Joint Audit and Governance Committee
Report of Internal Audit Manager Author: Victoria Dorman-Smith Telephone: 01235 422430 E-mail: victoria.dorman-smith@southandvale.gov.uk SODC cabinet member responsible: Councillor Leigh Rawlins Tel: 01189 722565 E-mail: leigh.rawlins@southoxon.gov.uk VWHDC cabinet member responsible: Councillor Andy Crawford Telephone: 01235 772134 E-mail: andy.crawford@whitehorsedc.gov.uk   To: Joint Audit and Governance Committee DATE: 29 March 2022	AGENDA ITEM

 

Internal audit plan 2022/2023

 

Recommendation(s)   (a) That members approve the internal audit plan 2022/23

 

Purpose of Report

1.            The purpose of this report is:

·       to explain the process for setting the internal audit plan and for calculating the resources available; and

·       to set out the proposed internal audit plan for 2022/23.

 

2.            The contact officer for this report is Victoria Dorman-Smith, Internal Audit Manager for South Oxfordshire District Council (SODC) and Vale of White Horse District Council (VWHDC), email victoria.dorman-smith@southandvale.gov.uk.

 

Strategic Objectives

 

3.            Delivery of an effective internal audit function will support the councils in meeting their strategic objectives.

 

 

 

Background

 

4.            The definition of internal audit is set out in the Public Sector Internal Audit Standards (PSIAS): “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.  It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.  It may also undertake consulting services at the request of the councils, subject to there being no impact on the core assurance work and the availability of skills and resources.

 

5.            Internal audit supports the head of finance (section 151 officer) in discharging his/her statutory duties, particularly in relation to the following legislation:

·       The Local Government Act 1972 states that the section 151 officer is responsible for ensuring that there are arrangements in place for the proper administration of the authority’s financial affairs.  

·       The Accounts and Audit Regulations state that ‘A relevant body must maintain an adequate and effective system of internal audit of the control environment and systems of internal control’.

 

6.            The PSIAS states that the head of internal audit should prepare a risk-based internal audit plan, and for plans to receive input from management.  It also states that the plan should outline the assignments to be carried out and the resource requirements to deliver the plan.  The PSIAS also states that the audit committee should approve the internal audit plan and monitor progress against the plan.  This document sets out the proposed internal audit plan for 2022/23, together with potential audit reviews in 2023/24 and 2024/25.

 

The Audit Planning Process

 

7.            The PSIAS refer to the need for the risk-based plan to consider the requirement to produce an annual internal audit opinion and report that is used by the organisation to inform its governance statement.  The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.  

 

8.            To support this, the risk-based plan needs to consider the risk priorities per the SODC and VWHDC corporate risk registers, review of large or significant income and budget spend and review of the corporate priorities and objectives.

 

9.            The approach to the audit planning process was agreed by the head of finance.  The following steps were undertaken:

Step 1: The SODC and VWHDC corporate risk registers have been reviewed as the starting point for the audit planning process as this represents management’s assessment of the risks to the councils achieving their strategic objectives.  Checks have been performed to ensure that the top eight risks on the SODC corporate risk register and the top seven risks on the VWHDC corporate risk register are reviewed regularly by internal audit.

Step 2: Areas of large or significant income and budget spend across each service area have been reviewed to ensure that they are included as a possible audit area in the SAA.

Step 3: The SAA is attached in appendix 1 and lists every possible audit area at both or either SODC or VWHDC.  The audit areas have been reviewed and updated to reflect the current organisational structure and division of responsibilities across each service area.  Each audit has been rated by the internal audit manager and critically reviewed by the head of finance on several risk factors to give an overall risk score, and this assists in the assessment of what should be placed in the annual internal audit plan.  Although scoring is subjective, and no two people would score alike the process attempts to introduce a degree of objectivity into the assessment process. 

Step 4: Meetings have been held between the internal audit manager and deputy chief executives and heads of service in February 2022 to obtain insights into the level of risk exposure within each service area across both councils.  In addition, heads of service have requested that, where required, specific function(s) within their service area are reviewed as part of the planned assurance or consultancy work for 2022/23 or future years.

Step 5: The proposed internal audit plan for 2022/23 has been finalised with the head of finance and shared with the senior management team for their information on 9^th March 2022.

 

10.         Due to the changing environment that exists in Local Government, there is a need for an element of flexibility in the internal audit plan due to potential changes in the council risk profiles and the potential for emerging risks.  The SAA and corporate risk registers will be reviewed regularly by the internal audit manager throughout the year, and it is possible that changes to the internal audit plan may be required. Any changes (e.g. due to changes to the council risk profiles or due to management requests) will be agreed with the head of finance and reported to the audit committee.  In September 2022, meetings will be held between the internal audit manager and deputy chief executives and heads of service to understand if there have been any changes to the level of risk exposure within each service area across both councils, since the initial discussions in February 2022.  Based on the outcome of these meetings, the internal audit manager will assess whether audits need to be added, removed or amended on the internal audit plan.

 

Allocation of Audit Resources

 

11.         The resources available to deliver the internal audit annual plan 2022/23 are arrived at by starting with the number of days available for all internal audit posts within the team.  This is then reduced by the estimated numbers of days lost through annual leave, bank holidays (planned) and sickness and other absences (unplanned).  The remaining days available are then allocated between the various elements of work which are expected to be carried out in the year to deliver an effective internal audit service. 

 

12.         The calculation of days available and the allocation of days between different categories of work is attached as appendix 2.  The different categories of work are classed as either chargeable or non-chargeable.  Chargeable means the work has an identifiable client or is directly linked to the delivery of internal audit services.  Non-chargeable means any other work which is not directly linked to the delivery of internal audit services (for example: admin, corporate responsibilities, training, staff briefings).

 

13.         An explanation of the individual variances against the previous year allocation is provided in appendix 2.

 

Internal Audit Plan

 

14.         The outputs from the audit planning and allocation of resources process have been prioritised to produce an internal audit plan that considers the following:

·       the requirement to give an objective and evidenced based opinion on aspects of governance, risk management and internal control.

·       the requirement for internal audit to add value through improving controls, streamlining processes and supporting corporate priorities.

·       the need to allocate a suitable number of contingency days to respond to emerging risk, governance and control matters.

·       the need to allocate a suitable number of investigation days for fraud or whistleblowing purposes.

·       to support the head of finance’s requirement for a cyclical review of key financial systems and processes throughout the councils.

 

15.         The internal audit plan for 2022/23 is designed and constructed in such a way to enable the internal audit manager to form an opinion on the adequacy of each council’s control environment, taking into consideration available audit resources.  This opinion forms an important independent view of each council’s operations that feeds into and supports each council’s annual governance statement. 

 

16.         The proposed internal audit plan for 2022/23 is attached in appendix 3 and has been agreed with the head of finance and has been considered by the senior management team (SMT). 

 

Individual Audits

 

17.         For each audit, not all aspects within a specific area are necessarily examined.  Actual audit coverage is decided at the time of the audit in consultation with key management and officers.  This ensures that current issues together with recent coverage by internal audit or external bodies determine the scope of the work.

 

18.         An estimated start date for each audit is included in the internal audit plan in appendix 3, which aims to ensure the availability of key management and officers.  We will. however, seek to agree a date which is convenient to the officers involved during the scoping of each review.

 

19.         Upon completion of the audit fieldwork, the auditor will draft a report and arrange to meet with the auditees, to ensure factual accuracy of the audit observations and findings and to ensure a proper understanding of the risks to which any action plan relates.

 

20.         A formal audit report will be issued for all planned assurance audit work, which will provide an overall assurance rating, along with key observations and recommendations for each audit objective.  However, upon identification of any high-risk issues, internal audit will immediately notify management during the course of the audit to enable appropriate remedial action to be taken prior to being formally published in the audit report.

 

Follow Up Reviews

 

21.         For annual audits (i.e., key financial topics), follow ups are completed as part of the next internal audit review.  For all other planned assurance work, the timing of the follow up is dependent upon available audit resources, however, internal audit will aim to complete the follow up review within six months of distribution of the final audit report.

 

22.         For consultancy work, the completion of follow ups will be agreed with key management and officers.

 

23.         For any open recommendations remaining after completion of the follow up, regular monitoring of recommended actions will be performed by internal audit and reported to committee.

 

Reporting to the Joint Audit and Governance Committee

 

24.         Monitoring of internal audit’s progress against the internal audit plan along with summarising the outcomes of recent audit and follow up work will be presented to the joint audit and governance committee.

 

25.         Following completion of the internal audit plan for 2022/23 we will produce an annual internal audit report on the work of internal audit in the year ended 31 March 2023, and to advise the committee of the internal audit manager’s opinion on the overall adequacy and effectiveness of the internal control environments at SODC and VWHDC.

 

Climate and Ecological Impact Implications

 

26.         There are no direct climate or ecological implications arising from this report. However, per the climate action plan, for each individual audit in the 2022/23 internal audit plan, we will include risk considerations for the climate emergency in our audit work.

 

Financial Implications

 

27.         The internal audit plan can be delivered from within the approved 2022/23 budget, therefore there are no financial implications attached to this report.

 

Legal Implications

 

28.      None

 

Risk Implications

 

29.       Identification of risk is an integral part of all audits.

 

 

VICTORIA DORMAN-SMITH

INTERNAL AUDIT MANAGER