Statement of internal control
Scope of responsibility
Respectively as accounting officer, and Chair of the Trustee Board, we have joint responsibility for maintaining a sound system of internal control that supports the achievement of Citizens Advice’s policies, aims and objectives, whilst safeguarding the funds and assets for which the accounting officer is personally responsible, in accordance with the responsibilities assigned in Government Accounting and the Management Statement agreed with BERR. The accounting officer is accountable to the Performance Review and Audit Committee, the Trustee Board and BERR for managing the risk of Citizens Advice.
The purpose of the system of internal control
The system of internal control is designed to manage risk to a reasonable level rather than to eliminate the risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of Citizens Advice’s policies, aims and objectives, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically. The system of internal control has been in place in Citizens Advice for the year ended 31 March 2008 and up to the date of approval of the annual report and accounts, and accords with Treasury guidance.
Capacity to handle risk
Citizens Advice has a structured risk management process and responsibility lies with the Executive Board for the identification, assessment and management of the risks.
The risk and control framework
The Risk Management Strategy:
- explains the organisation’s approach to risk management
- provides risk definitions
- raises awareness of the principles and benefits involved in the risk management process
- identifies the main reporting procedures and promotes good risk management practice within Citizens Advice.
The Trustee Board has approved the Risk Management Strategy and reviews the Risk Register. Citizens Advice has identified high level and operational level risks. The high-level risks are reviewed by the Executive Board, Performance Review and Audit Committee and Trustee Board. Operational level risks are managed by senior managers and monitored by the Finance Team which has the authority to escalate issues to the high level risk register.
Risks are identified and evaluated in the following ways:
- Executive Board risk management workshops are held.
- Periodic reviews are performed by each risk owner in order to assess the likelihood and impact, relevance of risks, current strategies applied and the strength of the strategies. The residual risk is identified and action plans are created to further mitigate risk.
- Clearly documented financial and management procedures and guidelines.
- A Performance Review and Audit Committee (PRAC).
- An Internal Audit function.
- Comprehensive budgeting systems and financial reporting which indicate financial performance against the budget and forecast, and which are reviewed and agreed by the Performance Review and Audit Committee and the Trustee Board.
Citizens Advice has a balanced approach to ‘risk taking’ and adopts an active approach to the mitigation of risk. In the annual review of the high-level risk register it was noted that 38 per cent (2007: 40 per cent) of net risks were high, 38 per cent medium (2007: 40 per cent), and 24 per cent low (2007: 20 per cent).
The most significant risks faced by Citizens Advice going forward have been identified as being:
- Not succeeding in the implementation of the Access strategy and thereby failing to get the benefit of improved access.
- The bureaux network not responding successfully to the increased competitive environment.
- Business continuity risks around premises and/or staff being made ineffective (e.g. pandemic flu or a terrorist attack).
- The reputation of the service being adversely affected by scenarios either totally or partially outside of the organisation’s control.
- Downtime and/or supplier failure in terms of the delivery of IT services.
- Longer-term stability around levels of core funding for Citizens Advice.
- Not effectively realising the changes required in terms of an accommodation strategy and plans around how and where we work.
Citizens Advice manages risk by focusing on strategic objectives and taking a balanced scorecard perspective.
David Harker OBE
Review of effectiveness
Citizens Advice has engaged BDO Stoy Hayward to provide the current programme of internal audits. The auditors operate to standards defined in the Government Internal Audit Manual.
The internal auditors report regularly on internal audit activity within Citizens Advice. The work of the internal auditors is informed by an analysis of the risks to which the organisation is exposed and annual audit plans are based on this analysis. These are endorsed by the Executive Board, Performance Review and Audit Committee and the Trustee Board. A database of all audit recommendations is held and progress is monitored by the Performance Review and Audit Committee, who meet six times a year. The internal auditors’ annual report includes their independent opinion on the adequacy and effectiveness of the system of internal control.
The accounting officer has responsibility for reviewing the effectiveness of the system of internal control. The review of the effectiveness of the system of internal control is informed by the work of the internal auditors and comments made by the external auditors in their management letter and other reports. A plan to address weaknesses and ensure continuous improvement of the system is in place.
To conclude, we can confirm that the major risks to which the charity is exposed, as identified by the trustees, have been reviewed and systems or procedures have been established to manage those risks.
The Revd. Hilary Watkins MBE
30 July 2008