REPORT NO: 62/07 CORPORATE SCRUTINY 8th March, 2007 WELLAND INTERNAL AUDIT CONSORTIUM – STRATEGIC AUDIT PLAN 2007/08 TO 2010/11 Report of the Director of Corporate Services STRATEGIC AIM: To be a well managed organisation – 4 To meet the requirements of the CIPFA code of practice for Internal Audit. 5 To improve the efficiency & effectiveness of Corporate support services. 1. PURPOSE OF THE REPORT a. To inform Members of the proposed Strategic Plan of internal audit work for the four years to 31st March 2011; to explain the basis of the planning process and the various elements making up the Plan; and to indicate how the planning and deliver process meet the mandatory requirements implicit in the CIPFA Code of Practice 2. RECOMMENDATIONS 2.1 That the strategic audit plan shown in Appendix A be recommended. 3. STRATEGIC AUDIT PLAN 2007/08 TO 2010/11 Mandatory Requirements 3.1 The CIPFA Code of Practice for Internal Audit has been adopted by the Audit Commission as the quality benchmark used to determine whether the external auditors can place reliance on the work of internal audit. The Code of Practice calls for the development of a Strategic Audit Plan using a risk-based planning approach and for that Plan to be approved by an appropriate Member forum. 3.2 In developing the Plan, there is a requirement to reflect the expectations of the Council’s external auditors. In developing his Audit Opinion, set out in the annual Audit Letter, the external auditor expects to place reliance on the work of internal audit: in particular there is an expectation that internal audit should identify, evaluate and test the key controls established over the Council’s fundamental financial systems. Developing the Strategic Plan 3.3 Through consultation with the Council’s Strategic Management Team and Section 151 Officer, a schedule of audit entities was defined which allowed for audit coverage of all of the Council’s significant risks. Each of the audit entities identified was given a risk rating which reflected the extent to which failures of control within might impact upon the delivery of corporate priorities. Audit entities were categorised as: (i) Financial Systems; 4 Governance & Performance Processes; or 5 Public Facing Services; and the general principle underpinning the planning process was that, within each category, those audit entities with the highest risk rating should be subject to audit first. This principle was modified where it would have resulted in a disproportionate amount of audit work in an individual service area in any one year or where there were sound operational reasons for delaying or bringing forward particular audits. 3.4 Efforts have been made to coordinate, as far as is practical, the Council’s Strategic Audit Plan with those of the other local authorities served by the Consortium. Audits of audit entities common to all clients have been scheduled for delivery within the same financial year to allow for efficiency savings in the design and delivery of those audits and to maximise opportunities to identify and share good practice. Minimum Assurance Provision 3.5 A risk-based assessment of the Council’s key financial systems would indicate that, with the exception of the Benefits System, which is more complex and subject to frequent changes to relevant Regulations, they should be subject to audit no more than once every three years. However, the Council’s external auditors require assurance on an annual basis that those key systems are subject to effective and appropriate control. 3.6 To satisfy the requirements of the external auditor, provision has been made in the Strategic Audit Plan for an annual consultancy exercise “Minimum Assurance Provision”. This exercise requires the identification, for each financial system, of the key controls upon which the external auditor would wish to place reliance and the carrying out of tests sufficient to demonstrate that those controls continue to operate effectively throughout the financial year. It is the opinion of the Head of Consortium that this minimum level of assurance can be provided in significantly fewer days than would be required for full annual audits of all financial systems: the days released would allow for a risk-based programme of audit work covering all relevant aspects of the Council’s activities, including the coverage of all financial systems over a three-year cycle. 3.7 Minimum Assurance Provision has been the subject of prior discussions with the external auditors. In principle, the approach has been deemed acceptable and it has been agreed that the detailed design of the exercise will be the subject of further consultation at the beginning of the coming financial year. ICT Auditing 3.8 The Council is critically reliant on ITC both for the effective delivery of its corporate priorities and for the effective control of its financial processes. A programme of ITC auditing is therefore necessary to support the annual internal audit opinion on the Council’s internal control framework. The Consortium does not have the resources to maintain the skill base required to deliver a comprehensive programme of ITC auditing and a specialist contractor will be engaged to carry out the more technically demanding elements of that programme. A specialist audit needs assessment was undertaken in 2005 and that assessment will form the basis of negotiations with potential partners. The annual allocation within the Plan provides for liaison with the specialist and for the delivery of those ITC audits, identified through the audit needs assessment, that do not demand high levels of technical skill (e.g. back-up arrangements and access control arrangements). 3.9 A further report identifying ITC auditing to be undertaken in 2007/08 and future years will be prepare following the appointment of a suitable specialist contractor. Availability of Resources to Deliver the Plan and Other Audit Services 3.10 It is the opinion of the Head of Consortium that the 325 audit days identified in the Strategic Audit Plan, together with a further 10 each year days of specialist ITC auditing would allow for the provision of an acceptable level of assurance on the Council’s arrangements for internal control, risk management and corporate governance. 3.11 The Consortium’s approved establishment provides for a minimum of 450 audit days per year to be delivered to the Council. This is in line with estimate of audit need set out in the business case for the establishment of the Consortium, allowing 115 days for consultancy and other support commissioned by the Council. It is planned to recruit to fill remaining vacancies within the Consortium by 1st April 2007. The Consortium’s draft budget also contains provision for the engagement of a specialist ITC audit contractor: although it remains to identify the contractor for 2007/08 and future years, the budget is based upon the rates charged by the existing contractor (Worcester City Council) and should finance the necessary number of specialist audit days. 3.12 It is planned that, in 2007/08 and future years, one of the Consortium’s Audit Managers and one Auditor will be based at the Council. This would provide the capacity to respond flexibly to any requests for consultancy or other support beyond the work set out in the Strategic Audit Plan. 4 RISK MANAGEMENT RISK IMPACT COMMENTS Time Medium Progress will be monitored during the year. Viability Medium The team should be fully staffed early in the new year. Finance Low All partners have agreed the budget for 2007/08 Profile Low Internal Audit is by definition internal to the organisation. Equalities Low No specific issues are identified. & Diversity Background Papers Report Author: Richard Gaughran Appendix A – The Strategic Audit Plan Tel No: (01572) 722577 e-mail: firstname.lastname@example.org A Large Print or Braille Version of this Report is available upon request – Contact 01572 722577.
Pages to are hidden for
"WELLAND INTERNAL AUDIT CONSORTIUM - STRATEGIC AUDIT PLAN 200708 TO"Please download to view full document