Internal audit: Does your charity need it and how can you achieve the most from it?

Sally Knight
Partner
MHA MacIntyre Hudson
13 May 2015

What is internal audit?

The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.
Chartered Institute of Internal Auditors

Our definition includes being a critical friend.

External vs. Internal audit

Requirement / duty:
  External audit: Depends on size of charity (charity audit thresholds), requirements of governing document, requirements of funders
  Internal audit: No statutory requirement for charities to have IA although there is a duty for Trustees to manage risk and maintain adequate and appropriate internal control systems

Objective:
  External audit: True and fair opinion on the statutory financial statements
  Internal audit: Opinion on the effectiveness of governance, risk management and internal control processes - more discretion on how this is expressed

Reports to:
  External audit: Will depend on statute and constitution - usually Trustees / Co Act Directors / members
  Internal audit: Trustees and / or Directors - usually via an Audit or similar Committee

Coverage:
  External audit: Focus on reviewing and testing financial information and controls for purposes of giving an opinion on the year end accounts; concept of materiality
  Internal audit: More than financial! All aspects of the charity's operations, including strategic, risk management and governance processes

Responsibility to report improvements:
  External audit: No - although there is a duty to report (material) issues / weaknesses, and this would normally include recommendations. Usually done via the management letter
  Internal audit: Yes - this is fundamental to the purpose of internal auditing - through advising and facilitating so as not to undermine the responsibilities of management in respect of internal controls

How do you gain assurance? Board Assurance Framework

Legislative & regulatory framework; charity's constitution
Vision, mission, values, tone from the top
Governance framework, processes & Trustees' responsibilities
Board Committees: ToR, delegation, reporting
Strategic planning & SWOT analysis
Operating policies & principles
Schemes of delegation, Standing Orders
Risk management policy, strategy, risk register

Governing Body
Executive Team

Internal control framework
Implementation of policies & procedures
Segregation of duties
KPIs review & reporting
Self assessments & evaluation
Reporting & accountability frameworks

Discretionary, flexible & responsive
Wider remit than EA
Compliance vs. advisory
Include best practice, efficiency and VFM recommendations
Eyes & ears especially in dispersed locations
Benchmarking against best practice

Independent assurance: Internal auditors
Independent assurance: External auditors
What is the nature of this relationship? (rely; inform; ignore)

Statutory audit
Focus on financial statements
Concept of materiality
Management letter
Local auditors / funder audits (esp. INGOs)

Making IA work in practice: The R factors (1)

Consider:
  Role and remit: In-house vs. outsourced
  Resources available: Staff, time, expertise and budget
  Relationship with risk: Risk policy, strategy, register
  Rolling strategic audit plan: Content, scope and timescales
  Responsiveness: Compliance vs. consultancy

Making IA work in practice: The R factors (2)

Consider:
  Reporting lines: Day to day and overall
  Reporting format and process: Providing assurance
  Respective responsibilities: Buy-in, ownership and follow-up
  Relationship with External Audit: Ensuring optimal audit coverage
  Review and evaluate: How does Internal Audit add value?

Role and remit

What do you want to achieve?
What is the nature and size of the Internal Audit jigsaw piece?
Dedicated in-house resource vs. outsourced provider
Independence and reporting lines
Access to wider services and expertise
Benchmarking
Share resource with other charities?
Flex to your charity's needs, priorities and challenges
Internal Audit Charter

Internal Audit Charter

Define purpose and objectives of the IA function
Link to ToR for the Trustee Board and relevant subcommittees e.g. Audit Committee
Relationships and mutual responsibilities
Reporting lines
Reporting format
Quality of recommendations
Timeliness
Expectations and KPIs

Resources available

Availability of your staff time and buy-in
Are there any gaps in existing knowledge / expertise? e.g. IT, business continuity, data protection
Budget
  Depends on scope and plan
  Annual input days x blended day rate
  Disbursements

Relationship with risk

How does the charity define risk?
Unrewarded and rewarded risk
Relationship with the charity's attitude and tolerance to risk (risk policy); and risk management strategy
Role of the risk register
Align IA activity to the charity's overall risk management framework, which in turn should link clearly into the charity's strategic planning processes

Rolling strategic audit plan

Content and scope - assessing the audit universe
  Financial vs. other activities
  Head Office vs. regional activities
  Follow up; contract administration time
Responsiveness
  Compliance vs. consultancy
  Agreed programme vs. reacting to unforeseen issues
Timescales
  One year scoped in detail with an eye on the future [2] years

Developing a strategic internal audit plan

Three year rolling plan with first year scoped in detail

Implementation of [new] governance / operational structures
Effectiveness of the charity's assurance framework
Effectiveness of the charity's risk management processes
Identification and management of key risks and others
Ownership and accountability
Links with strategic planning
Governance & assurance framework
Key financial controls
Core focus initially?
Compliance with financial procedures
Test implementation of new [financial] systems
Head Office functions and support
Anti-fraud policy, controls and awareness
H.R. and volunteers
Branding and marketing
Safeguarding; Health & Safety
Information security; Data Protection
Fundraising; funding
Capital projects
Procurement and purchasing
IT; Business continuity
Operational reviews & VFM
Local activity: themed / location reviews
Compliance with procedures at a local level
Delegation, documentation and implementation
Compare, share and benchmark
Relationship with Head Office
KPIs review and reporting

Reporting lines

Key is IA's objectivity and independence and perception thereof
Balancing act: Need effective day to day relationship with management but overall responsibility is to Audit Committee / Trustees
Where IA function is outsourced, nominate an internal designated IA liaison officer (typically the Resources / Finance Director)
  Conduit; coordination; collation of information
Whistle-blowing provisions - internal and external

Reporting format and process: Assignment reports

Agreeing findings and recommendations e.g. high, medium, low, advisory
Factual accuracy, realistic and value added
Action plans and timescales - ensure buy-in and ownership
Clearance and circulation - staff, management, Audit Committee, Trustees
Opinion on the assignment area audited e.g. substantial, adequate, low or no assurance
Follow-up arrangements and responsibilities

Reporting format and process: Annual report and opinion

Providing annual assurance
Opinion on the charity's overall internal control framework
Coverage and scope, with reference to the Board assurance framework
Who is relying on this opinion?

Relationship with External Audit

Aspire to providing optimal audit assurance when both functions are viewed together but...
Objectives are different so don't expect work from IA to reduce fees of EA
Key is to fully appreciate the respective roles and responsibilities of each set of auditors
In practice, role of IA work in relation to EA is somewhere on a spectrum, and may change with time:
  Ignore
  Inform
  Rely

Review and evaluate

What does adding value mean to your charity?
How will success be measured?
Quality assurance
Assess the efficiency and effectiveness of IA - payback time!
Regular feedback from staff; annual survey; view of the Audit Committee
Self-assessment; external assessment (CIIA recommends every 5 years)
Realise the full potential of Internal Audit!

In summary: Internal Audit Cycle

Thank you

Any questions?

E: sally.knight@mhllp.co.uk
T: 020 7429 0501
W: www.macintyrehudson.co.uk