Ten questions for audit committees


Questions for the audit committee to ask of itself

1. How can we be a more effective Audit Committee?

The audit committee in local government plays a crucial role in assisting the council to fulfil its governance and oversight responsibilities.

The role of the audit committee is normally to seek assurance that the council’s financial reporting, internal controls, governance, and risk management are effective and can be relied upon by councillors and citizens. The audit committee is the committee of the council to which has been delegated the task of looking into such matters in detail. 

The audit committee is most effective when it is unencumbered by other tasks, such as scrutiny, ‘general purposes’ or standards. This gives the audit committee a role which does not involve it in policy-setting or decision-making and it therefore has a free hand to advise.

The audit committee is also independent and, as the matters it deals with are normally apolitical, it should rise above politics. The Chair of Audit needs to ensure that the committee is not used to make political points. 

The audit committee’s main support comes from the council’s auditors. The Chief Internal Auditor (or equivalent) is very often the senior officer who supports the audit committee, and it is of great importance to the audit committee that they have confidence in that individual and in the internal audit service they run. 

The audit committee should seek to ensure that internal audit has both the capacity and capability to operate as an independent appraisal function within the council and is independently reporting to the audit committee and administratively to the Chief Executive or Chief Finance Officer. 

The external auditors will invariably report primarily to the audit committee. Again, they should be seen as the audit committee’s ally, and vice versa.

The audit committee needs to ensure that it is properly briefed, and all of its members receive both the necessary induction and ongoing training to undertake the committee’s role. The papers the committee receives need to be relevant, readable, and timely and where matters need to be revisited regularly (such as on an annual cycle), the work programme should allow for this. 

To assess its effectiveness, the audit committee should review what it has accomplished and whether it has fulfilled its responsibilities annually or seek an external review. The results of the assessment, either conducted internally or externally, should be available in the annual report from the audit committee to Full Council. 

When considering its effectiveness, the committee could reflect on:

  1. the behaviours and qualities of its members e.g. are they objective, curious, and perceptive 
  2. whether the committee is covering all the topics included in its terms of reference 
  3. whether sufficient time is allocated in the meeting to allow discussion, question, and challenge in relation to the papers received
  4. the skills of its members - are there any skill gaps (e.g. finance, risk, corporate governance, audit etc)
  5. whether there are robust relationships with management, internal audit, and external audit
  6. whether the management information provided to the committee is relevant, readable, and timely e.g. provided in sufficient time to allow the papers to be read before the meeting.

One of the key starting points for such a review is to ensure that the audit committee’s Terms of Reference in the council’s constitution reflect the requirements for local authority audit committees as set out by the Chartered Institute of Public Finance and Accountancy (CIPFA). These articulate the role and responsibility of the audit committee.

The most effective audit committees operate as a team, which allows individual members to take different roles depending on their backgrounds, interests, or mode of thinking, and to understand the behaviours and qualities essential as a member of an audit committee. The chair takes a leadership role not just at meetings but between meetings and engages with member colleagues and officers to raise issues. 

2. What are we missing as an audit committee?

To understand what the audit committee may be missing, a good starting point would be to review the Terms of Reference to see whether the committee is conforming with these. For example:

  • Management should review the CIPFA guidance annually and bring to the attention of the audit committee any changes to the guidance.
  • Are all the matters listed in the committee’s Terms of Reference coming to the audit committee on a regular basis and at least annually? 
  • Are there regular discussions regarding the business-critical risks facing the council? Are all such risks presented on a frequent basis for discussion?
  • Are you clear as an audit committee as to what the issues are on which assurance is required, and who is providing the assurance e.g. internal audit, external audit, officers, external third parties in relation to the matters concerned? 
  • Is it clear which managers should be covering the financial reporting, or is it the responsibility of external audit? 
  • How can we ensure that any gaps we find are filled? 

This exercise may identify areas which should be in the Terms of Reference but are not. In this instance the committee might apply to full council to supplement its Terms of Reference accordingly. 

An expert facilitator, perhaps a former auditor or member of an audit committee, could help the audit committee to ‘map’ its activities against the Terms of Reference and guide the audit committee on such matters as appropriate frequency for consideration of key issues or levels of detail to be expected. The process is sometimes called ‘assurance mapping.’

The broader question – how can we know what we don’t know – is of course much more difficult to answer. It is not the role of an audit committee to have perfect oversight over everything, but to satisfy itself that the risk management processes and internal controls are in place and that the culture of the organisation enables an environment of transparency and visibility where things come to light and are dealt with appropriately.

The recruitment of independent (co-opted) members with specialist backgrounds in, say, accounting or risk management is strongly recommended as a way of supplementing the skills of the committee.

3. How do we get assurance for ourselves and others regarding governance, risk management, internal control, and the accuracy of financial reporting? 

Assurance can never be absolute: effective assurance seeks to conclude whether the audit evidence obtained is sufficient to reasonably conclude on the efficiency and effectiveness of an organisation's risk, governance, and internal control processes.

To auditors, ‘assurance’ has a technical meaning, albeit one that is discussed and debated. The Global Internal Audit Standards 2024 define assurance as:

‘A statement intended to increase the level of stakeholders’ confidence about an organisation’s governance, risk management, and control processes over an issue, condition, subject matter, or activity under review when compared to established criteria.’

The LGA definition, in its emerging Assurance and Improvement Framework for Local Government, states:

‘Assurance is information, evidence and evaluation of how local authorities are delivering their duties, functions and outcomes, which can be used to hold them to account and may give confidence.’

In other words, assurance is a matter of evidence, which is why it is important that an audit committee, not being in a position to collect much evidence of its own, can rely on its auditors. 

In everyday language, the word ‘reassurance’ is more commonly used. The Institute for Governance has this to say on the relationship between assurance and reassurance: 

‘Assurance is based on information, evidence, and triangulation. Reassurance is based on opinion, professional expertise, and trust. Boards should not purely be getting assurance nor reassurance but a balance.’ 

This suggests that where the evidence does not give assurance, an audit committee will look particularly to its responsible officers e.g. the Section 151 Officer and/or the Chief Executive for their expertise and will rely on the trust they have in those officers to re-establish assurance by taking appropriate action to address any non-compliance or lack of evidence. 

The idea of ‘triangulation’ is also important. Evidence from more than one source that something is working provides greater assurance than a single source. Contradictory evidence needs to be treated sceptically and looked into. 

To the elected members who form the bulk of local authority audit committees, and the independent co-opted (lay) members who support them, assurance and reassurance can be thought of in much more personal terms. While it is vital to look to the evidence provided by auditors (internal and external), only a consensus view of the audit committee can say whether they are assured and reassured. 

To this end, committee members need to apply a standard of ‘professional scepticism’ similar to that which auditors apply. Audit committee members should be on the look-out for things that fall short of expected standards:

  • Do managers answer questions fully and clearly, or is it waffle? 
  • Do managers respond to matters raised? 
  • Do they do what they say they will do to the stated timescale? 

The role of the audit committee is distinct from that of a scrutiny committee. The scrutiny committee looks at policies and delivery whilst the audit committee looks at systems and controls, but also the audit committee needs to maintain that sceptical mindset – we don’t know if it’s working if there is no evidence it is working.

Questions for the audit committee to ask of management

4. What is management doing to ensure there is an effective culture that promotes compliance with good governance which will lead to effective assurance?

Having asked this question of management, the types of responses that you should be receiving include:

Management is expected to participate in discussions with the audit committee and the head of internal audit and contribute to setting expectations in relation to the assurance internal audit provides relating to corporate governance. 

Management should be providing an assurance to the audit committee that the culture the council has is appropriate to enable it to serve its community and achieve its strategic objectives. Culture is broadly defined as being the shared attitudes, behaviours, principles, and values that drive action and purpose within the council and its people. Corporate culture is commonly referred to as being ‘the way things are done around here’ and impacts on the extent of compliance with good governance and controls. The way the council is led has an important bearing on its culture and it is important that a council’s leaders, political and managerial, model and exemplify the behaviour they expect from everyone else.

The audit committee should be questioning the assurance provided by management as to the authority’s culture and seeking evidence from management, via the results from, for example, quarterly staff surveys, that the culture is fit for purpose.

It is therefore vital that internal auditors work with senior management to monitor, assess, and provide independent assurance on the council’s culture.

Management should be able to provide answers to the following questions for the audit committee:

  • What is the council doing to set expectations in relation to behaviours which support good governance?
  • How is the council sustaining, enhancing, and maintaining the corporate culture? 
  • How is the council communicating and articulating the espoused culture, behaviours, and values? 
  • Has the culture been sufficiently defined by the council and have clear expectations been set?

The role of management and the chief executive in particular in spearheading the organisational culture is of particular importance and this requires checking, testing, and measuring, including use of staff surveys. 

Management should report to the audit committee that they have identified, managed, and mitigated principal risks. For example, there should be a risk register detailing the principal risks with details regarding the risk owners. The risk register should be presented to the committee by management and discussed, often being a standing item. 

Management should ensure that the council has a whistleblowing policy which reflects good practice, including overall responsibility at a senior level of management. Management should report to the audit committee on issues raised, how they have been addressed and the impact on the council’s culture, and the audit committee should consider whether to include any issues relating to whistleblowing in its report to Full Council. Audit committees should seek regular assurance from management that their councils are operating appropriate and effective whistleblowing practices.

5. How does management support and promote the role of audit (internal and external)? 

Management will agree appropriate performance indicators with the auditors, monitor the auditors’ performance and report to the audit committee on the performance of both the internal and external auditors, highlighting in particular any areas of concern regarding performance.

Management’s approach to audit directly influences the way audit is seen by the whole organisation; management can make or mar a culture of compliance by not taking audit seriously. Management should respond to internal and external audit recommendations, setting out the actions they need to take and their reasons if they decide not to action them. The audit committee should monitor to ensure this happens and seek explanations from management if action is not forthcoming. 

Internal audit will also use the risks the council is facing to inform its internal audit programme of work and its annual internal audit conclusion (opinion). Management should review the internal auditor’s audit plans, budget, and resources. All of these issues, however, should be subject to the audit committee’s approval. 

Many councils do not have internal audit professionals with the technical skills (e.g. cyber security, artificial intelligence) to meet the demands of the council, or they may not have a large enough internal audit function and/or budget to meet the internal audit-related needs of the council. As a result, management may outsource internal audit services to support specific areas of the internal audit function. 

Management should ensure that there are appropriate quality controls in relation to the outsourced function.

Management should brief the audit committee regarding the external auditor’s programme of work and confirm to the committee that all appropriate services within the council will support the work of the external auditors, providing any information / data they request.

Management should provide the audit committee with responses to the recommendations made by external audit. The committee will want to ensure that external audit’s views are treated seriously. Where management disagrees with the views of the external auditor, the audit committee should take its own view and not automatically side with one or the other.

6. How does management provide practical support to the audit committee in its work?

Management plays a crucial role in providing practical support to the audit committee. To help the committee stay focused and effective, a leading practice is to create a formal “responsibilities checklist and calendar” for the coming year, aligned with the audit committee’s terms of reference, as well as a strawman agenda for each audit committee meeting scheduled in the year ahead.

These are some ways in which management can effectively support the committee:

  • Knowledgeable and objective members
    • Knowledgeable and impartial committee members enable informed discussion. 
    • Management should have in place an appropriate induction / onboarding programme for new members and an ongoing training programme to build knowledge for existing members.
    • Onboarding should cover the basics of the role and function of the audit committee, and how to operate effectively as a committee. How much information a new audit committee member needs will, of course, vary depending on their knowledge about the council and the community it serves. Good practice would be for additional briefings to be offered with the chief risk officer, head of internal audit and external auditors to gather valuable information about the council. Other information should come in the form of reports on risk and other topics.
  • A focused agenda
    • The audit committee should be proactive in setting its agendas. While input and support from management and the internal and external auditors is essential, the audit committee should have final say. 
    • Well-prepared agendas lead to productive discussions. Management should collaborate with the committee chair to set clear agendas, prioritise items, and allocate sufficient time for discussions. This will include clearly showing those items where a decision is required, those items for information/noting (which should be kept to a minimum) and standing agenda items where there is no update.
    • Members of the audit committee should receive good quality papers, which provide the right amount of detail to be informative but not too much that members get lost in information that is not relevant.
  • Recognition and support
    • Management needs to acknowledge the audit committee’s importance and provide papers when requested within the time window agreed. 
    • Management of appropriate seniority with relevant roles (lead responsibility for governance, finance, and risk) should be attending audit committee regularly. The three corporate statutory officers (chief executive, chief finance officer (section 151 officer), and monitoring officer) should be fully engaged with the work of the committee.
    • Support from management enhances the committee’s influence. Management should publicly acknowledge the committee’s work, provide necessary resources, and actively engage with its members.

In summary, management’s active involvement, commitment, and provision of necessary resources are essential for the effective functioning of the audit committee.

Questions for the audit committee to ask of the council's auditors

7. What is internal audit’s role, scope, and mandate? How should internal audit be resourced (capacity and capability)? What is the relationship between the audit committee and internal audit?

In the new 2024 Global Internal Audit Standards (Domain III - Governing the internal audit function) there is a requirement for the head of internal audit to work closely with the audit committee to establish the internal audit function, position it independently, and oversee its performance. 

The internal audit function is only able to fulfil the purpose of internal auditing when the head of internal audit reports to the audit committee, is qualified, and is positioned at a level within the organisation that enables internal audit to discharge its services and responsibilities without interference.

The internal audit function receives its mandate from the audit committee. The mandate specifies the authority, role, and responsibilities of the internal audit function and is documented in the service’s charter. The internal audit function delivers the mandate by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, and control processes throughout the council, in every internal audit engagement, irrespective of the topic.

The audit committee, in conjunction with management, needs to ensure that internal audit has unrestricted access to data, records, information, personnel, and physical properties necessary to fulfil its terms of reference.

The audit committee needs to satisfy itself that the internal audit charter clearly documents the purpose of internal auditing, the commitment to adhering to the Global Internal Audit Standards, the independence and objectivity of the internal audit function and how this is delivered, the scope of internal audit work, the internal audit quality and assurance programme and its responsibility for delivery of the annual internal audit conclusion (opinion).

The scope of internal audit services, detailed in the internal audit charter, covers the entire breadth of the council for which the internal audit function is responsible for providing services. This may include all activities, assets, and personnel of the organisation or may be restricted to a subset according to geography or other division. The scope may specify the nature of internal audit services (for example, assurance only or assurance and advisory, focus on the financial area, compliance with laws and/or regulations). 

Audit committee oversight is essential to enable the overall effectiveness of the internal audit function. Achieving this requires collaborative and interactive communication between the audit committee and the head of internal audit as well as the audit committee’s support in ensuring the internal audit function has sufficient resources to fulfil the internal audit mandate.

A discussion of resources between the audit committee and the head of internal audit typically occurs at least annually in connection with presentation of the internal audit plan; having a quarterly discussion is a leading practice. 

8. How does internal audit set its audit plan? Is internal audit providing assurance around business-critical risks? Does it contain the internal audit topics you would expect to see?

The Institute of Internal Auditors (the professional body for the internal audit profession) has recently produced a new set of standards which state that the head of internal audit must create an internal audit plan that supports the achievement of the council’s objectives. 

The audit committee is responsible for approving the internal audit annual risk-based plan. To enable the committee to approve the plan it needs to satisfy itself that the internal audit plan is based on a documented assessment of the council’s strategies, objectives, and risks. The assessment must be performed at least annually.

The audit committee should review the risk register provided by management alongside the internal audit risk-based plan provided for approval and question any missing risks.

The audit committee as part of the approval process may, as appropriate, provide input to the plan e.g. considering if all the principal risks are being covered. If not, it will seek a response from internal audit as to why not. 

The internal audit plan should include evaluation of the council’s governance, risk management and control processes, and should consider coverage of information technology governance, fraud risk, the effectiveness of the council’s compliance and ethics programmes, and other high-risk areas. The plan also needs to be dynamic and updated in a timely way in response to changes in the council’s business, risks, operations, programmes, systems, controls, and culture.

The plan should ensure that all key risk areas are covered over a period of time, if not every year, then over a period of years. 

The internal audit team should be suitably resourced and skilled, and a workforce plan should be in place to show how suitable staff will be recruited and developed to meet the changing needs of the organisation and the changing risk environment within which it operates. 

The head of internal audit must discuss the internal audit plan, including significant interim changes, with the audit committee and management. The plan and significant changes to the plan must be approved by the audit committee.

The audit committee and management, in collaboration with the head of internal audit, should keep continuously apprised of the council’s risk management framework and of new and emerging risks as appropriate. This will include risk being a regular agenda item with management updating the risk register as appropriate. If the council’s environment is dynamic, for example there are issues around provision of services and financial stability, the internal audit plan may need to be updated as frequently as every six months, or even quarterly.

As the audit committee receives information regarding the business-critical risks associated with the delivery of the council’s objectives and services, it should compare the risks to the topics (risk areas) included on the internal audit plan. An opportunity to challenge either the internal audit plan or management’s risk registers then presents itself. For example, why is internal audit looking at a particular risk area if it isn’t included on the council’s risk register?

Management should be using its insights and knowledge to support the audit committee to carry out its direct responsibility for oversight of the external auditor. This would include evaluating the auditor’s performance, partner rotation, and reviewing external audit plans. 

9. How do we know we have an effective internal audit function? What is the feedback from management regarding internal audit? 

Audit committee oversight is essential to enable the overall effectiveness of the internal audit function. Achieving this principle requires collaborative and interactive communication between the audit committee and the head of internal audit as well as the audit committee’s support in ensuring the internal audit function obtains sufficient resources to fulfil the internal audit mandate. 

Public Sector Internal Audit Standards (‘PSIAS’) require the Head of Internal Audit to develop and maintain a quality assurance and improvement programme (QAIP) that covers all aspects of the internal audit activity, and which includes the Audit Committee’s direct review of the External Quality Assessment (EQA). Every five years, peers should externally and independently assess the internal audit function.

The head of internal audit must develop, implement, and maintain a quality assurance and improvement programme that covers all aspects of the internal audit function. The programme includes two types of assessments, external assessments and internal assessments. At least annually, the chief audit executive must communicate the results of the internal quality assessment to the audit committee and management. The results of the external quality assessments must be reported when completed.

The head of internal audit’s communications to the audit committee and management regarding the internal audit function’s quality assurance and improvement programme should include: 

  • The scope, frequency, and results of internal and external quality assessments 
  • Action plans that address deficiencies and opportunities for improvement, including timelines for completion. Actions should be agreed with the audit committee. 
  • Progress toward completing the agreed-upon actions. 

An assessment of the internal audit function’s quality may consider:

  • The level of contribution to the improvement of governance, risk management, and control processes. 
  • Productivity of internal audit staff (for example, planned hours compared to actual hours on projects or time used on audit projects compared to administrative time). 
  • Compliance with internal audit laws and/or regulations. 
  • Cost efficiency of the internal audit processes.
  • Strength of relationships with senior management and other key stakeholders.

A useful indicator of internal audit effectiveness may be the extent to which its recommendations are valued and acted upon by management.

The head of internal audit must develop and conduct internal assessments of the internal audit function’s conformance with standards and progress toward achievement of performance objectives. Internal assessments must be documented and included in the assessment conducted by an independent assessor as part of the council’s external quality assessment.

The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team. The requirement for an external quality assessment may also be met through a self-assessment with independent validation. The audit committee should consider the responsibilities and regulatory requirements of the internal audit function and the head of internal audit, as described in the internal audit terms of reference, when defining the scope of the external quality assessment.

Mechanisms commonly used for ongoing monitoring include feedback from internal audit stakeholders, including management, regarding the efficiency and effectiveness of the internal audit team. Feedback may be solicited immediately after the engagement or periodically (for example, semi-annually or annually) through survey tools or discussions between the chief audit executive and management. 

10. How should internal and external auditors work together to complement each other? Is the relationship effective? What are the 2-3 things we should be most worried about?

External auditors should not place absolute reliance upon evidence provided by the internal auditors. They should ensure they maintain their own independence, objectivity, and professional scepticism. However, the external auditor can choose to use evidence from the work of internal audit when conducting its own auditing work, if its planned testing covers relevant areas, and if an assessment of internal audit’s structure and quality control procedures indicates that it can be relied upon.

The head of internal audit and the partner responsible for external audit should ensure appropriate and regular communication and sharing of information.

In 2024, local authorities face a multitude of challenges that demand innovative solutions and strategic planning. The most pressing issues will vary for each authority, but the following will be relevant everywhere:

1. Financial constraints

Council budgets are under strain due to increasing demands for services and limited resources. Balancing fiscal responsibility with meeting community needs is an ongoing challenge.

2. Cybersecurity

Protecting sensitive data and critical infrastructure from cyber threats is paramount. Councils must invest in robust cybersecurity measures to safeguard against breaches and disruptions.

3. Digital transformation

The accelerated pace of technological advancement presents both opportunities and challenges for councils. Adopting digital tools and platforms is essential for improving service delivery, enhancing communication, and streamlining administrative processes. However, ensuring inclusivity in digital strategies is vital, bridging the digital divide and ensuring all residents can benefit from technology.

Funded by UK Government