Chapter four

Risk-based Auditing

This publication emphasises the change in the focus of internal audit. In fulfilling this new role, internal audit must methodically review and provide an opinion on the:

■design and operation of the risk management process
■responses adopted to reduce risks to an acceptable level
■adequacy and effectiveness of the system of internal control in sufficiently mitigating risks.

The chief audit executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement.

The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.

Source: PSIAS 2450 Overall Opinions

In order to provide such an opinion, internal audit needs to take a risk-based approach to planning its work and undertaking audit assignments. Previous chapters have covered audit’s role in the assurance framework, and in assessing risk management arrangements and contributing to their effectiveness. This chapter focuses on developing a risk-based plan, and how risk-based auditing can be used for individual audit assignments. Findings and evidence from risk-based auditing then serve to support the audit opinion.

DEVELOPING A RISK-BASED AUDIT PLAN

As a minimum, internal audit needs to develop an audit plan based on the assessment of risk maturity, and to take a risk-based approach to audit assignments by identifying objectives, risks and controls, evaluating the extent to which those controls address the organisation’s risks, identifying over- or under-control, articulating residual risk, and recommending management action as appropriate.

The requirement of the PSIAS with regard to audit planning is that:

The [head of internal audit] must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.

Source: PSIAS 2010 Planning

When developing the audit plan, internal auditors also need to ensure that they have addressed the requirements of the PSIAS:

■The internal audit activity must assess and make appropriate recommendations for improving the governance process. (PSIAS 2110)
■The internal audit activity must assess whether the information technology governance of the organisation supports the organisation’s strategies and objectives. (PSIAS 2110.A2)
■The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. (PSIAS 2120)
■The internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk. (PSIAS 2120.A2)
■The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. (PSIAS 2130)

The audit plan needs to demonstrate that it is based on an evaluation of the organisation’s risk management, and that it meets the PSIAS requirements set out above. The Shropshire Council case study presented later in this chapter gives a practical demonstration of how internal audit can ensure it has addressed PSIAS requirements.

As a start, it can be useful to think about the risk-based planning process as a ‘top-down’ approach, following three main stages.

The first stage is a strategic risk assessment. This involves building up a picture of strategic risks and the regulatory environment in which the organisation operates, understanding key internal and external developments. It draws on the assessment of risk maturity, internal audit’s participation in the assurance framework and discussions with governing body and audit committee members on their assurance requirements. This assessment should also take into account the risk appetite of the organisation.

A useful way to check whether the strategic assessment has covered all of the key risks is to compare planned audits to the strategic risk register, as in the following example.

Coverage by strategic risk

Note: the larger the circle, the greater the number of audit assignments.

Strategic risk	Number of audits
A Maintaining a balanced budget while delivering current and future political objectives.	13
B OneSource (transformation programme) does not deliver savings required in the timeframe set, improve efficiency and customer satisfaction or generate income from new customers as expected.	20
C Failure of corporate governance and leadership.	13
D Newham Private Rented vehicle does not provide a viable business plan to meet the objectives of delivering an increase in the number of private rented properties.	1
E Major development and big projects being considered fail to meet stated objectives or interfere with the council’s priorities.	2
F Major failure in the health service causes strain on the delivery of adults’ and children’s services.	6
G Changes to legislation and statutes impact adversely on the council’s delivery of the priorities for residents.	8
H The change programme does not deliver the priorities for residents as expected.	1

Source: London Borough of Newham

The second stage of the process is to focus on systems that are critical to the delivery of the organisation’s business and operations, taking into account regulatory requirements specific to each operational area, and liaising with other assurance providers such as external audit.

The final stage is to translate this understanding into audit planning by reviewing local risk assessment for specific activities and systems, and using this to scope out specific audit assignments and objectives.

These stages set out in the following example of an NHS risk-based audit planning approach.

Audit planning: risk-based approach

Source: Mersey Internal Audit Agency

The cyclical planning process

Although the strategic assessment described above employs a top-down approach, the audit planning process itself is cyclical. The lifecycle is unlikely to fit into a neat annual exercise, as the process must be dynamic in responding to changing environmental and organisational risks and needs. However, the formal documentation and agreement of the plan will normally align to annual audit committee meetings and organisational strategic planning milestones. The process encompasses five phases, shown below.

The five phases of the cyclical planning process

Phase 1: understanding the organisational context

Knowledge of the organisation’s strategy, objectives and targets, and a sound understanding of the environment in which it operates, and the challenges it faces, are prerequisites for the effective identification, analysis and management of risk. This awareness must therefore be the starting point for any consideration of the risk management process for internal audit planning purposes and the design of a value-adding programme of work.

To be most effective, this phase should go beyond a review of formal documentation, as objectives and the operational environment, as well as external factors such as sector policy and directives, are continually shifting. Appropriate forums and communication should be used to stay alive to these changes and to ensure that the organisational direction and the internal audit plan remain aligned. This should include regular and open dialogue with senior management and close knowledge of the work of groups where strategy, objectives and policies are agreed and where change is determined and managed.

Phase 2: evaluating the risk management process

The relative maturity of the risk management process determines whether internal audit can use the organisation’s own view of risk. The approach adopted must be tailored to each organisation, and during the evolution of the risk management process the internal audit role should adapt from an initial focus on promotion, facilitation and support through to review, assessment and use of the outputs within a fully risk-enabled organisation. Chapter three of this publication sets out how the auditor assesses risk maturity.

Phase 3: designing the audit plan

Designing a risk-based audit plan is a professional judgment, rather than a mechanistic process. Key to this judgment is ensuring that the audit plan can provide assurance on the achievement of the organisation’s objectives (PSIAS 2120.A1) and in doing so is able to demonstrate that the scope of planned work meets the requirements of the PSIAS as set out at the start of this chapter.

It is essential that internal audit understands the relationship between the risks identified, their relative assessment and where within the organisation they are being managed.

The relationship between risks and the processes that manage them is unlikely to be one to one. Most risks are managed via a number of processes and each process is likely to manage a number of risks. It is also useful to understand the relative weight of this relationship – each process will have a greater or a lesser role in managing each risk.

Reviews may be designed to cover all of the key processes necessary to provide assurance over the management of an individual risk or may cover a logical range of related processes and the risks that these manage. In some cases, a number of reviews may contribute to, or cross-validate, assurance over the management of certain key risks. The important point is that the relationship between each review and the risks over which it is designed to provide assurance is fully understood and can be clearly explained.

The aim is to provide reasonable, rather than absolute, assurance over the management of risks. This is achieved through the delivery of a programme of work designed to provide a balanced assurance over:

■the effective management of those risks assessed as highest by the organisation, often referred to as ‘key’ risks
■the effectiveness of the control environment as a whole, including the ongoing management of other, lesser, ‘non-key’ risks
■any specifically identified areas of uncertainty or concern, for example internal audit’s own knowledge based on previous years’ audit work, the time elapsed since the last review, history or potential exposure to fraud.

Coverage of lesser risks ensures that the assumptions made over the effectiveness of control within management’s risk assessment remains informed and valid.

The level of assurance required will depend on the nature of the business being undertaken and the risk appetite of the organisation.

The type of internal audit input will depend on the level of assurance required by the organisation and the potential for process improvement in the management of the related risks. Processes that have been subject to regular review, and are not impacted by significant change, are unlikely to benefit from full repetitious review of the design and operation of risk management actions. Similarly, areas of high risk where there is potential for significant process improvement are unlikely to be best served by a review of compliance or the sole use of self-assessment, and would commonly be the focus of systems development and change projects.

Appropriate consideration should be given to the intended outcome of each review and the best tools and techniques available to internal audit to achieve this.

After analysing the reviews necessary to provide the required level of assurance and the nature of the internal audit input, the sources and skills required to deliver the programme can be assessed and the relative priority and timing of each review can be considered.

2030 Resource Management

The [head of internal audit] must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan.

Interpretation:

Appropriate refers to the mix of knowledge, skills and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimises the achievement of the approved plan.

Public sector requirement

The risk-based plan must explain how internal audit’s resource requirements have been assessed.

Where the [head of internal audit] believes that the level of agreed resources will impact adversely on the provision of the annual internal audit opinion, the consequences must be brought to the attention of the [governing body].

Source: Public Sector Internal Audit Standards: Applying the IIA International Standards to the UK Public Sector, the Relevant Internal Audit Standard Setters, 2013

Identifying the exact level for resources required for the audit plan is not an exact science. But it is important that internal audit is able to demonstrate a methodical, evidence-based approach to identifying and justifying the resources – either in audit staff time or sourced elsewhere – required to meet the audit plan.

Depending on the size of the organisation and the overall resources available to internal audit, there will usually be a standard allocation of days or time to deliver each audit assignment. The number and type of reviews required will be identified from the processes described above. The total requirement in days or time can then be calculated, and compared to available resources expressed in auditor days.

Where the total requirement exceeds available resources, decisions will need to be made to include only the highest-priority reviews in the audit plan, or to consider whether to increase audit resources to cover all the reviews identified by the risk-based audit planning process. Approaches to calculating resource requirements vary according to the size and nature of the organisation. Annex 4.2 to this chapter provides an example of a method for allocating resources.

Auditor judgment and the principle of triangulation

Risk-based audit planning requires the auditor to make judgments based on their understanding of the organisation. Auditors build up a sense of the business and knowledge of the whole organisation through time, drawing on a number of sources; current and previous audit findings, risk registers and the assurance framework. It is based on the exercise of professional judgment, reviewing different sources of evidence and assessing whether as a whole, the evidence tells the correct story. Assurance statements from management might, for example, be contradicted by the findings of recent audit assignments that indicate that the controls are not operating as effectively as management have stated. This judgment is a process of triangulation – seeking several evidence sources and comparing what they say.

Phase 4: communicating and agreeing the plan

All of the above analysis provides a sound basis from which to communicate and agree the audit plan, and in particular to share the links between the reviews to be undertaken, the processes covered, the risks over which assurance will be provided and the techniques to be used. It also allows internal audit to be explicit over any risks where it will not contribute an assurance as a part of the plan and where other sources should be utilised.

The documented plan should provide sufficient information and analysis to support communication of the scope and approach of each review. The plan should be shared and agreed with senior management and the audit committee. The following case study is an extract from the internal audit plan report to the London Borough of Newham’s audit committee.

Case study: Extract from London Borough of Newham’s internal audit plan report 2013

The other major factor that is considered when identifying audits is risk. The audit plan has been informed to a significant extent by the corporate risk register. This register records the operational risks each service has identified and the controls it is planning to put in place for controlling these risks. The estimated severity of the risk (high, medium, low) before and after it is controlled is also shown. In addition, the following matters may be considered when deciding whether an audit should be carried out:

■value of transactions
■complexity
■volume of transactions
■impact of failure of system
■sensitivity
■new activities or projects.

The risks within the council are reviewed and prioritised, with potential audits being graded according to risk and to ensure coverage over a five-year period. The audit plan only covers very high (priority 1), high (priority 2) and medium (priority 3) risks; low risks are not subject to audit coverage. A list of topics excluded from the plan is maintained and reviewed annually as part of the review of the strategic audit plan. An extract from the audit plan is shown below.

Area	Days	Priority	Source	Risk	Audit outline
Strategic Commissioning and Partnership Development; Commissioning Services	30	1	Risk register	The move towards a single approach to a strategic commissioning model fails to deliver a more efficient and effective use of resources and a better way of delivering services	The audit will examine the commissioning strategy, the commissioning framework, needs assessments and community engagement in the commissioning process
Highways – Capital Monitoring	20	1	Intelligence	Capital monitoring processes are inadequate, leading to significant over- or underspends against budget	To confirm that there are arrangements in place to ensure that there is adequate monitoring and reporting on the progress of capital projects
Traffic Management Orders	20	3	Strategic audit plan	Traffic management orders are required, in order to enable the council to enforce parking regulations (among other things). If the orders are not in place, enforcement can be challenged, with a negative impact on income	To confirm that the council has arrangements in place to ensure that traffic management orders have been implemented
Source: London Borough of Newham

Phase 5: reviewing and revising the plan

Risks are dynamic in nature and the direction and coverage provided through the audit plan should be reviewed regularly to ensure that it remains aligned to the corporate risk profile. In effect, the work of internal audit can be regarded as a rolling programme to be revised as new business opportunities arise, risks change and new information about the risk management process is identified.

The audit planning cycle and the provision of assurance should be continuous, with the impact of changes to the risk profile and any associated changes to plans being analysed and communicated at appropriate milestones, such as audit committee meetings. Review and revision of the plan should as a minimum be aligned with formal changes to the organisation’s objectives and risk profile.

Case study: Shropshire Council – a practical approach to risk-based planning

A practical challenge for auditors is that it is sometimes difficult to directly read across from the organisation’s risk registers to the requirement to produce an audit plan. Shropshire’s approach meets this challenge by bringing together strategic risks, audit’s assessment of risk, and the requirements of PSIAS, and identifying any areas that, although they do not necessarily score ‘high’ in risk terms, need to be kept under review by the audit committee.

Planning phases set out in this chapter: understanding the organisational context and evaluating the risk management process

Assignments are identified based on information about the organisation’s risks, and discussions with key personnel, external audit and other relevant stakeholders. Where risk registers are not mature, a risk assessment needs to be completed by the auditor and coverage of the PSIAS requirements considered. The risk assessment takes account of the following criteria:

■impact and political sensitivity
■non-financial impacts
■links to strategic and operational risks
■materiality (value and transactions)
■previous internal audit assurance categories
■links to risk management – controls assurance from other providers
■management arrangements (partnership/shared service, etc)
■stability of the system
■requests from stakeholders
■susceptibility to fraud and corruption.

Planning phases set out in this chapter: designing the audit plan

Once all assignments have a risk assessment score, they are categorised as to whether the assignment provides assurance for risk management, internal (financial) controls, fraud, governance or other category (an area of review that may cover different operational risks than the bulleted criteria set out above, for example a library) to ensure that all assignments identified in the final plan can be linked back to the PSIAS requirements.

Resources available are identified (as available working days per auditor). Days are allocated against assignments based on past and professional knowledge, the size of the organisation and the potential impact of risks, and an understanding of the skill levels of available resources in the given timeframes. Some types of audit attract standard day allocations but each area needs to be considered in line with its risks and adjusted to reflect them.

Plans and resources are then compared to actual resources available and adjusted following overall review. The impact of any resource issues is raised and clarity provided on what areas are not to be audited, further resources required or to be provided, or where assurance may be provided independently of audit.

Planning phases set out in this chapter: communicating and agreeing the plan/reviewing and revising the plan

The audit plan spreadsheet enables internal audit to see where audits score on the audit risk assessment against the delivery of assurances for key risk areas relating to the PSIAS. This provides the basis for deciding which audits should be done; with 1 = must do, 2 = should, 3 = optional and 4 = do not do.

Audits receiving a score of 4 are reported to the audit committee, who must seek assurances direct from managers that, because internal audit will not be looking at them, evidence can be provided through other methods. Audits attracting a score of 1 are completed in year and some of the 2s as resources allow. This quick rating allows changes to be made throughout the year as resources and risks change.

See Annex 4.1 to this chapter for an example of a risk-based audit plan.

RISK-BASED AUDIT ASSIGNMENTS

The previous section describes in general terms how audit assignments can be identified and scoped by analysing the relationship between the risks identified, their relative assessment and where within the organisation these risks are being managed.

A risk-based audit assignment can be defined as one that:

■identifies and records the objectives, risks and controls relating to a system or activity (including consideration of whether it is required to meet corporate objectives or is being delivered in a way that provides value for money)
■establishes the extent to which the objectives of the system are consistent with higher-level corporate objectives
■evaluates the controls in principle to decide whether they are appropriate and can be reasonably relied upon to address the organisation’s risks and therefore achieve their purpose
■identifies any instances of over- and under-control and provides management with a clear articulation of residual risks where existing controls are inadequate
■determines an appropriate strategy to test the effectiveness of controls, ie through compliance and/or substantive testing
■arrives at conclusions and produces a report, leading to management actions as necessary and providing an opinion on the effectiveness of the control environment.

A risk-based audit assignment will usually be scoped by identifying the risks relating to the service or activity being audited, assessing the controls or mitigation currently in place to safeguard against these risks, and then designing tests and audit processes to evaluate the effectiveness of the controls to minimise risk.

Unmitigated or residual risks will also be identified and their impact and likelihood identified and reported to management.

It is important that auditors do not just rely on risks identified at the audit planning stage; risks and controls can only be properly understood in the context of ongoing operations. Internal audit should therefore have a high-level and up-to-date understanding of the objectives and operational environment of the business area under review, including significant recent or planned organisational changes and the management structure. Internal audit’s understanding of the business area and of its risk profile will develop throughout the assignment and consideration should be given to whether new information should affect decisions and judgments already made.

A useful technique in scoping the assignment is to hold discussions or workshops with management and staff in order to better understand the operation of the activity, and the risks to its achievement. Such workshops can help all participants understand better the objectives of the activity, the potential risks, the controls and processes currently in place, and any key gaps in control or areas that might need improvement. In a sense, the workshop becomes part of the audit testing procedure as well as helping focus the actual audit. It also helps develop the ownership of risk by staff and managers, and is more likely to lead to agreement on the recommendations that internal audit makes because the client more easily understands their purpose and relevance.

Scoping also draws on previous audit findings and review of all relevant documentation. It is important that key audit risks are identified at the scoping stage so that the assignment does not produce an inappropriate opinion based on poor evidence or testing.

Once the audit assignment has been scoped, the auditor will undertake testing to seek evidence about how well controls are operating to safeguard against the risks identified. This is an essential part of the risk-based auditing process; the auditor needs to be confident that controls are designed appropriately to safeguard against risks (they meet their objective).

Audit should consider whether the design of controls will, in theory, produce a portfolio of residual risks which is reasonable given the organisation’s defined risk appetite. Consideration should also be given to whether there are any instances of over-control, where more risk management actions are in place than are required by the organisation’s risk appetite.

Weaknesses in the design of controls should be identified and communicated to management through the reporting process. Audit testing will then determine whether there is sufficient and reliable evidence that controls are operated in practice in the manner and to the extent required to mitigate risks to the level of the organisation’s risk appetite.

Evidence can then be assessed and a judgment made about how well controls safeguard against risks. This part of the approach uses the usual audit techniques for evaluating and testing internal controls.

Deficiencies in the operation of controls should be identified and reported to management through the reporting process. For each failure in the design or operation of a control, internal audit should consider whether there is a resulting risk to management’s objectives.

Documentation should clearly show how controls relate to risks and how both relate to the audit scope and objectives; matrices are often used to document the relationship between risks, controls, work done and audit findings. The two examples at the end of this section show how risk-based audits can be documented.

At the end of the risk-based assignment, internal audit will make recommendations to management to:

■improve controls where there is evidence from testing that they are not performing as they should
■design and implement controls where currently none exist to guard against risks
■recommend other action where residual risks remain high and unacceptable (for example, transferring the risk, etc).

In order to have a positive impact on the organisation’s risk profile, audit reports must be acted on by management. While action to remedy deficiencies or to improve processes is the responsibility of management, internal audit should have in place effective follow-up processes to ensure that progress has been made to implement agreed actions. This is so that assurance can be reassessed on the basis of the improved management of risks leading to a reduction in residual risk.

A common practice in internal audit reporting to audit committees is keeping the committee informed of any instances where there has been a failure to reach agreement on the recommendation to improve a control to safeguard against a high-priority risk. The committee can then require management to comply or explain. Progress in agreeing and implementing high-priority recommendations can also be part of regular monitoring by the audit committee. Such reporting reinforces the audit committee’s role in ensuring that the organisation has a robust assurance process.

Example of a risk and control evaluation matrix for Lancashire County Council’s review of information governance

Risk and Control Evaluation (RACE) Information governance Preliminary assessment of the council's controls against expected controls		Risk 1	Risk 2	Risk 3	Risk 4
		The organisation does not meet the expectations of the government or Information Commissioner and has not made defensible alternative arrangements	The organisation is not compliant with the requirements of relevant legislation	Information is gathered and held inappropriately	Information is held for longer than is necessary or legal
Organisational environment controls
C1	There is a designated senior information risk owner (SIRO) who sits at an appropriately senior level and has been trained to meet the requirements of the role. The Information Commissioner's and Permanent Secretary of DCLG's view is that this should be a member of the board, ie management team.	•	•
C2	The SIRO is supported by specialist officer(s) with adequate and appropriate knowledge of the council’s responsibilities under the relevant legislation, including the Data Protection Act 1998 and the Freedom of Information Act 2000.		•
C3	The SIRO and specialist officer(s) are supported by officers across the council who understand the information needs and risks of the council's business, and who can interpret the council’s information governance framework and policies for their business areas.		•	•	•
C4	A clear information governance framework has been established setting out an information classification scheme, how each class of information must be held, for how long, where, and how it can be retrieved. The framework is likely to consist of standards, policies and procedures relating to each class of information (by sensitivity) and each media (for example, electronic, paper or audio), and will set out how information owners are defined and identified.		•	•	•

Source: Lancashire County Council

The advantage of such a document is that it presents as a snapshot the controls expected for each risk and where there are gaps or shortcomings requiring management action.

The following example illustrates the results of a risk-based audit assignment for a local authority’s children’s activity centre. It describes the risk for each control objective, the evaluation of the actual control (that the control is designed in a satisfactory way to meet the objective), the testing undertaken by internal audit and the evaluation of the testing. This is a straightforward and transparent way of communicating a risk-based audit to the client.

London Borough of Redbridge control evaluation sheet

Control Objective:

To ensure that there is an effective system in place for bookings and admissions

Ref

Expected Control

(Risk)

Actual Control

(Evaluation)

Testing

Test Results

(Evaluation)

WP Ref

(Action Plan Ref)

2.1

There are documented procedures in place for bookings at the centre.

Inconsistent processing leading to increased risk of fraud and error.

There are documented procedures for accepting bookings.

All LBR schools and regular ‘outside’ customers are issued with a pack that includes all of the information and documentation required to make a booking at the centre.

Satisfactory.

Obtain a copy of the booking procedure and confirm that this is up to date and adequate.

There are procedures covering what the customer needs to do for the booking but not what the centre has to do.

Unsatisfactory.

2.2

There is a price list that sets out the prices of the various activities and accommodation costs.

Incorrect rates applied for users.

There is a price list included within the pack that includes the charges that apply, which is based upon the number of students attending.

There are different price schedules that apply to in-scope courses and to
non-in-scope groups.

Satisfactory.

Confirm that there are both in-scope and non-in-scope pricing schedules.

There are both in-scope and
non-in-scope pricing schedules in place for the Main House and Bunkhouse.

Satisfactory.

Source: London Borough of Redbridge

Chapter Summary

In order to deliver an opinion on the adequacy and effectiveness of their organisation’s framework of governance, risk management and control, internal audit needs to take a risk-based approach. It needs to demonstrate that the audit plan relates to the organisation’s risk and from an evaluation of its risk management processes.

The plan needs to be adequately resourced, and based on professional judgment evidenced by a robust methodology. Risk-based auditing focuses on risks to objectives and the adequacy of controls to safeguard against risk. It is an approach that should be owned and appreciated by managers and staff as well as internal auditors.

It is essential that the outcomes of risk-based auditing are acted upon by management: by revising risk registers where required, by considering how residual risk will be managed and by acting upon any gaps or deficiencies in assurance.

CHECKLIST FOR AUDITORS

Is the internal audit opinion adequately supported by a risk-based plan?	□
Does the audit plan link to the organisation's risks and is it based on an evaluation of the organisation’s risk management processes?	□
Does the audit plan cover the scope and nature of work set out in the PSIAS?	□
Are all audit assignments risk based?	□
Are the outcomes of risk-based audits acted upon effectively by management, and risk registers and risk management arrangements changed as a result?	□

ANNEX 4.1: EXAMPLE OF A RISK-BASED AUDIT PLAN – NHS

Core Audit Plan Outputs			Risk Source	Days	Proposed Timing
Financial Systems
Combined Financial Systems – Assurance will be provided in respect of key controls within the main financial systems. The scope of the review will be restricted to the key controls supplemented with analytical review and surveys. The systems incorporated in the review will be:			Audit Risk Assessment		Qtr 3
■Financial Reporting ■Financial Ledger	■Accounts Payable ■Accounts Receivable (income)	■ Treasury Management ■ Budgetary Control
Departmental Locality Reviews: Deep Dives – As part of the rolling programme of reviews across the FT, a cross-system audit will be conducted. The overall objective is to review controls and systems in place to ensure that management arrangements, roles and responsibilities are clearly defined, and are operating effectively. The following areas (as appropriate) will be included: activity recording, ESQS process, general security, financial procedures, staffing, rostering and occupancy, annual leave recording and sickness absence, payroll and vacancy controls, computer security, patients’ property, retention of documents, bank and agency staff requirement, and cash handling and payroll. Reviews to be included in 2014/15: ■Oak Ward (c/fwd from 13/14) ■COPD			Management Request		Qtr 1 & 2
IM&T
Business Continuity Planning/Disaster Recovery Plan (C/fwd 13/14) – To undertake the second phase of the review and provide an opinion on the effectiveness and coverage of the IT service continuity solution designed and implemented by the NMHIS and its alignment to business requirements in terms of supporting service continuity arrangements.			Management Request		Qtr 1
Critical Systems Review: EDMS Scanning Solution – As the trust has recently implemented EDMS, this review would evaluate the adequacy of the control framework around the technical solutions of the access controls, confidentiality and business continuity arrangements.			Audit Risk Assessment		Qtr 2
Threat and Vulnerability Management – To assess how the trust manages its technical architecture in regards to ongoing threats, ie antivirus, malware and patch management.			Audit Risk Assessment		Qtr 3
Performance
Electronic Integrated Performance Report – To review the systems and processes to ensure the accuracy of data contained within the trust performance reports to governing body and standing committees following the introduction of new governance and reporting arrangements.			Management Request		Qtr 4
Quality
Care Quality Commission: Compliance with Regulations – To provide an opinion on the systems and processes in place to ensure regulatory compliance with the CQC outcomes.			Assurance Framework		Qtr 3
Electronic Patient Records – Following the implementation of the EPR, to undertake an assessment of the quality of the records that are kept.			Management Request		Qtr 3
Disconnect Survey – The survey will assess if there is a disconnection between the governing body and ward/department-level staff in relation to their perceptions around the five theme areas highlighted in the Keogh report. The statements will be sent as an electronic survey and the results from the two groups will be analysed and compared. The findings will be compiled in a written report and if requested, presented formally to the organisation.			Management Request		Qtr 2
Workforce
Payroll/Human Resources (ESR) – MIAA will provide an assessment of the effectiveness of the systems of control operating at the trust to ensure that only employees of the organisation are paid, and only for work that they perform on behalf of the organisation. This will include a review of the interface with Capita.			Assurance Framework		Qtr 3
Bank, Agency and Locum Staffing – A review will be undertaken of the overall arrangements, systems and processes for bank and agency staff following the introduction of new arrangements with the transfer of the operation from the capacity team to HR.			Management Request		Qtr 4
Consultant Job Plans – To evaluate the job planning process for consultants (under the 2003 consultant contract) to provide an assurance that these are completed in accordance with national guidelines and reflect local business objectives.			Management Request		Qtr 3
Governance, Risk and Legality
Assurance Framework Opinion – An annual opinion will be provided on the method by which the organisation produces, refreshes, manages and monitors the assurance framework. Ensuring risks identified through the annual plan are reflected accurately within the assurance framework and are a key focus for the governing body.			Mandated Requirement		Qtr 4
Corporate Governance Manual Review – To support the trust with the annual review of the corporate governance manual.			Management Request		Qtr 3
Emergency Preparedness – To assess the adequacy of the arrangements in place within the trust to ensure legislative responsibilities are fulfilled in relation to emergency preparedness.			Management Request		Qtr 2
Estates Statutory Duties: Fire Safety – To provide assurance that there are adequate systems and controls in place to ensure fire safety is appropriately managed.			Management Request		Qtr 2
Business Cases: Phase 2 – The trust has updated the process for completion, review and approval of business cases. In 2013/14 a review was undertaken to provide an opinion on the adequacy of the design of the revised business case process. Phase 2 of the review will assess the effectiveness of the implementation of these revised processes.			Audit Risk Assessment		Qtr 4
Serious Untoward Incidents – To undertake a review of the systems and processes in place relating to serious incidents, ensuring that controls are in place and are operating effectively.			Management Request		Qtr 1
Follow-up and Contingency
Follow-up will be conducted throughout the year to provide the audit committee with assurance regarding management’s implementation of agreed actions.			Mandated Requirement		Qtr 1 & 3
Contingency – This element of the plan allows the flexibility to respond to management requests in order to meet specific client needs during the course of the financial year.			Mandated Requirement
Audit Committee, Planning and Management
Audit Committee Self-assessment – MIAA will facilitate a session based on the self-assessment checklist contained within the audit committee handbook and provide a report summarising the outcomes agreed.			Management Request		Qtr 4
In providing an internal audit service, an allocation of time is required for the management of the contract:
■Planning liaison and management – Incorporating preparation and attendance at audit committee, completion of risk assessment and planning; liaison with the client and organisation of the audit reviews.			Mandated Requirement
■ Reporting and meetings – Key reports will be provided to support this, such as the director of audit opinion and annual report, annual plan and interim update reports.			Mandated Requirement
Total Days

Source: Mersey Internal Audit Agency

ANNEX 4.2: RESOURCING AN AUDIT PLAN – EXAMPLE MODEL

For this suggested model there are some basic assumptions:

■The audit unit is usually expressed as a day or part of a day of an auditor’s time. Days can be broken down into small units; some as parts of an hour but for the sake of argument we will assume one unit is one person day (that is, available time taking account of public holidays, administrative time, leave, etc).
■Audit assignments are made up of audit units. The complexity of the assignment, the scale of the system (whether operated across the organisation, for example) and its priority usually determine the number of audit units needed for each assignment.
■Assignments can be classified as follows:
– Light touch: seeking evidence that a control continues to operate, or that a recommendation has been implemented. Level of evidence: usually observation/written confirmation/low-level sampling. Units required: 2.
– Medium touch: seeking evidence that controls or systems work as they should; some knowledge of a good standard of compliance in the past is needed. Level of evidence: usually sample testing. Updating of systems documentation required. Units required: 10.
– Full assignment: system not previously audited; seeking assurance about the controls in the system as a whole. Systems need to be documented and tests need to be designed for controls. Level of evidence: sample testing, analytical review, etc. Units required: 20.
■There are finite resources for the audit function (except for the possibility of buying in extra resources in exceptional, one-off circumstances).
■Resources are therefore calculated by combining the units required from each type of assignment required.
■Risks are identified from the risk register, which is maintained by management. Registers include details of the controls put in place to mitigate the risk, the extent to which risks remain after mitigation (residual risk), and indicators identifying potential risks that may appear on the risk register in the future.
■Some areas of the organisation or some systems will relate to more than one risk; it will never be possible to map every risk on a register to every system to be audited. The auditor therefore needs to apply professional judgment to relate a system to the risks; for example by identifying control objectives listing a range of potential risks.

The following table shows how resources can be identified for any area.

Audit resource plan

Risk area or description of risks in areas	Is risk controlled or controllable? Scale 1 to 5 where 1 = easily controllable	Has it been audited and what is audit’s confidence level? Scale 1 to 5 where 1 = full confidence	Degree of residual risk Scale 1 to 5 where 1 = low residual risk	Risk score: Low =1 Medium= 2 High=5	Total score: type of assignment required Light touch = less than 5 Medium touch = 5 to 10 Full = 10 plus	Audit units required
Payroll	2	1	3	2	8; M	10
Library fees and charges	1	1	1	2	5; L	2
Public health contracts	3	4	3	5	15; F	20
Total audit units						32

The model provides a clear link between planned audit resources for a particular auditable area and the risks related to that area.

Source: Patrick Clackett, independent consultant

Previous | Next