Corporate Services department

1
Review of the Effectiveness of the System of
IA Neil Hunter
2
Who Am I?

• Head of Audit Leeds City Council
• Chair of CIPFA NE Region
• Member of CIPFA Council and Board for the Regions
• Been involved with
• Rough guide to SIC, AGS
• The Excellent Auditor (competencies)
• Audit Learning Centre
• Working with CIPFA Audit Panel to finalise
  guidance on the review of effectiveness of IA
• And, judging by the above, a crashing bore!

3
Aim of Session

• To discuss
• The System of Internal Audit
• The Role of the Head of Internal Audit
• If time touch on partnerships

4
Background

• The local public service provision environment is
  changing and to remain relevant and give a useful
  assurance to the many stakeholders Internal
  Audit must evolve with it
• We shouldnt need legislation to tell us that!

5
Regulatory Framework

• Accounts and Audit Regulations 2006, Regulation 4
  - Relevant body should conduct a review at least
  once a year of its system of internal control.
  Are partnerships/outsourced services part of the
  system of Internal Control?
• Accounts and Audit Regulations 2006, Regulation 6
  - Relevant body should conduct an annual review
  of the effectiveness of their system of internal
  audit.
• Code of Practice for IA in LG in the UK
• 1.2.1 Scope of IA remit includes the orgs entire
  control environment
• 10.4.2 (a) HOA annual report (timed for SIC) must
  include opinion on the adequacy
  effectiveness of control environment
• 10.4.2 (c) Present a summary of the work from
  which the opinion is derived, including
  reliance placed on work by other assurance
  bodies.

6
Possible Issues

• Control environment systems of governance, risk
  management and internal control (whatever that
  means) have you determined and agreed the
  boundaries of this?
• How do we deal with new stuff that we havent
  traditionally audited (and what are)
  Partnerships?
• Have we access/skills to gain that assurance?

7
Possible Issues

• Head of Audit may struggle to give useful annual
  opinion based on traditional audit plan and own
  work (I do) almost not possible unless we take
  a very broad view of a risk based plan
• Can we place reliance upon other assurances
• How do we make this new (unclear) legislation
  actually add value to the organisation? Its
  objective is to strengthen governance and
  accountability within relevant bodies!

8
Key Question (1)

• Can the Head of IA give an added value, relevant
  assurance on the organisations ICE based on audit
  plan work alone? Does the existing opinion truly
  reflect the entire ICE?
• My guess
• Possibly but probably not yet and not without a
  clear understanding of where other assurances may
  exist and some evidence that they are robust
• And would such an opinion add value to the
  stakeholders?

9
Key Question (2)

• Could the system of IA be a suite of assurances
  needed by the Audit Committee to support the AGS
  and opinion on the ICE?
• If yes do these assurances need an independent
  reality check? If yes again, who is best placed
  to do it (and how do we get the resources and
  skills?)
• Assuming we think its IA, challenged by the Audit
  Committee how do we demonstrate that we are
  both fit for purpose and our assurance can be
  relied on?

10
Minimum Standards!

• Such as
• The CIPFA Toolkit for Local Authority Audit
  Committees 2006
• The Code of Practice for IA in Local Government
  in the UK 2006

11
So - What is the Suggested System of IA?

• The most confusing diagram in the world - ever
• (but I am an auditor so please forgive me!)

12
(No Transcript)
13
Triangulation

• Directors/Managers to give assurances, e.g.
• Objectives aligned to Corporate Priorities
• Risk register and MIS/PIs linked and monitored
• Corporate policies /procedures communicated/embedd
  ed/complied with
• Can give evidence based assurance
• Key Functions to give assurances, e.g.
• Policies and procedures current, communicated,
  embedded (some monitoring?) across organisation
• Head of Audit to give opinion based on
• Risk based Audit Plan (inc. partnerships etc.)
• Review of Directorates governance arrangements
• Review of key Functions Governance arrangements

14
The System of Internal Audit

• The System of Internal Audit is that which an
  effective Audit Committee (or equivalent) relies
  upon to provide timely assurances on the overall
  adequacy and effectiveness of the organisations
  entire control environment, which in turn will
  support the conclusions in the Annual Governance
  Statement.
• To support his/her opinions on the overall
  adequacy and effectiveness of the organisations
  entire control environment, the Head of Audit
  must deliver a Risk Based Plan that is
  sufficiently robust to confirm that assurances
  provided as part of the System of Internal Audit
  can be relied upon by the Audit Committee.
• It is essential that both the Audit Committee (or
  equivalent) and the Internal Audit function are
  compliant with the appropriate Code of Practice
  or best practice standard.
• The Review of the Effectiveness of the System of
  Internal Audit is
• Confirmation that both the Audit Committee and
  Internal Audit functions are compliant with the
  appropriate Code of practice or best practice
  standard, and
• An assessment of the extent to which the Audit
  Committee can place reliance upon the assurances
  it receives on the adequacy and effectiveness of
  the entire control environment throughout the
  year.

15
Summary

• Even without the legislation the Head of IA
  should be doing this.
• Must have fit for purpose IA function and Audit
  Committee.
• Head of IA must be satisfied that any other
  assurances (e.g. directors, functions,
  partnerships) taken into account must be
  underpinned by a robust process to evidence that
  assurance

16
Summary

• The HIA could be the focal point for an
  assessment of the whole framework of assurances
  available to management/ governors.
• The "system of internal audit" could be the
  internal audit service, whose scope encompasses
  this framework of controls even if we do not do
  the work in each area of control.
• If we get it right - the review of the system of
  internal audit could be a review of the internal
  audit function - but firstly facing inwards (fit
  for purpose) and secondly facing outwards, to the
  scope of its work.

17
Just a Comment on Partnership Assurances

• Key lines of enquiry for use of resources 2008
• 4.2 (Sound ICE) level 2 - The Council has
  identified its significant partnerships and has
  appropriate governance arrangements in place for
  each of them.
• 4.2 level 4 - Governance arrangements with
  respect to partnerships are subject to regular
  review and updating and
• The Council obtains assurance on a risk basis of
  the viability of its significant
  contractors/partners business continuity plans.

18
Problem Resources!..

• If we are happy all partnerships are included on
  a central register (after audit review of system)
  then
• If we are happy there are good (and appropriate)
  organisational generic governance protocols
  adopted (and embedded) by departments to
  manage partnerships, then..
• It just requires a simple risk based plan of key
  partnerships to get IA assurance on for the
  annual opinion

19
Possible Assurances

• Risk Based Assessment of key partnerships
  appropriate assurances!
• None take the risk
• Assurance on outcome monitoring controls PIs,
  Customer Outcomes (CAA)
• Assurance from appropriate Audit Committee or
  Governing Body
• Assurance from other appropriate audit body or
  review body internal and/or external audit?
• But need agreement for independent audit/open
  book reviews in key partnerships?
• CIPFA COP Compliant
• Your organisations own IA service