Systems Based Auditing Control Matrices: Series 6

It is essential that systems are tested to provide management with assurance that effective internal controls are in place and working, and as a means of supporting the corporate governance process. In local government’s case, there is a further need to provide evidence for completion of the required new annual Governance Statement necessary, in England, to comply with the Accounts and Audit Regulations.

Series 5 in this popular series of Systems Based Auditing (SBA) Control Matrices was groundbreaking in that it covered five critical non-financial systems, including Enterprise Risk Management (ERM) that was based upon COSO’s ERM – Integrated Framework (2004).

This sixth series of Systems Based Auditing features the following four critical non-financial systems (the first three of which are closely linked to ERM):

• Business continuity management
• Information technology service continuity management
• Civil emergencies
• Performance indicators and data quality.

The value of risk management is now widely recognised. The need for business and service continuity, however, has not attracted the same attention even though it is far more important. Whilst risk management may/can reduce the impact and likelihood of an event, some events are bound to happen. It is essential, therefore, that continuity plans and procedures are prepared and in place in order to ensure prompt recovery and resumption, and thereby survival of the business concerned.

Once again, these control matrices have been written by Exeter City Council’s expert team of practitioners, winners of the CIPFA 2007 Sir Harry Page Technical Innovation Merit Award, using their ‘risk based’ SBA approach. The purpose of these new matrices is to enable internal auditors to further embrace and deliver with confidence audits beyond the traditional finance systems.

As is the norm, the control matrices are non-sector specific (with the exception of Civil Emergencies which only applies to local authorities) and are therefore suitable for use in the public, private and voluntary sectors.

The control matrices are delivered to you as a zip file containing the PDF and the Word files, to enable flexibility of use and tailoring to local circumstances. The PDF comes with a licence for the purchaser to network the matrices throughout the acquiring organisation.

These award winning control matrices are unrivalled in the practical support they lend to the provision of assurance to management, internal audit and external audit alike that crucial systems of internal control are not just adequate, but effective too.