Appendix C

NORTH NORFOLK DISTRICT COUNCIL

TERMS OF REFERENCE FOR INTERNAL AUDIT FOR 2012/13

1. THE STATUTORY BASIS FOR INTERNAL AUDIT

1.1 The requirement for an Internal Audit Service is outlined within the Accounts and Audit Regulations 2011, which state that “A relevant body must undertake an adequate and effective internal audit of its accounting records and of its system of internal control in accordance with the proper practices in relation to internal control.”

1.2 In addition to clarifying overall arrangements, a further requirement stipulates that Councils conduct a review of the effectiveness of their Internal Audit function at least once a year, and that review should be undertaken by the same body that reviews the Annual Governance Statement. At North Norfolk District Council, this review is undertaken by the Audit Committee.

1.3 The review of systems of Internal Audit, as commented upon in 1.2 above, should ideally include how the function operates and the extent of compliance with the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006. North Norfolk District Council has adopted these particular Standards for Local Authority Internal Audit and they are reiterated in the specification for the Internal Audit Services contract. In addition, the statutory role of Internal Audit has been formally recognised and endorsed within the Council’s Financial Regulations.

2. THE RESPONSIBILITIES AND OBJECTIVES OF INTERNAL AUDIT

Internal Audit is an assurance function that primarily provides an independent and objective opinion to the organisation on the control environment comprising risk management, systems of internal control and corporate governance, by evaluating its effectiveness in achieving the organisation’s objectives.
As stated in the Council’s Financial Regulations, a continuous Internal Audit, under the direction of the Chief Financial Officer, will be arranged to appraise and review:

(i) The completeness, reliability and integrity of information, both financial and operational;
(ii) The systems established to ensure compliance with policies, plans, procedures, laws and regulations;
(iii) The means of safeguarding assets;
(iv) The economy, efficiency and effectiveness with which resources are employed; and,
(v) Whether operations are being carried out as planned and objectives and goals are being met.

Internal Audit is also responsible for reviewing, appraising and reporting to management:

(i) The extent to which the Council’s assets and interests are accounted for and safeguarded from losses of all kinds arising from
    (a) Fraud and other offences; and
    (b) Waste, extravagance and inefficient administration, poor value for money or other cause.
(ii) The suitability and reliability of financial and other management data developed within the Council.

As noted above, Internal Audit has a key role in assisting management regarding the prevention and detection of fraud and abuse. Section 7 of these Terms of Reference details our approach adopted in respect of fraud and corruption related matters, whilst the Council’s Financial Regulations – paragraph 6.16 – Preventing Fraud and Corruption – set out member and officer responsibilities, as well as recognising the key controls put in place to prevent financial irregularities occurring.

3. THE STATUS OF INTERNAL AUDIT, REPORTING LINES AND WORKING RELATIONSHIPS

The responsibility for Internal Audit is situated within the Resources Directorate.
The Head of Internal Audit reports directly to the Chief Executive (as the Council’s Section 151 Officer) and the Financial Services Manager or their nominated Deputy (in their role as Deputy Section 151 Officer) for administrative purposes, but is independent in respect of the planning and operation of the service.

It is important to note that the Head of Internal Audit has direct reporting access to the Chief Executive, Strategic Directors and elected members through the Audit Committee, Cabinet and Full Council. Furthermore, the Head of Internal Audit has the right to report unedited in his/her own name, as he/she considers necessary.

Regular meetings and discussions take place between members of the Audit Management Team and the Financial Services Manager or their nominated Deputy, and further liaison can be undertaken with the Chief Executive if necessary, to allow fulfilment of the Council’s Responsible Financial Officer role.

Provision also exists for regular reporting by the Head of Internal Audit to the Council’s Audit Committee, some 4-6 times per year to present:

• The Internal Audit Strategy and accompanying Strategic (3-year) and Annual Audit Plans, together with a Summary of Internal Audit Coverage for the forthcoming financial year.
• Progress achieved against the agreed Annual Audit Plan together with details of the outcomes of individual audit assignments.
• Progress achieved against Agreed Action Plans arising from completed reviews subject to final audit reporting.
• Annually updated Terms of Reference and Code of Ethics for Internal Audit.
• The findings and conclusions of any Special/Ad-hoc investigations commissioned by either the Audit Committee or Corporate Management Team.
• The Annual Report of the Head of Internal Audit, within 3 months of the end of the Annual Plan period, which will contain an opinion on the effectiveness of the system of internal control operating at the Council, as well as opinions on the adequacy of arrangements in relation to corporate governance and risk management. All opinions given will be based on the work undertaken by Internal Audit throughout the financial year. These opinions additionally inform the Annual Governance Statement.
• The Protocol for Liaison between Internal and External Auditors, updated periodically.
• The outcomes of Annual Audit Committee Self Assessment exercises.
• The outcomes of the annual review of the effectiveness of the internal audit function.

Internal Audit will also interact with External Audit in accordance with the agreed Protocol for Liaison between Internal and External Auditors, which has been developed to ensure that the services of Internal and External Audit are as integrated as possible, in order to maximise the effectiveness of the overall approach to audit operated within North Norfolk District Council.

Internal Audit will also liaise with other Councils’ Internal Audit Service providers, where shared service arrangements exist between themselves and North Norfolk District Council. In such cases, a dialogue will be opened with the other Council’s Chief Internal Auditor to agree a way forward regarding the future auditing of ‘shared’ services, which will be both efficient and cost effective for all parties, and cause least disruption to the area being audited.

In the event of North Norfolk’s Internal Auditors undertaking work for other Councils outside the Norfolk Internal Audit Consortium, arrangements over liability of internal audit work performed will be covered by either a Hold Harmless letter with Deloitte Public Sector Internal Audit Ltd, or contractual arrangements will be extended through a Standard Letter of Engagement.
Conversely, if the other Council’s Internal Auditors are nominated to undertake audit work on behalf of North Norfolk District Council, formal confirmation of their liability/accountability for that work will be required, so that full reliance can be placed upon the audit working papers and report generated in consequence. In addition, North Norfolk’s Head of Internal Audit will review all such work to ensure that it is providing the requisite assurances to feed into his/her annual audit opinion and should it be found that insufficient or inadequate work has been carried out, North Norfolk’s Head of Internal Audit reserves the right to request additional work be undertaken.

4. THE ROLE OF MANAGEMENT IN RELATION TO THE INTERNAL CONTROL ENVIRONMENT AND INTERNAL AUDIT

The Chief Executive, Strategic Directors and Service Managers/Heads of Service are responsible for ensuring that the internal control arrangements are sufficient to address the risks facing their services.

There is also a duty of care on the Chief Executive, Strategic Directors and Service Managers/Heads of Service, where appropriate, to give due consideration to audit recommendations and respond promptly to such recommendations upon receipt of draft audit reports. Furthermore, where audit recommendations have been accepted, management should be overseeing the implementation of agreed action plans within pre-agreed timescales and provide evidence to Internal Audit that the systems of internal control have been duly strengthened.

Following the issue of final audit reports, the Chief Executive, Strategic Directors and/or Service Managers/Heads of Service should feed back to Internal Audit at periodic intervals, details of action taken in respect of agreed recommendations.

To assist the monitoring process in relation to the implementation of agreed audit recommendations, the Internal Audit Services contractor will provide the Council’s Performance Team with a copy of all finalised audit reports.
These are input on to the TEN performance management system, and managers are requested to update the system with action taken to implement the recommendation, along with details of supporting evidence to this effect, where appropriate. The outcomes of this work are provided to the Internal Audit Contractor, who, on a 3/6-monthly basis, undertakes verification of all High Priority recommendations and a sample of Medium Priority recommendations reported as being completed, to confirm this position. The Head of Internal Audit or the Deputy Audit Manager will then appraise the Audit Committee on a 6-monthly basis of the current status of agreed actions detailed in final audit reports.

5. INTERNAL AUDIT’S INDEPENDENCE AND ACCOUNTABILITY

Internal Audit is sufficiently independent of the activities that it audits to enable its auditors to perform their duties in a manner which facilitates impartial and effective professional judgements being reached when formulating audit recommendations and opinions on the internal control environment. Internal Auditors have no operational responsibilities and thus are not required to deliver or manage non-audit services.

The Head of Internal Audit has direct access to the Chair of the Audit Committee, as required, and is able to request ad hoc meetings of the Audit Committee, where appropriate. Furthermore, the Head of Internal Audit and the Chair of the Audit Committee have the opportunity for periodic (at least annual) private discussions without the Financial Services Manager or nominated Deputy, Chief Executive or Strategic Directors being present.

6. THE SCOPE OF WORK CARRIED OUT BY INTERNAL AUDIT

The scope for Internal Audit is essentially ‘the control environment comprising risk management, control and governance’. As a consequence, Internal Audit will review and evaluate all aspects of the Council’s operations, resources, services and responsibilities in relation to other bodies.
It thus follows that the remit of Internal Audit is wide reaching. It is not just confined to fundamental financial systems but will examine the entire control environment of the organisation.

The Head of Internal Audit or the Deputy Audit Manager will perform an audit needs assessment to determine a minimum acceptable level of audit coverage, which needs to be delivered on an annual basis. This entails carrying out a risk assessment of all potential auditable areas to discern those systems that should be subject to audit scrutiny. When determining where audit input should be concentrated, best practice will be followed, i.e. the organisation’s assurance and monitoring mechanisms, including the latest copy of the Corporate Risk Register, will be taken into account prior to the completion of the audit planning process.

It is not uncommon for core financial systems to feature in terms of high risk subject areas meriting audit review. However, other non-financial systems and functions are usually also identified, which include property services, elections, waste management, planning and development control, foreshore and coastal management / coastal protection plus strategic housing and homelessness, etc.

The scope of Internal Audit work will also extend to services provided through partnership arrangements. The Head of Internal Audit will decide, in consultation with all the relevant parties, whether Internal Audit should conduct the work to obtain the required assurance themselves or rely on the assurances provided by other auditors.

Internal Audit, where sufficient expertise exists, will provide additional services, encompassing computer audits, contract audits, fraud related and consultancy work. Moreover, the outcomes of this work, where forthcoming, will contribute to the opinion which Internal Audit provides on the control environment.
With reference to computer audit requirements, these are determined by the Internal Audit Services contractor, who performs a computer audit needs assessment on a 3-yearly cycle. The assessment is undertaken in consultation with key IT personnel. A total of 40 discrete auditable areas, which together are considered to comprise the key aspects of the IT environment within the Council, are evaluated. A separate analysis is also carried out to complement these areas to determine the Council’s key applications and upcoming projects, with the results of this work additionally feeding into the needs assessment. Having analysed this information, risk priority ratings are next extracted and used to generate both Strategic and Annual Audit Plans.

7. DEALING WITH FRAUD AND CORRUPTION MATTERS

Managing the risk of fraud and corruption is the responsibility of management. Audit procedures alone, even when performed with due professional care, cannot guarantee that fraud or corruption will be prevented or detected. Nevertheless, Internal Auditors will be alert in all their work to risks and exposures that could allow fraud or corruption to occur.

The authority will not tolerate fraud and corruption in the administration of its responsibilities, whether from inside or outside the authority, and this is supported by the Council’s Fraud and Corruption Policy and Whistleblowing Policy. Moreover, the Council’s expectation of propriety and accountability is that members and employees at all levels will lead by example in ensuring adherence to legal requirements, rules, procedures and practices.

Individuals must report any concern or suspicion that something has happened or is about to happen that may be fraudulent or corrupt, in the manner outlined in the Fraud and Corruption Policy. Similarly, within the Code of Conduct for Employees, staff are positively encouraged to raise any concerns that they have.
The Council also has a Whistle Blowing Policy, approved by Full Council on 16th December 2009, which advocates, as a first step, that staff should normally raise concerns with their immediate manager. If unable to do so for any reason, the officer should then go to any other manager with whom they feel comfortable, bearing in mind the seriousness and sensitivity of the issues involved and who is suspected of the malpractice. Whistleblowing concerns can be raised verbally, or preferably, in writing. Advice and guidance on how to progress specific matters of concern should be addressed to:

• The Monitoring Officer;
• The Chief Executive;
• The Head of Internal Audit;
• Trade Union Representatives; or,
• Public Concern at Work.

The first 3 officers identified above in paragraph 7.4 are essentially those personnel to whom whistleblowing concerns should be formally communicated. A range of steps will then be followed to evaluate whether a whistleblowing investigation should be carried out or alternative action or no action should be taken, and the whistleblower will be advised accordingly in line with procedures laid down in the Whistleblowing Policy.

8. INTERNAL AUDIT RESOURCES

The Internal Audit Service is delivered by means of a group agreement between North Norfolk District Council, Great Yarmouth Borough Council, South Norfolk, Breckland and Broadland District Councils and the Broads Authority. All six authorities have signed an agreement under which South Norfolk Council procures the services from an external contractor on behalf of the six organisations.

The Head of Internal Audit is responsible for managing the delivery of the Internal Audit Service, acts in the capacity of Contract Manager and is in regular contact with the Internal Audit Services contractor – Deloitte Public Sector Internal Audit Ltd.
The service is delivered according to a rolling 3-year Strategic Audit Plan and an Annual Plan developed by the Head of Internal Audit or the Deputy Audit Manager. The Audit Plans are formulated in consultation with the Financial Services Manager or their nominated Deputy, the Chief Executive, and Corporate Leadership Team, and are based upon an audit needs assessment, which is primarily a risk assessment of the various systems and processes within the Council, covering all the organisation’s objectives and activities and their associated risks. Once the relevant systems have been defined, their relative importance for audit purposes is established and the frequency of subsequent audit coverage is identified and incorporated into the Strategic Audit Plan. Annually, the Strategic Audit Plan will be rolled forward taking into account changing risks caused by new developments (e.g. new systems, revisions to existing systems and/or working practices, new legislation, any organisational restructuring, changing priorities/business objectives, expansion of partnerships, etc). The Strategic and Annual Audit Plans set out the number of audit days required to adequately review the areas identified and indicate the priority for each audit assignment, be it high, medium or low. Once planned work requirements have been determined, these will be compared to resource availability. The Head of Internal Audit is responsible for ensuring that Internal Audit resources are sufficient to meet its responsibilities and achieve its objectives. 
Where there is an imbalance between planned audit coverage and Internal Audit resources to discharge these duties, and it has been concluded that resources are inadequate for the purpose, the Head of Internal Audit will raise his/her concerns with the Financial Services Manager, their nominated Deputy or the Chief Executive (in the absence of the Financial Services Manager or their nominated Deputy) and proposed solutions will be taken forward to the Audit Committee for its consideration, as final approval of the Plans prior to the start of the relevant financial year rests with the Audit Committee. In the event of special investigations arising, or ad hoc reviews being requested, agreement for these variations to original Audit Plans will be discussed and agreed with the Financial Services Manager, their nominated Deputy or the Chief Executive (in the absence of the Financial Services Manager or their nominated Deputy) and Variation Orders will be raised and issued to the Internal Audit Services contractor. Similarly, if original job budgets set subsequently require expansion, the extra days required will be discussed and agreed with the Financial Services Manager, their nominated Deputy or the Chief Executive (in the absence of the Financial Services Manager or their nominated Deputy) and a Variation Order raised and issued to the contractor, to reflect the extension of time. The same arrangements will apply to audits needing to be deleted from Audit Plans. All revisions to the Audit Plans will be notified to the Audit Committee through the Head of Internal Audit’s Progress Report and Annual Report. As specified in the Internal Audit Services contract, appropriate staff in terms of grades, qualifications, skills and experience will be provided by the Internal Audit Services contractor in order to ensure satisfactory delivery of Audit Plan requirements. 
These staff must comply with a stated level of competence (as outlined in the Internal Audit Services Specification) and will maintain and develop their competence through targeted training and continuing professional development, evidence of which will be provided to the Head of Internal Audit on a periodic basis. These staff must also clearly demonstrate that they have the appropriate competences and skills to deliver audits, when attending Planning Meetings and undertaking initial audit fieldwork meetings with client officers.

9. REPORTING UPON AUDIT ASSIGNMENTS

As audit fieldwork is drawing to an end, a debrief meeting will be arranged with client officers to discuss audit outcomes. The debrief meeting should take place 5 days before the fieldwork is completed, to enable the factual correctness of audit findings to be confirmed and to allow an opportunity for client side to respond to internal control weaknesses identified and put forward any additional information not previously submitted to the auditors.

Upon completion of the audit fieldwork, an Internal Audit report will then be prepared that:

• Provides an opinion on the risks and controls of the area reviewed, and this will contribute to the annual opinion on the control environment, which, in turn, informs the Council’s Annual Governance Statement.
• Provides a formal record of points arising from the audit and management responses to issues raised, to include acceptance of audit recommendations with implementation timescales, as well as reasons for rejecting recommendations.
• Prompts management to implement agreed actions within targeted dates.

The Head of Internal Audit or Deputy Audit Manager approves a draft version of all reports before their formal issue to the responsible Service Manager/Head of Service and Strategic Director. A copy is also supplied to the Financial Services Manager or their nominated Deputy and the Chief Executive.
In addition to debrief meetings at the end of audit fieldwork, there will also be the opportunity to have an Exit Meeting involving the Head of Internal Audit, the Deputy Audit Manager, the Financial Services Manager or their nominated Deputy, the relevant Service Manager/Head of Service, Strategic Director and/or Chief Executive, where appropriate, to discuss detailed aspects of draft audit reports and agree action plans.

Accountability for management’s response to Internal Audit advice and recommendations lies with the Financial Services Manager or their nominated Deputy, Chief Executive, Strategic Directors and Service Managers/Heads of Service, as appropriate, who can either accept and implement guidance given or formally reject it. However, if audit proposals to strengthen the internal control environment are disregarded and there are no compensating controls justifying this course of action, an audit comment will be made in the final audit report, reiterating the nature of the risk that remains and recognising that management has chosen to accept this risk. Furthermore, depending on the severity of the risk, the matter may be escalated upwards for the Audit Committee’s attention.

Final audit reports will be issued to the relevant Strategic Director, Service Manager/Head of Service, the Chief Executive, the Financial Services Manager or their nominated Deputy, the relevant Portfolio Holders, the Audit Committee and the External Auditor. In addition, the Financial Services Manager or the Chief Executive (in the absence of the Financial Services Manager or their nominated Deputy) will forward copies of all final audit reports to a designated officer responsible for arranging the input of agreed audit recommendations to the Council’s TEN system.

Each audit report is subject to follow up action, as already explained in paragraphs 4.3 and 4.4.
Management are requested to comment on progress achieved in relation to agreed actions at regular intervals after the final audit report has been issued. Additionally, Internal Audit will undertake 3/6-monthly follow up visits to verify evidence of action initiated with regard to High Priority recommendations, whilst the Head of Internal Audit and Deputy Audit Manager will also be involved in the process, reporting the outcomes of audit follow up to the Audit Committee on a 6-monthly basis.

10. MONITORING THE OVERALL PERFORMANCE OF INTERNAL AUDIT

Internal Audit monitors its performance in a number of ways, which are set out in the Service Specification within the Internal Audit Services Contract. Aspects of the service subject to scrutiny include:

• The extent to which the Annual Audit Plan is achieved.
• Completion of audit projects in accordance with agreed timetables for delivery of audit fieldwork, draft and final reports.
• Providing an acceptable lead-in time between the finalisation of audit briefs and the commencement of audit fieldwork.
• Demonstrating that audit coverage has been undertaken in line with original audit brief requirements.
• Ensuring conclusions and recommendations in audit reports are reasonable, appropriate and practical, and supported by the evidence collected.
• Comparing proposed audit recommendations to agreed audit recommendations, to verify that recommendations are justifiable and practical; and,
• Satisfactory post audit feedback is obtained from auditees upon completion of audit projects.

Performance is measured against contractual targets and more recently, local performance indicators have been introduced, which further evaluate the quality of the service being provided to North Norfolk District Council, and these are itemised in Appendix D.