Joint Audit and Governance Committee |
|
|
|
|
|
Report of Internal Audit Manager Author: Victoria Dorman-Smith E-mail: victoria.dorman-smith@southandvale.gov.uk SODC cabinet member responsible: Councillor Leigh Rawlins Tel: 01189 722565 E-mail: leigh.rawlins@southoxon.gov.uk VWHDC cabinet member responsible: Councillor Andy Crawford Telephone: 01235 772134 E-mail: andy.crawford@whitehorsedc.gov.uk
To: Joint Audit and Governance Committee DATE: 15 November 2022 |
AGENDA ITEM |
|
|
Internal Audit Follow-Up Process
Purpose of paper
1. To seek approval for the adoption of the revised internal audit follow-up process.
Background
2. In line with the Public Sector Internal Audit Standards (PSIAS), the chief audit executive (in these councils the Internal Audit Manager) must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. Responsibility to resolve issues and manage agreed actions lies with management.
3. Internal audit undertake follow-up engagements for all internal audits within six calendar months of the date of issue of the final internal audit report. The purpose of these follow-up engagements is to provide independent confirmation that action is being taken and that risks are being managed effectively. For audits which are performed annually, follow-ups are undertaken as part of the next internal audit review.
4. There is no formal monitoring and reporting of internal audit recommendations which have not been implemented following completion of the six-monthly follow-up engagement. Lack of regular monitoring of recommendations increases the likelihood that actions are not implemented on a timely basis, exposing the councils to risk.
Revised Follow-Up Process
5. It is recommended that the follow-up process outlined below is implemented to formally monitor progress against agreed actions after completion of the six-monthly follow-up engagement:
Step 1: Quarterly (i.e., February, May, August, and November), the internal audit manager shall email the open recommendations tracker to action owners and their service managers and/or heads of service requesting an update of progress against agreed actions (incl. high, medium, and low risk items).
Step 2: Action owners shall provide the internal audit manager with their updates, along with supporting information for actions that have been fully implemented.
Step 3: The internal audit manager shall collate responses and update the recommendations tracker and the internal audit recommendations database.
Step 4: The status of progress against agreed management actions shall be reported by the internal audit manager to the joint audit and governance committee (JAGC) for their consideration (i.e., January, March, July, and September).
Step 5: the internal audit manager shall escalate non-responses to the deputy chief executives, section 151 officer, and/or monitoring officer, as appropriate, and suitable next steps will be taken.
6. Points to note:
· Action owners shall be asked to provide their responses within two weeks of distributing the recommendations tracker.
· The internal audit manager shall issue a reminder to action owners and their service managers and/or heads of service; however, late, or non-responses shall be reported to the JAGC.
· Requests for revised implementation due dates must be reviewed and agreed by the internal audit manager.
7. The roles and responsibilities in the follow-up process are summarised below:
Internal audit manager: track implementation of actions and report progress to the JAGC.
Action owners: implement agreed actions, manage associated risk(s) and provide quarterly status updates to the internal audit manager.
Senior management team: support the internal audit manager in tracking agreed actions and accept the risk of not taking actions.
Deputy chief executives, S151 officer, monitoring officer: support the internal audit manager in responding to non-responses and maintain oversight of open recommendations.
Joint audit and governance committee: monitor progress of agreed actions to ensure that the actions within internal audit reports have been implemented correctly in the timescales originally offered by management, and that controls are managing risk more effectively.
Recommendations
8. It is recommended that the revised follow up process is adopted to provide senior management and the JAGC assurance that the agreed actions within internal audit reports have been implemented correctly in the timescales originally offered by management, and that controls are managing risk more effectively.
Climate and ecological impact implications
9. There are no direct climate or ecological implications arising from this report. However, per the climate action plan, for each individual audit in the 2022/23 internal audit plan, we will include risk considerations for the climate emergency in our audit work.
Financial implications
10. None.
Legal implications
11. None.
Risks
12. Identification of risk is an integral part of all audit work.