Audit Committee 5 June 2019 Agenda item: 07 Report no: 08/2019 Scottish Social Services Council Internal Audit Plan 2019/20 May 2019
Introduction
Internal audit approach
Proposed internal audit plan
Quality assurance and improvement
Delivering the internal audit plan
Appendix 1 – Strategic Internal Audit Plan 2019-22
Appendix 2 – Strategic Risk Register
Appendix 3 – Audit timetable for 2019/20
Appendix 4 – Audit Universe
Appendix 5 – Internal Audit Charter
Appendix 6 – Draft Assignment Plans
scott-moncrieff.com Scottish Social Services Council Internal Audit Plan 2019/20 1
Introduction
Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organisation’s operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes.
Section 4 – Definition of Internal Auditing, Public Sector Internal Audit Standards
Scott-Moncrieff’s internal audit methodology complies fully with the Public Sector Internal Audit Standards
(PSIAS), which cover the mandatory elements of the Institute of Internal Auditors’ International Professional
Practices Framework. PSIAS have superseded the Government Internal Audit Standards.
Internal audit plan
The PSIAS require the Chief Internal Auditor to produce a risk-based plan, which takes into account SSSC’s
risk management framework, its strategic objectives and priorities, and the views of senior managers and the
Audit Committee. This Internal Audit Plan is directly linked to SSSC’s Strategic Risk Register as at February
2019.
The objective of audit planning is to direct audit resources in the most efficient manner to provide sufficient
assurance that key risks are being managed effectively and value for money is being achieved. This document
addresses these requirements by setting out a proposed plan for 2019/20 in the context of a three year
strategic internal audit plan for the period 2019/20 to 2021/22.
Audit Committee action
This 2019/20 plan has been discussed and agreed with the Executive Management
Team prior to presentation at the Audit Committee. The detailed scope and objectives within Appendix 6 have
been reviewed and agreed by the EMT and we now present the proposed Internal Audit Plan 2019/20 to the
Audit Committee for review and approval.
The Internal Audit Plan remains flexible to allow internal audit to respond to emerging issues and risks throughout the
year.
Internal audit approach
Supporting the Governance Statement
Our internal audit plan is designed to provide SSSC, through the Audit Committee, with the assurance it needs
to prepare an annual Governance Statement that complies with best practice in corporate governance. We
also aim to contribute to the improvement of governance, risk management, and internal control processes
using a systematic and disciplined evaluation approach.
Risk based internal auditing
Our internal audit methodology links internal audit activity to the organisation’s risk management framework.
The main benefit to SSSC is a strategic, targeted internal audit function that focuses on the key risk areas and
provides maximum value for money.
By focussing on the key risk areas, internal audit should be able to conclude that:
• Management has identified, assessed and responded to SSSC’s key risks;
• The responses to risks are effective but not excessive;
• Where residual risk is unacceptably high, further action is being taken;
• Risk management processes, including the effectiveness of responses, are being monitored by
management to ensure they continue to operate effectively; and
• Risks, responses and actions are being properly classified and reported.
We have reviewed SSSC’s risk management arrangements and have confirmed that they are sufficiently robust
for us to place reliance on the Strategic Risk Register as one source of the information we use to inform our
audit needs assessment.
Audit needs assessment
Internal audit plans are based on an assessment of audit need. “Audit need” represents the assurance
required by the Audit Committee from internal audit that the control systems established to manage and
mitigate the key inherent risks are adequate and operating effectively. The objective of the audit needs
assessment is therefore to identify these key control systems and determine the internal audit resource
required to provide assurance on their effectiveness.
Our audit needs assessment takes both a top-down and bottom-up approach followed by a reasonableness
check. The top-down approach involves identifying the areas of highest inherent risk and the control systems
in place to manage those risks. The bottom-up approach involves defining SSSC’s audit universe (potential
auditable areas) and covering all systems on a cyclical basis in line with their relative risk and significance. The
reasonableness check involves us using our experience of similar organisations, together with discussions with
other internal auditors, to ensure that all key risk areas and systems have been considered and the resulting
internal audit plan seems appropriate.
Our audit needs assessment has involved the following activities:
• Reviewing SSSC’s risk register;
• Reviewing SSSC’s Strategic Plan;
• Reviewing previous internal audit reports;
• Reviewing external audit reports and plans;
• Reviewing the SSSC website and internal policies and procedures;
• Utilising our experience at similar organisations and our understanding of central government and the
wider public sector; and
• Discussions with the Executive Management Team (EMT) and the Audit Committee.
The audit needs assessment is revised on an on-going basis (at least annually) to take account of any changes
in SSSC’s risk profile. Any changes to the Internal Audit Plan are approved by the Audit Committee.
Best value
Our work helps SSSC to determine whether services are providing best value. Each year, the Plan contains
specific reviews that focus on assessing whether the current processes provide best value. In addition, every
report includes an assessment of value for money; i.e. whether the controls identified to mitigate risks are
working efficiently and effectively. Where we identify opportunities for improving value for money, we raise
these with management and include them in the report action plan.
Proposed internal audit plan
Appendix 1 presents the Strategic Internal Audit Plan for 2019/20 to 2021/22. The Strategic Internal Audit Plan
is based on our latest audit needs assessment.
Our internal audit approach is based on risk. Therefore our proposed internal audit plan is also cross-
referenced to SSSC’s Strategic Risk Register. This is included in Appendix 2 for reference.
Internal audit is only one source of assurance for the Audit Committee. Assurance on the management of risk
is provided from a number of other sources, including the EMT, external audit, and the risk management
framework itself.
We seek to complement the areas being covered by SSSC’s external auditor. Following discussion of this Plan
at the Audit Committee, we welcome any comment from the external auditors and will look to incorporate the
feedback received into the final version submitted for approval to the Audit Committee. This helps us to target
our work in the most effective manner, avoiding duplication of effort and maximising the use of the total audit
resource.
The table below demonstrates how the 24 internal audit days for 2019/20 are allocated across each area of the
audit universe:
[Chart: Allocation of audit days. Financial reviews 17%; Strategic reviews 16%; Follow Up 13%; Internal Audit Mgmt 21%]
Quality assurance and improvement
Key Performance Indicators
The SSSC has set out eleven performance indicators which aim to ensure its internal audit service is effective
and efficient. These performance indicators have been set up under the three headings of service delivery,
quality, and invoicing. The eleven performance indicators are as follows:
Area | KPI | Description
Service Delivery | 1.1 | Number of internal audits delivered to original timescales agreed in the approved audit plan
Service Delivery | 1.2 | Number of internal audits delivered to original cost agreed in annual audit plan
Service Delivery | 1.3 | Number of audit reports presented to Audit Committees within agreed timescales
Service Delivery | 1.4 | Proportion of senior staff attendance at Audit Committees
Service Delivery | 1.5 | Proportion of recommendations agreed by management
Quality | 2.1 | External audit can place reliance on the work of internal audit
Quality | 2.2 | Stakeholder satisfaction with internal audit service
Quality | 2.3 | Audits are planned in advance with the lead officer to ensure key staff are available and audit work deliverable within agreed timescales
Quality | 2.4 | Actual skill mix of audit team agrees with skill mix in the agreed annual audit plan
Invoicing | 3.1 | Proportion of invoiced prices that are valid and correct
Invoicing | 3.2 | Disputed invoices are resolved within two weeks of notification of the dispute
Delivering the internal audit plan
Internal Audit Charter
At Appendix 5 we have set out our Internal Audit Charter, which details how we will work together to deliver the
internal audit plan.
Confirmation of independence
PSIAS require us to communicate on a timely basis all facts and matters that may have a bearing on our
independence.
We can confirm that all members of the internal audit team are independent of SSSC and their objectivity has
not been compromised.
Appendix 1 – Strategic Internal Audit Plan 2019-22
Audit area | 2019/20 days | 2020/21 days | 2021/22 days | Risk Reg Ref | Notes

A. Financial controls reviews
A1. Procurement 4 SR5 We will review the arrangements in place within SSSC that support the delivery of the procurement activities, including the ongoing management of significant contracts.
A2. Income and receivables 3 SR5 Joint review of income and accounts receivable processes.
A3. Expenditure and payables 3 SR5 Joint review of procedures for non-pay expenditure payments. This will include:
• appropriateness of policies and procedures; and
• ensuring payments are only made to legitimate creditors.
Sub-total A – Financial controls reviews 3 4 3

B. Strategic reviews
B1. Strategic Review 7 SR4, SR5 Consultancy style engagement to support the SSSC in ensuring its operational model supports the delivery of the Corporate Strategy.
B2. Shared Services 6 SR3 Overview of the effectiveness of shared services arrangements.
Sub-total B – Strategic reviews 7 6

C. Operational reviews
C1. Stakeholder Engagement 6 SR2, SR3 To review the progress and evidence of impact of the:
• Stakeholder Strategy and Framework; and
• Involving People Plan.
Sub-total C – Operational reviews 6

D. ICT Reviews
D1. Digital Strategy 6 SR6 Review of the implementation of the Digital Strategy. Indicative objectives include:
• The ICT function has established and applied a structured approach regarding the digital planning process.
• ICT Management have a process in place to promptly and accurately modify the digital plan to accommodate changes to the organisation’s strategic plan.
D2. ICT Healthcheck 6 SR5, SR6 This review will consider how the Board’s network infrastructure is monitored and managed, considering security and resilience of the network environment.
D3. Business Continuity Planning 6 SR6 This review will consider the extent to which the SSSC has implemented an effective Business Continuity Management (BCM) framework and ensured appropriate testing of plans.
Sub-total D – ICT reviews 6 6 6

E. Other reviews
E1. Follow up of previous recommendations 3 3 3 We will follow up the action plans from previous internal audits.
Sub-total E – Other reviews 3 3 3

F. Management
Audit Needs Assessment / Strategic and Annual Internal Audit Plan preparation 1 1 1
Audit Committee attendance and preparation 3 3 2
Annual Internal Audit Report 1 1 1
Sub-total F – Management 5 5 5

TOTAL 24 24 24
Appendix 2 – Strategic Risk Register
As part of our audit needs assessment, we have reviewed the Strategic Risk Register to identify auditable areas against each identified risk. The summary results of this review are as set out below. We have used the version of the Risk Register as at February 2019 to inform this exercise.

Risk ref | Risk Description | Raw risk rating (Likelihood / Consequence) | Residual risk rating (Likelihood / Consequence) | 2019/20 IA Response
SR1 | That failures in our regime of registration or fitness to practise leads to public protection failure. | 20 | 8 | Covered in 2018-19 Plan
SR2 | The SSSC is not able to demonstrate to our stakeholders (including SG) that its operational activity is fulfilling its strategic outcomes. | 12 | 6 | Stakeholder Engagement
SR3 | Ineffective working relationships with partner bodies impact significantly on our ability to deliver our organisational objectives. | 16 | 6 | Stakeholder Engagement/Shared Services
SR4 | The qualifications framework and workforce development products we produce do not meet the needs of employers and social service workers. | 16 | 6 | Strategic Review
SR5 | The SSSC does not have sustainable resources to support the delivery of Strategic Plan objectives (i.e. the strategic planning growth assumptions are not financially sustainable) | 16 | 9 | Strategic Review, Income and receivables
SR6 | The SSSC experiences disruption or loss or reputation damage from a failure in its ICT systems, physical security or information governance arrangements. | 20 | 12 | ICT Healthcheck/Business Continuity Planning/Digital Review
Appendix 3 – Audit timetable for 2019/20

Ref and Name of report | Audit Sponsor | Quarter | Start fieldwork | Complete fieldwork | Draft Report | Mgmt Response | Final Report | Audit C’ttee
A2. Income and Receivables | Head of Shared Services | Q1 | April 2019 | May 2019 | May 2019 | May 2019 | May 2019 | June 2019
B1. Strategic Review | Chief Executive | Q2 | Jun 2019 | Jun 2019 | Jul 2019 | Jul 2019 | Aug 2019 | Sept 2019
C1. ICT Healthcheck | Director of Strategy and Performance | Q3 | Sep 2019 | Sep 2019 | Oct 2019 | Oct 2019 | Nov 2019 | Nov 2019
D1. Follow up | N/A | Ongoing | | | | | |
Annual Internal Audit Report | N/A | Q4 | Jan 2020 | Feb 2020 | Feb 2020 | Feb 2020 | Mar 2020 | Mar 2020
Annual Internal Audit Plan 2020/21 | N/A | N/A | N/A | N/A | N/A | N/A | N/A | Mar 2020
Appendix 4 – Audit Universe
Audit area | 2017/18 | 2018/19 | 2019/20 | 2020/21 | 2021/22 | Risk Ref | Frequency
A. Financial reviews
Financial systems health-check X X M Cyclical review - every 3 - 5 years
Budget management X H Cyclical review - every 3 - 5 years
Financial reporting M Reviewed annually by external audit
Efficiency savings X H Cyclical review - every 3 - 5 years
Financial ledger L Reviewed annually by external audit
Payroll X M Cyclical review - every 3 - 5 years
Expenditure and payables X M Cyclical review - every 3 - 5 years
Income and receivables X M Cyclical review - every 3 - 5 years
Treasury and cash management X L Cyclical review - every 3 - 5 years
Procurement X L Cyclical review - every 3 - 5 years
Accounting policies L Reviewed annually by external audit
B. Strategic reviews
Strategic planning X M Cyclical review - every 3 - 5 years
Risk management X M Cyclical review - every 3 - 5 years
Corporate governance X L Annual Coverage by external audit/Strategic Review coverage
Information governance X M Cyclical review - every 3 - 5 years
Performance reporting X X X X M Selection of key performance indicators will be reviewed each year
Partnership working X M Addressed in Strategic
Workforce planning X M Included in risk register
Fitness to practise governance X X M Cyclical review – every 3 – 5 years
Stakeholder engagement X M Identified as critical to the achievement of corporate objectives.
Shared services governance X M Cyclical review - every 3 - 5 years
C. Operational reviews
Operational planning X M Cyclical review every 3 - 5 years
Service redesign L Recommended prior to major change
Registration cycles/workload management X M Cyclical review every 3 - 5 years
Engagement with Scottish Government L Cyclical review every 3 - 5 years
Legal services and training L Not identified as an area of risk
Complaints handling M Cyclical review every 3 - 5 years
Stakeholder engagement X M Cyclical review every 3 - 5 years
Impact on service users X X M Cyclical review every 3 - 5 years
Business continuity planning X M Cyclical review every 3-5 years
Quality assurance X M Included in risk register
Care workforce development X H Cyclical review every 3-5 years
Absence management L Not identified as an area of risk
Fitness to Practise process (inc FTP panel hearings) X M Cyclical review every 3-5 years
Digital strategy X X H Cyclical review every 3-5 years
Succession planning M Cyclical review every 3 - 5 years
Recruitment and retention X M Cyclical review every 3 - 5 years
Appendix 5 – Internal Audit Charter
Internal auditing is an independent and objective assurance and consulting activity that is guided by a
philosophy of adding value to improve the operations of SSSC.
It helps SSSC accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance processes.
Aim
The aim of this protocol is to set out the management by both parties of the internal audit process. The
protocol sets out and outlines in detail, the context of the internal audit function. This includes the place of the
Audit Committee, the key personnel involved, and the timescales and processes to be followed for each
internal audit review.
This Charter is in line with the best practice guidance set out by the Chartered Institute of Internal Auditors. It
has however been developed and enhanced to meet the needs and requirements of SSSC.
Personnel
The senior staff employed by the respective parties to manage this protocol are as follows:
Scott-Moncrieff
Chief Audit Executive: Gary Devlin, Exchange Place 3, Semple Street, Edinburgh, EH3 8BL
Tel: 0131 473 3500
Email: [email protected]
Audit Manager: Nicola MacKenzie, Exchange Place 3, Semple Street, Edinburgh, EH3 8BL
Tel: 0131 473 3500
Email: [email protected]
SSSC
Head of Shared Services: Mr Kenny Dick, Compass House, 11 Riverside Drive, Dundee, DD1 4NY
Tel: 0345 60 30 891
Email: [email protected]
Head of Finance: Ms Nicky Anderson, Compass House, 11 Riverside Drive, Dundee, DD1 4NY
Tel: 0345 60 30 891
Email: [email protected]
Role
Internal auditing is an independent and objective assurance and consulting activity designed to add value and
improve the operations of SSSC. It helps SSSC accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Gary Devlin will take the role as Chief Audit Executive for SSSC.
Professionalism
The internal audit activity will adhere to mandatory guidance of The Chartered Institute of Internal Auditors
(CIIA) including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the
Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the
fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness
of the internal audit activity's performance.
The CIIA's Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to
guide operations. In addition, the internal audit activity will adhere to SSSC’s relevant policies and procedures.
Internal audit activity will also reflect relevant Scottish Government directions, as relevant to SSSC.
Authority
The internal audit activity, with strict accountability for confidentiality and safeguarding records and information,
is authorised full, free, and unrestricted access to any and all of SSSC’s records, physical properties, and
personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit
activity in fulfilling its role and responsibilities. The internal audit activity will also have free and unrestricted
access to the Audit Committee.
Accountability
The Chief Audit Executive will be accountable to the Audit Committee and will report administratively to the
Head of Finance.
The Audit Committee will approve all decisions regarding the performance evaluation, appointment, or removal
of the Chief Audit Executive.
The Chief Audit Executive will communicate and interact directly with the Audit Committee, including between
Audit Committee meetings as appropriate.
Independence and objectivity
The internal audit activity will remain free from interference by any element in SSSC, including on matters of
audit selection, scope, procedures, frequency, timing, or report content. This is essential in maintaining the
internal auditors’ independence and objectivity.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited.
Accordingly, auditors will not implement internal controls, develop procedures, install systems, prepare records,
or engage in any other activity that may impair the internal auditor's judgement.
Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and
communicating information about the activity or process being examined. Internal auditors must make a
balanced assessment of all the relevant circumstances and must not be unduly influenced by their own
interests or by others in forming judgments.
The Chief Audit Executive will confirm to the Audit Committee, at least annually, the organisational
independence of the internal audit activity.
Scope and responsibility
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the
adequacy and effectiveness of SSSC’s governance, risk management, and internal control processes. Internal
control objectives considered by internal audit include:
• Consistency of operations with established objectives and goals;
• Effectiveness and efficiency of operations and use of resources;
• Compliance with significant policies, plans, procedures, laws, and regulations;
• Reliability and integrity of management and financial information processes, including the means to
identify, measure, classify, and report such information; and
• Safeguarding of assets.
Internal audit is responsible for evaluating all processes, the 'audit universe', of SSSC, including governance
processes and risk management processes. In doing so, internal audit maintains a proper degree of
coordination with external audit.
Internal audit may perform consulting and advisory services related to governance, risk management and
control. It may also evaluate specific operations at the request of the Audit Committee or management, as
appropriate.
Based on its activity, internal audit is responsible for reporting significant risk exposures and control issues
identified to the Audit Committee and to senior management, including fraud risks, governance issues, and
other matters needed or requested by SSSC.
Annual internal audit plan
The audit year runs from 1 April to 31 March.
The Chief Audit Executive will submit an annual internal audit plan for the forthcoming year to the Audit
Committee for review and approval. The plan will be presented to the Committee in April / May of each year,
unless there are exceptional circumstances. The internal audit plan will detail, for each subject review area:
• The outline scope for the review;
• The number of days budgeted;
• The timing, including which Audit Committee the final report will go to; and
• The Audit Sponsor.
The internal audit plan will be developed based on a prioritisation of the audit universe using a risk-based
methodology, including input of senior management. Prior to submission to the Audit Committee for approval,
the plan will be discussed with senior management. In particular, the outline scope and timing of each review
will be agreed with the relevant Audit Sponsor (member of senior management).
Any significant deviation from the approved internal audit plan will be communicated through the periodic
activity reporting process.
Assignment Planning and Conduct
An assignment plan will be drafted in draft 2 of the annual plan setting out the scope, objectives, timescales,
and key contacts for the assignment.
Specifically, the assignment plan will detail the timescales for carrying out the work, issuing the draft report,
receiving management responses and issuing the final report. The assignment plan will also include the
number and categories of the staff to be interviewed. Where appropriate, the staff interviewed should include
both the providers and the consumers of the process or service being audited.
The assignment plan will be agreed with the Audit Sponsor (via EMT meeting approval) when the 2nd draft of
the plan is agreed by the Audit Committee.
The assignment plan will be formally signed off by the Audit Sponsor (via EMT meeting) and copied to the
Head of Finance. Any subsequent amendments to scope must be approved and signed off by the Audit
Sponsor and Head of Finance.
The internal auditor will discuss key issues arising from the audit as soon as reasonably practicable with the
Key Contacts and/or Audit Sponsor, as appropriate.
Reporting and Monitoring
A written report will be prepared and issued by the Chief Audit Executive or designee following the conclusion
of each internal audit engagement. Each report will be distributed to the Audit Sponsor for management
responses and comments. The draft reports will also be copied to the Head of Finance.
At a minimum each internal audit report will include the following sections:
• Audit scope;
• Summary of findings;
• Conclusions; and
• Management action plan.
Draft reports will be issued by email within two weeks of fieldwork concluding. The covering email will specify
the deadline for management responses, which will normally be within a further two weeks.
The management comments and response to any report will be overseen by the Audit Sponsor or named co-
ordinator, approved by the Audit Sponsor and then sent to the Head of Finance. Auditors will collate
management responses and issue the draft report (due two weeks before the EMT meeting). The management
comments will also be subject to review and approval by the wider EMT before being returned to the internal
auditor. Internal audit will issue the final report to the Head of Finance. The final report will be issued within
one week of the management responses being received. Finalised internal audit reports will be presented to
the Audit Committee.
The timings set out above are maximum timescales expected for each review. Tighter timescales may be
agreed for a review and these will be set out in the assignment plan.
Follow-up
The internal audit activity will be responsible for appropriate follow-up on audit findings and recommendations.
All significant findings will remain in an open issues file until cleared. Approval of the Audit Committee will be
obtained for any changes to deadlines. Internal audit will report to each Audit Committee on progress with the
implementation of agreed audit recommendations.
Audit Committee
The Audit Committee meets regularly during the year. Dates for Audit Committee meetings will be
provided to internal audit as soon as they are agreed.
The Chief Audit Executive and / or Internal Audit Manager will attend all meetings of the Audit Committee.
Internal audit will schedule its work so as to spread internal audit reports over the Audit Committee cycle of
meetings. The annual internal audit plan will detail the internal audit reports to be presented to each Audit
Committee meeting.
Finalised internal audit reports must be sent to the Head of Finance at least two weeks before the date of each
Audit Committee meeting.
The Chief Audit Executive will present specific reports to the Committee throughout its annual cycle. These
reports and the expected timescales are as follows:
Output | Meeting
Audit needs assessment | February
Annual internal audit plan | February (draft) and June (final)
Annual report | June
Progress report | All meetings
Follow up reports | All meetings
The Audit Committee will meet privately with the internal auditors at least once a year.
Periodic Assessment
The Chief Audit Executive is responsible for providing a periodic self-assessment on the internal audit activity.
This self-assessment will cover performance against the internal audit plan and also highlight any issues
relating to the implementation or compliance with this Internal Audit Charter.
In addition, the Chief Audit Executive will communicate to senior management and the Council on the internal
audit activity's quality assurance and improvement program, including results of ongoing internal assessments
and external assessments conducted at least every five years in accordance with Public Sector Internal Audit
Standards.
Review of Protocol
This protocol will be reviewed by both parties each year and amended if appropriate.
Appendix 6 – Draft Assignment Plans
A1. Income and Receivables
Client: SSSC
Assignment: Income & Receivables
Background: The SSSC must have robust financial systems in place to deliver
economy and efficiency, and secure the financial health of the
organisation. Two of the key financial systems are income/receivables
and treasury/cash management.
The finance team manages the income and receivables systems as a
shared service with both SSSC and the Care Inspectorate. This review
will therefore be carried out as a joint audit with The Care Inspectorate.
Scope: In accordance with the 2019/20 Internal Audit Plan, we will perform a
review of the operational controls in income and receivables systems.
Control objectives: Income and receivables:
• Invoices are raised correctly and timeously for all income
generating activities;
• Debtor terms are in place and communicated to all debtors;
• Debtors are managed appropriately to minimise aged debt and
maximise income received;
• Income is reflected accurately in the accounting system; and
• Accounts receivable data on the accounting system is held
securely and protected from unauthorised changes.
Risk register link: This review relates to the following risk in the Strategic Risk Register,
as at February 2019:
• Strategic Risk 5: The SSSC does not have sustainable
resources to support the delivery of Strategic Plan outcomes
(i.e. the strategic planning growth assumptions are not
financially sustainable).
Client contacts: Audit Sponsor: Kenny Dick, Head of Shared Services
Key contacts: Nicky Anderson, Head of Finance, Julia White,
Transactions Manager
Resources: Internal Auditor: Kenneth Shields, 2.5 days
Audit Partner: Gary Devlin, 0.5 day
Timetable: Fieldwork commences: March 2019
Fieldwork completed: April 2019
Closing meeting with auditee: April 2019
Draft report issued for management responses: early May 2019
Management responses to be provided by: May 2019
Report to be issued as final by: May 2019
Audit Committee meeting: May 2019
Reporting format: Standard internal audit report to management and the Audit
Committees of the Care Inspectorate
Agreed by client and date: TBC
B1. Assignment Plan – Strategic Review
Client: SSSC
Assignment: Strategic Review
Background: The SSSC is responding to significant and new challenges as it
reviews organisational effectiveness following a period of significant
growth in its operations and investment in information technology.
A new Chief Executive was appointed in 2018 and, working together
with the Council, has sought to develop a strategic and organisational
response to meet these key challenges. Accordingly, the Chief
Executive has commissioned this review to ensure that the SSSC’s
corporate control arrangements (maintenance and enforcement of
appropriate policies and procedures, scheme of delegation, Council
and committee reporting and decision making implementation etc) can
continue to deliver its current objectives in addition to meeting the
needs of future change and growth.
Going forward, it is imperative for the organisation to have the
necessary strategic financial and organisational management
capabilities, competencies, resources, structures, financial systems
and processes in place. These capabilities are critical to managing
the growing and complex financial and organisational challenges
inherent in the potential changes ahead.
Scope: The purpose of this review is to critically assess the organisation’s
corporate control arrangements to ensure they continue to meet the
needs of the organisation following a period of significant change.
Business objectives: • Review and test the SSSC’s corporate control and compliance
arrangements covering maintenance and enforcement of
appropriate policies and procedures, scheme of delegation, and
compliance monitoring arrangements
• Ensure adequate arrangements are in place to capture and
monitor implementation of Council and Committee decisions
• Make recommendations to the Chief Executive to improve
corporate compliance arrangements.
Methodology: • Document existing corporate control arrangements and identify
any gaps or control weaknesses
• Test a sample of policies (e.g. annual leave entitlement,
sickness absence, Council reporting timetables etc) to ensure
compliance
• Document Council and Committee decisions over the last 12
months and test for implementation.
Risk register link: The review is linked to the following risks in the Corporate Risk Register:
• SR1, 2, 3 and 5
Client contacts: Review Sponsors: Lorraine Gray - Chief Executive
Key Contacts: Kenny Dick, Head of Shared Services
Resources: Consultant: Gary Devlin, Partner – 7 days
Timetable: Fieldwork commences: June 2019
Fieldwork completed: June 2019
Closing meeting with auditee: early July 2019
Draft report issued for management responses by: July 2019
Management responses to be provided by: end July 2019
Report to be issued as final by: August 2019
Audit Committee meeting: August 2019
Reporting format: Consultancy report to CEO
Agreed by client and date: TBC
D2 – Assignment Plan – ICT Healthcheck
Client: SSSC
Assignment: D.2. ICT Healthcheck
Background: The SSSC is reliant on its technological infrastructure to support the delivery of its key business objectives. It is crucial that the infrastructure is maintained at a level capable of supporting the organisation’s business plans and strategy and to ensure the confidentiality, integrity and availability of the organisation’s data.
The increasing ease of access to corporate networks provides users with greater flexibility to work remotely or when mobile. The proliferation of such solutions underlines the importance of robust IT security measures being in place to reduce the risk of disruption to network availability, unauthorised access to or loss of data.
Scope: This review will consider how the Council’s network infrastructure is monitored and managed, considering security and resilience of the network environment.
Business objectives: • Network Access by users is controlled;
• There is adequate security control over the network and network devices;
• Resilience and recovery is designed into the network; and
• The network is appropriately administered and managed, with adequate error reporting and clearance.
Risk register link: This review relates to the following risk in your Corporate Risk
Register:
• The SSSC experiences disruption or loss or reputation damage from a failure in its ICT business systems, physical security or information governance arrangements
Client contacts: Review Sponsor: Director of Strategy and Performance
Key Contacts: Head of IT
Resources: Senior IT Auditor – 4.5 days
Senior IT Audit Manager – 1 day
Partner – 0.5 days
Timetable: Fieldwork commences: Sept 2019
Fieldwork completed: Sept 2019
Closing meeting with auditee: Oct 2019
Draft report issued for management responses by: Oct 2019
Management responses to be provided by: Oct 2019
Report to be issued as final by: Nov 2019
Audit Committee meeting: Nov 2019
Reporting format: Standard Internal Audit report
Agreed by client and date: Not agreed yet
© Scott-Moncrieff Chartered Accountants 2019. All rights reserved. “Scott-Moncrieff” refers to Scott-Moncrieff
Chartered Accountants, a member of Moore Stephens International Limited, a worldwide network of
independent firms.
Scott-Moncrieff Chartered Accountants is registered to carry on audit work and regulated for a range of
investment business activities by the Institute of Chartered Accountants of Scotland.