< Governance and Accountability

Non-statutory guidance

For internal audit at smaller authorities

Introduction

        1. A smaller authority is required by Regulation 5(1)of the Accounts and Audit Regulations 2015 to ‘undertake an effective internal audit to evaluate the effectiveness of its risk
          management, control and governance processes, taking into account public sector internal auditing standards or guidance.’
        2. The public sector internal audit standards, issued in 2013, have not been applied to smaller authorities. The information in this section of the Practitioners’ Guide is therefore the non- statutory ‘guidance’ referred to in Regulation 5(1), and needs to be taken into account by smaller authorities in undertaking an effective internal audit.
        3. Overview of internal audit

        4. Internal auditing is an independent, objective assurance activity designed to improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
        5. The purpose of internal audit is to review and report to the authority on whether its systems of financial and other internal controls over its activities and operating procedures are effective.
        6. The internal audit function must be independent from the management of the financial controls and procedures of the authority which are the subject of review. The person or persons carrying out internal audit must be competent to carry out the role in a way that meets the business needs of the authority. It is for each authority to decide, given its circumstances, what level of competency is appropriate, and to keep this issue under review.
        7. Internal audit is an on-going function, undertaken regularly throughout the financial year, to test the continuing existence and adequacy of the authority’s internal controls. It results in an annual assurance report to members designed to improve effectiveness and efficiency of the activities and operating procedures under the authority’s control. Managing the authority’s internal controls is a day-to-day function of the authority’s staff and management, and not the responsibility of internal audit.
        8. Internal audit does not involve the detailed inspection of all records and transactions of an authority in order to detect error or fraud.

        9. TOP

          Appointing an internal audit provider

        10. It is a matter for the authority to determine how best to meet the statutory requirement for internal audit, having regard to its business needs and circumstances.
        11. There are two key principles an authority should follow in sourcing an internal audit provider: independence and competence.
        12. Independence

        13. Independence requires the absence of any actual or perceived conflict of interest. It means that whoever carries out the internal audit role does not have any involvement in or responsibility for the financial decision making, management or control of the authority, or with the authority’s financial controls and procedures.
        14. It follows, for example, that the circumstances in which a member could demonstrate that they are sufficiently independent of the financial decision making and procedures of the authority are difficult to envisage. Such a member would need to exclude themselves entirely from key financial decisions by the authority in order to maintain their independence. Similarly, it would not be appropriate for any individual or firm appointed by the authority to assist with the authority’s accounting records, preparation of financial statements or the annual return, to be also appointed to undertake the internal audit function. Conflicts of interest must be avoided, such as in cases where an external provider of accounting software or services to the authority, also offers internal audit services through an associate company, firm or individual.

        15. TOP

          Competence

        16. There is no requirement for a person providing the internal audit role to be professionally qualified, but essential competencies to be sought from any internal audit service include:
          • understanding basic book-keeping and accounting processes;
          • understanding the role of internal audit in reviewing systems rather than undertaking detailed checks that are more appropriately the responsibility of management;
          • awareness of relevant risk management issues; and
          • understanding proper practices in relation to governance and accounting requirements within the legal framework and powers of smaller authorities.
        17. There are various ways for an authority to source an internal audit service, for example:
          • Appointing a local individual or a member of a panel of individuals administered by a local association or branch of NALC, SLCC or ADA. An individual will need to demonstrate adequate independence and competence to meet the needs of the authority.
          • Employing a competent internal auditor with sufficient organisational independence and status to undertake the role.
          • Purchasing an internal audit service from a principal local authority.
          • Purchasing an internal audit service from a local firm or specialist internal audit practice. The firm needs to have an understanding of the local government legal framework and a number of professional firms offer a service to public bodies, authorities and commercial companies. For the largest authorities a specialist contractor appointment may be appropriate.

          TOP

          Scope of internal audit

        18. It is a matter for the authority to determine the necessary scope and extent of its internal audit. When securing an internal audit service, the authority should make sure that it is proportionate to the needs, size and the circumstances of the authority.
        19. The work of internal audit should be subject to an engagement letter on first appointment by the authority, setting out the terms of the appointment. Engagement terms may include:
          • roles and responsibilities;
          • audit planning;
          • reporting requirements;
          • assurances around independence and competence;
          • access to information, members and officers;
          • period of engagement;
          • remuneration; and
          • any other matters required for the management of the engagement by the authority.
        20. Each authority should set out its key financial and other controls, usually in the form of standing orders and financial regulations. The smaller the authority, the less onerous these need to be. Similarly, the scope of internal audit at smaller authorities will be correspondingly less than at larger ones. The more complex the authority is or becomes, in terms of its organisation, range of services and number of employees the wider ranging the scope of internal audit may be.
        21. It is not possible to draw up a standard internal audit programme to cover all authorities. This is because the audit programme must address the particular needs of each authority.
          Internal audit’s function is to test and report to the authority on whether its specific system of internal control is adequate and working satisfactorily.

        22. TOP

          Annual internal audit report

        23. The duties of internal audit relate to reporting on the adequacy and effectiveness of an authority’s system of internal control. The minimum reporting requirement for internal audit to the smaller authority is met by completing the annual internal audit report on page 5 of the annual return. Internal audit may also report in greater detail to the authority as required.
        24. The annual internal audit report focuses on ten internal control objectives covering an authority’s key financial and accounting systems and concludes whether, in all significant respects, the internal control objectives were being achieved throughout the financial year to a standard adequate to meet the needs of the authority.
        25. The annual internal report will inform the authority’s response to assertions 2 and 6 in the annual governance statement.

        26. TOP

          Reviewing internal audit

        27. Authorities should from time to time carry out a review of the effectiveness of their overall internal audit arrangements. The review should take place at least once every three years and also in the year of any change of internal audit provider or responsible finance officer. Any review should balance the authority’s internal audit needs and usage. It should be designed to provide sufficient assurance for the authority that standards are being met and that the work of internal audit is effective. Authorities judge the extent and scope of the review by reference to their own individual circumstances.
        28. The review should be designed to assure the authority that it has maintained the standards of an adequate and effective internal audit of its risk management, control and governance processes. It should include, as a minimum, making an assessment of each of the following:
          • the scope of internal audit;
          • independence;
          • competence;
          • relationships with the clerk and the authority; and
          • audit planning and reporting.
        29. The review should be undertaken by the authority. It should not be undertaken by the external auditor or as part of the external auditor’s review of the annual return, nor can it be delegated to an officer. Clearly it cannot be undertaken by internal audit, although it is good practice to seek their involvement in the process. Authorities may wish to set up a small working party to carry out the review or utilise an existing committee. Whatever approach is followed, the results should be reported to a full meeting of the authority.
        30. There is no single approach to review of internal audit that will suit all authorities. Much will depend upon the size of the authority and arrangements it already has in place for conducting the wider review of its system of internal control and risk management generally. The areas described above in paragraph 4.23 will normally be the starting point, but the effectiveness of internal audit should not be judged solely by the extent of compliance with expected standards. The review is primarily about effectiveness, not process. In essence, the focus of this review should be on the quality of delivery of the internal audit service, i.e. reliable assurance about the authority’s internal controls and its management of risk.
        31. As with any review, it should be evidence based. Wherever possible this should be gathered throughout the year. Sources may include:
          • previous review and action plan;
          • annual report by internal audit;
          • periodic reports from internal audit, including internal audit plan, monitoring reports, and the results of any investigations;
          • any reports by the external auditor; and
          • the results of any other external reviews of internal control.
        32. If the review identifies any areas for development or change in internal audit, an action plan should be produced for the authority to manage the remedial process. The action plan should set out the areas of improvement required, any proposed remedial actions, the people responsible for delivering improvement, and the deadlines for completion of the actions.

        TOP

        < Governance and Accountability