Annexe A
Internal Audit Strategy and
Annual Audit Plan 2022-2023
1. Role of Internal Audit
1.1 The full role and scope of the Council’s Internal Audit Service is set out within the Internal Audit Charter and Terms of Reference.
1.2 The mission of Internal Audit, as defined by the Chartered Institute of Internal Auditors (CIIA), is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight. Internal Audit is defined as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
1.3 The organisation’s response to internal audit activity should lead to a strengthening of the control environment, thus contributing to the overall achievement of organisational objectives.
2. Risk Assessment and Audit Planning
2.1 East Sussex County Council’s Internal Audit Strategy and Annual Audit Plan is updated annually and is based on a number of factors, especially management’s assessment of risk (including that set out within the strategic and departmental risk registers) and our own risk assessment of the Council’s major systems and other auditable areas. This allows us to prioritise those areas to be included within the audit plan on the basis of risk.
2.2 With the gradual return to business as usual, tempered by residual measures to counter the ongoing Covid 19 pandemic, our 2022/23 plan focuses primarily on the core assurance areas (such as key financial systems), the highest priority service reviews, grant claims and known key priority projects/programmes across the council. The remainder of the direct audit days are earmarked as emerging risks/contingency. Appropriate provision has also been made for counter fraud activities, which will continue in 2022/23 as normal. By continuing this approach, we will deliver the planned work on core assurance areas as well as adding audit activities to our plan throughout the year as new risks and priorities emerge. All of our work will be regularly and comprehensively reported to both the Corporate Management Team (CMT) and the Audit Committee, and will enable us to maximise our responsiveness and focus our resources on the most relevant and priority areas.
2.3 It is important to note that this planning strategy for the year ahead will not result in any reduced internal audit coverage for the Council. The approach is simply intending to help ensure we remain as reactive as possible to the rapidly changing risk landscape across the Authority in continuing unprecedented times.
2.4 The annual planning process has once again involved consultation with a range of stakeholders, to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered. In order to ensure that the most effective use is made of available resources, to avoid duplication and to minimise service disruption, efforts will continue to be made to identify, and where possible, rely upon, other sources of assurance available. The following diagram sets out the various sources of information used to inform our 2022/23 audit planning process:
2.5 In order to ensure audit and assurance activity is properly focussed on supporting the
delivery of the Council’s priorities, the audit plan has taken into account the key corporate priority outcomes of the Council as set out within the Council Plan. These are:
· Helping people help themselves;
· Keeping vulnerable people safe;
· Driving sustainable economic growth; and
· Making best use or resources.
2.6 In producing the audit plan (which is set out in Appendix A to this report) the following key principles continue to be applied:
· Key financial systems are subject to a cyclical programme of audits covering, as a minimum, compliance against key controls;
· Previous reviews which resulted in ‘minimal assurance’ or ‘partial assurance’ audit opinions will be subject to a specific follow-up review to assess the effective implementation by management of agreed actions; and
· Any reviews which we were unable to deliver during the previous financial year will be considered once again as part of our audit planning risk assessment, and prioritised as appropriate.
2.7 In addition, formal action tracking arrangements are in place to monitor the implementation by management of all individual high-priority agreed actions, with the results of this work reported to CMT and the Audit Committee on a quarterly basis.
2.8 Since 2018, East Sussex County Council, Surrey County Council and Brighton and Hove City Council have been working together to establish and develop the Orbis Internal Audit Partnership. In doing this, we are able to deliver high quality and cost effective assurance services to each partner, drawing upon the wide range of skills and experience from across the various teams. The size and scale of the partnership has also enabled us to invest in specialist IT Audit and Counter Fraud services, to the benefit of each partner council and external fee paying client.
3. Key Issues
3.1 In times of significant transformation, organisations must both manage change effectively and ensure that core controls remain in place. In order to respond to the continued reduction in financial resources and the increased demand for services, the Council needs to consider some radical changes to its service offer in many areas.
3.2 Internal Audit must therefore be in a position to give an opinion and assurance that covers the control environment in relation to both existing systems and these new developments. It is also essential that this work is undertaken in a flexible and supportive manner, in conjunction with management, to ensure that both risks and opportunities are properly considered. During 2022/23, a number of major organisational initiatives will feature within the audit plan, with the intention that Internal Audit is able to provide proactive advice, support and assurance as these programmes progress. These include:
· Modernising Back Office Systems (MBOS) programme (SAP replacement)
· Climate Change/Carbon Reduction
· Adult Social Care Reform
· Children’s ‘Edge of Care’
· Highways Contract Reprocurement
· UK Community Renewal Fund / UK Shared Prosperity Fund
3.3 As explained previously, in recognition of current uncertainties and that in some cases, sufficient information regarding the full extent of future changes and associated risks may not yet be known, the 2022/23 audit plan will, as in previous years, include a proportion of time classified as ‘Emerging Risks’. This approach has been adopted to enable Internal Audit to react appropriately throughout the year as new risks materialise and to ensure that expertise in governance, risk and internal control can be utilised early in the change process.
3.4 In view of the above, Internal Audit will continue to work closely with senior management and Members throughout the year to identify any new risks and to agree how and where audit resources can be utilised to best effect.
3.5 Other priority areas identified for inclusion within the audit plan include:
· Contract Management
· Use of Consultants
· Health and Safety
· Home to School Transport
· Elective Home Education
· Waste Management
· External Funding, Grants and Loans
3.6 The results of all audit work undertaken will be summarised within quarterly update reports to CMT and the Audit Committee, along with any common themes and findings arising from our work.
4. Counter Fraud
4.1 Managing the risk of fraud and corruption is the responsibility of management. Internal Audit will, however, be alert in all its work to risks and exposures that could allow fraud or corruption and will investigate allegations of fraud and corruption in line with the Council’s Anti-Fraud and Corruption Strategy.
4.2 The Chief Internal Auditor should be informed of all suspected or detected fraud, corruption or irregularity in order to consider the adequacy of the relevant controls and evaluate the implication for their opinion on the control environment.
4.3 In addition, Internal Audit will promote an anti-fraud and corruption culture within the Council to aid the prevention and detection of fraud. Through the work of the Counter Fraud Team, Internal Audit will maintain a fraud risk assessment and deliver a programme of proactive and reactive counter fraud services to help ensure that the Council continues to protect its services from fraud loss. This will include leading on the National Fraud Initiative data matching exercise on behalf of the Council.
5. Matching Audit Needs to Resources
5.1 The overall aim of the Internal Audit Strategy is to allocate available internal audit resources so as to focus on the highest risk areas and to enable an annual opinion to be given on the adequacy and effectiveness of the Council’s governance, risk and control framework.
5.2 In addition to this, resources have been allocated to the external bodies for whom Orbis Internal Audit also provide internal audit services, at an appropriate charge. These include Horsham District Council, Elmbridge District Council, East Sussex Fire Authority and South Downs National Park.
5.3 Internal audit activities will be delivered by a range of staff from across the Orbis Internal Audit Service, maximising the value from a wide range of skills and experience available. In the small number of instances where sufficient expertise is not available from within the team, mainly in highly technical or specialist areas, the option of engaging externally provided specialist resources will continue to be considered.
5.4 The following table summarises the level of audit resources expected to be available for the Council in 2022/23 (expressed in days), compared to the equivalent number of planned days in previous years. As can be seen, the overall level of resource is comparable with the previous year but remains dependent on our continued ability to recruit and retain high calibre staff (see Section 7 below). This level of resource continues to be considered sufficient to allow Internal Audit to deliver its risk-based plan in accordance with professional standards[1] and to enable the Chief Internal Auditor to provide his annual audit opinion.
Table 1: Annual Internal Audit Plan – Plan Days
|
|
2019/20 |
2020/21 |
2021/22 |
2022/23 |
|
Plan Days |
1,400 |
1,450 |
1,595 |
1,595 |
6. Audit Approach
6.1 The approach of Internal Audit is to use risk-based reviews, supplemented in some areas by the use of compliance audits and themed reviews. All audits have regard to management’s arrangements for:
· Achievement of the organisation’s objectives;
· Reliability and integrity of financial and operational information;
· Effectiveness and efficiency of operations and programmes;
· Safeguarding of assets; and
· Compliance with laws, regulations, policies, procedures and contracts.
6.2 In addition to these audits, and the advice on controls given on specific development areas which are separately identified within the plan, there are a number of generic areas where there are increasing demands upon Internal Audit, some of which cannot be planned in advance. For this reason, time is built into the plan to cover the following:
· Contingency – an allowance of days to provide capacity for unplanned work, including special audits and management investigations. This contingency also allows for the completion of work in progress from the 2021/22 plan;
· Advice, Management, Liaison and Planning - an allowance to cover provision of ad hoc advice on risk, audit and control issues, audit planning and annual reporting, ongoing liaison with service management and Members, and audit management time in support of the delivery of all audit work, planned and unplanned.
6.3 In delivering this strategy and plan, we will ensure that liaison has taken place with the Council’s external auditors, Grant Thornton, to ensure that the use of audit resources is maximised, duplication of work is avoided, and statutory requirements are met.
7. Training and Development
7.1 The effectiveness of the Internal Audit Service depends significantly on the quality, training and experience of its staff. Training needs of individual staff members are identified through a formal performance and development process and are delivered and monitored through on-going management supervision.
7.2 The team is also committed to coaching and mentoring its staff, and to providing opportunities for appropriate professional development. This is reflected in the high proportion of staff holding a professional internal audit or accountancy qualification as well as numerous members of the team continuing with professional training during 2022/23.
8. Quality and Performance
8.1 With effect from 1 April 2013, all of the relevant internal audit standard setting bodies, including CIPFA, adopted a common set of Public Sector Internal Audit Standards (PSIAS). These are based on the Institute of Internal Auditors International Professional Practices Framework and replace the previous Code of Practice for Internal Audit in Local Government.
8.2 Included within the new Standards is the requirement for the organisation to define the terms ‘Board’ and ‘senior management’ in the context of audit activity. This has been set out within the Internal Audit Charter, which confirms the Audit Committee’s role as the Board.
8.3 The PSIAS require each internal audit service to maintain an ongoing quality assurance and improvement programme based on an annual self-assessment against the Standards, supplemented at least every five years by a full independent external assessment. The outcomes from these assessments, including any improvement actions arising, will be reported to the Audit Committee, usually as part of the annual internal audit report. For clarity, the Standards specify that the following core principles underpin an effective internal audit service:
· Demonstrates integrity;
· Demonstrates competence and due professional care;
· Is objective and free from undue influence (independent);
· Aligns with the strategies, objectives, and risks of the organisation;
· Is appropriately positioned and adequately resourced;
· Demonstrates quality and continuous improvement;
· Communicates effectively;
· Provides risk-based assurance;
· Is insightful, proactive, and future-focused;
· Promotes organisational improvement.
8.4 In addition, the performance of Orbis Internal Audit continues to be measured against key service targets focussing on service quality, productivity and efficiency, compliance with professional standards, influence and our staff. These are all underpinned by appropriate key performance indicators as set out in Table 2 below.
8.5 At a detailed level, each audit assignment is monitored and customer feedback sought. There is also ongoing performance appraisals and supervision for all Internal Audit staff during the year to support them in achieving their personal targets.
8.6 In addition to the individual reports to management for each audit assignment, reports on key audit findings and the delivery of the audit plan are made to the Audit Committee on a quarterly basis. An Annual Internal Audit Opinion is also produced each year.
8.7 Whilst Orbis Internal Audit liaises closely with other internal audit services through the Sussex and Surrey audit and counter fraud groups, the Home Counties Chief Internal Auditors’ Group and the Local Authority Chief Auditors’ Network, we are continuing to develop joint working arrangements with other local authority audit teams to help improve resilience and make better use of our collective resources.
Table 2: Performance Indicators
|
Aspect of Service |
Orbis IA Performance Indicators |
Target |
|
Quality |
|
By end April
To inform Annual Governance Statement (AGS)
90% satisfied |
|
Productivity and Process Efficiency |
|
90% |
|
Compliance with Professional Standards
|
|
Conforms
Conforms |
|
Outcomes and degree of influence |
|
95% for high priority |
|
Our Staff |
|
80% |
Russell Banks
Orbis Chief Internal Auditor