INTERNAL AUDIT PROTOCOL Appendix E

PLANNING Risk Based Audit Plan

Auditors are allocated audit engagements from the plan. They research the audit area
Audit Assigned
and meet the client to understand relevant strategies, objectives and risks. A risk
assessment informs the audit objectives and approach.
Research & Scoping
Control Stage 1 (Audit Planning) – The risk assessment is reviewed by a member of the
audit management team, and used to develop the audit terms of reference (TOR)

The TOR is issued: it sets out the area/s under review, the objectives, approach and
records required. The TOR is sent to the relevant management (Line Management, OM Audit Planning - Risk Assessment
(and Director, where appropriate)). The audit fieldwork will commence as set out in
the TOR.
Terms of Reference
NB – For consultancy services, the guidance / support is planned with management
directly, with the objectives documented for significant engagements. There will be
regular dialogue with the reviewing manager throughout the audit, but only formal
control stage 4 will apply (Post Audit Review).
Commence Fieldwork
FIELDWORK
Audit visits are normally pre-arranged to help minimise disruption. Any significant
issues will be raised as soon as they are identified. The main findings will be discussed Pit Stop
at the end of the visit or shortly afterwards.

Control Stage 2 (Audit Fieldwork) – An audit ‘pit-stop’ is held with the senior team
member mid-way through the audit as a quality assurance and progress check. A full Fieldwork Completed & Quality
quality assurance review is completed once fieldwork is completed and the draft audit Assurance Reviewed
opinion, output and recommendations are prepared.

Once fieldwork completed and a review undertaken, a decision will be made whether
to issue a formal Report or an Action Plan, depending on the overall ‘Audit Opinion’.
Audit Opinion
REPORTING
The audit output prepared depends on the audit opinion:
o An Action Plan – For Effective or Effective with Opportunity for Improvement Effective or Effective with Insufficient with major
opportunity for improvement needed or
audit opinions (where recommendations are raised);
improvement Unsatisfactory
o A Report and Action Plan – for Insufficient with Major Improvement or
Unsatisfactory audit opinions.

Control Stage 3 (Audit Reporting) – Where the audit opinion is Insufficient with Major Audit Management Team
Review
Improvement or Unsatisfactory, the draft report will be considered by the Audit
Management Team prior to being issued.

Draft Reports / Action Plans are discussed with Client Manager and comments Action Plan Draft Report
considered in any Final Report / Action Plan. Management responses to audit
recommendations are recorded in the Action Plan.

Final report or Action Plan issued to the Director, OM/Line Manager and an Discuss & Agree Draft Action Plan /
opportunity to discuss the report or provide comments is provided. Any Report with Client
recommendations not agreed are referred to the Director for consideration.

Control Stage 4 (Post Audit Review) – Upon conclusion of each audit, the auditor, and Issue Final Report/Action Plan
a senior team member review the auditor’s performance. A client satisfaction survey is
used to identify the audit delivery and value from the client’s perspective.
Development needs are progressed.
Begin Tracking Recommendations
The Audit Manager reports the summary findings of Insufficient and Unsatisfactory
reports to the Chief Executive and the Audit Committee. For all Unsatisfactory reports,
an Executive Summary is prepared, discussed with the Chief Executive and Section 151
Officer, and reported to the relevant Portfolio Cabinet Member(s) and the Audit Post Audit Review
Committee.

RESPONSE
For Unsatisfactory Audits
Recommendations are added to the ‘Recommendation Tracker’ in SharePoint, through
which management provide progress updates and, for ‘red’ or ‘red/amber’ actions, Executive Summaries Circulated to:
also submit evidence of delivery. The recommendation tracker is reported to each • Portfolio Cabinet Member(s); &
Audit Committee meeting, and discussed in Director Relationship Manager Meetings. • Audit Committee.
All Unsatisfactory Audit Opinion Reports will be scheduled for an audit follow-up six NB. Executive Summaries are publically
months after the audit conclusion. available