Meeting documents

            Meeting: Audit Committee (County Hall, Durham - Committee Room 1B - 06/06/2008 09:00:00 AM)

                  Item: A3 The Work of Internal Audit in relation to Year Ended 31 March 2008

Report of the Head of Internal Audit and Risk Management

1. The purpose of this report is to give Members an insight into the work carried out by Internal Audit during the year ended 31st March 2008 and prior to the preparation of the Annual Governance Statement (AGS) (previously Statement on Internal Control), which forms an integral part of the Statement of Accounts.

2. In order to provide the signatories to the AGS, i.e. the Leader of the Council, Chief Executive and County Treasurer, with a degree of assurance on this matter, as the Head of Internal Audit, I am required to provide an independent opinion on the adequacy and effectiveness of the systems of internal control operating within the Council. In reaching my opinion, in paragraph 18, I have drawn upon both historic sources of assurance and Internal Audit’s review of the Council’s governance arrangements.

Background

3. Internal Audit is an assurance function that provides an independent and objective opinion to the Council on governance, control, and risk management by evaluating their effectiveness in helping to achieve the Council’s objectives. It objectively examines, evaluates, and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources.

4. The Internal Audit Charter which was approved by the Audit Committee on 10 December 2007 establishes and defines the role, authority, scope of work, organisational independence, resource requirements, and reporting lines of Internal Audit. To safeguard my independence, the Internal Audit Charter has formalised the route for me to report concerns to the County Treasurer, Chief Executive and Members, where necessary. The well established systems of control that are in place across the range of the Council’s functions have, over the years, obviated the need for me to use this route of direct access and it is pleasing to be able to report that 2007/08 has been no exception.

5. Managing the risk of fraud and corruption within the Council is the responsibility of the Chief Executive supported by the Acting Director of Corporate Services and County Treasurer, though internal auditors will be alert in all their work to risks and exposure that could allow fraud or corruption to occur. Arrangements are established to ensure that I am notified of all suspected or detected fraud, corruption, or impropriety which enables me to determine the most appropriate course of action. I use this information to inform the internal audit work programme.

The relationship between Internal and External Audit

6. Although internal and external audit have different roles and responsibilities there are areas of overlap in the work they are required to undertake. Under the Audit Commission’s Code of Audit Practice for external audit and the requirements of the International Standards on Auditing, external audit is required to place reliance on the work of Internal Audit where possible to support its conclusions. It is therefore imperative that the work of internal and external audit is co-ordinated through close co-operation. The existing protocol between internal and external audit has recently been reviewed to ensure the optimum use of both resources.

7. In accordance with the requirements of the Code of Practice on Local Authority accounting, this report outlines the level of assurance that Internal Audit is able to provide, based on the work completed during the year. The work during the year provides, where necessary:
· a statement on the effectiveness of the system on internal control in meeting the Authority’s objectives,
· details of major findings where action has not been taken.

8. It should be noted, however, that this assurance can never be absolute. The most that Internal Audit can do is to provide a reasonable assurance that there are no major weaknesses in the systems of internal control.

Areas reviewed in delivering the risk based 2007/08 Audit Plan

Systems and Regularity Audits.

9. The move from focusing on financial internal control to placing a greater emphasis on giving assurance on core areas of the business started in 2004/05 is now established. Resources are targeted at high level reviews of corporate governance arrangements as well as core financial systems such as income and debtors, creditors payments, payroll, budgetary control and financial reporting, and non financial systems work including risk management and partnership arrangements. Audit resources are finite, however, and in order to maintain coverage across all areas of review, planning is undertaken that ensures that no area of significant risk will be outstanding in excess of six years.

10. To facilitate this change in focus within schools, the move towards implementing control self-assessment has been extended, on a phased basis, from Secondary to Primary Schools. This complements the Department for Children, Schools and Families (DCSF) regulations that made achievement of the Financial Management Standard a compulsory requirement for Secondary Schools by March 2007 and Primary Schools by March 2010. Internal Audit has been recognised as an approved ‘External Assessor’ by the DCSF, and the results of audit compliance reviews enable the County Treasurer to produce an Assurance Statement for annual submission to the DCSF.

The Audit of Information Technology

11. The audit of IT is of crucial importance to the work of both internal and external auditors, as systems become increasingly IT based. Internal Audit continues to build upon its knowledge and skills base in what continues to be a growing area of change and has been recognised in a recent review by External Audit as being ‘unusually robust’. Examples of IT audits carried out during the year include reviews of Unix security, network management, Internet security, the process for backing up systems, IT purchasing / disposal arrangements, business continuity and the progress made in achieving compliance with international standards on information security. Internal Audit has also had a formal role to play in reviewing the implementation of the Oracle Financials system, which has a planned ‘go live’ date of October 2008.

Reporting Arrangements for Audit Work Undertaken

12. Internal Audit has defined its reporting arrangements within the Internal Audit Charter. Quarterly progress reporting to Members of the Audit Committee is central to ensuring transparency in the work of Internal Audit.

Reporting of key observations

13. Our work in this financial year has resulted in the issuing of 1,278 recommendations including 8 critical (fundamental control issues which could impact across the Authority and should be addressed immediately), and 295 of high priority (fundamental Service / Establishment control issues which should be addressed immediately). Follow up work in relation to the 1,095 recommendations agreed with Service Managers is progressing and we have now confirmed that 233 of these recommendations have been implemented.

Performance against targets in 2007/08

14. I reported in December 2007, the necessity to reduce the number of audit days by 746 to realign activities to resources. Internal Audit has delivered 1,463 productive audit days during 2007/08 equivalent to 98% of the revised total days planned. Of the 159 reports issued, 131 were delivered within fifteen working days, which at 82% falls short of our 90% internal target. Performance against the Internal Audit effectiveness targets is strong with 99.6% of recommendations being accepted. Analysis of the forty five customer satisfaction surveys returned in relation to work completed, rated the performance of Internal Audit across three review areas as good at 1.31 (very good = 1, good = 2, satisfactory =3, poor =4). A summary of work undertaken by Service is included for Members’ information as Appendix 2.

Review of Governance Arrangements

15. To assist the Council in assessing and developing its governance arrangements, Internal Audit review annually, in the lead up to the production of the AGS, the effectiveness of the main systems of internal control. In undertaking this review of the Council’s governance arrangements, Internal Audit is continuing to utilise a number of approaches;
· building upon work previously undertaken within the Council
· discussing governance issues, face to face, with Chief Officers and Managers from a range of service areas within the Council
· issuing questionnaires to Members and Officers
· placing reliance on work done within the Council by other internal and external sources of assurance.

16. Members may recall from the previous meeting of the Audit Committee on 13 March 2008 that the Corporate Risk Management Group (CRMG) has now assumed responsibility for both the progression of issues identified within the governance action plan and consideration, together with Internal Audit, of the content of future statements prepared.

Fraud and Irregularity Work

17. All fraud has to be reported to the Audit Commission and detailed reports are required for frauds in excess of £10,000. It is pleasing to report that there have been no such cases under investigation in 2007/08.

Opinion

18. The work of Internal Audit in the financial year 2007/08 has enabled me to conclude that the key financial systems continue to provide an adequate basis for effective control ensuring the efficient, effective, and economic operation of the Council’s affairs. With regard to the limited work that has been undertaken by Internal Audit in respect of the systems of non-financial control, no significant control weaknesses have been identified or brought to our attention by Senior Officers who have responsibility for these controls.

Conclusion

19. A primary role for Internal Audit is to assist the Treasurer in satisfying the Council’s statutory obligations under Section 151 of the Local Government Act 1972. In addition, it aids management by helping to ensure that adequate systems of internal control are in place and are complied with. Fulfilling this latter role depends very much upon the co-operation of Members and staff in all Services and I would like to extend my thanks to all colleagues for the continued assistance given to Internal Audit staff during the year.

Recommendations

20. Members are requested to note the report.

Local Government Reorganisation (Does the decision impact upon a future Unitary Council?) No Finance There are no direct financial implications arising for the Council as a result of this report, although we aim through our audit planning arrangements to review core systems in operation and ensure through our broad programme of work that the Council has made safe and efficient arrangements for the proper administration of its financial affairs. Staffing None Equality and Diversity None Accommodation None Crime and disorder None Sustainability None Human rights None Localities and Rurality None Young people None Consultation None Health None To view appendix 2, please refer to PDF attachment hard copies located in the Record Office or Corporate Services.