Internal Audit Strategy 2020/2021

“Providing assurance on the management of risks”

Internal Audit Strategy

“Providing assurance on the management of risks”

This document sets out the Internal Audit Strategy 2020/2021 for Stratford-on-Avon District Council. These services are provided by the Internal Audit Team of Warwickshire County Council under a shared service partnership agreement. This document complements the formal contract with Warwickshire County Council for the delivery of Internal Audit, the Audit Charter and the Council’s Risk Management Policy.

Services

All organisations face risks in every aspect of their work: policy making, decision taking, action and implementation, regulation and spending and making the most of their opportunities. The different types of risk are varied and commonly include financial risks, IT risks, supply chain failure, physical risks to people and damage to the organisation’s reputation.

The key to the Council’s success is to manage these risks effectively. The role of the internal audit provider is to help the Council to do this by providing a high quality, comprehensive and cost effective service that complies fully with all relevant professional and regulatory requirements.

Different parts and levels of an organisation play different roles in managing risk, and the interplay between them determines how effective the organisation as a whole is in dealing with risk. The Institute of Internal Auditors uses a three lines of defence model to explain internal audit’s unique role in providing assurance about the controls in place to manage risk:

2

The management of risks is the responsibility of every manager. Sitting outside the processes of the first two lines of defence, audit’s main roles are to ensure that the first two lines of defence are operating effectively and advise how they could be improved.

The role of the Internal Audit Service is, therefore, to support managers by providing the following services:

Assurance

We develop and then deliver a programme of internal audits to provide independent risk based and objective assurance to senior management, the Audit and Standards Committee and ultimately the taxpayers of the area that significant risks are being addressed. To do this, the service will

evaluate the quality of risk management processes, systems of financial and management control and governance processes and report this directly and independently to the most senior level of management. In accordance with regulatory requirements most individual assurance assignments are undertaken using the risk-based systems audit approach and are not usually designed to identify potential frauds.

We give an opinion on how much assurance systems give that significant risks are addressed. We use four categories of opinion: Full, Substantial, Moderate and Limited assurance.

3

A report, incorporating an agreed action plan, will usually be issued for every audit. The results of audits are reported to the relevant managers and to the Council’s Audit and Standards Committee. To assist managers in addressing areas for improvement, recommendations are ranked in order of importance: Fundamental, Significant and Merits Attention.

Advice

Where the Council faces major changes in systems and procedures, we are able to provide advice on the control implications of these changes. The service will act as a critical friend, challenging the design of processes to reduce the risk of project failure.

Our knowledge of the management of risk enables us to challenge current practice, champion best practice and be a catalyst for improvement and provide objective insight so that the Council as a whole achieves its strategic objectives.

So, for example, if a manager is concerned about a particular area of his/her responsibility, working with us could help to identify improvements. Or perhaps a major new project is being undertaken - we can help to ensure that controls are put in place to manage them.

It is more constructive for us to advise on the design of processes during the currency of a change project, rather than to identify problems after the event when often it is too late to make a difference. Timely advice adds more value than untimely criticism.

Irregularities

As a publicly funded organisation, the Council must be able to demonstrate the proper use of public funds. Managers have the responsibility to have systems in place to prevent and detect irregularities. The more complex cases will be investigated by Internal Audit. Minor, straight forward allegations may be referred back to the relevant manager for further investigation with internal audit providing professional support to investigate the matter. We assist by:-

Investigating the allegations; Supporting managers in any subsequent disciplinary action; Liaising as necessary with the Police and insurers; Producing a report identifying control weaknesses to help managers

improve systems to reduce the risk of a recurrence.

4

Challenge

Champion

Catalyst for improvement

Insight

The Council’s Corporate Fraud Officer will continue to concentrate upon fraud in relation to claimants against the Council through Council Tax and will liaise with the DWP where appropriate. He will also review the output from the NFI.

Counter fraud

The service can also undertake specific counter fraud work. This often, however, involves checking large numbers of transactions, for example, travel claims and Procurement Cards, to identify errors and potential frauds. This is time-consuming work and thus these exercises are rarely undertaken.

Context

The Accounts and Audit Regulations 2015 require the Council to have a sound system of internal control which:

facilitates the effective exercise of its functions and the achievement of its aims and objectives;

ensures that the financial and operational management of the authority is effective; and

includes effective arrangements for the management of risk.

The Regulations require accounting systems to include measures to ensure that risk is appropriately managed. Furthermore, the CIPFA/SOLACE governance framework “Delivering Good Governance in Local Government” outlines the need for risk management to be embedded into the culture of the organisation, with members and officers recognising that risk management is part of their jobs.

The requirement for an internal audit function is also contained in the Regulations which require the Council to:

“undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.”

The Council has delegated its responsibilities for internal audit to the Head of Resources & Transformation and Section 151 Officer.

Definition of Internal Auditing

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s

5

operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

The key word in the definition is assurance. The role of audit is not to identify or investigate alleged irregularities; it is to primarily provide reasonable assurance to the organisation (managers, heads of services and the Audit and Standards Committee) and ultimately the taxpayers that the Authority maintains an effective control environment that enables it to manage its significant business risks. We do this by providing risk based and objective assurance, advice and insight. The assurance work culminates in an annual opinion on the adequacy of the Authority’s control environment which feeds into the Annual Governance Statement.

Vision, purpose and values

As a modern, effective Internal Audit service, our aspirations are to:-

Act as a catalyst for improvement at the heart of the organisation;

Influence and promote the ethics, behaviour and standards of the organisation;

Provide an independent and objective opinion on the adequacy of each customers’ arrangements to manage risk;

Develop a risk aware culture that enables customers to make informed decisions;

Be forward thinking; Continually improve the quality of our services.

A key driver of this strategy is the need to meet all our customers’ needs. Our customers will continue to be affected by a variety of local and national issues:-

Increased growth in partnerships; Ever increasing use of technology to deliver services; Flexible working arrangements to make more effective use of

accommodation; The introduction of new ways for customers and the public to

access services; and Pressure to reduce costs while improving quality/effectiveness.

To deliver on our vision we will:-

Continue to develop our staff to ensure we are fully equipped to respond to our customers’ demands;

Continue to invest in modern technology to improve efficiency and effectiveness;

6

Add value and make best use of our resources by focussing on key risks facing our customers;

Increasingly work in partnership with clients to improve controls and performance generally. We must add value and help deliver innovations in service delivery;

Continue to buy in specialist help where necessary.

By embracing these challenges we will be a vital component of the Council’s success.

Workplan 2020/2021

The focus of our work is primarily on the high risk areas as contained in the Council’s risk registers and key corporate processes underpinning the control and governance of the Council. Corporate audits of this nature are a more effective use of limited resources and are key to providing the appropriate assurance to the Council.

7

Figure 1: Key corporate processes

Sound corporate governanceMeans

Doing the right thing….at the right time….in the right way….for the right people

and depends upon

Fina

ncia

l man

agem

ent

HR p

olici

es a

nd p

roce

sses

Perfo

rman

ce m

anag

emen

t

Prog

ram

me

and

proj

ect m

anag

emen

t

Effec

tive

scru

tiny

Com

plyi

ng w

ith le

gisla

tion

Com

miss

ioni

ng a

nd p

rocu

rem

ent

Cont

ract

Man

agem

ent

Busin

ess p

lann

ing

Open

and

tran

spar

ent d

ecisi

on m

akin

g

Man

agin

g pa

rtner

ship

sTo ensure the best use of limited audit resources, audit work needs to be carefully planned. The plan is developed in consultation with senior managers and takes account of the Council’s aims, strategies, key objectives, associated risks, and risk management processes. It also takes into account those topics which have not recently been audited or which feature in the Council’s risk register or which, when last audited, received a low opinion. In addition, auditors regularly attend various professional networking meetings which highlight the wider issues affecting public sector internal audit, and which need to be reflected in the programme of work.

In line with the Council’s objectives, auditors will pay particular attention to providing advice and insight concerning instances of over-control and streamline processes.

To minimise duplication and make the best use of limited resources, we aim to rely on work undertaken by other assurance providers rather than undertake our own detailed checks. If these arrangements are sound, future audit work on the topics covered can be limited.

8

Although our roles and responsibilities are different, the service liaises closely with the Council’s external auditors.

The majority of the audit plan will be provided by the Internal Audit Service of Warwickshire County Council but external parties may be employed to provide support in specialist areas, for example IT Audit, and to cope with peaks in demand.

Our approach for 2020/2021

As in previous years, the plan covers one year. This is accepted best professional practice. The focus of our work continues to be primarily on the high risk areas, key change programmes and key corporate processes. Audits of this nature are a more effective use of limited resources and are key to providing the appropriate assurance to the Council that its overall governance arrangements remain effective.

Based upon the discussions to date and our professional judgement, an indicative priority has been allocated to each potential topic. The Council’s strategic risks and the key planned work to provide assurance on these risks are shown in Annex 1. Annex 2 shows those topics that we are planning to audit together with an illustrative list of topics that we are not planning to audit, based upon the existing level of resources. Demonstrating the assurances planned on each strategic risk and being transparent about auditable topics that cannot be audited are key requirements of internal audit professional standards. In developing the list of planned topics, we have taken into account existing management processes and oversight by support functions such as Finance, HR and Legal. This approach will continue to be further refined in future plans.

There will inevitably be circumstances where the Internal Audit Manager will have to amend the programme, for example, when risks change or a specific project becomes a matter of priority. There may be cases where individual lower priority audits have to be rescheduled because of competing priorities. In-year changes to the plan to reflect such changes are accepted as best practice. The plan will, therefore, be continually reviewed throughout the year to ensure it remains relevant. Changes will be reported to the Audit and Standards Committee and discussed at the regular liaison meetings with the Head of Resources & Transformation and Section 151 Officer.

We adopt a pro-active approach to new initiatives and systems changes. This is because it is more constructive for us to advise on the design of processes during the currency of a change project rather than to identify problems after the event when often it is too late to make a difference. Our general approach on new systems/initiatives is, therefore, to:-

provide advice on the design of processes and controls; and

9

undertake, shortly after the new processes become live, an audit to provide assurance that operation of the revised / new system is sound.

The Council is fortunate in not having a large number of irregularities. Specific provision has not, therefore, been included in the plan for investigations. Should an investigation be required, it will replace a planned job, unless the Council commissions extra days. Note that the service is not responsible for investigating fraudulent benefit claims.

Although internal auditors consider value-for-money issues where relevant during risk based audits, specific value-for-money audits are not usually undertaken and none have been included in this year’s plan.

Quality Assurance and Improvement Programme

The PSIAS require the Internal Audit Manager to develop and maintain a quality assurance and improvement programme (QAIP) covering all aspects of the internal audit activity.

The QAIP includes internal assessments, periodic self-assessments and external assessments. It is not only designed to assess the efficiency and effectiveness of Internal Audits, but also to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the PSIAS and an evaluation of whether internal auditors apply the Code of Ethics. As part of this we have an Audit Manual based on accepted professional practice which, as well being compliant with the PSIAS, builds quality into every stage of the audit process. A summary of the QAIP is shown in Annex 3.

Paul Clarke David AshleyInternal Audit Manager Engagement Manager

March 2020

10

Annex 1

Strategic Risks

Risk Net Risk

Score

Summary of past internal audit

coverage

Responsible Manager

Planned Assignments

Financial Sustainability 8 Strategic, financial & business planning (Budget Process): 2017/18 – Substantial.Procurement: 2018/19 – Limited.Contract Management: 2018/19 – Substantial.Debtors: 2018/19 - Moderate.Creditors: 2018/19 – Substantial.Strategic, financial & business planning: 2019/20 – Advisory.Procurement: 2019/20 – Advisory.Insurance: 2019/20 – Substantial.Economic Growth inc. Capital Expenditure: 2019/20 – In ProgressIT – PCIDSS Compliance:

Head of Resources & Transformation and S151 Officer

Procurement Vehicle parking VAT General Ledger

Risk Net Risk

Score

Summary of past internal audit

coverage

Responsible Manager

Planned Assignments

2019/20 – In ProgressBank Rec: 2019/20 – In ProgressPayroll: 2019/20 - FullTreasury Management: 2019/20 – Substantial.Council Tax:2019/20 – Substantial.

Welfare reforms combined with planned reductions/budget pressures in social care, health and community safety provision by other agencies impact on the most vulnerable members of the Community.

6 Homelessness: 2016/17 – Moderate.Empty Homes:2016/17 – Moderate. Community Safety: 2018/19 – Full.CCTV: 2018/19 - Substantial.Surveillance Devices: 2018/19 – Moderate. Homelessness and Temporary Accommodation: 2019/20 – Substantial.

Head of Customer Services

Housing Benefits

Unable to optimise economic growth in the District.

9 Economic development & tourism:2017/18 – Substantial. Economic Growth inc. Capital Expenditure:

Deputy Chief Executive

NNDR

12

Risk Net Risk

Score

Summary of past internal audit

coverage

Responsible Manager

Planned Assignments

2019/20 – In ProgressInability to progress the Core Strategy and future updates which meet statutory targets and assessed infrastructure needs, including affordable housing.

8 Planning (Development Control):2017/18 – Substantial.CIL: 2018/19 - Substantial.Building Control: 2019/20 – Substantial.

Deputy Chief Executive/ Head of Regulatory Services

New Land Charges System

S106

Safeguarding Children and Vulnerable Adults - inability to take action to avoid abuse, injury or death.

8 Safeguarding: 2016/17 – Substantial.Licencing: 2017/18 – Moderate.Safeguarding: 2019/20 - Substantial

Chief Executive Licencing

Inability to respond to an Emergency facing our communities

8 Emergency Planning:2017/18 – Moderate.

Head of Regulatory Services

Emergency Planning

Inability to maintain services following an event

8 Business Continuity: 2015/16 – Limited.Business Continuity: 2017/18 – Limited.Business Continuity: 2018/19 – Substantial.IT Disaster Recovery: 2018/19 – In Progress

Head of Customer Services

Failure to meet the Health & Wellbeing needs of residents

9 Health and wellbeing: Head of Customer

13

Risk Net Risk

Score

Summary of past internal audit

coverage

Responsible Manager

Planned Assignments

2014/15 – Substantial.Environmental Health: 2018/19 – Substantial.

Services/ Head of Regulatory Services

Gaps in statutory compliance and/or operational weaknesses in Information Governance

6 Information Governance: 2014/15 – Substantial. Information Governance (GDPR): 2018/19 – Substantial.IT – Remote access and mobile devices:2018/19 – Substantial.IT – GDPR:2019/20 – Moderate.

Head of Law & Governance

Complaints Process Consultation Process

Delays in fully implementing a new Land Charges system and implementing required changes

12 2019/20 - Advice Head of Law & Governance

New Land Charges System

BREXIT – managing uncertainty about impact and outcomes

8 None. Chief Executive

14

Annex 2Workplan 2020/2021

1. Planned WorkService Topic Potential control /

governance issueProposed Audit Coverage Indicative

timing (Qtr)

Chief Executive Complaint Process Reputation Review arrangements, including: Governance Communication Independence Appeals Process/Ombudsman

2

Consultation Process

Reputation Review arrangements, including: Governance Communication Data and Findings

1

Deputy Chief Executive

Climate Emergency Reputation The Council has declared a ‘Climate Emergency’ with an aim to be carbon-neutral by 2030. Internal Audit to provide independent advice on the response as it is developed.

1-4

Community Vehicle Parking Previous Limited Opinion Assurance that issues identified in previous Limited Opinion audit

3

Service Topic Potential control / governance issue

Proposed Audit Coverage Indicative timing (Qtr)

and Operational Services

have been satisfactorily addressed and changes are embedded and processes are now operating efficiently and effectively.

Waste Key contract. Review arrangements, including: Performance monitoring and

reporting Appropriate action is taken to

address poor performance Payments to contractor are only

made in accordance with the contract

Re-tendering Arrangements

1

Customer Services

NNDR Key system. Review arrangements, including: Income collection Reconciliations Appeals Refunds Write-offs Shared Service provision Reliefs and Exemptions

2

Housing Benefits Key system. Review arrangements, including: Verification of new applications and

change of circumstances; The payments process;

3

16

Service Topic Potential control / governance issue

Proposed Audit Coverage Indicative timing (Qtr)

Overpayments, classifications and recovery; and

Data validation, quality and performance management processes.

Law & Governance

Land Charges1 Significant change to a high profile system.

Issues with implementing the new system.

Assurance that new system and processes are embedded and operating efficiently and effectively, including security model, speed of response to requests and reconciliations.

Ongoing advice on risk and control implications of the changed processes.

2

Regulatory Services

Emergency planning

Legislative requirements Review arrangements, including: Strategy Resources Communications

4

Licensing Regulatory and welfare Review arrangements, including: 21 The project is ongoing and so the timing may change.

17

Service Topic Potential control / governance issue

Proposed Audit Coverage Indicative timing (Qtr)

arrangements. Income collection and reconciliations

Performance monitoring and reporting

Adherence to legislation and national guidance

s.106 Key System Review arrangements, including: Income collection Administration of s.106

agreements incl. performance monitoring and tracking

Adherence to legislation and national guidance

3

Resources and Transformation

Corporate Property Asset management strategy Review of strategic assets.

Implementation and adherence to legislation and good practice (CIPFA).

3

General Ledger Assurance over the integrity of the General Ledger system

Review of design and operation of controls including:

2

18

Service Topic Potential control / governance issue

Proposed Audit Coverage Indicative timing (Qtr)

including Interfaces and Access controls.

interfaces with feeder systems. access controls. prompt, complete and accurate

clearance of suspense and control accounts.

a clear control framework has been set and this is being rigorously applied.

IT Audits Cyber Security

Remote Working

Microsoft 365

1 - 4

Procurement Key corporate process. Robust process essential to deliver value for money.

Assurance that issues identified in previous Limited Opinion audit have been satisfactorily addressed and changes are embedded and procurement processes are now operating efficiently and effectively.

3

VAT Key process. Accuracy and completeness of returns.

3

In addition to the specific tasks outlined above a small allocation of time has been reserved for:

providing pro-active advice/consultancy on new initiatives and projects on the basis that this is a constructive and effective use of limited resources.

supporting the Senior Management Team in discharging their overall responsibility for risk management.

19

completing 2019/20 audits which have not been finalised as at 31 March 2020.

This plan is indicative and may need changing should priorities / risks change.

20

2. Illustration of auditable topics not planned for 2020/2021

In addition to the coverage of key risk areas discussed at Annex 1 the following medium and low risk topics are not planned for 2020/21. In prioritising these topics we have taken into account a range of factors including the results of previous audits, management requirements for assurance and links to strategic risks. Only audits completed in the last 4 years are shown.

Topic Priority Last audited

Business Continuity M 2018/19 Substantial

CCTV M 2018/19 Substantial

Contract Mangement M 2018/19 Substantial

Creditors (inc P Cards) M 2018/19 Substantial

Data centre security M

Economic Development & Tourism M 2017/18Substantial

Elections M

Environmental Health M 2018/19Substantial

Freedom of information M 2017/18 Substantial

Gypsy & travellers M

HR M 2017/18Substantial

Information Governance M 2018/19Substantial

IT – Disaster Recovery M 2018/19Moderate

Leisure M 2016/17Substantial

Partnerships M

Performance management M 2017/18Substantial

Planning (Community Infrastructure Levy) M 2018/19Substantial

Risk Management M 2018/19

Topic Priority Last auditedModerate

Surveillance Devices M 2018/19 Moderate

Communications / media L

Community Safety L 2018/19 Full

Consultants L

Contact centre L

Health & safety L

Investment management L

IT - Database security & administration L 2017/18Substantial

IT - Development L 2015/16 Substantial

IT change management L 2014/15 Substantial

IT Software licensing L

IT - User access L

Learning, development & training L

Legal services L

Markets L

Members allowances L 2014/15 No Opinion Given

Pest control L

Programme / project management L 2015/16 Moderate

Streetscene L

22

Annex 3QAIP