Purpose of Report
1. The
purpose of this report is:
·
to explain the process for setting the internal audit plan and for
calculating the resources available; and
·
to set out the internal audit plan for 2024/25.
2. The
contact officer for this report is Victoria Dorman-Smith, Internal
Audit and Risk Manager for South Oxfordshire District Council
(South) and Vale of White Horse District Council (Vale), email
victoria.dorman-smith@southandvale.gov.uk.
Strategic Objectives
3. Delivery
of an effective internal audit function will support the councils
in meeting their strategic objectives.
Background
4. The
definition of internal audit is set out in the Public Sector
Internal Audit Standards (PSIAS):
“Internal
auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control,
and governance processes.”
5. Internal
audit may also undertake consulting services at the request of the
councils, subject to there being no impact on the core assurance
work and the availability of skills and resources:
“Consulting
services are advisory in nature and are generally performed at the
specific request of the organisation, with the aim of improving
governance, risk management and control and contributing to the
overall opinion.”
6. Internal
audit supports the head of finance (section 151 officer) in
discharging his/her statutory duties, particularly in relation to
the following legislation:
·
The Local Government Act 1972 states that the section 151 officer
is responsible for ensuring that there are arrangements in place
for the proper administration of the authority’s financial
affairs.
·
The Accounts and Audit Regulations state that ‘A relevant
body must maintain an adequate and effective system of internal
audit of the control environment and systems of internal
control’.
7. The PSIAS
states that the chief audit executive
must prepare a risk-based internal audit plan to determine the
priorities of the internal audit function, consistent with the
organisation’s goals and for plans to receive input from
management. It also states that the plan should outline the
assignments to be carried out and the resource requirements to
deliver the plan. The PSIAS also states that the audit
committee should approve the internal audit plan and monitor
progress against the plan. This document sets out the
proposed internal audit plan for 2024/25.
Developing the Internal Audit Plan 2024/25
8. The PSIAS
refer to the need for the risk-based plan to consider the
requirement to produce an annual internal audit opinion and report
that is used by the organisation to inform its governance
statement. The annual internal audit opinion must conclude on
the overall adequacy and effectiveness of the organisation’s
framework of governance, risk management and control.
9. To support
this, the risk-based plan needs to consider the risk priorities per
the South and Vale corporate risk registers, review of large or
significant income and budget spend and review of the corporate
priorities and objectives.
10.The approach to the audit planning process was agreed by the
head of finance. The following steps were undertaken:
Step 1: The corporate risks are a key focus of our
audit planning to ensure the plan meets the organisation’s
assurance needs and contributes to the achievement of objectives.
The South and Vale corporate risk registers were reviewed as the
starting point for the audit planning process as this represents
management’s assessment of the risks to the councils
achieving their strategic objectives. The top ten corporate risks
for South and Vale is attached in appendix 1, and the need
for internal audit work was considered.
Step 2: Areas of large or significant income and
budget spend across each service area were included as possible
audit areas in the audit universe.
Step 3: The audit universe is attached in appendix
2 and lists possible audit areas at both or either South or
Vale. The audit areas were reviewed and updated to reflect the
current organisational structure and division of responsibilities
across each service area. Each audit was rated by the internal
audit and risk manager and critically reviewed by the head of
finance on several risk factors to give an overall risk score, and
this assists in the assessment of what should be placed in the
audit plan. Although scoring is subjective, and no two people
would score alike the process attempts to introduce a
degree of objectivity into the assessment process.
Step 4: The internal audit and risk manager consulted
with the deputy chief executives and heads of service in February
2024 to obtain insights into the level of risk exposure within each
service area across both councils. Where required, heads of service
requested either an audit or advisory review for specific areas
within their service area in 2024/25 or future years.
Step 5: The internal audit plan for 2024/25 was
finalised with the head of finance and shared with the senior
management team for their information on 13th March
2024.
11.Audit planning is a perpetual process throughout the course of
the year to
11.ensure we can react to new and emerging risks and the potential
changes in the council risk profiles. Internal audit is only one
source of assurance and through the delivery of our plan we will
not, and do not seek to cover all risks and processes within the
organisation.
12.The audit universe and corporate risk registers will be reviewed
regularly by the internal audit and risk manager throughout the
year, and it is possible that changes to the plan may be
required.
13.Any plan changes will be agreed with the head of finance and
reported to the audit committee. In September 2024, the internal
audit and risk manager will consult the deputy chief executives and
heads of service to understand if there are any changes to the
level of risk exposure within each service area across both
councils, since the initial discussions in February 2024. Based on
the outcome of these meetings, the internal audit and risk manager
will assess whether audits need to be added, removed, or amended on
the plan.
Allocation of Resources
14.The resources available to deliver the internal audit plan
2024/25 are arrived at by starting with the number of days
available for all internal audit posts within the team. This is
then reduced by the estimated numbers of days lost through annual
leave, bank holidays (planned) and sickness and other absences
(unplanned). The remaining days available are then allocated
between the various elements of work which are expected to be
carried out in the year to deliver an effective internal audit
service.
15.The calculation of days available and the allocation of days
between different categories of work is attached as appendix
3. The different categories of work are classed as either
chargeable or non-chargeable. Chargeable means the work has an
identifiable client or is directly linked to the delivery of
internal audit services. Non-chargeable means any other work which
is not directly linked to the delivery of internal audit services
(for example: admin, corporate responsibilities, training, staff
briefings).
16.An explanation of the individual variances against the previous
year allocation is provided in appendix 3.
Internal Audit Plan
17.The outputs from the audit planning and allocation of resources
process were prioritised to produce an internal audit plan that
considers the following:
·
the requirement to give an objective and evidenced based opinion on
aspects of governance, risk management and internal control.
·
the requirement for internal audit to add value through improving
controls, streamlining processes, and supporting corporate
priorities.
·
the need to allocate a suitable number of contingency days to
respond to emerging risk, governance, and control matters, or
investigations.
·
to support the head of finance’s requirement for a cyclical
review of key financial systems and processes throughout the
councils.
18.The internal audit plan for 2024/25 is designed and constructed
in such a way to enable the internal audit and risk manager to form
an opinion on the adequacy of each council’s control
environment, taking into consideration available audit resources.
This opinion forms an important independent view of each
council’s operations that feeds into and supports each
council’s annual governance statement.
19.The internal audit plan for 2024/25 is attached in appendix
4 and has been agreed with the head of finance and has been
considered by the senior management team (SMT).
Individual Audits
20.For each audit, not all aspects within a specific area are
necessarily examined. Actual audit coverage is decided at the
time of the audit in consultation with key management and officers.
This ensures that current issues together with recent coverage by
internal audit or external bodies determine the scope of the
work.
21.Audit timings are included in the plan in appendix 4,
which aim to ensure the availability of key management and
officers.
22.Audit reports will provide an overall assurance rating, along
with key findings and management actions.
Follow Up
23.Recommended actions are followed up and reported to the JAGC on
a quarterly basis to provide assurance that the agreed actions
within internal audit reports have been implemented correctly in
the timescales originally offered by management, and that controls
are managing risk more effectively.
Reporting to the Joint Audit and Governance Committee
24.Monitoring of internal audit’s progress against the
internal audit plan along with summarising the outcomes of recent
audit and follow up work will be presented to the joint audit and
governance committee.
25.Following completion of the internal audit plan for 2024/25 we
will produce an annual internal audit report on the work of
internal audit in the year ended 31 March 2025, and to advise the
committee of the internal audit and risk manager’s opinion on
the overall adequacy and effectiveness of the internal control
environments at South and Vale.
Financial Implications
26.The internal audit plan can be delivered from within the
approved 2024/25 budget, therefore there are no financial
implications attached to this report.
Legal Implications
27.There are no legal implications from this report.
Climate and ecological impact implications
28.There are no direct climate or ecological implications arising
from this report.
Equalities implications
29.This report is for information only and therefore there are no
equalities implications.
Risks
30.Identification of risk is an integral part of all our internal
audit work.
Conclusion
31.This report provides details of the process for setting the
internal audit plan 2024/25.
Appendices
Appendix 1 South and Vale Corporate Risks
Appendix 2 Audit Universe 2024/24
Appendix 3 Internal Audit Allocation
2024/25
Appendix 4 Internal Audit Plan 2024/25
