Appendix F

NORTH NORFOLK DISTRICT COUNCIL INTERNAL AUDIT STRATEGY FOR 2012/13

1 INTRODUCTION AND OVERVIEW

1.1 The objectives of North Norfolk District Council’s Internal Audit Strategy are set out in Internal Audit’s Terms of Reference, although they can essentially be summarised as follows: ‘To deliver a risk-based audit plan in a professional, independent manner, to provide the organisation with an opinion on the level of assurance it can place upon the internal control environment, systems of risk management and corporate governance arrangements, and to make recommendations to improve these provisions, where further development would be beneficial’.

1.2 Internal Audit’s Terms of Reference are reviewed annually by the Head of Internal Audit and then presented to the Audit Committee for formal approval. The Terms of Reference for 2011/12 received the endorsement of the Audit Committee on 8 March 2011, whereas the Terms of Reference for 2012/13 are attached today (6 March 2012) for consideration and approval by the Audit Committee.

1.3 In accordance with contractual arrangements - each year, an Audit Needs Assessment is completed by the Head of Internal Audit or the Deputy Audit Manager as part of the audit planning process, culminating in the development of a Strategic Audit Plan, with an Annual Audit Plan being extracted from the latter for adoption in the succeeding financial year. In previous years, we have formulated rolling 5-year Strategic Audit Plans but this year will be trialling a 3-year Strategic Audit Plan.
Consultations with Section 151 Officers across the Norfolk Internal Audit Consortium have indicated the need to continue to provide a forecast of future audit coverage but given the changing environment which local government currently faces, adopting a shorter timeframe was favoured, and the end date of the Plan effectively ties in with the financial year when the existing Internal Audit Services Contract with Deloitte Public Sector Internal Audit Ltd is due to expire.

1.4 A Computer Audit Needs Assessment is also performed on a 3-yearly basis by the Internal Audit Services contractor, and the outcomes of this exercise additionally feed into the rolling 3-year Strategic Audit Plan and the Annual Audit Plan for the new financial year.

2 WHAT THE INTERNAL AUDIT STRATEGY SETS OUT TO ACHIEVE

2.1 The purpose of the Internal Audit Strategy is to establish the nature of the methodology to be adopted by Internal Audit to facilitate:

• How the service will be delivered to the Council.
• The provision to the Council’s Section 151 Officer of audit opinions each year concerning the Council’s systems of internal control and risk management, and corporate governance arrangements.
• Ensuring that appropriate evidence has been collected in support of the audit opinions expressed, after which the latter should be used to inform the authority’s Annual Governance Statement.
• The audit of the Council’s systems of internal control and risk management, and corporate governance arrangements through Strategic and Annual Audit Plans is undertaken in a way that affords suitable priority to the Council’s objectives and risks.
• Audit resources have been appropriately identified to deliver an Internal Audit Service, which meets required professional standards, provides acceptable minimum levels of audit coverage and optimises the use of audit time available.
• Providing annual scrutiny of the fundamental financial systems to provide assurance that the proper arrangements for financial control are in place, work which External Audit can then place reliance upon.
• Supporting senior management at the Council as much as possible and adding value.

3 DEVELOPMENT OF THE CURRENT INTERNAL AUDIT STRATEGY

3.1 The formulation of the present Internal Audit Strategy is essentially risk driven, whilst also acknowledging that the primary issues to the Council at present are the ongoing need to deliver financial savings and legislative changes, and this in itself generates additional risks for the authority. As a result, greater consultation has been undertaken with the Council’s Deputy Section 151 Officer and the Corporate Leadership Team to discuss the focus of future audit coverage and review the sequencing of audit projects to maximise their value to the authority. In undertaking the Audit Needs Assessment, we have also considered a number of core documents that enhance our understanding of the audit risk environment at the Council, including:

Corporate Documentation

• The Annual Governance Statement for 2010/11
• The Statement of Accounts for 2010/11
• Corporate Risk Register (latest available version received December 2011)
• New / Reshaped Risks for 2012 – to be presented to the Performance and Risk Management Board in March 2012
• Report on Partnerships and the Partnership Risk Register (presented to Audit Committee on 13 September 2011)
• Corporate Plan 2012-15
• Treasury Management Strategy Statement and Investment Strategy 2012/13 to 2014/15 (Cabinet, 6 February 2012)
• 2012/13 Base Budget and Projects for 2013/14 to 2015/16 (Cabinet 6 February 2012)
• Materials Recycling Facility (MRF) Contract Procurement (Cabinet, 6 February 2012)
• Report on Revenues and Benefits Shared Service (Cabinet, 28 November 2011)
• 2011/12 Revised Budget (Cabinet, 28 November 2011)
• The Council’s Approach to Localism and the Establishment of the Big Society Fund (Cabinet, 28 November 2011)

External Audit Documentation

• External Audit Plan 2011/12 (issued February 2012)
• Certification Report (2010/11) – Report to those charged with Governance (issued February 2012)
• Audit of the Statement of Accounts for the year ended 31 March 2011 and the Annual Summary of Recommendations (issued November 2011)
• Annual Audit Letter – 2010/11 Audit (issued November 2011)
• Report to those charged with Governance (ISA60 (UK&I)) – 2010/11 Audit (issued September 2011)

Other Documentation

• On an ongoing basis, Internal Audit maintains an oversight of issues that may affect the audit risk the Council faces; this includes attending training events, receiving briefings and updates on topical matters from Deloitte Public Sector Internal Audit Ltd and subscribing to CIPFA’s quarterly newsletter – Audit Viewpoint and TIS Online services, etc.

3.2 Seven key risk factors have then been applied to potential auditable areas and their impact on the organisation evaluated in terms of:

• Materiality – the value of annual direct income/expenditure associated with the systems/activities;
• Materiality – an estimate of the number of transactions processed by the systems/activities per annum;
• Significance – the significance of the systems to the objectives and activities of the Council;
• Complexity of the organisation’s systems/activities in terms of their operation and auditability;
• Modifications to the organisation’s systems/activities or the likelihood of changes (i.e. new arrangements) being introduced within the duration of Audit Plans being put forward;
• Inherent risk, i.e. the likelihood of threats, error or malpractice to the organisation, because of the nature of its business activity, the regulatory framework, its size, its growth, its history, etc; and,
• Profile of auditable areas, reflecting on the political sensitivity of the systems/activities.
3.3 With reference to inherent risk, the Audit Needs Assessment is cognisant of those areas where historically, there has been the potential for fraud and corruption, e.g.

o Housing Benefits
o Provision of Discounts (e.g. Council Tax Discounts)
o Awarding of Grants – Community Grants, Private Sector Housing and other Direct Payments
o Cash Collection
o Car Parking Income
o Credit Income
o Creditor Payments
o Contracts and Procurement
o Loans and Investments
o Payroll, expense claims and recruitment
o Disposal of Assets
o Awarding of Planning Consents
o Awarding of Licences
o Gifts and Hospitality

3.4 The risk factors have been weighted to produce a risk score, expressed as a percentage that is, in turn, translated into a risk rating of Very High, High, Medium or Low. Once risks have been categorised, it is then possible to determine the frequency with which areas identified, should be subject to audit scrutiny. Low risk systems will be examined on a 5-yearly cycle. Medium risk assessed systems should be reviewed on a 3-yearly basis; high risk areas will be audited on a 2-yearly cycle, and Very High risk will be scrutinised on an annual basis.

3.5 From our review of associated documentation, as identified in paragraph 3.1, and having kept abreast of developments at the Council, we have identified several other factors that have significant bearing on the assessed audit risks and resultant proposed audit coverage going forward. Key items acknowledged as impacting on the planning process have been as follows:

• The appointment of the new Chief Executive and Strategic Leadership team and the major management restructure now taking place at the Head of Service/Service Manager level, which is expected to be completed by April 2012.
• The continuing work to create a shared Revenues and Benefits service with Kings Lynn and West Norfolk Borough Council. Although we are mindful of the longer term national changes to Revenues and Benefit, audit assurance over the shared service will be critical to the authority given the expenditure incurred during the year, and to ensure we provide the requisite support to External Audit. Having already entered into provisional discussions with the auditors from Kings Lynn and West Norfolk to review the audit approach across the two Councils, we will continue to liaise and work with our counterparts to ensure the audit service provided to both authorities remains economic and efficient over the next 12 months, until such time as the new service delivery model is rolled out and future auditing requirements have been confirmed.
• It is further noted that the Corporate Leadership Team fully appreciates the risks involved in moving into such a shared service provision with a partner Council, and has already instructed Internal Audit to formulate terms of reference for reviewing the developing arrangements and migration towards this deliverable. The audit time required to conduct such an undertaking has yet to be fully determined however, which is why the Strategic and Annual Audit Plans for 2012/13 do not presently contain reference to this project, its envisaged scope and the days allocated to deliver this piece of work.
• The Council’s intention to join the CNC Building Control Partnership by August 2012 has also been taken into account.

3.6 As mentioned previously in paragraph 1.4, a Computer Audit Needs Assessment is also performed by the Internal Audit Services contractor in parallel to the Audit Needs Assessment work carried out by the Head of Internal Audit or the Deputy Audit Manager. The Computer Audit Needs Assessment effectively evaluates the key risks affecting the IT environment within the Council and having identified risk priority ratings, it is then possible to use this information to populate a Strategic Computer Audit Priority Analysis and Annual Computer Audit Plans.
This exercise was last carried out in November 2010 and will be repeated in 2013/14. To date, there has been some switching of computer audit assignments between 2011/12 and 2012/13 to utilise planned days that became available when some systems reviews did not go ahead as envisaged. This effectively enabled 5 key computer audits to be delivered in 2011/12, with 4 further assignments earmarked for 2012/13 and 3 other pieces of work to be delivered in the course of 2013/14.

3.7 We have already undertaken detailed planning work in relation to the Cedar Financial Application, as noted in our most recent Progress Report on Internal Audit Activity and are arranging completion of the requisite review work linked to this important application in 2012/13.

3.8 Added to this, the Corporate Leadership Team are particularly interested in pursuing a combined computer audit review of Project Management and the Cash Receipting Application during 2012/13 and we are currently examining how this might be achieved in terms of providing robust assurances over the two areas, whilst also generating cost savings for the authority in complying with this request.

3.9 In view of the comments already expressed at paragraph 3.5 of this Strategy, we hereby seek to draw attention to the fact that computer audit scrutiny of the Civica application and the Document Imaging system scheduled for 2013/14 may not necessarily go ahead as originally envisaged, due to the advancing development of Revenues and Benefits Shared Services between North Norfolk District Council and Kings Lynn and West Norfolk Borough Council, and the adoption of a significantly altered service delivery model from April 2013 onwards. As mentioned previously, we will thus be liaising with the Internal Audit Service at Kings Lynn and West Norfolk in 2012/13, to explore the likely impact on future computer auditing requirements and which body of auditors will be responsible for this work under the new arrangements.
4 FORMULATION OF THE STRATEGIC AND ANNUAL AUDIT PLANS

4.1 Having outlined our approach, as detailed in Section 3 of the Strategy, we duly confirm that prior to completing the Annual Audit Needs Assessment for 2012/13, we have been working closely with key personnel to agree a minimum level of audit coverage, which will enable the Head of Internal Audit to provide the requisite annual opinions for 2012/13, whilst also taking into account any additional needs raised by senior management, where internal audit input would be appreciated over the course of the year.

4.2 The formal audit planning process for 2012/13 commenced in early December 2011. Future audit coverage proposals were extracted as a consequence of the audit needs assessment exercise and these were then extensively discussed with the Deputy Section 151 Officer via a series of meetings and email exchanges taking place between 21 December 2011 and 20 February 2012, the outcomes of which have been used to further refine requirements subsequently taken forward to the Corporate Leadership Team.

4.3 There has also been consultation with the External Audit Manager in the course of Quarter 4 of 2011/12, as well as a meeting with the Chair of the Audit Committee on 13 February 2012 to canvass their views on the focus of audit scrutiny in the coming year. The resultant feedback received was next used to update the draft planning proposals, which were debated by the Corporate Leadership Team at a meeting with the Head of Internal Audit and the Deputy Section 151 Officer on 20 February 2012. This last meeting with senior management essentially obtained officer acceptance that audit resources were being properly targeted and hence, appropriately maximised for 2012/13 onwards. On this basis, the final composition of the Annual Audit Plan for 2012/13, with indicative timings for carrying out the relevant reviews, was confirmed.
4.4 The next phase in the process involves discussion of the Strategic and Annual Audit Plans with the Audit Committee, prior to obtaining formal endorsement of the audit coverage recommended. Once approved by the Committee, the Head of Internal Audit or Deputy Audit Manager will instruct the Internal Audit Service contractor (Deloitte Public Sector Internal Audit Ltd) to adopt the Annual Audit Plan as their work programme for 2012/13.

5 REVIEWING PLANNED AUDIT COVERAGE TO ENSURE ITS ON-GOING ADEQUACY

5.1 Audit Planning is a dynamic process and the environment in which North Norfolk District Council operates is frequently subject to change, whether through the introduction of new systems, the enhancement/modification of existing systems, revised statutory requirements applying to the organisation or other developments affecting the way in which the Council conducts its business. As a consequence, Internal Audit Plans are continually monitored by the Head of Internal Audit and/or Deputy Audit Manager to ensure that they remain timely and comprehensive in their proposed coverage. Throughout the coming year therefore, the Plans may have to be amended to reflect any changing priorities that might surface and possibly, have to react to existing risks that may subsequently escalate, diminish, disappear or be superseded by new risks, as they affect North Norfolk District Council. For this reason, flexibility will be shown towards planned audit coverage, to ensure that it is constantly responsive to changing needs and new requirements.

5.2 As outlined in the Terms of Reference for Internal Audit, any changes that are made to the Internal Audit plans during the year will be subject to the agreement of the Deputy Section 151 Officer and/or the Chief Executive, and subsequently communicated to the Audit Committee.