What audits, reviews, advice, and support IA actually provide will be significantly influenced by the status and context of the council. The audit planning process will have determined that
Of increasing significance to authorities is their resilience, financially and organisationally. There is a legitimate role for IA to provide assurances regarding resilience, in how the MTFS has been created and managed, the robustness of the annual budgets, how savings and efficiencies are being delivered, the success of major transformational change programmes and the delivery of major projects. These of course will vary significantly between authorities, but it is increasingly important that IA is contributing to the achievement and success of the most corporately significant matters.
The relationship between IA and the S151 Officer is of particular importance. The audit of the core financial systems will appear in the audit plan every year in some form. This work aims to provide significant assurance to the S151 Officer and wider senior management team of the integrity and robustness of the control framework of the systems that handle large numbers of transactions and account for all the authority’s income and expenditure. Audit coverage of the core financial systems may well be established and captured in a specific audit strategy / approach. Such a strategy would also be discussed with the council’s external auditors.
The core financial systems typically cover:
- accounts payable / purchase to pay
- accounts receivable / income
- payroll (employee admin / organisational management)
- main accounting / budget management
- housing rents
- council tax
- Non-Domestic Rates
- housing benefits
- Treasury management
- fixed assets
- insurance.
Looking at the various Best Value and Peer Challenge reports or the Reports in the Public Interest issued by external auditors, there is a common theme of a general lack of effective ‘scrutiny’ and challenge. Whilst there are many opportunities for this to happen through normal management and executive arrangements, the reports raise a question regarding how IA was used. A highly effective IA cannot of course guarantee that major failings will be avoided, but it should make a significant impact in minimising the risk. This is of course predicated on the culture of the authority enabling IA and importantly listening to it.
Alongside the key areas of strategic activity, IA will undertake a range of other audits and reviews, and provide advice or consultancy support. The HoIA will ensure there is adequate provision for the management of the IA function itself, the actual planning process, reporting and liaising with management, attending and reporting to the audit committee, undertaking quality assurance work, and maintaining the Quality Assurance and Improvement Programme (QAIP) as required by the PSIAS.
The IA plan is also likely to contain reviews or independent input to major project boards and partnership arrangements. The governance of major projects, contracts, partnerships, collaborations, or joint ventures features regularly in critical external reports where costs may have gone out of control, governance over decision-making is weak or there is a critical delay in implementation that then undermines any benefits that were expected. This is another key space for IA. It is good practice for an experienced senior member of the IA Team, if not the HoIA, to be part of any major initiative of the authority. Having such a role should not fetter the independence of the auditor, but it should be clear from the outset what role they are performing. Having this formally captured in the relevant terms of reference is key, such that roles and responsibilities are not blurred, and true independent and objective advice, support and challenge can be given.
The integrity of IT systems is an increasing risk. The HoIA should have regular discussions with the Head of IT to keep abreast of changes in the IT infrastructure, such as moving systems to the cloud, new IT system procurements and enhancements, and the cyber resilience of the authority. Alongside the Head of IT, the HoIA should also have regular discussions with the council’s statutory Data Protection Officer. Their roles are in many ways similar, and any mutual assurance from their respective activities should be shared.
A growing area where IA may be able to give assurance is around the authority’s sustainability and environmental responsibilities and commitments, another area likely to feature on a strategic risk register. It is also probably only a matter of time before the public sector will be required to report on their ‘ESG’ (Environment, Social and Governance) responsibilities.
Furthermore, the way we all work has changed since the pandemic and has presented the need for councils to review and change policies, procedures, guidance, systems, and controls. It has certainly changed the processes of supervision and management. IA should be aware of those changes, indeed be consulted on them, and give assurance on their effectiveness and how they are being complied with.
In general terms, there is increased pressure on councils to take managed risks. IA can assist in advising where the risks are if policies are changed, for example allowing greater officer or member delegations and/or raising various thresholds. It is management’s responsibility to manage those risks.
There are also likely to be a myriad of smaller audits to deliver that ‘diagonal slice’ and for IA to have a periodic ‘presence’. For example, periodic audits will take place in remote sites like museums or other cultural sites where there may still be significant cash taken, valuable assets managed and where the public attend, introducing issues such as health and safety.
A good checklist for where IA coverage should be targeted would be the list of corporate objectives, key strategies, and major policy areas. Whether through a specific audit or providing advice through involvement in a ‘board’ or ‘steering group,’ there is likely to be great value that IA can provide.
Below is an example of an audit assurance approach to consider the broader perspective of a strategy:
- What is the ‘problem’ the strategy is seeking to address? What’s driving it?
- Is it articulated in a clear way and understood by appropriate staff/stakeholders, so there is a clear buy-in to it? How is it woven / linked into other working practices, policies, procedures and reporting?
- How is it being communicated, so everyone understands their duties, roles and responsibilities and contribution?
- What are the core ‘ingredients’ to make it successful - money, people, systems, data, contracts / 3rd parties, performance management, risk management, decision-making, governance, reporting, escalating, dependencies (e.g. on other strategies?), any fraud vulnerabilities?
- How is progress / delivery being monitored and reported? Are action plans effective and driving progress and accountability? How are Business Units being held to account for their input to the strategy?
- Is there a ‘board’ that oversees the strategy? How does this work? Is the strategy formally reviewed?
- What are the critical success factors / KPIs that will say ‘job done’? How will delivery / success be sustained longer-term?
- What will drive the next strategy?
Given the focus of IA work should be risk based, an area that requires independent assurance is the corporate risk management approach itself. If IA can rely on the effectiveness of the actual risk management process, then this will support the creation of an effective and appropriate IA plan.
One activity that IA should ideally not be involved in, however, is writing the Annual Governance Statement (AGS), which is a job for management. A more appropriate use of IA is to undertake an independent assessment of how the review of governance effectiveness has been undertaken, what issues and improvements have been identified, and whether effective actions have been identified and delivered.
Like all plans, the IA plan is prepared at a point in time and will change due to changed corporate priorities, staffing issues, urgent requests and planned jobs taking longer than anticipated. The IA plan needs to be constantly reviewed and adjusted. It is also common practice for the IA plan to contain a contingency of unallocated days to accommodate plan pressures without unduly impacting on the planned work. The level of contingency is normally between 5 and 10 per cent.
Any significant plan changes should be shared and discussed with senior management and the audit committee to give assurance that sufficient work will be completed to enable the HoIA to provide that annual opinion and report. Any material resource issues should be discussed as a matter of urgency with the S151 Officer.
Ultimately, the HoIA should be able to demonstrate the delivery of the plan and present the annual report to management and the audit committee that highlights the following:
- How coverage has aligned to the strategic risks, concerns, and issues of the Authority.
- The contribution to assurance in respect of the Authority’s governance framework and in support of the Annual Governance Statement.
- Coverage of the core financial systems in support of the S151 Officer and validation of grant claims (for example, government funded).
- Support to any major transformation programmes.
- Assurance on any changes to working styles and practices to ensure compliance and maintenance of effective controls.
- Assurance regarding the council’s partnership governance arrangements and environmental programme and commitments.
- Project governance and overall project and performance management including management of assets.
- Key areas of advice given, particularly in specialist areas like procurement, contracts, IT and project/programme management.
- Assurance work in respect of information governance and information management, support to the council’s Data Protection Officer, and the results of any specifically commissioned reviews.
The HoIA will have calculated the core ‘capacity’ of the IA Team in determining a total of ‘productive days,’ taking account of leave, provisions for training, sickness absence, corporate activities, recruitment, performance management, management / team meetings etc. The HoIA therefore has a number of days to deliver the IA plan.
The IA plan may contain those days allocated to specific pieces of work. This is always indicative, a guide for the HoIA to have a general sense of what is going to be achievable over the course of the plan period. It is the responsibility of the HoIA to deliver appropriate and sufficient assurances through pieces of audit work such that professional standards are met, and the authority receives an evidence-based and well-rounded assurance opinion. It is of course the responsibility of the HoIA to demonstrate that they have delivered the plan in as efficient and effective a way as possible.