Annex A
1.1 The full role and scope of the Council’s Internal Audit Service is set out within the Internal Audit Charter and Terms of Reference (attached as Appendix B).
1.2 The mission of Internal Audit, as defined by the Chartered Institute of Internal Auditors (CIIA), is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight. Internal Audit is defined as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
1.3 The organisation’s response to internal audit activity should lead to a strengthening of the control environment, thus contributing to the overall achievement of organisational objectives.
2. Risk Assessment and Audit Planning
2.1 East Sussex County Council’s Internal Audit Strategy and Annual Audit Plan is updated annually and is based on a number of factors, especially management’s assessment of risk (including that set out within the strategic and departmental risk registers) and our own risk assessment of the Council’s major systems and other auditable areas. This allows us to prioritise those areas to be included within the audit plan on the basis of risk.
2.2 The annual planning process has once again involved consultation with a range of stakeholders to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered. In order to ensure that the most effective use is made of available resources, to avoid duplication and to minimise service disruption, efforts will continue to be made to identify, and where possible, rely upon, other sources of assurance available. The following diagram sets out the various sources of information used to inform our 2023/24 audit planning process:
2.3 Through this process, we have been able to identify key areas for audit activity in 2023/24, including strategic risks and issues, key priority projects and programmes, priority service reviews, key financial systems, and grant claims. The remainder of the direct audit days are earmarked as emerging risks/contingency which enables us to respond to the rapidly changing risk landscape across the Authority.
2.4 In order to ensure audit and assurance activity is properly focussed on supporting the delivery of the Council’s priorities, the audit plan has taken into account the key corporate priority outcomes of the Council as set out within the Council Plan. These are:
· Helping people help themselves;
· Keeping vulnerable people safe;
· Driving sustainable economic growth; and
· Making best use of resources in the short and long term.
2.5 In producing the audit plan (which is set out in Appendix A to this report) the following key principles continue to be applied:
· Key financial systems are subject to a cyclical programme of audits covering, as a minimum, compliance against key controls;
· Previous reviews which resulted in ‘minimal assurance’ or ‘partial assurance’ audit opinions will be subject to a specific follow-up review to assess the effective implementation by management of agreed actions; and
· Any reviews which we were unable to deliver during the previous financial year will be considered once again as part of our audit planning risk assessment, and prioritised as appropriate.
2.6 It should be noted that the 2023/24 audit plan is more flexible than ever before. This is in part due to uncertainties over the timing of the go-live of the new ERP system, and also because of the changing nature of the risk landscape across the public sector. Given the likelihood of the plan needing to flex within the year ahead we have identified, at the end of Appendix A, a number of additional audit assignments that may, on a risk-prioritised basis, be drawn into our workload if planned audits are postponed or cancelled.
2.7 In addition, formal action tracking arrangements are in place to monitor the implementation by management of all individual high-priority agreed actions, with the results of this work reported to CMT and the Audit Committee on a quarterly basis.
2.8 Since 2018, East Sussex County Council, Surrey County Council and Brighton and Hove City Council have been working together to establish and develop the Orbis Internal Audit Partnership. In doing this, we are able to deliver high-quality and cost-effective assurance services to each partner, drawing upon the wide range of skills and experience from across the various teams. The size and scale of the partnership have also enabled us to invest in specialist IT Audit and Counter Fraud services, to the benefit of each partner council and external fee-paying client.
3. Key Issues
3.1 In times of significant transformation, organisations must both manage change effectively and ensure that core controls remain in place. In order to respond to the continued reduction in financial resources and the increased demand for services, the Council needs to consider some radical changes to its service offer in many areas.
3.2 Internal Audit must therefore be in a position to give an opinion and assurance that covers the control environment in relation to both existing systems and these new developments. It is also essential that this work is undertaken in a flexible and supportive manner, in conjunction with management, to ensure that both risks and opportunities are properly considered. During 2023/24, a number of major organisational initiatives and/or risks will feature within the audit plan, with the intention that Internal Audit is able to provide proactive advice, support and assurance as these programmes progress. These include:
· Modernising Back Office Systems (MBOS) programme (SAP replacement)
· Adult Social Care and Health – Regulatory Changes
· Workforce Capacity and Working Arrangements
· Managing Service Demand
· Supplier Failure
· Ukraine Funding
· Health and Safety
· Highways Maintenance Contract Management
· Recovery and Resilience (including Cyber Security) Arrangements
3.3 As explained previously, in recognition of current uncertainties and that in some cases, sufficient information regarding the full extent of future changes and associated risks may not yet be known, the 2023/24 audit plan will, as in previous years, include a proportion of time classified as ‘Emerging Risks’. This approach has been adopted to enable Internal Audit to react appropriately throughout the year as new risks materialise and to ensure that expertise in governance, risk and internal control can be utilised early in the change process.
3.4 In view of the above, Internal Audit will continue to work closely with senior management and Members throughout the year to identify any new risks and to agree how and where audit resources can be utilised to best effect.
3.5 Other priority areas identified for inclusion within the audit plan include:
· Procurement Regulatory Changes
· Property Services Programme Management
· Adult Social Care Debt Management and Recovery
· Schools
· Children’s Services Quality Assurance Framework
3.6 The results of all audit work undertaken will be summarised within quarterly update reports to CMT and the Audit Committee, along with any common themes and findings arising from our work.
4. Counter Fraud
4.1 Managing the risk of fraud and corruption is the responsibility of management. Internal Audit will, however, be alert in all its work to risks and exposures that could allow fraud or corruption and will investigate allegations of fraud and corruption in line with the Council’s Anti-Fraud and Corruption Strategy.
4.2 The Chief Internal Auditor should be informed of all suspected or detected fraud, corruption or irregularity in order to consider the adequacy of the relevant controls and evaluate the implication for their opinion on the control environment.
4.3 In addition, Internal Audit will promote an anti-fraud and corruption culture within the Council to aid the prevention and detection of fraud. Through the work of the Counter Fraud Team, Internal Audit will maintain a fraud risk assessment and deliver a programme of proactive and reactive counter fraud services to help ensure that the Council continues to protect its services from fraud loss. This will include leading on the National Fraud Initiative data matching exercise on behalf of the Council.
5. Matching Audit Needs to Resources
5.1 The overall aim of the Internal Audit Strategy is to allocate available internal audit resources so as to focus on the highest risk areas and to enable an annual opinion to be given on the adequacy and effectiveness of the Council’s governance, risk and control framework.
5.2 In addition to this, resources have been allocated to the external bodies for whom Orbis Internal Audit also provide internal audit services, at an appropriate charge. These include Horsham District Council, Elmbridge District Council, East Sussex Fire Authority and South Downs National Park.
5.3 Internal audit activities will be delivered by a range of staff from across the Orbis Internal Audit Service, maximising the value from a wide range of skills and experience available. In the small number of instances where sufficient expertise is not available from within the team, mainly in highly technical or specialist areas, the option of engaging externally provided specialist resources will continue to be considered.
5.4 The following table summarises the level of audit resources expected to be available for the Council in 2023/24 (expressed in days), compared to the equivalent number of planned days in previous years. As can be seen, there is a slight reduction in the number of planned days from 2022/23 to reflect current recruitment challenges. We see this as a temporary adjustment to ensure prudent planning in 2023/24. It is not a reflection of any change in risk profile of the organisation and we anticipate resource levels returning to previous levels in future years. In the meantime, wherever possible, we will look to source additional capacity from outside of the service. It should also be noted that part of the reduction in days relates to reduced pension fund coverage (from 100 to 75 days) as agreed with the Chief Finance Officer. Despite the minor reduction, the overall level of planned resource continues to be considered sufficient to allow Internal Audit to deliver its risk-based plan in accordance with professional standards[1] and to enable the Chief Internal Auditor to provide his annual audit opinion.
Table 1: Annual Internal Audit Plan – Plan Days
| | 2020/21 | 2021/22 | 2022/23 | 2023/24 |
|---|---|---|---|---|
| ESCC Audit Plan Days | 1,350 | 1,495 | 1,495 | 1,445 |
| East Sussex Pension Fund Plan Days | 100 | 100 | 100 | 75 |
| Total | 1,450 | 1,595 | 1,595 | 1,520 |
6. Audit Approach
6.1 The approach of Internal Audit is to use risk-based reviews, supplemented in some areas by the use of compliance audits and themed reviews. All audits have regard to management’s arrangements for:
· Achievement of the organisation’s objectives;
· Reliability and integrity of financial and operational information;
· Effectiveness and efficiency of operations and programmes;
· Safeguarding of assets; and
· Compliance with laws, regulations, policies, procedures and contracts.
6.2 In addition to these audits, and the advice on controls given on specific development areas which are separately identified within the plan, there are a number of generic areas where there are increasing demands upon Internal Audit, some of which cannot be planned in advance. For this reason, time is built into the plan to cover the following:
· Contingency – an allowance of days to provide capacity for unplanned work, including special audits and management investigations. This contingency also allows for the completion of work in progress from the 2022/23 plan;
· Advice, Management, Liaison and Planning – an allowance to cover provision of ad hoc advice on risk, audit and control issues, audit planning and annual reporting, ongoing liaison with service management and Members, and audit management time in support of the delivery of all audit work, planned and unplanned.
6.3 In delivering this strategy and plan, we will ensure that liaison has taken place with the Council’s external auditors, Grant Thornton, to ensure that the use of audit resources is maximised, duplication of work is avoided, and statutory requirements are met.
7. Training and Development
7.1 The effectiveness of the Internal Audit Service depends significantly on the quality, training and experience of its staff. Training needs of individual staff members are identified through a formal performance and development process and are delivered and monitored through on-going management supervision.
7.2 The team is also committed to coaching and mentoring its staff, and to providing opportunities for appropriate professional development. This is reflected in the high proportion of staff holding a professional internal audit or accountancy qualification as well as numerous members of the team continuing with professional training during 2023/24.
8. Quality and Performance
8.1 With effect from 1 April 2013, all of the relevant internal audit standard setting bodies, including CIPFA, adopted a common set of Public Sector Internal Audit Standards (PSIAS). These are based on the Institute of Internal Auditors International Professional Practices Framework and replace the previous Code of Practice for Internal Audit in Local Government.
8.2 Included within the new Standards is the requirement for the organisation to define the terms ‘Board’ and ‘senior management’ in the context of audit activity. This has been set out within the Internal Audit Charter, which confirms the Audit Committee’s role as the Board.
8.3 The PSIAS require each internal audit service to maintain an ongoing quality assurance and improvement programme based on an annual self-assessment against the Standards, supplemented at least every five years by a full independent external assessment. The outcomes from these assessments, including any improvement actions arising, will be reported to the Audit Committee, usually as part of the annual internal audit report. The results of our latest external assessment, completed by the Chartered Institute of Internal Auditors (IIA) in autumn 2022, are being reported to Audit Committee in March 2023.
8.4 For clarity, the Standards specify that the following core principles underpin an effective internal audit service:
· Demonstrates integrity;
· Demonstrates competence and due professional care;
· Is objective and free from undue influence (independent);
· Aligns with the strategies, objectives, and risks of the organisation;
· Is appropriately positioned and adequately resourced;
· Demonstrates quality and continuous improvement;
· Communicates effectively;
· Provides risk-based assurance;
· Is insightful, proactive, and future-focused;
· Promotes organisational improvement.
8.5 In addition, the performance of Orbis Internal Audit continues to be measured against key service targets focussing on service quality, productivity and efficiency, compliance with professional standards, influence and our staff. These are all underpinned by appropriate key performance indicators as set out in Table 2 below.
8.6 At a detailed level, each audit assignment is monitored and customer feedback sought. There are also ongoing performance appraisals and supervision for all Internal Audit staff during the year to support them in achieving their personal targets.
8.7 In addition to the individual reports to management for each audit assignment, reports on key audit findings and the delivery of the audit plan are made to the Audit Committee on a quarterly basis. An Annual Internal Audit Opinion is also produced each year.
8.8 Whilst Orbis Internal Audit liaises closely with other internal audit services through the Sussex and Surrey audit and counter fraud groups, the Home Counties Chief Internal Auditors’ Group and the Local Authority Chief Auditors’ Network, we are continuing to develop joint working arrangements with other local authority audit teams to help improve resilience and make better use of our collective resources.
Table 2: Performance Indicators
| Aspect of Service | Orbis IA Performance Indicators | Target |
|---|---|---|
| Quality | | By end April |
| | | By end July. To inform Annual Governance Statement (AGS) |
| | | 90% satisfied |
| Productivity and Process Efficiency | | 90% |
| Compliance with Professional Standards | | Conforms |
| | | Conforms |
| Outcomes and degree of influence | | 97% for high priority actions |
| Our Staff | | 80% |
Orbis Chief Internal Auditor