Joint Audit and Governance Committee |
|
|
|
|
|
Report of Internal Audit and Risk Manager Author: Victoria Dorman-Smith E-mail: victoria.dorman-smith@southandvale.gov.uk South cabinet member responsible: Councillor Pieter-Paul Barker Tel: 01844 212438 E-mail: pieter-paul.barker@southoxon.gov.uk Vale cabinet member responsible: Councillor Andy Crawford Telephone: 01235 772134 E-mail: andy.crawford@whitehorsedc.gov.uk
To: Joint Audit and Governance Committee DATE: 4 July 2023 |
AGENDA ITEM |
|
|
Internal audit annual report 2022/23
|
(a) Members are asked to consider the annual internal audit opinion and report
|
Purpose of Report
1. The Public Sector Internal Audit Standards (PSIAS) require the chief audit executive to provide an annual internal audit opinion and report that can be used by the organisation to inform its governance statement. This report provides that opinion for South Oxfordshire District Council (South) and Vale of White Horse District Council (Vale).
2. The contact officer is Victoria Dorman-Smith, Internal Audit and Risk Manager for South and Vale, email victoria.dorman-smith@southandvale.gov.uk.
Strategic Objectives
3. Delivery of an effective internal audit function will support the councils in meeting their strategic objectives.
Why an Overall Opinion is Required
4. The Public Sector Internal Audit Standards (PSIAS) (Standard 2450) states:
Extracted from ‘Public Sector Internal Audit Standards Updated March 2017 – 2450 Overall Opinions’.
5. Standard 2450 also states that the overall opinion must be supported by sufficient, reliable, relevant, and useful information, and will include:
· the scope including the time period to which the opinion pertains
· scope limitations
· consideration of all related projects including the reliance on other assurance providers
· a summary of the information that supports the opinion
· the risk or control framework or other criteria used as a basis for the overall opinion, and
· the overall opinion, judgment or conclusion reached, and
· the reasons for an unfavourable overall opinion must be stated.
How an Overall Opinion is Formed
6. Internal audit's risk-based plan must consider the requirement to produce an annual internal audit opinion. Accordingly, the internal audit plan must incorporate sufficient work to enable the internal audit and risk manager to give an opinion on the overall adequacy and effectiveness of South and Vale’s framework of governance, risk management and control. Internal audit must therefore have sufficient resources to deliver the plan.
Quality Assurance and Improvement Programme
7. A quality assurance and improvement programme is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The programme also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. PSIAS states:
Extracted from ‘Public Sector Internal Audit Standards Updated March 2017 - 1320 Reporting on the Quality Assurance and Improvement Programme’.
Overall Opinion 2022/23
8. Based on the work undertaken during the year, the internal audit and risk manager has reached the overall opinion that there is a satisfactory system of governance, risk, internal control. Findings indicate that overall, arrangements are satisfactory, although some enhancements have been recommended. In forming this opinion, the internal audit and risk manager has considered the following:
· The level of coverage provided by internal audit work was considered adequate to support the opinion.
· The 2022/23 internal audit plan, approved by Joint Audit and Governance Committee (JAGC), was informed by internal audit's own assessment of risk in addition to consultation with the senior management team, to ensure it aligned to key risks and objectives of South and Vale.
· The changing risk environment within the councils has been considered during the year.
· There were no changes to statutory officer roles during the year.
· Work has been planned and performed to obtain sufficient information and explanation to give reasonable assurance that South and Vale control environments are operating effectively.
· Internal audit independence and objectivity has not been subject to any impairment in fact or appearance; nor has the scope of our work been restricted in any way.
· A risk management framework exists that informs the internal audit plan.
· Insight gained from internal audit interactions with the senior management team and JAGC.
· The number of audits that have resulted in assurance ratings of either “limited” or “nil” assurance. One audit received limited assurance (information security) and no audits received a ‘no assurance’ rating. To reach the overall opinion, the findings of audits at draft report stage have been considered.
· The degree to which recommended actions have been implemented to address concerns over risk and control weaknesses within the councils.
· Although some audits were not deemed as “assurance audits” (i.e., consultancy and advice work) this work is included in the assessment of the governance, risk, and control framework.
9. The South and Vale internal audit plan is a 12-month plan, with a mid-year reassessment. The annual opinion is based on internal audit work completed in the 12 months from 1 April 2022 to 31 March 2023. The outcomes of this work start on page 4 of this report.
10. The opinion is provided on the understanding that:
· The opinion does not imply that internal audit has reviewed all risks, controls, and governance arrangements at South and Vale. The opinion is substantially derived from risk-based internal audit work and as such, it is only one component that is considered when producing the South and Vale annual governance statements.
· No system of control can provide absolute assurance against material misstatement or loss, nor can internal audit give absolute assurance.
· Implementation of agreed actions is essential if the benefits of the control improvements detailed in each individual audit report are to be realised.
11. Overall, management is making sufficient progress with the implementation of actions to address the risks and weaknesses that internal audit has identified during 2022/23. In total 143 joint recommendations to improve controls and procedures within the councils were made in 2022/23. Of the 143, 13 (9%) were high risk, 41 (29%) were medium risk, and 89 (62%) were low risk. As of 15 June 2023, there are 124 open actions, of which 63 are past due. 42 actions remain open from prior year (5 2018/19, 17 2019/20, and 20 2021/22); however, through quarterly monitoring we are assured that progress against these actions is being made. We also have a formal escalation process, which we can enforce should this be required.
Information to Support the Overall Opinion
Audit Coverage and Performance Against Plan
12. Table 1 below summarises the assurances provided from the internal audit coverage in 2022/23. These assurance ratings inform the annual opinion.
13. The control environment within the key financial systems has improved since 2020/21. In 2022/23, all key financial audits received either a substantial or satisfactory assurance rating. No limited ratings were issued in either the current or previous years, an improvement on the four limited assurance ratings issued in 2020/21. Since the payroll service was brought back in-house in April 2020, the control environment has improved from limited assurance to substantial in the current period. Analysis of the key financial assurance ratings since 2020/21 is summarised in table 2:
14. Table 3 summarises the 2022/23 internal audit plan and their outcomes, including audits in progress (either fieldwork or draft report stage) and progress of recommendations raised:
Value Added Work
Performance Measures
16. The performance of internal audit is measured against several indicators. The outturn for 2022/23 is as follows:
|
Performance Targets |
2022/23 performance |
|
PT1 To issue 90% of audit notifications at least 1 month before start of audit fieldwork |
61% of audits met this target |
|
PT2 To issue 90% of draft audit reports within 5 working days of the exit meeting. |
65% of audits met this target |
|
PT3 To issue 90% of final audit reports within 5 working days of receipt of management comments. |
90% of audits met this target |
|
PT4 To complete the audit fieldwork and issue draft reports on 100% of key financial audits. |
100% of audits met this target |
|
PT5 To complete the audit fieldwork and issue draft reports on 80% of operational audits. |
75% of audits met this target |
17. Performance targets: actual performance of PT1 and PT2 were slightly lower than the target performance due to various reasons. In several cases, organisational priorities resulted in longer time taken to complete audit work and obtain management responses etc. which were outside of the internal audit team’s control. Due to focusing on the best interests of auditees when conducting our planned engagements, we have sometimes missed the PT1 and PT2 targets. We will reassess the relevance of our performance targets in the coming year. PT5 is slightly lower than target performance, which is partly due to the business continuity audit being on hold due to operational demands.
18. Feedback: to assist in monitoring and improving the quality and value of service provided, feedback forms are sent to auditees on all engagements. The feedback form contains 12 questions regarding the internal audit service provided and asks auditees to score each on a scale of 1 to 5 (1=very poor, 2=poor, 3=satisfactory, 4=good, 5=very good). Of the 23 feedback forms sent, only 6 (26%) have been returned, with an overall average score of 58 out of 60. Feedback received in 2022/23 is summarised in appendix 1. Feedback received by the internal audit and risk manager is discussed with the team, and where necessary, process improvements are implemented.
19. Quality assurance: there is ongoing monitoring of performance and quality of internal audit work, and all work undergoes our internal review process.
Quality Assurance and Improvement Programme
20. External assessments: the PSIAS state that external assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. The internal audit and risk manager will investigate independent assessor options in 2023/24.
21. Internal assessments: per the PSIAS internal assessments must include ongoing monitoring of the performance of the internal audit activity. In recent year, the internal audit function has seen positive development in some key areas, including more efficient auditing of key financial systems, working closely with the head of legal and democratic services and the risk management function (second line of assurance). There are several improvement areas which are underway, namely: assurance map, recommendations database, reporting templates, and internal audit team training and development.
22. Conformance with PSIAS: the internal audit function conforms to the Public Sector Internal Audit Standards (2017). There is no non-conformance to the PSIAS Code of Ethics and Standards to be highlighted for inclusion in the annual governance statement for 2022/23.
Financial implications
23. There are no financial implications attached to this report.
Legal implications
24. There are no legal implications attached to this report.
Climate and ecological impact implications
25. There are no climate or environmental implications.
Risk implications
26. Identification of risk is an integral part of all audits.
VICTORIA DORMAN-SMITH
INTERNAL AUDIT AND RISK MANAGER