Audit Committee Meeting: 22nd March 2011 ECAC … Work in Progress or Planned 9 4 Liaison with...

THE ELECTORAL COMMISSION Internal Audit Progress Report. Audit Committee Meeting: 22nd March 2011. ECAC 12/11. Content correct as at 14th March 2011.


CONTENTS

SECTION

1 Introduction

2 Final Reports Issued and Key Findings

3 Work in Progress or Planned

4 Liaison with Management and External Audit

5 Changes to the Internal Audit Plan

6 Conflicts of Interest

7 Recommendations not agreed by management

Appendix A Periodic Plan Performance 2010/11

Appendix B Definitions

Appendix C Briefings

The matters raised in this report are only those which came to our attention during our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. Whilst every care has been taken to ensure that the information provided in this report is as accurate as possible, based on the information provided and documentation reviewed, no complete guarantee or warranty can be given with regard to the advice and information contained herein. Our work does not provide absolute assurance that material errors, loss or fraud do not exist. This report is prepared solely for the use of Board and senior management of the Electoral Commission. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended for any other purpose.

© 2010 RSM Tenon Limited RSM Tenon Limited is a member of RSM Tenon Group RSM Tenon Limited is an independent member firm of RSM International an affiliation of independent accounting and consulting firms. RSM International is the name given to a network of independent accounting and consulting firms each of which practices in its own right. RSM International does not exist in any jurisdiction as a separate legal entity. RSM Tenon Limited (No 4066924) is registered in England and Wales. Registered Office 66 Chiltern Street, London W1U 4GB. England


1. INTRODUCTION

1.1 The Internal Audit Periodic Plan for the period 2010/11 was presented to and approved by the Audit Committee on 10th March 2010. This report summarises the outcome of work completed in respect of 2010/11 and incorporates cumulative data in support of internal audit performance.

2. FINAL REPORTS ISSUED AND KEY FINDINGS

2.1 The following reports have been finalised since the previous Audit Committee:

Fraud Thematic (Advisory)

In an economic downturn, research suggests that fraud is likely to increase and organisations need to ensure they are robust against such a risk. With available budgets under pressure, attention needs to be focused on protecting finances and assets, as every pound lost to fraud is, at the very least, a pound not spent on achieving the organisation’s aims and objectives. Any investigation, whether it is disciplinary, civil, criminal or regulatory, has to be tackled in a way that is the most efficient and cost-effective for the organisation. However, experience has shown that, rather than focusing on tackling the problem after it has occurred, effort should be focused on the deterrence and prevention of fraud.

Clearly, any strategy to assist in reducing losses to fraud is based on an understanding of what the true nature and scale of the risks are for the organisation. Underpinning the strategy are key messages which need to be cascaded to the team and the creation and roll out of an anti-fraud culture.

The first CIPFA Red Book, Managing the Risk of Fraud – Actions to Counter Fraud and Corruption, described what action is needed for an organisation to be effective in countering fraud and corruption. The updated version, Red Book 2 (published October 2008) expands on that original guidance. This review compared the arrangements within the organisation against the good practice set out in the CIPFA guidance.

The Commission is an organisation with public perception at the forefront of its concerns; to this end it strives to be transparent and accountable for its every function. The Commission’s Anti Fraud Policy is a very good example of how its responsibility for countering fraud is a top level commitment. There is an atmosphere of pride and responsibility in the work of the Commission.

While recommendations were made to improve on existing counter fraud arrangements, the Commission has received ‘green lights’ for each of the areas considered under the CIPFA guidance. It must be noted that in the area of ‘deterrence’, when applied prescriptively, the Commission would receive a ‘red light’ for not publicising fraud issues or previous cases of fraud. However, it is recognised that, as there has been only one case of fraud in the last five years (and that was in the organisation’s outsourced payroll provider, not the Commission itself), the value of deterrence could well be outweighed by the disproportionate effect of negative publicity which could arise from publicising this one case.

To its credit the Commission does publicise new and reviewed policies to staff and recognises the responsibilities of all staff to prevent fraud. The Commission also has a robust security standard for the employment of individuals and code of conduct which is comprehensive and binding at all levels within the organisation.


The key recommendations from this review were:

The Commission, to ensure good governance and protect its reputation, should implement an Anti Bribery Policy prior to the Bribery Act 2010 becoming fully enforced in April 2011;

In order to identify and deter malicious allegations all referrals should be subject to a formal risk assessment at the point at which the allegation is made. This would prevent investigations being conducted disproportionately and without tangible evidence to support allegations made;

Anti Fraud Policy, Fraud Response Plan, Whistleblowing Policy and Disciplinary Policy should be revised to include the date that it was ratified, the date it is due for review, the author of the document and a distribution list to ensure that these policies are distributed to the correct people;

All fraud risks from each of the risk registers should be collated to give an overall review of fraud risks identified by staff throughout the year;

Prior to the implementation of new policies, procedures and systems, or the reviewing of existing policies, procedures and systems, the Commission should ensure the risk of fraud and corruption is considered and where applicable systems or documents should be revised;

Applicant’s declaration on the Baseline Security Standard Checklist should be amended to state that “I understand that my application for employment may be rejected, that I may be dismissed or face criminal prosecution for withholding relevant details or giving false information.”

That any individual who conducts disciplinary, civil or criminal investigations is appropriately trained or that as an alternative an external professionally trained investigator is used; and

Fraud and corruption awareness training should be provided at all staff induction events along with the provision of information packs for all new and existing staff and members. The Commission should consider fraud and corruption awareness training for managers and directors in order to assist in instilling an anti fraud and anti corruption culture throughout the organisation.

Governance (Amber - Red)

Policies and procedures provide the strategic and operational link between the corporate vision, aims and objectives and daily operations. Well documented policies and procedures support staff in understanding their respective roles and responsibilities.

Documented policies and procedures should afford clarity to staff in respect of accountability or activities that are of significance to the organisation. Factors that have an impact on the Commission’s policy and framework include legislative changes and requirements, Government updates, governance best practices and external updates and expertise.

Establishing and maintaining clear written policies and procedures are therefore key to effective organisational governance. The Commission have recognised this and have invested resources in improving policy management. The Secretary to the Commission Board has been tasked with undertaking a detailed review of existing policies and procedures to generate a definitive database in which all documents are appropriately approved, up-to-date and devoid of duplicates.

This review covered the following areas:

Process for identifying need for policies and procedures given the Commission’s risk profile;

The compatibility of policies with operational requirements and delivery of operational objectives;


The means by which the Commission disseminates policies following their first approval and subsequent reviews and to the correct audience;

Delegated ownership and central logging of all policies and procedures;

Application of version control - electronic and manual; and

Acceptance and staff awareness of corporate policy and procedure.

We also coordinated an independent survey to assess the level of staff acceptance and/or awareness of key policies and identify areas where management focus should be directed to mitigate potential risk. Whilst the Board can take some assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective, further action is required to ensure this risk is appropriately managed. The key findings from this review were as follows:

Design of control framework

There is no framework document that provides a systematic and structured approach to the risk assessment, development, approval and review of strategies, policies and procedures. Consequently there may be an ad-hoc approach taken to policy and procedure development that may undermine their consistency, effectiveness and understanding;

A consistent approach should be adopted for disseminating policies and procedures via the best possible method and for notifying staff of new or amended policy / procedure documents to maximise exposure and understanding. The intranet does not include a section dedicated to policies and procedures. There is a risk that staff are unable to locate key and up-to-date guidance in a timely manner, leading to non-compliance with corporate policies and procedures; and

A universally applied version control template for policies and procedures has not been established to minimise the risk of out-of-date documents being used by staff.

Application of control framework

A definitive list of policies and procedures should be established. This was illustrated by the lack of consistency between the Schedule of Policies and the documents posted to the intranet.

Business Continuity – Follow Up (Adequate Progress)

The previous Business Continuity Planning & Disaster Recovery (09.09/10) review provided a Limited Assurance opinion; as such, a Follow Up review was undertaken to assess the level of progress made in implementing agreed recommendations.

The seven recommendations considered as part of this review comprised five rated ‘Significant’ (Medium) and two categorised at the ‘Merits Attention’ level.


Since the original audit on this area, there have been significant changes to the organisation, namely, the Local Government Boundary Commission for England became a separate entity to the Electoral Commission and the headquarters has relocated from Trevelyan House, Westminster to Bunhill Row, Moorgate. These have affected the Commission’s ability to meet the agreed deadlines for the original recommendations.

The Commission also employed the services of a specialist consultancy to review the Commission’s Business Continuity processes and this resulted in the forming of the CMT Admin Group and the Business Continuity Management System policy and scope documentation to govern these activities.

The Commission has demonstrated adequate progress in implementing actions agreed to address internal audit recommendations. This is a positive opinion and review of current practices in this area suggests that the risk of the Commission not being able to respond and continue business operations in the event of a disruptive incident has been reduced since the initial audit which started in October 2009.

57% of recommendations had either been fully implemented or superseded. There are no ‘High’ (Fundamental) or ‘Medium’ (Significant) recommendations that we consider to be receiving inadequate management attention. We acknowledge that since the original audit on this area, there have been significant changes to the organisation, namely, the separation of the Local Government Boundary Commission for England and the relocation of the headquarters. These have affected the Commission’s ability to meet the agreed deadlines for the original recommendations.

The one remaining recommendation categorised as ‘Medium’ is in respect of delivering business continuity and Business impact assessment training to all relevant staff.

Core Financial Controls (Amber – Green)

The scope of the cyclical review of the Commission’s finance systems included:

Month End Closedown - Adherence to and timeliness of the month end close down reporting timetable following period end, completion of control account reconciliations (Bank, Fixed Assets, Creditors, Payroll etc.), clearance of suspense accounts, Trial Balance reviews and production of the Management Accounts.

Government Procurement Card - Review of the Government Procurement Card control framework and application testing of the control environment.

Proposed Process Changes and Alterations to the Current Finance Manual - Testing of the validity of the proposed changes to the Finance Manual, as identified by the external consultant, as a means of streamlining finance processes without having a detrimental effect on the robustness of the control environment and exposing the Commission to unnecessary risk.

Recommendation Follow Up - To meet the CIIA Standards and provide management with ongoing assurance regarding implementation of recommendations, a follow up review to confirm implementation of agreed actions from the 2009/10 Core Financial Controls. Eleven recommendations considered as part of this review comprised three ‘Medium’ and eight ‘Low’ categorised recommendations.

The Board can take reasonable assurance that the controls upon which the organisation relies to manage its financial controls are suitably designed, consistently applied and effective. However we have identified issues that, if not addressed, increase the likelihood of risk materialising in this area.


Overall, the above level of assurance demonstrates the Commission’s progress over the last three years; previous reports have identified a number of medium / high recommendations; however, during this review it was evident that Finance have made progressive and positive steps in tightening and improving the financial control framework.

Notwithstanding this, a number of issues were identified both in respect of the adequacy of the control environment and its application.

The one key finding from this review, categorised as ‘Medium’ in respect of the Application of the Control Framework, was in reference to:

Evidence of budget manager prior-authorisation for the GPC purchases reviewed was not retained with the relevant transaction log and in one instance the expenditure of one budget manager had been self authorised, increasing the risk of inappropriate expenditure being committed.

With regards to the follow up work, management have made good progress in implementing the previously agreed recommendations in that all 11 recommendations have been fully implemented.

A further six recommendations categorised as ‘Low’ and one ‘Suggestion’ were raised, all of which were accepted and appropriate action plans for implementation set.

PEF Casework (Amber - Green)

The Party and Election Finance (PEF) Directorate is responsible for regulating the financing of political parties, organisations and individuals engaged in campaigning. The Directorate helps to ensure parties comply with established rules by providing ongoing advice and guidance, and enforces the laws when these rules are not followed. The key operations and activities conducted within the Directorate are as follows:

Legislation - Providing information on laws governing the registration and financing of political organisations and individuals;

Guidance - Providing guidance on how to comply with the law to those they regulate, including advice on how to register a political organisation and to report statutory returns;

Public registers – Maintenance and safeguarding of several public registers of political parties and details of their donations, borrowings, campaign expenditures and annual accounts;

Analysis - Analyse the financial data provided by political parties and make the information more intelligible through summaries, charts and tables; and

Enforcement - Verifying that those regulated comply with the rules established and providing assurances that fair, thorough and proportionate investigations are conducted so that voters can be confident that those who fail to comply are held to account.

Enforcement is one of the primary objectives of PEF. As the regulator of party finances they are responsible for monitoring and taking steps to secure compliance with the controls and requirements set out in the Political Parties, Elections and Referendums Act 2000 (PPERA).

This review was undertaken to ensure enforcement activity complies with procedures documented in the Quality Management System (QMS), identify areas for potential improvement and training needs and overall, provide assurance as to the quality of PEF work and the continuous improvement of workflow processes.


The Board can take reasonable assurance that the controls upon which the organisation relies to manage ‘Cases Under Investigations’ and ‘Cases Under Review’ are suitably designed, consistently applied and effective. However we have identified issues that, if not addressed, increase the likelihood of risk materialising in this area.

The level of assurance provided is informed by the transparent and robust control framework in place to manage operations, not only for Enforcement but also the other activities performed by the Directorate. The framework governing PEF’s operations and processes is documented within the Quality Management System, which provides a structured framework for managing processes and workflows, to support the Directorate in achieving its objectives. Notwithstanding this, although audit testing primarily focused on the application of the existing framework, we identified a number of areas where the control framework should be updated to either strengthen the existing control environment or reflect current working practices.

There is a strong and clearly defined control framework in place for the enforcement work undertaken by the Commission. Although a number of weaknesses were identified with regards to its application, in most instances they arose because of a gap in updating QMS processes to reflect current practice or were relatively minor failures to adhere to processes. Given the potential damaging impact to the reputation of the Commission should enforcement procedures be breached and case decisions challenged, it is imperative that the workflows as outlined on the QMS are properly applied.

Effectiveness of the Control Framework

Review of 10 ‘Cases Under Review’, one of which later became a ‘Case Under Investigation’, and internal performance reports identified:

All cases had an Initial Assessment completed within five working days of receipt of the matter into PEF;

The PEF performance reports confirmed 113 Initial Assessments had been carried out in 2010/11, of which 110 (98%) were complete within the five working day KPI.

The PEF performance reports noted 40 reviews were closed during 2010/11 of which 37 (92.5%) were completed within the 90 day KPI. 90% of the cases reviewed were completed within 90 days of the Initial Assessment. One ‘Case Under Review’ was concluded 154 days (i.e. 64 days past the 90 day target) after the Initial Assessment without appropriate escalation.

The PEF performance reports noted two Investigations (one of which was in our fieldwork sample) were closed during 2010/11; none were within the six month KPI. The one ‘Case Under Investigation’ was concluded 300 days (120 days beyond the six month target) after the Initial Assessment.

It is evident that the current control framework for undertaking Initial Assessments and completing ‘Cases Under Review’ is largely effective; however, management should consider reviewing the current KPI for closing ‘Cases Under Investigations’ to ensure it is both realistic and achievable given past performance.

Application of and compliance with control framework

The four key findings from this review categorised as ‘Medium’ are as follows:

Conflicts of Interest declarations are not routinely completed for all stages of the case review / investigation undermining the transparency of the review process and increasing the risk of reputational damage should the outcome of a case file be challenged;


To ensure compliance with the QMS procedures, Case Review and Investigation Plans should be signed and dated by both the caseworker and Enforcement Team Manager. The absence of appropriate signatures and dates on Case Review / Investigation Plans may undermine the quality control process and timely delivery of reviews against KPI increasing the risk of reputational damage should the outcome of a case file be challenged;

QMS procedures require, as applicable, monthly stage two and three assessments supported with a final assessment are fully completed and retained on case files until the closure of each case. The absence of a clear audit trail for stage two and three assessments may result in cases being either less effectively managed, or challenges to decisions and potential reputational damage; and

QMS procedures provide for a final summary disclosure report to be provided (even if conditional disclosure has been provided) to relevant parties to the case following formal sign off. QMS procedures should be followed or updated to reflect current agreed practice. Failure to do so may increase the risk of reputational damage should the outcome of a case file be challenged.

A further six recommendations, categorised as ‘Low’, and four ‘Suggestions’ were raised, all of which were accepted and appropriate action plans for implementation set.

Recommendation Follow Up – Part 2 (Good Progress)

This is the second of a two part follow up review to assess the level of progress made in implementing previously agreed internal audit recommendations.

The 20 recommendations considered by this review comprised four ‘Medium’ and 16 ‘Low’ category recommendations. Two recommendations, both categorised as ‘Low’, were not due for implementation and were not followed up at this time.

The Commission has demonstrated good progress in implementing the actions (within the scope of this review) agreed to address internal audit recommendations. At the time of review, 72% of the due recommendations reviewed had either been fully implemented (50%) or were superseded (22%).

Of the four ‘Medium’ categorised recommendations due to be followed up, two had been fully implemented and testing confirmed the controls to be operating effectively. The remaining two recommendations had been superseded with adequate alternative arrangements introduced to mitigate the risk exposure.

The implementation of the remaining seven recommendations has been delayed due to a number of reasons, all of which have had a bearing on the timing of when the recommendations will be addressed. For example:

restructure or changes in key personnel

dependent on completion of interdependent projects or recommendations

re-prioritisation due to lack of resources.


Efficiency Planning – Follow Up (Advisory)

Following a review of the Commission’s efficiency planning plan in September 2009, a follow-up exercise was conducted, based on the recommendations identified in the initial review, to measure progress made in the intervening period.

Since the last review the Commission has seen some significant changes impact the organisation both operationally and financially. Most notably the government's spending review has challenged the Commission to reduce its cost base and the Commission has also transferred its London office from Great Peter St to Bunhill Row.

The previous review identified that the Commission had established a five year corporate efficiency plan which identified efficiency saving activity across the Directorates. However, more recently the focus has moved towards streamlining services and removing unnecessary cost from the organisation.

Achieving the requirements of the government spending review has meant the Commission has had to review its budgets for the next four year period and identify areas of significant savings. The Commission is also undertaking an organisational review in 2011/12.

To this end the Commission has integrated both savings drawn from pre-defined efficiency plans and operational under / overspend which have occurred due to a number of factors that could not have been either recognised or quantified at the budget setting stage. These savings are monitored on a monthly basis with a midpoint review in the budget year which allows budget adjustments to be made should the Commission believe operational change has taken or is likely to take place.

In terms of progress since the last efficiency review there has been a positive shift toward understanding and capturing the potential savings from efficiencies, however, it is still unclear how the Commission can clearly determine the effectiveness of the efficiencies when they are combined with operational fluctuations.

The concern lies with the level of detail required when reporting the Commission’s outturn to the financing bodies such as the Speaker’s Committee. If the Commission is to be held accountable for not only the funding requirements to operate but the requirements placed upon it to reduce base costs, then activity needs to be defined and therefore savings outlined in greater detail. An example of this would be where an under spend has resulted in a significant cost saving. This is currently presented as a total figure; consequently it is difficult to determine from tables where the savings had been generated and, more importantly, if the savings are sustainable, or even a true saving. The Commission should develop the ability to differentiate the source of such savings to allow the appropriate funding level from central government to be maintained.

By clearly representing where savings have been generated the Commission would be in a stronger position when applying for additional funding as the organisation will be able to demonstrate a firm grasp on its ability to manage the resources both effectively and efficiently. This has already been demonstrated by the use of efficiency savings to fund additional services that have not been financed from external sources.

2.2 The above final reports have already been circulated to members of the Audit Committee outside of the meeting.


3. WORK IN PROGRESS OR PLANNED

3.1 Having been presented at the last Audit Committee, at the request of members, the Performance Standards Data Validation report has been revised and reissued to management for comment. Completion of this report will conclude the 2010/11 internal audit programme.

3.2 The Head of Internal Audit (HIA) Annual Opinion Report is currently being prepared and will be issued for management comment upon completion of the above reviews.

As the provider of the internal audit service to the Commission we provide the Board with an opinion on the adequacy and effectiveness of the organisation’s governance, risk management and control arrangements. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide to the Board is a reasonable assurance that there are no major weaknesses in risk management, governance and control processes. The matters raised in the Annual Opinion Report will be only those which came to our attention during our internal audit work and not a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. The overall opinion may be used by the Board in the preparation of the annual Statement on Internal Control as part of the Annual Accounts.

4. LIAISON WITH MANAGEMENT AND EXTERNAL AUDIT

4.1 To effectively target audit work and maximise the effectiveness of the overall approach, it is important that we liaise with management on a regular basis. We confirm that we have liaised closely with management in scoping all of the 2010/11 internal audit assignments and ensuring timely completion of each assignment and the annual plan.

4.2 We would like to record our thanks to Commission staff, especially the PA to Director of Finance & Corporate Services, for assisting in the timely delivery of the 2010/11 internal audit plan.

4.3 A protocol document was agreed with the Commission at the start of our appointment setting out the arrangements for the working relationship between us and will continue to underpin the delivery of internal audit to the Commission.

4.4 We continue to liaise and share our audit scopes and findings with external audit in respect of any audit review, especially the finance related audit assignments.


5. CHANGES TO THE INTERNAL AUDIT PLAN

5.1 At the request of management, and upon the approval of the Chair of the Audit Committee, the Corporate Social Responsibility (CSR) and Carbon Reduction Commitment review was cancelled from this year’s internal audit plan.

5.2 At the request of the Audit Committee in June 2010, the scope of the Follow Up – Part 1 review included a follow up on the Asset Accounting and Bank Reconciliations recommendations raised as part of the 2009/10 Core Financial Controls internal audit review.

5.3 At the request of management the IT Systems - Access controls for key IT business information systems review was deferred to the 2011/12 internal audit programme.

6. CONFLICTS OF INTEREST

6.1 The failure to declare an interest and act appropriately can affect the reputation of both the Commission and RSM Tenon, as well as the validity of actions or decisions. All new and existing RSM Tenon personnel prior to engaging with the Electoral Commission will on a routine basis review their interests against those of the Commission, taking into account the nature of the Commission’s business, including in particular as a regulator of party and election finance. This is to ensure there are no relationships that may affect, or could reasonably be perceived to affect or lead to suspicion by a fair minded and informed observer about, the independence and objectivity of the team, and which are required to be disclosed under auditing standards. Further and in accordance with the requirements of the Commission any potential conflict of interest (direct or indirect connections) will be declared to the Commission. Interests to be declared are not only financial ones but those which involve some material benefit to a party. Personal friendships, other than mere acquaintances, may constitute a connection. If in doubt, the connection will be declared and acted upon according to legal advice and the wishes of the Commission. The interest declared will be recorded.

7 RECOMMENDATIONS NOT AGREED BY MANAGEMENT

7.1 At the request of the Committee, this section of the report will detail, where applicable, those recommendations from the reports finalised since the last Audit Committee that management have rejected. There were no recommendations rejected by management from the reviews undertaken since the last Audit Committee meeting.


APPENDIX A: OPERATIONAL PLAN PERFORMANCE 2010/11

Detailed below will be a summary of the work undertaken in 2010/11 to date, showing, upon completion, the levels of assurance given and the number of recommendations arising. Definitions with regard to the levels of assurance and the classification of recommendations are provided overleaf.

Auditable Area | Start Date | Debrief date | Draft report due | Draft report issued | Responses due* | Responses received | Final report issued | Audit Committee | Audit approach | Assurance level given | Number of Recommendations Made: H | M | L | In Total | Agreed
Data Protection | 19 Jul 10 | 20 Jul 10 | 11 Aug 10* | 4 Aug 10 | 25 Aug 10* | 11 Aug 10 | 18 Aug 10 | November 2010 | Key Control - Assurance | GREEN | 0 | 2 | 0 | 2 | 2
Campaigns – Follow Up | 26 July 10 | 27 Jul 10 | 17 Aug 10* | 5 Aug 10 | 26 Aug 10* | 11 Aug 10 | 11 Aug 10 | November 2010 | Follow Up | GOOD PROGRESS | 0 | 0 | 2 | 2 | 2**
Research: Procurement | 26 Jul 10 | 28 Jul 10 | 18 Aug 10* | 13 Aug 10 | 3 Sep 10* | 14 Sep 10 | 14 Sep 10 | November 2010 | Key Control - Assurance | GREEN | 0 | 0 | 1 | 1 | 1
Recommendation Follow Up – Part 1 | 2 Aug 10 | 3 Aug 10 | 24 Aug 10* | 23 Aug 10 | 13 Sep 10* | 15 Sep 10 | 15 Sep 10 | November 2010 | Follow Up | ADEQUATE PROGRESS | 0 | 2 | 17 | 19 | 19**

Employment Taxes | 6 Sep 10 | 8 Sep 10 | 29 Sep 10* | 29 Sep 10 | 20 Oct 10* | 8 Oct 10 | 21 Oct 10 | 13 Oct 10 | 21 Oct 10 | November 2010 | Healthcheck | ADVISORY | 0 | 0 | 2 | 2 | 1
Performance Standards Data Validation | 6 Sep 10 | 21 Oct 10 | 11 Nov 10* | 3 Nov 10 | 3 Mar 11*** | 24 Nov 10 | 24 Mar 10* | 30 Nov 10 | 21 Dec 10 | 21 Dec 10 | January 2011 | Key Control - Assurance

Health and Safety | 4 Oct 10 | 7 Oct 10 | 28 Oct 10* | 20 Oct 10 | 10 Nov 10* | 21 Oct 10 | 21 Oct 10 | November 2010 | Key Control - Assurance | GREEN | 0 | 0 | 2 | 2 | 2
Information Strategies | 5 Oct 10 | 8 Oct 10 | 29 Oct 10* | 1 Nov 10 | 22 Nov 10* | 10 Nov 10 | 10 Nov 10 | January 2011 | Key Control - Assurance | GREEN | 0 | 1 | 0 | 1 | 1
Assurance Stocktake (Risk Management) | 11 Oct 10 | 14 Oct 10 | 4 Nov 10* | 8 Nov 10 | 28 Nov 10* | 26 Nov 10 | 26 Nov 10 | January 2011 | Thematic - Advisory | ADVISORY | 1 | 2 | 1 | 4 | 4
Performance Management and KPI Data Validation | 8 Nov 10 | 13 Nov 10 | 06 Dec 10* | 6 Dec 10 | 24 Dec 10* | 10 Dec 10 | 10 Dec 10 | January 2011 | Key Control - Assurance | GREEN | 0 | 2 | 1 | 3 | 3
Fraud Thematic | 15 Nov 10 | 18 Nov 10 | 9 Dec 10* | 9 Dec 10 | 7 Jan 11* | 24 Jan 11 | 26 Jan 11 | March 2011 | Thematic - Advisory | ADVISORY | 1 | 7 | 7 | 15 | 15


Governance | 6 Dec 10 | 9 Dec 10 | 30 Dec 10* | 22 Dec 10 | 25 Jan 11* | 8 Feb 11 | 9 Feb 11 | March 2011 | Key Control - Assurance | AMBER - RED | 0 | 4 | 4 | 8 | 8
Core Financial Controls | 17 Jan 11 | 4 Feb 11 | 25 Feb 11* | 24 Feb 11 | 17 Mar 11* | 4 Mar 11 | 7 Mar 11 | March 2011 | Key Control – Assurance | AMBER - GREEN | 0 | 1 | 6 | 7 | 7
PEF Casework | 31 Jan 11 | 4 Feb 11 | 25 Feb 11* | 24 Feb 11 | 17 Mar 11* | 4 Mar 11 | 7 Mar 11 | March 2011 | Compliance | AMBER - GREEN | 0 | 4 | 6 | 10 | 10
BCP – Follow Up | 1 Feb 11 | 2 Feb 11 | 23 Feb 11* | 9 Feb 11 | 2 Mar 11* | 24 Feb 11 | 24 Feb 11 | March 2011 | Follow Up | ADEQUATE PROGRESS | 0 | 1 | 2 | 3 | 3**
Recommendation Follow Up – Part 2 | 7 Feb 11 | 15 Feb 11 | 01 Mar 11* | 24 Feb 11 | 17 Mar 11* | 4 Mar 11 | 7 Mar 11 | March 2011 | Follow Up | GOOD PROGRESS | 0 | 0 | 7 | 7 | 7**
Efficiency Plan – Follow Up | 8 Feb 11 | 24 Feb 11 | 17 Mar 11* | 9 Mar 11 | 26 Mar 11* | 9 Mar 11 | 14 Mar 11 | March 2011 | Advisory | ADVISORY | 0 | 0 | 4 | 4 | 4**
IT Systems - Access controls for key IT business information systems | Deferred to 2011/12 internal audit programme.
CSR and Carbon Reduction Management | Cancelled. Area not deemed to be of significant risk to the Commission to warrant internal audit coverage.
Totals | | | | | | | | | | | 2 | 26 | 62 | 90 | 89

*Estimated date based on audit timings and protocol.

** Number of recommendations deemed outstanding upon testing.

***Having been presented at January 2011 Audit Committee, at the request of members, the Performance Standards Data Validation report was revised and reissued to management for comment.


APPENDIX B: DEFINITIONS

New assurance opinions have been introduced to clarify the meaning of our opinions. The meaning of the term “adequate” has changed over time when applied in an audit or scrutiny context and we recognise that in many sectors “adequate” is now considered to reflect “meeting only minimum standards”.

Our opinion will be graphically represented as a speedometer (see below).

Taking account of the issues identified, the Board cannot take assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.

Action needs to be taken to ensure this risk is managed.

Taking account of the issues identified, whilst the Board can take some assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective, action needs to be taken to ensure this risk is managed.

Taking account of the issues identified, the Board can take reasonable assurance that the controls upon which the organisation relies to manage this area are suitably designed, consistently applied and effective. However we have identified issues that, if not addressed, increase the likelihood of risk materialising in this area.

Taking account of the issues identified, the Board can take substantial assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.

The Amber assurance level is split into two so that we are able to give you a clear indication of whether we consider the assurance to be “above or below the line”. We hope this will help draw attention to those reports where we are highlighting that although not a negative opinion, the organisation does need to take action to ensure the risk is managed. Similarly the above the line amber opinion reflects that although a positive opinion, there is still room for improvement.


Our assurance will continue to reflect an opinion on the controls in place to manage a risk and advises how much assurance the Board can take on how that risk is managed. During the year our progress reports to Audit Committee will reflect the opinions given and build up a picture of our findings so that there will be no surprises in our year end annual opinion.

In giving our opinions, it should be noted that assurance can never be absolute and, therefore the most that the internal audit service can provide is a reasonable assurance that there are no major weaknesses in risk management, governance and internal control.

For recommendations, we are moving from fundamental, significant and merits attention to high, medium and low priority recommendations. We have also introduced a “suggestion” category to highlight ideas we have seen elsewhere that you may wish to consider. Unlike the prioritised recommendations, the suggestion category will have no bearing on the overall assurance opinion.


DEFINITIONS FOR PROGRESS MADE IN FOLLOW UP REVIEWS

The following opinions are given on the progress made in implementing recommendations.

This opinion relates solely to the implementation of those recommendations followed up and does not reflect an opinion on the entire control environment.

Progress in implementing recommendations | Overall number of recommendations fully implemented | Consideration of high recommendations | Consideration of medium recommendations | Consideration of low recommendations
Good | 75% + | None outstanding | None outstanding | All low recommendations outstanding are in the process of being implemented
Adequate | 51 – 75% | None outstanding | 75% of medium recommendations made are in the process of being implemented | 75% of low recommendations made are in the process of being implemented
Little | 30 – 50% | All high recommendations outstanding are in the process of being implemented | 50% of medium recommendations made are in the process of being implemented | 50% of low recommendations made are in the process of being implemented
Poor | < 30% | Unsatisfactory progress has been made to implement high recommendations | Unsatisfactory progress has been made to implement medium recommendations | Unsatisfactory progress has been made to implement low recommendations.


RSM Tenon Limited is a member of RSM Tenon Group. RSM Tenon Limited is an independent member firm of RSM International, an affiliation of independent accounting and consulting firms. RSM International is the name given to a network of independent accounting and consulting firms each of which practices in its own right. RSM International does not exist in any jurisdiction as a separate legal entity. RSM Tenon Limited (No 4066924) is registered in England and Wales. Registered Office 66 Chiltern Street, London W1U 4GB. England.

APPENDIX C: BRIEFINGS

INTRODUCTION

In the current financial climate it is particularly important that central government bodies show that the resources for which they are responsible are used, managed and controlled effectively. Quality internal control systems are a key mechanism by which organisations can achieve their aims, and the Statement on Internal Control (SIC) is used to provide details of the effectiveness of internal control within the organisation as a whole.

The National Audit Office (NAO) has recently published The Statement on Internal Control: A Guide for Audit Committees. This provides information on the NAO's approach to reviewing the SIC and provides guidance to Audit Committee members on providing effective challenge to the disclosures made.

PURPOSE OF THE SIC AND THE APPROACH OF THE NAO

The SIC is the method used by Accounting Officers to declare both their approach and responsibility for risk management, internal control and corporate governance. The SIC is used to highlight any weaknesses that may exist within the organisation's internal control system and it forms part of the Annual Report and Accounts. The SIC is a primary accountability document and is a mandatory disclosure for all central government organisations that adhere to the Financial Reporting Manual (FReM). Importantly the SIC must make disclosures under the headings:

Scope of responsibility;

The purpose of the system of internal control;

Capacity to handle risk;

The risk and control framework; and

Review of effectiveness.

The NAO reviews the SIC to ensure it is supported by appropriate evidence and that controls, including controls and governance around the preparation of the SIC, are reliable. The NAO will also consider if the content of the SIC is consistent with the NAO's understanding of issues facing the organisation. The NAO will begin its engagement with organisations early in the reporting period, so that discussions can be held with senior executives (including the Accounting Officer) about the risks the organisation faces, the adequacy of controls and transparency of reporting in the previous year.

A Guide for Audit Committees on the Statement of Internal Control

19 January 2010

Client Briefing - CG 01.10


THE ROLE OF THE AUDIT COMMITTEE AND HOW THEY CAN ADD VALUE

Audit Committees play an important role in the development of the SIC as they should review the assurances received by the organisation and should also highlight to the Board and Accounting Officer any significant control issues that should be disclosed in the SIC.

The NAO has reviewed a range of SICs in order to identify good practice. The NAO hopes the good practice examples will assist Audit Committees to better identify where processes and procedures can be further strengthened or where further additional disclosures would add more value to the SIC.

We would be happy to help you review how you meet the guidance set out in the NAO document. For more information, please speak to your RSM Tenon internal audit contact.


INTRODUCTION

HM Treasury has issued guidance on the minimum requirements for sustainability reporting within public sector annual reports. The guidance is applicable to all central government bodies that produce annual reports and accounts in accordance with HM Treasury's Government Financial Reporting Manual (FReM), and that will produce a sustainability report. HM Treasury has set 2010/11 as a dry run for reporting on sustainability, while in the following year it will become mandatory.

WHAT IS REQUIRED?

HM Treasury requires that annual reports include a section covering organisational performance on sustainability during the year. The section in the annual report must include:

A simple overview covering performance in the reported year together with a summary of future plans; and

A 'Sustainability Report' comprising a table of financial and non-financial information covering details of the organisation's emissions, waste and finite resource consumption.

In developing the sustainability section within the annual report, the key principles of transparency, to ensure clarity and openness, and consistency, for comparative purposes, should be upheld.

The table overleaf provides an overview of the minimum requirements in each of the three main reporting areas:

Greenhouse Gas Emissions;

Waste Minimisation and Management; and

Finite Resources.

HOW CAN RSM TENON HELP?

RSM Tenon can provide assistance in compiling the required data, verifying and validating data for year on year consistency and calculating greenhouse gas emissions. We can also provide assistance in formulating a sustainability policy and strategy and processes for managing and integrating sustainability within an organisation. If you are seeking assistance, please contact your client manager or Graham Dalrymple on 07748 152 002 or alternatively email on [email protected]

Sustainability Reporting within Public Sector Annual Reports

2 March 2011

Client Briefing - CG 01.11


Area | Type | Non-Financial Information | Financial Information
Greenhouse Gas Emissions | Scope 1 (Direct) GHG Emissions | All Scope 1 emissions must be accounted for. These occur from sources owned or controlled by the organisation. Examples include emissions as a result of combustion in boilers owned or controlled by the organisation. This includes emissions from organisation-owned fleet vehicles (including vehicles on finance leases). An analysis of related gas consumption, in kWh, should also be included. | Gross expenditure on the purchase of energy, expenditure and income (recycling payments) on the Carbon Reduction Commitment Energy Efficiency Scheme (referred to as the CRC), expenditure on accredited offset purchases, total expenditure on official business travel and expenditure on reported areas of energy use.
Greenhouse Gas Emissions | Scope 2 (Energy Indirect) Emissions | All Scope 2 emissions must be accounted for. These result from energy consumed which is supplied by another party. For example, electricity supply in buildings or outstations. They also include purchased heat, steam and cooling. An analysis of related energy consumption, in kWh, should also be included. |
Greenhouse Gas Emissions | Scope 3 Official Business Travel Emissions. | Scope 3 emissions relating to official business travel directly paid for by an organisation (i.e. not business travel re-charged by contractors) must be accounted for. |
Waste minimisation and management | | The minimum requirement is to report absolute values for (administrative and operational including construction) produced by the organisation against the following categories; (a) total waste arising, (b) waste sent to landfill (e.g. residual waste), (c) waste recycled / reused (recycled, composted, internal or external re-used), and (d) waste incinerated / energy from waste (e.g. food waste) | Total expenditure on waste disposal. (incl waste disposal contracts, specialist waste arising and the purchase of licenses for waste) and expenditure against each of the additional three categories (b) to (d) opposite.
Finite Resources | | As a minimum public sector bodies must report on water consumption in cubic metres. Public sector bodies must also consider which, if any, other finite resources' use is material and report on consumption. | Total expenditure on purchase of related finite resources including purchase of licenses.

Source: HM Treasury's Public Sector Annual Reports: Sustainability Reporting, Guidance for the 2010-11 Dry Run available at: http://tiny.cc/omfs3