Joint Audit and Governance Committee |
|
|
|
|
|
Report of Internal Audit Manager Author: Victoria Dorman-Smith E-mail: victoria.dorman-smith@southandvale.gov.uk SODC cabinet member responsible: Councillor Leigh Rawlins Tel: 01189 722565 E-mail: leigh.rawlins@southoxon.gov.uk VWHDC cabinet member responsible: Councillor Andy Crawford Telephone: 01235 772134 E-mail: andy.crawford@whitehorsedc.gov.uk
To: Joint Audit and Governance Committee DATE: 5 July 2022 |
AGENDA ITEM
9 |
|
|
Internal audit annual report 2021/22
|
(a) That members note the content of the report.
|
Purpose of Report
1. The purpose of this report is to report on the work of internal audit in the year ended 31 March 2022, and to advise the committee of the internal audit manager’s opinion on the overall adequacy and effectiveness of the internal control environments at South Oxfordshire and the Vale of White Horse District Councils.
2. The contact officer for this report is Victoria Dorman-Smith, Internal Audit Manager for South Oxfordshire District Council (SODC) and Vale of White Horse District Council (VWHDC), mobile 07766 780835, email victoria.dorman-smith@southandvale.gov.uk.
Strategic Objectives
3. Delivery of an effective internal audit function will support the councils in meeting their strategic objectives.
Background
4. Standard 2450 of the Public Sector Internal Audit Standards (PSIAS) states that the internal audit manager must produce an annual report that:
· provides an annual internal audit opinion and report that can be used to inform the governance statement.
· confirms the organisational independence of the internal audit activity
· gives his or her opinion on the overall adequacy and effectiveness of the organisation’s control environment.
· discloses any qualifications to that opinion, together with the reason(s) for the qualification.
· presents a summary of the audit work from which the opinion is derived, including reliance placed on work by other assurance bodies.
· draws attention to any issues the head of internal audit judges particularly relevant to the preparation of the Annual Governance Statement.
· compares the work undertaken to the work that was planned and summarises the performance of the internal audit function against its performance measures and targets.
· comments on conformance with the PSIAS; and
· communicates the results of the internal audit quality assurance programme and progress against any improvement plans.
5. The control environment comprises the systems of governance, risk management and internal control. The key elements of the control environment include:
· establishing and monitoring the achievement of the organisation’s objectives.
· ensuring compliance with established policies, procedures, laws and regulations.
· ensuring risk management is embedded in the activity of the organisation, that leadership is given to the risk management process, and staff are trained or equipped to manage risk in a way appropriate to their authority and duties.
· ensuring the economical, effective and efficient use of resources, and for securing continuous improvement in the way in which its functions are exercised, having regard to a combination of economy, efficiency and effectiveness.
· the financial management of the organisation and the reporting of financial management; and
· the performance management of the organisation and the reporting of performance management.
Overall Opinion
6. The internal audit manager is satisfied that sufficient internal audit work has been undertaken to allow a reasonable conclusion to be drawn as to the adequacy and effectiveness of SODC’s and VWHDC’s risk management controls, and governance processes. The internal audit manager’s opinion is based on the risk-based audits carried out during the year at each council and other unplanned work on control systems. No reliance has been placed on the work of other assurance bodies.
7. It is the internal audit manager’s unqualified opinion that based on the areas reviewed during the year, satisfactory assurance can be placed on both councils’ general risk management, control, and governance processes. Overall, there is basically a sound system of internal control at both councils, but there are some weaknesses which may put some system objectives at risk. Out of the 34 planned audits (key financial and operational), 21 audits were completed (either in draft or final report stage), seven audits were not performed, and six audits were deferred, as summarised below:
|
2021/22 |
Planned |
Not Performed |
Deferred |
Completed |
|
Joint |
32 |
5 |
6 |
21 |
|
SODC |
1 |
1 |
0 |
0 |
|
VWHDC |
1 |
1 |
0 |
0 |
|
TOTALS |
34 |
7 |
6 |
21 |
8. It should be noted that the control environment within key financial systems has improved since 2020/21. Five audit reports received a limited assurance rating in 2021/22; however, no limited ratings were issued in 2021/22. Of the 10 planned key financial audits, eight audits were performed, and two audits (payroll and pro-active anti-fraud) were not performed. Analysis of the eight audit ratings in comparison with previous years is as follows:
|
Key financial audit ratings |
Issued in final |
Issued in draft |
||
|
2019/20 |
2020/21 |
2021/22 |
2021/22 |
|
|
Full assurance |
0 |
0 |
2 |
0 |
|
Substantial assurance |
0 |
1 |
0 |
0 |
|
Satisfactory assurance |
4 |
2 |
4 |
2 |
|
Limited assurance |
6 |
5 |
0 |
0 |
|
Nil assurance |
0 |
0 |
0 |
0 |
|
TOTALS |
10 |
8 |
6 |
2 |
9. Notwithstanding the internal audit manager’s overall opinion, internal audit identified several opportunities for improving controls and procedures across the councils which officers have generally responded to positively. A total of 74 recommendations were raised across the eight key financial audits: 32 medium risk and 42 low risk. The two key financial audits given a full assurance rating were accounts receivable and treasury management.
10. Where internal audit identified weaknesses, which require remedial action, recommendations have been made and discussed with officers.
11. A summary of the 2021/22 audits is attached as Appendix 1a and a comparison of the internal audit opinions across both councils against two previous years is as follows. Please note that a joint report counts as two as there can be differing assurance ratings for each council within a joint audit. As of 27 June 2022, out of a total of 34 planned audits for 2021/22, 21 audits have been completed (15 final report stage and 6 draft report stage):
|
Planned audit ratings |
2019/20 |
2020/21 |
2021/22 Final |
2021/22 Draft |
|
Full assurance |
2 (9%) |
0 |
3 (14%) |
0 |
|
Substantial assurance |
0 |
2 |
1 (5%) |
1 (5%) |
|
Satisfactory assurance |
18 (48%) |
6 (34%) |
10 (47%) |
4 (19%) |
|
Limited assurance |
14 (43%) |
10 (56%) |
1 (5%) |
1 (5%) |
|
Nil assurance |
0 |
0 |
0 |
0 |
|
TOTALS |
34 |
18 |
15 |
6 |
Summary of Audit Work
12. For 2021/22, internal audit completed 655 chargeable audit days against a planned 775 days. This includes planned and unplanned assurance and consultancy work, unplanned investigations, ad-hoc advice, audit follow up, and audit management. A comparison of actual days against planned audit days for 2021/22 is attached as Appendix 2.
13. A total of 21 joint planned internal audit reviews have been undertaken (of which, six audits have been issued in draft). Of the 21 completed audits, three achieved a full assurance rating, two achieved a substantial rating, and 14 achieved a satisfactory rating. Limited assurances were issued for 2 audits. No reviews resulted in nil assurance being given.
14. In total 218 recommendations to improve controls and procedures within the councils were made. Of the 218, 6 (3%) were high risk, 98 (45%) were medium risk, and 114 (52%) were low risk.
15. No unplanned contingency or investigation work was undertaken in 2021/22. Ad-hoc advice is provided to service teams and a total of 15 days for SODC and 15 days for VWHDC were utilised.
16. A total of five joint follow-up reviews and one VWHDC were undertaken during 2021/22, utilising 18 days as shown at Appendix 1b. Time has been allocated within the 2022/23 audit plan for further follow-up work of 2021/22 and 2022/23 audits.
Internal Audit Performance
17. The internal audit team comprised three auditors and an interim internal audit manager for the period 1 April 2021 to 26 November 2021. The internal audit manager returned from maternity leave in November 2021, when the interim internal audit manager left the interim position.
18. The performance of internal audit is measured against several indicators. The outturn for 2021/22, including comparison with the previous year, is as follows:
|
Performance Targets |
Actual performance 2021/22 – as at 27 June 2022 |
|
PT1 To issue 90% of audit notifications at least 1 month before start of audit fieldwork |
80% of audits met this target |
|
PT2 To issue 90% of draft audit reports within 5 working days of completion of the exit meeting. |
81% of audits met this target |
|
PT3 To issue 90% of final audit reports within 5 working days of receipt of the auditee’s final responses to draft report and recommendations. |
87% of audits met this target |
|
PT4 To issue 90% of follow-up notifications at least 1 month before start of follow-up work. |
83% of audits met this target |
|
PT5 To follow up 90% of final reports within 6 months of completion of audit. |
50% of audits met this target |
|
PT6 To complete the audit fieldwork and issue draft reports on 100% of key financial system audits within the audit plan. |
100% of audits met this target |
|
PT7 To complete the audit fieldwork and issue draft reports on 80% of all non key financial system audits within the audit plan. |
100% of audits met this target |
|
Performance Targets |
2021/22 Target |
Actual as at 27 June 2022 |
|
PT8 Chargeable (identifiable client and/or specific IA deliverable) |
75% |
63% |
|
PT 9 Non-Chargeable (corporate, not IA deliverable) |
8% |
17% |
|
Lost (i.e. leave, study, sickness) |
17% |
20% |
|
PT 10 Planned Lost |
15% |
15% |
|
PT 11 Unplanned Lost |
2% |
5% |
19. The actual performance of PT1 to PT5 were slightly lower than the target performance due to various reasons. In several cases, increased operational demands (Covid-19 grant administration for example) resulted in longer time taken to complete audit work and obtain management responses etc. which were outside of the internal audit team’s control. Where individual auditor performance can be improved, the internal audit manager has addressed this as part of the Let’s Talk performance management process.
20. Notwithstanding, the internal audit manager considers it to be a good team performance, especially the completion of 100 per cent of key financial and operational audits (PT6 and PT7).
Quality Assurance and Improvement Programme
21. As part of the quality assurance and improvement programme (QAIP) and to assist in monitoring and improving the quality and value of service provided, auditees are asked to complete an audit feedback questionnaire on internal audit’s performance. Responses received in 2021/22 are summarised in Appendix 3.
22. Feedback received by the internal audit manager is discussed with the relevant auditor and where necessary, process improvements are implemented.
23. Two feedback forms were received back but all showed that the service was rated at least satisfactory in all feedback areas, and positive additional comments were provided, so no improvement are considered necessary at this time. However, auditees will be reminded to complete the feedback forms to provide a clearer view of how the service is perceived and any improvements identified.
24. There is ongoing monitoring of the performance and quality of internal audit work throughout the year. All internal audit work is reviewed by the internal audit manager and feedback provided to auditors regarding the quality and audit technique.
25. The PSIAS require the chief audit executive to develop and maintain a quality assurance and improvement programme (QAIP) that covers all aspects of the internal audit activity. The QAIP must include both internal and external assessments and the results of the QAIP and progress against any improvement plans must be reported in the annual report. An internal and external assessment has not been undertaken in 2021/22; however, the internal audit manager will assess the need for assessments in 2022/23.
Issues relevant to the Annual Governance Statement
26. The internal audit function conforms to the Public Sector Internal Audit Standards (2017). There is no non-conformance to the PSIAS Code of Ethics and Standards to be highlighted for inclusion in the annual governance statement for 2021/22.
Financial implications
27. There are no financial implications attached to this report.
Legal implications
28. There are no legal implications attached to this report.
Climate and ecological impact implications
29. There are no climate or environmental implications.
Risk implications
30. Identification of risk is an integral part of all audits.
VICTORIA DORMAN-SMITH
INTERNAL AUDIT MANAGER