Scottish Public Finance Manual

The Scottish Public Finance Manual (SPFM) is issued by the Scottish Ministers to provide guidance on the proper handling and reporting of public funds.


Internal audit

Scope

1. This section gives guidance on internal audit arrangements and procedures. The guidance is aimed at all organisations to which the Scottish Public Finance Manual (SPFM) is directly applicable, including the core Scottish Government (SG), the Crown Office and Procurator Fiscal Service, SG Executive Agencies, non-ministerial departments and bodies sponsored by the SG.

Key points

2. Internal audit should provide an independent, objective assurance and consulting service designed to add value and improve an organisation's operations. It should provide an appraisal of an organisation's governance, risk management and internal control system and take the action needed to provide Accountable Officers with a continuing assurance that the organisation's risk management, control and governance arrangements are adequate and effective.

3. Accountable Officers are responsible for ensuring that appropriate internal control systems exist within their own organisations (or parts thereof), and for deciding whether or not to accept and implement internal audit findings and recommendations.

4. Internal audit evaluates compliance with an organisation's internal control system - including relevant regulations, guidance and procedures - as part of its review process. However, the primary responsibility for monitoring compliance rests with operational areas and their line management, up to and including the relevant Accountable Officer.

5. Entities or individuals involved in the external audit of an organisation should only undertake non-external audit related work for the same organisation in exceptional circumstances.

Background

6. Internal audit should provide an independent, objective assurance and consulting service designed to add value and improve an organisation's operations. It should provide an appraisal of an organisation's governance, risk management and internal control system and take the action needed to provide Accountable Officers with a continuing assurance that the organisation's risk management, control and governance arrangements are adequate and effective. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. The operation and conduct of internal audit should comply with Public Sector Internal Audit Standards.

7. Accountable Officers are responsible for ensuring that appropriate internal control systems exist within their own organisations (or parts thereof), and for deciding whether or not to accept and implement internal audit findings and recommendations. Accountable Officers have overall responsibility for ensuring that prompt and effective action is taken on recommendations, and that the risks resulting from inaction are recognised and accepted. The organisation's Head of Internal Audit should have the right of direct access to the Accountable Officer and the organisation's Audit Committee.

8. Internal audit evaluates compliance with an organisation's internal control system - including relevant regulations, guidance and procedures - as part of its review process. However, the primary responsibility for monitoring compliance rests with operational areas and their line management, up to and including the relevant Accountable Officer.

Internal control system

9. The internal control system comprises the whole network of systems established in an organisation to provide reasonable assurance that organisational objectives will be achieved, with particular reference to:

  • governance arrangements;

  • risk management;

  • the effectiveness of operations;

  • the economical and efficient use of resources;

  • compliance with applicable policies, procedures, laws and regulations;

  • safeguards against losses, including those arising from fraud, irregularity or corruption; and

  • the integrity and reliability of information and data.

10. Internal audit should not have responsibility for executive functions or for the development or implementation of systems. Internal audit may, however, serve as a valuable source of advice on systems of risk, governance and control without impairing its objectivity and independence.

Internal audit process

11. Internal audit should:

  • analyse the governance, risk management and internal control system and establish a risk based assurance programme;

  • identify and evaluate the controls which are established to achieve objectives in the most economic, effective and efficient manner;

  • report findings and conclusions and, where appropriate, make recommendations for improvement;

  • provide an opinion on the controls under review; and

  • provide an assurance based on the evaluation of the governance, risk management and internal control system within the organisation as a whole. 

Internal audit assurance

12. An annual audit assurance is provided to Accountable Officers through the professional opinion of the Head of Internal Audit (or equivalent) on the adequacy and effectiveness of the governance, risk management and internal control system operating in the organisation. That opinion is contained in an annual report from the Head of Internal Audit to the organisation's Audit Committee, and forms part of the assurance required by Accountable Officers to enable them to sign a governance statement as part of the accounts for which they are directly responsible. The assurance framework relating to the SG is described in the section of the SPFM on Certificates of Assurance.

Internal / external audit relationship

13. Close working relationships should be established and maintained between an organisation's internal and external auditors. The two types of auditor should consult each other and co-operate in order to seek opportunities to avoid duplication of work and achieve an efficient use of audit resources.

Internal Audit will also look to work closely with other providers of independent assurance, such as through Gateway Reviews, in order to maximise the efficiency of assurance related resources.

Entities or individuals involved in the external audit of an organisation should only undertake non-external audit related work for the same organisation in exceptional circumstances. This separation of external audit and non-external audit related work safeguards against conflicts of interest and the possible loss of objectivity and independence.

 

Updated: December 2018
