
 

Our Vision

An effective internal audit function in HRM.

Enhanced public trust.

Our Mission


To add value and improve operations within HRM by assisting Council in their governance and oversight responsibilities and management in the effective discharge of their duties and responsibilities by providing them with objective and independent analyses, appraisals, recommendations, counsel and information with respect to governance, accountability, risk management and performance.

To support a local government that is seen to be open, accountable and responsive because citizens understand the decisions that affect the quality of their lives and their finances.

HRM Mandate and Goals

Business Systems and Control supports the organization's goals in many ways.

Governance
We evaluate and report on these outcomes:

  • Citizens are satisfied that HRM Vision and priorities have been implemented.
  • Citizens are confident in the governance and management of HRM.
  • HRM has sound financial management practices.

Service Delivery
We evaluate and report on these outcomes:

  • Citizens are satisfied with the levels of services received from HRM.
  • Citizens are satisfied with the quality of services received from staff and Council.

Healthy, Sustainable, Vibrant Communities
We evaluate and report on these outcomes:

  • Preservation of the environment
  • Development is appropriately planned and fiscally sustainable

Public Safety
We evaluate and report on these outcomes:

 
  • Buildings, properties and infrastructure in HRM are safe, healthy, and well maintained.
  • Reasonable amount spent to maintain buildings, properties and infrastructure.

How we measure our success

1. a) Number of requests for information/documents;
   b) Number of recommendations implemented, where the change is measurable and achieves the intended effect;
   c) Recognition by related professional association such as the IIA, NALGA, CALGA.

2. a) Survey of external and internal clients indicating level or improvement in trust in completed work;
   b) Peer Review which indicates that level of trust in completed work is high or improving.

 

 

Charter

This charter is established under the authority of the Chief Administrative Officer of the Halifax Regional Municipality.

The charter establishes the purposes, authorities and responsibilities of the business systems and control function so that it can provide an effective and value added service to the HRM.

Objective:

The Business Systems and Control Group's overall objective is to assist management of the Halifax Regional Municipality in the effective discharge of their duties and responsibilities by providing them with objective analyses, appraisals, recommendations, counsel and information concerning the activities reviewed. In meeting this objective, the group will comprise two roles:

  1. Business Advisory role
  2. Policy Compliance role
  1. Business Advisory:
    • To conduct managerial, financial, operational and investigative studies for HRM business units and related bodies to provide recommendations for the enhancement of business outcomes and processes. The recommendations will result from the group working as agents of change through the promotion of continuous improvement and cost-effective innovative solutions.
    • To coordinate and monitor the delivery of operational and program studies undertaken by business units, conducted internally and/or externally.
    • To provide consulting services which assist staff in designing management accountability systems and re-engineering operations. Advise and provide input relating to efficiency, effectiveness and control factors that will be identified through participation in corporate and business unit initiatives on a pro-active basis.
  2. Policy Compliance
    • To review existing HRM policies and recommend improvements and/or requirements for additional policies.
    • To review corporate policies relating to compliance with laws and regulations, ethics, and conflicts of interest.
    • To carry out special internal audit assignments ranging from consulting work to investigating suspected fraud or wrongdoing.

Business and Audit Standards

Confidentiality - Information that is gained during the course of an assignment is confidential and will not be used or conveyed for purposes outside the scope of approved responsibilities. Special arrangements will be made when examining confidential items to ensure confidentiality is maintained.

  1. Business Advisory
    Management Consulting services will be undertaken, as follows:
    1. Collaborative and facilitative approach
    2. Problem-solving approach.
    3. Reporting must be timely, honest and objective.
    4. Studies must be performed with proficiency and due professional care.
  2. Policy Compliance
    Internal Auditing will be conducted in a manner consistent with the Standards for Professional Practice of Internal Auditing issued by the Institute of Internal Auditors.

    Specific standards to be followed include:

    1. The Business Systems and Control Group must be independent of the activities they review and audit and must maintain an independent outlook.
    2. Reporting must be timely, honest and objective.
    3. Reviews must be performed with proficiency and due professional care.
    4. Evidence supporting audit/review observations must be sufficient, reliable, competent and appropriate to the review topic.
    5. The Group will maintain a quality assurance program to review the Business Systems and Control operations to ensure that the work complies with this charter and solicit an external quality review at least once every three (3) years unless limited resources or other unforeseen factors justify a different interval. The review will determine compliance with the standards incorporated into this charter and shall be conducted by qualified, objective persons who are independent of the HRM's functions and activities.

    Reporting Structure

    Effective March 2, 2006, the function of Business Systems and Control has been realigned directly under the Chief Administrative Officer with a direct reporting line to the Audit Committee of Council.

    As part of the annual business planning process, the annual work plan will be reviewed and approved by the Chief Administrative Officer and reflected in the annual business plan for the Business Unit.

    For the purposes of administration of the day-to-day function, the Business Systems and Control Group will report to the Director of Finance (changed effective March 2, 2006). Specifically, in the area of work plans, business plan and budget, achievement of goals and objectives and human resources and personal performance.

    For the purposes of reporting on findings and recommendations, the Group will report to the respective Business Unit Director and the Chief Administrative Officer through to the Audit Committee.

    Authority

    To the extent permitted by law, the Business Systems and Control Group shall have access to all activities, properties, personnel, and records which are relevant to an area under study or review.

    Independence

    1. Business Advisory
      Independence in where and how facts are gathered regarding a specific business study and the ability to make unabridged and appropriate recommendations is integral to the success of this function. In delivering Business Advisory services, we will attempt to provide reasonableness tests to maintain a level of objectivity and independence.
    2. Policy Compliance
      Independence reflects freedom to determine audit or assurance scope and to perform the appropriate scope of work.

    The Business Systems and Control Group shall be free from control or undue influence in:

    1. the selection and application of audit techniques, procedures and programs;
    2. the interpretation of facts revealed by the examination or in the development of recommendations or opinions;
    3. the selection of areas, activities, personal relationships and managerial policies to be examined; and
    4. the selection of legitimate sources of information, records and other materials needed to perform the required services.

    Objectivity

    Objectivity is an essential element of independence and must exist in both Management Consulting and Internal Auditing.

    Staff of Business Systems and Control will only participate in an advisory capacity in the planning, development, implementation and modification of business systems - computerized or manual. In addition, where required, staff will test the reasonableness of assumptions and/or relevant findings for material bias.

    Management Responsibilities

    Management of HRM accept, as a partner, the Business Systems and Control Group, and agree to participate fully in the process of determining areas of opportunity and business risk for the HRM. Management understands that they are the owner of the processes, opportunities and business risks and it is their responsibility to exploit opportunity and control underlying business risks, not the Business Systems and Control Group.

 

Policies and Guidelines

 

Admin Order 40 - Illegal and Irregular Conduct Policy, approved by Council June 27, 2006

Admin Order 41 - Ethical Code of Conduct Policy, approved by Council June 27, 2006.

Presentation - Ethics and the Public Servant

Release and Reporting of Audit Findings Guidelines

 

Risk Management

Enterprise Risk Management

Introduction:

Every day, managers and employees practice risk management by making decisions on what to do, how to do it and when to do it. In both our personal and business lives our decisions are based on a variety of factors. Do I have the time? Do I have the money? Do I need help to accomplish this? Enterprise risk management is a change in philosophical focus from the "I" to the "we." Does the organization have the capacity? Has the organization set aside the funds? Will this impact on other business units?

Enterprise risk management is not just a passing trend. It is here to stay and is being driven by both governance issues and the demands of the citizen. Public sector organizations such as Human Resources and Development Canada, the Auditor General of Canada, Treasury Secretariat Board and ACOA have successfully embraced enterprise risk management.

Risk management does not have to be complex or a heavy resource user. It can be tailored to meet the needs of the organization in its early stages and modified as the level of sophistication and comfort with the process grows.

It is a systematic and proactive approach to managing risk. This means that high risk exposure areas are understood, managed and controlled to an acceptable level of exposure so that the organization is properly protected to minimize negative consequences. It allows the organization to focus on what is important to control versus what is easy to control.

What gets in the way of an effective risk management process:

  • Too narrow a focus on risk
    • Extend focus from financial risk to include non-financial risk at the strategic, business, process and "control-culture" levels
    • Don’t just focus on the "comfortable" areas
  • Failure to manage risk complexity and materiality
    • Support enterprise-wide consistency, yet provide opportunity for local customization
    • Set parameters to ensure focus is on the most critical risks rather than every risk
    • Use materiality factors based on risk tolerance
  • Complex reporting and communications
    • Develop a communication plan early in process
    • Use simple, colour-coded charts
  • Unclear accountability for risk
    • Allocation of accountability usually performed after the "event"
    • Establish accountability (ownership) for risk management to appropriate operational managers
    • Create linkages to compensation
    • Ensure appropriate executive sponsorship
    • Need one clear owner (at executive level)
  • Undefined roles and responsibilities
    • Executive committee must set direction and strategy
    • Executive management must accept residual risk
    • Senior management must accept ownership of risk
    • Risk Policy & support through the development of guidelines, tools and measurement
    • Operations management responsible for identifying, assessing, mitigating, monitoring and asserting
    • Business Systems and Control must perform periodic assessment and assurance

Integration with Business Planning, HRM Scorecard:

A fully integrated risk management program is an effective program. It can "enable managers at key levels to identify, assess and manage risk inherent in their strategies, businesses and processes through a learning cycle of scanning, looking ahead, assessment and action." The following slide from the 2003 Atlantic Conference put on by Deloitte & Touche captures the extent of the integration available through an effective enterprise risk management program.

The Importance of Integration

Benefits of an integrated risk management approach include:

  • alignment of risk at all levels to strategic objectives
  • accountability for and ownership of risk management
  • an ability to foresee and predict risk occurrence, and take preventative action - minimize costly time "fighting fires."
  • optimize risk taking by the organization
  • addresses control culture issues
  • the capability to aggregate and correlate information about the current state of risk exposure at strategic, operating and process levels.

Direct Benefits of Risk Management include:

No Surprises - Early Warning Systems

  • Identify, assess and prioritize risks
  • Install appropriate control processes and information
  • Promote organizational learning and knowledge transfer

Effective Responses - Good Reactions

  • Integrate risks into planning and decision-making
  • Strategically reduce exposure levels to acceptable levels
  • Rapidly respond to issues and reduce negative impacts

Greater Chance of Success - Better Outcomes

  • Maximize chances of achieving objectives
  • Improve ability to anticipate and prepare for change

Risk Management Levels:

Current practitioners have quantified five levels of risk management in an organization.

Risk Management Levels

For the business planning year 2003/04, the Business Systems and Control Group will be applying a risk assessment tool to the issues and goals identified during the business planning process. However, this is only one step on the path to an integrated risk management approach.

Applying the Methodology:

  1. Conduct a diagnostic which measures the extent to which the organization has implemented risk management by comparison to best practices.
    • The organization has identified important risks and risk management priorities
    • The organization has established roles and responsibilities for risk management
    • The organization is applying an integrated approach for risk management
    • The organization develops an integrated approach for risk management

    The Business Systems and Control Group used HRM's 2003/04 business planning process to determine the general level of understanding of "risk management" across the organization. Managers tended to focus on outcomes rather than the events when considering the element of risk and as a result, most likely define risk differently. Best practice recommends a common definition of risk, defined risk tolerances, regular scanning of the environment, formal assessment and monitoring. Currently, the HRM does not practice a formal risk management program.

  2. Assess organizational culture

    Best practice suggests using the Criteria of Control Framework (COCO) of CICA. This includes identification and measuring the organization's attributes of purpose, commitment, capability and learning and monitoring.

  3. Develop a risk profile which involves the identification, analysis, assessment and prioritization of risk and determining if risk exposures should be further reduced.

    The risk assessment tool and approach developed by Business Systems and Control will provide a basic framework for completing a risk profile. It has been designed to assess environmental, process and decision-making risk factors under the umbrella of the Corporate Goals of Excellence in Governance, Excellence in Service Delivery, Safe Communities and Healthy, Vibrant & Sustainable Communities.

  4. Design an Integrated Risk Management Model which must involve all elements of risk and the managing stakeholders. Risk factors extend beyond financial issues as can be seen in the Corporate Goals categories.

Design an Integrated Risk Management Model

Piloting and implementing the model in one business unit prior to full roll-out across the organization is the best practice approach.

At this time, the risk assessment tool will be used across the organization prior to developing a full risk management model. This exercise will introduce the subject of enterprise risk management and develop the link between the HRM Scorecard and risk management. It will provide further information on the level of familiarization of the participants with risk management which can be used to design and implement an appropriate risk management model for the HRM.

Vision For The Future:

Preliminary Identification of Potential Risk Category and Training Areas:

  1. Legal Issues
    • Governance structure - Nova Scotia Municipal Government Act, Fed, By-laws, Policies
    • Conflict of Interest
    • Personal Liability, culpability
    • Organizational Liability, culpability
  2. Property Issues
    • Self-insurance
    • Claims
    • Tangible Assets
  3. Human Resources
    • Due Diligence (Safety)
    • Duty to Accommodate
    • Case Management
    • Knowledge Capital
  4. Stewardship
    • Misappropriation
    • Effectiveness - performance
    • Efficiency measures (HRM Scorecard)
  5. Opportunities
    • Identification
    • Measurement model (cost/benefit)
    • Establishment of risk tolerance policy

The preferred approach would be to establish a cross-functional team composed of experts in the identified topics. Business Unit involvement would be requested from:

  • Legal Services
  • Police Services
  • Fire Services
  • Human Resources
  • Health and Safety, Organizational Development, Total Compensation
  • Financial Services
  • Business Planning, Business Systems and Control, Accounting, Procurement Services
  • Real Property and Asset Management Services
  • Governance Services

Over a period of one to two years, the cross-functional team would:

  • Identify the specific training needs and prioritize these needs based on greater residual risk to the organization's objectives
  • Develop topic specific training modules
  • Develop an implementation plan which may include the coordination and/or direct provision of training
  • Develop on-going monitoring structure to ensure all new employees receive appropriate risk management training

 

Definitions

Audit Objectives are broad statements developed by internal auditors and define intended audit accomplishments.

Audit Scope refers to the activities covered by an internal audit. Audit scope includes, where appropriate:

  1. Audit Objectives
  2. Nature and extent of auditing procedures performed
  3. Time period audited
  4. Related activities not audited in order to delineate the boundaries of the audit.

Auditable Activities consist of those subjects, units, or systems which are capable of being defined and evaluated. Auditable activities may include:

  1. Policies, procedures, and practices.
  2. Cost centres, profit centres, and investment centres.
  3. General ledger account balances.
  4. Information systems (manual and computerized.)
  5. Major contracts and programs.
  6. Organizational units such as product or service lines.
  7. Functions such as information technology, purchasing, marketing, production, finance, accounting, and human resources.
  8. Transaction systems for activities such as revenues, collection, procurement, disbursement, inventory and cost accounting, production, treasury, payroll, and capital assets.
  9. Financial statements.
  10. Laws and regulations.

Charter of Business Systems and Control is a formal written document which defines the section's purpose, authority and responsibility. The charter should:

  1. establish the section's position within the organization
  2. authorize access to records, personnel, and physical properties relevant to the performance of an audit or review
  3. define the scope of activities for Business Systems and Control.

Compliance refers to the ability to reasonably ensure conformity and adherence to organization policies, plans, procedures, laws, regulations, and contracts.

Conflict of Interest refers to any relationship which is or appears to be not in the best interest of the organization. (See policy) A conflict of interest would prejudice an individual's ability to carry out their duties and responsibilities objectively.

Findings are pertinent statements of facts. They emerge by a process of comparing what should be with what is.

Independence allows internal auditors to carry out their work freely and objectively. This concept requires that internal auditors be independent of the activities they audit. Independence is achieved through organizational status and objectivity.

Management Consulting
The rendering of independent advice and assistance about the process of management to clients with management responsibilities.

Management Consultant
An individual who provides independent advice and assistance about the process of management to clients with management responsibilities.

Objectivity is an independent mental attitude which requires internal auditors to perform audits in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.

Outside Service Provider refers to a person or firm, independent of the organization, who has special knowledge, skill, and experience in a particular discipline.

Risk is the probability that an event or action may adversely affect the organization or activity under audit.

Risk Assessment is a systematic process for assessing and integrating professional judgements about probable adverse conditions and/or events. The risk assessment process should provide a means of organizing and integrating professional judgments for development of the audit work schedule.

Risk Factors are the criteria used to identify the relative significance of, and likelihood that, conditions and/or events may occur that could adversely affect the organization.

Scope Limitations is a restriction placed upon the internal auditing department that precludes the department from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:

  1. Scope defined in the charter.
  2. Access to records, personnel, and physical properties relevant to the performance of audits.
  3. Approved work schedule.
  4. Performance of necessary auditing procedures.
  5. Approved staffing plan and financial budget.

Significant is the level of importance or magnitude assigned to an item, event, information, or problem by the internal auditor.