Assurance - Stratford-on-Avon District  · Web viewThe key word in the definition is assurance,...

Internal Audit Strategy 2019/2020 “Providing assurance on the management of risks”


This document sets out the Internal Audit Strategy 2019/2020 for Stratford on Avon District Council. These services are provided by the Internal Audit Team of Warwickshire County Council under a shared service partnership agreement. This document complements the formal contract with Warwickshire County Council for the delivery of internal audit, the Audit Charter and the Council’s Risk Management Policy.

Services

All organisations face risks in every aspect of their work: policy making, decision taking, action and implementation, regulation and spending and making the most of their opportunities. The different types of risk are varied and commonly include financial risks, IT risks, supply chain failure, physical risks to people and damage to the organisation’s reputation.

The key to the Council’s success is to manage these risks effectively. The role of the internal audit provider is to help the Council to do this by providing a high quality, comprehensive and cost effective service that complies fully with all relevant professional and regulatory requirements.

Different parts and levels of an organisation play different roles in managing risk, and the interplay between them determines how effective the organisation as a whole is in dealing with risk. The Institute of Internal Auditors uses a three lines of defence model to explain internal audit’s unique role in providing assurance about the controls in place to manage risk:


The management of risks is the responsibility of every manager. Sitting outside the processes of the first two lines of defence, audit’s main roles are to ensure that the first two lines of defence are operating effectively and advise how they could be improved.

The role of the Internal Audit Service is therefore to support managers by providing the following services:

Assurance

We develop and then deliver a programme of internal audits to provide independent risk based and objective assurance to senior management, the Audit and Standards Committee and ultimately the taxpayers of the area that significant risks are being addressed. To do this, the service will evaluate the quality of risk management processes, systems of financial and management control and governance processes and report this directly and independently to the most senior level of management. In accordance with regulatory requirements most individual assurance assignments are undertaken using the risk-based systems audit approach and are not usually designed to identify potential frauds.

We give an opinion on how much assurance systems give that significant risks are addressed. We use four categories of opinion: Full, Substantial, Moderate and Limited assurance.


A report, incorporating an agreed action plan, will usually be issued for every audit. The results of audits are reported to the relevant managers and the Council’s Audit and Standards Committee. To assist managers in addressing areas for improvement, recommendations are ranked in order of importance: Fundamental, Significant and Merits Attention.

Advice

Where the Council faces major changes in systems and procedures we are able to provide advice on the control implications of these changes. The service will act as a critical friend, challenging the design of processes to reduce the risk of project failure.

Our knowledge of the management of risk enables us to challenge current practice, champion best practice and be a catalyst for improvement and provide objective insight so that the Council as a whole achieves its strategic objectives.

So, for example, if a manager is concerned about a particular area of his/her responsibility, working with us could help to identify improvements. Or perhaps a major new project is being undertaken - we can help to ensure that controls are put in place to manage them.

It is more constructive for us to advise on design of processes during the currency of a change project rather than identify problems after the event when often it is too late to make a difference - timely advice adds more value than untimely criticism.

Irregularities

As a publicly funded organisation the Council must be able to demonstrate the proper use of public funds. Managers have the responsibility to have systems in place to prevent and detect irregularities. The more complex cases will be investigated by Internal Audit. Minor, straightforward allegations may be referred back to the relevant manager for further investigation, with internal audit providing professional support to investigate the matter. We assist by:-

Investigating the allegations;

Supporting managers in any subsequent disciplinary action;

Liaising as necessary with the Police and insurers;

Producing a report identifying control weaknesses to help managers improve systems to reduce the risk of a recurrence.

The Council’s Corporate Fraud Officer will continue to concentrate upon fraud in relation to claimants against the Council through Council Tax and will liaise with the DWP where appropriate. He will also review the output from the NFI.

Counter fraud

The service can also undertake specific counter fraud work. However, this often involves checking large numbers of transactions, for example travel claims and Procurement Cards, to identify errors and potential frauds. This is time-consuming work, so these exercises are rarely undertaken.

Context

The Accounts and Audit Regulations 2015 require the Council to have a sound system of internal control which:

facilitates the effective exercise of their functions and the achievement of its aims and objectives

ensures that the financial and operational management of the authority is effective; and

includes effective arrangements for the management of risk.

The Regulations require accounting systems to include measures to ensure that risk is appropriately managed. Furthermore, the CIPFA/SOLACE governance framework “Delivering Good Governance in Local Government” outlines the need for risk management to be embedded into the culture of the organisation, with members and officers recognising that risk management is part of their jobs.

The requirement for an internal audit function is also contained in the Regulations which require the Council to:

“undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.”

The Council has delegated its responsibilities for internal audit to the Executive Director and S151 Officer.

Definition of Internal Auditing


“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

The key word in the definition is assurance. The role of audit is not to identify or investigate alleged irregularities; it is primarily to provide reasonable assurance to the organisation (managers, heads of services and the Audit and Standards Committee), and ultimately the taxpayers, that the authority maintains an effective control environment that enables it to manage its significant business risks. We do this by providing risk based and objective assurance, advice and insight. The assurance work culminates in an annual opinion on the adequacy of the Authority’s control environment, which feeds into the Annual Governance Statement.

Vision, purpose and values

As a modern, effective Internal Audit service, our aspirations are to:-

Act as a catalyst for improvement at the heart of the organisation;

Influence and promote the ethics, behaviour and standards of the organisation;

Provide an independent and objective opinion on the adequacy of each customer’s arrangements to manage risk;

Develop a risk aware culture that enables customers to make informed decisions;

Be forward thinking;

Continually improve the quality of our services.

A key driver of this strategy is the need to meet all our customers’ needs. Our customers will continue to be affected by a variety of local and national issues:-

Increased growth in partnerships;

Ever increasing use of technology to deliver services;

Flexible working arrangements to make more effective use of accommodation;

The introduction of new ways for customers and the public to access services; and

Pressure to reduce costs while improving quality/effectiveness.

To deliver on our vision we will:-


Continue to develop our staff to ensure we are fully equipped to respond to our customers’ demands;

Continue to invest in modern technology to improve efficiency and effectiveness;

Add value and make best use of our resources by focussing on key risks facing our customers;

Increasingly work in partnership with clients to improve controls and performance generally. We must add value and help deliver innovations in service delivery;

Continue to buy in specialist help where necessary.

By embracing these challenges we will be a vital component of the Council’s success.

Workplan 2019/2020

The focus of our work is primarily on the high risk areas as contained in the Council’s risk registers and key corporate processes underpinning the control and governance of the Council. Corporate audits of this nature are a more effective use of limited resources and are key to providing the appropriate assurance to the Council.


Figure 1: Key corporate processes

Sound corporate governance means doing the right thing, at the right time, in the right way, for the right people, and depends upon: financial management; HR policies and processes; performance management; programme and project management; effective scrutiny; complying with legislation; commissioning and procurement; contract management; business planning; open and transparent decision making; managing partnerships.

To ensure the best use of limited audit resources audit work needs to be carefully planned. The plan is developed in consultation with senior managers and takes account of the Council’s aims, strategies, key objectives, associated risks, and risk management processes. It also takes into account those topics which have not recently been audited or which feature in the Council’s risk register or which when last audited received a low opinion. In addition, auditors regularly attend various professional networking meetings which highlight the wider issues affecting public sector internal audit, which need to be reflected in the programme of work.

In line with the Council’s objectives, auditors will pay particular attention to providing advice and insight concerning instances of over-control, and to streamlining processes.

To minimise duplication and make the best use of limited resources we aim to rely on work undertaken by other assurance providers rather than undertake our own detailed checks. If these arrangements are sound then future audit work on the topics covered can be limited.


Although our roles and responsibilities are different the service liaises closely with the Council’s external auditors.

The majority of the audit plan will be provided by the Internal Audit Service of Warwickshire County Council but external parties may be employed to provide support in specialist areas, for example IT Audit, and to cope with peaks in demand.

Our approach for 2019 / 2020

As in previous years the plan covers one year which is accepted best professional practice. The focus of our work continues to be primarily on the high risk areas, key change programmes and key corporate processes. Audits of this nature are a more effective use of limited resources and are key to providing the appropriate assurance to the Council that its overall governance arrangements remain effective.

Based upon the discussions to date and our professional judgement an indicative priority has been allocated to each potential topic. The Council’s strategic risks and the key planned work to provide assurance on these risks are shown in Annex 1. Annex 2 shows those topics that we are planning to audit together with an illustrative list of topics that we are not planning to audit based upon the existing level of resources. Demonstrating the assurances planned on each strategic risk and being transparent about auditable topics that cannot be audited are key requirements of internal audit professional standards. In developing the list of planned topics we have taken into account existing management processes and oversight by support functions such as Finance, HR and Legal. This approach will be further refined in future plans.

There will inevitably be circumstances where the Internal Audit and Insurance Manager will have to amend the programme, e.g. when risks change or a specific project becomes a matter of priority. There may be cases where individual lower priority audits have to be rescheduled because of competing priorities. In year changes to the plan to reflect such changes are accepted as best practice. The plan will therefore be continually reviewed throughout the year to ensure it remains relevant and changes reported to the Audit and Standards Committee and discussed at the regular liaison meetings with the Executive Director and S151 Officer.

We adopt a pro-active approach to new initiatives and systems changes. This is because it is more constructive for us to advise on design of processes during the currency of a change project rather than identify problems after the event when often it is too late to make a difference. Our general approach on new systems/initiatives is therefore to:-

provide advice on the design of processes and controls; and


undertake, shortly after the new processes become live, an audit to provide assurance that operation of the revised / new system is sound.

The Council is fortunate in not having a large number of irregularities. Specific provision has therefore not been included in the plan for investigations. Should an investigation be required, it will replace a planned job unless the Council commissions extra days. Note that the service is not responsible for investigating fraudulent benefit claims.

Although internal auditors consider value-for-money issues where relevant during risk based audits, specific value-for-money audits are not usually undertaken and none have been included in this year’s plan.

Quality Assurance and Improvement Programme

The PSIAS require the Internal Audit and Insurance Manager to develop and maintain a quality assurance and improvement programme (QAIP) covering all aspects of the internal audit activity.

The QAIP includes internal assessments, periodic self-assessments and external assessments. It is designed not only to assess the efficiency and effectiveness of Internal Audits, but also to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the PSIAS and an evaluation of whether internal auditors apply the Code of Ethics. As part of this we have an Audit Manual based on accepted professional practice which, as well as being compliant with PSIAS, builds quality into every stage of the audit process. A summary of the QAIP is shown in Annex 3.

Garry Rollason, Internal Audit and Insurance Manager

David Ashley, Engagement Manager

March 2019


Annex 1

Strategic Risks

| Risk | Net Risk Score | Summary of past internal audit coverage | Responsible Manager | Planned Assignments |
|---|---|---|---|---|
| Financial Sustainability | 12 | Strategic, financial & business planning (Budget Process): 2017/18 – Substantial. Procurement: 2018/19 – In progress. Contract Management: 2018/19 – Substantial (Draft). Debtors: 2018/19 – Moderate. Creditors: 2018/19 – Substantial. | Executive Director and S151 Officer | Strategic, financial & business planning. Procurement. Insurance. Economic Growth inc. Capital Expenditure. Bank Rec. Payroll. Treasury Management. |
| Welfare reforms combined with planned reductions/budget pressures in social care, health and community safety provision by other agencies impact on the most vulnerable members of the Community. | 6 | Homelessness: 2016/17 – Moderate. Empty Homes: 2016/17 – Moderate. Community Safety: 2018/19 – Full. CCTV: 2018/19 – Substantial. Surveillance Devices: 2018/19 – Moderate. | Head of ICT and Revenues / Head of Planning and Housing | Homelessness and Temporary Accommodation |
| Unable to optimise economic growth in the District. | 9 | Economic development & tourism: 2017/18 – Substantial. | Executive Director and Head of Paid Service | Economic Growth inc. Capital Expenditure |
| Inability to progress the Core Strategy and future updates which meet statutory targets and assessed infrastructure needs, including affordable housing. | 12 | Core Strategy: 2015/16 – No opinion. Planning (Development Control): 2017/18 – Substantial; 2018/19 – CIL In progress. | Executive Director and Head of Paid Service | New Land Charges System. Building Control. |
| Safeguarding Children and Vulnerable Adults - inability to take action to avoid abuse, injury or death. | 8 | Safeguarding: 2016/17 – Substantial. Licensing: 2017/18 – Moderate. | Executive Director and Head of Paid Service | Safeguarding. |
| Inability to respond to an Emergency facing our communities | 8 | Emergency Planning: 2017/18 – Moderate. | Head of Planning and Housing | |
| Inability to maintain services following an event | 8 | Business Continuity: 2015/16 – Limited; 2017/18 – Limited; 2018/19 – Substantial. IT Disaster Recovery: 2018/19 – In Progress. | Head of ICT and Revenues | |
| Failure to meet the Health & Wellbeing needs of residents | 6 | Health and wellbeing: 2014/15 – Substantial. Environmental Health: 2018/19 – Substantial (Draft). | Executive Director and s151 Officer | |
| Gaps in statutory compliance and/or operational weaknesses in Information Governance | 8 | Information Governance: 2014/15 – Substantial. Information Governance (GDPR): 2018/19 – In Progress. IT – Remote access and mobile devices: 2018/19 – Substantial (Draft). | Head of Governance and Democracy and Monitoring Officer | |
| An exceptionally high turnover of elected members as a result of full Council Elections in May 2019 | 6 | | Head of Governance and Democracy and Monitoring Officer | Corporate Governance |
| Delays in fully implementing a new Land Charges system and implementing required changes | 12 | | Head of Governance and Democracy and Monitoring Officer | New Land Charges System |

Annex 2

Workplan 2019/2020

1. Planned Work

| Service | Topic | Potential control / governance issue | Proposed Audit Coverage | Indicative timing (Qtr) |
|---|---|---|---|---|
| Executive Director and Head of Paid Service | Strategic, financial & business planning | Overall financial position for local authorities over the medium term is uncertain. Robust process needed to identify costs and benefits of proposals. | Review of arrangements, including: Governance; Monitoring of delivery against planned savings targets; Reporting arrangements. Advice during the year on specific projects. | 3 |
| | Corporate Governance | Sound corporate governance processes underpin the Council’s ability to deliver quality services. | Review progress against action plan from peer review. | 3 |
| | Safeguarding | Inability to take action to avoid abuse, injury or death of children and vulnerable adults. | Review arrangements, including: Governance; Pre-employment checks; Roles and responsibilities; Training. | 2 |
| | Economic Growth inc. Capital Expenditure | Significant corporate risk and additional capital funding approved. | Monitor implementation of agreed strategies and use of additional funding, including adherence to any conditions imposed. | 2 |
| Executive Director and S151 Officer | Insurance | Ensure that the Council is adequately protected. | Review arrangements, including: Contracting arrangements; Claims processing; Appropriateness of cover and deductibles. | 2 |
| | Payroll | New system implemented during 2018. Key financial system. | Assurance that new system and processes are now embedded and operating efficiently and effectively. Scope limited to controls operated by the Council, including: New starters and leavers are processed promptly and accurately; Access controls; Monitoring; Validation of data and exception reporting; BACS processes. | 2 |
| | Treasury Management | Major financial process involving significant sums. Cipfa have issued a code of practice on Treasury Management. Optimum returns are obtained consistent with risk appetite. | Assurance on arrangements to manage the Council’s cash flow and the related risks, including: Monitoring of cash flow; Compliance with codes of practice; Overall governance arrangements and ensure accuracy of information. | 2 |
| | Bank Reconciliation | New system developed in-house scheduled to go live in April. Key financial system. | Assurance that system and processes are embedded and operating efficiently and effectively, including: Promptness, accuracy and completeness of reconciliations; Management oversight. | 3 |
| | Procurement | Key corporate process. Robust process essential to deliver value for money. | Assurance that issues identified in previous audit have been satisfactorily addressed and changes are embedded and procurement processes are now operating efficiently and effectively. | 4 |
| Governance and Democracy | Land Charges | Significant change to a high profile system. Issues with implementing the new system. | Assurance that new system and processes are embedded and operating efficiently and effectively, including security model, speed of response to requests. Ongoing advice on risk and control implications of the changed processes. | 3 |
| ICT and Revenues | Council Tax | Key revenue system. | Review arrangements, including: Reduction scheme; Income collection; Appeals; Refunds; Write-offs. | 1 |
| | IT Audits | Various. | | 1 - 4 |
| Planning and Housing | Homelessness and Temporary Accommodation | Significant reactive expenditure incurred over previous years. | Review arrangements with Bed and Breakfast establishments and Orbit Housing Association to meet statutory obligations. | 1 |
| Technical and Community Services | Grounds Maintenance Contract | Key revenue contract. | Review arrangements, including: Performance monitoring and reporting; Appropriate action is taken to address poor performance; Payments to contractor are only made in accordance with the contract. | 1 |
| | Building Control | Sound processes required to manage increased level of developments within the District. | Review arrangements, including: Income collection; Performance monitoring; Adherence to legislation and national guidance. | 1 |

In addition to the specific tasks outlined above a small allocation of time has been reserved for:

providing pro-active advice/consultancy on new initiatives and projects on the basis that this is a constructive and effective use of limited resources.

supporting the Executive Directors in discharging their overall responsibility for risk management.

completing 2018/19 audits which have not been finalised as at 31 March 2019.

This plan is indicative and may need changing should priorities / risks change following the scheduled Peer Review.


2. Illustration of auditable topics not planned for 2019/2020

In addition to the coverage of key risk areas discussed at Annex 1 the following medium and low risk topics are not planned for 2019/20. In prioritising these topics we have taken into account a range of factors including the results of previous audits, management requirements for assurance and links to strategic risks. Only audits completed in the last 4 years are shown.

| Topic | Priority | Last audited |
|---|---|---|
| Accounting / General ledger / feeder systems | M | 2015/16 Substantial |
| Business Continuity | M | 2018/19 In Progress |
| CCTV | M | 2018/19 Substantial |
| Contract Management | M | 2018/19 Substantial |
| Creditors (inc P Cards) | M | 2018/19 Substantial |
| Data centre security | M | |
| Economic Development & Tourism | M | 2017/18 Substantial |
| Elections | M | |
| Emergency Planning | M | 2017/18 Moderate |
| Environmental Health | M | 2018/19 Substantial |
| Freedom of information | M | 2017/18 Substantial |
| Gypsy & travellers | M | |
| Housing Benefits | M | 2017/18 Substantial |
| HR | M | 2017/18 Substantial |
| Information Governance | M | 2018/19 Substantial |
| IT – Disaster Recovery | M | 2018/19 In progress |
| IT - Remote Access & Mobile Devices | M | 2018/19 Moderate |
| Leisure | M | 2016/17 Substantial |
| Licensing | M | 2017/18 Moderate |
| NNDR | M | 2015/16 Substantial |
| Partnerships | M | |
| Payment card standards (PCIDSS) | M | 2016/17 Limited |
| Performance management | M | 2017/18 Substantial |
| Planning (Community Infrastructure Levy) | M | 2018/19 In Progress |
| Risk Management | M | 2018/19 Moderate |
| S.106 | M | 2016/17 Moderate |
| Surveillance Devices | M | 2018/19 Moderate |
| Vehicle Parking | M | 2018/19 In Progress |
| Waste | M | 2016/17 Substantial |
| Communications / media | L | |
| Community Safety | L | 2018/19 Full |
| Consultants | L | |
| Contact centre | L | |
| Corporate property | L | |
| Health & safety | L | |
| Investment management | L | |
| IT - Database security & administration | L | 2017/18 Substantial |
| IT - Development | L | 2015/16 Substantial |
| IT change management | L | 2014/15 Substantial |
| IT Software licensing | L | |
| IT - User access | L | |
| Learning, development & training | L | |
| Legal services | L | |
| Markets | L | |
| Members allowances | L | 2014/15 No Opinion Given |
| Pest control | L | |
| Programme / project management | L | 2015/16 Moderate |
| Streetscene | L | |
| VAT | L | |

Annex 3

QAIP