REPORT NO: 62/07
8th March, 2007
WELLAND INTERNAL AUDIT CONSORTIUM – STRATEGIC AUDIT
PLAN 2007/08 TO 2010/11
Report of the Director of Corporate Services
STRATEGIC AIM: To be a well managed organisation –
4 To meet the requirements of the CIPFA code of practice for Internal
5 To improve the efficiency & effectiveness of Corporate support
1. PURPOSE OF THE REPORT
a. To inform Members of the proposed Strategic Plan of internal audit work for the four years to
31st March 2011; to explain the basis of the planning process and the various elements
making up the Plan; and to indicate how the planning and deliver process meet the
mandatory requirements implicit in the CIPFA Code of Practice
2.1 That the strategic audit plan shown in Appendix A be recommended.
3. STRATEGIC AUDIT PLAN 2007/08 TO 2010/11
3.1 The CIPFA Code of Practice for Internal Audit has been adopted by the Audit Commission
as the quality benchmark used to determine whether the external auditors can place reliance
on the work of internal audit. The Code of Practice calls for the development of a Strategic
Audit Plan using a risk-based planning approach and for that Plan to be approved by an
appropriate Member forum.
3.2 In developing the Plan, there is a requirement to reflect the expectations of the Council’s
external auditors. In developing his Audit Opinion, set out in the annual Audit Letter, the
external auditor expects to place reliance on the work of internal audit: in particular there is
an expectation that internal audit should identify, evaluate and test the key controls
established over the Council’s fundamental financial systems.
Developing the Strategic Plan
3.3 Through consultation with the Council’s Strategic Management Team and Section 151
Officer, a schedule of audit entities was defined which allowed for audit coverage of all of the
Council’s significant risks. Each of the audit entities identified was given a risk rating which
reflected the extent to which failures of control within might impact upon the delivery of
Audit entities were categorised as:
(i) Financial Systems;
4 Governance & Performance Processes; or
5 Public Facing Services;
and the general principle underpinning the planning process was that, within each category,
those audit entities with the highest risk rating should be subject to audit first. This principle
was modified where it would have resulted in a disproportionate amount of audit work in an
individual service area in any one year or where there were sound operational reasons for
delaying or bringing forward particular audits.
3.4 Efforts have been made to coordinate, as far as is practical, the Council’s Strategic Audit
Plan with those of the other local authorities served by the Consortium. Audits of audit
entities common to all clients have been scheduled for delivery within the same financial
year to allow for efficiency savings in the design and delivery of those audits and to
maximise opportunities to identify and share good practice.
Minimum Assurance Provision
3.5 A risk-based assessment of the Council’s key financial systems would indicate that, with the
exception of the Benefits System, which is more complex and subject to frequent changes to
relevant Regulations, they should be subject to audit no more than once every three years.
However, the Council’s external auditors require assurance on an annual basis that those
key systems are subject to effective and appropriate control.
3.6 To satisfy the requirements of the external auditor, provision has been made in the Strategic
Audit Plan for an annual consultancy exercise “Minimum Assurance Provision”. This exercise
requires the identification, for each financial system, of the key controls upon which the
external auditor would wish to place reliance and the carrying out of tests sufficient to
demonstrate that those controls continue to operate effectively throughout the financial year.
It is the opinion of the Head of Consortium that this minimum level of assurance can be
provided in significantly fewer days than would be required for full annual audits of all
financial systems: the days released would allow for a risk-based programme of audit work
covering all relevant aspects of the Council’s activities, including the coverage of all financial
systems over a three-year cycle.
3.7 Minimum Assurance Provision has been the subject of prior discussions with the external
auditors. In principle, the approach has been deemed acceptable and it has been agreed
that the detailed design of the exercise will be the subject of further consultation at the
beginning of the coming financial year.
3.8 The Council is critically reliant on ITC both for the effective delivery of its corporate priorities
and for the effective control of its financial processes. A programme of ITC auditing is
therefore necessary to support the annual internal audit opinion on the Council’s internal
control framework. The Consortium does not have the resources to maintain the skill base
required to deliver a comprehensive programme of ITC auditing and a specialist contractor
will be engaged to carry out the more technically demanding elements of that programme. A
specialist audit needs assessment was undertaken in 2005 and that assessment will form
the basis of negotiations with potential partners. The annual allocation within the Plan
provides for liaison with the specialist and for the delivery of those ITC audits, identified
through the audit needs assessment, that do not demand high levels of technical skill (e.g.
back-up arrangements and access control arrangements).
3.9 A further report identifying ITC auditing to be undertaken in 2007/08 and future years will be
prepare following the appointment of a suitable specialist contractor.
Availability of Resources to Deliver the Plan and Other Audit Services
3.10 It is the opinion of the Head of Consortium that the 325 audit days identified in the Strategic
Audit Plan, together with a further 10 each year days of specialist ITC auditing would allow
for the provision of an acceptable level of assurance on the Council’s arrangements for
internal control, risk management and corporate governance.
3.11 The Consortium’s approved establishment provides for a minimum of 450 audit days per
year to be delivered to the Council. This is in line with estimate of audit need set out in the
business case for the establishment of the Consortium, allowing 115 days for consultancy
and other support commissioned by the Council. It is planned to recruit to fill remaining
vacancies within the Consortium by 1st April 2007. The Consortium’s draft budget also
contains provision for the engagement of a specialist ITC audit contractor: although it
remains to identify the contractor for 2007/08 and future years, the budget is based upon the
rates charged by the existing contractor (Worcester City Council) and should finance the
necessary number of specialist audit days.
3.12 It is planned that, in 2007/08 and future years, one of the Consortium’s Audit Managers and
one Auditor will be based at the Council. This would provide the capacity to respond flexibly
to any requests for consultancy or other support beyond the work set out in the Strategic
4 RISK MANAGEMENT
RISK IMPACT COMMENTS
Time Medium Progress will be monitored during the year.
Viability Medium The team should be fully staffed early in the new year.
Finance Low All partners have agreed the budget for 2007/08
Profile Low Internal Audit is by definition internal to the organisation.
Equalities Low No specific issues are identified.
Background Papers Report Author: Richard Gaughran
Appendix A – The Strategic Audit Plan
Tel No: (01572) 722577
A Large Print or Braille Version of this Report is available upon
request – Contact 01572 722577.