PAPER D

 

 

PURPOSE

 

The purpose of this report is to inform the Audit Panel of the proposed internal audit activity for the next three years.

 

ACTION REQUIRED BY AUDIT PANEL   The audit panel is requested to :   (i)                  endorse the methodology used to construct the audit plan; (ii)                consider the relative priorities, frequencies and amounts of time devoted to areas of council activity; (iii)               note the reservations made in this report about audit resources; and (iv)              make recommendations about the priorities of the audit teams work.

 

BACKGROUND 

 

The council is the largest employer on the island, spending and receiving around £327 million per annum and employing around 5,000 staff. In addition, it manages its own pension fund valued at £150 million. The council seeks to achieve its objectives through the maintenance of a comprehensive system of risk management that should ensure that services are delivered in a proper, economic, efficient and effective manner. Internal audit’s role is to assess the adequacy and effectiveness of the risk management system and in particular the quality of the internal control arrangements designed to mitigate risks. Internal audit is part of the control regime and being a finite resource, needs to plan and allocate resources in a rational and systematic way in order to ensure that all the council’s activities receive an appropriate amount of attention.

 

The strategic audit plan that is attached to this report at Appendix A is the result of a systematic planning process that has involved:

  

v      A risk assessment process using a computerised planning system

v      Consultation with stakeholders including heads of service and the audit commission.

 

 

The plan sets out the specific activities to be audited, the audit approach to be adopted and the time needed to execute the audit. Clearly, there are some activities and systems that need to be audited more frequently than others. This is illustrated by the approach to the council’s main financial systems such as the main accounting system where we need to be able to give annual assurance that these systems are operating in line with management’s expectations and can be relied upon to provide accurate information for the production of the authority’s published financial statements.  Resource allocation to other areas of the plan and in particular the frequency of review is based on risk assessment and available audit resources, the idea being to match risk with internal audit resource.

 

From IPF benchmarking data, the audit resources available to the Isle of Wight Council are still 30% below the average for unitary authorities at 7.6 ftes against the unitary average of 10ftes. As a consequence, resources are only adequate to provide the most basic coverage and as can be seen many lower risk activities will not be audited in the next three years. Moreover, we do not have the capacity to perform value for money audits due to the overarching requirements of the need to provide assurance regarding risk management arrangements.

 

Existing audit resources, after making allowances for training and other indirect activity are included in summary in the plan. The number of available days totals 1,283 which broadly matches the resource rationed plan.

 

RELEVANT PLANS, POLICIES, STRATEGIES AND PERFORMANCE INDICATORS

 

None

 

CONSULTATION PROCESS

 

The strategic plan has been consulted on with Heads of Service, Strategic Directors and the Audit Commission.

 

BACKGROUND PAPERS USED IN THE PREPARATION OF THIS REPORT

 

Audit planning file held by G. Richardson

 

Contact point: G.B. Richardson, Chief Internal Auditor, 3683

 

 

GB RICHARDSON

Chief Internal Auditor

 

Foreword

 

STRATEGIC AUDIT PLAN 2004 – 2007

 

 

Internal Audit is a statutory function for which the council must make provision under the Accounts and Audit Regulations 2003. The council has delegated this responsibility to the Chief Financial Officer, who is the council’s responsible financial officer under section 151 of the Local Government Act 1972 for the proper administration of the council’s financial affairs.

 

The council’s statutory duty to ensure probity and value for money in the conduct of its business is achieved through the maintenance of a comprehensive system of risk management and internal control. The system of internal control is comprised of policies, plans and control procedures designed and applied to ensure that the council’s objectives are met. Internal audit is part of this control regime which, through its status, professionalism and organisational independence should be able to offer an independent and objective appraisal of the adequacy and effectiveness of the risk management and internal control system in supporting the achievement of organisational objectives.

 

To be effective internal audit needs to plan its work having regard to the relative risks associated with the councils business since audit resources are finite and must be distributed in some rational way. Much of the plan is therefore designed to prevent things going wrong by pro-actively testing that the council’s arrangements for managing risks are effective in delivering organisational objectives. Individual audits have been risk assessed using a computerised audit planning system that ranks each audit project against a series off weighted risk criteria producing a risk score for each audit. The higher the risk score, the more frequently the area will be audited. The heaviest weighting in the risk model is given to the extent to which an activity will contribute to the achievement of the council’s strategic vision.

 

Equally, it is important that the plan is not produced in isolation without major stakeholders having the ability to influence the plan’s content and relative priorities. This plan has been developed in consultation with senior managers in all directorates, because managers and administrators in directorates are ultimately responsible for achieving control. It is they who know what potentially can go wrong, understand their particular subject best of all and know what developments are coming in the future. The plan therefore takes account of the views of those being audited, especially in terms of developing issues, the preferred timings of audits and the amount of time that directorates feel is appropriate for particular areas.

 

The Audit Commission (the Council’s external auditor) is one of the key stakeholders of our service and has also been consulted about the plan. They rely heavily on our assurance work regarding core financial systems to enable them to place reliance on the outputs and hence complete their audits of the published financial statements in a timely and efficient manner. The frequency of core systems audits therefore deviates from the norm as far as using risk as the basis for audit resource allocation in that we have to review core systems each year regardless of the perceived level of risk to support our external audit colleagues.

 

There is provision in the plan to support the contracting process. Our traditional role has been to test the effectiveness of controls that operate within the whole tendering and contracting process. We intend to continue to concentrate on this aspect of our work but if the need arises for us to become more directly involved in any one particular procurement process, we shall.

 

There is an increasing need to pay particular attention to developments in Information Communications Technology (ICT). The plan makes provision for two strands of ICT audit coverage. The first involves using an internationally recognised set of ICT audit standards called COBIT to assess all aspects of the management arrangements over the ICT function over the three years plan period. The second strand involves auditing ICT projects under development in real time to give ongoing assurance that projects are on course to be successfully implemented. Examples of the projects we will be involved with are the E Procurement initiative, the customer relationship management system and the new social services case management system, SWIFT.

 

At the front of the attached strategic plan is a table showing how the expected productive time for financial year 2004/05 was computed, taking account of unavoidable lost time such as annual leave and bank holidays. This shows that inter alia, we expect an average productive contribution of 167 days per staff member.

 

The content of the plan has been prepared in the context of existing staff resources which unfortunately are inadequate to deliver any more than the most basic of internal audit coverage, barely satisfying statutory obligations.  The accountancy and internal auditing profession has long recognised that the greatest “added value” that can be derived from internal audit activity is through its review of operations and how resources are managed. Thus the best practice guidelines suggest that operational auditing is the core business of internal auditing. The table below indicates the audit coverage we are able to provide with existing resources:

 

 

AUDIT SCOPE	Capacity	Capability
Financial Systems Audit	F	F
Compliance Audit	P	F
Risk based operational audits	P	F
ICT Audit	F	F
Contract Audit	F	F
Value for Money Audits	U	F

 

Key: F = Full

        P = Partial

        U = Unable

 

The staff resources available to the Isle of Wight Council’s Audit Service compare unfavourably with other unitary authorities. The average staffing level for unitary authorities nationally is 5 productive audit days per annum per £1m of turnover. By this measure, the Isle of Wight would need 10 full time equivalent auditors to equate with the average for all unitary authorities. The current budget supports 7.6 full time equivalent auditors or some 2.4 f.t.e.s below the average. A significant potential contributor to the improvement of the council’s performance is, therefore, not being adequately resourced to fulfil this valuable role. It is also difficult to see how the service can achieve the highest ranking under the CPA regime when the scope of its work is of necessity restricted.

 

This document sets out where internal audit will direct its attention over the next three years based on existing resources. It includes information on the risk rating of the audit, the frequency of review, and the estimated time budget to perform the assignment. The Plan looks ahead for three years and although care has been taken to make it as relevant and up to date as possible, it will inevitably change.

 

GB Richardson

Chief Internal Auditor

 

 

July 2004

 

Expected Audit Resources 2004/2005
	AUDITOR	CIA	AUDITOR	AUDITOR	AUDITOR	AUDITOR	AUDITOR	AUDITOR	ADMIN.	TOTAL
Total Days Available	261	261	170	212	212	204	261	261	64	1906
Less:
Annual Leave	20	25	16	20	28	16	20	26	5.5	176.5
Bank Holidays	11.5	11.5	8	10	10	8	11.5	11.5	6.25	88.25
Training	10	10	10	10	28	10	10	10	1	99
Management	10	60								70
Administration	12	15	11	12	12	11	15	15	30	133
Sickness	5	5	10	10	5	10	5	5	1	56
Total Indirect Time	68.5	126.5	55	62	83	55	61.5	67.5	43.75	622.75
Net Productive Time	192.5	134.5	115	150	129	149	199.5	193.5	20.25	1283.25
Productivity % excl A/L and B/H	84	60	79	82	74	83	87	87	39	78
Productivity %	74	52	68	71	61	73	76	74	32	67
Average WTEs	7.30
Maximum Productive Days WTE	175.72

 

 

STRATEGIC AUDIT PLAN	RISK	FREQ.	2004/05	2005/06	2006/07
	RATING	YEARS	DAYS	DAYS	DAYS
COMPLIANCE AUDITS:
EDUCATION AND COMMUNITY DEVELOPMENT
SCHOOLS
Primary Education	C	1	45.5	48	40.5
Middle Schools	B	1	13	10.5	20.5
High Schools	B	1	5	5	5
Special Schools	C	1	3.5	1	1
Education Other
Nursery Education/Early Years	C	4
School Meals	D	5
Special needs	C	4	3
AV Unit	C	4	3
Teachers Pay	A	2	3		3
PLASC	B	3		3
School Bank Accounts Year End Reconciliation	D	5
School Handbook	D	5
COMMUNITY SERVICES
Leisure Centres	C	4		12	3
One Card System	C	4		3
Tourist Information Centres	B	3		3
Libraries	D	5
Archives	D	5
Parks and Gardens	B	3	5
Beaches and Esplanades	A	2	3		3
Ventnor Botanic Gardens	C	4			3
Museums	C	4		6.5
Arts and Theatres	C	4	6
Branstone Farm	D	5
School Music Services	D	5
IW County Music Centre	D	5
Pop Festival	A	1	3	3	3
	RISK	FREQ.	2004/05	2005/06	2006/07
FINANCIAL SERVICES DEPARTMENT	RATING	YEARS	DAYS	DAYS	DAYS
Bankline	A	1	2	2	2
VAT	D	5
Controlled Stationery	D	5
Bank Reconciliation	C	4
Petty Cash	D	5
Banking Arrangements	D	5
Inventories/Assets	C	4			3
ENVIRONMENTAL SERVICES
Highways
Other Highways Income	D	5
Cowes Ferry	B	3			3
Public Transport Support	A	2	6		6
Coastal Protection
SCOPAC	D	1	1	1	1
Certification checks	B	1	1	1	1
Consumer Protection
Licensing	C	4	3
Administration	C	4		3
Planning
Developmental Control	B	3	3
Property Services
Markets	C	4			3
FIRE AND RESCUE	RISK	FREQ.	2004/05	2005/06	2006/07
	RATING	YEARS	DAYS	DAYS	DAYS
Fire and Rescue
Retained Firefighters Pay	B	3		3
Fire Safety	C	4			3
Ryde Training Centre	D	5
Annual Leave Arrangements	D	5
SOCIAL SERVICES AND HOUSING
Childrens Services Resources
Fostering	B	3	3
Section 17	A	2	3		3
Service Centre	B	3			3
Adult Operations
Direct Services
Resource Centres	A	2	3		3
Westminster House (LD)	D	5
Home care services including alarms	A	2	3
Daycare Elderly/Other Services	C	4		3
Fieldwork
Pooled Budgets for Nursing Care	B	3	3
Residential Care	B	3			5
CSDP/Occupational Therapists	C	4		3
Mental Health Day Centres	B	3	3
Finance and Administration
Neighbourhood Offices	C	4
Central Services
Support Services at HQ	C	4			3
ESF/SRB Grants	C	4		3
Contracts/SLAs including Meals on Wheels	C	4		6
Housing
Improvement Grants	A	2	3		3
	RISK	FREQ.	2004/05	2005/06	2006/07
CORPORATE SERVICES	RATING	YEARS	DAYS	DAYS	DAYS
Policy
Grants to Outside Bodies	D	5
Births, Deaths & Marriages Registrars	D	5
Legal and Democratic Services
Members Allowances	C	4		3
CORPORATE ISSUES
Car Loans/Removal Expenses	D	5
Travelling & Subsistence	D	5
Telephone Services	D	5
TOTALS			130	123	124

 

 

FINANCIAL SYSTEMS	RISK	FREQ.	2004/5	2005/6	2006/7
	RATING	YEARS	DAYS	DAYS	DAYS
Main Systems
Main Accounting	C	1	20	20	20
Housing Benefit	A	1	40	40	40
Council Tax	B	1	20	20	20
NNDR	D	1	10	10	10
Creditors	B	1	30	30	30
Customer Accounts	C	1	20	20	20
Payroll	B	1	20	20	20
Pension Benefits/Contributions	C	1	20	20	20
Corporate Finance
Pension Investments	D	4		20
Formula Spending Share (FSS)	A	2		20
Treasury Management	B	2		10
Insurance and Risk Management	D	4
Capital	B	2	20		20
TOTAL			200	230	200

 

 

OPERATIONAL AUDITS	RISK	FREQ.	2004/05	2005/06	2006/07
	RATING	YEARS	DAYS	DAYS	DAYS
EDUCATION
Overall Management Arrangements	A	2	20		10
Education
Behavioural Support	C	4			10
Education Welfare	B	3		10
Home to School Transport	C	4			10
Youth and Community	A	2	10		5
Student Services	C	4			10
Financial Services	D	5		5
Schools Inspectorate	A	2	10		5
Community Development
Wight Leisure	A	2	10		5
IW Tourism	A	2	10		5
Libraries	C	4			10
Museums	C	4			10
Arts and Theatres	C	4			10
ENVIRONMENT SERVICES
Overall Management Arrangements	A	2	20		10
Maintenance
Highway Maintenance	B	3		10
Waste Management	B	3			10
Cleansing and Litter Management	C	4	10
Public Conveniences	D	5	10
Electrical Services	C	4		10
Design
Development Control	C	4			10
Car Parks	D	5		10
Road Safety	D	5		10
County Transport	D	5		5
Rights of Way	C	4			10
	RISK	FREQ.	2004/05	2005/06	2006/07
Coastal Management	RATING	YEARS	DAYS	DAYS	DAYS
Coastal Protection	A	2	10		5
Consumer Protection
Environmental Health General	A	2	10		5
Trading Standards	D	5		5
Bereavement Services	C	4			10
Planning
Planning Policy	C	4			10
Development Control	B	3		10
Building Control	D	5		5
Countryside Services	C	4			10
Property Services
Industrial Sites	C	4			10
Building Maintenance	C	4			10
Property Management - New System	A	3	10
Energy	D	5		5
FIRE AND RESCUE SERVICE
Overall Management Arrangements	A	2		20
Emergency Planning & Community Safety
Emergency Planning & Community Safety	C	4			10
SOCIAL SERVICES AND HOUSING
Overall Management Arrangements	A	2	20		10
Childrens Services
Childrens Services	A	2	10		10
ISP/New Care Leavers Grant	B	3		10
Fostering and Adoption	B	3		10
Childrens Disability Team	B	3		10
Adult Services	RISK	FREQ.	2004/05	2005/06	2006/07
	RATING	YEARS	DAYS	DAYS	DAYS
Homecare Services	A	2	10
Care Management & Needs Assessment	A	2	10
Learning Difficulties (Ryde)	B	3		10
Drug Action Team
Drug Action Team	C	4	10
Mental Health
Management of Mental Health Services	B	3		10
Housing
Supporting People	B	1	10	10	10
Homelessness	A	2	10		10
Enforcement	D	5		5
CORPORATE SERVICES
Overall Management Arrangements	A	2	20		10
Economic Development
Economic Development	B	3		10
Human Resources
Human Resource Management	A	2	10		10
The Learning Centre	A	2		10
Legal and Democratic Services
Legal Services - General	D	5		10
Local Land Charges	D	5		5
Electoral Services	C	4			10
Business Services
Customer Service Centre/Post Room	D	5		5
Print Unit	D	5	10
Policy	RISK	FREQ.	2004/05	2005/06	2006/07
	RATING	YEARS	DAYS	DAYS	DAYS
Town & Village Forums	C	4			10
CORPORATE ISSUES
Partnerships	A	1	10	10	10
Agenda 21/ISO 140000	B	1	20	20	20
Crime and Disorder	B	3		10
CORPORATE GOVERNANCE
Overall Management Arrangements
Governance Framework	A	1	25	20	20
Risk Management System	A	1	25	20	20
Performance Indicators	A	1	25	20	20
Provision for corporate risk reviews	B	1		100	100
TOTAL			355	410	470

 

 

ANTI FRAUD AUDITS	RISK		2004/5	2005/6	2006/7
	RATING		DAYS	DAYS	DAYS
Reviewing Policies & Procedures
Gifts and Hospitality	C			1
Codes of Conduct	B			5
Registers of Interest	D				1
Financial Regulations	D				5
Standing Orders as to Contracts	D				5
ICT Security	B			5
Anti-Fraud & Corruption Policy	B		3
Confidential Reporting	B		3
Fraud and Irregularity Procedure	B		3
Fraud awareness training workshops	B		10	10	10
Pro-Active Fraud Detection Work
Granting of Permissions	A		30
Claims Based Payments	A			30
Contract Awards	A				30
NFI	A		10		10
TOTAL			59	51	61

 

 

	RISK	FREQ.	2004/5	2005/6	2006/7
	RATING	YEARS	DAYS	DAYS	DAYS
CONTRACTS AUDITS
ONGOING WORK
Final Accounts	A	1	20	18	18
Contracts Administration			10	10	10
Pre Tender Work	A	1	14	12	12
Contracts Advice	B	1	5	5	5
Current Contracts	A	1	12	12	12
Post Contract Reviews	A	1	5	5	5
Financial Evaluations	A	1	5	5	5
SPECIFIC PROJECTS
Service Contracts Monitoring	A	1	7	15	15
Use of Consultants	A	2	25		15
Section 106 Agreements	C	4	20
Provision for Collaborative Working	B	3	6
Social Services Contracting Processes	A	3	15
Education Contracting Processes	A	3		15
Leisure Contracting Processes	A	3		10
Form of Contract Use	B	3			10
Coast Protection Capital	B	3			20
TOTAL			144	107	127

 

 

	RISK	FREQ.		2004/5	2005/6	2006/7
	RATING	YEARS		DAYS	DAYS	DAYS
ICT AUDIT PLAN
Define a strategic IT plan	B	3		10
Define the information architecture	B	3		10
Determine the technology direction	B	3		10
Determine the IT organisation and relationships	B	3			10
Manage the IT investment	A	2			10
Communicate management aims and directions	B	3				10
Manage human resources	B	3			5
Ensure compliance with external requirements	A	1		10	10	10
Assess risk	A	1		5	5	5
Manage projects	B	2			10
Manage quality	A	1		5	5	5
Identify automated solutions	B	3				10
Acquire and maintain application software	B	2			10
Acquire and maintain technology infrastructure	A	1		10	10	10
Develop and maintain procedures	B	2			10
Install and accredit systems	B	2			10
Manage changes	A+	1		5	5	5
Define and manage service levels	B	3		10
Manage third party services	B	3			10
Manage performance and capacity	B	2		10		10
Ensure continuous service	A+	1		5	5	5
Ensure systems security	A+	1		10	10	10
Identify and allocate costs	B	2			10
Educate and train users	B	3				10
Assist and advise customers	B	3				10
Manage the configuration	A	1		5	5	5
Manage problems and incidents	A	1		5	5	5
Manage data	A+	1		5	5	5
Manage facilities	A	1		5	5	5
Manage operations	A+	1		5	5	5
TOTAL				125	160	125

 

 

PROJECT AUDITS	RISK		2004/05	2005/06	2006/07
	RATING		DAYS	DAYS	DAYS
Gags (DIP/CRM/BPR/Info Mgt/FOWG)	A		68	68	68
eGovernment (IEG,ePIPS,ePROCUREMENT,eForms etc	A		20	7
ACCISS Replacement	B		8	7
TOTAL			96	82	68

 

 

FOLLOW - UP AUDITS			2004/05	2005/06	2006/07
			DAYS	DAYS	DAYS
TOTAL			32.5	50	50

 

 

STRATEGIC PLAN 2004 - 2007			2004/05	2005/06	2006/07
			DAYS	DAYS	DAYS
SUMMARY SHEET
Compliance Audits			130	123	124
Financial Systems Audits			200	230	200
Operational Audits			355	410	470
Anti Fraud and Corruption Audits			59	51	61
Contracts Audits			144	107	127
ICT Audits			125	160	125
Project Audits			96	82	68
Follow-Up Audits			32.5	50	50
Contingency			130	130	130
TOTAL			1271.5	1343	1355