Comments

Qtr

1. Strategy and Governance: 1.1 Board Effectiveness.

2. Risk Management: 2.1 Follow up of Pilot Trading Fund Post Implementation Review.

3. Operational: 3.1 Post cost plan assurance.

4. Financial: 4.1 Reporting, Monthly Management Report and validation of performance information.

ASSIGNMENT REPORTING

Introduction Background Objectives and scope of the review Summary of approach Exclusion from scope Audit assurance and conclusion

Introduction Internal Audit & Assurance have completed their assessment of

Audit assurance and conclusion Our overall assurance for ..is that there... As a result IAA have proposed a number of recommendations for action and we attach management's agreed actions in the Detailed Findings at Section 2 of this report. On the basis of the work performed within this review, we found that: The risks related to.

Background to the review Objective Scope of the review Summary of approach Exclusion from scope

ASSIGNMENT REPORTING

Sponsor Risk and control Resources assessment Risks Priorities for detailed findings

Risk and control assessment Our assessment of risk before and after the consideration of the quality of controls is shown below.

Risk

Inherent risk rating1

Residual risk rating2

Finding ref.

Ineffective or incomplete review of all contributions

Medium

Low

Medium High High Medium High


1

Medium Medium High Low Medium

1.1 2.1 2.1-2.6 2.1 3.1-3.7

Inherent risk is our assessment of the level of risk before consideration of any controls. High Medium Residual risk takes into account the strength of controls based on our evaluation and testing.

Priorities for Detailed Findings High Priority Medium Priority Low Priority

ASSIGNMENT REPORTING

Finding

Risk

Recommendation

Agreed Action

Owner / Timescale

Priority 1) Project Governance Procedures 1.1 The Project Board set up to manage the 2005-06 Finance year end process...

The process 1. The Project Board does not have appropriate governance procedures leading to a lack of accountability and management


Internal Audit & Assurance Annual Report Purpose

Purpose of this document The purpose of this document is to present Internal Audit's view of the adequacy and effectiveness of ECGD's risk management, internal control and governance processes for the year ended March 2006, based on the internal audit coverage in the year and progress towards implementing agreed actions from earlier periods. Internal Audit's annual report is addressed primarily to the Accounting Officer and is presented also to the Audit Committee for its consideration. The report is split into a number of sections: Overall assurance and executive summary. Summary conclusion and assurance. High level assurance by audit. Summary conclusions for each audit. Outturn against the audit plan. Key performance indicators.

Internal Audit & Assurance Annual Report Executive Summary


Overall Assurance. Our overall assurance is that the system of internal control is well controlled although there may be some efficiencies to be made. There is a need to maintain an oversight and consider efficiency improvements.

For the A audit reports issued during the year, we rated B areas as containing minor or no control weaknesses, C areas as indicating some control weaknesses and D areas as containing significant internal control issues. Implementation of agreed actions. Management responses to reports issued in the year have been positive. A actions were completed during the year. There are currently B outstanding actions (C high priority) of which D are overdue. E of these are high priority. Coverage - summary of audit coverage (including wider independent assurances). Quality Assurance The feedback received from on completion of each audit was positive. We received an overall score of A out of a possible B (scale: one (low) to five (high)). During the year Internal Audit was subject to an independent external quality assurance review; its conclusion was.

Internal Audit & Assurance Annual Report Summary conclusion and assurance

Governance Although the Accounting Officer has the ultimate responsibility for standards of governance, risk management and internal control, he is supported in this by the Board, the Senior Management Team and the sub-committees to whom responsibility is delegated. Internal Audit was asked to . Corporate Governance: Code of Good Practice. Management Board. Delegated Authorities Information Systems Management Forum Risk Management An assessment of ECGD's financial risk management systems in the context of. While ECGD's operational risk procedures . The latest version of the Risk Management Assessment Framework includes numerous examples of. The last quarterly report on operational risk to the Executive Committee shows that...

Internal Audit & Assurance Annual Report Summary conclusion and assurance

Financial Management A review of aspects of financial management concluded that A agreed actions from this report remain outstanding . Internal Audit undertook a review of ECGD's financial management arrangements in preparation for a review by HM Treasury. The HM Treasury review was part of a wider review of financial management across central government. The Internal Audit review identified .. The transfer of ECGD's finance activity to London by March 2006 involved both the recruitment .. HM Treasury Internal Audit conducted an audit on behalf of the HMT Payroll Consortium, of which ECGD is a member.

Internal Audit & Assurance Annual Report Summary conclusion and assurance

Operational Procedures and control Systems Key elements of the Roadmap programme were launched in May 2005. Internal Audit was asked to complete a position statement on the readiness to launch the new operating framework prior to go live. After due consideration of the controls established by management and the assurance received from the key business representatives, Internal Audit .. As part of the follow-up work on implementation, Internal Audit was asked to undertake an operational procedures review of the new business systems affected by the implementation of the ACBS system. Overall, controls were Customer Charter Change Management


Internal Audit & Assurance Annual Report Summary conclusion and assurance

Information Assurance The Infrastructure Division (ID) has a framework of control in place. However, End User Developments Information systems security File management and security. In April 2005, an audit of file management and security . IMPACT is a key element in improving ECGD's business efficiency and enabling a better service to its stakeholders in an environment of cost constraints. The Project Business Continuity Planning ECGD is developing a plan to counter the effects on the business of a pandemic outbreak. ECGD also has an overarching Departmental business continuity plan in place. This is supported by

Internal Audit & Assurance Annual Report Summary conclusion and assurance

Fraud Over the last year, the Department has been . Anti bribery and corruption procedures. Fraud Risk Assessment. Fraud Policy Statement. Whistle blowing Policy.


Internal Audit & Assurance Annual Report Assurance for each audit

Assignment | Assurance | Assignment | Assurance
1. | Amber | 7. | Amber
2. | Yellow | 8. | Yellow
3. | Yellow | 9. | Performing
4. | Improving | 10. | Amber
5. | Green | 11. | Yellow
6. | Improving | 12. | Yellow

Internal Audit & Assurance Annual Report Summary of conclusions


Review conclusions We have summarised below our conclusions from each review:
Assignment | Published | Audit conclusion
File Management and security | April 2005 | Overall Assurance: Amber. The audit identified a number .
Review of Roadmap | May 2005 | Overall Assurance: Yellow. A number of reports were issued with regard to the launch of the Roadmap products. The final report issued on 10 May 2005 showed..

Internal Audit & Assurance Annual Report Internal Audit plan for 2005 / 2006
Internal Audit plan for the year. The audit plan for the year to April 2006 is shown below.

Audit title Financial

Sponsor

Priority

Work In Progress

Report Published

Budget days

Actual Days

Notes

Reporting, MMR and validation of performance information and KPIs.

Carried forward to 2006/7

40

Political/Legal/Reputational

Customer Charter

Complete February 2006

10

12

Revised to high priority


Internal Audit & Assurance Annual Report Key performance indicators

Reviews completed in the period. Status of agreed actions. Client satisfaction. Etc.


KEY POINTS

Customer expectations.

Assurance framework. Holistic approach. Paint a picture - key messages back and forward looking? Be positive. Keep it simple. House style.


FINAL THOUGHTS

How do we stay fleet of foot and make sure the assurance is relevant to today's challenges?

How do we ensure we add value by providing an assurance against new or emerging standards?

What is unique about Internal Audit (independence aside)? How do we position internal audit assurance alongside other assurance providers?

Do the Standards require updating to reflect a more dynamic environment?
