|
Internal Audit Plan 2024-25 |
|
|
|
|
|
|
|
|
|
|
|
South Hams District Council
Audit and Governance Committee
28 March 2024 |
||
|
|
||
|
Report to: |
Audit and Governance Committee |
||||||
|
Date: |
28 March 2024 |
||||||
|
Title: |
Proposed Internal Audit Plan for 2024-25 |
||||||
|
Portfolio Area: |
Cllr Julian Brazil – Leader of the Council |
||||||
|
Wards Affected: |
All |
||||||
|
Urgent Decision: |
N |
Approval and clearance obtained: |
Y |
||||
|
|
|
||||||
|
Author: |
Paul Middlemass |
Role: |
Audit Manager |
||||
|
Contact: |
Paul.Middlemass@devon.gov.uk 07736 155687 Tony.Rose@devon.gov.uk 01392 383000 |
||||||
|
Recommendations: It is recommended that: The proposed Internal Audit Plan for 2024-25 at Appendix A be approved.
|
1. Executive summary
1.1 The purpose of this report is to provide Members with the opportunity to review and comment upon the proposed internal audit plan for 2024/25.
1.2 The audit plan sets out the proposed audit resource allocated to each audit area, although the plan needs to remain flexible to respond to changing risks and priorities of the Authority given the significant changes across the public sector and the country.
2. Background
2.1 All principal Local Authorities, including South Hams District Council, are subject to the Accounts and Audit (England) Regulations 2015, which state:
“A relevant authority must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance”.
2.2 The Public Sector Internal Audit Standards require that the Head of Internal Audit must “establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals”. When completing these plans, the Head of Internal Audit should take account of the organisation’s risk management framework. The plan should be adjusted and reviewed, as necessary, in response to changes in the organisation’s business, risk, operations, programs, systems and controls. The plan must take account of the requirement to produce an internal audit opinion and assurance framework.
2.3 This audit plan has been drawn up, therefore, to enable an opinion to
be provided at the end of the 2024/25 year in accordance with the above
requirements.
2.4 Whilst South Hams District Council and West Devon Borough Council operate as two unique councils, services are delivered by one integrated organisation. To reflect those shared services working arrangements, the 2024/25 audit plan is presented as one combined plan. Where there are risks or issues that relate specifically to one council and not the other, the audit plan will be varied to include those areas of work as appropriate.
3. Outcomes/outputs
3.1 We have created a four-year plan to ensure all core council areas are periodically audited which we have discussed with management. More significant or important areas are audited more frequently in their period. The focus of the paper in this meeting is on the plan for the year 2024/25. Member input to the plan is useful to ensure that the audit plan will cover areas of most concern. That said, the plan will be reviewed and amended in year as required to reflect emerging issues.
4. Options available and consideration of risk
No alternative operation has been considered as the failure to develop a risk-based plan to determine the priorities of internal audit activity which is consistent with the priorities of the organisation would be contravene the Public Sector Internal Audit Standards and the Accounts and Audit Regulations 2015.
5. Proposed Way Forward
On agreement to the plan, we will undertake our audits while agreeing audit timing to ensure our work is delivered at the most appropriate time for the council.
6. Implications
|
Implications
|
Relevant |
Details and proposed measures to address |
|
Legal/Governance
|
Y |
The Accounts and Audit Regulations 2015 issued by the Secretary of State require every local authority to undertake an effective internal audit to evaluate the effectiveness of its risk management, control, and governance processes, considering public sector internal auditing standards. The work of the internal audit service assists the Council in maintaining high standards of public accountability and probity in the use of public funds. The service has a role in promoting robust service planning, performance monitoring and review throughout the organisation, together with ensuring compliance with the Council’s statutory obligations. |
|
Financial
|
Y |
There are no additional or new financial implications arising from this report. The cost of the internal audit team is in line with budget expectations. |
|
Risk |
Y |
The work of the internal audit service is an intrinsic element of the Council’s overall corporate governance, risk management and internal control framework. |
|
Supporting Corporate Strategy |
Y |
This plan and the work of Internal; Audit supports all the Council’s corporate strategy themes. |
|
Climate Change – Carbon / Biodiversity Impact |
Y |
None directly arising from this report. The Internal Audit function, managed by Devon Audit Partnership is mindful of the need to minimise travel in completing the internal audit plan. Where possible, desk-top review of documents, and the use of electronic records, is used to support the audit process, although it is inevitable that on-site verification may be required at times. The team use an audit management system (Ideagen) which enables managerial review to take place remotely, thus also saving the need for travel. |
|
Comprehensive Impact Assessment Implications
|
||
|
Equality and Diversity |
N |
There are no specific equality and diversity issues arising from this report. |
|
Safeguarding
|
N |
There are no specific safeguarding issues arising from this report. |
|
Community Safety, Crime and Disorder |
N |
There are no specific community safety, crime and disorder issues arising from this report. |
|
Health, Safety and Wellbeing |
N |
There are no specific health, safety and wellbeing issues arising from this report. |
|
Other implications |
N |
There are no other specific implications arising from this report. |
Supporting Information
Appendices:
Appendix A – Draft Internal Audit Plan for 2024-25
Background Papers:
None
Approval and clearance of report
|
Process checklist |
Completed |
|
Portfolio Holder briefed |
Yes |
|
SLT Rep briefed |
Yes |
|
Relevant Exec Director sign off (draft) |
Yes |
|
Data protection issues considered |
Yes |
|
If exempt information, public (part 1) report also drafted. (Committee/Scrutiny) |
N/A |
|
Internal Audit Plan 2024-25 |
|
|
|
|
|
|
|
|
|
|
|
South Hams District Council
Audit and Governance Committee
28 March 2024 |
||
|
|
||
|
Introduction Internal auditing is defined by the Public Sector Internal Audit Standards (PSIAS) which set out the requirements of a ‘Board’ and of ‘senior management’. For the purposes of the internal audit activity within the Council the role of the Board within the Standards is taken by the Council’s Audit and Governance Committee and senior management is the Council’s Leadership Team. This Council’s Internal Audit Charter formally describes the purpose, authority, and principal responsibilities of the Council’s Internal Audit Service, which is provided by the Devon Audit Partnership (DAP) as represented in the audit framework (at Appendix 2), and the scope of Internal Audit work. The PSIAS refer to the role of “Chief Audit Executive”. For the Council this role is fulfilled by the Head of Devon Audit Partnership. The Audit and Governance Committee, under its Terms of Reference contained in the Council’s Constitution, is required to review the Internal Audit Plan to provide assurance on the governance framework (see Appendix 3). The Chief Audit Executive is responsible for developing a risk-based plan which considers the organisation’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organisation as represented in Appendix 4. The audit plan represents the proposed internal audit activity for the year and an outline scope of coverage. At the start of each audit the scope is discussed and agreed with management with the view to providing Senior Management and members with assurance on the control framework to manage the risks identified. The plan will remain flexible, and any changes will be agreed formally with management and reported to Audit and Governance Committee. Expectations of the Audit and Governance Committee for this annual plan Members are requested to consider: · the annual governance framework requirements. · the basis of assessment of the audit work in the proposed plan. · the resources allocated to meet the plan. · proposed areas of internal audit coverage in 2024-25. Following consideration of the above, the Audit and Governance Committee are required to approve the proposed audit plan. Tony Rose Head of Audit Partnership
|
Contents |
|
Introduction |
|
|
Development of the Plan |
|
|
Audit Plan Summary
Fraud Prevention and Detection |
|
|
Partnership working with other auditors |
|
|
|
|
|
Appendices |
|
|
1 – Detailed audit plan 2 – Audit Framework |
|
|
3 – Annual Governance Framework |
|
|
4 – Audit Needs Assessment |
|
|
5 – Audit delivery Cycle |
|
|
6 – Sector Risk Model |
Development of the Internal Audit Plan
This year’s audit plan has been developed through discussions with Senior Management, and consideration of the Council’s risk register and plan. It is also informed by previous audit findings, and our awareness of current themes in Devon and elsewhere.
Within the plan, we have provided good coverage of Council Corporate risks, and current public sector risks (see Appendix 6). Audit coverage for the year is in the region of 426 days compared to 436 planned for 2023/24. To help identify future resource requirements and ensure good coverage of risk areas over the period we maintain an indicative four-year plan, but our focus for this meeting is to agree the audit days for 2023/24. The plan is a combined plan for South Hams and West Devon, but it indicates those audits relevant to each council only.
We have provided coverage of all Corporate Risks and include Follow Up audits for any Limited Assurance opinion audits provided in 2023/24.
Audit Plan Summary
Our audit plan at Appendix 1 is grouped into the different management areas as shown in this chart, with the number of days to be provided. The specific audits for each area are detailed in the plan. We also provide detail on when it was last audited, and the assurance opinion provided.
Within the management areas, we identify the following types of audits:
Key Financial Systems audits focused on the process and systems dealing with most of the Council’s income and expenditure and which have a significant impact on the reliability and accuracy of the annual accounts. These include Payroll, Creditors, Main Accounting System, Council Tax, Housing Benefit. This work will provide assurance that core controls continue to be effective despite the changing environment. We also undertake work to certify grants.
Risk based audits, particularly those relating to:
· Strategic Riskwhich has a significant impact on the council.
· Operational Risk which may impact on individual service areas.
|
|
|
We provide indicative days for each audit to show the expected time to complete the audit. However, actual time to deliver may vary depending on the findings, but also other factors such as ease of audit access. The timing of the audit will be agreed with the business area to ensure it does not impact on business operations. Most of the audits will be delivered by the two auditors directly employed by the council, who are managed by DAP. Some other audits will be undertaken using specialised DAP resource, such as for Cyber Security.
In accordance with the PSIAS, the plan is flexible, to reflect and respond to the changing risks and priorities of the Authority. As a result, it will be regularly reviewed and updated to ensure it remains valid and appropriate. As a minimum, the plan will be reviewed in six months’ time to ensure it continues to reflect the key risks and priorities.
Detailed terms of reference will be drawn up and agreed with management prior to the start of each assignment – in this way we can ensure that the key risks to the operation or function are considered during our review.
Appendices 1 to 5 provide more detail on the framework underpinning the internal audit plan.
Other Essential Activity
This includes areas such as Audit Management, support to the National Fraud Initiative and Grant work. During 2023/24, auditor resource continued to support additional Covid-19 business grant work above what was included in the plan resulting in the requirement to carry over work into 2024/25. We have estimated 20 days for this work.
We also include Audit Management in this area. This is work supporting effective and efficient audit services to the Council and ensuring the internal audit function continues to meet statutory responsibilities. In some instances, this work will result in a direct output (i.e., an audit report) but in other circumstances the output may simply be advice or guidance. It includes:
· Preparing the internal audit plan and monitoring implementation.
· Preparing and presenting monitoring reports to Leadership and the Audit and Governance Committee.
· Assistance with the Annual Governance Statement.
· Liaison with other inspection bodies such as External Audit.
· Financial Regulations Exemptions, and waivers.
· Corporate Governance - Internal Audit has become increasingly involved in corporate governance and strategic issues; this involvement is anticipated to continue.
Fraud is a recognised risk area for the public sector and effective counter fraud activity assists in the protection of public funds and accountability. Our Counter Fraud Service continues to support work by the council to identify its fraud risks and consider effectiveness of its controls. To support this the authority is encouraged to agree a separate plan of counter fraud work. An annual Counter Fraud Assessment is also provided by our Counter Fraud Manager.
Our Counter Fraud service also oversees investigations, instances of suspected fraud and irregularities referred to it by managers and can also carry out testing of systems considered most at risk to fraud. Our services will liaise with the Council to focus resource on identifying and preventing fraud before it happens. This work is informed by the Fraud Strategy for Local Government “Fighting Fraud Locally”, and the publication “Protecting the English Public Purse”. Additional guidance recently introduced by CIPFA, in their ‘Code of practice on managing the risk of fraud and corruption’, and the Home Office ‘UK Anti-Corruption Plan’, are also relevant.
We continue to work to develop effective partnership working arrangements between ourselves and other audit agencies where appropriate and beneficial. We participate in a range of internal audit networks, both locally and nationally, which provide for a beneficial exchange of information and practices. This often improves the effectiveness and efficiency of the audit process, through avoidance of instances of “re-inventing the wheel” in new areas of work which have been covered in other authorities. The most significant partnership working arrangement that we currently have with other auditors continues to be that with the Council’s external auditors, One West, and Audit Southwest (Internal Audit for NHS).
Appendix 1: SHWD Proposed Internal Audit Plan 2024-25
Appendix 3 - Annual Governance Framework Assurance
The
Annual Governance Statement provides assurance that:
o The Authority’s policies have been complied with in practice.
o high quality services are delivered efficiently and effectively.
o ethical standards are met.
o laws and regulations are complied with.
o processes are adhered to.
o performance statements are accurate.
The statement relates to the governance system as it is applied during the year for the accounts that it accompanies. It should:
· be prepared by senior management and signed by the Chief Executive.
· highlight significant events or developments in year.
· acknowledge the responsibility on management to ensure good governance.
· indicate the level of assurance systems and processes can provide.
· provide a narrative on the process followed to
ensure that governance arrangements remain effective.
This will include comment upon.
o The Authority.
o 
Audit
and Governance Committee.
o Risk Management.
o Internal Audit
o Other reviews / assurance
· Provide confirmation that the Authority complies with CIPFA’s recently revised International Framework – Good Governance in the Public Sector. If not, a statement is required stating how other arrangements provide the same level of assurance.
Appendix 4 - Audit
Needs Assessment
Our process to create the audit plan includes discussions with management, review of risk registers, consideration of previous work. We also consider the Audit Universe we maintain for the council. Ultimately, our requirement is to undertake a broad-based audit plan of work that supports provision of an end of year assurance report to support the council’s own governance statement.
The result is the
Internal Audit Plan set out earlier in this report.
|
December |
March |
June |
September |
December |
|
|
||||
|
Date |
Activity |
|
Dec / Feb |
Meetings with management to discuss the plan |
|
Mar |
Internal Audit Plan presented to Audit & Governance Committee |
|
Mar |
Internal Audit Governance Arrangements reviewed by Audit & Governance Committee |
|
Mar/Apr |
Year-end field work completed |
|
April |
Annual Performance reports written |
|
May / June
|
Annual Internal Audit Report presented to Audit & Governance Committee |
|
Apr to Mar |
Progress Reports presented to each Audit & Governance Committee |
|
Dec |
Internal Audit Plan preparation commences |
|
Tony Rose Head of Audit Partnership T 01392 383000 M 01752 306719 E Tony.D.Rose@devon.gov.uk |
Paul Middlemass Audit Manager M 07736 155 687 E Paul.Middlemass@devon.gov.uk |
Jo Mccormick Deputy Head of Audit Partnership T 01392 383000 M 07961650617 E Joanne.Mccormick@devon.gov.uk |
|
Julie Hopley Auditor: Tel: 01822 813376 E Julie.hopley@swdevon.gov.uk |
||
|
Matt Croughan Senior Auditor Tel: 01803 861416 E matthew.croughan@swdevon.gov.uk |
 |
Appendix 6 Sector Risk Model (European organisations polled by the Institute of Internal Auditors – Risk in Focus 2024)
Key Risk areas of organisations who responded:
Cyber security remains the number one concern for almost everyone.
Human Capital – staffing has become more important given shortages in professional and other manpower.
Changes in laws and regulations are also important although a slight reduction since last year.
Macroeconomic and geographical uncertainty has slightly reduced in importance.
Climate change has reduced as a key risk area.
