Agenda item

To present the external assessment report in relation to the Isle of Anglesey Internal Audit Service together with an associated Action Plan.

The report of the Head of Audit and Risk incorporating the results of the external assessment of the Isle of Anglesey County Council’s Internal Audit Service along with an Action Plan to respond to the areas for improvement identified was presented for the Committee’s consideration.

The Head of Audit and Risk reported that the PSIAS require the chief audit executive to develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity. The quality assurance and improvement programme must include both internal and external assessments. The assessment must be conducted at least once every five years by a qualified independent reviewer from outside the organisation, either by a full external assessment or a self-assessment validated by an external reviewer. The Welsh Chief Auditors Group (WCAG) has collaborated to undertake a peer review approach to the external assessment with a self-assessment validated by an external reviewer. Denbighshire County Council’s Head of Internal Audit was nominated by WCAG to undertake the assessment of the Isle of Anglesey County Council’s Internal Audit Service and this was carried out in March, 2017.

The Officer said that whilst the results of the external assessment as conducted by Denbighshire’s Head of Internal Audit documented under Appendix A to the report, provides assurance that Anglesey’s Internal Audit service generally conforms with the Standards, the external assessor  highlights three areas where conformance is partial and raises seven areas for improvement. Most notable is the absence of an audit assurance framework to ensure that Internal Audit’s work focuses on key areas. The Internal Audit Service will undertake a complete review of the service’s approach and practices in the current financial year with a view to having an assurance framework in place in 2018/19.In addition notwithstanding it was fully compliant at the time of the external assessment, the chief audit executive’s additional responsibilities for risk management and insurance as from April, 2017 has jeopardised continued compliance with Standard 1100 in relation to the independence and objectivity of the audit function. However, the PSIAS have also been revised with effect from April, 2017.  Standard 1112 in respect of Chief Audit Executive Roles Beyond Internal Auditing now recognises that chief audit executives may have operational responsibilities other than for internal audit. The Internal Audit Charter will be updated to reflect the new arrangements and the revised version will be presented to the Committee in September, 2017.

The Officer confirmed that an Action Plan has been developed to address the areas of partial conformance and those areas identified for improvement and this is appended to the external assessment report. The intention is that for the future the Audit Plan will be risk assessed continually so that only areas of high risk will be audited meaning that areas of low risk, and with them the occurrence of slippage should taper off .

The Committee considered the information presented and it raised the following points -

•           The Committee sought clarification of whether similar standards would be applied to internal audit reports particularly in relation to the implementation of recommendations. The Head of Audit and Risk confirmed that she would reviewing the whole audit approach during the year to include reporting arrangements. The Officer said that performance standards need to be meaningful and that she would consult with the Committee about its expectations and requirements for performance reporting so that it can be assured about the effectiveness of the Internal Audit service in monitoring the adequacy of the Council’s system of internal control.

•           The Committee noted that as part of the review of Internal Audit, the audit approach would be focussed on identified high risk areas with the result that areas of lower risk would drop off the Audit Plan. The Committee sought clarification of whether there was a danger inherent in this strategy that unreviewed lower risk areas could generate high risks and it asked about the steps being taken to mitigate against this possibility. The Head of Audit and Risk said that in the Assurance Mapping Framework which is designed to identify what assurance is provided and from where that has been obtained, time is a key factor in the sense that the longer an area goes without review, the riskier it becomes. Low risk areas will be picked up eventually because over time they will automatically become higher risk by virtue of not having been reviewed.  There are a number of criteria in the risk assessment and Assurance Mapping Framework that are used to establish what areas require audit coverage at the time and this will be updated continually.

•           The Committee sought clarification of Internal Audit’s approach to fraud and the safeguards it has in place to minimise the risk of losses from fraud. The Head of Audit and Risk said that the Council is a member of the National Fraud Network through which it is alerted to potential acts of fraud. The Council has good relationship with other local authorities with which it conducts meetings to discuss any emerging risks. The Council is also a member of CIPFA. Maintaining these contacts means that the Council is kept well briefed about the risks affecting the sector and this information feeds into the assurance mapping framework thereby enabling timely action to be taken if and when required.

The Performance Audit Manager, WAO said that the nature of fraud risk is changing. Technological developments and the increasing digitisation of services means that organisations that conduct business electronically including councils, are more exposed to the risk of fraud and the losses arising from fraud. However, the Wales Audit Office does pass on to local authority Audit Services any intelligence it has on potential sources of fraud.

It was resolved to accept and to note the results of the external assessment of the Internal Audit Service and the Head of Audit and Risk’s Action Plan developed to address the improvement areas identified.

NO FURTHER ACTIONS ENSUING