Joint Audit and Governance Committee
Report of Internal Audit Manager Author: Victoria Dorman-Smith Telephone: 01235 422430 E-mail: victoria.dorman-smith@southandvale.gov.uk SODC cabinet member responsible: Councillor Leigh Rawlins Tel: 01189 722565 E-mail: leigh.rawlins@southoxon.gov.uk VWHDC cabinet member responsible: Councillor Andy Crawford Telephone: 01235 772134 E-mail: andy.crawford@whitehorsedc.gov.uk   To: Joint Audit and Governance Committee DATE: 15 November 2022	AGENDA ITEM

 

Internal audit: untapped potential

 

Purpose of paper

1. To summarise the key points from the recent Chartered Institute of Public Finance and Accountancy (CIPFA) report titled Internal audit: untapped potential.

2. To seek approval of the proposed actions for internal audit, the senior management team (SMT), and the joint audit and governance committee (JAGC) to undertake to improve the impact of internal audit at South and Vale.

 

Background

3. In May 2022, CIPFA published a report on the untapped potential of internal audit, entitled as such because CIPFA believes that internal audit has a vital role to play in supporting public service organisations to achieve their goals.

4. CIPFA has conducted UK-wide research, sending an open survey to those in the public services, including those in the internal audit profession, management clients and audit committee members.

5. The report examined how internal audit is currently making an impact, identified where it can do more and what is holding it back, as better internal audit means better public services.

Report highlights

 

Section 1: Identifying the impact of internal audit

6. The impact of internal audit can be defined as its ability to support the organisation in achieving its strategic objectives and priorities. This will be through an appropriate mix of assurance, consulting activity and advice. The impact of internal audit will vary across organisations based on assurance needs, organisational culture, and capacity for continual improvement. The impact of internal audit is dependent on the quality of the internal audit team, the framework, and the organisation in which internal audit operates. Each of these will shape expectations of what internal audit can and should deliver.

 

7. There is no ‘formula’ for assessing or quantifying the impact of internal audit, as many of the indicators of an effective internal audit service are, to some extent, subjective.  Indicators of effective internal audit are:

·         Good engagement with senior management and the audit committee, while maintaining independence and objectivity

·         Internal audit plans clearly aligned to the topics that are most important for the success of the organisation.

·         Timely and meaningful assurance, communicated in a way that is understood by stakeholders.

·         The ability to challenge constructively and to help management find solutions.

·         The ability to respond to emerging risks or issues and changing priorities for the organisation.

·         Ability to demonstrate conformance with internal auditing standards.

 

8. However effective and impactful internal audit teams may be, CIPFA research shows they are enhanced when operating in an organisation that understands assurance and the role of internal audit and engages with internal audit to obtain the maximum benefit from the function.

 

Section 2: How internal audit is making an impact

9.   Internal audit’s contribution has improved: In 2008 CIPFA identified an expectation and perception gap between local government internal auditors and their clients. The 2021 research identifies significant progress on closing this gap, which is most notable in terms of the contribution that internal audit makes in supporting the management of the organisation.

 

10. Effective communication: one of the reasons for the improved contribution of internal audit may be better communication between internal auditors and their clients. Effective communication is a core skill required at every stage of the audit process, from explaining the rationale for conducting an audit to exploring options for control improvements with clients. To have impact, internal auditors need to ensure that the communication is consistently of a high standard and meeting client expectations.

 

11. Range of services provided: Internal auditors make an impact through a range of approaches. While most internal audit teams were already offering broad coverage, their clients did not always recognise this. The view of what internal audit delivers:

·         Advisory/consultancy assignments/ad-hoc advice

·         Assurance relating to individual projects

·         Advice on new systems or developments

·         Sharing good practice from, or comparisons with, other departments or organisations

·         Sitting as an independent critical friend on committees or steering groups relating to transformation, projects or major programmes

·         Working with other internal audit teams to provide assurance on partnerships or collaborative ventures

The disparity is most marked in relation to the role of internal audit sitting on project or steering groups and in advice provided on new systems or developments. Heads of audit will have a full understanding of their team’s activities, while clients perhaps only recognise those where they have had direct interaction. There is also a difference in perception between management and audit committees, perhaps reflecting that not all advisory work is reported to the audit committee in detail.

 

Section 3: The potential for internal audit

12. Expectations and understanding: There is a range of expectations of internal audit from management and audit committees, as well as a difference in the perception of what internal audit delivers for the organisation. CIPFA believes that higher expectations by management and audit committees will provide both a challenge and support for internal audit.

 

13. More strategic coverage: A key factor of the impact of internal auditing is the nature of the areas in which internal audit invests its time and focus. The top six areas that should be covered to achieve impactful internal audit in the coming three years, as identified by CIPFA research, are as follows (with cybersecurity scoring most highly):

·         Cybersecurity

·         Digitisation and the greater use of data within the organisation

·         Environmental sustainability/climate change

·         Financial viability (e.g., financial resilience, medium-term financial strategies and decisions around commercial strategies)

·         Culture and ethics

·         Supporting improved risk maturity

 

14. Going beyond assurance: The responses to a question on how internal audit currently contributes to an organisation reflect a somewhat traditional view of internal audit activity, with independent and objective assurance being the highest-ranking response. Other activities that would be expected in a high functioning internal audit team such as providing advice, helping to understand the root cause of weaknesses and audit coverage relating to major change receive a much lower ranking.

 

15. Supporting improved risk maturity: There is a difference between views of the heads of internal audit, management, and audit committees on the organisation’s risk maturity. Management and audit committee members considered that their risk management arrangements were more mature than the view of internal auditors. There is scope to improve arrangements for managing risk: 31% of respondents believe that the impact of internal audit would be enhanced if there was greater support to help the organisation understand risk and its risk maturity.

 

16. Data analysis: The impact of internal audit also comes from the tools used. Where data analytics are not already being used, 68% of internal auditors and 40% of clients think that adding analytics to the audit toolkit would be beneficial. Internal auditors are seeking to use analytics and to upskill team members, but there are also barriers such as multiple legacy systems and challenges to accessing the organisation’s data.

 

17. Consultancy role: The definition of internal auditing recognises that internal audit has both an assurance and consulting role. There are concerns that internal audit undertaking consulting work can impair its independence and objectivity when it needs to later provide assurance in that same area. Internal audit consulting input may not always be a standalone assignment; for many teams, a core element of their advisory role is to attend project or steering groups to act as a critical friend. It is key that internal auditors should not have a decision-making role at any such meeting; however, being present enables internal audit to be aware of progress and make decisions to determine how it can best respond to support the organisation.

Section 4: What is holding internal audit back?

18. The challenges in the report are faced by many public sector organisations. That is not to say that these are faced by all, or that internal audit teams, senior management or audit committees are not seeking solutions or taking action.

 

19. Resourcing: The level of internal audit resourcing is often a difficult one. How much assurance is sufficient? What other assurances exist?

·         43% of internal auditors said that increasing the capacity of internal audit was a priority for improving its impact and effectiveness; however, less than 30% of clients agreed this was a priority.

·         There can be a difference between the levels of assurance an organisation requires (client appetite for assurance) and needs.

·         The assurance needs of organisations are changing and internal audit must be able to respond to this.

·         There are four key factors impairing internal audit’s capacity and ability to recruit, retain or procure the right skills (1. continuing development of the internal audit team, 2. attracting people to the audit profession, 3. culture, and 4. behaviours and soft skills).

 

20. Managing internal audit independence: Independence and objectivity are essential to effective internal audit. Some of the barriers may be factors of perception, which can then impair stakeholders’ views on the quality of internal audit:

·         60% of respondents in local government have other responsibilities: the most common were risk manager, head of counter fraud, and governance. Safeguards must be in place to limit impairments to independence or objectivity.

·         Heads of internal audit must report functionally to a member of the leadership team.

 

21. Audit committees: Low expectations by audit committees:

·         While committees are supportive of the work of internal audit, they are less effective in providing professional oversight and providing challenge.

·         Management needs to be better at responding to internal audit recommendations and that the audit committee has a role to ensure action is taken.

·         Some audit committee chairs and heads of internal audit have regular meetings, and discussions between meetings, along with private sessions. However, this relationship is not in place for all.

·         There is potential for political bias - the 2020 Redmond Review noted that 56% of local authorities had no independent member on the audit committee.

·         While the audit committee should approve the internal audit plan, the plan should ultimately be the work of the head of internal audit setting out their independent view of the assurance priorities for the organisation. The plan should be developed according to the strategic priorities and risks of the organisation, and by consulting key stakeholders such as management and the audit committee.

·         The quality of internal audit must include conforming with relevant professional standards.

·         There is a requirement for an independent external assessment of internal audit to be undertaken at least once every five years.

 

22. Lack of understanding of assurance – immature first and second lines: We asked respondents about the status of an assurance framework or similar mechanism within their organisation. When asked if the organisation has identified how it obtains assurance across the full range of its activities, clients were significantly more positive than heads of internal audit. This may be for a number of reasons, including the understanding of what constitutes an effective assurance map, or that internal auditors may have higher expectations on the formality of such an exercise. Only 48% confirmed that their organisation had identified how it obtains assurance across the full range of its activities. This is surprisingly low, given the concept of assurance maps or frameworks has been in use for over 20 years. There is a need for audit committees to have a key role in overseeing the assurance framework, with internal auditors being integral not only to delivering assurance, but in collecting information and assessing the robustness of other assurance activity to help the committee’s understanding of the assurances available to the organisation. Through this approach, the audit committee acts as a sponsor alongside senior management and can help create a culture of seeking assurance, feedback, and continual improvement to support risk management and decision making.

 

23. The quantum of internal audit resource and assurance: ‘How much assurance is enough?’ is perhaps the million-dollar question, and one to which there is no simple answer. The amount of coverage varies from organisation to organisation and is informed by various factors such as the size and complexity of the organisation, appetite for assurance, and the remit of the internal audit function. This will, in turn, determine the volume and nature of internal audit work and its ability to have an impact.

 

24. Challenges in delivering the annual internal audit opinion: The PSIAS require public sector internal auditors to provide an annual opinion. This should inform the organisation’s annual governance statement. In CIPFA’s experience of quality assessments, a range of approaches exist to underpin the opinion. The variability identified in the quantum of audits underpinning the annual opinion is concerning.

 

25. Organisational culture: It is important to have a culture where internal audit findings are taken as independent, objective, professional advice to be acted on and taken into consideration. The need for a risk management culture to be embedded was also shared, and the ability for internal audit to have a voice at the top table to be able to engage in new initiatives, change or transformation at an early stage.

 

Report conclusion:

26. When internal audit provides support, it does so in a unique way. It provides independent assurance. Achieving this requires a resource base of trained internal auditors supported by modern approaches and professional standards. It needs both capacity and capability.

 

27. Internal audit also needs to work in conjunction with an organisation’s governance, risk, control, and assurance frameworks. A professional team of internal auditors will not have the desired impact in an organisation that doesn’t understand its assurance requirements or have good governance arrangements.

 

28. Assurance requirements are constantly evolving, and internal audit must keep up with the pace of change to stay relevant. Concerns that organisations face such as climate change and increased cyber security and financial risks are areas where internal audit can have a great impact. 

 

27. The report concluded that things need to change and recommended the following:

 

 

Next steps

29. Based on the recommendations raised in the report, an action plan has been developed, outlining the proposed actions for internal audit, SMT and the JAGC to undertake to improve the impact of internal audit (see appendix 1).

 

 

 

 

 

Climate and ecological impact implications

 

30. There are no direct climate or ecological implications arising from this report. However, per the climate action plan, for each individual audit in the 2022/23 internal audit plan, we will include risk considerations for the climate emergency in our audit work.

 

Financial implications

 

31. The proposed action plan can be delivered from within the approved 2022/23 budget, therefore there are no financial implications attached to this report.

 

Legal implications

 

32. None.

 

Risks

 

33. Identification of risk is an integral part of all audits.

 

 

 

 

 

 

Appendix 1: Action Plan

 

Impact area	Ref	Actions(s)	Responsible
			Internal Audit	SMT	JAGC
Effective communication	1.	Promote awareness of internal audit (i.e., what we do, why we do it, and how we do it) across the councils. Options could include: ·         Attending service team meetings to conduct briefings/Q&A sessions. ·         Holding an ‘internal audit awareness week’ via Jarvis and comms emails - perhaps in conjunction with the councils’ second lines of assurance (e.g., legal, risk management, health & safety).	X
	2.	Seek feedback from the senior management team on what improvements they would like to see in relation to internal audit communication.	X	X
More strategic coverage	3.	Review the annual internal audit plan for the following: ·         Reconcile the internal audit plan to the South and Vale corporate risk registers, to ensure that strategic and/or top risks are audited regularly. ·         Audit the councils highest risk areas (e.g., information security, risk management, health & safety) on an annual basis.	X
Supporting improved risk maturity	4.	Review and update the 2022/23 annual internal audit report to ensure that internal audit’s annual opinion on risk management provides clarity over aspects for improvement and identifies opportunities for support.	X
Data analysis	5.	Provide excel training to the internal audit team on data analytics tools and techniques via: ·         Internal knowledge sharing sessions (at team meetings). ·         Encourage the internal auditors to undertake regular independent learning and research (numerous excel training sessions are freely available online). ·         Externally provided training course(s) on more advanced data analysis topics.	X
	6.	Increase data accessibility for individual audits: ·         Where feasible, internal auditors should access data directly from the system on individual audits. ·         Develop ‘internal audit workspaces’ in Unit4 for easy access to data, especially for key financial audits.	X
Consultancy role	7.	Establish a process for the internal audit manager to receive copies of SMT papers on a timely basis. This is to support the internal team in expanding on the projects they get involved in, and the meetings we attend in the capacity of a critical friend.	X	X
Audit committees	8.	Undertake an external quality assessment to assess compliance with PSIAS.	X		X
	9.	Check compliance to updated CIPFA ‘strengthened guidance on audit committees’ report and communicate actions to JAGC.	X		X
Impact area	Ref	Actions(s)	Responsible
			Internal Audit	SMT	JAGC
Audit committees	10.	Review JAGC governance arrangements and consider appointing at least one suitably qualified, independent member to the committee.	X		X
Lack of understanding of assurance	11.	Review latest CIPFA guidance to review and improve assurance arrangements.	X
	12.	Review and update the 2023/24 internal audit plan to ensure that it sets out what other assurances are available and any work internal audit has undertaken to consider the reliability/scope of those assurances. If internal audit has not undertaken any such assessment, this should also be noted. For example, the internal audit plan could include a different aspect of the second line each year to provide assurance on those functions.	X
	13.	Review compliance to the CIPFA requirement for assurance frameworks: ·         Review the latest CIPFA guidance (CIPFA will be publishing guidance on assurance frameworks in). ·         Develop a plan to establish an assurance framework, in collaboration with the assurance team and seek SMT approval.	X	X
Quantum of internal audit resource and assurance	14.	Review and update the 2023/24 internal audit plan to ensure that it provides information on any areas not included within the plan and where the head of internal audit believes that assurance may be required. This should include an explanation of the rationale for non-inclusion, which can be used to inform discussions around prioritisation of the use of internal audit resources to facilitate a meaningful discussion with the JAGC.	X
Annual internal audit opinion	15.	Review and update the annual internal audit opinion on risk management to ensure it complies with PSIAS.	X
	16.	Update internal audit’s approach to supporting risk maturity by benchmarking against other authorities, to leverage best practices.	X
Organisational culture	17.	Establish a formal process for monitoring progress against internal audit recommendations.	X	X	X
Maximising the impact of internal audit	18.	Complete the ten suggested questions that senior management and audit committees should be asking to obtain the maximum impact from internal audit and compare with internal audit manager responses (see appendix 2).	X	X	X
	19.	Review and update the internal audit strategy, to ensure it complies with PSIAS (i.e., Internal audit functions should develop not only a plan of the audit work they will undertake, but also a strategy for their function’s development and how it will flex to meet the future needs of the organisation. This is likely to include the nature of the work, the tools and skills required to undertake it and resources. This should be agreed with top management and the audit committee and progress reported on as part of the quality and improvement programme of the function.)	X

Appendix 2: Maximising the impact of internal audit

 

Suggested questions that senior management and audit committees should be asking to obtain the maximum impact from internal audit. Comparing views on these questions with the head of internal audit may also lead to some useful discussions.

 

No.	Question	Response
Engagement with the organisation
1.	Does internal audit receive the right level of support and engagement from the audit committee?
2.	Does internal audit get good engagement from across the organisation when it plans and conducts audits?
3.	Do managers within the organisation seek advice or assurance from internal audit? What are the drivers of or obstacles to this?
4.	Has the head of internal audit indicated that resources (capability or capacity) need to increase? What steps are being taken to address this?
Quality, impact and continual improvement
5.	Does internal audit conform to PSIAS as demonstrated by an independent external quality assessment undertaken within
6.	What action is internal audit taking to continually improve its quality, engagement and impact for the organisation? Is internal audit considering the skills and competencies it will need in the future as well as now?
Assurance
7.	Is there a clear view of the assurance that internal audit does, and does not, provide? What assurance is provided by other functions or parties? Are there gaps in the assurance that management or the audit committee require?
8.	How do internal audit plans map to the organisation’s strategic priorities and risks?
9.	How is internal audit developing its approach to providing assurance – for example, making greater use of data or undertaking audits with a more strategic focus?
Strategy
10.	What factors currently determine our internal audit strategy? Are we confident that the strategy will deliver our internal audit needs in the future?