Part One ITEM No.8

REPORT OF THE STRATEGIC DIRECTOR OF CUSTOMER & SUPPORT SERVICES

TO THE: BUDGET & AUDIT SCRUTINY - AUDIT SUB COMMITTEE

ON Monday, 13th June 2005

TITLE: INTERNAL AUDIT - ANNUAL REPORT 2004/2005

RECOMMENDATIONS:

Members are asked to note the contents of the report.

EXECUTIVE SUMMARY:

The purpose of this report is to inform members of Internal Audit activity during 2004/2005.

BACKGROUND DOCUMENTS:

(Available for public inspection)

Quarterly Committee reports, Audit Management Information System.

ASSESSMENT OF RISK:

Internal Audit projects are managed within the Unit’s risk based audit protocols aimed at giving assurance regarding the management of the City Council’s key business risks.

SOURCE OF FUNDING:

Existing revenue budget.

COMMENTS OF THE STRATEGIC DIRECTOR OF CUSTOMER AND SUPPORT SERVICES (or his representative):

1. LEGAL IMPLICATIONS Provided by: Deputy Director of Customer & Support Services and City Solicitor

2. FINANCIAL IMPLICATIONS Provided by: Head of Finance

PROPERTY (if applicable): N/A

HUMAN RESOURCES (if applicable): N/A

CONTACT OFFICER:

Andrew Waine Audit Manager

Tel: 0161 793 3357

Email: andrew.waine@salford.gov.uk

WARD(S) TO WHICH REPORT RELATE(S): N/A

KEY COUNCIL POLICIES: N/A

DETAILS: See report attached.

1 INTRODUCTION

This Annual Report relates to the final year, 1st April 2004 – 31st March 2005, of the four-year strategic audit plan that was approved by the Quality and Performance Scrutiny Committee at its meeting held on 21st March 2001.

This report is intended to:

• Give a general appreciation of the basis of internal audit
• The key performance influences during the year
• An overall opinion of the reliability and effectiveness of the internal control environment within the City Council. This opinion is made in light of the work that has been undertaken by the varying disciplines that work within the City Council’s Internal Audit Section, and,
• Informs the Statement on Internal Control, a mandatory document that forms part of the City Council’s Annual Statement of Accounts.

2 THE ROLE OF INTERNAL AUDIT

The current legal basis for the internal audit function in local government is the Accounts and Audit Regulations 2003, which state that each authority “shall maintain an adequate and effective system of internal audit of their accounting records and control systems”.

The CIPFA Code of Practice for internal audit in the United Kingdom (2003) gives the following definition of internal audit:

“Internal audit is an assurance function that primarily provides an independent and objective opinion to the organisation on the degree to which the internal control environment supports and promotes the achievement of the organisation’s objectives.

It objectively examines, evaluates, and reports on the adequacy of internal control as a contribution to the proper, economic, efficient and effective use of resources.”

The Institute of Internal Auditors definition of internal audit is as follows:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

3 OBJECTIVES AND SCOPE OF INTERNAL AUDIT

The essence of the internal audit service is also encapsulated in its Mission Statement, as follows:

“The mission of Internal Audit is to give management independent advice of any necessary changes to all systems of internal control that have a fundamental bearing on the accomplishment of organisational objectives”

The emphasis placed on internal audit’s role in reviewing all systems, both financial and otherwise, represents the industry’s best practice. The move away from the traditional review of financial systems enables Internal Audit to give an opinion on the adequacy of all systems of internal control.

4 SUMMARY OF APPROACH TO WORK

The Internal Audit Section utilises a risk based approach to its work, and it is this approach that forms the basis of most of the reviews undertaken by the Section.

It has also been appropriate to utilise other techniques such as Systems Based Audits, Analytical Reviews, and flowcharting the City Council’s major systems, which is recognised as an industry standard methodology.

It has also been necessary to update existing pre-populated databases of key risks and controls, particularly for school audits, in the light of influences from external sources and the impact of corporate governance changes.

The Section has long been a pioneer in the use of automated audit software. To improve the efficiency of staff and, ultimately, the timely production of reports to our clients, greater use has been made of this technology, which, together with electronic mailing facilities, has brought a tremendous improvement in service delivery.

In a similar way, further expansion has been made of the Section’s electronic audit planning tool, which allows the areas within the “audit universe” to be constantly reviewed and re-ranked by risk on a regular basis, thus ensuring the areas of highest risk are subject to audit review as and when necessary.

5 REVIEW OF KEY INFLUENCES IN THE YEAR

Development of the Audit & Risk Management Unit

In the early part of the year, the Audit & Risk Management Unit (ARMU) was formed, replacing the former Business Risk and Control. In essence, this re-classification reflects the impact that risk management has had, and continues to have, on the operations of the City Council. It should be noted that the services provided by the Unit have not altered, other than that greater emphasis has been given to the arrangements the City Council has in place as regards its governance procedures.

The City Council will be subject to a number of major influences in the next few years. Key amongst these will be the impact of Corporate Governance and how it incorporates the “science” into its culture and management systems.

Corporate Governance is defined as “the systems by which organisations are directed and controlled”, which obviously includes measures for the management of risk. Local Authorities have been required to demonstrate compliance with the CIPFA / SOLACE Corporate Governance framework from the financial year 2002/2003. ARMU will act as the “champion” of the City Council’s response in this area.

The Comprehensive Performance Assessment (CPA) framework places a clear emphasis on the performance of the Authority. This means that the services of the Authority will come under much greater scrutiny than has hitherto been the case.

External Auditors are required to provide scored judgements of the adequacy of audit arrangements including assessments of:

• Financial standing
• Internal financial control
• Prevention and detection of fraud
• Financial statements, and
• Legality of financial transactions.

The work of Internal Audit has a direct bearing on the CPA scoring of the aforementioned assessments; it is therefore important that Internal Audit are able to demonstrate their contribution to the overall control environment of the City Council by undertaking annual assessments of these key processes.

Audit Commission review of Internal Audit

The City Council is responsible for putting in place proper arrangements for the review of its internal control systems. Internal Audit is an important part of these arrangements and as such should meet the standards set out in CIPFA’s Code of Practice for Internal Auditors in Local Government.

The Audit Commission, as appointed external auditor, is responsible for reviewing and reporting on the City Council’s arrangements within the Audit Commission Act 1998 and the Code of Audit Practice.

Each year the Audit Commission reviews the work of Internal Audit in order to:

• Assess the contribution of internal audit to the internal control environment of the Authority
• Identify areas where reliance can be placed on the work of internal audit, thereby avoiding duplication and ensuring an efficient and effective audit.

External auditors assess the internal audit function each year for the purposes of updating the Council’s annual CPA. In 2004, the Audit Commission assessed the Council’s internal audit function as four (out of four), which translates as an overall assessment of good. The Internal Audit Section maintains strong working relationships with the Audit Commission. Annually, the Commission place reliance on the work of its internal counterparts as part of their final accounts procedure.

Salford Community Leisure Limited

At the time of the creation of Salford Community Leisure Limited in 2003, most of the central support services provided by Salford City Council continued to be provided to the newly formed Leisure Trust. During the financial year 2004/05, the Trust decided that it would market test its internal audit services, and invited its current providers to tender.

The Trust Board decided to appoint an external company to provide internal audit services and as such, this service is not provided by the City Council’s Audit & Risk Management Unit. However, there are other services within the structure of ARMU, which the Trust has decided to retain.

Partnering Organisations

With effect from 1st February 2005, the City Council’s Development Services Directorate entered into a partnering arrangement with Capita and Morrisons to become Urban Vision. The creation of this partnership has had an impact on the work of Internal Audit in that there was, and remains, a requirement to safeguard the Council’s interests as a partner, whilst also assisting the new organisation in the development of its systems of control. This work will continue during the course of 2005/6 as the partnership develops its business activities, and Internal Audit are ideally placed to respond to its client’s demands.

Best Value Performance Indicators

The Audit Plan for the year made provision for the review of the national BVPIs, against which the City Council is assessed in terms of its performance. Internal Audit examined the level of control within the systems that produce the data, to assess the reliability of the information. It is pleasing to report that the majority of indicators examined were found to be reliable in their data production and, where appropriate, recommendations were made to enhance existing procedures. This is a key piece of work as the Comprehensive Performance Assessment score of the Council is directly affected by the performance of these key indicators.

Irregularity

Internal Audit is responsible for undertaking irregularity work within the Council. The Council’s Anti-Fraud and Anti-Corruption Strategy was reviewed during the year and the Budget & Audit Scrutiny – Audit Sub Committee approved the revised strategy in September 2004. The Strategy is available on the City Council’s Intranet and on the Internet, and has been publicised by means of posters throughout the Council. In addition, payslip and email reminders have been issued throughout the year to ensure that all staff are aware of the robust mechanisms that the Council has in place to combat fraud and corruption. It is pleasing to report that the number of referrals received during the year showed a 10% reduction on the previous year’s level.

Referrals were made, in the main, regarding fraud and theft matters, in addition to computer misuse, which continued to be reported. Appropriate action has been taken in all cases. Where remedial action has been identified by Internal Audit, actions have been taken by management to strengthen internal controls.

An Investigation Panel has been established comprising the Strategic Director of Customer and Support Services, Deputy Director of Customer Support Services and City Solicitor, Head of Human Resources and Assistant Director, Audit & Risk Management Unit. The Panel receives progress reports on all cases referred to Internal Audit on a monthly basis, and reviews the appropriateness of actions taken.

Cases that have been referred to directorates for internal investigation are also reported to the Panel, in order that a comprehensive view can be taken to ensure consistency in the robust application of the Anti-Fraud and Anti-Corruption Strategy.

Investment continues to be made in training and development for staff undertaking investigations, and it is hoped that during the coming year, formal fraud investigator accreditation will have been achieved, to complement the computer forensic examination accreditation that is already held.

Computer Audit

The focus for the year’s plan was to be highly flexible and responsive to the needs of our customers in the Council, as well as meeting requests and priorities from the Audit Commission.

The team continued to expand its skill-set, enabling a greater diversity and depth of coverage than was previously possible. The team has continued to work with all directorates, not just IT, to assist in the strategic aim of embedding risk management into their everyday policies and practices.

In addition to delivering a diverse range of audit coverage, encompassing technical, operational and strategic reviews, the team has provided advice and guidance on a number of ongoing projects such as Council Tax / Benefits replacement system, e-Government and Education / ICT Broadband. Significant pieces of audit work have resulted in recommendations for improved governance over the implementation of the Freedom of Information Act and better co-ordination of the strategy for SAP, the Council’s main accounting system.

Work commenced during the year on assessing gaps between the Council’s existing security policy and BS7799 standards, which has resulted in the publication of a new Corporate Information Security Protocol.

Business Continuity planning has progressed beyond the original pilot in Salford Direct. Incorporating lessons learnt, a model based on the Business Continuity Institute and PAS56 standards is being rolled-out throughout the City Council. The model is fully embedded in some directorates, with initial trials already having taken place.

Towards the end of the year the focus of the team shifted to allow it to concentrate on delivering key audit services, with ancillary functions such as Business Continuity Planning and BS7799 work being reassigned to more appropriate teams within the Council.

6 AUDIT PERFORMANCE IN THE YEAR

Internal Audit Plan Outturn

The Internal Audit Section is required to submit information regarding its performance to the Budget & Audit Scrutiny – Audit Sub Committee on a quarterly basis. This Committee also receives summaries of each audit report issued within the reporting period.

At the end of the financial year 2004/05, the Internal Audit Plan had attained 101% of its original target.

Quality Control Questionnaires

At the conclusion of each audit assignment, the client is requested to complete a Quality Control Questionnaire, which enables the way in which audit services are delivered and the perception of the value of the audit process to be monitored.

The questionnaire is structured to allow the customer to specifically comment on:

• Consultation/approach
• Management of the audit
• The Audit Report
• General and other comments.

Performance Indicators have been established to measure this level of customer satisfaction. During 2004/05, the responses obtained would indicate the following:

• 100% of respondents expressed satisfaction with the service
• 100% of respondents reported the provision of a good service
• 90% of respondents found the service to be of an excellent quality

Other Performance Data

Key Performance Indicators have been established to demonstrate the efficiency of the audit service. The targets set at the commencement of the year and the performance over the same period are detailed in Table 1 below, together with data from the preceding period:

Table 1: Internal Audit Performance Data 2004/5

| Indicator | Target (Working Days) | Performance (Working Days) | 2003/4 |
|---|---|---|---|
| Achievement of chargeable days | 180 | 208 | 173 |
| Draft reports issued within 10 days of fieldwork | 10 | 5 | 6 |
| Final reports issued within 10 days of management response to draft report | 10 | 3.5 | 9 |

The Audit Section has achieved a 16% increase in the number of chargeable days over the year against its target. Similarly, there have been improvements in the time taken to distribute the results of our work to clients, which is attributable to changes in working practices.

7 OVERALL INTERNAL AUDIT OPINION

In attempting to give an overall opinion of the control environment pertaining to 2004/2005, it is important to stress the dangers of such an approach. Internal Audit review a variety of systems throughout the year, which form only a minority of the systems reviewed during the four year Strategic Plan period. Therefore, whilst any opinion given will be largely based on objective criteria, there will inevitably be some element of subjectivity in the final analysis.

During the year, Internal Audit was instrumental in revising the City Council’s Standing Orders and Financial Regulations. These key documents form the basis of financial control over all of the Council’s capital and revenue expenditure and are integrated within the Council’s Constitution. Formal approval of Standing Orders was made by the full Council at its meeting of the 19th May 2004; Financial Regulations were formally approved by the full Council at its meeting of the 16th March 2005.

The modern Internal Audit approach, which identifies areas of weakness with a view to assisting rather than criticising management, to allow improvements to be made, is of particular benefit in reviewing areas subject to major change. The reviews of these areas have, therefore, been conducted with an awareness of the pressures placed on staff whilst identifying potential risk to the organisation and proposing practical remedies to reduce these risks. Internal Audit will, therefore, continue to work with management to help to improve the financial control environment, as sound financial controls are fundamental to the achievement of an organisation’s overall objectives.

It should be emphasised that where weaknesses have been identified, Internal Audit have consulted with clients to agree practical solutions and have found a positive commitment to recommendations to improve processes. Our policy of conducting Post Implementation Reviews provides the assurance that agreed action has been undertaken.

Most of the major financial systems, such as Council Tax, Housing Benefits, NNDR, Income Collection, and Treasury Management were found to be well controlled.

Audit reviews undertaken in areas of a high operational risk within directorates such as Education and Social Services found a good understanding of risk and risk mitigation, with many processes being well controlled.

The control environment in schools has improved considerably with many examples of good practice being identified. Where weaknesses were identified, agreement was made regarding appropriate recommendations with the Headteacher in most cases.

On the basis of the systems reviewed and reported on by Internal Audit during the year, it is felt that the overall financial, operational, and strategic control environment is of a good standard.

What is particularly pleasing is that the control environment in many areas reviewed shows a year on year improvement. This is a further testament to the City Council’s commitment to the continual improvement to the delivery of quality services.

8 CONTINUED DEVELOPMENTS

Key areas of development for this and future years are likely to be:

• A key role in the development and ongoing operation of the Children’s Services Directorate
• Advising and reviewing the control environment within partnering organisations
• The impact of the International Standards on Auditing in obtaining a greater understanding of the systems of internal control, and the assessment of the risk of material misstatement within the published accounts
• The further development of Control Risk Self-Assessment techniques
• Continued reinforcement of the Anti-Fraud and Anti-Corruption strategy
• Greater emphasis on the use of Computer Assisted Audit Techniques within the delivery of audit services
• Development and delivery of the Audit Plan that addresses the key business risks of client directorates on a concurrent basis.

9 RECOMMENDATION

Members are asked to note the contents of this report.
