Risk Management and Internal Controls
Risk concerns uncertainty of outcome. The delivery of an organisation's objectives is surrounded by uncertainty which both poses threats to success and offers opportunities for increasing success. Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. Each public sector organisation's internal control systems should include arrangements for identifying, assessing and managing risks. Risk management should be closely linked to the business planning process and performance monitoring arrangements.
Public bodies are required to provide a Governance Statement in order to comply with best practice as recommended by the Turnbull Committee Report. As part of that process, the Chief Executive is required to review, at least annually, the effectiveness of all controls, including financial, operational and compliance controls. Organisations need to show that they have established and maintained effective and on-going procedures for identifying, evaluating and managing business risks.
The Board should help ensure that there is a system in place for continuous risk management which extends from the front-line services through to the Board and ultimately through to the Chief Executive. This involves having a framework of prudent and effective controls in place to enable risks to be identified, assessed and managed. The Board should regularly assist the Chief Executive to review key business risks affecting the organisation.
Where a body is responsible for a budget, an Audit Committee must be established to advise the Accountable Officer on internal control (including corporate governance) and audit matters.
All accounting entities to which the SPFM is directly applicable should establish an Audit Committee. The Committee should comprise at least three members all of whom should be either Board members or independent external members.
All Audit Committees in organisations to which the SPFM is directly applicable are subject to the guidance in the Audit Committee Handbook published by the Scottish Government. A degree of flexibility will be appropriate in applying the guidance in the Handbook, particularly with regard to smaller accounting entities.
The exact role of the Audit Committee will depend on the particular circumstances of the organisation. Examples of issues affecting the role of the Audit Committee include the strategic risk management arrangements that the Accountable Officer has established, whether or not there is a separate Risk Committee and the whistleblowing arrangements which have been put in place as part of the anti-fraud and corruption arrangements. An Audit Committee should not have any executive responsibilities or be charged with making or endorsing any decisions, although it may draw attention to strengths and weaknesses in control and make suggestions for how weaknesses might be dealt with. The overarching purpose of the Audit Committee is to advise the Accountable Officer; it is then the Accountable Officer who makes the relevant decisions.
To fulfil its role, an Audit Committee should generally meet at least three or four times per year. Additional meetings should be convened as deemed necessary, reflecting the needs of the organisation.
All Audit Committee members, whatever their status or background, will have training and development needs. Those who have recently joined the Audit Committee will need induction training, either to help them understand their role or, if they have audit committee experience elsewhere, to help them understand the organisation. In particular, those joining a public sector Audit Committee for the first time will need training to help them understand public sector standards, especially those relating to governance and accountability.
The Audit Committee should:
- Have written terms of reference from the Chief Executive, which encompass all the assurance needs of the Accountable Officer. Within this, the Audit Committee should have particular engagement with the work of Internal Audit, the work of the External Auditor and with financial reporting issues;
- Support the Accountable Officer by reviewing the scope, reliability and integrity of the assurances provided to them;
- Highlight those aspects of risk management, governance and internal control that are functioning effectively and, just as importantly, those that need to be improved;
- Have at least three non-executive members, under the chairmanship of a non-executive member who should be someone other than the meeting Chair of the public body or Chair of any other sub-committee;
- Own corporately an appropriate skills mix to allow it to carry out its overall function. At least one of the Committee members should have recent and relevant financial experience;
- Have a Chair whose role goes beyond chairing meetings - this is key to achieving Committee effectiveness. The additional workload should be taken into account in the appointment of the Chair;
- Have a Chair who is involved in the appointment of new Committee members, including providing advice on the skills and experience being sought by the Committee, and is responsible for ensuring that the work of the Audit Committee is appropriately resourced;
- Be independent and objective; in addition each member should have a good understanding of the objectives and priorities of the organisation and of their role as an Audit Committee member;
- Encourage the Accountable Officer, Head of Internal Audit and Director of Finance to attend meetings (though not as members of the Audit Committee);
- Have regular and on-going liaison with External Auditors;
- Ensure it has effective communication with the Accountable Officer, the Head of Internal Audit, the External Auditor, and other stakeholders. In addition, the role of the Chair and provision of appropriate secretariat support are important elements in achieving Audit Committee effectiveness.
In any government-related organisation there will be two significant sources of assurance that the Audit Committee can be certain will be present: Internal Audit and External Audit. Internal Audit provides an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations.
Internal Audit is an internal appraisal service, established by the management of an organisation, to review the internal control system. It objectively examines, evaluates and reports on the adequacy of internal control as a contribution to the proper, economic, efficient and effective use of resources. The scope of the Internal Audit service should be unrestricted across the organisation's operations. The Internal Auditors should have sufficient authority to access assets, records and personnel as necessary for the discharge of their responsibilities.
The work of Internal Audit is likely to be the single most significant resource used by the Audit Committee in discharging its responsibilities. This is because the Head of Internal Audit, in accordance with the Public Sector Internal Audit Standards, has a responsibility to offer an annual opinion on the overall adequacy and effectiveness of the organisation's risk management, control and governance processes. There is consequently a major synergy between the purpose of the Head of Internal Audit and the role of the Audit Committee.
The role of the Audit Committee in relation to Internal Audit should include advising (to ensure consistency) the Accountable Officer on:
- The Audit Strategy and periodic Audit Plans, forming a view on how well they support the Head of Internal Audit's responsibility to provide an annual opinion on the overall adequacy and effectiveness of the organisation's risk management, control and governance processes;
- The results of Internal Audit work, and the management response to Internal Audit findings; and
- Internal Audit coverage.
External Audit provides independent scrutiny of an organisation's finances, performing an audit of the financial statement of an organisation. External Audit can also give assurance that organisations have used their resources in discharging their functions properly, efficiently and effectively e.g. through a performance audit. The Audit Committee should engage with the activity of the External Auditor, ensuring that examinations are carried out effectively. As well as considering the results of External Audit work, they should enquire about and consider the External Auditor's planned approach and the way in which the External Auditor is co-operating with Internal Audit to maximise overall audit efficiency, capture opportunities to derive a greater level of assurance and minimise unnecessary duplication of work.
The Auditor General for Scotland is the External Auditor of a number of public bodies.
The Auditor General may appoint a member of the staff of Audit Scotland or an appropriately qualified professional firm as the auditor of your body.
External Audit of the Annual Accounts
An External Audit of the annual accounts undertaken by the Auditor General is conducted in accordance with the Public Finance and Accountability (Scotland) Act 2000 and the Code of Audit Practice issued by Audit Scotland on behalf of the Auditor General.
On completion of the External Audit, the appointed auditor sends a copy of the accounts and the audit opinion to the Auditor General. The Auditor General may then add a report (for example, on a qualification of the auditor's opinion or other matter drawn to their attention by the auditor) before Executive Agencies and sponsored bodies send their accounts and reports to the Scottish Ministers for laying before the Parliament. Non-Ministerial bodies lay their accounts directly before the Parliament.
The appointed auditor will:
- Issue an opinion as to whether the accounts give a true and fair view of the state of affairs of the public body at the year end and of its income and expenditure for the year and whether the accounts have been prepared in accordance with any applicable legislation and accounts direction;
- Issue an opinion (known as the "regularity" opinion) as to whether the income and expenditure has been properly received or incurred in accordance with legislation, the Budget Act for the relevant year and any other guidance issued by the Scottish Ministers;
- Review the Governance Statement prepared by the body and report if it is not in accordance with the auditor's understanding of the body;
- Review the body's arrangements in relation to financial sustainability, financial management, governance and transparency and Value for Money;
- Consider the body's governance arrangements and arrangements for prevention and detection of fraud; and
- Provide reports to the Chief Executive and Audit Committee on matters arising during the course of the audit.
Performance audits look at the performance of a public body and include a Value for Money audit which is an examination of the economy, efficiency and effectiveness with which a body has used its resources to carry out its functions.
The Auditor General has powers to conduct performance audits. These audits examine the economy, efficiency and effectiveness of aspects of the public sector. They can assess:
- performance across several public bodies in a particular theme - for example, managing changes in the workforce; or
- performance of an individual public body or a particular aspect of that body's performance.
Performance audits may be conducted by Audit Scotland staff, the appointed auditor, consultants or any combination of these. A draft report on the audit will be discussed with the public body (or bodies) to ensure factual accuracy. Once finalised, the report will be laid before the Scottish Parliament and published with an accompanying news release. In most cases, the Auditor General will present the report to the Scottish Parliament's Public Audit and Post-legislative Scrutiny Committee. Performance audit reports may contain material such as checklists to assist non-executive Board members in holding management to account.
For many public bodies, the founding legislation provides that the Auditor General will appoint the auditor. In such circumstances, the Auditor General has a statutory right to carry out a Value for
Where the Auditor General is not the auditor of a public body and has not appointed the auditor, they should have rights under statute or by agreement to carry out an inspection of the use of resources by those bodies.