PAPER D
AUDIT COMMITTEE - 29 JUNE 2006
TITLE OF REPORT AUTHOR: CHIEF INTERNAL AUDITOR
1. This report is to provide the Panel with a summary of Internal Audit performance for the financial year 2005/06. The Committee is invited to note the contents of the report and to seek clarification of any issues arising from internal audit’s performance.
BACKGROUND
2.
It
is appropriate to set out the roles and responsibilities of the Head of
Internal Audit, The Internal Audit Service and the Audit Committee so that the Committee
can better fulfil its scrutiny role over the Internal Audit Service.
3.
The Responsibilities of The Head of Internal Audit
The Chief Internal Auditor
is responsible for:
(a)
developing
a strategic audit plan based on an understanding of the significant risks to
which the authority is exposed;
(b)
developing
an annual audit plan based on the strategic plan and an understanding of the
significant risks to which the authority is exposed;
(c)
submitting
the plans to the Audit Committee for review and agreement;
(d)
implementing
the agreed annual audit plan;
(e)
maintaining
a professional audit staff with sufficient knowledge, skills and experience to
carry out the plan;
(f)
developing
audit staff for redeployment elsewhere in the authority.
4.
Role and Scope of
Internal Audit
The role of Internal Audit is to understand the key
risks of the authority and to examine and evaluate the adequacy and
effectiveness of the system of risk management and internal control as operated
by the authority. Internal Audit, therefore, has unrestricted access to all
activities undertaken in the authority, in order to review, appraise and report
on:
(a)
the adequacy and
effectiveness of the systems of financial, operational and management control
and their operation in practice in relation to the business risks to be
addressed;
(b)
the extent of
compliance with, relevance of, and financial effect of, policies, standards,
plans and procedures established by the Council and the extent of compliance with
external laws and regulations, including statutory reporting requirements;
(c)
the extent to which the
assets and interests are acquired economically, used efficiently, accounted for
and safeguarded from losses of all kinds arising from waste, extravagance,
inefficient administration, poor value for money, fraud or other cause and that
adequate business continuity plans exist;
(d)
the suitability,
accuracy, reliability and integrity of financial and other management
information and the means used to identify measure, classify and report such
information;
(e)
the integrity of
processes and systems, including those under development, to ensure that
controls offer adequate protection against error, fraud and loss of all kinds;
and that the process aligns with the authority’s strategic goals;
(f)
the suitability of the
organisation of the units audited for carrying out their functions, and to
ensure that services are provided in a way which is economical, efficient and
effective;
(g)
the follow-up action
taken to remedy weaknesses identified by Internal Audit review, ensuring that
good practice is identified and communicated widely;
(h)
the operation of the
authority’s corporate governance arrangements.
5.
The Role of the Audit Committee
In keeping with good corporate governance practice, a Committee of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:
v The Committee should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;
v The Committee should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;
v The Committee should consider the results of Internal Audit reviews to ensure that any significant findings are addressed, including control weaknesses and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;
v The Committee should recommend, if necessary, that further attention should be given to some of the issues raised.
The professional environment within which internal audit operates continued to be dynamic during the last financial year. The Office of the Deputy Prime Minister published revised Accounts and Audit Regulations in March 2006 that inter alia introduced the requirement for local authority internal audit sections to produce an annual performance report to the Audit Committee.
In general terms there has been an increasing expectation that internal audit units will become more involved in reviewing risk management and corporate governance arrangements operating in their host organisations. The driver for this comes from H.M. Treasury that is keen to see the roll out of sound corporate governance practices as developed in the private sector some ten years ago across the entire public sector. In this regard, Local Government is behind the Civil Service and the Health Service in being required to adopt these practices.
In October 2002 the original CPA assessment and in particular the Auditor Judgement for the Internal Audit Service was graded as 2 out of a potential maximum score of 4. A score of 2 means generally satisfactory service but with weaknesses. The Audit Commission made a number of recommendations for improvement in the Audit Service which were addressed during financial year 2003/04 and before. The CPA scores were reviewed by the Audit Commission in autumn of 2003 and the score for Internal Audit Services improved from a 2 to a 3. This score was re-confirmed when the Audit Commission reviewed the score again in Autumn 2004. A score of 3 means satisfactory with no major areas of weakness. Under the new CPA regime, internal audit is no longer assessed in this way but forms part of the overall assessment of the authority’s internal control arrangements.
In response to the central government drive to embed risk management in local authorities, during 2005/2006, Audit Services continued to develop a new approach to operational/management audits called risk based auditing. This involves working collaboratively with management to determine service objectives, to identify and assess the risks threatening the achievement of objectives and to identify the management information and performance targets needed to ensure business success. The majority of these audits commence with a risk assessment workshop facilitated by internal audit staff. We revert to a more traditional audit approach when testing the reliability of the management information that informs management decision-making.
7.
Overall Performance Against The Audit Plan
2005/06
7.1 Internal Audit Productivity 2005/06
The table below shows the productivity data for the service for the year. Productivity as measured by chargeable time as a proportion of total time available was 4% lower than planned. This occurred for two reasons:
1. The fewer than expected staff in post meant that the administrative overhead formed a higher proportion of total time than planned.
2. One staff member had a protracted period of sick leave.
An overall productivity percentage of 64% is about the average for unitary authorities.
|
|
PLANNED TIME
2005/06 (DAYS) |
ACTUAL TIME
2005/06 (DAYS) |
VARIANCE (DAYS) |
|
TOTAL TIME |
1771 |
1265 |
- 506 |
|
CHARGEABLE TIME |
1215 |
815 |
- 400 |
|
NON-CHARGEABLE TIME |
556 |
450 |
-106 |
|
CHARGEABLE PERCENTAGE (RATIO OF CHARGEABLE TIME TO TOTAL TIME) |
68.6% |
64.4% |
-4.2% |
7.2 Overall Coverage - Inputs
The table below shows the amount of time devoted to the various categories of audit work compared with the planned time. The original audit plan was based on assumptions regarding the staffing resources that would be available during the year. In the event, these assumptions were not realised and therefore the audit plan was prioritised based on the risk assessments for each planned audit and the expectations of the Audit Commission regarding coverage of core financial systems. The post of ICT auditor was unfilled for the whole year and hence no ICT audits were performed in 2005/06.
|
AUDIT TYPE |
PLANNED
COVERAGE 2005/06 (DAYS) |
COVERAGE TO
31/03/06 (DAYS) |
VARIANCE (DAYS) |
|
Compliance Work |
134 |
112 |
-22 |
|
Financial Systems Audits |
220 |
258 |
+38 |
|
Operational Audits |
300 |
218 |
-82 |
|
Anti-Fraud Audits |
36 |
33 |
-3 |
|
Fraud Investigation Provision/Contingency Allocation |
130 |
117 |
-13 |
|
Contract Audits |
132 |
72 |
-60 |
|
ICT Audits |
155 |
1 |
-154 |
|
ICT Project Audits |
80 |
0 |
-80 |
|
Follow – Up Audits |
27 |
4 |
-23 |
|
TOTAL |
1214 |
815 |
-399 |
7.3 Planned Coverage – Outputs
The table below indicates the extent of completed audit projects against the plan. Overall, 56% of the plan has been achieved. As part of the process to match resources to the plan, a conscious decision was taken not to carry out schools audits during 2005/06 which forms the bulk of planned compliance audits. Historically, schools have been audited every year and therefore it was felt that not to audit the schools for one year was an acceptable risk.
|
Audit Type |
No. Planned
Audits |
No. Completed
Audits |
Planned Time |
Plan time of
completed audits |
Proportion Of
Audit Plan Completed |
|
Compliance Work |
89 |
5 |
134 |
17 |
13% |
|
Financial Systems |
10 |
9 |
220 |
210 |
95% |
|
Operational Audits |
29 |
13 |
300 |
175 |
58% |
|
Anti Fraud Audits |
4 |
2 |
36 |
30 |
83% |
|
Contingency |
0 |
19 |
130 |
130 |
100% |
|
Contracts Audits |
12 |
10 |
132 |
102 |
77% |
|
ICT Audits |
17 |
0 |
155 |
0 |
0% |
|
ICT Project Audits |
3 |
0 |
80 |
0 |
0% |
|
Follow-Up audits |
27 |
10 |
27 |
10 |
37% |
|
TOTAL |
191 |
68 |
1214 |
674 |
56% |
7.4 Assessment of Quality
The internal audit service routinely requests feedback from clients at the closure of an audit assignment. Clients are asked to rate our performance over a range of categories on a scale of 0 to 4 with 0 being poor and 4 being excellent. Our target for 2005/06 was to achieve an overall average score of 3 which equates to “Good”. Our actual average score during 2005/06 was 3.25 which is above our target performance.
7.5 Future Prospects
The performance of the section will significantly improve in 2006/07 onwards following the recruitment of an ICT auditor and two additional trainee internal auditors. This level of resources is in line with the average for unitary authorities based on the number of audit days per million pounds of turnover.
This is the second year that the authority has been obliged to publish a Statement on Internal Control to be published as part of the council’s financial statements. The mechanism for developing the statement relies on Heads of Service producing assurance statements that they are actively managing their risks through the development and maintenance of robust control systems. In circumstances where they are not adequately managing their risks this must be acknowledged in the statement and a plan for remedial action must be identified.
Internal audit’s role as far as the SIC is concerned is to give independent assurance that there are no significant control problems which have not been declared and therefore effectively give assurance that the statements made in the compilation of the SIC are accurate.
Additionally, internal audit, together with colleagues in the Insurance and Risk Management section have worked hard during the year to raise the awareness of risk management across the organisation so that the authority is in a position to sensibly respond to the requirements of the SIC.
(b)
Internal Audit’s Overall Opinion on the State of the
Council’s Internal Control Environment.
During the course of financial year 2005/2006, we have performed audit reviews of the council’s operations and the core financial systems operated by the council in accordance with the agreed annual audit plan for the year. During the course of that work, we found no evidence of significant control weaknesses that would materially damage either the council’s financial standing or its reputation.
Therefore, we can give the Audit Committee reasonable assurance that the internal control system operating in financial year 2005/2006 met the Council’s requirements.
FINANCIAL, LEGAL, CRIME AND DISORDER IMPLICATIONS
9. There are no significant financial or legal implications of this report, given that it is a progress report on the Internal Audit function. The Committee is reminded that the Council is required by statute (the Accounts and Audit Regulations) to have an adequate and effective Internal Audit function.
RELEVANT PLANS, POLICIES, STRATEGIES and PERFORMANCE INDICATORS
10. None
CONSULTATION PROCESS
11. None
BACKGROUND PAPERS USED IN THE PREPARATION OF THIS REPORT
13. Performance management file held by G Richardson - extension 3683