PAPER C
AUDIT COMMITTEE – 28 JULY 2005
REPORT OF CHIEF INTERNAL AUDITOR
1. This report is to provide the Panel with a summary of Internal Audit performance for the financial year 2004/05. The Committee is invited to note the contents of the report and to seek clarification of any issues arising from internal audit’s performance.
BACKGROUND
2.
It
is appropriate to set out the roles and responsibilities of the Head of
Internal Audit, The Internal Audit Service and the Audit Committee so that the
Committee can better fulfil its scrutiny role over the Internal Audit Service.
3.
The Responsibilities of The Head of Internal Audit
The Chief Internal Auditor
is responsible for:
(a)
developing
a strategic audit plan based on an understanding of the significant risks to
which the authority is exposed;
(b)
developing
an annual audit plan based on the strategic plan and an understanding of the
significant risks to which the authority is exposed;
(c)
submitting
the plans to the Audit Committee for review and agreement;
(d)
implementing
the agreed annual audit plan;
(e)
maintaining
a professional audit staff with sufficient knowledge, skills and experience to
carry out the plan;
(f)
developing
audit staff for redeployment elsewhere in the authority.
4.
Role and Scope of
Internal Audit
The role of Internal Audit is to understand the key
risks of the authority and to examine and evaluate the adequacy and
effectiveness of the system of risk management and internal control as operated
by the authority. Internal Audit, therefore, has unrestricted access to all
activities undertaken in the authority, in order to review, appraise and report
on:
(a)
the adequacy and
effectiveness of the systems of financial, operational and management control
and their operation in practice in relation to the business risks to be
addressed;
(b)
the extent of
compliance with, relevance of, and financial effect of, policies, standards,
plans and procedures established by the Council and the extent of compliance
with external laws and regulations, including statutory reporting requirements;
(c)
the extent to which the
assets and interests are acquired economically, used efficiently, accounted for
and safeguarded from losses of all kinds arising from waste, extravagance,
inefficient administration, poor value for money, fraud or other cause and that
adequate business continuity plans exist;
(d)
the suitability,
accuracy, reliability and integrity of financial and other management
information and the means used to identify measure, classify and report such
information;
(e)
the integrity of
processes and systems, including those under development, to ensure that
controls offer adequate protection against error, fraud and loss of all kinds;
and that the process aligns with the authority’s strategic goals;
(f)
the suitability of the
organisation of the units audited for carrying out their functions, and to
ensure that services are provided in a way which is economical, efficient and
effective;
(g)
the follow-up action
taken to remedy weaknesses identified by Internal Audit review, ensuring that
good practice is identified and communicated widely;
(h)
the operation of the
authority’s corporate governance arrangements.
5.
The Role of the Audit Committee
In keeping with good corporate governance practice, a Committee of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:
v The Committee should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;
v The Committee should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;
v The Committee should consider the results of Internal Audit reviews to ensure that any significant findings are addressed, including control weaknesses and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;
v The Committee should recommend, if necessary, that further attention should be given to some of the issues raised.
The professional environment within which internal audit operates continued to be dynamic during the last financial year. The Office of the Deputy Prime Minister published new Accounts and Audit Regulations in March 2003 that inter alia introduced the requirement for local authorities to include a Statement on Internal Control (SIC) within its published financial statements. This initiative has a wide-ranging impact not just on the work of internal audit but also on all senior managers across the council. The implications of this development are discussed in more detail below.
Aside from specific initiatives such as the SIC, in general terms there has been an increasing expectation that internal audit units will become more involved in reviewing risk management and corporate governance arrangements operating in their host organisations. The driver for this comes from H.M. Treasury that is keen to see the roll out of sound corporate governance practices as developed in the private sector some ten years ago across the entire public sector. In this regard, Local Government is behind the Civil Service and the Health Service in being required to adopt these practices.
In October 2002 the original CPA assessment and in particular the Auditor Judgement for the Internal Audit Service was graded as 2 out of a potential maximum score of 4. A score of 2 means generally satisfactory service but with weaknesses. The Audit Commission made a number of recommendations for improvement in the Audit Service which were addressed during financial year 2003/04 and before. The CPA scores were reviewed by the Audit Commission in autumn of 2003 and the score for Internal Audit Services improved from a 2 to a 3. This score was re-confirmed when the Audit Commission reviewed the score again in Autumn 2004. A score of 3 means satisfactory with no major areas of weakness. Our ambition for the future is to further improve on this score to a 4.
In response to the central government drive to embed risk management in local authorities, during 2004/2005 Audit Services continued to develop a new approach to operational/management audits called risk based auditing. This involves working collaboratively with management to determine service objectives, to identify and assess the risks threatening the achievement of objectives and to identify the management information and performance targets needed to ensure business success. The majority of these audits commence with a risk assessment workshop facilitated by internal audit staff. We revert to a more traditional audit approach when testing the reliability of the management information that informs management decision-making.
7.
Overall Performance Against The Audit Plan
2004/05
7.1 Internal Audit Productivity 2004/05
The table below shows the productivity data for the service for the year. Productivity as measured by productive time as a proportion of total time available showed a significant improvement in 2004/05 compared with results in the recent past. The target of 67.3% was exceeded by over 2%. However, it must be acknowledged that part of this improvement is due to the employment of Agency Staff during the year, who by the nature of their employment terms have limited opportunity to be “non-productive” i.e. they do not get paid for absences for any reason.
|
|
PLANNED TIME
2004/05 (DAYS) |
ACTUAL TIME
2004/05 (DAYS) |
VARIANCE (DAYS) |
|
TOTAL TIME |
1906 |
1893 |
-13 |
|
PRODUCTIVE TIME |
1283 |
1314 |
+31 |
|
NON-PRODUCTIVE TIME |
623 |
579 |
-44 |
|
PRODUCTIVITY PERCENTAGE (RATIO OF PRODUCTIVE TIME TO TOTAL TIME) |
67.3% |
69.4% |
+2.1% |
7.2 Overall Coverage - Inputs
The table below shows the amount of time devoted to the various categories of audit work compared with the planned time. The amount of time devoted to each category of audit work was broadly in line with the Audit Plan for the year. Exceptions were:
a) the audit of core financial systems exceeded the plan as we were obliged to audit some core systems twice within the year to harmonise our outputs with the requirements of the external auditors who seek to rely on our work for the purposes of their audit opinion;
b) contracts audits received less attention than planned but a conscious decision was taken to reduce coverage here to meet the need to cover core systems to the satisfaction of the external auditor. Historically, contract audit has received full coverage so it was a reasonable risk to take to divert resources in this was.
|
AUDIT TYPE |
PLANNED
COVERAGE 2004/05 (DAYS) |
COVERAGE TO
31/03/05 (DAYS) |
WORK IN 2005/06 RELATING TO 2004/05 (DAYS) |
TOTAL COVERAGE (DAYS) |
||
|
Compliance Audits |
130 |
117 |
22 |
139 |
||
|
Financial Systems Audits |
212 |
327 |
21 |
348 |
||
|
Operational Audits |
345 |
304 |
16 |
320 |
||
|
Anti-Fraud Audits |
59 |
37 |
3 |
40 |
||
|
Fraud Investigation Provision/Contingency Allocation |
130 |
176 |
- |
176 |
||
|
Contract Audits |
154 |
73 |
1 |
74 |
||
|
ICT Audits |
125 |
130 |
- |
130 |
||
|
ICT Project Audits |
96 |
135 |
- |
135 |
||
|
Follow – Up Audits |
32 |
15 |
1 |
16 |
||
|
TOTAL |
1283 |
1314 |
64 |
1378 |
||
7.3 Planned Coverage – Outputs
The table below indicates the extent of completed audit projects against the plan. Overall, 87% of the plan has been achieved and those significant areas not audited during 2004/05 have been included in the audit plan for 2005/06. This again is a significant improvement in performance when compared with the recent past.
|
Audit Type |
No. Planned
Audits |
No. Completed
Audits |
Planned Time |
Plan time of
completed audits |
Proportion Of
Audit Plan Completed |
|
|
Compliance Audits |
89 |
81 |
130 |
98 |
75% |
|
|
Financial Systems |
9 |
9 |
220 |
220 |
100% |
|
|
Operational Audits |
25 |
20 |
345 |
285 |
83% |
|
|
Anti Fraud Audits |
6 |
5 |
59 |
56 |
95% |
|
|
Contingency |
- |
- |
130 |
130 |
100% |
|
|
Contracts Audits |
13 |
8 |
154 |
88 |
57% |
|
|
ICT Audits |
17 |
17 |
125 |
125 |
100% |
|
|
ICT Project Audits |
3 |
3 |
96 |
96 |
100% |
|
|
Follow-Up audits |
38 |
30 |
33 |
25 |
76% |
|
|
TOTAL |
200 |
173 |
1292 |
1123 |
87% |
|
Details of the outcomes of individual audits are reported to the Committee at each meeting and a separate report on progress is included on the agenda for this meeting.
7.4 Assessment of Quality
The internal audit service routinely requests feedback from clients at the closure of an audit assignment. Clients are asked to rate our performance over a range of categories on a scale of 0 to 4 with 0 being poor and 4 being excellent. Our target for 2004/05 was to achieve an overall average score of 3 which equates to “Good”. Our actual average score during 2004/05 was 3.25 which is above our target performance.
8.
Benchmarking Comparisons.
The service annually submits data to the Institute of Public Finance benchmarking Club to allow us to monitor our performance against other Internal Audit sections in Unitary Authorities. Attached at appendix A are the benchmarking results for the financial year ended 31st March 2005.
Table one in appendix A compares the IOW performance in terms of costs against the average for unitary authorities. The cost per £m gross turnover shows that on average unitary authorities invested 12% more on internal audit services for the amount of money at risk than did the Isle of Wight Council.
The days per auditor at 171 chargeable days compares favourably with the unitary average at 165.
Table four shows the areas of audit coverage per £m compared with the average for unitary authorities. In general our coverage is in line with other authorities with the significant exception of ICT audit when we were fortunate to be able to deliver the ICT audit plan despite our in-house ICT Auditor being seconded to the Department of Organisational Development part way through the year. Backfilling monies allowed us to buy in temporary staff, which although expensive, at least allowed the plan to be delivered in this financial year.
During the course of the year we had an average of 5.9 full time equivalent staff in post. This resource was augmented by the employment of temporary staff funded by backfilling the salaries of two members of staff seconded to Organisational Development. This gave the service an overall staffing complement of 7.2 full time equivalents for this financial year.
Table 6 shows that in terms of qualified accountants/internal auditors, 59% of our staff are qualified compared with 26% for the average of all other unitaries.
The benchmarking data for 2004/05 shows an overall improvement in the performance of the service over the recent past. If this improvement is sustained, then the service should be performing in line with the average of unitary authorities during the current financial year. However, the prospects for maintaining the level of coverage achieved in 2004/05 are bleak owing to a reduction in FTE staff numbers to 6.2. This situation has arisen due to job evaluation up-gradings which has meant that a vacancy arising from the permanent transfer of a staff member to Organisational Development cannot be filled as there is insufficient budget resource to so do. We are looking at modifying the annual audit plan for 2005/06 to reflect the reduction is staff resource.
The changes made in methodologies have increased the added value delivered by the service and will make a positive contribution to assisting the authority in improving its overall CPA score. We also are geared up to assist in improving the council’s corporate governance and risk management arrangements.
This is the second year that the authority has been obliged to publish a Statement on Internal Control to be published as part of the council’s financial statements. The mechanism for developing the statement relies on Heads of Service producing assurance statements that they are actively managing their risks through the development and maintenance of robust control systems. In circumstances where they are not adequately managing their risks this must be acknowledged in the statement and a plan for remedial action must be identified.
Internal audit’s role as far as the SIC is concerned is to give independent assurance that there are no significant control problems which have not been declared and therefore effectively give assurance that the statements made in the compilation of the SIC are accurate. The SIC and the Chief Internal Auditor’s appraisal of same will be brought to the next meeting of the Audit Committee.
Additionally, internal audit, together with colleagues in the Insurance and Risk Management section have worked hard during the year to raise the awareness of risk management across the organisation so that the authority is in a position to sensibly respond to the requirements of the SIC.
(b)
Internal Audit’s Overall Opinion on the State of the
Council’s Internal Control Environment.
During the course of financial year 2004/2005, we have performed audit reviews of the council’s operations and the core financial systems operated by the council in accordance with the agreed annual audit plan for the year. During the course of that work, we found no evidence of significant control weaknesses that would materially damage either the council’s financial standing or its reputation.
Therefore, we can give the Audit Committee reasonable assurance that the internal control system operating in financial year 2004/2005 met the Council’s requirements.
FINANCIAL, LEGAL, CRIME AND DISORDER IMPLICATIONS
10. There are no significant financial or legal implications of this report, given that it is a progress report on the Internal Audit function. The Committee is reminded that the Council is required by statute (the Accounts and Audit Regulations) to have an adequate and effective Internal Audit function.
RELEVANT PLANS, POLICIES, STRATEGIES and PERFORMANCE INDICATORS
11. None
CONSULTATION PROCESS
12. None
BACKGOUND PAPERS USED IN THE PREPARATION OF THIS REPORT
13. IPF Benchmarking file held by G Richardson - extension 3683
APPENDICES
Appendix A – Benchmark Comparisons
APPENDIX
A
BENCHMARK COMPARISONS 2004/2005 ACTUALS
TABLE ONE – COST ANALYSIS - 2004/2005 ACTUALS
|
IOW |
AVERAGE ALL UNITARIES |
|
|
4.02 |
4.46 |
|
|
£1,037 |
£1,185 |
|
|
171 |
165 |
|
|
£47,083 |
£45,586 |
|
|
£34,861 |
£34,971 |
|
|
£12,222 |
£10,615 |
|
|
7.4 |
7.3 |
TABLE TWO – CHARGEABLE DAYS PER AUDITOR 2004/05 ACTUALS
Chargeable days –
Staff on payroll
|
IOW DAYS |
IOW DAYS/FTE |
AVERAGE ALL
UNITARIES DAYS/FTE |
|
1,611 |
264.1 |
261 |
|
|
Non-Chargeable Days: |
|
|
|
|
59 |
9.7 |
9.6 |
|
|
138 |
22.6 |
29 |
|
|
Special leave |
na |
na |
4.8 |
|
Sickness |
61 |
10.0 |
9.3 |
|
Training – Audit qualification |
47 |
7.7 |
4.6 |
|
Training - other |
29 |
4.8 |
7.8 |
|
Other non-chargeable days |
232 |
38.0 |
30.7 |
|
Chargeable days |
1,045 |
171.3 |
164.5 |
TABLE THREE –
OVERHEAD COSTS – 2004/05 ACTUALS
|
IOW £’000 |
IOW £’000/FTE |
AVERAGE ALL
UNITARIES £’000/FTE |
|
|
Transport and travel |
6 |
0.8 |
0.5 |
|
Other running costs |
22 |
3.1 |
2.1 |
|
Accommodation |
8 |
1.1 |
2.1 |
|
IT |
7 |
1.0 |
2.2 |
|
Other central charges |
45 |
6.3 |
3.8 |
|
Total |
77 |
11.4 |
9.5 |
TABLE FOUR –
AUDIT DAYS PER £M BY TYPE OF AUDIT - 2003/2004 ACTUALS
|
IOW DAYS |
IOW DAYS/£M |
AVERAGE ALL
UNITARIES DAYS/£M |
|
|
282 |
0.86 |
0.84 |
|
|
Assurance work on other systems |
290 |
0.89 |
1.13 |
|
Corporate governance |
87 |
0.27 |
0.26 |
|
Educational Establishment audit |
59 |
0.18 |
0.495 |
|
Other Establishment audit |
64 |
0.20 |
0.26 |
|
Audit of IT Systems |
256 |
0.78 |
0.22 |
|
Fraud etc. |
100 |
0.31 |
0.46 |
|
Contract audit |
44 |
0.13 |
0.21 |
|
Consultancy, advice |
20 |
0.06 |
0.28 |
|
Other |
112 |
0.34 |
0.27 |
|
Total |
1,314 |
4.02 |
4.46 |
TABLE FIVE –
STAFF SALARY BANDINGS AT 31ST MARCH 2005
|
IOW FTE |
IOW % |
AVERAGE ALL UNITARIES % |
|
|
0.5 |
8 |
18 |
|
|
£20 – 25k |
0.0 |
0 |
19 |
|
£25 – 30k |
3.8 |
64 |
23 |
|
£30 – 35k |
0.6 |
10 |
16 |
|
£35 - £40 |
1.0 |
17 |
12 |
|
Total |
5.9 |
|
|
TABLE 6 – AUDIT
STAFF QUALIFICATIONS AT 31ST MARCH 2005
|
IOW FTE |
IOW % |
AVERAGE ALL
UNITARIES % |
|
|
CCAB/MIIA |
3.5 |
59 |
26 |
|
CIPFA DPA/PIIA |
0.9 |
15 |
11 |
|
AAT |
1.0 |
17 |
26 |
|
Other specialists |
0 |
0 |
5 |
|
Part Qual/Trainees |
0 |
0 |
18 |
|
Non-Qualified |
0.5 |
8 |
13 |
|
Total |
5.9 |
100 |
100 |