To ask the Secretary of State for Foreign and Commonwealth Affairs what criteria (a) his Department and (b) its public bodies use when deciding whether and when to hold an internal audit; and if he will make a statement.
The Foreign and Commonwealth Office (FCO) Internal Audit Department provides internal audit services to the Foreign and Commonwealth Office, its Executive Agency (Wilton Park) and Trading Fund (FCO Services). This activity provides their accounting officers with an overall opinion on risk management, control and governance arrangements, as required by HM Treasury. For each of these bodies a discrete annual programme of work is agreed with their Audit Committee and the Permanent Under-Secretary (FCO) or Chief Executives of FCO Services and Wilton Park, as appropriate. The criteria used for deciding what to audit and when are as follows.
FCO Internal Audit works in the context of the FCO's risk management framework, an approach generally known as risk-based internal auditing. There is an annually agreed strategy setting out which areas of the FCO should be audited. There are two distinct approaches within the strategy: one for the risks in the UK and the other for overseas risk. For the home programme the strategy takes account of FCO risk registers, known and expected business change, input from FCO Directors and the risk of fraud and reputational damage. For the overseas network a risk model is used to help prioritise posts in terms of risk. Within any given year, the timing of an actual audit is at the discretion of the auditor leading it, unless management has expressed a particular view (i.e. because of the timing of other reviews or anticipated changes to the systems in question). Other issues around timing include logistics and, overseas, security. FCO Internal Audit also conducts some audits without notice.
The methodology for selecting audits is very similar to the FCO except that FCO Services adopts a three-year strategy (with an annual review) and audits are carried out exclusively in the UK. The methodology to populate the strategy with individual audits is risk based and takes account of FCO Services risk registers, discussion with senior management, forward objectives, key performance indicators and a review of other sources of assurance. Within any given year the timing of an actual audit is at the discretion of the auditor leading it unless management has expressed a particular view which it would be sensible to accommodate.
FCO Internal Audit prepares a three-year strategy which is then reviewed and approved each year by the Audit Committee and Chief Executive. The methodology to populate the strategy with individual audits is risk based and takes account of business changes and input from the Finance and Operations Directors. It takes account of the risk of fraud and reputational damage and considers all other sources of assurance. Audits are carried out exclusively in the UK and the exact timing of an audit is a collaborative decision involving Wilton Park senior staff and the lead auditor. Timing takes into account seasonal peaks in business activity and the availability of audit staff.