Annex F: Key lines of enquiry
This list of questions is not intended to be exhaustive or restrictive nor should it be treated as a tick list substituting for detailed consideration of the issues it raises. Rather it is intended to act as a 'prompt' to help the committee ensure that their work is comprehensive.
On the strategic processes for risk, control and governance, how do we know:
- that the risk management culture is appropriate?
- that there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable?
- that the risk register is an accurate reflection of the risks facing the organisation?
- that appropriate ownership of risk is in place?
- that management has an appropriate view of how effective internal control is?
- that risk management is carried out in a way that really benefits the organisation or is it treated as a box ticking exercise?
- that the organisation as a whole is aware of the importance of risk management and of the organisation's risk priorities?
- that the system of internal control will provide indicators of things going wrong?
- that the AO's annual governance statement is meaningful, and what evidence underpins it?
- that the governance statement appropriately discloses action to deal with material problems?
- that the organisation is appropriately considering the results of the effectiveness review underpinning the governance statement?
On risk management processes, how do we know:
- how senior management (and Ministers where appropriate) support and promote risk management?
- how well are people equipped and supported to manage risk well?
- that there is a clear risk strategy and policies?
- that the organisation's risk appetite has been articulated?
- that there are effective arrangements for managing risks with partners?
- that the organisation's processes incorporate effective risk management?
- if risks are handled well:
- key strategic risks can change very quickly?
- scenario planning and stress testing?
- bubbling under' risks?
- Risk focus is wide enough:
- external and emerging risks are considered?
- 'financial' risks and 'non-financial' risks are reviewed?
- if risk management contributes to achieving outcomes?
- that management are regularly reviewing top risks?
On the planned activity and results of both internal and external audit, how do we know:
- that the Internal Audit strategy is appropriate for delivery of a positive reasonable assurance on the whole of risk, control and governance?
- that the internal audit plan will achieve the objectives of the Internal Audit strategy, and in particular is it adequate to facilitate a positive, reasonable assurance on the key risks facing the organisation?
- that Internal Audit has appropriate resources, including skills, to deliver its objectives?
- that Internal Audit takes appropriate account of other assurance activity, especially in the first and second line (and that this assurance is understood and owned by management)? that Internal Audit recommendations that have been agreed by management are timeously implemented?
- that any issues arising from line management not accepting Internal Audit recommendations are appropriately escalated for consideration?
- that the quality of Internal Audit work is adequate? What does application of the Internal Audit Quality Assessment process tell us about the quality of the Internal Audit service?
- that there is appropriate co-operation between the internal and external auditors?
- The Accountable Officer and Board have taken all necessary steps to make themselves aware of any relevant information and that auditors are aware of that information?
A more detailed tool for evaluation of the quality of the Internal Audit service is the "Internal Audit Quality Assessment Framework" produced by HM Treasury.
On the accounting policies, the accounts, and the annual report of the organisation, how do we know:
- how effective and accurate budgeting and in-year forecasting is?
- if the finance function is fit for purpose?
- what the "hidden" financial risks are, relating to (inter alia):
- Sudden loss of funding/revenue?
- that the accounting policies in place comply with relevant requirements, particularly the HMT Financial Reporting Manual?
- there has been due process in preparing the accounts and annual report and is that process robust?
- that the accounts and annual report have been subjected to sufficient review by management and by the Board and Accountable Officer?
- that when new or novel accounting issues arise, appropriate advice on accounting treatment is gained?
- that there is an appropriate anti-fraud policy in place and losses are suitably recorded?
- that suitable processes are in place to ensure accurate financial records are kept?
- that suitable processes are in place to ensure fraud is guarded against and regularity and propriety is achieved?
- that financial control, including the structure of delegations, enables the organisation to achieve its objectives with good value for money?
- if there are any issues likely to lead to qualification of the accounts?
- if the accounts have been qualified, that appropriate action is being taken to deal with the reason for qualification?
- that issues raised by the External Auditors are given appropriate attention?
On the adequacy of management response to issues identified by audit activity, how do we know:
- that the implementation of recommendations is monitored and followed up?
- that there are suitable resolution procedures in place for cases when management reject audit recommendations which the auditors stand by as being important?
On assurances relating to the corporate governance requirements for the organisation, how do we know:
- corporate governance arrangements operate effectively and are clear to the whole organisation?
- the Accountable Officer's Governance Statement is meaningful, and that robust evidence underpins it?
- the Governance Statement appropriately discloses action to deal with material problems?
- the Board/Executive is appropriately considering the results of the effectiveness review underpinning the annual Governance Statement?
- the range of assurances available is sufficient to facilitate the drafting of a meaningful annual Governance Statement?
- those producing the assurances understand fully the scope of the assurance they are being asked to provide, and the purpose to which it will be put?
- effective mechanisms are in place to ensure that assurances are reliable and adequately evidenced?
- assurances are 'positively' stated ( i.e. – premised on sufficient relevant evidence to support them)?
- the assurances draw appropriate attention to material weaknesses or losses which should be addressed?
- the annual Governance Statement realistically reflects the assurances on which it is premised?
On the work of the committee itself, how do we know:
- that we are being effective in achieving our terms of reference and adding value to corporate governance and control systems of the organisation?
- that we have the appropriate skills mix?
- that we have an appropriate level of understanding of the purpose and work of the organisation?
- that we understand all of the sources of assurance available to the organisation?
- that we have sufficient time to give proper consideration to our business?
- that our individual members are avoiding any conflict of interest?
- that we are avoiding "group think"
- what impact we are having on an organisation?