Annual report to the Boardon the Association’s system of internal controls for Kingston and Wimbledon YMCA

For the period ending 31st March 2007

As reviewed by the Audit Committee at their meeting on 23rd July 2007

______

Introduction

This report is intended to help the Board review the effectiveness of the Association’s system of internal control. Although the Association is not required (due to the number of housing units) by regulation to undertake such a review it has determined that, as a matter of good practice, an annual statement should continue to be prepared and presented to the Board for their consideration.

Housing Corporation circular R2 – 25/01 requires the Board to

a)maintain a sound system of internal control which

  • focuses on the significant risks, and
  • provides reasonable assurance of the safeguarding of assets

b)conduct an annual review of the effectiveness of the Association’s system of internal control. The Chief Executive or senior team are required to present an annual report on the effectiveness of the system to assist the Board with this.

c)include a statement on internal controls in the audited financial statements which refers to the board’s annual review.

This report is The Chief Executive’s report referred to under (b) above and has been prepared jointly with the Finance Director.

Identification of Risks

Risk management is central to any system of internal controls. The Board has put in place a system to identify and control risks. The main elements are;

  • A schedule of the key risks faced by the Association including a schedule of actions required in order to minimise these risks. This has been reviewed during the course of the past twelve months utilising a computer package to assist in the management of these risks. Specific responsibility to oversee the management of risks has been delegated to a member of the senior staff team.
  • Updating this by consideration of risks in new pieces of work.
  • The senior team report on key risks regularly to the Board. All Board reports include a paragraph on risk management.
  • A procedure for Incident Reporting has been introduced, including assessing whether the risk register needs updating following a particular incident.
  • Staff are issued with risk identification forms and have been provided with an over-view of the key risks faced by the Association.
  • Departmental Plans have been approved to include the identification of departmental risks and action required to minimise these.
  • An internal audit review has been undertaken in respect of risk identification and risk management utilising interviews with a broad range of staff– this has assessed the system as providing substantial assurance.
  • The Chief Executive and senior team implement the risk management decisions of the Board. The Chief Executive has retained responsibility for the implementation of the Association’s Risk Strategy whilst delegating responsibility for managing risk awareness to the Director of Corporate Services.

The Board has reviewed the schedule of risks and these are included in the Association’s Risk Map. A more detailed review, reducing the number of key risks faced by the Association has recently been carried out which included a seminar on risk awareness.

The control environment

There is a relatively strong culture of commitment to internal control. In particular;

The organisation works within its Vision, Values, Ethos and Mission. These are clearly communicated to staff, volunteers and partner organisations and key stakeholders. They set the tone of the organisational culture. The Values include relationships built on integrity and trust, development of all people in body, mind and spirit, and being forward looking and progressive.

The Board demonstrates a lead in internal control by requiring regular reports on risks, on the controls or actions in place to mitigate risks, and on key performance indicators. The Board also demonstrates a lead in the values of the Association. A balance scorecard approach to the measurement of KPIs was approved by the Board in February 2007 for introduction in the financial year 2007/08.

The Chief Executive and senior staff team are responsible for making the values live within the organisation and thereby for creating a culture in which there is a commitment to internal control. In particular the senior staff team are responsible for specific key areas of control and for the management of other staff with responsibilities for developing and/or operating internal controls. Disregard of control procedures is treated seriously.

Our system of internal controls

The key internal controls within Kingstonand WimbledonYMCA are;

Governance / Operational / Financial / External / Compliance
Memorandum and Articles of Association;
Board Members’ Handbook;
Board member and staff codes of conduct;
A more rigorous code of conduct for the Chief Executive and Senior Staff Team;
Oversight and scrutiny by the Audit Committee;
The approval and review of a range of strategic policies and procedures;
Delegation of approval of non-strategic policies to the SST determined upon a risked based approach;
A twelve months forward plan for the Board;
Regular skills assessment for Board membership;
Procedures for the identification and reduction of fraud. / Risk management process:
An annual budget and operating plan agreed before the start of the financial year;
A strategic five year plan;
A five year business plan;
Written policies and procedures that are regularly reviewed and disseminated to staff and volunteers;
The issuing of key policies and procedures to staff with payslips and the availability of policies on the shared server;
Staff induction;
Job descriptions and person specifications;
Staff recruitment, line management and regular work review processes;
Staff training and development;
A child protection officer accountable directly to the Board;
ICT back up procedures and disaster recovery plans;
Site specific emergency procedures manuals;
A programme of internal audit undertaken on the basis of risk assessment. / Financial Standing Orders;
Monthly income statements and management accounts;
Five year financial projections;
Daily review of bank balances;
Procedures for the authorisation of expenditure;
A Capital Panel in order to oversee capital expenditure;
Procedures for the control of cash;
Procedures for the authorisation of credit card transactions. / The process of internal audit;
External audit reports. / External compliance and regulation from external bodies:-
- The Housing Corporation
- The Charity Commissioners
- OFSTED
- The Commission for Social Care Inspection.
- Partner Local Authorities
- Supporting People Commissioning Bodies;
- Funders

Review of the effectiveness of controls

The Board and the senior team receive assurances that controls are operating as planned from the following sources;

Board overview of the risk management process

Management assurances: reports from managers providing financial and operational information.

Regular planned reviews of key operational areas – catering services, child care and PR and Marketing;

Key Performance Indicators: reports on operational or financial areas identified as significant to achieving the business objectivesutilising a balanced scorecard approach;

External audit management letter.

Reports from other regulators and key stakeholders.

The implementation of the YMCA National Standards.

Housing Corporation compliance reports and reports from CSCI in relation to the Care Homes.

An assurance statement from Internal Audit.

An assurance statement from the Audit Committee.

The external auditors, the Housing Corporation and other external bodies do not have any specific responsibility to identify shortcomings in the system of internal control, so the main source of independent assurance is internal audit.

The following internal audits have been undertaken in the past twelve months with the following levels of assurance provided:-

Corporate Governance/RiskSubstantial

Building MaintenanceAdequate

Human ResourcesAdequate

Investment Management Adequate

VAT and PAYEAdequate

Follow up reportAdequate

The Internal Audit Reports have been reviewed by the Audit Committee and key recommendations have been discussed and implementation followed through.

Kingstonand Wimbledon YMCA is compliant with the Housing Corporation requirements to combat fraud. The Board has established policies that set out the organisation’s commitment to the highest ethical standards. These are combined with codes of conduct for both employees and Board members, which set out detailed policies. A fraud register has been established to maintain details of all actual or attempted fraud. Any entries on the register wil are reviewed by the Audit Committee. All cases in excess of £5000, or which involve a member of the Board or senior team, will be reported to the Housing Corporation. There are procedures in place if fraud or attempted fraud is discovered. One cases of suspected fraud investigated during the course of the year well below the £5,000 reporting threshold.

Whilst the Association has reviewed the internal controls and believe them to be adequate, it is appreciated that further improvement will always be required. Recommendations for improvements will be made to the Board as and when required.

Conclusion: There is sufficient evidence to confirm that adequate systems of control existed and operated throughout the year to manage the main risks faced by Kingstonand Wimbledon YMCA and in order to achieve the charitable and operational objectives of the Association.

Kingstonand WimbledonYMCA

Board’s annual report on internal controls

The Board must make an annual statement on internal control for publication with the accounts. The statement must include;

  • An acknowledgement by the Board that it is responsible for the Association’s system of internal control and for reviewing its effectiveness;
  • An explanation that the system of internal control is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable, and not absolute assurance against material misstatement or loss;
  • An explanation that the process for identifying, evaluating and managing the significant risks faced by the Association is ongoing, has been in place throughout the year under review and up to the date of approval of the report and accounts, and is regularly reviewed by the Board;
  • A summary of the process the Board has adopted in reviewing the effectiveness of the system of internal controls;
  • A summary of the main policies which the Board has established and which are designed to provide effective internal control; and
  • Information on the process the Board has adopted in addressing material internal control aspects of any significant problems disclosed in the annual report and accounts. Reference to regulatory concerns should also be considered if the Housing Corporation has intervened.

A suggested draft report is attached for the Board’s consideration once it has undertaken its review of controls.

Kingstonand WimbledonYMCA

DRAFT report on internal controls

The Board of Management has overall responsibility for establishing and maintaining the Association’s system of internal control and for reviewing its effectiveness.

The Board recognises that no system of internal control can provide absolute assurance against financial misstatement or loss or eliminate all risk. The system of internal controls is designed to manage key risks and to provide reasonable assurance that planned business objectives and outcomes are achieved. It also exists to give reasonable assurance about the preparation and reliability of financial and operational information and the safeguarding of the Association’s assets and interests.

The Board confirms that there is an ongoing process for identifying, evaluating and managing the significant risks faced by the Association. This approach has operated throughout the year under review up to and including the date of approval of the annual report and accounts.

The process adopted by the Board to review the effectiveness of the system of internal control, together with some of the key elements of the control framework that the Board has established includes:

  • Identification and evaluation of key risks: Risk Management is included as an item on all reports considered by the Board. The Board has reviewed the risk register in the course of the past twelve months.
  • Training on risk management for the Board and Senior Staff Team;
  • The adoption of a Strategic and Business Plan setting out strategic and operational objectives for the period 2006 - 2010;
  • The continuation of a Strategic Building Review in order to ascertain the best use of the Association’s property assets in order to meet the changing needs of our client group;
  • The adoption of an annual operating planand specific departmental plans, with progress being reviewed during the course of the year;
  • The operation of a comprehensive budgeting system and the regular review of financial performance by management and by the Board;
  • The regular review of key performance indicators by management and theBoard;
  • The formal appraisal by the Board of the business case for new opportunities;
  • The appointment of new members of the Board of Management with a range of skills to assist in meeting the Association’s key objectives;
  • A scheme of delegation (reviewed during the course of the year) between the Board of Management, the Chief Executive and Senior Staff Team;
  • A detailed staff training plan based upon the outcomes of Regular Work Reviews and regulatory and operational requirements;
  • The development of a detailed values statements for the Senior Staff Team establishing the culture in which the Association will be managed and extending this to the respective departmental managers.
  • The appointment of a child protection officer with direct access to the Board of Management and statutory authorities.
  • A framework of policies and procedures with which employees must comply. The Board has adopted, amongst others, policies covering financial and accounting procedures, authorisation of transactions, health and safety, protection of children and vulnerable adults, equalities and diversity and various employment polices and procedures, as well as a Code of Conduct for employees. A separate, more detailed Code of Conduct has been introduced for the Chief Executive and Senior Staff Team. Detailed reviews of these polices are carried out at regular intervals.
  • The delegation of operational polices to the Senior Staff Team assessed based upon risk;
  • Up-to-date Criminal Record Bureau Checks for staff and Board members.
  • A robust process of internal audit, undertaken on the basis of risk. The Internal Audit opinion for 2006/07 states:-

“..for the twelve months ended 31st March 2007Kingston and Wimbledon YMCA has adequate and effective risk management, control and governance processes to manage the achievement of the organisation’s objectives.”

The Board confirms that there have been no regulatory concerns which have led the Housing Corporation or other regulatory bodies to intervene, nor any significant failures of internal controls which require disclosure in the financial statements.
Review of risk management and control environment

This section does not form part of the main report. It is part of the evidence of the review of controls and is used to draw the conclusions in the report. It also draws attention to areas where improvements can be made for future years.

This section has been prepared using the Charity Commission Internal Financial Controls self-assessment checklist, the NGO Finance Charities Internal Audit checklist, the Housing Corporation Guidance Notes on Internal Controls Assurance and the Beever and Struthers Corporate Governance Review for Registered Social Landlords (February 2003) to identify questions we should ask ourselves about our internal controls.

Risk management

Does your Association have a policy on risk management and associated procedures?

The Association has a Risk Management Strategy. The main elements of the Risk management process within the Association are:-

  • The existence of a risk register that is regularly reviewed and updated.
  • The completion of a risk analysis for all new areas of work.
  • The reporting of risks and controls to the Board of Management.
  • Risk issues included on all Board papers.
  • A full programme of internal audit based upon key risks.
  • An assessment of the Association’s Risk Appetite.
  • Training on risk awareness for the Board and SST.
  • Details of key incidents within the Association to the audit Committee and whether these require the Risk Register to be updated.
  • The Reporting of failures in controls to the Audit Committee for review.

A review of the Association’s Risk Strategy is currently outstanding. It has been agreed that this will be carried out once Board training has been

Action: continue review of the Risk Map and risk Register. Bring forward the Review of the Risk Strategy to the September meeting of the Audit Committee

Have the main risks faced by the association been identified?

Yes. There is a risk registerthat has identified the key risks facing the Association. This has recently been reviewed by the Board and SST and the number of key risks substantially reduced. Departmental Registers are updated for new pieces of work. Details of mitigating factors and responsibilities for the implementation of controls have been identified and are considered by the Senior Staff Team at regular intervals.

Are the primary means of controlling these risks documented on the risk register?

Yes. –again utilising the “Just Assured” IT system.

Are the controls working and have you obtained assurance they are working?

This is achieved through management reporting to the board. It is of course impossible to say whether all the controls are working, and some will be more effective than others. However no major unidentified risks or control failures have come to light in the past year. Failures in controls are reported to the Audit Committee. No failures in controls have been reported for the period in question.

Assurance is primarily through management assurances and review of financial and other performance indicators by the Board.

Internal Audit has now become a key tool in the provision of assurance – during the course of the last financial year a review was undertaken to assess the awareness of risk management at all levels within the Association – this resulted in substantial assurance being provided to the Board.