Internal Audit Risk Assessment and Plan - Oxford City Council


www.pwc.co.uk

Oxford City Council


Internal Audit Risk
Assessment and Plan
2013/2014
June 2013

Distribution List
Corporate Management Team

Heads of Service

Members of the Audit and Governance Committee

This document has been prepared only for Oxford City Council and solely for the
purpose and on the terms agreed with the Council.
Contents
1. Introduction and Approach 2
2. Risk Assessment 6
3. Internal Audit Plan and Indicative Timeline 10
Appendix 1: Corporate Objectives and Risks 15
Appendix 2: Risk Assessment Criteria 17
Appendix 3: Detailed methodology 18

1. Introduction and Approach
Introduction
This document sets out the internal audit risk assessment and annual plan for Oxford City Council.

Our approach is tailored to the Council and complies with Public Sector Internal Audit Standards (that came
into effect from 1 April 2013) and the Institute of Internal Auditors’ guidance on risk based internal auditing
(2005).

Key contacts
Meetings have been held with Heads of Service and the Senior Management Team as part of the planning
process, and we have consulted Ernst & Young (the External Auditors).

Defining the Audit Universe


We have identified the auditable units within the Council based on your structure and meetings with Officers
and Members. This process is described in more detail in Section 2.

Scope of our plan


We have discussed the resources available for the internal audit service with officers, and a budget of 220 days is
available. We agreed that this is sufficient for the work required to report on key risks and controls during
the year and to prepare our annual audit opinion and report. We cannot address all risks identified by the risk
assessment process. The Audit and Governance Committee needs to be satisfied that we address those risks
about which it needs assurance, and should let us know if it requires us to reassess priorities or carry out further work.

Delivery
The internal audit service comprises a number of reviews. Each review addresses one or more risks or systems,
and is scoped to identify the relevant controls and monitoring, and then to test their operation.

There is a “Protocol” for the delivery of the internal audit service which establishes responsibilities of auditors
and auditees, covering the whole process from agreeing terms of reference to implementation of
recommendations. This is shared with each auditee at the first point of contact, and has been attached to the
Internal Audit Charter which is a separate document that we update and present to the Audit and Governance
Committee on an annual basis.

Reporting
We recognise that it is essential that reports are produced and monitored in a timely and effective manner.
Formal reports will be produced for each review identified in our internal audit plan, unless an alternative
deliverable is agreed. Following completion of fieldwork, findings will be discussed at a clearance meeting with
the audit sponsor and reports will be produced in line with the final report grading and circulation
arrangements, as set out in the new Charter.

Final reports receiving a risk classification of ‘Medium risk’ or above will be sent to the Audit and Governance
Committee, along with a progress report which will summarise the work performed since the previous
Committee meeting, and will highlight any areas of weakness and high priority recommendations.

Basis of our annual internal audit conclusion
We comply with the Public Sector Internal Audit Standards (PSIAS). The PSIAS encompass the mandatory
elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) but
are not designed or intended to conform to the International Standards on Assurance Engagements issued by
the International Auditing and Assurance Standards Board.

Our annual internal audit opinion will be based on, and limited to, the internal audits we have completed over
the year and the control objectives agreed for each individual internal audit. The agreed control objectives will
be reported in our final individual internal audit reports.

Delivering value through our approach


As your control environment matures and you continue on the path ‘from Good to Great’, we would also expect
the type of review needed to change and develop. Over time, we would therefore expect to increase the
amount of time dedicated to advisory reviews and decrease our emphasis on financial control work.

Our approach focuses on two types of review, Value Protection (VP) and Value Enhancement (VE) as illustrated
in the diagram below. VP provides a review of your current governance, risk management and control
arrangements, which constitutes a traditional controls assurance methodology. VE is focused on assessing
future risks, such as looking at your new projects / systems and improving your performance, by, for example,
identifying opportunities for efficiency gains, saving money and improving quality. The nature of value
protection and value enhancement is illustrated below:

[Diagram: value enhancement and value protection]

Value enhancement
- Strategy implications: Delivering future value
- Improving business performance: Efficiency gains; Process improvement; Monetary savings
- Assessing future governance, risk management and control: Systems development; Investment decisions; Emerging risks; Due diligence

Value protection
- Assessing current governance, risk management and control: Business process & systems; Projects & major contracts; Financial process & systems; Law and regulation; Safeguarding assets; Corporate governance

Value protection
You need assurance on your core systems. We maximise audit efficiency by working with your external
auditors, Ernst & Young LLP. We will meet to agree how external audit can rely on our work and we will
include necessary core system reviews in the plan. We will also communicate risk areas and issues identified
from our respective review work so that our approach is co-ordinated to address risks identified.

Value enhancement
Risk based work is critical to Oxford City Council, as it improves risk awareness and overall control. Our work
programme is designed to ensure the significant risks identified in your risk register are managed effectively. As
part of this process we will assess your risk management framework and governance. Internal audit provides a
valuable role in improving business performance and delivering future value. We use our broader specialist
skills and experience to help the Council to achieve its aims and objectives.

An element of the internal audit plan will always remain focussed on fundamental processes; we intend to
increase the proportion of our plan supporting you to improve your business performance in areas such as
efficiency gains, process improvements and delivering savings.

Approach
A summary of our approach to developing the risk assessment and annual internal audit plan is set out below. A
more detailed description can be found in Appendix 3.

Step 1 - Understand corporate objectives and risks: Obtain information and utilise sector knowledge to
identify corporate level objectives and risks.

Step 2 - Define the audit universe: Identify all of the auditable units within the organisation. Auditable units
can be functions, processes or locations.

Step 3 - Assess the inherent risk: Assess the inherent risk of each auditable unit based on impact and
likelihood criteria.

Step 4 - Assess the strength of the control environment: Assess the strength of the control environment within
each auditable unit to identify auditable units with a high reliance on controls.

Step 5 - Calculate the audit requirement rating: Calculate the audit requirement rating taking into account the
inherent risk assessment and the strength of the control environment for each auditable unit.

Step 6 - Determine the audit plan: Determine the timing and scope of audit work based on the organisation’s
risk appetite.

Step 7 - Other considerations: Consider additional audit requirements to those identified from the risk
assessment process.

2. Risk Assessment
Defining the Audit Universe
We have identified the auditable units within the Council based on your structure and meetings with Officers
and Members.

Any processes running across a number of different elements in the Council and which can be audited once
have been separately identified under cross-cutting reviews in the audit universe.

Corporate level objectives and risks as defined in both the Corporate Plan and Risk Register respectively have
been mapped to the auditable units. They are set out in Appendix 1.

Each auditable unit has been assessed for inherent risk and the strength of the control environment, in
accordance with the methodology set out in Appendix 3. The results are summarised in the table below.

Risk Assessment
Our risk assessment is based on:

- A review of the Council’s risk registers;
- Consultation with a number of key stakeholders across the Council;
- A review of relevant documentation and reports;
- Our knowledge of the Council and results of Internal Audit work in 2012/13; and
- Our broader understanding of local government and the broader public sector.

Our risk assessment is limited to matters emerging from the processes listed above. We will review and update
this assessment and the resulting plan annually. We will continually review the plan with management as risks
emerge or change in priority and, with the approval of the Audit and Governance Committee, ensure that audit
resources are appropriately focused.

A full risk assessment is included below. In order to carry out the risk assessment, we have defined all the
auditable activities and processes in the Council (defined as the ‘audit universe’) and risk assessed each separate
element of the audit universe (defined as ‘auditable units’) applying the methodology outlined in Appendix 3.
This approach helps to ensure that we have a complete understanding of all areas in the Council which should
be subject to Internal Audit and that these have been risk assessed on a Council-wide level.

From this risk assessment we have identified the areas that we propose to audit in 2013/14 and these have been
included in the Internal Audit Plan in the following section.

Columns: Auditable Unit | Corporate objectives and risks | Inherent Risk Rating (1 = lowest risk) | Control Environment Indicator (6 = strongest controls) | Audit Requirement Rating | Frequency

A - Cross cutting processes

General Ledger | Efficient, effective Council | 6 | 4 | 4 | Every year
Debtors | Efficient, effective Council | 6 | 3 | 5 | Every year
Creditors | Efficient, effective Council | 6 | 3 | 5 | Every year
Payroll | Efficient, effective Council | 6 | 4 | 4 | Every year
Budgetary Control | Efficient, effective Council | 6 | 4 | 4 | Every year
Collection Fund | Efficient, effective Council | 6 | 4 | 4 | Every year
Cashiers | Efficient, effective Council | 6 | 4 | 4 | Every year
Treasury Management | Efficient, effective Council | 5 | 4 | 3 | Every two years
Housing Benefits | Efficient, effective Council | 6 | 4 | 4 | Every year
Fixed Assets | Efficient, effective Council | 6 | 4 | 4 | Every year
VAT | Efficient, effective Council | 3 | 3 | 2 | Every three years
Car Parking | Efficient, effective Council | 5 | 4 | 3 | Every two years
Housing Rents | Efficient, effective Council | 6 | 4 | 4 | Every year
Governance | Efficient, effective Council | 6 | 4 | 4 | Every year
Risk Management | Efficient, effective Council | 6 | 4 | 4 | Every year

B - Department Level

Human Resources and Facilities | Efficient, effective Council | 5 | 4 | 3 | Every two years
Law and Governance | Efficient, effective Council | 5 | 4 | 3 | Every two years
Corporate Assets | Vibrant, sustainable economy | 5 | 4 | 3 | Every two years
Housing | Meeting housing needs | 5 | 4 | 3 | Every two years
City Development | Stronger, active communities | 3 | 2 | 2 | Every three years
Policy, Culture and Communications | Vibrant, sustainable economy | 3 | 2 | 2 | Every three years
Oxford Direct Services | Cleaner, greener Oxford | 5 | 4 | 3 | Every two years
Environmental Development | Cleaner, greener Oxford | 3 | 2 | 2 | Every three years
Leisure and Parks | Stronger, active communities | 3 | 2 | 2 | Every three years
Customer Services | Efficient, effective Council | 4 | 3 | 3 | Every two years
Finance | Efficient, effective Council | 5 | 4 | 3 | Every two years
Business Improvement and Technology | Efficient, effective Council | 5 | 4 | 3 | Every two years

Key to frequency of audit work

Audit Requirement Rating | Timescale | Description
6, 5 and 4 | Every year | A review of processing and monitoring control design and operating effectiveness
3 | Every two years | A review of the design and operating effectiveness of monitoring controls
2 | Every three years | A review of the adequacy of breadth of monitoring controls and analytical review of the output of monitoring controls.
1 | No further work | n/a

Key sub-process audits are highlighted in the plan.

The audit requirement rating drives the frequency of an internal audit. Our recommended planning approach
involves scheduling an annual audit when the rating ranges from 6 to 4, an audit every two years when the
rating is 3 and an audit every three years when the rating is 2.
The internal audit budget of 220 days does not allow us to carry out audits on all systems at the frequency
which our methodology suggests, and we have flexed the frequency to meet the budget. The following
systems/departments will be audited less frequently than our methodology suggests:

- Policy, Culture and Communications
- Housing
- Leisure and Parks
- Customer Services

The Audit and Governance Committee should satisfy itself that this provides the assurance it requires.

3. Internal Audit Plan and
Indicative Timeline
Internal Audit Plan and Indicative Timeline
The following table sets out the internal audit work planned for 2012/13 together with indicative start dates for
each audit.

Columns: Ref | Auditable Unit | Indicative number of audit days | Comments

A Cross Cutting Systems

Value protection reviews

A.1 Debtors and Creditors (14 days)
Debtors:
- Raising sales orders
- Billing processes
- Debt Collection and Recovery
- Accounting for debtors
- Controls to manage the introduction of direct payments
- IT based testing (CAATs) and reporting of transactions against controls
Creditors:
- Order and invoice process
- Payments process
- Creditor system outputs
- Benefits realisation post implementation of P2P
- IT based testing (CAATs) and reporting of transactions against controls

A.2 Collection Fund (10 days)
Processes review to include:
- Calculation of liabilities
- Billing processes
- Debt Collection and Recovery
- Exceptions
- System integrity

A.3 Housing Benefits (7 days)
- Benefits processing
- Payment of benefits
- Quality checking
- Processes for implementing legislative changes regarding under-occupancy

A.4 Fixed Assets and General Ledger (12 days)
Fixed Assets:
- Asset Movement controls
- Management of Capital Programme
- Early substantive testing
- IT based testing (CAATs) and reporting of transactions against controls
General Ledger:
- Key control account reconciliations
- Input and output controls
- System enhancements
- System integrity
- IT based testing (CAATs) and reporting of transactions against controls

A.5 Budgetary control, Risk Management and Performance (15 days)
Budgetary control and efficiency savings:
- Budget setting
- Budget monitoring
- Management and monitoring of efficiency savings
Risk Management and Performance:
- Policies and Procedures
- Reporting and Monitoring of risk
- Risk Identification
- Embedding Risk Management
- Use of Performance Monitoring Software
- Use of increased functionality and access of integrated reporting

A.6 Governance (2 days)
- Risk based review of the Annual Governance Statement

A.7 IT General Controls (7 days)
- Agresso applications testing
- Academy applications testing
- Access and change/permission controls testing
- Other requests from External Audit

A.8 Fraud Risk Assessment (6 days)
- Fraud risk assessment diagnostic to identify areas of risk and controls in place to prevent and detect corporate fraud.
- Future needs assessment for benefits fraud given possible changes to the DWP Central Fraud Team

Value enhancement reviews

A.9 Cash and card payments (10 days)
- Are plans for becoming cash free robust?
- Are existing controls around cash adequate?
- Are existing controls around card payments adequate?
- How can they be improved for future proofing?

A.10 Grant payments (7 days)
- Review of approval arrangements for grants made by the Council
- Are controls over payments adequate?
- Are they being adhered to?

Subtotal: 90 days

B Department Level Reviews

Value protection reviews

B.1 Finance – Year end Support (5 days)
- Year end accounts support in June 2014

B.2 Direct Services - Car Parking (6 days)
- Cash Collection
- Accounting for income
- Excess charge notice processes
- Credit card payment

B.3 Community Development – Community Centres and Associations (10 days)
- Review of control arrangements from Council run centres through to Social Club arrangements.
- Review of funding arrangements and controls over cash
- Are there adequate leading arrangements?
- Are formal agreements reached over responsibilities and are these followed?

B.4 Corporate Property – Health and Safety (5 days)
- Are processes in place adequate?
- Are policies being adhered to?
- Is the system being kept up to date?
- Are roles, responsibilities and reporting requirements clear?
- Is data retention adequate?

B.5 Finance - Town Hall income (7 days)
- Review of controls under new management.
- Are accounting practices robust?
- Are income streams being recorded appropriately?

B.6 Business Improvement and Technology – System implementation (6 days)
- Windows 7 post implementation review
- Have lessons learned from the roll out been learned?
- Should process prevent disruption on future system roll outs?
- Includes liaison with County Council

Subtotal: 129 days

Value enhancement reviews

VE.1 Environmental Development – Carbon budgeting (10 days)
Two part review:
- Phase one to focus on learning from others through sharing good practice and benchmarking information
- Phase two to focus on reviewing improvements against the Council’s plans to improve beyond scope 1 compliance.

VE.2 Human Resources and Facilities – Payroll including Tax, NI and compliance (16 days)
Three phase review:
- Phase one to focus on a compliance audit of Tax and NI. Review to consider the Council’s approach to grossing up; to severance payments and other assumptions regarding taxable benefits.
- Phase two to validate the compliance with auto-enrolment and real time information requirements following implementation earlier in the year.
- Phase three to consist of a standard review of controls covering:
  - Starters and Leavers
  - Amendments to payroll
  - Processing payroll

VE.3 Direct Services - Income generation through DSOs (10 days)
- Is the reporting / charging / costing appropriate?
- Are quality assurance mechanisms adequate to manage the reputational risks of failing to deliver?
- Are bidding and tendering processes adequate to manage the financial risks to the Council?
- Is the impact on core business being managed?
- Are controls around billing adequate to avoid fraud and corruption?
- Are there signs that the budget is not achievable?
- Has VAT been fully considered?

VE.4 Law and Governance - Temple Cowley Pool (10 days)
- Were the processes followed efficient / best practice?
- Were costs incurred reasonable for the benefits gained by the Council?
- What could have been done to mitigate costs further?
- What skill sets does the Council need to respond to similar public interest in the future?

SUBTOTAL: 175 days
Follow up: 5 days
Audit Management: 25 days
Contingency: 15 days
2013/14 SUBTOTAL: 220 days

C 2012/13 Roll Forward

RF.1 Finance – Fixed Asset Register Implementation (5 days)
- Procurement of new system
- Completeness of transferred information
- Testing of accuracy of upload

RF.2 Corporate Asset – Asset Management Strategy (5 days)
- Independent review of the Corporate Asset Management Strategy prior to, and during, its refresh.
- Are assets being rationalized?
- Is the Council securing value from its assets?

2013/14 TOTAL: 230 days

Appendix 1: Corporate Objectives
and Risks
These corporate level objectives and risks have been determined by Oxford City Council as documented in the
‘Corporate Plan 2012-16’:

Objective | Cross reference to Internal Audit Plan (see Section 3)
Vibrant and sustainable economy | RF.2 Asset Management Strategy
Meeting housing needs | A.3 Housing Benefits
Strong, active communities | B.3 Community Centres and Associations
Cleaner, greener Oxford | VE.1 Carbon Budgeting
Efficient, effective Council | All of our cross cutting process reviews address this objective along with reviews in the following areas: B.2 Car Parking; B.5 Town Hall Income; B.6 System Implementation; VE.2 Payroll
The risks included in the table below are those reported within the Corporate Risk Register presented to the
Audit and Governance Committee on 28 February 2013:

Risk | Cross reference to Internal Audit Plan (see Section 3)

CRR-004: Delivery of key projects = ability to deliver cross cutting projects. People and the council are not developed sufficiently to make risk based decisions, carry out options appraisals. Decision making can be poor. Innovation is not encouraged, low risk appetite. | A.9 – Cash and Card Payments; VE.3 Income generation through DSOs

CRR-006: Supplier Management. Ability of the council to manage large contracts and to obtain best value from those contracts | VE.4 – Temple Cowley Pool; B.6 – System implementation

CRR-007: Health & Safety. Existence of operational risks (relating to internal as well as public concerns – property not vehicle) | B.4 Health and Safety – Corporate Property

CRR-012: Failure to achieve budget reductions over four year period. Inability to achieve savings in budget | B.5 - Town Hall income; VE.3 Income generation through DSOs

CRR-013: Impact on homelessness of changes in Housing Benefit. Changes in housing benefit and universal housing benefit increase homelessness | A.3 Housing Benefits

Appendix 2: Risk Assessment
Criteria
Determination of Inherent Risk
We determine inherent risk as a function of the estimated impact and likelihood for each auditable unit
within the audit universe as set out in the tables below.

Impact rating | Assessment rationale

6 Critical impact on operational performance (quantify if possible); or
Critical monetary or financial statement impact (quantify = materiality); or
Critical breach in laws and regulations that could result in material fines or consequences (quantify if
possible); or
Critical impact on the reputation or brand of the organisation which could threaten its future viability
(quantify if possible).
5 Significant impact on operational performance (quantify if possible); or
Significant monetary or financial statement impact (quantify = materiality /2); or
Significant breach in laws and regulations resulting in large fines and consequences (quantify if possible); or
Significant impact on the reputation or brand of the organisation (quantify if possible).
4 Major impact on operational performance (quantify if possible); or
Major monetary or financial statement impact (quantify = materiality /4); or
Major breach in laws and regulations resulting in significant fines and consequences (quantify if possible); or
Major impact on the reputation or brand of the organisation (quantify if possible).
3 Moderate impact on the organisation’s operational performance (quantify if possible); or
Moderate monetary or financial statement impact (quantify = materiality /8); or
Moderate breach in laws and regulations with moderate consequences (quantify if possible); or
Moderate impact on the reputation of the organisation (quantify if possible).
2 Minor impact on the organisation’s operational performance (quantify if possible); or
Minor monetary or financial statement impact (quantify = materiality /16 ); or
Minor breach in laws and regulations with limited consequences (quantify if possible); or
Minor impact on the reputation of the organisation (quantify if possible).
1 Insignificant impact on the organisation’s operational performance (quantify if possible); or
Insignificant monetary or financial statement impact (quantify = materiality /32); or
Insignificant breach in laws and regulations with little consequence (quantify if possible); or
Insignificant impact on the reputation of the organisation (quantify if possible).

Likelihood rating | Assessment rationale

6 Has occurred or probable in the near future

5 Possible in the next 12 months

4 Possible in the next 1-2 years

3 Possible in the medium term (2-5 years)

2 Possible in the long term (5-10 years)

1 Unlikely in the foreseeable future

Appendix 3: Detailed methodology
Step 1 - Understand corporate objectives and risks
In developing our understanding of your corporate objectives and risks, we have:
- reviewed your Corporate Plan and Strategic Risk Register;
- drawn on our knowledge of Local Government; and
- met with a number of senior managers and members.

Step 2 - Define the Audit Universe


In order that our internal audit plan reflects your management and operating structure we have identified the
audit universe for Oxford City Council made up of a number of auditable units. Auditable units include
functions, processes, systems, products or locations. Any processes or systems which cover multiple locations
are separated into their own distinct cross cutting auditable unit.

Step 3 - Assess the inherent risk


Our internal audit plan should focus on the most risky areas of the business. As a result each auditable unit is
allocated an inherent risk rating i.e. how risky the auditable unit is to the overall organisation and how likely the
risks are to arise.

The inherent risk assessment is determined by:

- mapping the corporate risks to the auditable units;
- our knowledge of your organisation and its sector; and
- discussions with management.

Inherent risk rating (rows: Impact Rating; columns: Likelihood Rating)

Impact \ Likelihood   6   5   4   3   2   1
6                     6   6   5   5   4   4
5                     6   5   5   4   4   3
4                     5   5   4   4   3   3
3                     5   4   4   3   3   2
2                     4   4   3   3   2   2
1                     4   3   3   2   2   1

Step 4 - Assess the strength of the control environment


In order to effectively allocate internal audit resources we also need to understand the strength of the control
environment within each auditable unit. This is assessed based on:
- our knowledge of your internal control environment;
- information obtained from other assurance providers; and
- the outcomes of previous internal audit reviews.

Step 5 - Calculate the audit requirement rating
The inherent risk and the control environment indicator are used to calculate the audit requirement rating. The
formula ensures that our audit work is focused on areas with a high reliance on controls or a high residual risk.

Audit requirement rating (rows: Inherent Risk Rating; columns: Control design indicator)

Inherent Risk \ Control   1     2     3     4     5     6
6                         6     5     5     4     4     3
5                         5     4     4     3     3     n/a
4                         4     3     3     2     n/a   n/a
3                         3     2     2     n/a   n/a   n/a
2                         2     1     n/a   n/a   n/a   n/a
1                         1     n/a   n/a   n/a   n/a   n/a
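The two lookup tables above (Step 3 and Step 5) and the frequency key in Section 2 can be run end to end. The block below is an added illustration, not PwC's or the Council's own tooling; the inherent risk and control indicator values it feeds in are those printed in the Section 2 table, while the impact/likelihood pair used at the top is a constructed example, since the page publishes only the resulting inherent risk ratings.

```python
"""Audit requirement rating and review frequency, following the lookup tables
in Appendix 3 (Steps 3 and 5) and the frequency key in Section 2.

Added illustration only, not part of PwC's or the Council's own tooling.
"""
from typing import Optional

# Step 3: inherent risk = f(impact, likelihood). Rows are impact 6..1,
# columns are likelihood 6..1, in the order printed in Appendix 3.
_INHERENT = {
    6: (6, 6, 5, 5, 4, 4),
    5: (6, 5, 5, 4, 4, 3),
    4: (5, 5, 4, 4, 3, 3),
    3: (5, 4, 4, 3, 3, 2),
    2: (4, 4, 3, 3, 2, 2),
    1: (4, 3, 3, 2, 2, 1),
}

# Step 5: audit requirement = f(inherent risk, control environment indicator).
# Rows are inherent risk 6..1, columns are control indicator 1..6; None is "n/a".
# Every n/a cell is one where the control indicator exceeds the inherent risk.
_AUDIT_REQ = {
    6: (6, 5, 5, 4, 4, 3),
    5: (5, 4, 4, 3, 3, None),
    4: (4, 3, 3, 2, None, None),
    3: (3, 2, 2, None, None, None),
    2: (2, 1, None, None, None, None),
    1: (1, None, None, None, None, None),
}

# Section 2 key: audit requirement rating -> review frequency.
_FREQUENCY = {6: "Every year", 5: "Every year", 4: "Every year",
              3: "Every two years", 2: "Every three years", 1: "No further work"}


def _check_scale(name: str, value: int) -> None:
    """All ratings on this page are integers on a 1..6 scale."""
    if not isinstance(value, int) or not 1 <= value <= 6:
        raise ValueError(f"{name} must be an integer from 1 to 6, got {value!r}")


def inherent_risk(impact: int, likelihood: int) -> int:
    """Step 3 lookup: impact rating selects the row, likelihood the column."""
    _check_scale("impact", impact)
    _check_scale("likelihood", likelihood)
    return _INHERENT[impact][6 - likelihood]  # columns run 6,5,...,1


def audit_requirement(inherent: int, control: int) -> Optional[int]:
    """Step 5 lookup. Returns None where the page's matrix shows n/a."""
    _check_scale("inherent risk", inherent)
    _check_scale("control indicator", control)
    return _AUDIT_REQ[inherent][control - 1]  # columns run 1,2,...,6


def frequency(rating: Optional[int]) -> str:
    """Section 2 key; an n/a rating has no frequency and needs reassessment."""
    return "n/a (reassess inputs)" if rating is None else _FREQUENCY[rating]


def plan_row(unit: str, inherent: int, control: int) -> dict:
    """One line of the Section 2 risk assessment table."""
    rating = audit_requirement(inherent, control)
    return {"unit": unit, "inherent": inherent, "control": control,
            "audit_requirement": rating, "frequency": frequency(rating)}


# Inherent risk and control indicator as published in the Section 2 table.
SECTION_2_UNITS = [
    ("General Ledger", 6, 4), ("Debtors", 6, 3), ("Treasury Management", 5, 4),
    ("VAT", 3, 3), ("Customer Services", 4, 3), ("City Development", 3, 2),
]


def build_plan() -> list:
    return [plan_row(*unit) for unit in SECTION_2_UNITS]


if __name__ == "__main__":
    # Constructed input: critical impact (6) that is possible in the next
    # 12 months (likelihood 5) gives inherent risk 6 under the Step 3 matrix.
    print("inherent risk for impact 6 / likelihood 5:", inherent_risk(6, 5))
    for row in build_plan():
        print(f"{row['unit']:<22} IR={row['inherent']} CE={row['control']} "
              f"AR={row['audit_requirement']}  {row['frequency']}")
```

The audit requirement and frequency the block derives for each unit match the values printed in the Section 2 table, which is a useful check that the two matrices and the key were transcribed consistently.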

Step 6 - Determine the audit plan


Your risk appetite determines the frequency of internal audit work at each level of audit requirement. Auditable
units may be reviewed annually, every two years or every three years.

In some cases it may be possible to isolate the sub-process(es) within an auditable unit which are driving the
audit requirement. For example, an auditable unit may have been given an audit requirement rating of 5 because of
inherent risks with one particular sub-process, while the rest of the sub-processes are lower risk. In these cases it
may be appropriate for the less risky sub-processes to have a lower audit requirement rating and be subject to
reduced frequency or lower intensity of audit work. The sub-processes driving the audit requirement are
highlighted in the plan as key sub-process audits.

Step 7 - Other considerations


In addition to the audit work defined through the risk assessment process described above, we may be
requested to undertake a number of other internal audit reviews such as regulatory driven audits, value
enhancement or consulting reviews. These have been identified separately in the annual plan.

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers
LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone,
other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if
any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance.
© 2013 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a
limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers
International Limited, each of which is a separate and independent legal entity.