CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Ref 1 2 Conformance with the Standard Definition of Internal Auditing Using evidence gained from assessing conformance with other Standards, is the internal audit activity: a) Independent? b) Objective? Using evidence gained from assessing conformance with other Standards, does the internal audit activity use a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes within the organisation? Code of Ethics Integrity Using evidence gained from assessing conformance with other Standards, do internal auditors: a) Perform their work with honesty, diligence and responsibility? b) Observe the law and make disclosures expected by the law and the profession? c) Not knowingly partake in any illegal activity nor engage in acts that are discreditable to the profession of internal auditing or to the organisation? d) Respect and contribute to the legitimate and ethical objectives of the organisation? Objectivity Using evidence gained from assessing conformance with other Standards, do internal auditors display objectivity by not: a) Taking part in any activity or relationship that may impair or be presumed to impair their unbiased assessment? b) Accepting anything that may impair or be presumed to impair their professional judgement? c) Disclosing all material facts known to them that, if not disclosed, may distort the reporting of activities under review? Y P N Appendix 1 Evidence 1 2 3 4 1 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Confidentiality Using evidence gained from assessing conformance with other Standards, do internal auditors display objectivity by: a) Acting prudently when using information acquired in the course of their duties and protecting that information? b) Not using information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation? Competency Using evidence gained from assessing conformance with other Standards, do internal auditors display objectivity by: a) Only carrying out services for which they have the necessary knowledge, skills and experience? 3 3.1 LGAN b) Performing services in accordance with the PSIAS? c) Continually improving the proficiency and effectiveness and quality of their services, for example through CPD schemes? Do internal auditors have regard to the Standards of Public Life’s Seven Principles of Public Life? Standards Attribute Standards 1000 Purpose, Authority and Responsibility Does the internal audit charter include a formal definition of: a) the purpose b) the authority, and c) the responsibility of the internal audit activity consistent with the Public Sector Internal Audit Standards (PSIAS)? Does the internal audit charter define the terms ‘board’ and ‘senior management’, for the purposes of the internal audit activity? Note that it is expected that the audit committee will fulfil the role of the board in the majority of instances. Does the internal audit charter also: Appendix 1 5 6 7 Included in Audit Charter reported to Audit Committee 23 Feb 2015 8 Charter defines both these terms specifically. 9 10 2 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS a) Set out the internal audit activity’s position within the organisation? LGAN b) Establish the CAE’s functional reporting relationship with the board? LGAN c) Establish the accountability, reporting line and relationship between the CAE and those to whom the CAE may report administratively? LGAN d) Establish the responsibility of the board and also the role of the statutory officers (such as the CFO, the monitoring officer and the head of paid service) with regards to internal audit? LGAN e) Establish internal audit’s right of access to all records, assets, personnel and premises and its authority to obtain such information and explanations as it considers necessary to fulfil its responsibilities? LGAN f) Define the scope of internal audit activities? LGAN g) Recognise that internal audit’s remit extends to the entire control environment of the organisation? h) Identify internal audit’s contribution to the review of effectiveness of the control environment, as set out in the Accounts and Audit (England) Regulations 2011? i) Establish the organisational independence of internal audit? j) Cover the arrangements for appropriate resourcing? k) Define the role of internal audit in any fraud-related work? Also included in Counter Fraud Strategy l) Set out the existing arrangements within the organisation’s Also included in Counter Fraud Appendix 1 Charter also refers to reporting independence 3 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS anti-fraud and anti-corruption policies, to be notified of all suspected or detected fraud, corruption or impropriety? 3.2 Strategy m) Include arrangements for avoiding conflicts of interest if internal audit undertakes non-audit activities? n) Define the nature of assurance services provided to the organisation, as well as assurances provided to parties external to the organisation? o) Define the nature of consulting services? p) Recognise the mandatory nature of the PSIAS? Does the chief audit executive (CAE) periodically review the internal audit charter and present it to senior management and the board for approval? Does the CAE attend audit committee meetings? Does the CAE contribute to audit committee agendas? 1100 Independence and Objectivity Does the CAE have direct and unrestricted access to senior management and the board? Does the CAE have free and unfettered access to, as well as communicate effectively with, the chief executive or equivalent and the chair of the audit committee? Appendix 1 Included in Covering Report Reviewed and updated annually and prepared alongside audit plan. Audit Committee 24 February 2014 Audit Committee 23 February 2015 CAE presents quarterly monitoring reports on Internal Audit activity, as well as the Annual Report. CAE also includes items that may be of interest/ affect future role of Audit Committee e.g. Future of Local Audit 11 12 13 Yes as outlined in the Charter 14 Yes as outlined in the Charter 15 4 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Are threats to objectivity identified and managed at the following levels: a) Individual auditor? Auditors sign declaration of interest. Auditors sign the Audit Code of Conduct annually which covers the need to make a balanced assessment. To be able to do that auditors should not:a) participate in any activity or relationship that would impair that unbiased attitude. b) Accept anything that would impair their professional judgement. c) Disclose all material facts that would distort any report. b) Engagement? Attempts to influence the outcome of individual engagements would be reported to Audit and Risk Manager/CAE for investigation. At engagement level every effort is made to ensure that auditors do not audit an area of work for which they were previously responsible. Also, where possible, audits are rotated. Auditor findings and subsequent report are challenged at review stage by lead auditor/CAE. Appendix 1 16 5 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS c) Functional? d) Organisation? 1110 Organisational Independence Does the CAE report to an organisational level equal or higher to the corporate management team? LGAN Does the CAE report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities? LGAN Have reporting and management arrangements been put in place that preserve the CAE’s independence and objectivity? This is of particular importance when the CAE is line managed by another officer of the authority. Does the CAE’s position in the management structure: a) Reflect the influence he or she has on the control environment? LGAN Appendix 1 Although CAE has overall responsibility for a number of finance/governance functions, CAE takes no part in those audits. Corporate Director Resources would agree scope/recommendations where there was any negative attempt to influence those audits by the CAE. Access to information/officers and reporting arrangements allow CAE access to all levels of senior management/members of Audit Committee/Leader of the Council and any external agency. Although the audit plan is circulated amongst senior managers for comments there is no undue attempt to influence the frequency/timing of audits. Line manager is Corporate Director of Resources. Individual audit reports sent to corporate directors for information/action. Individual engagement reports sent to corporate directors. CAE reports to, and attends Audit Committee. Set out in charter. 17 CAE reports on the entire control environment. Engagement reports are sent to appropriate 20 18 19 6 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS b) Provide the CAE with sufficient status to ensure that audit plans, reports and action plans are discussed effectively with the board? c) Ensure that he or she is sufficiently senior and independent to be able to provide credibly constructive challenge to senior management? Does the CAE confirm to the board, at least annually, that the internal audit activity is organisationally independent? The following examples can be used by the CAE when assessing the organisational independence of the internal audit activity: The board: a) approves the internal audit charter b) approves the risk-based audit plan Corporate Director and Head of Service as well as individual manager. Follow up work is undertaken to ensure agreed recommendations are implemented. If not an escalation procure is in place. Results of audits are reported to Corporate Governance Group and Audit Committee. No interference with development of audit plan. 21 a) 23 Feb 2015 b) 23 Feb 2015 c) approves the internal audit budget and resource plan d) receives communications from the CAE on the activity’s performance e) approves decisions relating to the appointment and removal of the CAE Appendix 1 c) Members approve the Council’s overall budget and attend budget briefings where they can challenge budget decisions. Internal Audit’s budget and resource plan is reported to Audit Committee at the same time as the Audit Plan is approved and have the opportunity to question the adequacy of the resources. d) Yes quarterly updates, annual report e) Appointment and replacement decisions are 7 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Appendix 1 reported to Audit Committee for 23 Feb 2015 for CAE assurance f) seeks reassurance from management and the CAE as to whether there are any inappropriate scope or resource limitations. f) Does the chief executive or equivalent undertake, Countersign, contribute feedback to or review the performance appraisal of the CAE? Is feedback sought from the chair of the audit committee for the CAE’s performance appraisal? Appraisal undertaken by Corporate Director of Resources. 22 Not at present, any issues would be raised by the chair, considering how this may be possible in the future. 23 Attends Audit Committee meetings 24 Auditors sign declaration of interest. Auditors sign the Audit Code of Conduct which covers the need to make a balanced assessment. To be able to do that auditors should not:a) participate in any activity or relationship that would impair that unbiased attitude. b) Accept anything that would impair their professional judgement. c) Disclose all material facts that would distort any report. 25 Auditors sign declaration of interest. Auditors sign the Audit Code of 26 1111 Direct Interaction with the Board Does the CAE communicate and interact directly with the board? 1120 Individual Objectivity Do internal auditors have an impartial, unbiased attitude? Do internal auditors avoid any conflict of interest, whether apparent or actual? 8 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Appendix 1 Conduct which covers the need to make a balanced assessment. To be able to do that auditors should not:a) participate in any activity or relationship that would impair that unbiased attitude. b) Accept anything that would impair their professional judgement. c) Disclose all material facts that would distort any report. Work is assigned by audit managers with declarations of interest/ any previous conflicts etc. in mind. 1130 Impairment to Independence or Objectivity If there has been any real or apparent impairment of independence or objectivity, has this been disclosed to appropriate parties (depending on the nature of the impairment and the relationship between the CAE and senior management/the board as set out in the internal audit charter)? Have internal auditors assessed specific operations for which they have been responsible within the previous year? If there have been any assurance engagements in areas over which the CAE also has operational responsibility, have these engagements been overseen by someone outside of the internal audit activity? There have been no cases where there has been any impairment of independence or objectivity. In the event of any such impairment, such a disclosure would be made. All auditors have been in current post for 6+years therefore there could be no conflict of interest when undertaking an audit engagement. Only scored a partial on the grounds that current arrangements allow the Audit & Risk Manager to define scope and draft/agree recommendations without direct influence from CAE (albeit views are sought as with any head of 27 28 29 9 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS LGAN Are assignments for ongoing assurance engagements and other audit responsibilities rotated periodically within the internal audit team? LGAN Have internal auditors declared interests in accordance with organisational requirements? LGAN Where any internal auditor has accepted any gifts, hospitality, inducements or other benefits from employees, clients, suppliers or other third parties (other than as may be allowed by the organisation’s own policies), has this been declared and investigated fully? Have any instances been discovered where an internal auditor has used information obtained during the course of duties for personal gain? LGAN LGAN LGAN Have internal auditors disclosed all material facts known to them which, if not disclosed, could distort their reports or conceal unlawful practice, subject to any confidentiality agreements? Have internal auditors complied with the Bribery Act 2010? If there has been any real or apparent impairment of independence or objectivity relating to a proposed consulting services engagement, was this disclosed to the engagement client before the engagement was accepted? service). Arrangements are in place to deal with any conflicts/disagreement between Audit & Risk Manager and CAE which would be used but it has not been necessary to date. Internal Audit is a small team so will not always be possible to rotate especially where specialist skills are required, e.g. computer audits. Those involved in investigations complete the corporate form as well as the audit form. All auditors complete the audit form. There has been no acceptance of gifts etc. to declare and therefore no instances to investigate. Appendix 1 30 31 32 There have been no instances where internal auditors have used information for personal gain. Some declarations have been made and these appear reasonable. 33 Employee responsibilities under this Act is specifically referred to in the Employee Code of Conduct. This is also covered in the “Integrity” section of the Auditors Code of Conduct. No consulting engagements have been undertaken. 35 34 36 10 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS 3.3 LGAN LGAN Where there have been significant additional consulting services agreed during the year that were not already included in the audit plan, was approval sought from the board before the engagement was accepted? 1200 Proficiency and Due Professional Care 1210 Proficiency Does the CAE hold a professional qualification, such as CMIIA/CCAB or equivalent? Is the CAE suitably experienced? Appendix 1 No consulting engagements have been undertaken. 37 CIPFA 38 Extensive experience in local government finance and audit 39 Is the CAE responsible for recruiting appropriate internal audit staff, in accordance with the organisation’s human resources processes? Does the CAE ensure that up-to-date job descriptions exist that reflect roles and responsibilities and that person specifications define the required qualifications, competencies, skills, experience and personal attributes? Does the internal audit activity collectively possess or obtain the skills, knowledge and other competencies required to perform its responsibilities? Where the internal audit activity does not possess the skills, knowledge and other competencies required to perform its responsibilities, does the CAE obtain competent advice and assistance? Do internal auditors have sufficient knowledge to evaluate the risk of fraud and anti-fraud arrangements in the organisation? Do internal auditors have sufficient knowledge of key 40 Whilst job descriptions specifically may need updating we have a competency framework in place which identify specific roles which is assessed as part of the appraisal process. Competency Framework 41 Currently no skill etc. shortages. If this was to occur a case would be made to HoS/Corporate director to obtain additional resources. Revised counter fraud strategy discussed at Audit team meeting 11th Feb 2014. Identifying fraud risks was subject of a presentation during Internal Audit Training Day 4th December 2013. Work Programmes-identify specific risks of fraud and testing to evaluate them. Specific presentation at Internal 43 42 44 45 11 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS information technology risks and controls? Do internal auditors have sufficient knowledge of the appropriate computer-assisted audit techniques that are available to them to perform their work, including data analysis techniques? 1220 Due Professional Care Do internal auditors exercise due professional care by considering the: a) Extent of work needed to achieve the engagement’s objectives? b) Relative complexity, materiality or significance of matters to which assurance procedures are applied? c) Adequacy and effectiveness of governance, risk management and control processes? d) Probability of significant errors, fraud, or non-compliance? e) Cost of assurance in relation to potential benefits? Audit Training Day 4 December 2013. Specific presentation at Internal Audit Training Day 4 December 2013. Auditors use IDEA software in the course of their audit work as and when appropriate. Appendix 1 46 47 Objectives are set out in the audit brief for each engagement. Work programmes are specific to each individual audit and identify the extent of testing to be undertaken, taking into account complexity, materiality, significance, adequacy and effectiveness of current arrangements, errors, fraud and noncompliance. The Audit Risk Assessment assesses each engagement and takes into account b) c) and d). Specific presentation on “Due Professional Care” at Training Day 4 December 2013. Auditors consider cost of assurance when making recommendations by linking actions with potential benefits. Consultation on audit plan helps to ensure that audit 12 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Appendix 1 resources are targeted where greatest benefit occurs and prevents unnecessary audits. LGAN LGAN 3.4 Do internal auditors exercise due professional care during a consulting engagement by considering the: a) Needs and expectations of clients, including the nature, timing and communication of engagement results? b) Relative complexity and extent of work needed to achieve the engagement’s objectives? c) Cost of the consulting engagement in relation to potential benefits? 1230 Continuing Professional Development Has the CAE defined the skills and competencies for each level of auditor? Does the CAE periodically assess individual auditors against the predetermined skills and competencies? Do internal auditors undertake a programme of continuing professional development? Do internal auditors maintain a record of their professional development and training activities? 1300 Quality Assurance and Improvement Programme Has the CAE developed a Quality Assurance and Improvement Programme (QAIP) that covers all aspects of the internal audit activity and enables conformance with all aspects of the PSIAS to be evaluated? Does the QAIP assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement? No consulting engagements have been undertaken. 48 Audit competency framework in place for all levels of auditor over and above corporate competencies. Appraisal process undertaken by team managers and CAE Code of conduct-20 hours CPD linked to appraisal process Appraisal (New requirement for 2013/2014 so will be shown in 2014 Appraisal) 49 Programme has been developed that includes a balanced scorecard for monitoring conformance with the standard and an assurance cycle. Both of these identify key sources of assurance that will allow an overall judgement to be given on compliance. The measures included in the scorecard will identify opportunities for improvement. 53 50 51 52 54 13 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS LGAN Does the CAE maintain the QAIP? If the organisation is a ‘larger relevant body’ in England, does it conduct a review of the effectiveness of its internal audit at least annually, in accordance with the Accounts and Audit (England) Regulations 2011 section 6(3)? 1310 Requirements of the Quality Assurance and Improvement Programme Does the QAIP include both internal and external assessments? LGAN 1311 Internal Assessments Does the CAE ensure that audit work is allocated to staff with the appropriate skills, experience and competence? Do internal assessments include on-going monitoring of the internal audit activity such as: a) Routine quality monitoring processes? b) Periodic assessments for evaluating conformance with the PSIAS? There is also a self-assessment included in the framework to identify areas for improvement. Finally there is the peer review which may also identify areas for improvement. The balance scorecard measures are maintained and reported regularly. Annual Peer review Appendix 1 55 56 At present the peer review is included. The requirement for an external assessment came about in April 2013 and the requirements was an assessment every 5 years therefore 1st external assessment by March 2018 57 This is managed by the Lead Auditor who allocate assignments based on the experience and knowledge of each auditor. 58 59 Review process/final report sign off for individual engagements. Quality Assurance checklist Satisfaction Surveys Self-assessment/Peer Review both undertaken against this 14 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS LGAN LGAN LGAN LGAN LGAN LGAN LGAN Does on-going performance monitoring include comprehensive performance targets? Are the performance targets developed in consultation with appropriate parties and included in any service level agreement? Does the CAE measure, monitor and report on progress against these targets? Does on-going performance monitoring include obtaining stakeholder feedback? Are the periodic self-assessments or assessments carried out by people external to the internal audit activity undertaken by those with a sufficient knowledge of internal audit practices? Sufficiency would require knowledge of the PSIAS and the wider guidance available such as the Local Government Application Note and/or IIA practice advisories, etc. Does the periodic assessment include a review of the activity against the risk-based plan and the achievement of its aims and objectives? 1312 External Assessments Has an external assessment been carried out, or is planned to be carried out, at least once every five years? Has the CAE considered the pros and cons for the different types of external assessment (i.e. ‘full’ or self-assessment plus ‘independent validation’)? Has the CAE discussed the proposed form of the external assessment and the qualifications and independence of the assessor or assessment team with the board? Has the CAE agreed the scope of the external assessment with an appropriate sponsor, such as the chair of the audit committee, the CEO or the chief executive? Has the CAE agreed the scope of the external assessment with the external assessor or assessment team? Has the assessor or assessment team demonstrated its competence in both areas of professional practice of internal checklist. Yes these are included in the balance scorecard. No SLA’s in place but targets are discussed with relevant stakeholders. Monthly meeting with team leaders/staff meeting to discuss performance against plancontained in Monthly report. Customer satisfaction surveys are distributed. Appendix 1 60 61 62 63 64 Peer Review carried out by members of Corp Governance Group. Monitoring of progress against the plan is periodically reported. 65 Intention to comply prior to March 2018 Intention to comply prior to March 2018 66 Intention to comply prior to March 2018 68 Intention to comply prior to March 2018 69 Intention to comply prior to March 2018 Intention to comply prior to March 2018 70 67 71 15 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS auditing and the external assessment process? Competence can be determined in the following ways: a) experience gained in organisations of similar size b) complexity c) sector (i.e. the public sector) d) industry (i.e. local government), and e) technical experience. Note that if an assessment team is used, competence needs to be demonstrated across the team and not for each individual member. How has the CAE used his or her professional judgement to decide whether the assessor or assessment team demonstrates sufficient competence to carry out the external assessment? Does the assessor or assessment team have any real or apparent conflicts of interest with the organisation? This may include, but is not limited to, being a part of or under the control of the organisation to which the internal audit activity belongs. 1320 Reporting on the Quality Assurance and Improvement Programme Has the CAE reported the results of the QAIP to senior management and the board? Note that: a) the results of both external and periodic internal assessment must be communicated upon completion b) the results of on-going monitoring must be communicated at least annually c) the results must include the assessor’s or assessment team’s evaluation with regards to the degree of the internal audit activity’s conformance with the PSIAS. Has the CAE included the results of the QAIP and progress against any improvement plans in the annual report? Appendix 1 Intention to comply prior to March 2018 72 Intention to comply prior to March 2018 73 As part of annual reporting process to Corporate Governance Group and Audit Committee the results of the QAIP will be reported alongside the annual audit opinion. 74 As part of annual reporting process to Corporate Governance Group and Audit Committee the results of the QAIP will be reported alongside the annual audit opinion. 75 16 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS 4 4.1 1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” Has the CAE stated that the internal audit activity conforms with the PSIAS only if the results of the QAIP support this? 1322 Disclosure of Non-Conformance Has the CAE reported any instances of non-conformance with the PSIAS to the board? Has the CAE considered including any significant deviations from the PSIAS in the governance statement and has this been evidenced? Performance Standards 2000 Managing the Internal Audit Activity Do the results of the internal audit activity’s work achieve the purposes and responsibility of the activity, as set out in the internal audit charter? Does the internal audit activity conform with the Definition of Internal Auditing and the Standards Do individual internal auditors, who are part of the internal audit activity, demonstrate conformance with the Code of Ethics and the Standards? Appendix 1 76 No evidence to suggest there is any non-conformance. This has been considered but as there weren’t any there is nothing to disclose. 77 Evidence provided through the QAIP. 79 See Charter for definitionreference made in Annual Report. Evidence provided in the QAIP. Separate Code of Conduct for auditors any issues would be addressed through appraisals or by using the council’s disciplinary process. 80 Does the internal audit activity add value to the organisation and its stakeholders by 78 81 82 a) Providing objective and relevant assurance? b) Contributing to the effectiveness and efficiency of the governance, risk management and internal control processes? a)Satisfaction Surveys provide feedback on relevance of work b)Specific Corporate Governance Audits. Testing in service audits provides feedback such as information governance. Managers use feedback from audit reports to manage services and inform their governance statements. 2010 Planning 17 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Has the CAE determined the priorities of the internal audit activity in a risk-based plan and are these priorities consistent with the organisation’s goals? Does the risk-based plan take into account the requirement to produce an annual internal audit opinion? Does the risk-based plan take into account the organisation’s assurance framework? Does the risk-based plan incorporate or is it linked to a strategic or high-level statement of: a) How the internal audit service will be delivered? b) How the internal audit service will be developed in accordance with the internal audit charter? c) How the internal audit service links to organisational objectives and priorities? Does the risk-based plan set out how internal audit’s work will identify and address local and national issues and risks? In developing the risk-based plan, has the CAE taken into account the organisation’s risk management framework and relative risk maturity of the organisation? Appendix 1 Audit risk assessment recognises linkages with corporate objectives. Yes risk assessments ensures those areas with higher impact are reviewed more frequently and ensure audits from across the whole authority are undertaken each year. 4 year plan aims to cover all areas of Council activity-key systems audited each year. One of the specific measures in the scorecard has been developed to identify the minimum level of cover required to provide this assurance. This is considered as part of the risk assessment e.g. any corporate/dept risks in service area, known information quality issues etc Audit plan is presented alongside audit charter which provides all of these linkages. 83 Not specifically but it does identify that they will be considered, this is done by virtue of the audit risk assessment , e.g. 2014 flood audit Our current corporate risk framework does not require any recording of well managed/low level service risks where a lot of 87 84 85 86 88 18 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS If such a risk management framework does not exist, has the CAE used his or her judgement of risks after input from senior management and the board and evidenced this? LGAN our testing would be based, because of this we have our own risk assessment. Audit are represented at Risk Action Group where higher level risks to the Council are discussed. Audit feedback any Urgent/Substantial audit recommendations to the group. We rely on an audit risk assessment plus feedback from heads of service to develop the plan. Our current risk framework does not require any recording of well managed/low level service risks where a lot of our testing would be based. Does the risk-based plan set out the: Appendix 1 89 90 a) Audit work to be carried out? Yes including a high level summary of each review b) Respective priorities of those pieces of audit work? Each audit is given a priority rating c) Estimated resources needed for the work? LGAN Does the risk-based plan differentiate between audit and other types of work? LGAN Is the risk-based plan sufficiently flexible to reflect the The estimated time is shown in the plan The detailed plan shows the audit work we will undertake. Other types of work are reflected in a reduced level of available resources (e.g. admin contingency) and the unplanned contingency. There are a small number of contingencies which may be more consultancy type activity. Contingency available for 91 92 19 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS changing risks and priorities of the organisation? LGAN Does the CAE review the plan on a regular basis and has he or she adjusted the plan when necessary in response to changes in the organisation’s business, risks, operations, programmes, systems and controls? Is the internal audit activity’s plan of engagements based on a documented risk assessment? Is the risk assessment used to develop the plan of engagements undertaken at least annually? additional work. The report recognises that the plan may need to change. CAE/Audit & Risk Manager & Lead Auditors discuss plan on a monthly basis. Yes as documented through quarterly reports/previous annual report. We rely on an audit risk assessment plus feedback from heads of service to develop the plan. Risk assessment is continually updated after audit completion on the audit system. The system generates a plan based on this assessment. In developing the risk-based plan, has the CAE also considered the following: Appendix 1 93 94 95 96 a) Any declarations of interest (for the avoidance for conflicts of interest)? This is done on an assignment level b) The requirement to use specialists, eg IT or contract and procurement auditors? We have recognised specialists in post c) Allowing contingency time to undertake ad hoc reviews or fraud investigations as necessary? 50 days unplanned provision set aside d) The time required to carry out the audit planning process effectively as well as regular reporting to and attendance of the board, the development of the annual report and the CAE opinion? Is the input of senior management and the board considered in the risk assessment process? Allocation made within the plan to undertake this type of work. Does the CAE identify and consider the expectations of senior management, the board and other stakeholders for Yes this is a specific element within the audit risk assessment, management concerns. Introduction of a standard set of tests allows us to undertake 97 98 20 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS internal audit opinion and any other conclusions? Does the CAE take into consideration any proposed consulting engagement’s potential to improve the management of risks, to add value and to improve the organisation’s operations before accepting them? Are consulting engagements that have been accepted included in the risk-based plan? 2020 Communication and Approval Has the CAE communicated the internal audit activity’s plans and resource requirements to senior management and the board for review and approval? Has the CAE communicated any significant interim changes to the plan and/or resource requirements to senior management and the board for review and approval, where such changes have arisen? Has the CAE communicated the impact of any resource limitations to senior management and the board? 2030 Resource Management Does the risk-based plan explain how internal audit’s resource requirements have been assessed? LGAN Has the CAE planned the deployment of resources, especially the timing of engagements, in conjunction with management to minimise abortive work and time? LGAN If the CAE believes that the level of agreed resources will impact adversely on the provision of the internal audit opinion, has he or she brought these consequences to the consistent testing against a level of expectation. Managers do not have to accept a recommendation if they are prepared to accept an increased level of risk. The audit charter identifies that we would only undertake a consulting engagement if this criteria would be met, to date no consulting engagements have been undertaken N/A Appendix 1 99 100 Plan has been agreed by CGG who represent senior management and the audit committee Individual changes are often discussed with a senior manager in the first instance and then reported to audit committee. Yes Audit Committee 23 February 2015 –no resource limitations identified. 101 Yes-see also covering report to Audit Committee 23 February 2015 This is managed by Lead Auditors on a review by review basis, successful completion of plans demonstrates relative success. It was judged that there was sufficient resource available to allow an opinion to be formed, 104 102 103 105 106 21 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS attention of the board? This may include an imbalance between the work plan and resource availability and/or other significant matters that jeopardise the delivery of the plan or require it to be changed. 2040 Policies and Procedures Has the CAE developed and put into place policies and procedures to guide the internal audit activity? LGAN LGAN Has the CAE established policies and procedures to guide staff in performing their duties in a manner than conforms to the PSIAS? Examples include maintaining an audit manual and/or using electronic management systems. Are the policies and procedures regularly reviewed and updated to reflect changes in working practices and standards? 2050 Co-ordination Does the risk-based plan include the approach to using other sources of assurance and any work that may be required to place reliance upon those sources? LGAN Has the CAE carried out an assurance mapping exercise as part of identifying and determining the approach to using other sources of assurance? Appendix 1 where there was an imbalance this would be brought to the attention of senior management and audit committee. ISO, there is an intention to develop a more user friendly audit manual once we have finalised changes for 2014/2015. MKinsight , the software system used by Internal Audit to record testing etc. requires audits to be conducted in a certain way that conforms to the standards. Regular review undertaken with changes introduced at the start of each year, therefore annual review. 107 We do not currently have any pre-agreed arrangements to rely on any specific other sources of assurance (i.e. in a similar way as DBC do with us), so whilst other sources of assurance may be utilised on an audit by audit/test by test basis this does not require any formal arrangements to be set out in the plan e.g. quality assurance checks or time for agreeing scopes/briefs. This has been considered but there are some issues regarding being able to confirm details of testing etc. undertaken by other agencies to be able to give us 110 108 109 112 22 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS LGAN 4.2 Does the CAE meet regularly with the nominated external audit representative to consult on and coordinate their respective audit plans? 2060 Reporting to Senior Management and the Board Does the CAE report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility and performance relative to its plan? Does the periodic reporting also include significant risk exposures and control issues, including fraud risks, governance issues and other matters needed or requested by senior management and the board? Is the frequency and content of such reporting determined in discussion with senior management and the board and are they dependent on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board? 2070 External Service Provider and Organisational Responsibility for Internal Auditing Where an external internal audit service provider acts as the internal audit activity, does that provider ensure that the organisation is aware that the responsibility for maintaining and effective internal audit activity remains with the organisation? 2100 Nature of Work Does the internal audit activity evaluate and contribute to the confidence in their work. Main area of co-ordination is with the external auditor, who we meet with regularly to discuss work and areas of overlap to keep duplication to a minimum. See above. Does the CAE share information and coordinate activities with other internal and external providers of assurance and consulting services? Appendix 1 113 114 Quarterly reporting to CGG and the Audit Committee. If there were any particular performance issues that arose or any themes that were evident as a result audit testing then these would be reported to CGG and Audit Committee As and when they arise, revised use of the audit system will make identification of trends easier. 115 Senior management see all relevant audit reports – recommendations are prioritised by degree of urgency. Details of 3 star recommendations and above provided to Audit Committee. 117 Internal audit service is delivered in-house. 118 Where weaknesses are identified 119 116 23 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS improvement of the organisation’s governance, risk management and internal control processes? Does the internal audit activity evaluate and contribute to the improvement of the above using a systematic and disciplined approach and is this evidenced? recommendations are made and the implementation of those recommendations followed up. Each audit is based on a work programme of testing specific to the service being tested. This follows the same process for each audit with work reviewed at appropriate stages. 2110 Governance Does the internal audit activity: Appendix 1 120 121 a) Promote appropriate ethics and values within the organisation? b) Ensure effective organisational performance management and accountability? c) Communicate risk and control information to appropriate areas of the organisation? d) Coordinate the activities of and communicate information among the board, external and internal auditors and management? Does the internal audit activity assess and make appropriate recommendations for improving the governance process as part of accomplishing the above objectives? Has the internal audit activity evaluated the: a) design b) implementation, and c) effectiveness of the organisation’s ethics-related objectives, programmes Testing undertaken with an awareness for a risk of fraud or wrong-doing, where issues are identified recommendations would be made. Specific audit on performance management and testing included in all service audits. Analysis of recs made circulated to service groupings Testing would include how information is reported to CMT, external auditors and members and how these groups work in practice. Recommendations would be made where it was felt processes could be improved amongst these groups. Yes where appropriate Employees Code of Conduct, scheme of delegation, gifts and hospitality is be covered by specific audit work. 122 123 24 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS LGAN and activities? Has the internal audit activity assessed whether the organisation’s information technology governance supports the organisation’s strategies and objectives? Has the CAE considered the proportionality of the amount of work required to assess the ethics and information technology governance of the organisation when developing the risk-based plan? 2120 Risk Management Has the internal audit activity evaluated the effectiveness of the organisation’s risk management processes by determining that: a) Organisational objectives support and align with the organisation’s mission? b) Significant risks are identified and assessed? Appendix 1 Specific IT Strategy Audit 124 As per risk assessment e.g. complexity of systems, likelihood of fraud, known information issues etc. 125 126 Specific Council Plans Audit Audit attends Risk Action Group and provides feedback from audit work to the Group. Also specific risk management audit. Risk management audit undertaken and support through membership of Risk Action Group. c) Appropriate risk responses are selected that align risks with the organisation’s risk appetite? d) Relevant risk information is captured and communicated in a timely manner across the organisation, thus enabling the staff, management and the board to carry out their responsibilities? Has the internal audit activity evaluated the risks relating to the organisation’s governance, operations and information systems regarding the: a) Achievement of the organisation’s strategic objectives? Specific audits of council plans and performance management framework. Individual reviews will assess performance which subsequently feeds into the achievement of council objectives b) Reliability and integrity of financial and operational Individual audit reviews, standard Only to the extent it fits with SBC requirements 127 25 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS information? audit programme used. c) Effectiveness and efficiency of operations and programmes? d) Safeguarding of assets? Standard audit programme used. Standard audit programme used. e) Compliance with laws, regulations, policies, procedures and contracts? Has the internal audit activity evaluated the potential for fraud and also how the organisation itself manages fraud risk? Standard programme, individual requirements also included in programmes Specific fraud audit Fraud covered as part of Audit risk assessment No consultancy engagement undertaken. Do internal auditors address risk during consulting engagements consistently with the objectives of the engagement? Are internal auditors alert to other significant risks when undertaking consulting engagements? Do internal auditors successfully avoid managing risks themselves, which would in effect lead to taking on management responsibility, when assisting management in establishing or improving risk management processes? Appendix 1 No consultancy engagement undertaken. Yes, there are processes in place i.e. duplicate payments used to manage risks but the responsibility for reviewing and responding to that information rests with the service provider.. 2130 Control Has the internal audit activity evaluated the adequacy and effectiveness of controls in the organisation’s governance, operations and information systems regarding the: 128 129 130 131 132 a) Achievement of the organisation’s strategic objectives? Specific audits of council plans and performance management framework. Individual reviews will assess performance which subsequently feeds into the achievement of council objectives b) Reliability and integrity of financial and operational information? Individual audit reviews, see standard programme 26 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS 4.3 c) Effectiveness and efficiency of operations and programmes? Standard programme d) Safeguarding of assets? Standard programme e) Compliance with laws, regulations, policies, procedures and contracts? Standard programme, individual requirements also included in programmes No consultancy engagement undertaken Do internal auditors utilise knowledge of controls gained during consulting engagements when evaluating the organisation’s control processes? 2200 Engagement Planning Do internal auditors develop and document a plan for each engagement? Does the engagement plan include the engagement’s: a) Objectives? b) Scope? c) Timing? d) Resource allocations? Each audit has an audit assignment sheet prepared by the relevant audit manager based on the risk assessment and discussions with service managers Previously this document was limited to timing and resource allocations although the audit programme associated with the audit would evidence the scope. New format for 2014 includes objectives. Do internal auditors consider the following in planning an engagement, and is this documented: Appendix 1 133 134 135 136 a) The objectives of the activity being reviewed? This is understood when designing the testing programme b) The means by which the activity controls its performance? c) The significant risks to the activity being audited? This sits within the corporate framework Audit risk assessment d) The activity’s resources? e) The activity’s operations? This is discussed when planning the timing of the engagement The specifics of how the service 27 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Appendix 1 operates are included in the scope of work in the brief and the auditor notes in the programme. Existing controls are assessed as part of the review f) The means by which the potential impact of risk is kept to an acceptable level? g) The adequacy and effectiveness of the activity’s governance, risk management and control processes compared to a relevant framework or model? See above h) The opportunities for making significant improvements to the activity’s governance, risk management and control processes? Where an engagement plan has been drawn up for an audit to a party outside of the organisation, have the internal auditors established a written understanding with that party about the following: a) Objectives? b) Scope? c) The respective responsibilities and other expectations of the internal auditors and the outside party (including restrictions on distribution of the results of the engagement and access to engagement records)? For consulting engagements, have internal auditors established an understanding with the engagement clients about the following: a) Objectives? b) Scope? c) The respective responsibilities of the internal auditors and the client and other client expectations? For significant consulting engagements, has this understanding been documented? 2210 Engagement Objectives Have objectives been agreed for each engagement? This is considered whenever a recommendation is made. This mainly relates to audits undertaken on behalf of DBC of the functions operated by Xentrall. Regular discussion (Monthly meeting) with auditors from DBC to discuss scope and findings. Attendance at DBC Audit Committee. 137 No consultancy engagement undertaken 138 No consultancy engagement undertaken 139 140 Have internal auditors carried out a preliminary risk assessment of the activity under review? Audit briefs prepared for each audit, plus pre-audit discussion documented. Audit risk assessment undertaken. 141 28 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS LGAN Do the engagement objectives reflect the results of the preliminary risk assessment that has been carried out? Have internal auditors considered the probability of the following, when developing the engagement objectives: a) Significant errors? b) Fraud? c) Non-compliance? d) Any other risks? Have internal auditors ascertained whether management and/or the board have established adequate criteria to evaluate and determine whether objectives and goals have been accomplished? If the criteria have been deemed adequate, have the internal auditors used the criteria in their evaluation of governance, risk management and controls? If the criteria have been deemed inadequate, have the internal auditors worked with management and/or the board to develop appropriate evaluation criteria? If the value for money criteria have been referred to, has the use of all the organisation’s main types of resources been considered; including money, people and assets? Do the objectives set for consulting engagements address governance, risk management and control processes as agreed with the client? Are the objectives set for consulting engagements consistent with the organisation’s own values, strategies and objectives? 2220 Engagement Scope Is the scope that is established for the engagement sufficient to satisfy the engagement’s objectives? Does the engagement scope include consideration of the following relevant areas of the organisation: a) Systems? b) Records? c) Personnel? Appendix 1 The audit brief and subsequent objectives of the audit use information from the audit risk assessment These elements are all included in the audit risk assessment therefore they feed into the programme and the brief as discussed above. 142 Council Plans Audit/Performance Management Audit assess these points specifically and are undertaken annually. Results of this testing feed specifically into the annual opinion. We have not considered the criteria to be inadequate so not applicable. How these are used has been covered in the standard programme. No consultancy engagement undertaken 144 No consultancy engagement undertaken 149 Assignment brief provides detailed information on the scope of testing. Standard Programme used for all service audits includes testing on these areas. 150 143 145 146 147 148 151 29 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS d) Premises? Does the engagement scope include consideration of the following relevant areas under the control of outside parties, where appropriate: a) Systems? b) Records? c) Personnel? d) Premises? Where significant consulting opportunities have arisen during an assurance engagement, was a specific written understanding as to the objectives, scope, respective responsibilities and other expectations drawn up? Where significant consulting opportunities have arisen during an assurance engagement, were the results of the subsequent engagement communicated in accordance with the relevant consulting Standards? For a consulting engagement, was the scope of the engagement sufficient to address any agreed-upon objectives? If the internal auditors developed any reservations about the scope of a consulting engagement while undertaking that engagement, did they discuss those reservations with the client and therefore determine whether or not to continue with the engagement? During consulting engagements, did internal auditors address the controls that are consistent with the objectives of those engagements? During consulting engagements, were internal auditors alert to any significant control issues? 2230 Engagement Resource Allocation Have internal auditors decided upon the appropriate and sufficient level of resources required to achieve the objectives of the engagement based on: a) The nature and complexity of each individual engagement? b) Any time constraints? c) The resources available? 2240 Engagement Work Programme Appendix 1 Some individual audits have addressed this ie Family Support – mileage claims, Client Financial Services – personal budgets. 152 No consultancy engagement undertaken 153 No consultancy engagement undertaken 154 No consultancy engagement undertaken 155 No consultancy engagement undertaken 156 No consultancy engagement undertaken 157 No consultancy engagement undertaken 158 Lead Auditors judgement – expected duration of each audit shown on Audit Plan, detail provided in the audit brief. 159 30 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Have internal auditors developed and documented work programmes that achieve the engagement objectives? Do the engagement work programmes include the following procedures for: a) Identifying information? b) Analysing information? c) Evaluating information? d) Documenting information? Were work programmes approved prior to implementation for each engagement? 4.4 Were any adjustments required to work programmes approved promptly? 2300 Performing the Engagement Have internal auditors carried out the following in order to achieve each engagement’s objectives: a) Identify sufficient information? b) Analyse sufficient information? C) Evaluate sufficient information? d) Document sufficient information? 2310 Identifying Information Have internal auditors identified the following in order to achieve each engagement’s objectives: a) Sufficient information? b) Reliable information? c) Relevant information? d) Useful information? 2320 Analysis and Evaluation Have internal auditors based their conclusions and engagement results on appropriate analyses and evaluations? LGAN Have internal auditors remained alert to the possibility of the Appendix 1 Each audit has a programme of work defined. All included in the auditor notes for each specific audit. 160 Programmes are written by Lead Auditors and reviewed by Audit & Risk Manager. See above 162 All managed through the audit process and the review process. Where auditors fail to meet this criteria the audit would fail the review process and additional work would need to be undertaken. 164 All managed through the audit process and the review process. Where auditors fail to meet this criteria the audit would fail the review process and additional work would need to be undertaken. 165 All managed through the audit process and the review process. Where auditors fail to meet this criteria the audit would fail the review process and additional work would need to be undertaken. This would be assessed by the 166 161 163 167 31 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS following: a) intentional wrongdoing b) errors and omissions c) poor value for money d) failure to comply with management policy, and e) conflicts of interest when performing their individual audits, and has this been documented? 2330 Documenting Information Have internal auditors documented the relevant information required to support engagement conclusions and results? LGAN Appendix 1 Lead Auditor during the review process, they would consider the possibilities and ensure testing has assessed these. All managed through the audit process and the review process. Where auditors fail to meet this criteria the audit would fail the review process and additional work would need to be undertaken. See Above, in addition to this a reminder of the required standards was delivered at the audit training day in December 2013. Shared storage area – access restricted to audit staff only. As and when required to date the only access requirements have been from external audit. Yes retention policy in place. 168 Based on external auditors requirements - 2 years plus current. 173 Audit system includes a point by point review process with an audit trail. In addition to this the electronic file includes a review process. There is now an additional level of review by the 174 Are working papers sufficiently complete and detailed to enable another experienced internal auditor with no previous connection with the audit to ascertain what work was performed, to re-perform it if necessary and to support the conclusions reached? Does the CAE control access to engagement records? Has the CAE obtained the approval of senior management and/or legal counsel as appropriate before releasing such records to external parties? Has the CAE developed and implemented retention requirements for all types of engagement records? Are the retention requirements for engagement records consistent with the organisation’s own guidelines as well as any relevant regulatory or other requirements? 2340 Engagement Supervision Are all engagements properly supervised to ensure that objectives are achieved, quality is assured and that staff are developed? 169 170 171 172 32 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS Is appropriate evidence of supervision documented and retained for each engagement? 4.5 LGAN LGAN LGAN LGAN LGAN 2400 Communicating Results Do internal auditors communicate the results of engagements? 2410 Criteria for Communicating Do the communications of engagement results include the following: a) The engagement’s objectives? b) The scope of the engagement? c) Applicable conclusions? d) Recommendations and action plans, if appropriate? Has the internal auditor discussed the contents of the draft final report with the appropriate levels of management to confirm factual accuracy, seek comments and confirm the agreed management actions? If recommendations and an action plan have been included, are recommendations prioritised according to risk? Appendix 1 Audit 7 Risk Manager at both the draft and final stage. Information held on the system or with the final version of the report. 175 Final report 176 Yes 177 Draft reports are circulated for comments before being issued as finals. 178 Priority rating for the recommendation is linked to corporate risk management process. Management provide relevant comments to each recommendation. 179 Yes where management have taken a decision to accept an increased level of risk this is documented. Where that increased level of risk is inappropriate this is escalated through service management and on to Audit Committee if required. Yes 181 If recommendations and an action plan have been included, does the communication also state agreements already reached with management, together with appropriate timescales? If there are any areas of disagreement between the internal auditor and management, which cannot be resolved by discussion, are these recorded in the action plan and the residual risk highlighted? Do communications disclose all material facts known to them in their audit reports which, if not disclosed, could distort their reports or conceal unlawful practice, subject to confidentiality 180 182 33 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS LGAN LGAN requirements? Do the final communications of engagement results contain, where appropriate, the internal auditor’s opinions and/or conclusions, building up to the annual internal audit opinion on the control environment? When an opinion or conclusion is issued, are the expectations of senior management, the board and other stakeholders taken into account? Appendix 1 Yes each audit is given an opinion. 183 These have been taken into account when designing the programme however there are times when after discussing the findings of audits the original opinion has been altered to reflect expectations. (Not Audit Committee or other stakeholders) Contained in Audit Report 184 The audit report does not just focus on issues it reflects good practice too. Standard paragraph in the Audit Report. 186 Not Applicable. 188 When an opinion or conclusion is issued, is it supported by sufficient, reliable, relevant and useful information? Where appropriate, do engagement communications acknowledge satisfactory performance of the activity in question? When engagement results have been released to parties outside of the organisation, does the communication include limitations on the distribution and use of the results? If the CAE has been required to provide assurance to other partnership organisations, has he or she also demonstrated that their fundamental responsibility is to the management of the organisation to which they are obliged to provide internal audit services? 2420 Quality of Communications Are communications: a) Accurate? b) Objective? c) Clear? d) Concise? e) Constructive? f) Complete? g) Timely? 2421 Errors and Omissions If a final communication has contained a significant error or 185 187 189 Satisfaction Survey On the rare occasion where a 190 34 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS omission, did the CAE communicate the corrected information to all parties who received the original communication? 2430 Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing” Do internal auditors report that engagements are ‘conducted in conformance with the PSIAS’ only if the results of the QAIP support such a statement? 2431 Engagement Disclosure of Non-conformance Where any non-conformance with the PSIAS has impacted on a specific engagement, do the communication of the results disclose the following: a) The principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved? b) The reason(s) for non-conformance? c) The impact of non-conformance on the engagement and the engagement results? 2440 Disseminating Results Has the CAE determined the circulation of audit reports within the organisation, bearing in mind confidentiality and legislative requirements? Has the CAE communicated engagement results to all appropriate parties? Before releasing engagement results to parties outside the organisation, did the CAE: a) Assess the potential risk to the organisation? b) Consult with senior management and/or legal counsel as appropriate? c) Control dissemination by restricting the use of the results? Where any significant governance, risk management and Appendix 1 final report is re-issued it is reissued to all who received the original report. Decision taken not to include statements such as this in the individual report. Feels it hampers the readability and useful of the report if contains too much superfluous data. 191 Not applicable – non complance with the PSIA’s wouldn’t impact on a specific engagement. 192 Yes all reports are issued to the relevant Director, Head of Service and Service Manager. Where there are specific results eg finance the relevant statutory officer (or their representative) is included. Yes see above 193 The only external distribution is to the external auditor, this enables them to place reliance on our work and limit their work (and subsequent fees) as a result. 195 No consulting engagements 196 194 35 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS control issues were identified during consulting engagements, were these communicated to senior management and the board? 2450 Overall Opinion Has the CAE delivered an annual internal audit opinion? Does the annual internal audit opinion conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control? Does the annual internal audit opinion take into account the expectations of senior management, the board and other stakeholders? Is the annual internal audit opinion supported by sufficient, reliable, relevant and useful information? currently undertaken. 23 June 2014 Yes 197 198 Yes 199 Yes – completion of plan, significance of recs, audit opinions, any fraudulent activity come to light etc? 200 Does the communication identify the following: LGAN Appendix 1 201 a) The scope of the opinion, including the time period to which the opinion relates? b) Any scope limitations? c) The consideration of all related projects including the reliance on other assurance providers? d) The risk or control framework or other criteria used as a basis for the overall opinion? Where a qualified or unfavourable annual internal audit opinion is given, are the reasons for that opinion stated? Has the CAE delivered an annual report that can be used by the organisation to inform its governance statement? Does the annual report incorporate the following: a) The annual internal audit opinion? b) A summary of the work that supports the opinion? No qualified or unfavourable opinion has been given. If it was then the reasons for arriving at that conclusion would be given. Timing of Annual report, June, allows the opinion to be used in the governance statement (Sept) Yes all covered in the annual audit report- 202 203 204 36 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS LGAN c) A disclosure of any qualifications to the opinion? LGAN d) The reasons for any qualifications to the opinion? LGAN e) A disclosure of any impairments or restriction in scope? LGAN f) A comparison or work actually carried out with the work planned? g) A statement on conformance with the PSIAS? LGAN h) The results of the QAIP? LGAN i) Progress against any improvement plans resulting from the QAIP? LGAN j) A summary of the performance of the internal audit activity against its performance measures and targets? k) Any other issues that the CAE judges is relevant to the preparation of the governance statement? 2500 Monitoring Progress Has the CAE established a process to monitor and follow up management actions to ensure that they have been effectively implemented or that senior management have accepted the risk of not taking action? Where issues have arisen during the follow-up process, has the CAE considered revising the internal audit opinion? 4.6 Do the results of monitoring management actions inform the risk-based planning of future audit work? Appendix 1 A follow-up process is in place. 205 Decision taken not to revise audit opinions in case of follow up. If a full audit is undertaken then a revised opinion would be issued if it was appropriate to do so. Not specifically. Initial audit opinion and level of recommendations does inform the risk assessment, if recs 206 207 37 CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDS 4.7 Does the internal audit activity monitor the results of consulting engagements as agreed with the client? 2600 Communicating the Acceptance of Risks If the CAE has concluded that management has accepted a level of risk that may be unacceptable to the organisation, has he or she discussed the matter with senior management? If, after discussion with senior management, the CAE continues to conclude that the level of risk may be unacceptable to the organisation, has he or she communicated the situation to the board? haven’t been implemented this assessment is still valid. Where recs have been implemented this should become apparent at next audit with a change in opinion and or change in level of recs therefore impacting on the risk assessment. There is a risk that focus on previous weaknesses results in issues elsewhere in the system. No consulting engagements undertaken. In cases such as these there is an escalation procedure where the matter would be discussed with senior service managers. The escalation process allows for instances such as these to be reported to the Audit Committee. Appendix 1 208 209 210 38