Annexure A

Amatole District Municipality

Strategic and Annual Internal Audit Plan

September 2002

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Contents
1 2
2.1 2.2 2.3

Introduction and Background Risk Analysis

Identification of strategic risks Detailed strategic risk analysis Results and interpretation of workshop outputs

3 4 5
5.1 5.2 5.3 5.4

Risk Management Internal Audit Strategy Proposed risk based internal audit coverage
Three-year audit strategy Annual internal audit plan for the year ended June 2003 Timing of the internal audit coverage, for October 2002 to June 2003 Estimated internal audit hours for the year ending June 2003

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Introduction and background

The Internal Audit unit has conducted a Risk Assessment for the Municipality and this will serve as the basis for namely:
! ! !

A rolling three year strategic internal audit plan; A annual internal audit plan for the first year of the rolling plan; and Plans indicating the proposed scope of each audit in the annual audit plan.

In order to assist in the preparation of the three-year risk based audit strategy and annual audit plan a number of detailed strategic risk workshops/ sessions were conducted with the various Departments in the Municipality, by the Internal Audit section. This report presents the outputs obtained from the detailed strategic risk workshops conducted in various Departments within the Amatole District Municipality. The purpose of performing a detailed strategic risk workshop is to compile a risk assessment, with a view to focusing internal audits efforts on the highest risk areas to which the Municipality is exposed. As Internal Audit at Amatole District Municipality we are pleased to provide you with the results from the risk assessment, as well as the proposed Internal Audit Strategy and Annual Internal Audit Plan for the year- ended June 2003, which are directly based on the risk assessments. Specifically this report contains:
!

The results of the detailed strategic risk assessment conducted in the Municipality during August and September 2002; A three year internal audit strategy for the Municipality: The annual internal audit plan for the first year of the strategic plan; and The plans indicating the proposed scope for each audit in the annual internal audit plan.

! ! !

We as the Internal Audit team would like to thank management and key staff of various departments for their patience, assistance and co-operation during the whole exercise.

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Risk Analysis

2.1

Identification of strategic risks

A risk assessment questionnaire was circulated to all Heads of Departments and the Municipal Manager by the Internal Audit unit prior to the Internal Audit performing the detailed strategic risk workshops/sessions at a Departmental level. In the questionnaire the HODs and the Municipal Manager were requested to identify the key risks that kept them awake at night. The purpose of identifying these risks was to ensure that the concerns of the HODs were addressed and raised during the detailed strategic risk workshop/sessions as well as to focus the workshop participants attention on these key issues.

2.2

Detailed strategic risk analysis

A detailed strategic risk analysis was conducted at the Departmental level from the 26th August 2002. The objectives for conducting facilitated detailed strategic risk workshops/sessions with Departments senior management and key staff were several, namely to: ! !

Identify and assess using accepted methodologies, the major strategic risks faced by the Departments and Municipality; Identify and assess the risk management responses or controls implemented and relied upon by management, to ensure that Municipality achieves its objectives; Allow management to identify any actions required to mitigate risks and/or improve controls; and to Provide the basis for developing a risk based audit strategy and annual internal audit plan that will focus on the issues that threaten the Municipalitys objectives so as to allow internal audit to add value to the Municipality.

Municipality Objectives In the identification of strategic risks, the Municipality objectives were identified. This ensures that the material risks that could have an impact on the objectives of the Municipality are identified. The Municipalitys objectives are captured in the Departmental scorecards and are part of the risk database documents for various Departments:
!

To ensure that the Municipality invests in the skills of its employees to fulfil its roles, in line with its skills development plan. To create a healthy working environment within ADM to ensure representivity in line with the Municipalitys employment equity plan To ensure that revenue is maximally collected and sustainably managed. To ensure that Amatole Districts programmes are aligned to the IDP

! ! ! !

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

To form some strategic partnerships with various service providers and stakeholders involved in service delivery within the ADMs area through the establishment of service providers forum, to ensure that IDP targets are met; To ensure that all support initiatives, programmes and projects by all spheres of government and other institutions within ADM area are co-ordinated. To develop in partnership with relevant stakeholders and adopt a Land Reform and Settlement Plan. ADM to responsibility for developing a district wide environment strategy together with the local municipalities and other role players. To develop in partnership with other relevant stakeholders an Integrated Waste Management Plan, To ensure public is given the necessary information and opportunity to influence the running of the District Municipality.

! !

! !

Workshop participation In order to ensure that the strategic risks were correctly identified and assessed it was agreed that the workshop participants should comprise of the Head of Municipality and his/her senior management team. In addition, to ensure focused participation and maximise the value of the workshop outputs, it was requested that the workshop participants should number approximately eight (not exceeding ten) participants. Members of the senior management team in various Departments including the Director of each Department attended the workshop. The workshop provided for lively debate and active participation by the participants. While significant effort was given to ensuring that the major strategic risks were covered in the workshop, the limited time and the reliance on the knowledge of the participants may not have identified all the issues that need to be reviewed. However, the workshop outputs form a good basis for the development of the strategic and annual internal audit plan.

Workshop Preparation In preparing for the workshops participants as well as internal audit were asked to perform some preliminary work. In particular various Departments were asked to complete a questionnaire and identify the key strategic risks facing their Departments while Internal Audit was asked to identify what they felt were the key risks facing the Departments. The information provide, together with the IDP was used to develop and pre-populate a risk data base that was confirmed, altered and refined during the workshop so as to ensure that the risks identified reflected the actual risks faced by the Departments. The key risks identified in the questionnaire by the various Departments and incorporated in the database were:
!

Uncertainties

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !

Delays in project deliveries Poor leave administration within Department Misuse of Council resources Access to ADM building Non compliance to Legislation Lack of sufficient funding Lack of good corporation and capacity in local municipalities Uncertainties on powers and functions Non existence of Policies on Service Delivery Unclear role and future of Roads Agency function Low staff morale Lack of capacity for the performance of ADM mandate Temporal arrangements of Section 18 Notice Poor asset management Newly formulated and adopted procurement policy Unmatched revenue targets Non existence of Employment Equity plan Lack of skills development plan and staff performance review system Unclear job evaluation system used Fraud and corruption within the Municipality Inadequate inter- Departmental relations Understaffing Lack of reliable working resources for Health and Protections services Poor Code of Conduct by staff members Non- Uniform conditions of service of staff Poor payroll administration Poor recruitment process Lack of employee assistance programme

Internal audit also identify their perceived risks, which were included in the database.

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

2.3

Results and interpretation of workshop outputs

Besides delivering a risk based rolling three-year internal audit strategy and annual internal audit plan, the results of the workshop were further analysed to provide some insight as to the nature of the key risks that threaten the Municipalitys objectives. The identified risks were firstly analysed in terms of inherent risk, and secondly how effective management perceives the current controls, which are in place to manage the identified risks are. The workshop participants also identified how effective the controls should actually be in managing the identified risks, namely the desired control effectiveness. The bar graph in each instance indicates the percentage of total inherent risk. The control effectiveness (actual and desired) is plotted over the inherent risk value to provide a view of the priority of addressing the risk. The gap between the two values indicates the opportunity or need for improvement, which should be read in conjunction with the inherent risk value identified i.e. the higher the inherent risk value and the larger the need for control effectiveness improvement, the more management and internal audit attention the risk should attract. In assessing the risks and controls the following parameter were used:

Inherent Risk Risk Ranking High high likelihood / High impact Medium Medium likelihood / medium impact Low Low likelihood / low impact Control Effectiveness Category Description Very Good Good Satisfactory Weak Could not be more effectively implemented to mitigate the risk. The risk is effectively controlled and mitigated There is room for some improvement in the control system The risk appears to be controlled but there are major deficiencies

Factor 10 7 5 3 1

Factor 0.10 0.20 0.35 0.60 0.80

Unsatisfactory The control system is ineffective

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Risk Risk 1 2 3 Low staff morale Uncertainties Lack of human resources capacity and inefficient management of existing resources Lack of working resources capacity in performance of ADM mandate Fraud and corruption 6 7 Unclear role and future of the Roads Agency function Delays in projects delivery

4 5

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Interpretation of results The participants identified various key strategic risks as outlined in the risk database above. Of the risks identified, the Internal Audit for the purpose of drafting its plan has analysed and grouped the risk into seven risk and all ranked as high. The high-risk areas identified include:
! ! ! !

Uncertainties Low staff morale Lack of human resources and inefficient management of existing resources. Lack of working resources and capacity for ADM to fulfil its mandate

Of interest is the fact that some of the high-risk areas identified relate to external issues. For the purpose of compiling an Internal Audit plan the Internal Audit is going to focus on areas that relate to internal issues. The participants ranked the balance of the risks as medium / high to medium. In evaluating the current control environment the participants combined for all Departments felt that the control environment currently operates at a weak to satisfactory level. In addition the participants felt that they would like to see most of the controls operating at a very good level i.e. the controls could not be more effectively implemented to minimize risk.

Internal audit focus The workshop outputs represented graphically below, provides the internal audit function with the direction and guidance required in preparing their risk based audit strategy and annual internal audit plan Internal audit should focus its initial assurance activities on the high-risk areas and specifically those that are perceived, by management to be poorly controlled. For example, risk 4: - Lack of relevant reliable / complete and secure information systems represents a high-risk area with a control environment that is perceived to be weak to unsatisfactory. As a result this area will become a priority area for internal audit. In the same way, risk 3: - Lack of human resources capacity and inefficient management of current resources is a high/medium risk area with a unsatisfactory perceived control effectiveness, and should also attract internal audits immediate attention in the first year. This process of analysis and prioritisation is applied to all the risks identified and analysed during the workshop and a risk based audit strategy developed that will focus on the key areas / risks that management feels are important. As a result internal audits efforts will be geared towards adding value to the Municipality by focusing on those areas that are important to management and that will assist the Municipality in achieving its objectives.

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

ADM Risk Assesment Bucket Graph

Control Effectiveness Very Good 0.10 Good 0.20 Satisfactory 0.35 Weak 0.60 Unsatisfactory 0.80

1.00 10.00 0.80 Inherent Risk 0.60 5.00 0.40 0.20 0.00 1 2 3 4 Risks 5 6 7 0.00 Control Effectiveness

Inherent Risk

Control Effectiveness Actual

Control Effectiveness Desirred

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Risk Management

The Municipality is required to maintain an effective, efficient and transparent system of financial and risk management and internal control. The management of the Municipality must facilitate risk assessment to determine the material risks to which the institution may be exposed and evaluate the strategy for managing these risks. Given above together with the fact that the Municipalitys risk environment is continuously changing, would suggest that a mechanism should be created where the Municipalitys risks are assessed on a continuous basis and the strategy for managing the identified risk adapted and managed accordingly. It must be borne in mind that risk management is the responsibility of management and not internal audit. However due to the nature of internal audits activities and their training internal audit often assists management in these activities by maintaining the risk database and facilitating the identification of the risks. To effectively identify and manage risks many organisations establish risk committees (also best practice) whose aim is the identification and management of the risks faced by an organisation on an ongoing basis. The main objective of the Risk Committee is to review and assess the effectiveness of risk management and control processes within the organisation and to present their findings to the Council, often via the Audit Committee. The main functions of the Risk Committee are to:
! !

Identify and agree the risk profile of each Municipality. Establish and maintain a common understanding of the risk universe that needs to be addressed in order to achieve strategic objectives. Ensure that management has effectively identified the key risks and incorporated them into their activities. Assess the appropriateness of management responses to significant risks. Consider the control environment directed towards the proper management of risk. Co-ordinate the organisations assurance efforts to avoid duplication, ensure adequate coverage of the risks and decide on what assurance efforts are appropriate to provide the coverage. Assess the adequacy of the assurance efforts provided by management, internal audit and external audit, and specialist consultants (as and when used). Consider (discuss, debate) the results/reports of the combined assurance efforts by all assurance providers (internal audit, auditor general and management) and to ensure that appropriate action is taken to address identified areas for improvement. Keep abreast of all changes to the risk management and control system and ensure the risk profile and common understanding is updated, as appropriate.

! ! !

! !

10

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Report to the Management or Audit Committee on the work undertaken in establishing and maintaining the understanding of the risks that need to be managed and the adequacy of action taken by management to address identified areas for improvement.

The Audit Committee will be responsible for ensuring that the primary objective and functions of the Risk Committee as set out above are adequately and effectively achieved. Senior management is responsible for ensuring that the actions emanating from the Risk Committee is addressed, by allocating the appropriate resources. Membership The Risk Committee is a function of senior management and representation on the committee should include managers accountable for risk management and the appropriate assurance providers. The Municipal Manager could chair the committee. Other members may include the senior managers from the various programmes within the Municipality and Internal Audit. Other members of management, staff and third parties may be invited to be present as and when required. Meetings The type of business as well as the intervals at which the audit committee meet, will dictate the frequency of scheduled meetings. Best practice in this regard is four times per annum. The Risk Committee should meet at least as often as the Audit Committee, usually prior to such Audit Committee meetings to review its reporting to this meeting. The Risk Committee may meet more often dependent on the circumstances. A key principle is that the Risk Committee meets approximately two weeks prior to the Audit Committee, to discuss and clear representations that will be made to the Audit Committee. Assurance providers The Risk Committee decides on the most appropriate assurance provider for the identified risks. Where internal audit is identified as the most appropriate assurance provider, the Audit Committee must finally approve the scope of coverage. Management may be engaged as assurance providers as part of its ongoing activities or as part of an identified special project.

The following minimum standards should, however, apply to all designated assurance providers:

11

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

! !

They must have the required professional competence to complete the review. The Risk Committee must be satisfied that the approach to be adopted in providing the assurance will be effective. The management report must include the objectives of the review, how the review was performed and the results against the stated objectives of the review.

The Risk Committee must ensure adequate objectivity is achieved and potential conflicts of interest minimised. If the Auditor General is to be relied upon for assurance, the Risk Committee should inform them of this reliance to determine from the external auditors whether or not such reliance is appropriate from the work they perform or will perform. Planning The risk management plans need to consider the top risks identified in the business. For example, the top 10 or 20 most significant risks should be deliberated on an annual basis. In practice, a maximum of five to six risk topics can be productively discussed at one meeting. The Risk Committee will then decide on the intervals at which they should discuss the various risks, taking into account any other forums where the risks are considered. Should operational risks be adequately covered in other management/director forums they may be excluded from the Risk Committees deliberations. In practice some risks are discussed at every meeting, and other less often e.g. once every 18 months. Part of the planning process is to ensure that the relevant assurance providers are scheduled to complete their investigation, audit or research and be able to report back at the appropriate Risk Committee meeting. To ensure that changes in the environment are considered in the risk assessment on a timely basis, New risks identified should be a standard agenda item. The risks, as the Risk Committee discusses them, lead to a continuous update of:
! ! !

the risk assessment; managements response; and the status of the controls in place.

12

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Standards and procedures

!

The scope of operations of the Risk Committee should be detailed in a Risk Committee Charter, which is specifically tailored to the individual organisations requirements. The charter should include details on: Objectives Roles and responsibilities Structure, reporting lines and relationships Membership (including background and experience requirements) Processes and procedures Authority to access information and conduct reviews

! ! ! !

The Risk Committee requires a formal agenda and minutes. All members should be provided the opportunity to add items to the agenda beforehand. All participants are expected to fully participate. Submissions to the committee are completed in sufficient time to ensure members may consider the issues raised by the time the Risk Committee meeting takes place. The annual internal audit plan should be considered by the Risk Committee, and a recommendation made to the Audit Committee, on the acceptance or otherwise thereof. This includes an assessment of whether or not sufficient resources are available to conduct the audit plan required by the combined assurance strategy/plan. Progress against the combined assurance strategy/plan and the internal audit plan is also monitored at these meetings.

Risk management is managements responsibility and the formal process described above is an efficient and effective way of dealing with risk management,

13

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Internal Audit Strategy

Risk based planning The internal audit plan as well as the internal audit fieldwork will be focused on the risks to which the Municipality is exposed. Best practice internal audit also dictates that a specific strategy is developed, which best directs internal audit efforts to where the Municipality needs it most, at any given time. This means that the correct balance of risk based versus cyclical based audits needs to be found. This balance depends on the maturity of an organisations systems and processes, the extent to which policies and procedures (and hence internal controls) are entrenched and complied with, and the general strength of the wider control environment. Best practice is that the internal audit of the Municipality spends approximately 60% of its time on riskbased audits, with the balance on cyclical based audits, and ad hoc requests. However these limits should be seen as a guideline only and would be adjusted to best suit the Municipality.

Risk based audits Given the results from the risk assessments, which indicate only a satisfactory-to-weak control environment, we feel that it may be appropriate to for the internal audit function to focus its attention on the high risk areas but concentrate on ensuring that the key controls are in place and adhered to. This can be adjusted depending on the results from the first audits, given that the audit plan is flexible, dependant on management and on Audit Committee approval. Cyclical audits As mentioned, internal audit may decide to focus its attention on certain medium to lower risk areas, for example to achieve general or specific improvements in the control environment or culture. These cyclical audits are normally be conducted on a yearly basis with the aim of monitoring and maintaining (through the reports issued and actions taken) a sound internal control environment.

Ad hoc requests It is important that internal audit set aside time in their annual plan to attend to ad hoc management requests. However before accepting these requests internal audit will assess the requests against the identified / planned audits of the high-risk areas and prioritise the requests based on how much value can be added, comparatively, prior to deciding whether or not to accept the requests. It is important to note that the audit strategy and plan presented overleaf remains risk based, which ensures that the resources are still utilised effectively and efficiently.

14

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

5
5.1

Proposed risk based internal audit coverage

Three-year audit strategy

Area Planning and oversight
Risk workshops Strategic level Done Review and update Ongoing Ongoing Review and update Ongoing Ongoing

Details of coverage

2002/3

2003/4

2004/5

Audit Committee Meetings Management meetings

Attendance of audit committee meetings General meetings with management (HOD) on a regular basis to assess audit coverage requirements based on changing risks Liaison with the audit general regularly

Ongoing Ongoing

Auditor General

Ongoing

Ongoing

Ongoing

Risk based audits

1 Low staff morale 2 Uncertainties H H H H H H H Ongoing Planned Planned Planned Planned Planned Planned Planned Planned Ongoing Ongoing Planned Planned Planned

3 Lack of human resources and inefficient management of existing resources 4 Lack of working resources and capacity for ADM to fulfil its mandate 5 Fraud and corruption 6 Unclear role and future of the Roads Agency function 7 Delays in project delivery

15

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

Area
Cyclical Reviews 1. Fixed Assets 2 Financial discipline reviews Ongoing Activities Fraud and Corruption Policies and procedures ! !

Details of coverage

2002/3

2003/4

2004/5

Review of key fixed asset controls Review of key financial controls

Planned Planned

Planned Planned

Planned Planned

Ongoing monitoring and review of adherence to the Fraud Prevention Policy and Plan

Ongoing

Ongoing Ongoing

Ongoing Ongoing

The levels of adherence will be addressed during all audits. Ongoing This will include an assessment of whether or not the policies and procedures themselves require change. .

It should be noted that the following factors would have a direct influence in the planning and execution of this three-year strategic internal audit plan: " " " " Availability of Internal Audit staff Changes in the risk environment of the Municipality the risk environment should be assessed on an annual basis; Approval and acceptance of this plan by the Audit Committee; The materiality of ad-hoc requests could have a significant impact on the normal audit planning and timing process.

16

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

5.2

Annual internal audit plan for the year ended June 2003
1. Internal audit administration
Ongoing review and monitoring of plans, work papers and reports, liaison with management, Audit Committee, and external audit. Maintain progress and adjust internal audit plans and combined assurance strategy. Attend Audit Committee meetings. Liaise with Auditor General.

An effective Internal Audit function requires staff planning and co-ordination and most importantly interaction with management, the Auditor General and the Audit Committee. As a result the Internal Auditor for each Municipality will budget for this interaction in the annual audit plan. 2. Risk workshop and risk assessments performed
Perform a Strategic Risk Assessment by way of workshops and interviews, to identify the key strategic risks. Completed the strategic level. Compiled the Strategic and Annual Audit Plans.

The strategic risk assessment has been completed but needs to constantly updated and reviewed on an ongoing basis. If risk management structures have not been set up internal audit will still assume the responsibility to ensure that its audit focus and activities remain relevant and add value as a result the need to monitor the risk environment remains and this activity should be budgeted for. 3. Risk based reviews planned
Risk Area Low staff morale (H) Audit Scope ! ! ! ! Uncertainties (H) ! ! ! ! Lack of working resources and capacity for ADM to fulfil its mandate (H) ! ! ! ! Lack of Human Resources capacity and management of current resources (H) ! Contract employment for continuous services Consistency of policies and employee benefits Employee Assistance programmes Information sharing and communication channels Establishment of Land and Housing section Capacity of local municipalities and support thereof Alternative fiscal plans should Buffalo City become a Metro Service agreements for Agency functions IDP targets review Review of service level agreements Participation on local government development forums Steps taken to ensure commitment from external stakeholders Accuracy of personnel database (including completeness of personnel, reconciliation to PAYDAY including testing for fictitious employees) Adherence to appointment procedures Payroll administration (including salary changes, responsibility codes, accuracy of payments including deductions, )

! !

17

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

3. Risk based reviews planned

Risk Area Audit Scope ! ! ! ! Termination procedures (including removal from system) Leave administration and records Overtime procedures and payments PAYDAY controls

Risk based audit activities will form the majority of the planned audit effort. However as the risk assessment process and risk based audit is new and has not been operational within the Municipality, initial emphasis should be on ensuring sound controls and discipline is exercised in the areas identified as high risk. For this reason the emphasis of the audit scope has been on financial discipline. The actual coverage (extent and detail) is determined during the planning stage of each audit identified, taking into account the circumstances and managements input. By adopting this approach each audit can be tailored for effectiveness and efficiency. 4. Cyclical based reviews
Fixed Assets Financial Discipline and Procurement Procedures Reviews Legal Compliance review Review of key fixed asset controls Review of key financial controls and procurement procedures

Review of compliance to key aspects of the Systems Act, MFMB and LGTA etc.

The intention of these reviews is to maximise internal audits coverage through control self assessment questionnaires. These key control questionnaires will be developed by internal audit and will identify the key controls that should be in place. The questionnaires will be circulated to the appropriate management representatives for completion. On the return of the questionnaires internal audit assesses the responses and by way of random checks verifies the accuracy and integrity of the responses. This approach has two benefits, namely, educates management as to what key controls should be in place and maximises audit coverage and the assessment of the general control environment. 5. Management requests and assistance
As requested from time to time.

Any value adding internal audit function must set aside time to address management requests. However before accepting these requests they should be assessed in terms of importance against the planned audit activities.

The annual audit plan for the first year of the three-year audit strategy internal audit has been designed with an emphasis on financial discipline based on the high-risk areas identified. As mentioned above this is because it may be appropriate to for the internal audit function to focus its attention on the high risk areas but concentrate on ensuring that the key financial controls and hence discipline required to successfully manage the Municipality are in place. Once the key controls are in place and operating as intended to the satisfaction of both management and the audit committee, internal audit should then focus its attention on

18

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

operational areas (in the second and third years of the internal audit strategy). This approach, it is felt will add the most value to the Municipality a key aspect of the role of internal audit. Timing of the internal audit coverage, for October 2002 to June 2003 The audit coverage timing, presented below has been structured to allow for effective auditing to begin in October 2002. This will allow the internal audit function to begin update and involve the Audit Committee in this whole process.
Activity Individual risk based reviews Low staff morale (H) Uncertainties (H) Lack of working resources and capacity for ADM to fulfil mandate (H) Lack of human resources capacity and management of current resources (H) Cyclical Reviews Fixed Assets Financial Discipline and Procurement Reviews Legal Compliance Review Ongoing activity Fraud and corruption Policies and procedures Follow-ups, Database updating management assistance July Aug Sept Oct Nov Dec Jan Feb Mar April May Jun

19

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

5.3

Estimated internal audit hours for the year ending June 2003
The following serves as a template to be applied and completed by Internal Audit when planning and scheduling the execution of internal audit work. Available Hours Activity Risk analysis and updating risk database Risk Based Reviews
Low staff morale (H) Uncertainties (H) Lack of working resources and capacity for ADM to fulfil its mandate (H) Lack of Human Resources Capacity and management of current resources (H)

XXXXXX Actual Hours

Cyclical Reviews

Fixed Assets Financial Discipline Reviews Legal compliance review

Ad Hoc Management Requests Audit Committee Reporting Follow-up activities Liaison and meetings Study leave Annual leave Training

20

Amatole District Municipality Internal Audit Unit- Risk Assessment September2002

21