Systems Based Auditing Control Matrices: Series 5

It is essential that systems are tested to provide management with assurance that effective internal controls are in place and working, and as a means of supporting the corporate governance process. In local government’s case, there is a further need to provide evidence for completion of the required annual Statement on Internal Control.

The fifth in the series of Systems Based Auditing (SBA) Control Matrices features the following critical non-financial systems:

• Enterprise risk management
• Health and safety
• Data protection
• Freedom of information
• Records management

These control matrices have been written by Exeter City Council’s expert team of practitioners using the ‘risk based’ SBA approach they devised. The starting point is identifying hazards and possible consequences (using a Hazard Identification Document) so that risks can be considered and properly evaluated.

The purpose of these matrices is to enable internal auditors to embrace and deliver with confidence their remit to audit beyond the traditional finance systems. It is very important that the terms ‘finance systems based auditing’ and ‘systems based auditing’ are not confused. The former refers to the type of systems being audited (ie creditors, payroll, debtors and the like), whilst the latter refers to the audit methodology used (ie identifying possible hazards and expected mitigating controls/countermeasures, and testing that the controls/countermeasures are in place and effective).

The control matrices are non-sector specific (with the exception of freedom of information that only applies to the public sector) and are therefore suitable for use in the private as well as the public sector. Particular mention should be made of the risk management matrix that has been written with reference to, and with the AICPA’s kind permission uses some of the main and sub-headings in, the COSO Enterprise Risk Management – Integrated Framework.

The control matrices are delivered to you as a zip file containing the PDF and the Word files, to enable flexibility of use and tailoring to local circumstances. The PDF comes with a licence for the purchaser to network the matrices throughout the acquiring organisation.

Ultimately, these control matrices are unrivalled in the practical support they lend to the provision of assurance to management, internal audit and external audit alike that crucial systems of internal control are not just adequate, but effective too.