Agenda item

Internal Audit Strategy and Annual Plan 2019/20

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk incorporating the Internal Audit Strategy and Annual Plan for 2019/20 was presented for the Committee’s consideration.

 

The Head of Audit and Risk reported on the main points as follows –

 

           That since April, 2017 the Internal Audit Service has adopted a fully risk-based approach to its work with further efficiencies having been achieved by also adopting lean audit which is a methodology based on Systems Thinking.

           That traditionally, auditing was mostly focused on evaluating the past and ensuring compliance. Compliance is Management’s responsibility with Internal Audit providing assurance on the appropriateness and effectiveness of the Council’s system of internal control as implemented by Management. Specifically, the Internal Audit Service will be providing global assurance to the Committee and senior management on the effectiveness of internal governance and risk processes and providing assurance in support of the Annual Governance Statement.

           That there are also other sources that can be used to provide assurance that risks are being effectively managed. The three lines of defence model (as described in the report) is a framework that can be used to bring these sources of assurance together and will give assurance to Members, sector regulators and external auditors that appropriate controls and processes are in place and are operating effectively. The Service’s new risk management software (4risk) provides a facility to record the various three lines of assurance in one place, which will be rolled out in 2019/20.

           That in order to provide a flexible approach and to take account of changes in the organisation and the risk environment, the Internal Audit Service has aligned its work with the corporate risk register and will meet with senior management to discuss their latest risks, concerns and requirements. In this way, the Service will be fully up to date with, and aware of, emerging issues and will be able to focus its resources in areas of greatest priority and risk.

           Therefore, instead of being a fixed annual plan, the Audit Plan for 2019/20 will change during the year following changes to the corporate risk register. As a result, the Strategy does not provide a definitive list of the projects that the Service will carry out during 2019/20 but provides the audits that the Council has identified as its main priorities currently as listed in Appendix A to the report.

           That in accordance with the agreed Internal Audit Charter, all risks/issues included within audit reports with Limited or No Assurance ratings (according to the definition of assurance ratings set out in Appendix B to the report) will be followed-up.

           A new shorter one-page report will aid a new bilingual reporting protocol, which will also for the first time enable the Service to provide final agreed internal audit reports to the Executive Portfolio Holders and members of this Committee thereby increasing transparency and accountability and improving the quality of assurance provided. Agreed action plans will be recorded in a separate operational document shared only between the Service and Internal Audit.

           The Service has in place a quality assurance and improvement programme to ensure continuing improvement of the Internal Audit Service. The Service will adopt a streamlined suite of performance measures as outlined in Appendix C to the report in order to determine the effectiveness of its work.

           That delivery of the strategy will enable the Head of Audit and Risk to fulfil the requirement to produce an annual internal audit opinion to support the Annual Governance Statement.

 

The Committee considered the report and made points as follows –

 

           The Committee noted that within the strategy, the focus of the Internal Audit Service’s work has shifted from ensuring compliance (ensuring that policies, processes or procedures are being implemented) to providing assurance (ensuring the appropriateness of policies, processes or procedures for the purpose of managing risk and meeting regulations). The Committee queried whether this expands the Internal Audit function.

 

The Head of Audit and Risk clarified that based on the Strategy, the Internal Audit Service will not seek to instruct Management on what to do but rather advise Management that what it may or may not be doing is exposing the Council to risk.

 

           The Committee noted that agreed action plans will be shared only between the service and Internal Audit meaning that the Committee will not have sight of them. The Committee queried whether this caveat restricts the ability of the Committee to exercise its oversight role in being sure that Management is responding to issues/risks raised in the right way at the right time.

 

The Head of Audit and Risk clarified that the action plans resulting from Limited or No Assurance reports will continue to be presented to the Audit Committee. For reviews where the Assurance rating is Reasonable, the risks identified are not likely to be significant enough to warrant their being brought to the Committee’s attention, the aim being to ensure that the Audit Committee gains an insight into the key sources of risks at the Council and how they are managed rather than presenting the Committee with each and every risk/action raised. The significance of a risk is determined by the Council’s risk appetite with every risk scored against the Council’s risk matrix. The risk is set at where the Council pitches its Red, Amber and Yellow risks. Areas where Red and Amber risks have been identified are likely to be the subject of a limited assurance audit report and will therefore be brought to the Committee. In accordance with the Council’s risk appetite, areas where the risks are Yellow or moderate do not need to be brought to the Committee’s attention.

 

           The Committee queried whether adopting a more strategic approach to managing risk makes the likelihood of a potential issue being missed greater.

 

The Head of Audit and Risk said that, being a small team, the Internal Audit Service needs to focus on the risks which the Council deems are the most significant and which, were they to materialise, would most likely affect the organisation’s achievement of its corporate objectives. The Council has determined that the risks contained within the Corporate Risk Register are the most important, hence the Internal Audit Service’s alignment of its work with the corporate risk register as being the most effective and focused way of ensuring those risks are managed. The Officer said that during 2019/20, the Service will also undertake a piece of work on fraud, specifically areas where the potential for fraud and/or irregularities is greatest. There are therefore several aspects to the Internal Audit Service’s approach to reviewing the effectiveness of the Council’s system for internal control, encompassing the corporate risk register, assessing the Council’s vulnerability to fraud as well as horizon scanning to see whether any emerging issues elsewhere could impact on the Council.

           The Committee noted that monitoring progress against a plan that is constantly changing is recognised as a challenge in the Strategy. The Committee sought clarification of whether the Service still intends to produce a forward programme of activity which will also detail the sequence in which reviews will take place, the reasoning being that a structured programme with timescales is more helpful to the Committee in terms of knowing what is being planned, when it will happen and when the Committee will know about it.

 

The Head of Audit and Risk said that the list of priority audit areas as presented takes account of the days available to the Service and that the list represents the sum of what the Service aims to achieve in the period. However, having regard to the fact that circumstances change and that new issues may emerge, areas of lesser priority may fall off the list. The Officer said that it is important that the list of priorities contains an element of flexibility, thereby allowing the Internal Audit Service the scope to respond to issues that may appear at short notice. The Internal Audit update report which the Committee receives quarterly will provide the target/actual date of reporting on each area to the Committee and whether this has been achieved.

 

           The Committee sought clarification of whether the move towards a risk-based audit approach will affect the Service’s productivity, in that the Service’s work is more likely to be reactive than planned, meaning that it will be breaking off from whatever assignment it is doing to respond to other things as they arise.

 

The Head of Audit and Risk said that the Service will not be spending valuable resources on planning reviews long in advance which, when the time comes, may not be carried out because they have been superseded by events or by other more important requirements. Whilst the Service is committed to undertaking and concluding a review that has been prepared for, the new agile way of working will enable it to question the scope of audits for their ongoing relevance.

 

It was resolved to approve the Internal Audit Strategy for 2019/20.

 

NO ADDITIONAL ACTION WAS PROPOSED.
