Appendix F
NORTH NORFOLK DISTRICT COUNCIL
INTERNAL AUDIT STRATEGY FOR 2011/12
1
INTRODUCTION AND OVERVIEW
1.1
The objectives of North Norfolk District Council’s Internal Audit Strategy are
set out in Internal Audit’s Terms of Reference, although they can essentially
be summarised as follows:
‘To deliver a risk-based audit plan in a professional, independent manner, to
provide the organisation with an opinion on the level of assurance it can place
upon the internal control environment, systems of risk management and
corporate governance arrangements, and to make recommendations to
improve these provisions, where further development would be beneficial’.
1.2
Internal Audit’s Terms of Reference are reviewed annually by the Head of
Internal Audit and then presented to the Audit Committee for formal approval.
The Terms of Reference for 2010/11 received the endorsement of the Audit
Committee on 9 March 2010, whereas the Terms of Reference for 2011/12
are attached today (8 March 2011) for consideration and approval by the
Audit Committee.
1.3
In accordance with contractual arrangements, each year an Audit Needs
Assessment is completed by the Head of Internal Audit or the Deputy Audit
Manager as part of the audit planning process, culminating in the
development of a rolling 5-year Strategic Audit Plan, with an Annual Audit
Plan being extracted from the latter for adoption in the succeeding financial
year.
1.4
A Computer Audit Needs Assessment is also performed on a 3-yearly basis
by the Internal Audit Services contractor, and the outcomes of this exercise
additionally feed into the rolling 5-year Strategic Audit Plan and the Annual
Audit Plan for the new financial year.
2
WHAT THE INTERNAL AUDIT STRATEGY SETS OUT TO ACHIEVE
2.1
The purpose of the Internal Audit Strategy is to establish the nature of the
methodology to be adopted by Internal Audit to facilitate:
• How the service will be delivered to the Council.
• The provision to the Council’s Section 151 Officer of 3 audit opinions each
year concerning the Council’s systems of internal control and risk
management, and corporate governance arrangements.
• Ensuring that appropriate evidence has been collected in support of the
audit opinions expressed, after which the latter should be used to inform
the authority’s Annual Governance Statement.
• The audit of the Council’s systems of internal control and risk
management, and corporate governance arrangements through Strategic
and Annual Audit Plans is undertaken in a way that affords suitable
priority to the Council’s objectives and risks.
• Audit resources have been appropriately identified to deliver an Internal
Audit Service, which meets required professional standards, provides
acceptable minimum levels of audit coverage and optimises the use of
audit time available.
• Providing annual scrutiny of the fundamental financial systems to provide
assurance that the proper arrangements for financial control are in place,
work which External Audit can then place reliance upon.
• Supporting senior management at the Council as much as possible and
adding value.
3
DEVELOPMENT OF THE CURRENT INTERNAL AUDIT STRATEGY
3.1
The strategy is risk driven in so far as it relies on an Audit Needs
Assessment, which analyses North Norfolk District Council’s operations,
resources, services and responsibilities in relation to other bodies, to identify
where future audit input needs to be focused. In the course of undertaking
the Audit Needs Assessment, aside from taking into account the results of
previous internal audit work carried out at the authority, the following
information has been examined:
Corporate Documentation
• The Annual Governance Statement for 2009/10
• The Statement of Accounts for 2009/10
• The Risk Management Framework, revised August 2010
• Financial Strategy, 2011/12 to 2014/15
• Budget Monitoring Report 2010/11 – Period 6
• 2010/11 Revised Budget, November 2010
• General Fund Capital Programme report, Period 6 2010
• Report on Car Park Management, September 2010
• Waste, Recycling and Associated Services Contract Award, October 2010
• Corporate Risk Register, as at November 2010
External Audit Documentation
• 2009/10 Report to those charged with governance, September 2010
• 2009/10 Summary of recommendations, November 2010
• Audit of the Statement of Accounts for the year ended 31 March 2010
3.2
Seven key risk factors have then been applied to potential auditable areas
and their impact on the organisation evaluated in terms of:
• Materiality – the value of annual direct income/expenditure associated
with the systems/activities;
• Materiality – an estimate of the number of transactions processed by the
systems/activities per annum;
• Significance – the significance of the systems to the objectives and
activities of the Council;
• Complexity of the organisation’s systems/activities in terms of their
operation and auditability;
• Modifications to the organisation’s systems/activities or the likelihood of
changes (i.e. new arrangements) being introduced within the duration of
Audit Plans being put forward;
• Inherent risk, i.e. the likelihood of threats, error or malpractice to the
organisation, because of the nature of its business activity, the regulatory
framework, its size, its growth, its history, etc; and,
• Profile of auditable areas, reflecting on the political sensitivity of the
systems/activities.
3.3
With reference to inherent risk, the Audit Needs Assessment is cognisant of
those areas where historically, there has been the potential for fraud and
corruption, e.g.
o Housing Benefits
o Provision of Discounts (e.g. Council Tax Discounts)
o Awarding of Grants – Community Grants, Private Sector Housing and
other Direct Payments
o Cash Collection
o Car Parking Income
o Credit Income
o Creditor Payments
o Contracts and Procurement
o Loans and Investments
o Payroll, expense claims and recruitment
o Disposal of Assets
o Awarding of Planning Consents
o Awarding of Licences
o Gifts and Hospitality
3.4
The risk factors have been weighted to produce a risk score, expressed as a
percentage that is, in turn, translated into a risk rating of Very High, High,
Medium or Low. Once risks have been categorised, it is then possible to
determine the frequency with which the areas identified should be subject to
audit scrutiny.
Low risk systems will be examined on a 5-yearly cycle.
Medium risk assessed systems should be reviewed on a 3-yearly basis; high
risk areas will be audited on a 2-yearly cycle, and Very High risk will be
scrutinised on an annual basis.
3.5
From our review of associated documentation, as identified in paragraph 3.1,
and having kept abreast of ongoing developments at the Council, we have
identified several other factors that have significant bearing on the assessed
audit risks and resultant proposed audit coverage going forward. Key items
acknowledged as impacting on the planning process have been as follows:
• In October 2010, Full Council awarded the management of the waste
service contract to a new contractor, Kier Street Services Ltd. The new
contract envisages a number of changes to the previous arrangements
operating, including innovative and changed working methods, new
services including glass collection, increased trade recycling and wood
recycling.
• The Cabinet meeting of September 2010 agreed to the establishment of a
shared service arrangement with King’s Lynn and West Norfolk Borough
Council for the management of the Council’s car parks. As part of the
agreement, it was recommended that an internal audit review should be
undertaken within the first 12 months of the new arrangements.
• Management are considering making a number of smaller changes within
services, which in turn has impacted on our consideration of the most
effective timing of audit review, and potential audit budgets. This includes
changes to sales systems within the Council-run sports halls, a review of
the Council’s tourism offerings, and consideration of the merging of the
exchequer and sundry debtors teams.
3.6
As mentioned previously in paragraph 1.3, a Computer Audit Needs
Assessment is also performed by the Internal Audit Services contractor in
parallel to the Audit Needs Assessment work carried out by the Head of
Internal Audit or the Deputy Audit Manager. The Computer Audit Needs
Assessment effectively evaluates the key risks affecting the IT environment
within the Council and, having identified risk priority ratings, it is then possible
to use this information to populate a Strategic Computer Audit Priority
Analysis and Annual Computer Audit Plans. The outcomes of the exercise
for the period from 2011/12 to 2013/14 were available in November 2010, and
although the outcomes of this review are yet to be finalised, a suggested
allocation of audit coverage has been made based on the conclusions of this
review. From 2014/15, a provision of 40 days has been made for future
computer audit work, in addition to the allocated 4 days for computer audit
follow up.
4
FORMULATION OF THE STRATEGIC AND ANNUAL AUDIT PLANS
4.1
Prior to the commencement of the formal audit planning process for 2011/12,
initial discussions were held with the Section 151 Officer in November 2010 to
review future audit coverage. The outcomes of this meeting were used to
inform the audit needs assessment, which did not result in any significant
changes to the audit plan. The plan was subsequently discussed with the
Senior Management Team on 11 February 2011.
4.2
The next phase involves discussion of the Strategic and Annual Audit Plans
with the Audit Committee, prior to obtaining formal endorsement of the audit
coverage recommended. Once approved by the Committee, the Head of
Internal Audit or Deputy Audit Manager will instruct the Internal Audit Service
contractor (Deloitte Public Sector Internal Audit Ltd) to adopt the Annual Audit
Plan as their work programme for 2011/12.
5
REVIEWING PLANNED AUDIT COVERAGE TO ENSURE ITS ON-GOING
ADEQUACY
5.1
Audit Planning is a dynamic process and the environment in which North
Norfolk District Council operates is frequently subject to change, whether
through the introduction of new systems, the enhancement/modification of
existing systems, revised statutory requirements applying to the organisation
or other developments affecting the way in which the Council conducts its
business. As a consequence, Internal Audit Plans are continually monitored
by the Head of Internal Audit and/or Deputy Audit Manager to ensure that
they remain timely and comprehensive in their proposed coverage.
Throughout the coming year, therefore, the Plans may have to be amended to
reflect any changing priorities that might surface and, possibly, to react
to existing risks that may subsequently escalate, diminish, disappear or be
superseded by new risks, as they affect North Norfolk District Council. For
this reason, flexibility will be shown towards planned audit coverage, to
ensure that it is constantly responsive to changing needs and new
requirements.
5.2
A key consideration has been the ongoing work to develop a shared service
for the revenues and benefits service, in partnership with King’s Lynn and
West Norfolk and Great Yarmouth Borough Councils, and South Norfolk
District Council. Although a business case for the arrangements has recently
been developed, it is not clear at present as to the timing and nature of any
new arrangements. As a result, we have sought to maintain a “status quo”
position with regard to any future auditing arrangements in this area, although
we acknowledge that should any significant developments materialise over the
forthcoming year, our audit approach may need to alter.
5.3
As outlined in the Terms of Reference for Internal Audit (Appendix 1), any
changes that are made to the Internal Audit plans during the year will be
subject to the agreement of the Financial Services Manager or the Deputy
Chief Executive, and subsequently communicated to the Audit Committee.
6
AREAS NOT CONSIDERED FOR AUDIT SCRUTINY
6.1
In undertaking our review of the Council’s Audit Needs, we have identified
that the Council have assessed strategic and operational risks which we do
not intend to scrutinise. These risks, and the reasons as to why Internal Audit
will not be providing assurances in these areas, are identified below.
• Central Government Funding uncertainty (risk 1) – we will look at
some aspects of the controls to support this risk, including corporate and
service planning and budget monitoring. However, other elements fall
within the scope of External Audit’s Value for Money Conclusion.
• Efficiency Agenda (risk 5) – we will review services that have
undertaken change due to the risk this presents. However, we do not
audit the Council’s change management process at present, whilst, as the
risk itself recognises, the External Audit Value for Money Conclusion will
also assess aspects of this work.
• Concessionary Fares (risk 9) – this service is transferring to the County
Council, and therefore has been removed from the audit plan.
• Local Development Framework (risk 13) – the LDF is subject to
separate independent review by the Planning Inspectorate; we do not
duplicate their work with further internal audit scrutiny.
• Local Government Review (risk 18) – this is outside the scope of
Internal Audit review, and at present there are no planned government
intentions to pursue local government review.
• Housing Stock Transfer Warranties (risk 19) – we will review the
controls to ensure the adequacy of the Council’s insurance arrangements;
however, claiming against housing stock warranties is again outside the
scope of Internal Audit review, as should disputes arise these are likely to
be subject to legal, rather than audit action.
• Equalities and Diversity (risk 20) – we do not review equalities as this is
potentially subject to independent examination by the Equalities
Commission.