Internal Audit Strategy 2020/2021
“Providing assurance on the management of risks”
This document sets out the Internal Audit Strategy 2020/2021 for Stratford-on-Avon District Council. These services are provided by the Internal Audit Team of Warwickshire County Council under a shared service partnership agreement. This document complements the formal contract with Warwickshire County Council for the delivery of Internal Audit, the Audit Charter and the Council’s Risk Management Policy.
Services
All organisations face risks in every aspect of their work: policy making, decision taking, action and implementation, regulation and spending and making the most of their opportunities. The different types of risk are varied and commonly include financial risks, IT risks, supply chain failure, physical risks to people and damage to the organisation’s reputation.
The key to the Council’s success is to manage these risks effectively. The role of the internal audit provider is to help the Council to do this by providing a high quality, comprehensive and cost effective service that complies fully with all relevant professional and regulatory requirements.
Different parts and levels of an organisation play different roles in managing risk, and the interplay between them determines how effective the organisation as a whole is in dealing with risk. The Institute of Internal Auditors uses a three lines of defence model to explain internal audit’s unique role in providing assurance about the controls in place to manage risk:
The management of risks is the responsibility of every manager. Sitting outside the processes of the first two lines of defence, audit’s main roles are to ensure that the first two lines of defence are operating effectively and advise how they could be improved.
The role of the Internal Audit Service is, therefore, to support managers by providing the following services:
Assurance
We develop and then deliver a programme of internal audits to provide independent risk based and objective assurance to senior management, the Audit and Standards Committee and ultimately the taxpayers of the area that significant risks are being addressed. To do this, the service will evaluate the quality of risk management processes, systems of financial and management control and governance processes and report this directly and independently to the most senior level of management. In accordance with regulatory requirements most individual assurance assignments are undertaken using the risk-based systems audit approach and are not usually designed to identify potential frauds.
We give an opinion on how much assurance systems give that significant risks are addressed. We use four categories of opinion: Full, Substantial, Moderate and Limited assurance.
A report, incorporating an agreed action plan, will usually be issued for every audit. The results of audits are reported to the relevant managers and to the Council’s Audit and Standards Committee. To assist managers in addressing areas for improvement, recommendations are ranked in order of importance: Fundamental, Significant and Merits Attention.
Advice
Where the Council faces major changes in systems and procedures, we are able to provide advice on the control implications of these changes. The service will act as a critical friend, challenging the design of processes to reduce the risk of project failure.
Our knowledge of the management of risk enables us to challenge current practice, champion best practice and be a catalyst for improvement and provide objective insight so that the Council as a whole achieves its strategic objectives.
So, for example, if a manager is concerned about a particular area of his/her responsibility, working with us could help to identify improvements. Or perhaps a major new project is being undertaken - we can help to ensure that controls are put in place to manage them.
It is more constructive for us to advise on the design of processes during the currency of a change project, rather than to identify problems after the event when often it is too late to make a difference. Timely advice adds more value than untimely criticism.
Irregularities
As a publicly funded organisation, the Council must be able to demonstrate the proper use of public funds. Managers have the responsibility to have systems in place to prevent and detect irregularities. The more complex cases will be investigated by Internal Audit. Minor, straightforward allegations may be referred back to the relevant manager for further investigation with internal audit providing professional support to investigate the matter. We assist by:-
Investigating the allegations;
Supporting managers in any subsequent disciplinary action;
Liaising as necessary with the Police and insurers;
Producing a report identifying control weaknesses to help managers improve systems to reduce the risk of a recurrence.
[Figure: Challenge; Champion; Catalyst for improvement; Insight]
The Council’s Corporate Fraud Officer will continue to concentrate upon fraud in relation to claimants against the Council through Council Tax and will liaise with the DWP where appropriate. He will also review the output from the NFI.
Counter fraud
The service can also undertake specific counter fraud work. This often, however, involves checking large numbers of transactions, for example, travel claims and Procurement Cards, to identify errors and potential frauds. This is time-consuming work and thus these exercises are rarely undertaken.
Context
The Accounts and Audit Regulations 2015 require the Council to have a sound system of internal control which:
facilitates the effective exercise of its functions and the achievement of its aims and objectives;
ensures that the financial and operational management of the authority is effective; and
includes effective arrangements for the management of risk.
The Regulations require accounting systems to include measures to ensure that risk is appropriately managed. Furthermore, the CIPFA/SOLACE governance framework “Delivering Good Governance in Local Government” outlines the need for risk management to be embedded into the culture of the organisation, with members and officers recognising that risk management is part of their jobs.
The requirement for an internal audit function is also contained in the Regulations which require the Council to:
“undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.”
The Council has delegated its responsibilities for internal audit to the Head of Resources & Transformation and Section 151 Officer.
Definition of Internal Auditing
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
The key word in the definition is assurance. The role of audit is not to identify or investigate alleged irregularities; it is to primarily provide reasonable assurance to the organisation (managers, heads of services and the Audit and Standards Committee) and ultimately the taxpayers that the Authority maintains an effective control environment that enables it to manage its significant business risks. We do this by providing risk based and objective assurance, advice and insight. The assurance work culminates in an annual opinion on the adequacy of the Authority’s control environment which feeds into the Annual Governance Statement.
Vision, purpose and values
As a modern, effective Internal Audit service, our aspirations are to:-
Act as a catalyst for improvement at the heart of the organisation;
Influence and promote the ethics, behaviour and standards of the organisation;
Provide an independent and objective opinion on the adequacy of each customer’s arrangements to manage risk;
Develop a risk aware culture that enables customers to make informed decisions;
Be forward thinking;
Continually improve the quality of our services.
A key driver of this strategy is the need to meet all our customers’ needs. Our customers will continue to be affected by a variety of local and national issues:-
Increased growth in partnerships;
Ever increasing use of technology to deliver services;
Flexible working arrangements to make more effective use of accommodation;
The introduction of new ways for customers and the public to access services; and
Pressure to reduce costs while improving quality/effectiveness.
To deliver on our vision we will:-
Continue to develop our staff to ensure we are fully equipped to respond to our customers’ demands;
Continue to invest in modern technology to improve efficiency and effectiveness;
Add value and make best use of our resources by focussing on key risks facing our customers;
Increasingly work in partnership with clients to improve controls and performance generally. We must add value and help deliver innovations in service delivery;
Continue to buy in specialist help where necessary.
By embracing these challenges we will be a vital component of the Council’s success.
Workplan 2020/2021
The focus of our work is primarily on the high risk areas as contained in the Council’s risk registers and key corporate processes underpinning the control and governance of the Council. Corporate audits of this nature are a more effective use of limited resources and are key to providing the appropriate assurance to the Council.
Figure 1: Key corporate processes
Sound corporate governance means doing the right thing, at the right time, in the right way, for the right people, and depends upon:
Financial management
HR policies and processes
Performance management
Programme and project management
Effective scrutiny
Complying with legislation
Commissioning and procurement
Contract Management
Business planning
Open and transparent decision making
Managing partnerships
To ensure the best use of limited audit resources, audit work needs to be carefully planned. The plan is developed in consultation with senior managers and takes account of the Council’s aims, strategies, key objectives, associated risks, and risk management processes. It also takes into account those topics which have not recently been audited or which feature in the Council’s risk register or which, when last audited, received a low opinion. In addition, auditors regularly attend various professional networking meetings which highlight the wider issues affecting public sector internal audit, and which need to be reflected in the programme of work.
In line with the Council’s objectives, auditors will pay particular attention to providing advice and insight concerning instances of over-control and on streamlining processes.
To minimise duplication and make the best use of limited resources, we aim to rely on work undertaken by other assurance providers rather than undertake our own detailed checks. If these arrangements are sound, future audit work on the topics covered can be limited.
Although our roles and responsibilities are different, the service liaises closely with the Council’s external auditors.
The majority of the audit plan will be provided by the Internal Audit Service of Warwickshire County Council but external parties may be employed to provide support in specialist areas, for example IT Audit, and to cope with peaks in demand.
Our approach for 2020/2021
As in previous years, the plan covers one year. This is accepted best professional practice. The focus of our work continues to be primarily on the high risk areas, key change programmes and key corporate processes. Audits of this nature are a more effective use of limited resources and are key to providing the appropriate assurance to the Council that its overall governance arrangements remain effective.
Based upon the discussions to date and our professional judgement, an indicative priority has been allocated to each potential topic. The Council’s strategic risks and the key planned work to provide assurance on these risks are shown in Annex 1. Annex 2 shows those topics that we are planning to audit together with an illustrative list of topics that we are not planning to audit, based upon the existing level of resources. Demonstrating the assurances planned on each strategic risk and being transparent about auditable topics that cannot be audited are key requirements of internal audit professional standards. In developing the list of planned topics, we have taken into account existing management processes and oversight by support functions such as Finance, HR and Legal. This approach will continue to be further refined in future plans.
There will inevitably be circumstances where the Internal Audit Manager will have to amend the programme, for example, when risks change or a specific project becomes a matter of priority. There may be cases where individual lower priority audits have to be rescheduled because of competing priorities. In-year changes to the plan to reflect such changes are accepted as best practice. The plan will, therefore, be continually reviewed throughout the year to ensure it remains relevant. Changes will be reported to the Audit and Standards Committee and discussed at the regular liaison meetings with the Head of Resources & Transformation and Section 151 Officer.
We adopt a pro-active approach to new initiatives and systems changes. This is because it is more constructive for us to advise on the design of processes during the currency of a change project rather than to identify problems after the event when often it is too late to make a difference. Our general approach on new systems/initiatives is, therefore, to:-
provide advice on the design of processes and controls; and
undertake, shortly after the new processes become live, an audit to provide assurance that operation of the revised / new system is sound.
The Council is fortunate in not having a large number of irregularities. Specific provision has not, therefore, been included in the plan for investigations. Should an investigation be required, it will replace a planned job, unless the Council commissions extra days. Note that the service is not responsible for investigating fraudulent benefit claims.
Although internal auditors consider value-for-money issues where relevant during risk based audits, specific value-for-money audits are not usually undertaken and none have been included in this year’s plan.
Quality Assurance and Improvement Programme
The PSIAS require the Internal Audit Manager to develop and maintain a quality assurance and improvement programme (QAIP) covering all aspects of the internal audit activity.
The QAIP includes internal assessments, periodic self-assessments and external assessments. It is not only designed to assess the efficiency and effectiveness of Internal Audits, but also to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the PSIAS and an evaluation of whether internal auditors apply the Code of Ethics. As part of this we have an Audit Manual based on accepted professional practice which, as well as being compliant with the PSIAS, builds quality into every stage of the audit process. A summary of the QAIP is shown in Annex 3.
Paul Clarke, Internal Audit Manager
David Ashley, Engagement Manager
March 2020
Annex 1
Strategic Risks

| Risk | Net Risk Score | Summary of past internal audit coverage | Responsible Manager | Planned Assignments |
|---|---|---|---|---|
| Financial Sustainability | 8 | Strategic, financial & business planning (Budget Process): 2017/18 – Substantial. Procurement: 2018/19 – Limited. Contract Management: 2018/19 – Substantial. Debtors: 2018/19 – Moderate. Creditors: 2018/19 – Substantial. Strategic, financial & business planning: 2019/20 – Advisory. Procurement: 2019/20 – Advisory. Insurance: 2019/20 – Substantial. Economic Growth inc. Capital Expenditure: 2019/20 – In Progress. IT – PCIDSS Compliance: 2019/20 – In Progress. Bank Rec: 2019/20 – In Progress. Payroll: 2019/20 – Full. Treasury Management: 2019/20 – Substantial. Council Tax: 2019/20 – Substantial. | Head of Resources & Transformation and S151 Officer | Procurement; Vehicle parking; VAT; General Ledger |
| Welfare reforms combined with planned reductions/budget pressures in social care, health and community safety provision by other agencies impact on the most vulnerable members of the Community. | 6 | Homelessness: 2016/17 – Moderate. Empty Homes: 2016/17 – Moderate. Community Safety: 2018/19 – Full. CCTV: 2018/19 – Substantial. Surveillance Devices: 2018/19 – Moderate. Homelessness and Temporary Accommodation: 2019/20 – Substantial. | Head of Customer Services | Housing Benefits |
| Unable to optimise economic growth in the District. | 9 | Economic development & tourism: 2017/18 – Substantial. Economic Growth inc. Capital Expenditure: 2019/20 – In Progress. | Deputy Chief Executive | NNDR |
| Inability to progress the Core Strategy and future updates which meet statutory targets and assessed infrastructure needs, including affordable housing. | 8 | Planning (Development Control): 2017/18 – Substantial. CIL: 2018/19 – Substantial. Building Control: 2019/20 – Substantial. | Deputy Chief Executive / Head of Regulatory Services | New Land Charges System; S106 |
| Safeguarding Children and Vulnerable Adults - inability to take action to avoid abuse, injury or death. | 8 | Safeguarding: 2016/17 – Substantial. Licensing: 2017/18 – Moderate. Safeguarding: 2019/20 – Substantial. | Chief Executive | Licensing |
| Inability to respond to an Emergency facing our communities | 8 | Emergency Planning: 2017/18 – Moderate. | Head of Regulatory Services | Emergency Planning |
| Inability to maintain services following an event | 8 | Business Continuity: 2015/16 – Limited. Business Continuity: 2017/18 – Limited. Business Continuity: 2018/19 – Substantial. IT Disaster Recovery: 2018/19 – In Progress. | Head of Customer Services | |
| Failure to meet the Health & Wellbeing needs of residents | 9 | Health and wellbeing: 2014/15 – Substantial. Environmental Health: 2018/19 – Substantial. | Head of Customer Services / Head of Regulatory Services | |
| Gaps in statutory compliance and/or operational weaknesses in Information Governance | 6 | Information Governance: 2014/15 – Substantial. Information Governance (GDPR): 2018/19 – Substantial. IT – Remote access and mobile devices: 2018/19 – Substantial. IT – GDPR: 2019/20 – Moderate. | Head of Law & Governance | Complaints Process; Consultation Process |
| Delays in fully implementing a new Land Charges system and implementing required changes | 12 | 2019/20 – Advice | Head of Law & Governance | New Land Charges System |
| BREXIT – managing uncertainty about impact and outcomes | 8 | None. | Chief Executive | |
Annex 2
Workplan 2020/2021
1. Planned Work

| Service | Topic | Potential control / governance issue | Proposed Audit Coverage | Indicative timing (Qtr) |
|---|---|---|---|---|
| Chief Executive | Complaint Process | Reputation | Review arrangements, including: Governance; Communication; Independence; Appeals Process/Ombudsman | 2 |
| | Consultation Process | Reputation | Review arrangements, including: Governance; Communication; Data and Findings | 1 |
| Deputy Chief Executive | Climate Emergency | Reputation | The Council has declared a ‘Climate Emergency’ with an aim to be carbon-neutral by 2030. Internal Audit to provide independent advice on the response as it is developed. | 1-4 |
| Community and Operational Services | Vehicle Parking | Previous Limited Opinion | Assurance that issues identified in previous Limited Opinion audit have been satisfactorily addressed and changes are embedded and processes are now operating efficiently and effectively. | 3 |
| | Waste | Key contract. | Review arrangements, including: Performance monitoring and reporting; Appropriate action is taken to address poor performance; Payments to contractor are only made in accordance with the contract; Re-tendering Arrangements | 1 |
| Customer Services | NNDR | Key system. | Review arrangements, including: Income collection; Reconciliations; Appeals; Refunds; Write-offs; Shared Service provision; Reliefs and Exemptions | 2 |
| | Housing Benefits | Key system. | Review arrangements, including: Verification of new applications and change of circumstances; The payments process; Overpayments, classifications and recovery; and Data validation, quality and performance management processes. | 3 |
| Law & Governance | Land Charges¹ | Significant change to a high profile system. Issues with implementing the new system. | Assurance that new system and processes are embedded and operating efficiently and effectively, including security model, speed of response to requests and reconciliations. Ongoing advice on risk and control implications of the changed processes. | 2 |
| Regulatory Services | Emergency planning | Legislative requirements | Review arrangements, including: Strategy; Resources; Communications | 4 |
| | Licensing | Regulatory and welfare arrangements. | Review arrangements, including: Income collection and reconciliations; Performance monitoring and reporting; Adherence to legislation and national guidance | 2 |
| | s.106 | Key System | Review arrangements, including: Income collection; Administration of s.106 agreements incl. performance monitoring and tracking; Adherence to legislation and national guidance | 3 |
| Resources and Transformation | Corporate Property | Asset management strategy | Review of strategic assets. Implementation and adherence to legislation and good practice (CIPFA). | 3 |
| | General Ledger | Assurance over the integrity of the General Ledger system including Interfaces and Access controls. | Review of design and operation of controls including: interfaces with feeder systems; access controls; prompt, complete and accurate clearance of suspense and control accounts; a clear control framework has been set and this is being rigorously applied. | 2 |
| | IT Audits | | Cyber Security; Remote Working; Microsoft 365 | 1 - 4 |
| | Procurement | Key corporate process. Robust process essential to deliver value for money. | Assurance that issues identified in previous Limited Opinion audit have been satisfactorily addressed and changes are embedded and procurement processes are now operating efficiently and effectively. | 3 |
| | VAT | Key process. | Accuracy and completeness of returns. | 3 |

¹ The project is ongoing and so the timing may change.
In addition to the specific tasks outlined above a small allocation of time has been reserved for:
providing pro-active advice/consultancy on new initiatives and projects on the basis that this is a constructive and effective use of limited resources.
supporting the Senior Management Team in discharging their overall responsibility for risk management.
completing 2019/20 audits which have not been finalised as at 31 March 2020.
This plan is indicative and may need changing should priorities / risks change.
2. Illustration of auditable topics not planned for 2020/2021
In addition to the coverage of key risk areas discussed at Annex 1 the following medium and low risk topics are not planned for 2020/21. In prioritising these topics we have taken into account a range of factors including the results of previous audits, management requirements for assurance and links to strategic risks. Only audits completed in the last 4 years are shown.
| Topic | Priority | Last audited |
|---|---|---|
| Business Continuity | M | 2018/19 Substantial |
| CCTV | M | 2018/19 Substantial |
| Contract Management | M | 2018/19 Substantial |
| Creditors (inc P Cards) | M | 2018/19 Substantial |
| Data centre security | M | |
| Economic Development & Tourism | M | 2017/18 Substantial |
| Elections | M | |
| Environmental Health | M | 2018/19 Substantial |
| Freedom of information | M | 2017/18 Substantial |
| Gypsy & travellers | M | |
| HR | M | 2017/18 Substantial |
| Information Governance | M | 2018/19 Substantial |
| IT – Disaster Recovery | M | 2018/19 Moderate |
| Leisure | M | 2016/17 Substantial |
| Partnerships | M | |
| Performance management | M | 2017/18 Substantial |
| Planning (Community Infrastructure Levy) | M | 2018/19 Substantial |
| Risk Management | M | 2018/19 Moderate |
| Surveillance Devices | M | 2018/19 Moderate |
| Communications / media | L | |
| Community Safety | L | 2018/19 Full |
| Consultants | L | |
| Contact centre | L | |
| Health & safety | L | |
| Investment management | L | |
| IT - Database security & administration | L | 2017/18 Substantial |
| IT - Development | L | 2015/16 Substantial |
| IT change management | L | 2014/15 Substantial |
| IT Software licensing | L | |
| IT - User access | L | |
| Learning, development & training | L | |
| Legal services | L | |
| Markets | L | |
| Members allowances | L | 2014/15 No Opinion Given |
| Pest control | L | |
| Programme / project management | L | 2015/16 Moderate |
| Streetscene | L | |
Annex 3
QAIP