Please Contact: Ian Vargeson Please email: ian.vargeson@north-norfolk.gov.uk Please Direct Dial on: 01263 516047 7 March 2013 A meeting of the Audit Committee of North Norfolk District Council will be held in the Committee Room at the Council Offices, Holt Road, Cromer on Tuesday 19 March 2013 at 2.00 pm Members of the public who wish to ask a question or speak on an agenda item are requested to arrive at least 15 minutes before the start of the meeting. It will not always be possible to accommodate requests after that time. This is to allow time for the Committee Chair to rearrange the order of items on the agenda for the convenience of members of the public. Further information on the procedure for public speaking can be obtained from Democratic Services, Tel: 01263 516047, Email: democraticservices@north-norfolk.gov.uk Sheila Oxtoby Chief Executive To: Mr N D Dixon, Mr B Jarvis, Mrs A Moore, Miss B Palmer, Mr R Reynolds and Mr D Young All other Members of the Council for information. Members of the Management Team, appropriate Officers, Press and Public If you have any special requirements in order to attend this meeting, please let us know in advance If you would like any document in large print, audio, Braille, alternative format or in a different language please contact us Chief Executive: Sheila Oxtoby Strategic Directors: Nick Baker and Steve Blatch Tel 01263 513811 Fax 01263 515042 Minicom 01263 516005 Email districtcouncil@north-norfolk.gov.uk Web site northnorfolk.org AGENDA 1. TO RECEIVE APOLOGIES FOR ABSENCE 2. PUBLIC QUESTIONS To receive public questions, if any 3. ITEMS OF URGENT BUSINESS To determine any items of business which the Chairman decides should be considered as a matter of urgency pursuant to Section 100B(4)(b) of the Local Government Act 1972. 4. DECLARATIONS OF INTEREST Members are asked at this stage to declare any interests that they may have in any of the following items on the agenda. 
The Code of Conduct for Members requires that declarations include the nature of the interest and whether it is a disclosable pecuniary interest.

5. MINUTES (Page 1)
To approve as a correct record, the minutes of the meeting of the Audit Committee held on 04 December 2012.

6. AUDIT UPDATE AND ACTION LIST (Page 6)
To monitor progress on items requiring action from the meeting of 04 December 2012, including progress on implementation of audit recommendations.

7. CERTIFICATION REPORT (2011/12) – REPORT TO THOSE CHARGED WITH GOVERNANCE (Page 7)
To receive the Certification Report (2011/12)

8. EXTERNAL AUDIT PLAN 2012/13 (Page 23)
To discuss the External Audit Plan 2012/13

9. INTERNAL AUDIT’S TERMS OF REFERENCE, PERFORMANCE INDICATORS, CODE OF ETHICS, STRATEGY, AUDIT PLANS AND SUMMARY AUDIT COVERAGE INFORMATION FOR 2013/14 (Page 44) (Appendix 1 – p. 49) (Appendix 1a – p. 57) (Appendix 2 – p. 59) (Appendix 3 – p. 63) (Appendix 4 – p. 68) (Appendix 5 – p. 72) (Appendix 6 – p. 75) (Appendix 7 – p. 88)

Summary: This report provides an overview of the stages followed prior to the formulation of the Strategic Audit Plan for 2013/14 to 2015/16, and the Annual Audit Plan for 2013/14. The Annual Audit Plan will then serve as the work programme and initial terms of reference for the Council’s Internal Audit Services Contractor, Deloitte Public Sector Internal Audit Ltd, and provide the basis upon which the Internal Audit Consortium Manager will subsequently give Audit Opinions on the systems of internal control and risk management, and corporate governance arrangements at North Norfolk District Council for the year 2013/14. The report additionally aims to clarify the links between Internal Audit’s Terms of Reference, Performance Indicators, Strategy, and its Strategic and Annual Audit Plans, as well as detailing the way in which Internal Audit will operate at the Council in the year ahead.
Current Internal Audit provisions mirror requirements specified in the CIPFA Code of Practice for Internal Audit in Local Government and Statement on the Role of the Head of Internal Audit in Public Service Organisations. However, from 1 April 2013 onwards, new Public Sector Internal Audit Standards will come into force which will supersede CIPFA’s Code of Practice. Once detailed guidance is published, all aspects of service delivery will be reassessed to ensure that there is proper migration to the new requirements and audit documentation will then be updated to reflect these revised obligations and how we will be responding to them and demonstrating compliance in the new financial year.

Conclusions: In reviewing and approving the audit documentation attaching to this report, the Audit Committee is making appropriate provisions to ensure that the Internal Audit requirements as stated in the Accounts and Audit Regulations 2011 are being properly met, and due support is being given to securing an Internal Audit Service which is compliant with professional standards.

Recommendations: The Committee is requested to approve:
• Internal Audit’s Terms of Reference and Performance Indicators for 2013/14;
• Internal Audit’s Code of Ethics for 2013/14;
• Internal Audit’s Strategy for 2013/14;
• The Strategic Audit Plan for 2013/14 to 2015/16;
• The Annual Audit Plan for 2013/14; and,
• The Summary of Internal Audit Coverage for 2013/14.

Cabinet member(s): All
Wards: All
Contact Officer, telephone number, and e-mail: Sandra King, Internal Audit Consortium Manager, 01508 533863, scking@s-norfolk.gov.uk

10. BUSINESS CONTINUITY (Page 83)

Summary: Six monthly update on business continuity planning, the progress made to date, ability to respond to any disruptive events that have recently occurred and the outline of future objectives.

Recommendations: That members note the contents of the report.

Cabinet member(s): All
Ward(s) affected: All
Contact Officer, telephone number, and e-mail: Richard Cook, 01263 516269, richard.cook@north-norfolk.gov.uk

11. AUDIT COMMITTEE WORK PROGRAMME (Page 87)
To review the Audit Committee Work Programme

12. EXCLUSION OF THE PRESS AND PUBLIC
To pass the following resolution, if necessary: “That under Section 100A(4) of the Local Government Act 1972 the press and public be excluded from the meeting for the following items of business on the grounds that they involve the likely disclosure of exempt information as defined in paragraphs 3 and 4 of Part I of Schedule 12A (as amended) to the Act.”

AUDIT COMMITTEE

Minutes of a meeting of the Audit Committee held on 4 December 2012 in the Committee Room, Council Offices, Holt Road, Cromer at 2.00 pm.

Members Present:
Committee: Mr N D Dixon (Chairman), Miss B Palmer, Mr D Young

Officers in Attendance: The Head of Finance, the Head of Internal Audit, The Civil Contingencies Manager (for minute 38), the Policy and Performance Management Officer (for minute 39) and the Democratic Services Officer (ITV).

Members and officers stood in silent tribute in memory of Mr Johnson, Leader of the Council, and his wife.

28. CHAIRMAN’S ANNOUNCEMENT
The Chairman welcomed Miss B Palmer to her first meeting of the Audit Committee.

29. APOLOGIES
Mrs A M Moore, Mr R Reynolds.

28. PUBLIC QUESTIONS
None received.

29. ITEMS OF URGENT BUSINESS
None

30. DECLARATIONS OF INTEREST
None

31. MINUTES
The Minutes of the meeting of the Audit Committee held on 18 September 2012 were approved as a correct record.

32. AUDIT UPDATE AND ACTION LIST
Members were updated on progress on actions arising from the minutes of the meeting of 18 September 2012.
a) Training on the Final Accounts had been delivered and would continue as an annual event.
Audit Committee 1 1 4 December 2012 b) External Audit fee: Members noted the letter received from the External Auditors and the reasons given for the setting of current fee levels, which accorded with Audit Commission guidance. Charges under the scale fee for 2012/13 compared favourably with those for the previous year, taking account of the rebate awarded by the Audit Commission towards costs incurred as part of the transition to IFRS. The Head of Financial Services pointed out that PriceWaterhouseCoopers LLP had a 5 year contract, which could be extended for two years. Although effectively the choice of the Audit Commission, this contract had been seen as a good move when entered into in June, the company having previously been the Council’s external auditors. The Head of Internal Audit added that a working protocol which affected the level of internal testing had a positive effect on regulating fees. c) Inconsistencies regarding Rights of Access to records, assets, personnel and premises notified to the Monitoring Officer had been considered by the Constitution Working Party; a report was due to be presented to Council on 19 December. d) Fraud Risk: the Head of Financial Services was liaising with the Monitoring Officer and further consultation with officers was necessary. Members were anxious to establish a timeline for this work and the Head of Financial Services agreed to pursue a report to the next Committee meeting, in March. e) Business Continuity: a progress report was given under a separate agenda item (see minute 38). Other actions had been completed as set out in the report. 33. ANNUAL AUDIT LETTER The Head of Financial Services explained that the letter summarised work undertaken in the previous financial year and that there were no issues arising. 
The Chairman observed that the letter, as well as reporting the certification of the accounts as true and accurate and having been presented in accordance with the regulations, indicated an overall improvement in the direction of travel.

RESOLVED
To note the Annual Audit Letter in respect of the 2001/12 audit.

34. PROGRESS REPORT ON INTERNAL AUDIT ACTIVITY, SEPTEMBER TO MID-NOVEMBER
The Head of Internal Audit pointed out that the report related to progress for the period from September to mid-November, rather than April to October, as referred to on the agenda paper. Adequate assurance levels had been awarded to the five audits completed since the last report. There was a change to the number of planned audit days for the year, with the previously revised figure of 226 days having now been reduced to 214.5 days; this was primarily due to the deferral of Phase Two work on the Revenues and Benefits Shared Services Partnership to allow more time for data merging and subsequent internal audit scrutiny.

However, the Head of Internal Audit explained that, since writing the progress report, there had been further developments. The Revenues and Benefits Shared Services Partnership Joint Committee had decided to move North Norfolk data back to North Norfolk’s CIVICA system, as there had been problems with the new CIVICA platform hosted by King’s Lynn and West Norfolk Borough Council. This had created additional auditing requirements, which were currently in the process of being confirmed, and called into question previously agreed arrangements for auditing North Norfolk’s Revenues and Benefits systems for 2013/14 onwards, as set out in the Partnership Agreement.
Members asked to be kept informed of any revised provisions and the Head of Internal Audit agreed to include a brief synopsis on the situation when submitting her strategic audit planning proposals and Audit Strategy for 2013/14 which would be presented to the Committee in March 2013.

Members noted progress reported on the Partnerships and Council Tax and NNDR audits and were informed that the fieldwork in relation to the Payroll & HR audit and Exchequer Services audit would be starting in January 2013.

In considering the report on Procurement, Mr Young asked for an update on the Procurement Officer vacancy. The Head of Financial Services stated that interviews were taking place later in the week for a post which would cover these duties; in the meantime, the services of the Procurement Officer at King’s Lynn and West Norfolk had been used. In reply to a further question from Mr Young, the Head of Internal Audit confirmed that a commitment to reinstate the ICT Strategy Group had been given by management and future audit verification work would look into whether the Group was meeting regularly.

The Chairman drew attention to the colour-coded map of audit assurances attached to the agenda for the first time. There was general agreement that this information, in this format, was very helpful and should continue to be provided.

RESOLVED
a) To note the outcomes of the five audits completed between September and mid-November, together with the recent amendments made to the Annual Audit Plan for 2012/13
b) That a brief synopsis of the work on data merging on the Revenues and Benefits Shared Services Partnership audit be included in the Audit Strategy and brought to the next meeting.

35. THE STATUS OF AGREED AUDIT RECOMMENDATIONS DUE FOR IMPLEMENTATION BY SEPTEMBER 2011
The Head of Internal Audit reported on progress on implementing audit recommendations in the first half of the financial year.
It was noted that there were no high priority recommendations requiring implementation in the first half of the financial year. In addition there had been an increase in the percentage of completed recommendations and a significant reduction in the percentage of outstanding recommendations. There had been issues with 13 recommendations where management had not provided details of the latest position reached. The Head of Financial Services then gave a verbal update on these particular recommendations, recognising that 11 had now been put into effect, while the status of the other two remained to be confirmed.

In reply to a question from Mr Young concerning instances of management responses not having been received, the Head of Internal Audit said that this had not been a cause for concern at year end, but had proved problematic in the first six months of 2012/13. The Head of Financial Services added that managers had been made aware of the priority to be given to providing responses to their audit recommendations and that implementation of recommendations had seen a marked improvement.

RESOLVED
To note management action taken, where additional feedback is required and those areas where further work is necessary prior to audit recommendations being fully implemented.

36. BUSINESS CONTINUITY
The Civil Contingencies Manager reported that the top level Business Continuity Plan had been completed and subjected to a peer review. A few minor amendments were needed and managers would be asked to check the flow charts for their services before submission to the Performance and Risk Management Board. This would be done by the end of December.

Referring to team plans, he mentioned that Revenues and Benefits was the only area without a draft; this was, however, likely to be completed shortly. All teams would have produced plans by 21 December. Once adopted, these would be subject to annual review.
The continued sickness absence of a colleague had impacted upon delivery and some elements of business continuity, particularly in training and exercising, had not advanced as had been hoped. For this reason, a Business Continuity (BC) consultant had been approached to provide some short-term help, within the saving on staff salary. This assistance would allow a peer review of the authority’s BC plans and procedures as well as delivering initial BC training to staff. The opportunity would also be taken to explore, with the consultant, whether there was a commercial value to delivering Environmental Health-based specialist knowledge, such as health and safety, commercial waste, food safety, licensing and BC to local businesses.

Following questions regarding the use of Fakenham Connect for disaster recovery, the Civil Contingencies Manager said that outstanding work on fire alarms and computer installation, needed to enable the facility to be fully used for this purpose, would be completed as soon as possible.

RESOLVED
a) That the report be noted.
b) A further progress report be made to the Committee’s March meeting.

37. REVIEW OF THE PERFORMANCE MANAGEMENT FRAMEWORK
The Policy and Performance Management Officer stated that, following completion of the Annual Action Plan and Performance Indicators, a new system was now in place which facilitated performance management of the Plan and its components. The Cabinet and the Overview and Scrutiny Committee were managing performance at the Council through quarterly reporting and decision making. The third quarter report would be made in February.

The system showed performance against targets, for every activity, with a dedicated page for each service plan. Each service manager would be seen quarterly to make sure appropriate adjustments were made regularly on updating and delivery. All performance and risk management information was now easily accessible in one place.
The 2011/12 annual report had been published on the Council’s website. The Chairman recalled that this had been presented to the Committee at its June meeting, just after changes had been approved by the Cabinet and Council. Recognising the need for continual updating, to ensure effectiveness, review and implementation was now complete.

The Committee was then given a demonstration of the new system and how this could be accessed by Members for all performance information and, particularly, in order to identify the status of any action against target. The facility was available through both the web and the intranet and details would shortly be circulated via the Members’ Bulletin.

RESOLVED
To note the verbal report of the Policy and Performance Management Officer.

38. AUDIT COMMITTEE WORK PROGRAMME
RESOLVED
To note the Work Programme.

The meeting ended at 3.40 pm.

______________________
Chairman

Agenda Item 6

AUDIT COMMITTEE 04 DECEMBER 2012 – ACTIONS ARISING FROM THE MINUTES

1. Constitution
To flag up inconsistencies regarding Rights of Access to records, assets, personnel and premises to the Constitution Working Party.
Members
The Constitution was reviewed by the Constitution Working Party and a revised version was approved at Full Council on 19th December 2012

2. Fraud Risk
The Head of Finance was liaising with the Monitoring Officer regarding a review of the Council’s Counter Fraud and Whistleblowing Policies, followed by re-launch through staff and Member briefings.
Monitoring Officer, Head of Finance
The Counter Fraud Policy is likely to come to the September meeting, after going to Cabinet. The Head of Finance will provide an oral update at the March meeting on what is happening in practical terms pending the new policy. The Whistleblowing policy will come to the June 2013 meeting.

3.
Data Merging
That a brief synopsis of the work on data merging on the Revenues and Benefits Shared Services Partnership Audit be included in the Audit Strategy and brought to the next meeting

4. Business Continuity
To receive an update in March
Richard Cook
On the agenda – a brief written report will be provided

www.pwc.co.uk

Annual Certification Report to those charged with governance 2011/12

Government and Public Sector – Annual Certification Report to those charged with governance
North Norfolk District Council
January 2013

The Members of the Audit Committee
Council Offices
Holt Road
Cromer
Norfolk NR27 9EN

January 2013

Ladies and Gentlemen

Annual Certification Report (2011/12)

We are pleased to present our Annual Certification Report which provides members of the Audit Committee with a high level overview of the results of certification work we have undertaken at North Norfolk District Council in 2011/12. We have also summarised our fees for 2011/12 certification work in Appendix A.

Results of Certification work

For the period ended 31 March 2012 we certified four claims and returns worth a final net total of £56,284,722. Of these, none were amended following certification work; however, one required a qualification letter to set out matters arising. We set out further details in the attached report.

We identified a number of matters relating to the Council’s arrangements for preparation of claims and returns during the course of our work, some of which were of a minor nature. The most important of these matters have been brought to your attention in this report.

We ask the Audit Committee to consider:
• the adequacy of the proposed management action plan for 2011/12 set out in Appendix B; and
• the adequacy of progress made in implementing the prior year action plan in Appendix C.
Yours faithfully

PricewaterhouseCoopers LLP

PricewaterhouseCoopers LLP, The Atrium, St Georges Street, Norwich NR3 1AG T: +44 (0) 1603 615244, F: +44 (0) 1603 631060, www.pwc.co.uk

PricewaterhouseCoopers LLP is a limited liability partnership registered in England with registered number OC303525. The registered office of PricewaterhouseCoopers LLP is 1 Embankment Place, London WC2N 6RH. PricewaterhouseCoopers LLP is authorised and regulated by the Financial Services Authority for designated investment business.

Table of Contents

Introduction
  Scope of work
  Statement of Responsibilities of Grant-Paying Bodies, Authorities, the Audit Commission and Appointed Auditors in Relation to Claims and Returns
  Code of Audit Practice and Statement of Responsibilities of Auditors and of Audited Bodies
Results of Certification Work
  Claims and returns certified
  Matters arising
Appendix A
  Certification Fees
Appendix B
  2011/12 Management Action Plan
Appendix C
  2010/11 Management Action Plan – Progress made

PwC 3 9

Introduction

Scope of work

Grant-paying bodies pay billions of pounds in subsidies and grants each year to local authorities and often require certification, by an appropriately qualified auditor, of the claims and returns submitted to them. Certification work is not an audit but a different kind of assurance engagement which reaches a conclusion but does not express an opinion. This involves applying prescribed tests, as set out within Certification Instructions (“CIs”) issued to us by the Audit Commission, which are designed to give reasonable assurance that claims and returns are fairly stated and in accordance with specified terms and conditions; where this is not the case matters are raised in a ‘qualification letter’.
The Audit Commission is required by law to make certification arrangements for grant-paying bodies when requested to do so and sets thresholds for claim and return certification, as well as the prescribed tests which we as local government appointed auditors must undertake. We certify claims and returns as they arise throughout the year to meet the certified claim/return submission deadlines set by grant-paying bodies. Our role is to act as ‘agents’ of the Audit Commission when undertaking certification work; certification work is not an audit but a different form of assurance engagement, the precise nature of which will vary according to the claim or return; we are required to carry out work and complete the auditor certificate in accordance with the arrangements and requirements set by the Commission. We consider the results of certification work when performing other Code of Audit Practice work at the Authority, including for our conclusions on the financial statements and on value for money. Statement of Responsibilities of Grant-Paying Bodies, Authorities, the Audit Commission and Appointed Auditors in Relation to Claims and Returns In November 2010 the Audit Commission updated the ‘Statement of Responsibilities of Grant-Paying Bodies, Authorities, the Audit Commission and Appointed Auditors in Relation to Claims and Returns’. This is available from the Audit Commission’s website. The purpose of this Statement is to summarise the Audit Commission's framework for making certification arrangements and to assist grant-paying bodies, authorities, and the Audit Commission’s appointed auditors by summarising their respective responsibilities and explaining where their different responsibilities begin and end. Code of Audit Practice and Statement of Responsibilities of Auditors and of Audited Bodies In March 2010 the Audit Commission issued a revised version of the ‘Statement of Responsibilities of Auditors and of Audited Bodies’. 
It is available from the Chief Executive of each audited body and on the Audit Commission’s website. The purpose of the Statement is to assist auditors and audited bodies by explaining where the responsibilities of auditors begin and end and what is to be expected of the audited body in certain areas. Reports and letters prepared by appointed auditors and addressed to members or officers are prepared for the sole use of the audited body and no responsibility is taken by auditors to any member or officer in their individual capacity or to any third party.

Results of Certification Work

Claims and returns certified

A summary of the claims and returns certified during the year is set out in the table below. In one case a qualification letter was required to set out matters arising from the certification of the claim/return. None of the claims/returns were amended following the certification work undertaken. All deadlines for submission of certified claims/returns were met. Fee information for the claims and returns is summarised in Appendix A.

Claims and returns certified in 2011/12

CI Reference | Scheme Title | Form | Original Value (£) | Final Value (£) | Amendment | Qualification
BEN01 | Housing and Council Tax Benefits Scheme | MPF720A | 35,212,018 | 35,212,018 | No | Yes
LA01 | National Non Domestic Rates Return | NNDR3 | 21,072,704 | 21,072,704 | No | No

Matters arising

The significant issues identified are discussed below.

Weaknesses in internal control

Claim/Return: Housing and Council Tax Benefits Subsidy (BEN01)
Issue: Final claims on form MPF720A are to be completed and sent to DWP and to the auditor appointed by the Audit Commission by 30 April 2012. PwC did not receive a hard copy of the claim form; however this did not prevent us from starting our work as agreed.
Risk: Failure to comply with certification instructions can result in delayed payment of claims and fines for non-compliance. Delays in providing required documentation to the appointed auditors may lead to increased fees for certification work.
Recommendation: All hard-copy claims and returns should be submitted to the appointed auditor for certification in accordance with the certification instructions.

Non-compliance with regulations / terms and conditions

Our work on the Housing and Council Tax Benefit Subsidy (BEN01) (certification deadline 30 November 2012) was conducted in accordance with the relevant certificate instructions issued by the Audit Commission. We identified several matters regarding non-compliance with regulations / terms and conditions which we wish to raise with those charged with governance. The risks of not addressing these issues and our recommendations for improvement are set out in the table below.

Compliance issues

Claim/Return: Housing and Council Tax Benefits Subsidy (BEN01)
Issue: Errors were identified including:
• Expenditure misclassification;
• Incorrect application of service charges;
• Incorrect entry of data into the subsidy form;
• Data input incorrectly into the calculation of benefit resulting in under / overpayment of benefit; and
• Insufficient documentation maintained on file to support benefit assessment.
Risk: These errors could have a financial impact on the subsidy amount receivable from the DWP. Due to the errors identified, we have been required to perform additional testing which impacts on the grant certification fee.
Recommendation: We recommend that the Authority considers why the errors identified in our testing occurred on a case-by-case basis and implement corrective measures as appropriate.

Similar issues were raised in the prior year Annual Certification Reports in 2010/11 and 2009/10.

Our work on the National Non Domestic Rates Return (NNDR) (certification deadline 28 September 2012) was conducted in accordance with the relevant certificate instructions issued by the Audit Commission.
These require observations raised during the certification work to be reported within a covering qualification letter. There were no such observations and no qualification letter for this return.

Prior Year Recommendations

We have reviewed progress made in implementing the certification action plan for 2010/11. Details can be found in Appendix C.

Appendices

Appendix A

Certification Fees

The fees for certification of each claim/return are set out below:

Claim/Return | 2011/12 (£) | 2010/11 (£) | Comment
BEN01 Housing and Council Tax Benefits Scheme | 56,065 | 55,500 |
LA01 National Non Domestic Return (NNDR) | 2,600 | 4,500 | No CI Part B testing was carried out in 2011/12
HOU21 Disabled Facilities Grant | 0 | 1,000 | We were not required to certify this return in 2011/12
Total | 58,665 | 61,000 |

These fees reflect the Authority’s current performance and arrangements for certification. It may be possible to reduce fees should the Authority improve its performance by:
• Coordination: assigning a key member of staff with responsibility to liaise with auditors and claim/return preparers in order to coordinate and improve certification arrangements across the authority;
• Use of Audit Commission documentation tools: ensuring that for the BEN01 certification work, all additional 40+ testing is documented in the workbooks provided;
• Review: improving accuracy of claims/returns submitted for certification requiring independent review; and
• Documentation: improving working papers and quality of evidence available to support the claim/return.

Prior to the commencement of 2011/12 certification work we discussed with the Council the ways in which we can help to improve the level of communication around issues we experience in the completion of our certification work, issues which may ultimately impact on certification fees.
We will continue to seek ways in which we can improve the overall level of liaison with senior officers regarding the progress of certification work, time and issues.

At the same time, we welcome closer scrutiny by officers of any certification claims submitted to us for review and continued efforts to ensure that the quality of evidence available to support claims/returns is appropriate. The Council’s performance may also be improved by ensuring prior year qualification issues are reviewed and controls assessed to mitigate against similar errors occurring in future periods.

We are happy to discuss how we may assist further with your improvement; for example, we can perform specific focussed, risk-based work in this area should that be required.

Appendix B

2011/12 Management Action Plan

Claim/Return: Housing and Council Tax Benefits Subsidy (BEN01)
Issue: Final claims on form MPF720A are to be completed and sent to DWP and to the auditor appointed by the Audit Commission by 30 April 2012. PwC did not receive a hard copy of the claim form; however this did not prevent us from starting our work as agreed.
Recommendation: All hard-copy claims and returns should be submitted to the appointed auditor for certification in accordance with the certification instructions.
Management Response: This is acknowledged, however due to delays in receiving and implementing software releases this has meant there has been some delay.
Responsibility (implementation date): Revenues and Benefits Manager (30/04/2013)

Claim/Return: Housing and Council Tax Benefits Subsidy (BEN01)
Issue: Errors were identified including:
• Expenditure misclassification;
• Incorrect application of service charges;
• Incorrect entry of data into the subsidy form;
• Data input incorrectly into the calculation of benefit resulting in under / overpayment of benefit; and
• Insufficient documentation maintained on file to support benefit assessment.
Recommendation: We recommend that the Authority considers why the errors identified in our testing occurred on a case-by-case basis and implement corrective measures as appropriate.
Management Response: This recommendation has been noted. Training is on-going for Benefit Assessors and it is anticipated that with the implementation of the new software that user error will be reduced.
Responsibility (implementation date): Revenues and Benefits Manager (on-going)

Appendix C

2010/11 Management Action Plan – Progress made

Claim/Return (deadline): Housing and Council tax benefit subsidy BEN01 (30 Nov 2011); Disabled facilities HOU21 (31 Oct 2011)
Issue: The Authority did not comply with all required deadlines for submission of claim forms to the grant paying bodies and appointed auditor as specified in the relevant certification instructions:
• BEN01, received 16 June 2011 (deadline 31 May 2011); and
• HOU21, received 12 August 2011 (deadline 30 June 2011).
Similar issues were raised in the prior year Annual Certification Report 2009/10.
Recommendation: All claims and returns should be submitted promptly and by the stated deadline. We accept that in the case of the BEN01 claim the Authority were awaiting “fixes” from the software provider.
Management response: BEN01 - as stated the authority was waiting fixes from the software supplier that impacted on the accuracy of the subsidy return. Fixes were not received until 9/6 these had to be loaded, tested, run on live and then individual accounts reviewed and amended. The Benefits software is to be replaced in 2012/13 which should mitigate such issues for the 2012/13 return but not the 2011/12 return which will be run on the existing software.
HOU21 – Diary reminders have been added to outlook calendars for both staff inputting claims information and those responsible for final authorisation of the claim to ensure that the required timescales are met for 2012.
Responsibility (Implementation date): BEN01: Revenues & Benefits Manager, 31 May 2012. HOU21: Completed.
Recommendation Status: BEN01: Open - similar issues were encountered during the 2011/12 certification work. Re-reported above. HOU21: No longer applicable as the requirement to complete this return has been removed.

Claim/Return (deadline): Housing and Council tax benefit subsidy BEN01 (30 Nov 2011)
Issue: Our certification work identified errors including:
• Expenditure misclassification; and
• Data input incorrectly into the calculation of benefit.
Similar issues were raised in the prior year Annual Certification Report 2009/10, however overall the number of issues identified in 2010/11 is a reduction on the previous year.
Recommendation: We recommend that the Authority considers the reasoning behind why the errors identified in our testing occurred on a case-by-case basis and puts in place appropriate corrective measures. Such measures may include:
• Liaising with the housing benefit system provider (current and new when applicable) to improve system overpayment identification;
• Improving benefit assessor training; and
• Increasing the frequency of internal quality review checks.
Management response and Responsibility (Implementation date):
• The Benefits software is to be replaced in 2012/13. The replacement system deals more effectively with overpayment classification. It is generally a more user friendly system reducing the need to re key information which will reduce errors. The system will not impact the subsidy return for 2011/12. (May/June 2012, Project Plan)
• Additional training on overpayment classification has been provided. (Completed)
• Internal quality reviews will be reviewed as part of the implementation of the new system. (June/July 2012, Revenues & Benefits Manager)
Recommendation Status: Open - similar issues were encountered during the 2011/12 certification work. Re-reported above. Particular care needs to be given in relation to the new benefit system and the issues faced as part of the move to the partnership with the Borough Council of King’s Lynn and West Norfolk.

Glossary

Audit Commission Definitions for Certification work

Abbreviations used in certification work are:

‘appointed auditor’ is the auditor appointed by the Audit Commission under section 3 of the Audit Commission Act 1998 to audit an authority’s accounts who, for the purpose of certifying claims and returns under section 28 of the Act, acts as an agent of the Commission. In this capacity, whilst qualified to act as an independent external auditor, the appointed auditor acts as a professional accountant undertaking an assurance engagement governed by the Commission’s certification instruction arrangements;

‘assurance engagement’ is an engagement performed by a professional accountant in which a subject matter that is the responsibility of another party is evaluated or measured against identified suitable criteria, with the objective of expressing a conclusion that provides the intended user with reasonable assurance about that subject matter;

‘auditor’ is a person carrying out the detailed checking of claims and returns on behalf of the appointed auditor, in accordance with the Commission’s and appointed auditor’s scheme of delegation;

‘authorities’ means all bodies whose auditors are appointed under the Audit Commission Act 1998, which have requested the certification of claims and returns under section 28(1) of that Act;

‘certification instructions’ (‘CIs’) are written instructions from the Commission to appointed auditors on the certification of claims and returns;

‘certify’ means the completion of the certificate on a claim or return by the appointed auditor in accordance with arrangements made by the Commission;

‘claims’ includes claims for grant or subsidies and for contractual payments due under agency agreements, co-financing schemes or otherwise;

‘Commission’ refers to either the Audit Commission or the Grants Team of the Audit Policy and Regulation Directorate of the Commission which is responsible for making certification arrangements and for all liaison with grant-paying bodies and auditors on certification issues;

‘grant-paying bodies’ includes government departments, public authorities, directorates and related agencies, requiring authorities to complete claims and returns;

‘returns’ are either:
- returns in respect of grant which do not constitute a claim, for example, statements of expenditure from which the grant-paying body may determine grant entitlement; or
- returns other than those in respect of grant, which must or may be certified by the appointed auditor, or under arrangements made by the Commission;

‘Statement’ is the Statement of responsibilities of grant-paying bodies, authorities, the Audit Commission and appointed auditors in relation to claims and returns, available from www.audit-commission.gov.uk;

‘underlying records’ are the accounts, data and other working papers supporting entries on a claim or return.

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance.

© 2013 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
www.pwc.co.uk

North Norfolk District Council
External Audit Plan 2012/13
Government and Public Sector
March 2013

Members of the Audit Committee
North Norfolk District Council
Council Offices
Holt Road
Cromer
Norfolk NR27 9EN

Ladies and Gentlemen,

We are pleased to present our Audit Plan, which shows how your key risks and issues drive our audit and summarises how we will deliver. We look forward to discussing it with the Audit Committee, as those charged with governance, so that we can ensure we provide the highest level of service quality.

We would like to thank Members and Officers of the Council for their help in putting together this Plan. If you would like to discuss any aspect of our Audit Plan please do not hesitate to contact either Julian Rickett or Aphrodite Antoniades.

Yours faithfully,

PricewaterhouseCoopers LLP

PricewaterhouseCoopers LLP, The Atrium, St Georges Street, Norwich, NR3 1AG T: +44 (0) 1603 615244, F: +44 (0) 1603 631060, www.pwc.co.uk

PricewaterhouseCoopers LLP is a limited liability partnership registered in England with registered number OC303525. The registered office of PricewaterhouseCoopers LLP is 1 Embankment Place, London WC2N 6RH. PricewaterhouseCoopers LLP is authorised and regulated by the Financial Services Authority for designated investment business.

Contents

Introduction
Risk Assessment
Audit approach
Risk of fraud
Your team and independence
Communicating with you
Audit fees
Appendix 1 - Other engagement information

In March 2010 the Audit Commission issued a revised version of the ‘Statement of responsibilities of auditors and of audited bodies’. It is available from the Chief Executive of each audited body and on the Audit Commission’s website.
The purpose of the statement is to assist auditors and audited bodies by explaining where the responsibilities of auditors begin and end and what is to be expected of the audited body in certain areas. Our reports are prepared in the context of this Statement. Reports and letters prepared by appointed auditors and addressed to members or officers are prepared for the sole use of the audited body and no responsibility is taken by auditors to any Member or officer in their individual capacity or to any third party.

Introduction

The purpose of this plan

This plan:
• is required by International Standards on Auditing (ISAs);
• sets out our responsibilities as external auditor under the Audit Commission’s requirements;
• gives you the opportunity to comment on our proposed audit approach and scope for the 2012/13 audit;
• records our assessment of audit risks, including fraud, and how we intend to respond to them;
• tells you about our team; and
• provides an estimate of our fees.

We ask the Audit Committee to:
• consider our proposed scope and confirm that you are comfortable with the audit risks and approach;
• consider and respond to the matters relating to fraud; and
• approve our proposed audit fees for the year.
Our work in 2012/13

We will:
• audit the annual report and statutory accounts, assessing whether they provide a true and fair view;
• check compliance with International Financial Reporting Standards (IFRS);
• check compliance with the code of practice on local authority accounting;
• consider whether the disclosures in the Annual Governance Statement (AGS) are complete;
• see whether the other information in the accounts is consistent with the financial statements;
• report on the Authority’s arrangements for securing economy, efficiency and effectiveness in its use of resources; and
• tell you promptly when we find anything significant during the audit, directly to management and as soon as practicable to the Audit Committee throughout the year.

We are required to report information on your accounts to the National Audit Office (NAO) which is used as part of the assurance process for compiling the Whole of Government Accounts (WGA).

Risk assessment

We considered the Council’s operations and assessed:
• business and audit risks that need to be addressed by our audit;
• how your control procedures mitigate these risks; and
• the extent of our financial statements and value for money work as a result.

Our risk assessment shows:
• those risks which are significant, and which therefore require special audit attention under auditing standards; and
• our response to significant and other risks, including reliance on internal and other auditors, and review agencies.

Responsibilities

Officers and members of each local authority are accountable for the stewardship of public funds. It is our responsibility to carry out an audit in accordance with the Audit Commission’s Code of Audit Practice (the Code), supplemented by the Statement of Responsibilities of Auditors and of Audited Bodies. Both documents are available from the Chief Executive or the Audit Commission’s website.
It is your responsibility to identify and address your operational and financial risks, and to develop and implement proper arrangements to manage them, including adequate and effective systems of internal control. In planning our audit work, we assess the significant operational and financial risks that are relevant to our responsibilities under the Code and the Audit Commission’s Standing Guidance. This exercise is only performed to the extent required to prepare our plan so that it properly tailors the nature and conduct of audit work to your circumstances. It is not designed to identify all risks affecting your operations nor all internal control weaknesses.

Risk Assessment Results

We have undertaken an audit risk assessment which guides our audit activities. It allows us to determine where our audit effort should be focused and whether we can place reliance on the effective operation of your controls. Risks to the accounts and our true and fair audit opinion are categorised as follows:

Significant: Risk of material misstatement in the accounts due to the likelihood, nature and magnitude of the balance or transaction. These require specific focus in the year.
Elevated: Although not considered significant, the nature of the balance/area requires specific consideration.
Normal: We perform standard audit procedures to address normal risks in any material financial statement line items.

Auditing Standards require us to include two fraud risks as Significant:
• Management override of controls: “Management is in a unique position to perpetrate fraud because of management’s ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Although the level of risk of management override of controls will vary from entity to entity, the risk is nevertheless present in all entities.
Due to the unpredictable way in which such override could occur, it is a risk of material misstatement due to fraud and thus a significant risk.” ISA 240 paragraph 31; and
• Revenue recognition: “When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks.” ISA 240 paragraph 26.

Both are considered as part of our risk assessment.

Summary of audit risks

A summary of the audit risks identified for 2012/13 is set out below, with further information provided on the pages that follow.

Risk arising | Potential impact upon PwC work (Accounts true and fair opinion / Value for money conclusion) | Categorisation for accounts risks
Management override of controls | | Significant
Income and expenditure recognition | | Significant
Property, Plant and Equipment: Valuation | | Elevated
Savings Requirements including localisation of business rates and council tax benefit | | Elevated

Detail of risks identified

Accounts audit risk

Risk: Management Override of Controls
In any organisation, management may be in a position to override the financial controls that are in place. A control breach of this nature may result in a material misstatement. For all of our audits, we are required to consider this as a significant risk and adapt our audit procedures accordingly. For North Norfolk District Council, as the pressure to deliver savings increases, so does the risk of management override.
Audit approach: We will perform procedures to:
• test the appropriateness of journal entries;
• review accounting estimates for biases and evaluate whether circumstances producing any bias, represent a risk of material misstatement due to fraud;
• evaluate the business rationale underlying significant transactions;
• perform ‘unpredictable’ procedures; and
• may perform other audit procedures if necessary.

Risk: Revenue and Expenditure Recognition
There is a risk that the Council could adopt accounting policies or treat income and expenditure transactions in such a way as to lead to material misstatement in the reported revenue and expenditure position.
Audit approach: We will:
• seek to place reliance on internal audit work on key income and expenditure controls;
• test key income and expenditure controls to confirm if they are operating effectively;
• evaluate the accounting policies for income and expenditure recognition;
• test the appropriateness of journal entries and other adjustments;
• review accounting estimates for income and expenditure, for example, provisions; and
• perform analytical review on income and expenditure at year end and reconcile your management information to the information presented in the accounts on a gross basis.

Risk: Property, Plant and Equipment: Valuation
Property, plant and equipment (PPE) represents the largest balance in the Council’s balance sheet. The Council measures its properties at fair value involving a range of assumptions and the use of external valuation expertise. ISAs (UK&I) 500 and 540 require us, respectively, to undertake certain procedures on the use of external expert valuers and processes and assumptions underlying fair value estimates.

Property, Plant and Equipment is the largest figure on your Balance Sheet. Economic conditions continue to be uncertain, which has a potential impact upon the valuation of your property, plant and equipment.
Although you are only required to re-value your assets at least once every 5 years, there is a requirement to assess the carrying value of your assets for impairment every year.

Specific areas of risk include:
• The accuracy and completeness of detailed information on assets.
• Whether the Council’s assumptions underlying the classification of properties are appropriate.
• Whether properties that are not programmed to be revalued in the year might have undergone material changes in their fair value.
• The valuer’s methodology, assumptions and underlying data, and our access to these.

Where asset valuations are undertaken in-year we will:
• agree the source data used by your valuer to supporting records;
• assess the work of your Valuer through use of our own internal specialists where required; and
• agree the outputs to your Fixed Asset Register and accounts.

Where any changes to valuation bases are proposed we will work with you to understand and evaluate the rationale you are using on a timely basis.

Where assets are not re-valued in year, we will review your impairment assessment, and evaluate whether your assets are held at an appropriate value in your accounts at the year-end.

Other Audit Code responsibilities risks

Below is an example of work we may undertake as part of our other Audit Code responsibilities.

Audit Code risk

Risk: Savings Plans
The Council continues to need to achieve significant savings to meet its medium term financial plan, following a reduction in central government funding.
Audit approach: We will review your savings plan. We will consider how the Council manages the plan, and will investigate the reasons behind any significant variations from the plan.
We will specifically consider:
• your record in delivering savings;
• the governance structure in place to deliver the targets (including extent of Member involvement);
• the level and extent of accountability;
• project management arrangements;
• monitoring and reporting; and
• progress on delivering the plan.

We will consider the accounting implications of your savings plans and would welcome early discussion of any new and unusual proposals. In particular, we will consider the impact of the efficiency challenge on the recognition of both income and expenditure.

Audit approach

Code of Audit Practice

Under the Audit Commission’s Code there are two aspects to our work:
• Accounts, including a review of the Annual Governance Statement; and
• Use of Resources.

We are required to issue a two-part audit report covering both of these elements.

Accounts

Our audit of your accounts is carried out in accordance with the Audit Commission’s Code objective, which requires us to comply with International Standards on Auditing (ISAs) (UK & Ireland) issued by the Auditing Practices Board (APB). We are required to comply with them for the audit of your 2012/13 accounts.

We plan and perform our audit to be able to provide reasonable assurance that the financial statements are free from material misstatement and give a true and fair view. We use professional judgement to assess what is material. This includes consideration of the amount and nature of transactions.

Our audit approach is based on a thorough understanding of your business and is risk-driven. It first identifies and then concentrates resources on areas of higher risk and issues of concern to you. This involves breaking down the accounts into components. We assess the risk characteristics of each component to determine the audit work required.
Our audit approach is based on understanding and evaluating your internal control environment and where appropriate validating these controls, if we wish to place reliance on them. This work is supplemented with substantive audit procedures, which include detailed testing of transactions and balances and suitable analytical procedures.

Materiality

We plan and perform our audit to be able to provide reasonable assurance that the financial statements are free from material misstatement and give a true and fair view. We use professional judgement to assess what is material. This includes consideration of the amount and nature of transactions.

Our audit approach is based on an understanding of your business and is risk-driven. It first identifies and then concentrates resources on areas of higher risk and issues of concern to you. This involves breaking down the accounts into components. We assess the risk characteristics of each component to determine the audit work required.

Materiality is another factor which helps us to determine our audit approach. Materiality is more than just a quantitative concept. Judgements about materiality are subjective and may change during the course of the engagement. The judgements about materiality are often implicit, and will be reflected in our assessments of risk and our decisions about which business units or locations, account balances, disclosures and other items are of greater or lesser significance.

We identify and assess the risks of material misstatement at two levels:
• the overall financial statement level; and
• in relation to financial statement assertions for classes of transactions, account balances and disclosures.

Specifically, under our integrated audit methodology, we are required to identify three quantitative materiality thresholds as set out in the table below.
These help us to plan the nature, timing and extent of our work and to evaluate the significance of any unadjusted differences identified from our audit procedures.

Type of materiality | What is it used for?
Overall materiality | Overall materiality represents the level at which we would consider qualifying our audit opinion.
Planning materiality | This is the level to which we plan our audit work and identify significant accounts.
De minimis threshold | ISA (UK&I) 450 (revised) requires that we record all misstatements identified except those which are “clearly trivial”. Matters which are clearly trivial are matters which we expect not to have a material effect on the financial statements even if accumulated. When there is any uncertainty about whether one or more items are clearly trivial, the matter is considered not to be clearly trivial. We propose to treat misstatements less than £50,000 as being clearly trivial.

We will include a summary of any uncorrected misstatements identified during our audit in our year-end ISA (UK&I) 260 report.

Use of Resources

Our Use of Resources Code responsibility requires us to carry out sufficient and relevant work in order to conclude on whether you have put in place proper arrangements to secure economy, efficiency and effectiveness in the use of resources.

In accordance with recent guidance issued by the Audit Commission, in 2012/13 our conclusion will be based on two criteria:
• The organisation has proper arrangements in place for securing financial resilience; and
• The organisation has proper arrangements for challenging how it secures economy, efficiency and effectiveness.

We will be carrying out sufficient work to allow us to reach a conclusion on your arrangements based on your circumstances.

Internal Audit

We also aim to rely on the work done by internal audit wherever this is appropriate.
We will ensure that a continuous dialogue is maintained with internal audit throughout the year. We receive copies of all relevant internal audit reports, allowing us to understand the impact of their findings on our planned audit approach.

We plan to rely on the work of internal audit in the following areas:
• Revenue and receivables
• Purchasing and payables
• Payroll and pensions
• Housing and Council Tax benefit
• Council Tax
• National Non-Domestic Rates (NNDR)

Risk of fraud

International Standards on Auditing (UK&I) state that we as auditors are responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error. The respective responsibilities of auditors, management and those charged with governance are summarised below:

Auditors’ responsibility

Our objectives are:
• to identify and assess the risks of material misstatement of the financial statements due to fraud;
• to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and
• to respond appropriately to fraud or suspected fraud identified during the audit.

Management’s responsibility

Management’s responsibilities in relation to fraud are:
• to design and implement programmes and controls to prevent, deter and detect fraud;
• to ensure that the entity’s culture and environment promote ethical behaviour; and
• to perform a risk assessment that specifically includes the risk of fraud addressing incentives and pressures, opportunities, and attitudes and rationalisation.
Responsibility of the corporate governance committee

Your responsibility as part of your governance role is:
• to evaluate management’s identification of fraud risk, implementation of antifraud measures and creation of appropriate “tone at the top”; and
• to investigate any alleged or suspected instances of fraud brought to your attention.

Conditions under which fraud may occur

Why commit fraud?
• Incentive / pressure: Management or other employees have an incentive or are under pressure.
• Opportunity: Circumstances exist that provide opportunity – ineffective or absent control, or management ability to override controls.
• Rationalisation/attitude: Culture or environment enables management to rationalise committing fraud – attitude or values of those involved, or pressure that enables them to rationalise committing a dishonest act.

Your views on fraud

We enquire of the Committee:
• Whether you have knowledge of fraud, either actual, suspected or alleged, including those involving management?
• What fraud detection or prevention measures (e.g. whistleblower lines) are in place in the entity?
• What role you have in relation to fraud?
• What protocols / procedures have been established between those charged with governance and management to keep you informed of instances of fraud, either actual, suspected or alleged?

Your team and independence

Your audit team has been drawn from our government and public sector team based in the South East.
Your audit team consists of the key members listed below, but is further supported by our specialists both in the sector, and across other services:

Audit Team: Engagement Partner, Julian Rickett, 3rd year on the audit, 01603 883321, Julian.c.rickett@uk.pwc.com
Responsibilities: Engagement Leader responsible for independently delivering the audit in line with the Code of Audit Practice, including agreeing the Audit Plan, ISA (UK&I) 260 report and Annual Audit Letter, the quality of outputs and signing of opinions and conclusions. Also responsible for liaison with the Chief Executive and Members.

Audit Team: Engagement Manager, Aphrodite Antoniades, 1st year on the audit, 01603 883170, Aphrodite.antoniades@uk.pwc.com
Responsibilities: Manager on the assignment responsible for overall control of the audit engagement, ensuring delivery to timetable, delivery and management of targeted work and overall review of audit outputs. Completion of the Audit Plan, ISA (UK&I) 260 report, Annual Audit Letter and governance aspects of the VFM conclusion work.

Audit Team: Team Leader, Phil Beecher, 2nd year on the audit, 01603 883383, Philip.e.beecher@uk.pwc.com
Responsibilities: Team Leader on the assignment responsible for control and direction of the on-site audit team and day to day communication with the finance team.

Our team members

It is our intention that, wherever possible, staff work on the North Norfolk District Council audit each year, developing effective relationships and an in depth understanding of your business. We are committed to properly controlling succession within the core team, providing and preserving continuity of team members.

We will hold periodic client service meetings with you, separately or as part of other meetings, to gather feedback, ensure satisfaction with our service and identify areas for improvement and development year on year. These reviews form a valuable overview of our service and its contribution to the business.
We use the results to brief new team members and enhance the team’s awareness and understanding of your requirements.

Independence and objectivity

As external auditors of the Authority we are required to be independent of the Authority in accordance with the Ethical Standards established by the Auditing Practices Board (APB). These standards require that we disclose to those charged with governance all relationships that, in our professional judgement, may reasonably be thought to bear on our independence.

We have a demanding approach to quality assurance which is supported by a comprehensive programme of internal quality control reviews in all offices in the UK. Our quality control procedures are designed to ensure that we meet the requirements of our clients and also the regulators and the appropriate auditing standards within the markets that we operate. We also place great emphasis on obtaining regular formal and informal feedback.

We have made enquiries of all PricewaterhouseCoopers’ teams providing services to you and of those responsible in the UK Firm for compliance matters. There are no matters which we perceive may impact our independence and the objectivity of the audit team.

Relationships and Investments

Senior officers should not seek or receive personal financial or tax advice from PwC. Non-executives who receive such advice from us (perhaps in connection with employment by a client of the firm) or who also act as director for another audit or advisory client of the firm should notify us, so that we can put appropriate conflict management arrangements in place.

Independence conclusion

At the date of this plan we confirm that in our professional judgement, we are independent accountants with respect to the Council, within the meaning of UK regulatory and professional requirements and that the objectivity of the audit team is not impaired.
Communicating with you

Communications Plan and timetable
ISA (UK&I) 260 (revised) ‘Communication of audit matters with those charged with governance’ requires auditors to plan with those charged with governance the form and timing of communications with them. We have assumed that ‘those charged with governance’ are the Audit Committee. Our team works on the engagement throughout the year to provide you with a timely and responsive service. Below are the dates when we expect to provide the Audit Committee with the outputs of our audit.

Stage of the audit: Audit planning
• Output: Audit Fee Letter. Date: December 2012
• Output: Audit Plan. Date: March 2013

Stage of the audit: Annual Certification
• Output: Annual certification report (relating to claims and returns certified in the previous year). Date: March 2013

Stage of the audit: Audit findings
• Output: Internal control issues and recommendations for improvement (if applicable - may form part of the Audit Memorandum). Date: Throughout the audit
• Output: ISA (UK&I) 260 report incorporating specific reporting requirements, including:
  - Any expected modifications to the audit report;
  - Uncorrected misstatements, i.e. those misstatements identified as part of the audit that management have chosen not to adjust;
  - Material weaknesses in the accounting and internal control systems identified as part of the audit;
  - Our views about significant qualitative aspects of your accounting practices including accounting policies, accounting estimates and financial statements disclosures;
  - Any significant difficulties encountered by us during the audit;
  - Any significant matters discussed, or subject to correspondence with, Management;
  - Any other significant matters relevant to the financial reporting process; and
  - Summary of findings from our use of resources audit work to support our value for money conclusion
  Date: September 2013

Stage of the audit: Audit reports
• Output: Financial Statements including Use of Resources. Date: September 2013

Stage of the audit: Other public reports
• Output: Annual Audit Letter. A brief summary report of our work, produced for Members and to be available to the public. Date: October 2013

Audit fees
The Audit Commission has provided indicative audit fee levels for the 2012/13 financial year. The base fee scale for your audit is £107,250. The fee is broken down as follows:

Fee element | 2012/13 (£) | 2011/12 (£)
Financial statements including Whole of Government Accounts and Use of Resources Conclusion | 71,250 | 118,750
Certification of claims and returns | 36,000 | 59,040
Total audit fee | 107,250 | 177,415
Contingent Fees for IT systems work* | 3,100 | 0
Non-audit work | 0 | 0
Total | 110,350 | 177,415

*Amount to cover work required to consider the controls that were operating to ensure data integrity during the data migration to the new Revenues and Benefits systems, for the Shared Services Partnership Agreement, and then back to the original system.
We have based the fee level on the following assumptions:
• Officers meeting the timetable of deliverables, which we will agree in writing;
• We are able to place reliance, as planned, upon the work of internal audit;
• Working papers and financial statements have been reviewed by officers before providing for audit;
• The quality of working papers is appropriate;
• We are able to draw comfort from your management controls;
• In respect of the grant claim budget – no additional sampling required and no amendments or qualifications;
• No significant changes being made by the Audit Commission to the use of resources criteria on which our conclusion will be based; and
• Our use of resources conclusion and accounts opinion being unqualified.
If these prove to be unfounded, we will seek a variation order to the agreed fee, to be discussed in advance with you.

Certification of grant claims
Our fee for the certification of grant claims is based on the amount of time required to complete individual grant claims at standard hourly rates. We will discuss and agree this with the Head of Financial Services and her team.

Appendix 1 - Other engagement information
The Audit Commission appoint us as auditors to North Norfolk District Council and the terms of our appointment are governed by:
• The Code of Audit Practice; and
• The Standing Guidance for Auditors.
There are four further matters which are not currently included within the guidance, but which our firm’s practice requires that we raise with you.

Electronic communication
During the engagement we may from time to time communicate electronically with each other. However, the electronic transmission of information cannot be guaranteed to be secure, virus or error free and such information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete or otherwise be adversely affected or unsafe to use.
PwC partners and staff may also need to access PwC electronic information and resources during the engagement. You agree that there are benefits to each of us in their being able to access the PwC network via your internet connection and that they may do this by connecting their PwC laptop computers to your network. We each understand that there are risks to each of us associated with such access, including in relation to security and the transmission of viruses. We each recognise that systems and procedures cannot be a guarantee that transmissions, our respective networks and the devices connected to these networks will be unaffected by risks such as those identified in the previous two paragraphs. We each agree to accept the risks of and authorise (a) electronic communications between us and (b) the use of your network and internet connection as set out above. We each agree to use commercially reasonable procedures (i) to check for the then most commonly known viruses before either of us sends information electronically or we connect to your network and (ii) to prevent unauthorised access to each other’s systems. We shall each be responsible for protecting our own systems and interests and you and PwC (in each case including our respective directors, members, partners, employees, agents or servants) shall have no liability to each other on any basis, whether in contract, tort (including negligence) or otherwise, in respect of any error, damage, loss or omission arising from or in connection with the electronic communication of information between us and our reliance on such information or our use of your network and internet connection. The exclusion of liability in the previous paragraph shall not apply to the extent that such liability cannot by law be excluded. Access to audit working papers We may be required to give access to our audit working papers to the Audit Commission or the National Audit Office for quality assurance purposes. 
Quality arrangements
We want to provide you at all times with a high quality service to meet your needs. If at any time you would like to discuss with us how our service could be improved or if you are dissatisfied with any aspect of our services, please raise the matter immediately with the partner responsible for that aspect of our services to you. If, for any reason, you would prefer to discuss these matters with someone other than that partner, please contact Paul Woolston, our Audit Commission Lead Partner at our office at 89 Sandyford Road, Newcastle Upon Tyne, NE1 8HW, or James Chalmers, UK Head of Assurance, at our office at 7 More London, Riverside, London, SE1 2RT. In this way we can ensure that your concerns are dealt with carefully and promptly. We undertake to look into any complaint carefully and promptly and to do all we can to explain the position to you. This will not affect your right to complain to the Institute of Chartered Accountants in England and Wales or to the Audit Commission.

Events arising between signature of accounts and their publication
ISA (UK&I) 560 (revised) places a number of requirements on us in the event of material events arising between the signing of the accounts and their publication. You need to inform us of any such matters that arise so we can fulfil our responsibilities.

If you have any queries on the above, please let us know before approving the Audit Plan or, if arising subsequently, at any point during the year.

In the event that, pursuant to a request which North Norfolk District Council has received under the Freedom of Information Act 2000, it is required to disclose any information contained in this report, it will notify PwC promptly and consult with PwC prior to disclosing such report.
North Norfolk District Council agrees to pay due regard to any representations which PwC may make in connection with such disclosure and North Norfolk District Council shall apply any relevant exemptions which may exist under the Act to such report. If, following consultation with PwC, North Norfolk District Council discloses this report or any part thereof, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the information is reproduced in full in any copies disclosed.

This report has been prepared for and only for North Norfolk District Council in accordance with the Statement of Responsibilities of Auditors and of Audited Bodies (Local Government) published by the Audit Commission in March 2010 and for no other purpose. We do not accept or assume any liability or duty of care for any other purpose or to any other person to whom this report is shown or into whose hands it may come save where expressly agreed by our prior consent in writing.

© 2013 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

Audit Committee 19 March 2013 Agenda Item No 9

INTERNAL AUDIT’S TERMS OF REFERENCE, PERFORMANCE INDICATORS, CODE OF ETHICS, STRATEGY, AUDIT PLANS AND SUMMARY AUDIT COVERAGE INFORMATION FOR 2013/14

Summary: This report provides an overview of the stages followed prior to the formulation of the Strategic Audit Plan for 2013/14 to 2015/16, and the Annual Audit Plan for 2013/14.
The Annual Audit Plan will then serve as the work programme and initial terms of reference for the Council’s Internal Audit Services Contractor, Deloitte Public Sector Internal Audit Ltd, and provide the basis upon which the Internal Audit Consortium Manager will subsequently give Audit Opinions on the systems of internal control and risk management, and corporate governance arrangements at North Norfolk District Council for the year 2013/14. The report additionally aims to clarify the links between Internal Audit’s Terms of Reference, Performance Indicators, Strategy, and its Strategic and Annual Audit Plans, as well as detailing the way in which Internal Audit will operate at the Council in the year ahead. Current Internal Audit provisions mirror requirements specified in the CIPFA Code of Practice for Internal Audit in Local Government and Statement on the Role of the Head of Internal Audit in Public Service Organisations. However, from 1 April 2013 onwards, new Public Sector Internal Audit Standards will come into force which will supersede CIPFA’s Code of Practice. Once detailed guidance is published, all aspects of service delivery will be reassessed to ensure that there is proper migration to the new requirements and audit documentation will then be updated to reflect these revised obligations and how we will be responding to them and demonstrating compliance in the new financial year. Conclusions: In reviewing and approving the audit documentation attaching to this report, the Audit Committee is making appropriate provisions to ensure that the Internal Audit requirements as stated in the Accounts and Audit Regulations 2011 are being properly met, and due support is being given to securing an Internal Audit Service which is compliant with professional standards. 
Recommendations: The Committee is requested to approve:
• Internal Audit’s Terms of Reference and Performance Indicators for 2013/14;
• Internal Audit’s Code of Ethics for 2013/14;
• Internal Audit’s Strategy for 2013/14;
• The Strategic Audit Plan for 2013/14 to 2015/16;
• The Annual Audit Plan for 2013/14; and,
• The Summary of Internal Audit Coverage for 2013/14.
Cabinet member(s): All
Wards: All
Contact Officer, telephone number, and e-mail: Sandra King, Internal Audit Consortium Manager, 01508 533863, scking@s-norfolk.gov.uk

1. BACKGROUND
1.1 In accordance with statutory and best practice requirements, Internal Audit’s Terms of Reference, Code of Ethics and Strategy are revisited annually, and updated, where appropriate, after which an Annual Audit Needs Assessment is performed, which further informs the Strategic Audit Plan and enables it to be rolled forward by 12 months. From this amended documentation, it is then possible to extract the Annual Audit Plan for the new financial year. This report thus contains the outcomes of the review process that has been performed in Quarter 4 of 2012/13, to determine the audit approach to be adopted in 2013/14, whilst also setting out the parameters within which the Internal Audit Services contractor will work alongside the audit management team to deliver internal audit coverage at the Council throughout the coming year.
1.1. As for other factors influencing where audit focus should be directed in 2013/14, our Strategy and Summary of Audit Coverage for next year comment on the nature of key issues taken into account when determining audit coverage and provide an overview of those operational aspects which we consider should be given priority in terms of our scrutiny. We note that the Council has recently completed a management restructuring exercise culminating in the appointment of 8 new Heads of Service.
The Revenues and Benefits Shared Services Partnership has also been subject to a number of developments during 2012/13 and more work is envisaged in the new financial year. Added to this backdrop, we further appreciate the implications of a number of new schemes, ranging from administering a local Council Tax Benefits scheme, applying Housing Benefit caps, rolling out a Business Rates retention scheme and implementing a Community Infrastructure Levy to managing the Home Bonus scheme. All place additional financial and administrative commitments on the Council and have been recognised when carrying out our latest audit needs assessment exercise. Moreover, in accordance with our Audit Strategy, we confirm that we will adopt a flexible approach towards such initiatives and their impact on corporate priorities, reassessing how we can support the Council as it repositions services to meet these new challenges.

2. INTERNAL AUDIT’S TERMS OF REFERENCE, 2013/14
2.1 The Terms of Reference for Internal Audit are attached at Appendix 1, whilst accompanying performance indicators against which the Internal Audit Service will be evaluated are listed at Appendix 1a. Our terms of reference form the basis under which Internal Audit operates at the Council. This year, we will be subject to changing professional standards and as yet have not received the detailed guidance as to how they should be implemented. The Standards are based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) and have been introduced to promote further improvement in the professionalism, quality, consistency and effectiveness of Internal Audit across the public sector. Upon receipt of CIPFA guidance applying to the new professional auditing standards, we will reassess all aspects of our working practices to align them to the revised requirements.

3.
INTERNAL AUDIT’S CODE OF ETHICS, 2013/14
3.1 The Code of Ethics sets out the expected behaviours of Internal Audit Staff and can be found at Appendix 2. We have found it necessary to completely rewrite our previous Code of Ethics, so that it now accords with the new regime that should be operating from 2013/14 onwards as specified within the Public Sector Internal Audit Standards, whilst also continuing to comply with requirements laid down in CIPFA’s Statement on the Role of the Head of Internal Audit. The reworked Code is more explicit about the four main principles and the rules of conduct that must be observed.

4. INTERNAL AUDIT STRATEGY, 2013/14
4.1 The Internal Audit Strategy, at Appendix 3, sets out how Internal Audit develops and delivers Strategic and Annual risk-based Audit Plans. This year, when setting the ground rules for populating both the Strategic and Annual Audit Plans, we have conducted an audit job budgets’ rationalisation exercise to ensure that we are adopting a more standardised approach to the number of planned days required to undertake specific audits at Consortium sites. The comparative work confirmed there were some inconsistencies regarding days allocated and also that some audits were being packaged in different ways, hence the exercise has now enabled greater uniformity across the Consortium in terms of days required to complete individual audit projects and the service provisions/operational arrangements selected for audit scrutiny.
4.2 The Strategy also acknowledges that the Revenues and Benefits Shared Services Partnership with Kings Lynn and West Norfolk Borough Council experienced some operational setbacks in 2012/13.
As a consequence, a number of outstanding issues currently face management at both Councils and until such time as greater clarity as to the future direction of the partnership is forthcoming, it has been agreed with management to provide a contingency in the 2013/14 Annual Audit Plan to permit, going forward, some review of shared processes and governance arrangements pertaining to the partnership.

5. THE STRATEGIC AUDIT PLAN, 2013/14 TO 2015/16
5.1 The Strategic Audit Plan, at Appendix 4, provides an overview of the envisaged audit coverage over the next three years, based on our Audit Needs Risk Assessment. However, when reviewing this document it should be appreciated that whilst it is useful in providing an overview and indicating where service reviews are recommended to take place, new Central Government initiatives impacting on local government service delivery may subsequently require significant revisions to be made to this Plan in future years. Our Audit Needs Assessment work each year essentially identifies the requisite level of audit coverage based on the existing conditions and anticipated changes valid at the time of completing each exercise.

6. THE ANNUAL AUDIT PLAN, 2013/14
6.1 The Annual Audit Plan is included at Appendix 5. This is a sub-set of the overall Strategic Audit Plan, again derived from the Audit Needs Risk Assessment. Having produced an outline Annual Audit Plan, we have consulted with the Head of Finance, the Corporate Leadership Team and the Corporate Management Team to discuss and agree overall audit coverage, the potential timing of reviews and, wherever possible, minimise disruption to staff when undertaking audit work in the course of the forthcoming year. Our consultations with management did result in several changes to our original timetabling proposals to ensure that 2013/14 audits will be as constructive as possible when they are performed.
6.2 The new Annual Audit Plan envisages a total of 213 days to be delivered in 2013/14, compared with 216.5 days attaching to the revised Audit Plan for 2012/13, although original provisions for 212 days had been approved by the Audit Committee on 6 March 2012.

7. SUMMARY OF PROPOSED AUDIT COVERAGE, 2012/13
7.1 The Summary of Audit Coverage, included at Appendix 6, provides an oversight into the type of issues that will be considered within each audit undertaken, and why the individual service has been selected for audit scrutiny in the forthcoming year. The information supplied at this stage is designed to provide an overall framework for next year’s audit, although it is the more detailed planning work performed by the Internal Audit Services contractor in conjunction with service management that provides a greater insight into the relative key controls and risks facing the service and where audit input would be most beneficial.

8. LEVELS OF ASSURANCE AWARDED FROM 2008/09 ONWARDS
8.1 In addition to the audit planning information presented here, it is also important to take into account how the internal control environment at the Council has been developing year-on-year and where proposed audit input will provide the Council with appropriate independent assurance during 2013/14. Appendix 7 is therefore included to highlight the historical and current position, as well as future coverage being put forward. Crosses appearing within the table at Appendix 7 have been used to indicate where audits have been identified for delivery in 2013/14, as well as confirming those audits progressing currently as part of the 2012/13 Annual Audit Plan.

9. OPTIONS
9.1 The Audit Plans presented have been derived from the Annual Audit Needs Assessment undertaken by the Internal Audit Consortium Manager.
Failure to support these plans, and potentially consider further reductions in the audit coverage, could result in the Internal Audit Consortium Manager not being able to provide the requisite annual audit opinions, and may lead to the Council’s External Auditors having to increase the work they are required to perform.

10. RISK IMPLICATIONS
10.1 As mentioned above at paragraph 9.1, a failure to approve the Plans presented could result in additional risks to the authority, through the Internal Audit Consortium Manager not being able to provide the necessary opinions, and the External Auditors being required to perform additional audit testing. There is also the risk that reductions in Internal Audit coverage could lead to ongoing weaknesses in the internal control environment at the Council not being detected and reported upon, and subsequently resolved through remedial work being taken.

11. FINANCIAL IMPLICATIONS
11.1 Steps have been taken when formulating Internal Audit coverage for the year ahead, to ensure that the proposals put forward are affordable and do not exceed the approved audit budget for 2013/14.

Appendices attached to this report:
Appendix 1: Terms of Reference for Internal Audit for 2013/14
Appendix 1a: Performance Indicators for the Internal Audit Service
Appendix 2: Internal Audit – Code of Ethics for 2013/14
Appendix 3: Internal Audit Strategy for 2013/14
Appendix 4: Strategic Audit Plan – April 2013 to March 2016
Appendix 5: Annual Audit Plan – April 2013 to March 2014
Appendix 6: Summary of Internal Audit Coverage for 2013/14
Appendix 7: Levels of Assurance Awarded from 2008/09 onwards

Appendix 1
NORTH NORFOLK DISTRICT COUNCIL
TERMS OF REFERENCE FOR INTERNAL AUDIT FOR 2013/14

1.
THE STATUTORY BASIS FOR INTERNAL AUDIT
1.1 The requirement for an Internal Audit Service is outlined within the Accounts and Audit Regulations 2011, which state that “A relevant body must undertake an adequate and effective internal audit of its accounting records and of its system of internal control in accordance with the proper practices in relation to internal control.”
1.2 In addition to clarifying overall arrangements, a further requirement stipulates that Councils conduct a review of the effectiveness of their Internal Audit function at least once a year, and that review should be undertaken by the same body that reviews the Annual Governance Statement. At North Norfolk District Council, this review is undertaken by the Audit Committee.
1.3 An analysis of systems of Internal Audit, as commented upon in 1.2 above, should ideally include how the function operates and the extent of compliance it is able to demonstrate with regards to CIPFA’s Statement on the Role of the Head of Internal Audit in Public Sector Organisations and newly published Public Sector Internal Audit Standards (PSIAS), which are being introduced from 1 April 2013 to replace CIPFA’s Code of Practice for Internal Audit in Local Government. The new PSIAS are based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) and are intended to promote further improvement in the professionalism, quality, consistency and effectiveness of Internal Audit across the public sector. The Internal Audit Consortium Manager will shortly be revisiting working practices (originally designed to satisfy the CIPFA Code of Practice for Internal Audit in Local Government) to ensure provisions going forward are compliant with the new professional standards and will submit updated documentation to the Audit Committee for formal endorsement in due course.

2.
THE RESPONSIBILITIES AND OBJECTIVES OF INTERNAL AUDIT
2.1 Internal Audit is an assurance function that primarily provides an independent and objective opinion to the organisation on the control environment (comprising systems of internal control and risk management plus corporate governance arrangements) by evaluating its effectiveness in achieving the organisation’s objectives.
2.2 As stated in the Council’s Financial Regulations, a continuous Internal Audit, under the direction of the Chief Financial Officer, will be arranged to appraise and review:
(i) The completeness, reliability and integrity of information, both financial and operational;
(ii) The systems established to ensure compliance with policies, plans, procedures, laws and regulations;
(iii) The means of safeguarding assets;
(iv) The economy, efficiency and effectiveness with which resources are employed; and,
(v) Whether operations are being carried out as planned and objectives and goals are being met.
2.3 Internal Audit is also responsible for reviewing, appraising and reporting to management:
(i) The extent to which the Council’s assets and interests are accounted for and safeguarded from losses of all kinds arising from (a) Fraud and other offences; and (b) Waste, extravagance and inefficient administration, poor value for money or other cause.
(ii) The suitability and reliability of financial and other management data developed within the Council.
2.4 As noted above, Internal Audit has a key role in assisting management regarding the prevention and detection of fraud and abuse. Section 7 of these Terms of Reference details our approach adopted in respect of fraud and corruption related matters, whilst the Council’s Financial Regulations – paragraph 6.16 – Preventing Fraud and Corruption – set out member and officer responsibilities, as well as recognising the key controls put in place to prevent financial irregularities occurring.

3.
THE STATUS OF INTERNAL AUDIT, REPORTING LINES AND WORKING RELATIONSHIPS
3.1 The Internal Audit Service at North Norfolk District Council is delivered by means of a Group Agreement that exists between North Norfolk, South Norfolk, Breckland and Broadland District Councils, Great Yarmouth Borough Council and the Broads Authority, collectively known as Norfolk Internal Audit Consortium. All authorities have signed an agreement under which South Norfolk Council procures the services from an external contractor (Deloitte Public Sector Internal Audit Ltd) on behalf of the six organisations. The current contract has been in place since 1 October 2007 and is due to expire on 30 September 2014.
3.2 The Internal Audit Consortium Manager based at South Norfolk Council is responsible for managing the delivery of the Internal Audit Service; acts in the capacity of Contract Manager and is in regular contact with the Internal Audit Services contractor – Deloitte Public Sector Internal Audit Ltd.
3.3 At South Norfolk Council, Internal Audit is situated within the Corporate Resources Department. The Internal Audit Consortium Manager reports directly to the Deputy Chief Executive for administrative purposes. In addition to this, the Internal Audit Consortium Manager has direct reporting access to the Chief Executive, Management Team, and elected members through the Finance, Resources, Audit and Governance Committee, Cabinet and Full Council, and has the right to report unedited in her own name, as she considers necessary.
3.4 At North Norfolk District Council, the responsibility for Internal Audit lies with the Head of Finance, who controls and directs a continuous Internal Audit on account of their being the designated “Responsible Financial Officer/Section 151 Officer” at the authority. The Internal Audit Consortium Manager reports directly to the Section 151 Officer for administrative purposes, but is independent in respect of the planning and operation of the service.
The Internal Audit Consortium Manager meets with the Section 151 Officer at periodic intervals in order to assist the latter with the discharge of their statutory responsibilities, and there is additional consultation as and when required, when finalising audit reports relating to individual assignments featured in North Norfolk District Council’s Annual Audit Plan.
3.5 Provision also exists for regular reporting by the Internal Audit Consortium Manager to the Council’s Audit Committee, some 4-6 times per year to present:
• The Internal Audit Strategy and accompanying Strategic (3-year) and Annual Audit Plans, together with a Summary of Internal Audit Coverage for the forthcoming financial year.
• Progress achieved against the agreed Annual Audit Plan together with details of the outcomes of individual audit assignments.
• Progress achieved against Agreed Action Plans arising from completed reviews subject to final audit reporting.
• Annually updated Terms of Reference and Code of Ethics for Internal Audit.
• The findings and conclusions of any Special/Ad-hoc investigations commissioned by either the Audit Committee or Corporate Management Team.
• The Annual Report of the Head of Internal Audit within 3 months of the end of the Annual Plan period, which will contain an opinion on the effectiveness of the systems of internal control operating at the Council, as well as an opinion on the adequacy of arrangements in relation to corporate governance and risk management, provided on a 2-yearly cycle. All opinions given will be based on work undertaken by Internal Audit throughout the relevant financial years. These opinions additionally inform the Annual Governance Statement.
• The Protocol for Liaison between Internal and External Auditors, updated periodically.
• The outcomes of Annual Audit Committee Self Assessment exercises.
• The outcomes of the annual review of the effectiveness of the internal audit function.
3.6 Internal Audit will also interact with External Audit in accordance with the agreed Protocol for Liaison between Internal and External Auditors, which has been developed to ensure that the services of Internal and External Audit are as integrated as possible, in order to maximise the effectiveness of the overall approach to audit operated within North Norfolk District Council.
3.7 Internal Audit will also liaise with other Councils’ Internal Audit Service providers, where shared service arrangements exist between themselves and North Norfolk District Council. In such cases, a dialogue will be opened with the other Council’s Chief Internal Auditor to agree a way forward regarding the future auditing of ‘shared’ services, which will be both efficient and cost effective for all parties, and cause least disruption to the area being audited.
3.8 In the event of North Norfolk’s Internal Auditors undertaking work for other Councils outside the Norfolk Internal Audit Consortium, arrangements over liability of internal audit work performed will be covered by either a Hold Harmless letter with Deloitte Public Sector Internal Audit Ltd, or contractual arrangements will be extended through a Standard Letter of Engagement. Conversely, if the other Council’s Internal Auditors are nominated to undertake audit work on behalf of North Norfolk District Council, formal confirmation of their liability/accountability for that work will be required, so that full reliance can be placed upon the audit working papers and report generated in consequence. In addition, North Norfolk’s Internal Audit Consortium Manager will review all such work to ensure that it is providing the requisite assurances to feed into her annual audit opinion and should it be found that insufficient or inadequate work has been carried out, North Norfolk’s Internal Audit Consortium Manager reserves the right to request additional work is undertaken.

4.
THE ROLE OF MANAGEMENT IN RELATION TO THE INTERNAL CONTROL ENVIRONMENT AND INTERNAL AUDIT The Chief Executive, Corporate Directors and Heads of Service are responsible for ensuring that the internal control arrangements are sufficient to address the risks facing their services. 4.1 4.2 There is also a duty of care on the Chief Executive, Corporate Directors and Heads of Service, where appropriate, to give due consideration to audit recommendations and respond promptly to such recommendations upon receipt of draft audit reports. Furthermore, where audit recommendations have been accepted, management should be overseeing the implementation of agreed action plans within pre-agreed timescales and provide evidence to Internal Audit that the systems of internal control have been duly strengthened. Following the issue of final audit reports, the Chief Executive, Corporate Directors and/or Heads of Service should feed back to Internal Audit at periodic intervals, details of action taken in respect of agreed recommendations. 4.3 To assist the monitoring process in relation to the implementation of agreed audit recommendations, the Internal Audit Services contractor will provide the Council’s Performance Team with a copy of all finalised audit reports. These are input on to the TEN performance management system, and managers are requested to update the system with action taken to implement the recommendation, along with details of supporting evidence to this effect, where appropriate. The outcomes of this work are provided to the Internal Audit Contractor, whom, on 2 occasions during the financial year, undertakes verification of all High Priority recommendations and a sample of 51 Medium Priority recommendations reported as being completed, to confirm this position. 4.4 The Internal Audit Consortium Manager or the Deputy Audit Manager will then appraise the Audit Committee on a twice yearly basis of the current status of agreed actions detailed in final audit reports. 5. 
5.1 INTERNAL AUDIT’S INDEPENDENCE AND ACCOUNTABILITY Internal Audit is sufficiently independent of the activities that it audits to enable its auditors to perform their duties in a manner, which facilitates impartial and effective professional judgements being reached when formulating audit recommendations and opinions on the internal control environment. 5.2 Internal Auditors have no operational responsibilities and thus, are not required to deliver or manage non-audit services. 5.3 The Internal Audit Consortium Manager has direct access to the Chair of the Audit Committee, as required, and is able to request ad hoc meetings of the Audit Committee, where appropriate. Furthermore, the Internal Audit Consortium Manager and the Chair of the Audit Committee have the opportunity for periodic (at least annual) private discussions without the Head of Finance, Chief Executive or Corporate Directors being present. 6. 6.1 THE SCOPE OF WORK CARRIED OUT BY INTERNAL AUDIT The scope for Internal Audit is essentially ‘the control environment comprising risk management, control and governance’. As a consequence, Internal Audit will review and evaluate all aspects of the Council’s operations, resources, services and responsibilities in relation to other bodies. It thus follows that the remit of Internal Audit is wide reaching It is not just confined to fundamental financial systems but will examine the entire control environment of the organisation. 6.2 The Internal Audit Consortium Manager or the Deputy Audit Manager will perform an audit needs assessment to determine a minimum acceptable level of audit coverage, which needs to be delivered on an annual basis. This entails carrying out a risk assessment of all potential auditable areas to discern those systems that should be subject to audit scrutiny. When determining where audit input should be concentrated, best practice will be followed, i.e. 
the organisation’s assurance and monitoring mechanisms, including the latest copy of the Corporate Risk Register, will be taken into account prior to the completion of the audit planning process. It is not uncommon for core financial systems to feature in terms of high risk subject areas meriting audit review. However, other non financial systems and functions are usually also identified, which include Homelessness and Housing Strategy, Tourism and Economic Development, Development Management, Waste Management, Elections and Electoral Registration, Property Services, Car Parking and Markets, etc.

6.3 The scope of Internal Audit work will also extend to services provided through partnership arrangements. The Internal Audit Consortium Manager will decide, in consultation with all the relevant parties, whether Internal Audit should conduct the work to obtain the required assurance themselves or rely on the assurances provided by other auditors.

6.4 Internal Audit, where sufficient expertise exists, will provide additional services, encompassing computer audits, contract audits, fraud related and consultancy work. Moreover, the outcomes of this work, where forthcoming, will contribute to the opinion which Internal Audit provides on the control environment.

6.5 With reference to computer audit requirements, these are determined by the Internal Audit Services contractor, who performs a computer audit needs assessment on a 3-yearly cycle. The assessment is undertaken in consultation with key IT personnel. A total of 36 discrete auditable areas, which together are considered to comprise the key aspects of the IT environment within the Council, are evaluated. A separate analysis is also carried out to complement these areas to determine the Council’s key applications and upcoming projects, with the results of this work additionally feeding into the needs assessment.
Having analysed this information, risk priority ratings are next extracted and used to generate both Strategic and Annual Audit plans.

7. DEALING WITH FRAUD AND CORRUPTION MATTERS

7.1 Managing the risk of fraud and corruption is the responsibility of management. Audit procedures alone, even when performed with due professional care, cannot guarantee that fraud or corruption will be prevented or detected. Nevertheless, Internal Auditors will be alert in all their work to risks and exposures that could allow fraud or corruption to occur.

7.2 The authority will not tolerate fraud and corruption in the administration of its responsibilities, whether from inside or outside the authority, and this is supported by the Council’s Fraud and Corruption Policy and Whistleblowing Policy. Moreover, the Council’s expectation of propriety and accountability is that members and employees at all levels will lead by example in ensuring adherence to legal requirements, rules, procedures and practices. Individuals must report any concern or suspicion that something that has happened or is about to happen may be fraudulent or corrupt, in the manner outlined in the Fraud and Corruption Policy. Similarly, within the Code of Conduct for Employees, staff are positively encouraged to raise any concerns that they have.

7.3 The Council also has a Whistle Blowing Policy, which advocates, as a first step, that staff should normally raise concerns with their immediate manager. If unable to do so for any reason, the officer should then go to any other manager with whom they feel comfortable, bearing in mind the seriousness and sensitivity of the issues involved and who is suspected of the malpractice.

7.4 Whistleblowing concerns can be raised verbally, or preferably, in writing.
Advice and guidance on how to progress specific matters of concern should be addressed to:

• The Monitoring Officer;
• The Chief Executive;
• The Internal Audit Consortium Manager;
• Trade Union Representatives; or,
• Public Concern at Work.

7.5 The first 3 officers identified above in paragraph 7.4 are essentially those personnel to whom whistleblowing concerns should be formally communicated. A range of steps will then be followed to evaluate whether a whistleblowing investigation should be carried out or alternative action or no action should be taken, and the whistleblower will be advised accordingly in line with procedures laid down in the Whistleblowing Policy.

8. INTERNAL AUDIT RESOURCES

8.1 As confirmed previously, the Internal Audit Service is delivered by means of a group agreement between North Norfolk, South Norfolk, Breckland and Broadland District Councils, Great Yarmouth Borough Council and the Broads Authority. All six authorities have signed an agreement under which South Norfolk Council procures the services from an external contractor on behalf of the six organisations.

8.2 The service is delivered according to a rolling 3-year Strategic Audit Plan and an Annual Plan developed by the Internal Audit Consortium Manager or the Deputy Audit Manager. The Audit Plans are formulated in consultation with the Head of Finance, the Corporate Leadership Team and the Corporate Management Team, and are based upon an audit needs assessment, which is primarily a risk assessment of the various systems and processes within the Council, covering all the organisation’s objectives and activities and their associated risks. Once the relevant systems have been defined, their relative importance for audit purposes is established and the frequency of subsequent audit coverage is identified and incorporated into the Strategic Audit Plan. Annually, the Strategic Audit Plan will be rolled forward taking into account changing risks caused by new developments (e.g.
new systems, revisions to existing systems and/or working practices, new legislation, any organisational restructuring, changing priorities/business objectives, expansion of partnerships, etc).

8.3 The Strategic and Annual Audit Plans set out the number of audit days required to adequately review the areas identified and indicate the priority for each audit assignment, be it high, medium or low.

8.4 Once planned work requirements have been determined, these will be compared to resource availability. The Internal Audit Consortium Manager is responsible for ensuring that Internal Audit resources are sufficient to meet its responsibilities and achieve its objectives. Where there is an imbalance between planned audit coverage and Internal Audit resources to discharge these duties, and it has been concluded that resources are inadequate for the purpose, the Internal Audit Consortium Manager will raise her concerns with the Head of Finance and proposed solutions will be taken forward to the Audit Committee for its consideration, as final approval of the Plans prior to the start of the relevant financial year rests with the Audit Committee.

8.5 In the event of special investigations arising, or ad hoc reviews being requested, agreement for these variations to original Audit Plans will be discussed and agreed with the Head of Finance and Variation Orders will be raised and issued to the Internal Audit Services contractor. Similarly, if original job budgets set subsequently require expansion, the extra days required will be discussed and agreed with the Head of Finance and a Variation Order raised and issued to the contractor, to reflect the extension of time. The same arrangements will apply to audits needing to be deleted from Audit Plans. All revisions to the Audit Plans will be notified to the Audit Committee through the Internal Audit Consortium Manager’s Progress Report and Annual Report.
8.6 As specified in the Internal Audit Services contract, appropriate staff in terms of grades, qualifications, skills and experience will be provided by the Internal Audit Services contractor in order to ensure satisfactory delivery of Audit Plan requirements. These staff must comply with a stated level of competence (as outlined in the Internal Audit Services Specification) and will maintain and develop their competence through targeted training and continuing professional development, evidence of which will be provided to the Internal Audit Consortium Manager on a periodic basis. These staff must also clearly demonstrate that they have the appropriate competences and skills to deliver audits, when attending Planning Meetings and undertaking initial audit fieldwork meetings with client officers.

9. REPORTING UPON AUDIT ASSIGNMENTS

9.1 As audit fieldwork is drawing to an end, a debrief meeting will be arranged with client officers to discuss audit outcomes. The debrief meeting should take place 5 days before the fieldwork is completed, to enable the factual correctness of audit findings to be confirmed and to allow an opportunity for client side to respond to internal control weaknesses identified and put forward any additional information not previously submitted to the auditors.

9.2 Upon completion of the audit fieldwork, an Internal Audit report will then be prepared that:

• Provides an opinion on the risks and controls of the area reviewed, and this will contribute to the annual opinion on the control environment, which, in turn, informs the Council’s Annual Governance Statement.
• Provides a formal record of points arising from the audit and management responses to issues raised, to include acceptance of audit recommendations with implementation timescales, as well as reasons for rejecting recommendations.
• Prompts management to implement agreed actions within targeted dates.
9.3 The Internal Audit Consortium Manager or Deputy Audit Manager approves a draft version of all reports before their formal issue to the responsible Head of Service and Corporate Director. A copy is also supplied to the Head of Finance.

9.4 In addition to debrief meetings at the end of audit fieldwork, there will also be the opportunity to have an Exit Meeting involving the Internal Audit Consortium Manager, the Deputy Audit Manager, the Head of Finance, the relevant Head of Service, Corporate Director and/or Chief Executive, where appropriate, to discuss detailed aspects of draft audit reports and agree action plans.

9.5 Accountability for management’s response to Internal Audit advice and recommendations lies with the Head of Finance, Chief Executive, Corporate Directors and Heads of Service, as appropriate, who can either accept and implement guidance given or formally reject it. However, if audit proposals to strengthen the internal control environment are disregarded and there are no compensating controls justifying this course of action, an audit comment will be made in the final audit report, reiterating the nature of the risk that remains and recognising that management has chosen to accept this risk. Furthermore, depending on the severity of the risk, the matter may be escalated upwards for the Audit Committee’s attention.

9.6 Final audit reports will be issued to the relevant Corporate Director, Head of Service and Head of Finance, the relevant Portfolio Holders, the Audit Committee and the External Auditor. In addition, the Head of Finance will forward copies of all final audit reports to a designated officer responsible for arranging the input of agreed audit recommendations to the Council’s TEN system.

9.7 Each audit report is subject to follow up action, as already explained in paragraphs 4.2 and 4.3.
Management are requested to comment on progress achieved in relation to agreed actions at regular intervals after the final audit report has been issued. Additionally, Internal Audit will undertake follow up visits on 2 occasions per year to verify evidence of action initiated with regards to High Priority recommendations, whilst the Internal Audit Consortium Manager and Deputy Audit Manager will also be involved in the process, reporting the outcomes of audit follow up to the Audit Committee on 2 separate occasions during each financial year.

10. MONITORING THE OVERALL PERFORMANCE OF INTERNAL AUDIT

10.1 Internal Audit monitors its performance in a number of ways, which are set out in the Service Specification within the Internal Audit Services Contract. Aspects of the service subject to scrutiny include:

• The extent to which the Annual Audit Plan is achieved.
• Completion of audit projects in accordance with agreed timetables for delivery of audit fieldwork, draft and final reports.
• Providing an acceptable lead-in time between the finalisation of audit briefs and the commencement of audit fieldwork.
• Demonstrating that audit coverage has been undertaken in line with original audit brief requirements.
• Ensuring conclusions and recommendations in audit reports are reasonable, appropriate and practical, and supported by the evidence collected.
• Comparing proposed audit recommendations to agreed audit recommendations, to verify that recommendations are justifiable and practical; and,
• Satisfactory post audit feedback is obtained from auditees upon completion of audit projects.

10.2 Performance is measured against contractual targets and more recently, local performance indicators have been introduced, which further evaluate the quality of the service being provided to North Norfolk District Council, and these are itemised in Appendix 1a.
Appendix 1a

Performance Indicators for the Internal Audit Service

Internal Audit performance is monitored as detailed below.

Indicator: % audit recommendations accepted by management
Target: 90%
Purpose: Acceptance of audit recommendations by management ensures that where improvements are required to the internal control environment, appropriate action will be taken to secure these enhancements. However, there can be occasions where recommendations are disputed. In these cases, there may be justifiable reasons for management not supporting the recommendation, e.g. compensating controls have been put in place. Conversely, management can take the decision to accept the risks identified, particularly if insufficient resources preclude action being taken. However, this will mean that there are vulnerabilities in systems of internal control, which are not being addressed.

Indicator: % high priority recommendations implemented
Target: 100%
Purpose: Management’s commitment in implementing high priority recommendations ensures that high profile risks/fundamental flaws in systems of internal control are suitably resolved.

Indicator: Number of days between the issue of Internal audit briefs and commencement of audit fieldwork
Target: 10 working days
Purpose: Management should have sufficient time to consider and shape audit objectives driving review work before the fieldwork starts. Hence, adequate consultation is permitted enabling management to make a contribution to terms of reference thereby ensuring the audit adds value to their service area.

Indicator: Number of days between the expected completion of audit fieldwork (as per the audit brief) and actual completion of audit fieldwork
Target: 0 working days
Purpose: This indicator seeks to check that audit fieldwork finishes in a timely manner and thus audits progress as expected, and there are no unnecessary delays.

Indicator: Number of days between the completion of audit fieldwork and issue of draft report
Target: 15 working days
Purpose: The draft report is the first stage after which management will have written confirmation of the audit outcomes. Issue on a timely basis provides better opportunity for management to be able to comment, and also ensures that the audit plan is delivered as expected.

Indicator: Number of days between the issue of the draft and final report
Target: 10 working days
Purpose: Delivery of a timely final report ensures that management can commence the process of addressing internal control weaknesses.

Indicator: Number of days between the completion of the fieldwork and issue of a final report
Target: 25 working days
Purpose: This is a combination of the two performance indicators above and reflects the total time incurred in completion of the audit process.

Indicator: Average score given to audit feedback
Target: Adequate
Purpose: This is the main indicator of audit quality and is based upon the feedback received by management for individual audit assignments, which range on a 6-point basis, namely poor, weak, less than adequate, adequate, good and excellent.

Indicator: Compliance with the new Professional Internal Audit Standards coming into effect from 1 April 2013
Target: Full
Purpose: These new standards encompass the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework. At each site, we aim to work towards full compliance with the self-assessment checklist (to be published shortly) and use this to inform our annual review of the effectiveness of internal audit.

Indicator: Compliance with the CIPFA Statement on the Role of the Head of Internal Audit
Target: Full
Purpose: This Statement sets out what CIPFA considers to be best practice for Heads of Internal Audit in terms of providing a summary of the core responsibilities entailed in the role to support the Council in achieving its objectives, by giving assurance on its internal control arrangements and playing a key part in promoting good corporate governance. A checklist has been developed from the guidance, which is completed annually and feeds into our review of the effectiveness of internal audit.

Appendix 2

NORTH NORFOLK DISTRICT COUNCIL
INTERNAL AUDIT – CODE OF ETHICS FOR 2013/14

1. Introduction

1.1 This Code of Ethics sets the minimum standards for the performance and conduct of North Norfolk District Council’s Internal Auditors. It is intended to clarify the standards of conduct expected from the Internal Auditors when carrying out their duties and promote an ethical, professional culture at all times when undertaking audit duties.

This Code applies to all staff responsible for delivering Internal Audit within North Norfolk, South Norfolk, Broadland and Breckland District Councils, Great Yarmouth Borough Council and the Broads Authority, but does not supersede or replace the requirement on individual auditors to comply with their own professional bodies’ Codes of Ethics, as qualified members or student members, as well as any organisational Codes of Ethics or Conduct relating to their employer or the client authorities they serve.

There are four main principles, which must be observed in addition to having due regard to the Committee on Standards of Public Life’s ‘Seven Principles of Public Life’. The principles involved are as follows:

• Integrity;
• Objectivity;
• Confidentiality; and,
• Competency.

2. Integrity

2.1 Principle

2.1.1 The integrity of Internal Auditors establishes trust and thus provides the basis for reliance on their judgement.

2.2 Rules of Conduct

North Norfolk District Council’s Internal Auditors shall:

2.2.1 Perform their work with honesty, diligence and responsibility.

2.2.2 Observe the law and make disclosures expected by the law and the profession.

2.2.3 Not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation.
2.2.4 Respect and contribute to the legitimate and ethical objectives of the organisation.

2.3 Summary

2.3.1 Thus North Norfolk District Council’s Internal Auditors will demonstrate integrity in all aspects of their work. Their relationship with colleagues and external contacts should be one of honesty and propriety. Such conduct will both support and develop an environment of trust, which provides the basis for reliance on all activities carried out by the Internal Auditors.

3. Objectivity

3.1 Principle

3.1.1 Internal Auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined.

3.1.2 Furthermore, Internal Auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgements.

3.2 Rules of Conduct

North Norfolk District Council’s Internal Auditors shall:

3.2.1 Not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation.

3.2.2 Not accept anything that may impair or be presumed to impair their professional judgement.

3.2.3 Disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3.3 Summary

3.3.1 Objectivity is a state of mind that has regard to all considerations relevant to the activity or process being examined without being unduly influenced by personal interest or the views of others. North Norfolk District Council’s Internal Auditors will display professional objectivity at all times when providing opinions, assessments and recommendations.

4. Confidentiality

4.1 Principle

4.1.1 Internal Auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

4.2 Rules of Conduct

North Norfolk District Council’s Internal Auditors shall:

4.2.1 Be prudent in the use and protection of information acquired in the course of their duties.

4.2.2 Not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.

4.3 Summary

4.3.1 North Norfolk District Council’s Internal Auditors will therefore utilise information received in the appropriate manner and for the purpose it was originally requested and provided, as prescribed by the requirements of the above Rules of Conduct, and will additionally take suitable steps to safeguard all information made available.

5. Competency

5.1 Principle

5.1.1 Internal Auditors apply the knowledge, skills and experience needed in the performance of internal auditing services.

5.2 Rules of Conduct

North Norfolk District Council’s Internal Auditors shall:

5.2.1 Engage only in those services for which they have the necessary knowledge, skills and experience.

5.2.2 Perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.

5.2.3 Continually improve their proficiency and effectiveness and quality of their services.

5.3 Summary

5.3.1 North Norfolk District Council’s Internal Auditors will not accept or perform work that they are not competent to undertake, unless they have received adequate training and support to carry out the work to an appropriate standard.
5.3.2 It is also essential that the Internal Audit Consortium Manager as Head of Internal Audit operates in accordance with the best practice guidance recommended in CIPFA’s Statement on ‘The Role of the Head of Internal Audit’ and undertakes an annual compliance check against the core principles stated therein.

6. Operational Arrangements

6.1 Achieving Compliance with the Code of Ethics

6.1.1 On an annual basis, the Internal Audit Consortium Manager, the Deputy Audit Manager and the Deloitte Auditors will revisit the Code of Ethics to reinforce their understanding of and confirm their on-going commitment to the obligations placed upon them as specified in this document, and ensure that they continue to fully comply with these when discharging their day-to-day duties in relation to North Norfolk District Council.

6.2 Securing Integrity

6.2.1 In order to be assured that the Internal Auditors demonstrate integrity in all aspects of their work, quality control processes have been developed to protect North Norfolk District Council’s position in this matter.

6.3 Maintaining Audit Objectivity

6.3.1 In addition, it is essential that Internal Audit personnel are able to demonstrate independence and hence, objectivity. To this end, Internal Audit staff are obligated to declare potential conflicts of interest as they arise, so as to enable other staff to be assigned to specific reviews, thereby avoiding any compromising of independence. Audit objectivity will also be upheld, in so far as Internal Auditors will not be able to carry out audits in an area where they have had previous operational roles within the last 12 months.

6.4 Observing Confidentiality

6.4.1 A breach of confidentiality by an Internal Auditor will not be tolerated and will result in the expulsion of the individual from the Internal Audit Services contract.
6.5 Demonstrating Competency

6.5.1 It is a pre-requisite that all Internal Audit staff are aware of and understand:

• The organisation’s aims, objectives, risk and governance arrangements;
• The purpose, risks and issues affecting the service area to be audited;
• The terms of reference for the audit assignment so that there is a proper appreciation of the parameters within which the review will be conducted; and,
• The relevant legislation and other regulatory arrangements that relate to the service areas to be audited, e.g. Statutes, the Authority’s Scheme of Powers delegated to Officers, the Authority’s Financial Regulations and Standing Orders relating to Contracts, Partnership/Service Level Agreements, Internal Strategies/Policies/Procedural Notes.

Appendix 3

NORTH NORFOLK DISTRICT COUNCIL
INTERNAL AUDIT STRATEGY FOR 2013/14

1 INTRODUCTION AND OVERVIEW

1.1 The objectives of North Norfolk District Council’s Internal Audit Strategy are set out in Internal Audit’s Terms of Reference, although they can essentially be summarised as follows:

‘To deliver a risk-based audit plan in a professional, independent manner, to provide the organisation with an opinion on the level of assurance it can place upon the internal control environment, systems of risk management and corporate governance arrangements, and to make recommendations to improve these provisions, where further development would be beneficial’.

1.2 Internal Audit’s Terms of Reference are reviewed annually by the Internal Audit Consortium Manager and then presented to the Audit Committee for formal approval. The Terms of Reference for 2012/13 received the endorsement of the Audit Committee on 6 March 2012, whereas the Terms of Reference for 2013/14 are attached today (19 March 2013) for consideration and approval by the Audit Committee.
1.3 In accordance with contractual arrangements, each year an Audit Needs Assessment is completed by the Internal Audit Consortium Manager or the Deputy Audit Manager as part of the audit planning process, culminating in the development of a 3-year Strategic Audit Plan, with an Annual Audit Plan being extracted from the latter for adoption in the succeeding financial year.

1.4 A Computer Audit Needs Assessment is also performed on a 3-yearly basis by the Internal Audit Services contractor, and the outcomes of this exercise additionally feed into the rolling 3-year Strategic Audit Plan and the Annual Audit Plan for the new financial year.

2 WHAT THE INTERNAL AUDIT STRATEGY SETS OUT TO ACHIEVE

2.1 The purpose of the Internal Audit Strategy is to establish the nature of the methodology to be adopted by Internal Audit to facilitate:

• How the service will be delivered to the Council.
• The provision to the Head of Finance (as Section 151 Officer) of an audit opinion each year concerning the Council’s systems of internal control, and on a 2-yearly basis, an audit opinion relating to systems of risk management and corporate governance arrangements.
• Ensuring that appropriate evidence has been collected in support of the audit opinions expressed, after which the latter should be used to inform the authority’s Annual Governance Statement.
• The audit of the Council’s systems of internal control and risk management, and corporate governance arrangements through Strategic and Annual Audit Plans is undertaken in a way that affords suitable priority to the Council’s objectives and risks.
• Audit resources have been appropriately identified to deliver an Internal Audit Service, which meets required professional standards, provides acceptable minimum levels of audit coverage and optimises the use of audit time available.
• Providing annual scrutiny of the fundamental financial systems to provide assurance that the proper arrangements for financial control are in place, work which External Audit can then place reliance upon.
• Supporting senior management at the Council as much as possible and adding value.

3 DEVELOPMENT OF THE CURRENT INTERNAL AUDIT STRATEGY

3.1 The formulation of the present Internal Audit Strategy is essentially risk driven, whilst also acknowledging that the primary issues to the Council at present are the ongoing need to deliver financial savings and legislative changes, and this in itself generates additional risks for the authority. As a result, consultation has been undertaken with the Council’s Section 151 Officer, Corporate Leadership Team and Corporate Management Team to discuss the focus of future audit coverage and review the sequencing of audit projects to maximise their value to the authority.

In undertaking the Audit Needs Assessment, we have also considered a number of core documents that enhance our understanding of the audit risk environment at the Council, including:

Corporate Documentation
• Local Code of Corporate Governance and Annual Governance Statement for 2011/12
• The Statement of Accounts for 2011/12
• Corporate Risk Register (latest available version received February 2012)
• Corporate Plan 2012/15
• Financial Strategy 2013-14 (Cabinet, 12 November 2012)
• Half Yearly Treasury Management Report 2012/13 (Cabinet, 12 November 2012)
• Treasury Annual Report 2011/12 (Cabinet, 11 June 2012)
• Debt Recovery 2011/12 (Cabinet, 11 June 2012)
• Community Asset Transfer Policy (Cabinet, 12 November 2012)
• North Norfolk Housing Strategy 2012/15 (Cabinet, 10 September 2012)
• Housing Allocation Scheme (Cabinet, 13 December 2012)
• Empty Home Pilot and Policy (Cabinet, 13 December 2012)
• Council Tax Support Scheme 2013/14 (Cabinet, 7 January 2013)
• Tourist Information Report (Cabinet, 7 January 2013)
• Destination Management Organisation (DMO
for North Norfolk District Council) (Cabinet, 7 January 2013) • Big Society Fund Report (Cabinet, 7 January 2013) • Planning Peer Challenge – Position Statement (Prepared by Steve Blatch, Corporate Director) External Audit Documentation • Audit Report for 2011/12 Statement of Accounts, incorporating the Value for Money Conclusion • Report to those Charged with Governance (ISA60 (UK&I 260) – 2011/12 Audit • Annual Audit Letter – 2011/12 Audit Other Documentation • On an ongoing basis, Internal Audit maintains an oversight of issues that may affect the audit risk the Council faces; this includes attending training events, receiving briefings and updates on topical matters from Deloitte 64 Public Sector Internal Audit Ltd and subscribing to CIPFA’s quarterly newsletter – Audit Viewpoint and TIS Online services, etc. 3.2 Seven key risk factors have then been applied to potential auditable areas and their impact on the organisation evaluated in terms of: • Materiality – the value of annual direct income/expenditure associated with the systems/activities; • Materiality – an estimate of the number of transactions processed by the systems/activities per annum; • Significance – the significance of the systems to the objectives and activities of the Council; • Complexity of the organisation’s systems/activities in terms of their operation and auditability; • Modifications to the organisation’s systems/activities or the likelihood of changes (i.e. new arrangements) being introduced within the duration of Audit Plans being put forward; • Inherent risk, i.e. the likelihood of threats, error or malpractice to the organisation, because of the nature of its business activity, the regulatory framework, its size, its growth, its history, etc; and, • Profile of auditable areas, reflecting on the political sensitivity of the systems/activities. 
3.3 With reference to inherent risk, the Audit Needs Assessment is cognisant of those areas where historically, there has been the potential for fraud and corruption, e.g.
o Housing Benefits
o Provision of Discounts (e.g. Council Tax Discounts)
o Awarding of Grants – Community Grants, Private Sector Housing and other Direct Payments
o Cash Collection
o Car Parking Income
o Credit Income
o Creditor Payments
o Contracts and Procurement
o Loans and Investments
o Payroll, expense claims and recruitment
o Disposal of Assets
o Awarding of Planning Consents
o Awarding of Licences
o Gifts and Hospitality

3.4 The risk factors have been weighted to produce a risk score, expressed as a percentage that is, in turn, translated into a risk rating of Very High, High, Medium or Low. Once risks have been categorised, it is then possible to determine the frequency with which the areas identified should be subject to audit scrutiny. Low risk systems will be examined on a 5-yearly cycle. Medium risk assessed systems should be reviewed on a 3-yearly basis; high risk areas will be audited on a 2-yearly cycle, and Very High risk will be scrutinised on an annual basis.

3.5 In order to extract savings on internal audit costs to the Council, this year we have also embarked on an audit job budgets rationalisation exercise, the findings of which were discussed with the Section 151 Officer on 25 January 2013. This task entailed carrying out comparative work on all clients’ Audit Plans (past and present) to ensure that in the future, Norfolk Internal Audit Consortium members are charged the same number of days for their audits, whereas previously there had been some minor anomalies between client sites. Thus, North Norfolk District Council’s new Strategic Plan now contains the reworked job budget allocations for individual assignments.
3.6 Prior to finalising our assessment, we have also been mindful of changes within the Council occurring throughout the year, including further organisational restructuring work resulting in the appointment of 8 new Heads of Service, plus the ongoing development of the Revenues and Benefits Shared Services Partnership with Kings Lynn and West Norfolk Borough Council. An element of audit work in relation to the latter could not be delivered in 2012/13 due to operational issues arising, and as a consequence, 5 days are being carried across to the 2013/14 Audit Plan to support audit scrutiny of shared processes and governance arrangements adopted by the partnership.

3.7 As mentioned previously in paragraph 1.4, a Computer Audit Needs Assessment is also performed by the Internal Audit Services contractor in parallel to the Audit Needs Assessment work carried out by the Internal Audit Consortium Manager or the Deputy Audit Manager. The Computer Audit Needs Assessment effectively evaluates the key risks affecting the IT environment within the Council and having identified risk priority ratings, it is then possible to use this information to populate a Strategic Computer Audit Priority Analysis and Annual Computer Audit Plans. This exercise was last carried out in November 2010 and will be repeated in 2013/14.

4 FORMULATION OF THE STRATEGIC AND ANNUAL AUDIT PLANS

4.1 Having outlined our approach, as detailed in Section 3 of the Strategy, we duly confirm that prior to completing the Annual Audit Needs Assessment for 2013/14, we have been working closely with key personnel to agree a minimum level of audit coverage, which will enable the Internal Audit Consortium Manager to provide the requisite annual opinions for 2013/14, whilst also taking into account any additional needs raised by senior management, where internal audit input would be appreciated over the course of the year.

4.2 The formal audit planning process for 2013/14 commenced in January 2013. Future audit coverage proposals were extracted as a consequence of the audit needs assessment exercise and these were then extensively discussed with the Section 151 Officer over the telephone and via meetings and email exchanges taking place between 25 January and 27 February 2013, as well as canvassing the views of the Corporate Leadership Team and Corporate Management Team between 6 February and 28 February 2013, the outcomes of which have been used to confirm the adequacy of audit coverage formulated for 2013/14 onwards, obtain acceptance to any updated audit requirements put forward and agree the composition of the Annual Audit Plan for 2013/14, with indicative timings for carrying out the relevant reviews. In addition, we have also consulted with External Audit, providing them with draft copies of the new Strategic and Annual Audit Plans, prior to their presentation to the Audit Committee.

4.3 The next phase in the process involves discussion of the Strategic and Annual Audit Plans with the Audit Committee, prior to obtaining formal endorsement of the audit coverage recommended. Once approved by the Committee, the Internal Audit Consortium Manager or Deputy Audit Manager will instruct the Internal Audit Service contractor (Deloitte Public Sector Internal Audit Ltd) to adopt the Annual Audit Plan as their work programme for 2012/13.

5 REVIEWING PLANNED AUDIT COVERAGE TO ENSURE ITS ON-GOING ADEQUACY

5.1 Audit Planning is a dynamic process and the environment in which North Norfolk District Council operates is frequently subject to change, whether through the introduction of new systems, the enhancement/modification of existing systems, revised statutory requirements applying to the organisation or other developments affecting the way in which the Council conducts its business. As a consequence, Internal Audit Plans are continually monitored by the Internal Audit Consortium Manager and/or Deputy Audit Manager to ensure that they remain timely and comprehensive in their proposed coverage. Throughout the coming year therefore, the Plans may have to be amended to reflect any changing priorities that might surface and possibly, have to react to existing risks that may subsequently escalate, diminish, disappear or be superseded by new risks, as they affect North Norfolk District Council. For this reason, flexibility will be shown towards planned audit coverage, to ensure that it is constantly responsive to changing needs and new requirements.

5.2 As outlined in the Terms of Reference for Internal Audit, any changes that are made to the Internal Audit plans during the year will be subject to the agreement of the Section 151 Officer and subsequently communicated to the Audit Committee.

Appendix 4
North Norfolk District Council - Strategic Audit Plan - April 2013 - March 2016

Description of audit | Strategic risk - Reference | Audit Days Delivered 2012/13 | Assessed audit risk | Frequency of coverage | 2013/14 Days planned | 2014/15 Days planned | 2015/16 Days planned

ANNUAL OPINION AUDITS
Review of Corporate Governance and Risk Management arrangements 9 Work to support the preparation of the Annual Governance Statement Follow up previous systems audit recommendations 003 (CR), 005 (CR) High 2-yearly 8 10 Very High Annual 15 10 15 8 Annual Not applicable 8 8 8 001 (CR), 004 (CR), 015 (CR) High 2-yearly 17 009 (CR) High High 2-yearly 2-yearly 12 High 2-yearly High Ad-hoc request by management High 2-yearly High 2-yearly
FUNDAMENTAL FINANCIAL SYSTEMS
Head of Finance Accountancy services - control accounts, banking, bank reconciliation, asset management / capital expenditure, budgetary control and treasury management Creditors - ordering and payments and insurance Receipt, handling and banking of remittances, tourist information centres, etc 15 Council Tax and
NNDR 20 Housing benefit/CTB Revenues and Benefits Partnership - Data Transfer, Governance and Risk 20 2.5 011 (CR), 012 (CR), 015 (CR) 011 (CR) Sundry Debtors 17 13 12 20 20 5 2-yearly 10 10
Head of Organisational Development Payroll, human resources and officers expenses 19 003 (CR), 005 (CR), 006 (CR) 19
OTHER SYSTEMS AUDIT
Head of Economic and Community Development Tourism & Economic Development Foreshore & coastal management / Coastal Protection Homelessness and Housing Strategy 15 Affordable Housing Initiatives/ Home Options 002 (CR) 010 (CR) Medium Medium High 3-yearly 3-yearly 2-yearly 010 (CR) Medium 3-yearly Medium 3-yearly 004 (CR) High 2-yearly 004 (CR), 010 (CR) Medium 3-yearly 007 (CR) Medium 3-yearly Medium 3-yearly Medium 3-yearly Private Sector Housing - Disabled Facilities Grants (to be undertaken in conjunction with Broadland Council) & discretionary improvement grants Localism and Communities - including focus on Community Right to Bid 10 10 14 10 8 10
Head of Development Management & Head of Economic and Community Development Development Management includes planning applications, planning enforcement, s106 agreements, Community Infrastructure Levy and Land Charges 22
Head of Assets and Leisure & Head of Economic and Community Development Partnerships 7 10
Head of Assets and Leisure & Head of Environmental Health Parks and Open Spaces, plus Woodland Management 10
Head of Customer Services Media and Communications 005 (CR) 10
Head of Environmental Health Waste Management including contract / agreement monitoring, income collection and monitoring, refuse collection, street cleansing, recycling, clinical waste, abandoned vehicles and grounds maintenance Environmental Health Services includes emergency planning, food safety, environmental protection, pest control, dog warden, licensing and pollution control High 2-yearly 18 Medium 3-yearly 19 Medium Medium 3-yearly 3-yearly Medium High 3-yearly 2-yearly 18
Head of Assets and Leisure Sports Halls/Centres & Sports Development Leisure Complexes, Other Sports, Arts & Entertainment, including Pier Pavilion Property services Car parking & markets 10 19 001 (CR) 12 10 12 16 16
Head of Organisational Development Elections and Electoral Registration Performance management, corporate policy and business planning including annual action plans 10 Medium 3-yearly 12 015 (CR) High 2-yearly 10 008 (CR) Medium 3-yearly Low 5-yearly 8 Medium 3-yearly 10
Head of Legal Freedom of Information and Data Protection 8
Business Manager (Corporate and Democratic Services) Democratic Services - Member Services, Training, Allowances and Expenses
Head of Finance Procurement 12 Ad Hoc Procedural Review 2 009 (CR)
TOTAL DAYS PER ANNUM FOR SYSTEMS AUDIT 178.5 168 186 156
COMPUTER AUDIT
4 4 4 30 30
Head of Customer Services Follow up of previous computer audit recommendations 4 Annual Not applicable Computer audit needs assessment 5 Provision for computer audit coverage pending results of needs assessment
Management Issues Project Management 7
IT Security Data Centre, Back Up, Disaster Recovery 10 Medium 4-yearly 008 (CR)
Very High 2-yearly 013 (CR) Very High 2-yearly High 3-yearly 13
Application Systems Cedar Financial Application 9 Document Imaging - Civica (Revenues and Benefits) Revenues and Benefits - Civica 012 (CR) Medium 4-yearly 10 High 3-yearly 13 High 3-yearly Cash Receipting Application 8
TOTAL DAYS PER ANNUM FOR COMPUTER AUDIT 38 45 34 34
TOTAL AUDIT DAYS PER ANNUM 216.5 213 220 190

Appendix 5
North Norfolk District Council Annual Audit Plan - April 2013 to March 2014
February 2013

2013/14
Client Officer | Identification of areas to be audited | Assessed Audit Risk | Frequency of audit coverage | Days Planned | Quarter 1: Apr May Jun | Quarter 2: Jul Aug Sep | Quarter 3: Oct Nov Dec | Quarter 4: Jan Feb Mar

ANNUAL OPINION AUDITS
HEAD OF FINANCE Work to support the preparation of the Annual Governance Statement Very High Annual 15 N/A Annual 8 Accountancy Services High 2-yearly 17 Receipt, handling and banking of remittances, tourist information centres, etc High 2-yearly 12 Sundry Debtors High 2-yearly 10 Follow up previous systems audit recommendations 15 4 4
FUNDAMENTAL FINANCIAL SYSTEMS
HEAD OF FINANCE Revenues and Benefits Partnership - Data Transfer, Governance and Risk Ad-hoc request by management Not applicable 5 Tourism and Economic Development Medium 3-yearly 10 Private Sector Housing - Disabled Facilities Grants (to be undertaken in conjunction with Broadland Council) & discretionary improvement grants Medium 3-yearly 8 17 12 10 5
OTHER SYSTEMS AUDIT
HEAD OF ECONOMIC AND COMMUNITY DEVELOPMENT 10 8
HEAD OF DEVELOPMENT MANAGEMENT & HEAD OF ECONOMIC AND COMMUNITY DEVELOPMENT Development Management includes planning applications, planning
enforcement, s106 agreements, Community Infrastructure Levy and Land Charges Medium 3-yearly 22
HEAD OF ENVIRONMENTAL HEALTH Waste Management including contract / agreement monitoring, income collection and monitoring, refuse collection, street cleansing, recycling, clinical waste, abandoned vehicles and grounds maintenance High 2-yearly 18 Medium 3-yearly 19 High 2-yearly 16 Medium 3-yearly 8 Environmental Health Services includes emergency planning, food safety, environmental protection, pest control, dog warden, licensing and pollution control
HEAD OF ASSETS AND LEISURE Car parking and markets
HEAD OF LEGAL Freedom of Information and Data Protection
22 18 19 16 8
TOTAL SYSTEMS AUDIT DAYS 168 (by month, Apr to Mar: 23 0 8 16 18 18 26.00 10 0 27 22 0)
COMPUTER AUDIT
STRATEGIC DIRECTOR - INFORMATION IT Security, Procurement and End User Controls Very High 2-yearly 13 Medium 4-yearly 10 Revenues and Benefits Application Civica High 3-yearly 13 Computer audit needs assessment N/A 3-yearly 5 5 Computer Audit Follow up N/A Annual 4 2 Document Imaging - Civica (Revenues and Benefits) 13 10 13 2
TOTAL COMPUTER AUDIT DAYS 45 (by month, Apr to Mar: 0 0 0 10 0 13 20 0 0 0 0 2)
TOTAL DAYS FOR SYSTEMS AND COMPUTER AUDIT IN 2013/14 213 (by month, Apr to Mar: 23 0 8 26 18 31 46 10 0 27 22 2)

Appendix 6
Summary of Internal Audit Coverage for 2013/14

The following table sets out the proposed coverage of each audit identified in the Annual Audit Plan for 2013/14. The more detailed scoping of reviews will be determined at the planning stage for each audit, with terms of reference being confirmed in audit briefs, drawn up in consultation with client officers.

Systems Audits

Work to support the Annual Governance Statement 2013/14
This audit is used to assist the Head of Internal Audit to produce the Annual Report and Opinion for 2013/14. Essentially, testing will be performed on the Council’s key controls (that have not otherwise been tested as part of the Annual Audit Plan) to highlight any significant control weaknesses. In addition, where appropriate, there will be top up testing in relation to core financial systems reviewed in detail earlier in the year, to ensure that audit samples cover a full year of transactions. We will work closely with the External Auditors to ensure that our sample testing is sufficient for their purposes, and hence they are able to place maximum reliance on our work.

Accountancy Services
An audit of Accountancy Services was last undertaken in 2011/12, received an adequate assurance level and resulted in the raising of 1 medium and 2 low priority recommendations, whereby management agreed in future to document investment decisions, undertake timely completion of bank reconciliations and retain supporting documentation explaining budget variances. This audit essentially plays a key role in assessing that the Council’s finances are being appropriately managed. Given that fundamental financial systems are being scrutinised, the outcomes of our review work will also be shared with External Audit, who will be looking to place reliance on our testing and findings.
Key areas of focus will be:
• Treasury Management arrangements
• Control accounts – the majority of control accounts are evaluated during individual systems reviews; this audit reviews any additional control accounts, including the suspense accounts
• Banking and Bank Reconciliation procedures, including banking contracts and processes
• Asset Register Management, including reconciliation to property service records
• Budgetary Control, and preparation of the annual budget
• General Ledger maintenance and journal entry controls.
It is further appreciated that in November 2012, Cabinet approved a new Community Asset Transfer Policy and we will look for compliance with this, when reviewing Asset Management controls.

Receipt, handling and banking of remittances, tourist information centres, etc
The last detailed systems review carried out in this area was in 2011/12. We were able to award an adequate assurance to the provisions in place at that time, and put forward 5 audit recommendations – 3 medium and 2 low priority, all of which were accepted by management. This particular audit will examine operational arrangements to ensure that receipt of payments (by a range of methods including direct debits, BACS, CHAPS, postal/ telephone/ website payments using debit/credit cards, as well as payments handled by the North Norfolk Information Centre in Cromer, the seasonal TICs operating in Sheringham, Wells and Holt and via a PDQ machine at the Information Centre in Fakenham) are made in a secure manner, and are promptly and accurately recorded on the cash receipting system. In order to confirm the probity of arrangements, we will analyse:
o Policies and procedures
o Physical security surrounding the making of payments
o Receipting of monies
o Posting of income
o Reconciling income.
This fundamental financial system review will again inform the work of the Council’s External Auditors.

Sundry Debtors
In September 2011, we found some weaknesses in the internal control environment applying to Sundry Debtors as a limited audit opinion was given on conclusion of our work and 10 recommendations raised, comprising 6 medium and 4 low priority. Issues were noted in all aspects aside from writing off debts and risk management of sundry debtors. In the course of this audit, we will revisit:
o Policies and procedures
o The raising of Sundry debtors, refunds and transfers
o The processing of suspense items
o Income monitoring and the recovery of outstanding debts
o Writing off outstanding debts.
Prior to embarking on the audit, we will also take into account the content of the Report on Debt Recovery for 2011/12 that was presented to Cabinet in June 2012. This is again a core financial system, and we will be liaising with External Audit regarding work done and findings made, adopting their sampling requirements so that they can rely on our work.

Revenues and Benefits – Shared Services Partnership with Kings Lynn and West Norfolk BC – Data Transfer, Governance and Risk
We completed Phase 1 of our work in July 2012, which primarily involved undertaking verification checks on the accuracy and adequacy of data transfer from the existing NNDC Civica Revenues and Benefits system to a new Open Revenues (CIVICA) platform used by the new Shared Services Partnership. The Phase 2 work, originally scheduled for Autumn 2012, subsequently had to be suspended due to data merging problems. Depending on developments in 2013/14, and further clarification being provided by management regarding the future direction of the shared service, we anticipate that some audit input will be required during the year in relation to shared processes and governance arrangements for the partnership, hence we will be liaising closely with management as to where independent assurance would be most beneficial.
We will also maintain contact with our Internal Audit colleagues at Kings Lynn and West Norfolk BC to ensure that, wherever appropriate, we can place reliance on any work they carry out in this area and conversely, they can take assurance from work that we have performed, ensuring all the while there is no duplication of effort.

Tourism and Economic Development
We previously examined Tourism and Economic Development in 2009/10, our work culminating in the issue of an adequate audit opinion and 4 audit recommendations – 3 medium and 1 low priority. It is noted that a considerable number of new initiatives have been discussed at Cabinet since September 2012, all relating to these service areas, namely:
o ‘Enterprise Norfolk’, whereby the Council is keen to contribute to the funding of a Business Start Up Support Programme over the next 2 years with Norfolk County Council, to assist a minimum of 300 beneficiaries and create 50 business starts.
o Destination Management Organisation for North Norfolk, whereby the Council is pursuing working in partnership with Visit North Norfolk Coast and Countryside Ltd, providing a funding contribution over the next 3 years to deliver NNDC tourism services for the district.
At the detailed scoping meeting with management, we will explore where audit resources would be best targeted to give independent assurance.

Private Sector Housing Disabled Facilities Grants (DFGs) (to be undertaken in conjunction with Broadland Council)
This area was previously scrutinised in 2010/11 and warranted an adequate audit opinion at that time. DFGs are a grant administered between the Welfare Authority (Norfolk County Council) and the district Housing Authorities. If adaptation work is requested this would also involve Social Care Occupational Therapists.
North Norfolk, South Norfolk and Broadland Councils are the first phase of a countywide programme to place Social Care staff into housing teams to allow better assessments, faster solutions and increased understanding between authorities. A consistent model is sought for each Integrated Housing Adaptation Team; however, it is recognised that there does need to be flexibility to recognise local processes. A report of the project to date will be provided in April by the County Disabled Facilities Grant Project Officer, and this will be a useful basis upon which to further scope the audit. This audit will be carried out in conjunction with Broadland Council only (as DFGs were evaluated at South Norfolk Council in 2012/13) and will review the robustness of new methods of working.

Development Management includes planning applications, planning enforcement, s106 agreements, Community Infrastructure Levy and Land Charges
We have been advised that the Planning Service is hosting a Local Government Association / Planning Advisory Service Peer Challenge in mid February 2013 to support, promote and improve the authority’s Planning Service, and in particular, the Development Management Service. It is hoped that the review of staffing structures, processes, negotiation with developers and planning enforcement activity with a team of External Specialists will enable an Improvement Plan to be formulated, which can resolve service delivery problems which have been steadily increasing since 2010/11. Our audit is recommended to commence in Quarter 4 of 2013/14, to comment upon the new operational arrangements put in place following the Peer Review, providing an independent focus on internal control systems relating to planning application processes, planning enforcement, building control, income processing, section 106 agreements and, new this year, the Community Infrastructure Levy – a new levy that local authorities can choose to charge on new developments in their area, with the money generated in consequence being used to support further development by funding infrastructure that the Council, local community and neighbourhoods want. If time permits, Land Charges represents a further area where audit coverage might additionally be included.

Waste Management including contract / agreement monitoring, income collection and monitoring, refuse collection, street cleansing, recycling, clinical waste, abandoned vehicles and grounds maintenance
Due to the material nature of the waste service to the Council, the management of the service is subject to audit scrutiny on a 2-yearly basis; hence this service was last reviewed in 2011/12. Our previous audit had looked at the new waste management contract which had just commenced and resulted in a limited audit opinion being given based on control weaknesses found in overall contract monitoring processes. This next audit will provide an independent assessment as to current contract monitoring arrangements, covering the service elements of refuse collection, street cleansing, recycling and grounds maintenance, as well as income collection provisions.

Environmental Health Services includes emergency planning, food safety, environmental protection, pest control, dog warden, licensing and pollution control
Our last inspection of Environmental Health Services took place in 2010/11 and generated an adequate assurance in respect of Licensing, Contaminated Land, Pest Control, Stray and Lost Dogs, plus Emergency Planning (excluding Business Continuity). We will consult with management as to where our focus needs to be directed in 2013/14, although Food Safety is an aspect that we have not previously evaluated and thus we would recommend that it is one element where independent scrutiny might be beneficial.
Consultation with the Head of Environmental Health when developing strategic audit planning proposals for 2013/14 has established that the FSA conducts regular audits in this area, so we will review the latest reports produced by this body in relation to Council activity to ascertain whether we can take assurance from their work before finalising terms of reference for our audit.

Car parking & markets
We previously examined these operational areas in 2011/12 and noted a number of weaknesses in the two systems of internal control, subsequently reflected in the limited opinion that we gave and the 9 recommendations raised in consequence - 4 medium priority relating to Car Parks, and 3 medium and 2 low priority concerning Markets. This audit will thus analyse the internal controls currently exercised over the Council’s pay and display car parks, via shared service arrangements put in place with Kings Lynn and West Norfolk BC from 01/04/2011 for a period of 5 years. Additionally, audit input will be given to the Council’s management of weekly markets at Stalham, Sheringham and Cromer, recognising that this service came back under the Council’s control from 01/04/11, after having been formerly outsourced to (NCS) NORSE.

Freedom of Information and Data Protection
It is noted that the Information Commissioner’s Office (ICO) can undertake advisory visits and audits on behalf of public and private companies, public authorities and government departments, examining whether there are effective data protection/information governance policies and procedures in place and if these are being properly followed, ensuring compliance with the principles of the Data Protection Act. However, ICO resources are limited in terms of the input that can be provided to organisations, e.g. just 32 local authorities have been reviewed in the last 2 years.
In consequence, having noted best practice findings and observations published on the ICO website, an Internal Audit examination of activities in this area is advocated, which also encompasses the authority’s response to the Freedom of Information Act. This audit will therefore review the way in which the Council manages its responsibilities in relation to freedom of information requests and will also analyse operational arrangements governing the registration of systems and data with the Information Commissioner’s Office, data security provisions generally with some reference to data transfer arrangements, management of manual data and development/compliance with data retention requirements across the Council.

Computer Audits

IT Security
This audit will look at IT Security and includes the following:
• ICT Security Policies;
• Practices for the securing of IT Hardware;
• Hardware de-commissioning;
• Mobile Device Security (USB Drives, Mobile Devices); and
• Encryption.

Document Imaging - Civica (Revenues and Benefits)
The Document imaging application is used by Revenues and Benefits and is a key resource in delivering an effective service to the residents of the District and was highlighted as a key application during the de-brief following the initial analysis. Any weaknesses in the application controls could have a significant impact on the Council’s ability to deliver an effective service and depending on the type of weakness could see the Council in breach of legislative requirements. The areas covered in this audit will include:
• Access Controls;
• Document Imaging Process;
• Data Processing and Document Routing;
• Data Output;
• Interfaces;
• Management Trails; and
• Support Arrangements and Change Controls.

Revenues and Benefits Application - Civica
The Civica application is the Council’s Revenues and Benefits application.
This audit will cover the application controls for the key modules within the application including National Non Domestic Rates (NNDR), Council Tax and Housing Benefits. The areas covered in each of these modules include:
• Access Controls;
• Data Input;
• Data Processing;
• Data Output;
• Interfaces;
• Management Trails; and
• Support Arrangements and Change Controls.

Computer Audit Needs Assessment
It is also timely to undertake a new Computer Audit Needs Assessment (CANA), which takes into account the current infrastructure and IT requirements at the Council to help develop a strategic, risk based Computer Audit plan to cover the next three years. In the course of the CANA, we assess the risk in terms of a number of audit areas so that audit types are distinguished by different audit risk objectives, e.g. Applications, Management issues and Infrastructure. The nature of auditable areas differs between audit types, e.g. for an application audit the auditable area can be within a specific installation, for Management and Infrastructure audits it can be Council wide, departmental, outsourced, or some combination of these, and impact on a variety of corporate risks.

The Risk Assessment model takes account of four assessment categories to produce a risk index for each auditable area. The auditable area is scored in each category using assessment criteria to gauge the degree of risk or materiality associated with the particular area. The table below summarises the four assessment categories and what each is intended to measure.

Assessment Category                               Measure
Corporate Importance – Objectives/Priorities      Corporate materiality
Corporate Sensitivity – Impact                    Political materiality
Inherent Risk                                     Inherent vulnerability
Control Risk                                      Control effectiveness

The auditable areas will then be classified into four bands according to their significance.
These bands will subsequently be used to determine the priority and frequency of audits to be undertaken in future years. The Needs Assessment basically analyses 36 discrete auditable areas which together are considered to comprise the key aspects of the IT environment within the Council. A separate analysis is also carried out to complement these areas to determine the Council’s key applications and upcoming projects. Resultant findings are then used to populate Strategic and Annual Computer Audit Plans.

Name of Committee: Audit
Date of Committee: 19-03-13
Agenda Item No 10

Business Continuity

Summary: Six monthly update on business continuity planning, the progress made to date, ability to respond to any disruptive events that have recently occurred and the outline of future objectives.
Conclusions:
Recommendations: That members note the contents of the report.
Cabinet member(s): All
Ward(s) affected: All
Contact Officer, telephone number and e-mail: Richard Cook, 01263 516269, richard.cook@north-norfolk.gov.uk

1. Introduction
Part of the Civil Contingencies team’s (CCT) role is to ensure that the Authority has a robust and effective business continuity plan (BCP) in place. As reported previously, CCT are working with Service Managers to ensure that all relevant plans are up to date and appropriate.

1. Team Business Continuity Plans
All teams should produce a Business Impact Assessment (BIA); this will allow an analysis of the team to be carried out and indicate whether or not a team delivers a critical service. At this stage only teams with critical elements will be required to produce a team BC plan, although non critical teams will be encouraged to complete the plans too.
At this stage the following teams have completed their BC documentation:
BC Docs No BC Docs Environmental Health (Commercial, Envro Protection, Civil Contingencies, Environmental Servs) Licensing (partly done) Finance Revenues & Benefits (Meeting 4th March) Payroll Elections (Have Election Plan) HR Housing Options Waste Customer Services IT Web/Media Property Services Non Critical Services Sustainability Reprographics Economic Development Policy and Performance Legal Planning Development Building Control Assets & Leisure (Part) Housing Strategy

Revision dates have now been reported to the TEN policy and performance system to help managers manage the review of their BC plans. A spreadsheet is being produced as part of the analysis of all the BC documentation and this will allow the authority to see what staffing levels, equipment and specific functions will be required at each period of the disruption. This information will allow for a more strategic view to be taken with the BC planning in the event of an incident.

2. Business Continuity Working Group (BCWG)
The BCWG continue to meet and have now started to peer review the new plan ready for the next revision date.

3. Disruptive Events
Snow and ice weather disruption: the Crisis Management group met and decided to reduce staffing levels to a minimum to reduce the risk to staff travelling. A de-brief feedback form has been passed to managers and a report will be produced on how the incident went.

4. Corporate BC Plan
The NNDC Corporate Business Continuity Plan has now been signed off. The CCM has completed one to one training with all the managers who have a responsibility under the new BC plan. Other key staff, such as the evacuation co-ordinator and customer services, have also been initially trained on their roles and responsibilities.
All staff training has been arranged and this will be delivered by James Allison, an external business consultant, in conjunction with the CCM. Part of this process will be an independent review of the authority’s BC management arrangements. In addition a small BC related article will be promulgated in the Staff Briefing document.

5. Disaster Recovery (DR) and Work Action Recovery (WAR) Site
A feasibility review of the Fakenham Connect building has been carried out and it shows the benefit and enhanced resilience this facility would give the Authority. CLT have agreed that this process can move on. The DR suite for NNDC is now in place and is at the final testing stage. Kings Lynn will also be housing their DR suite at Fakenham. This gives the added benefit that if we lose the internet line from the Cromer Offices we will be able to direct our internet traffic out via Kings Lynn, independent of the Cromer offices. In addition, Kings Lynn will be contributing to any costs for the DR Facility.

The main area of the Fakenham building will be used to house the WAR site and work is on-going to make this operational for up to 30 staff to be able to deliver the Authority’s critical services in the event of the loss of the Cromer offices. This will be in addition to having the ability to have 70 staff working remotely. So in the event of the loss of the Cromer offices we would be able to get 100 members of staff operational in a very short timescale. This facility can also be used by the authority as a remote working site or small conference area. In addition it could provide the authority other benefits during BC incidents such as severe weather, as staff could work from this location rather than travelling to Cromer. This facility is also being offered as a shared asset to Kings Lynn and their Emergency Planning Officer is keen to take up this offer to boost their resilience.
If this proves to be successful the use of the asset will also be offered to the other Norfolk authorities.

Agenda Item 11
Agenda Item 12

AUDIT COMMITTEE WORK PROGRAMME 2012 - 2013
MARCH 2013 JUNE 2012 SEPTEMBER 2013 PWC Audit Plan (PWC) Annual Grant Certification Report Internal Audit Quarterly Summaries of completed audits – not provided this month as only one report available. Audit Plan Annual Review of the Effectiveness of Internal Audit DECEMBER 2013 PWC 2012/13 Annual Governance report (ISA260) Protocol for liaison between internal and external auditors Annual Audit Letter (PWC) Quarterly Summaries of completed audits Half yearly progress reports on the overall performance of the audit contract Annual Report and Opinion Report on follow-up work Status of agreed actions NNDC Risk Monitoring Officer’s Report Statement of Accounts (+ informal training) Business Continuity Review Business Local Code of Continuity Corporate Governance and Action Plan – update Annual Governance Statement 2012/13 – update Corporate Risk Register Business Continuity Plan Review Business Continuity

Appendix 7 North Norfolk District Council Map of Audit Assurances provided since 2008/09
2008-09 2009-10 2010-11 2011-12 2012-13 Adequate Adequate Adequate Adequate X 2013-14 Annual Opinion Audits Corporate Governance and Risk Management Ethical Governance Fundamental Financial Systems Sundry Debtors Remittances Accountancy Services Housing Benefits Council Tax / NNDR Exchequer/Creditors Payroll / HR Budgetary Control Revenues and Benefits Partnership - Data Transfer, Governance and Risk One-off audit Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Limited Adequate Adequate Adequate Adequate Adequate Good X X X X X X X Incorporated into accountancy Good Adequate Head of Economic and Community Development Tourism and Economic Development Foreshore and coastal management / Coastal Change and Pathfinder Management Adequate Homelessness and
Strategic Housing Affordable Housing Adequate Private Sector Housing and Disabled Facilities Grants Adequate Communities and Safety Adequate X X Good Adequate Adequate Good Adequate X Absorbed into future audits concerning Localism and Communities Limited Head of Development Management & Head of Economic and Community Development Development Management, Planning, s106 Agreements, Community Infrastructure Levy and Land Charges Adequate X Head of Assets and Leisure & Head of Economic and Community Development Partnerships Limited Head of Environmental Health Waste Management Environmental Health Limited Head of Assets and Leisure Sports Halls/Centres Leisure Complexes Property Services Car Parking and Markets Adequate Adequate Limited Limited Adequate Adequate Adequate Limited Limited X X Adequate Adequate Adequate Limited Head of Assets and Leisure & Head of Environmental Health Parks and Open Spaces Limited Head of Organisational Development Elections / Electoral Registration Data Quality Adequate Performance Management, Corporate Policy, Planning Adequate X Adequate Good Good Discontinued as NI's ending Deferred to 2012/13 Adequate February 2013 Business Manager (Corporate and Democratic Services) Legal Services, Data Protection, Freedom of Information Head of Legal Whistleblowing Concessionary Fares Adequate Head of Finance Projects and Procurement Car Allowances Adequate Adequate Unsatisfactory X One-off audit Function transferred to County Council Adequate Adequate One-off audit IT Audits General Ledger/Cedar Financials Application Project Management General IT Controls Cash Receipting Document Imaging - Civica Revenues and Benefits IT Security IT Security, Procurement and End User Controls Software Licensing Revenues and Benefits Application Network Infrastructure Business Continuity Data Centre, Back Up, Disaster Recovery Data Consistency Payroll and Personnel Content
Management X Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate X X Adequate Adequate Limited X Limited Adequate Adequate Adequate Adequate