
Proposed Internal Audit Strategy & Plan 2019/20

Report of the County Treasurer


The County Treasurer set the context for the proposed Internal Audit Strategy and Plan 2019/20, which is presented to the Committee on an annual basis for approval.


There were three key features of the Plan. The first was risk, and the County Treasurer stated that it was his intention to ensure that the Council could evidence risk more obviously throughout the Council. The second was the use of data and automation. The development of continuous controls monitoring (CCM) presented an exciting dilemma in allowing greater accessibility. However, cyber security presented a threat and a balanced risk must be ensured. The third was communication of the Plan. Audit is an aid to management and the development of the Plan is based upon consultation with a number of senior officers. The proposed Plan had been agreed by all the Senior Leadership Team before being presented to the Committee. The aim was to make the Plan more user friendly and add value to the operations of the Council.


The interim Chief Internal Auditor explained that the Accounts and Audit (England) Regulations required authorities to have an “effective internal audit” and this was demonstrated through the establishment of a risk-based Internal Audit Plan.  The Plan was attached as Appendix A to the report.  The interim Chief Internal Auditor gave a presentation that set out how the plan had been prepared and the key highlights for the year ahead.


The aim of the presentation was to demonstrate to the Committee that a robust methodology (detailed in Appendix A of the Plan) had been adopted in formulating the Plan for 2019/20 and to reassure Members that the Plan focussed on the key risks facing the Council and achieved a balance between setting out the planned work for the year, but also retaining flexibility to respond to changing risks and priorities during the year.  The aim was also to provide assurance that there were sufficient resources within Internal Audit to deliver the Plan for 2019/20. 


The Internal Audit Strategy is a key governance document that comes to the Committee every year for endorsement. Summary details of the internal audit strategy; consultation arrangements in formulating the plan; the risk assessment process; the key principles applied, and audit resource requirements to deliver the Plan in 2019/20 were described. Fundamental to the Plan was consultation and the Audit Team consulted with Council managers in developing the Plan. The Plan is owned by the whole Council. Between January and March 2019 the Audit Managers consulted with over 60 officers within the Council on the contents of the Plan, including SLT, the Director of Corporate Services and the County Treasurer. All high risk rated audit reviews are generally included in the Plan. However, occasionally there were other high-risk audits that are not included in the Plan. In such cases, reliance is placed on alternative sources of assurance e.g. Peer Reviews, internal scrutiny or an inspectorate visit. The aim was not to duplicate assurance. As part of the Plan, the top risk audits were identified, and the aim was to give assurance over these along with financial management of the Council. A schools audit programme was also included based on a formal risk assessment process. Some time was also set aside for special investigations, counter fraud work and time for general contingency work, so that managers can approach the audit team at any time for help with project work or advice and guidance. For the year, 2100 days had been allocated for the County Council and 331 days for external clients. There had been a slight reduction on last year’s external client allocation of 30 days. This was because schools who became academies had the freedom to go out to other audit providers for audit work. The Internal Audit Team can access specialist support from larger internal audit firms if required to assist with resourcing the Audit Plan.


Attention was drawn to the Top Ten risk reviews detailed in the Plan on pages 71-86 of the agenda pack. New Audit areas added to the Plan this year were the People Strategy, and how this is being embedded in the Council, and the Care Commissioning Programme. The key financial audits 2019/20 were detailed in Appendix B to the Plan and the governance audits were detailed on pages 76-82 of the report. The team would also continue to monitor recommendations made in previous years. Of particular note was the item on Culture and Ethics. This piece of work will involve a review of Council policies to consider how the ‘Nolan Principles – 7 Principles of Public Life’ had been communicated; a review of the Code of Corporate Governance; the revised Scheme of Delegation; as previously mentioned the People Strategy and from last year, Assurance mapping. With reference to Assurance Mapping, this work is a continuation from last year. The Internal Audit Team had used the Three Lines of Defence Model in developing the assurance mapping process. The aim was to develop this for the Council to improve the Council’s understanding of processes/controls and risk management. This would be a lengthy and detailed piece of work that would begin this year focussing on the Council’s top ten risks and would be ongoing, liaising with the Interim Head of Audit and Financial Services to link in risk management.


The Counter Fraud Plan 2019/20 was detailed in Appendix C of the Strategy and Plan paper. 455 days had been assigned to this area during the year. This covered five main areas: Strategic Development; Creating an anti-fraud culture; prevent and deter; detection and investigations. Continuous Controls Monitoring (CCM) involved regular monitoring of the Council’s data for ‘red flags’ that may indicate fraud. Data analytical and file interrogation software had been procured to assist the Internal Audit Team as detailed in the report to the Committee in March 2019. It was anticipated that this would add value to the organisation by identifying ‘red flags’. Typical areas to review included expenses claims; purchasing cards; creditor payments, and mileage claims e.g. duplicate payments. Increased time had been assigned to CCM in 2019/20 following its successful implementation in 2018/19. This would help the Council achieve its objectives of improved efficiency; enhanced assurance; strengthening monitoring and providing valuable insight into trends. It was anticipated that once tests had been completed successfully, tools would be given to the second line of defence, management, so that they could do their own monitoring. Clear messages from the CCM programme will be communicated, as this will deter people from putting in fraudulent claims.


Cyber-attack, procurement fraud, bank mandate fraud, creditor payments fraud, direct payments fraud and payroll fraud were the top fraud risks currently faced by the Council. 


The Plan will be delivered by the in-house team with the facility to buy in additional time from private audit companies if required through the framework contract. There was a commitment to ‘grow our own’ with use of the Apprenticeship Levy.  This would involve two auditors being trained in 2019/20. 


During 2019/20 the team would continue to focus on key corporate/transformation projects; key financial systems and procurement and contract management audits such as Amey.  The emphasis would continue to be on flexibility to respond to emerging requests.  Several audits would touch upon the Council’s culture and ethical framework.  There would also be greater visibility and prominence over the assurance that was given relating to how the Council uses and manages its data.  A GDPR checklist would be completed as part of all relevant audit reviews commencing in 2019/20.


Other key highlights during 2019/20 were the counter fraud work; continued development of the CCM programme; and schools compliance work focused on high risk schools.  Our work is conducted in accordance with the Audit Charter and Public Sector Internal Audit Standards (PSIAS).  Throughout the year, there will be regular discussions with WLT on the audit programme, and the team will continue to embrace the ‘agile auditing’ approach, streamlining reporting in some cases, real-time recommendation tracking, identification of emerging risks and contingency time, as appropriate. 


In summing up, the Interim Chief Internal Auditor asked if Members were satisfied that a robust methodology had been adopted in formulating the Plan for 2019/20 and that they had been given comfort and assurance that the Plan was balanced and focussed on the key risks facing the Council; that the Plan achieved a balance between setting out the planned work for the year and retaining flexibility to respond to changing risks and priorities during the year; and finally, that there were sufficient resources within Internal Audit to deliver the Plan for 2019/20.


Members asked for further detail on the apprenticeships within Internal Audit.  The interim Chief Internal Auditor responded that they were attempting to access the Levy for two current members of staff; one junior member of staff and one member of staff who is part-qualified.  The application process had commenced, and it was hoped that staff would commence training at Birmingham University in September 2019.


Members asked for further details on the risk and possibility of bribery. The interim Head of Internal Audit responded that the Bribery Act 2010 placed responsibility on organisations to prevent bribery. Work had taken place on awareness raising and communication. The Council’s Fraud e-learning packages would be rolled out in a few weeks’ time and they emphasised the importance of the risk of bribery and, if bribery is suspected, who it should be reported to. All services should undertake a mini risk assessment for their staff that detailed the processes to prevent the risk of bribery.


Members asked if bribery happened frequently in the Council.  This is a theoretical risk and is not a frequent occurrence but there were areas where it could happen e.g. during procurement, and it was important that staff worked within a framework that evidenced what they should do if offered a bribe. 


Members asked with reference to drone software, what the Council’s policy was and how would the Team validate results.  Human intelligence was still needed to investigate, interpret the results and come up with a conclusion.  The Chairman noted that he was interested to hear how the management of risk had a higher profile in the Plan.  The County Treasurer responded that it was not about how Internal Audit would assess risks, but it was about making discussion about risks more commonplace and that normal performance arrangements should include the identification of risk and details of management activity to mitigate risk.  This represented a change in emphasis for the organisation.


RESOLVED: The Internal Audit Plan for 2019/20 was approved.
