Purpose and mission
The purpose of Rochford District Council’s internal audit function is to provide independent, objective assurance and consulting services designed to add value and improve the Council’s operations. The mission of internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight. The internal audit function helps Rochford District Council accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.
Standards for the Professional Practice of Internal Auditing
To ensure that authorities make arrangements for the proper administration of their financial affairs, the Accounts and Audit (England) Regulations 2015 make statutory provision for a local authority to undertake an adequate and effective internal audit of its documents and records and of its system of internal control in accordance with proper internal audit practices.
These ‘proper internal audit practices’ are the Public Sector Internal Audit Standards (PSIAS).
The objectives of the PSIAS are to:
- define the nature of internal auditing in the UK public sector
- set basic principles for carrying out internal audit in the UK public sector
- establish a framework for providing internal audit services, which add value to the Council, leading to improved organisational processes and operations
- establish the basis for the evaluation of internal audit performance and to drive improvement planning
To meet the above objectives, the PSIAS requires the Council to have a documented and agreed Internal Audit Charter which in effect acts as the agreement between the Internal Audit service and the Council.
This Charter defines the following terminology contained within the PSIAS:
- the board as the Audit Committee
- senior management as the Leadership Team collectively and all Assistant Directors, the Section 151 Officer, the Managing Director and the Strategic Director individually
The Chief Audit Executive (CAE) is the person tasked with directly managing the Internal Audit function. This is currently an employee of another local authority engaged under a memorandum of understanding until 31 March 2023.
The CAE reports functionally to the Audit Committee and administratively (i.e. dayto-day operations) to the Assistant Director Resources (ADR) / S151 Officer.
To establish, maintain, and assure that Internal Audit has sufficient authority to fulfil its duties, the Audit Committee will:
- Approve the Internal Audit Charter.
- Approve the risk-based Internal Audit Annual Audit Plan.
- Receive communications from the CAE on internal Audit’s performance relative to its plan and other matters.
- Make appropriate inquiries of management and the CAE to determine whether there is inappropriate scope or resource limitations.
Financial Regulations provide Internal Audit with the right of access at any reasonable time to all records, documents and correspondence relating to any transactions of the Council, and to require any employees of the Council to produce cash, stores or any other Council property under their control. Internal Audit can also request explanations, as considered necessary, to confirm the correctness of any matter under examination.
The CAE has the right to direct and unrestricted access (i.e. outside of line management) to, and freedom to report in their own name and without fear of favour, to the following:
- Managing Director and Strategic Director
- Section 151 Officer
- Monitoring Officer
- Any other member of the Leadership Team
- Chair of the Audit Committee
Independence and objectivity
In order to preserve its objectivity and independence, Internal Audit will not assume operational responsibilities for, and will remain independent of, the activities it audits or reviews.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others. Auditors are required to have due regard to the standards expected within the “Seven Principles of Public Life”
Where the CAE has, or is expected to have, roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence or objectivity.
Internal Audit employees will ensure that they conduct work with due professional care and in line with the requirements of the PSIAS, having due regard to the Chartered Institute of Public Finance & Accountancy’s Local Government Application Note in this respect. Staff will also look to comply with the code of ethics for internal auditors and the core principles for internal audit.
In accordance with the Council’s Officer Code of Conduct, internal auditors must declare interests that can impact on objectivity. Implications of the Bribery Act must be considered, and auditors must not accept gifts, hospitality, inducements or other benefits other than those permitted by the Council’s Code, for which the appropriate registration of such items must be completed. Information obtained during the course of an audit engagement must not be used for personal gain by an internal auditor or made available to third parties unless specific authority is in place to do so.
To ensure objectivity, individual auditors will not be permitted to carry out audit work in areas where they have had operational responsibility within the same financial year or longer until a suitable period has elapsed as determined by the CAE.
Subject to available operational resources, audit engagements will be rotated within the Internal Audit Team to prevent over-familiarity and complacency that could influence objectivity and effectiveness. Potential for conflicts of interest or impairment to objectivity or independence will be considered as part of pre-audit work and documented as part of that work.
Scope of Internal Audit activities
The scope of Internal Audit includes all of the Council’s operations, resources, services and responsibilities in relation to other bodies. Where agreements allow, this includes all contractors and other bodies commissioned to deliver services on behalf of the Council.
The CAE also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The internal audit function may perform advisory and related client service activities, the nature and scope of which will be agreed with the client.
Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
Internal Audit may also provide consultancy services, such as advice and guidance on new design and implementation control, particularly through periods of organisational change. Consultancy services are advisory in nature and are generally performed at the specific request of the management, with the aim of improving governance, risk management and control and contributing to the annual audit opinion. During consultancy engagements, governance, risk management and control issues may be identified. Whenever these issues are significant to the Council, they will be communicated to senior management and the Audit Committee.
Any consultancy advice will be given without prejudice as to future coverage of, and opinion, on the relevant activity on which advice has been given.
The CAE is responsible for the preparation of a risk-based Annual Audit Plan and has overall responsibility for its management. The Audit Committee considers and approves (but does not direct) the proposed Annual Audit Plan. This means the Audit Committee can and should challenge whether the Plan is sufficient and adequately focused.
The CAE is responsible for ensuring that the resources available to internal audit are enough to meet its responsibilities and achieve its objectives. Resources can be either in-house staff or specialist external providers. If the CAE concludes resources are insufficient, he must formally report this to senior management and the Audit Committee.
Senior Management will review and comment on the Annual Audit Plan prior to it being presented to the Audit Committee for consideration and approval to ensure effective audit coverage of the key issues affecting their service areas.
Individual audit engagements will be undertaken in line with procedures maintained by Internal Audit to ensure consistency in structure and approach. The approach to testing must be appropriate and of sufficient size and intensity to draw valid conclusions. Working papers must be maintained to justify conclusions reached and enable another independent auditor to repeat the work and come to the same conclusion.
Where prior audit work has identified good controls and procedures and there have not been significant changes in those procedures or key personnel since the last engagement then the level of testing may be reduced, whilst ensuring the underlying controls are still in place.
In carrying out its duties Internal Audit will work constructively with management and staff. During an engagement, management and staff are required to co-operate fully with the auditors.
If significant control failings are identified in testing, this fact will be referred to the CAE and brought to the attention of relevant management during the engagement for immediate action.
All audit and consultancy outcomes will be fully discussed with operational management at the conclusion of an engagement. Management responses will be recorded and considered for the purposes of completing a final report of the engagement.
An Audit Report will be produced and presented to the relevant Assistant Director to obtain confirmation as to content and relevance. This will be done as soon as practicable after completion of field work. The report will contain recommendations to address any weaknesses in controls or procedures identified in the Audit Engagement. An action plan, confirmed by the relevant Assistant Director, with realistic dates for implementation will be agreed.
After the report and action plan, if applicable, has been agreed by the relevant Assistant Director, copies of the report will be issued for information to the Section 151 Officer, Directors and the relevant Portfolio Holder.
Management are responsible for responding formally to Internal Audit recommendations by both accepting and implementing the recommendations or formally reject them, explaining the reasons for so doing. If Internal Audit and management fail to reach agreement on issues or recommendations which Internal Audit consider to be of material importance, the final audit report will reflect the position of both and attention will be drawn specifically to these issues or recommendations in order that senior management and the Audit Committee may consider the options and give direction to an appropriate action.
For clarity, management, not Internal Audit, are responsible for establishing and maintaining a proper and effective control environment and for managing risk within their area of operations.
Internal Audit’s role in fraud, bribery and corruption
If evidence or suspicion of fraud, bribery or corruption is identified during an engagement the matter will be reported immediately to the ADR/ CAE / S151 Officer as appropriate without further reference to line management, for consideration and timely progression in line with the Council’s Anti-Fraud & Corruption Policy & Strategy.
If evidence of fraud, bribery or corruption is identified during an engagement the matter will be reported to the Audit Committee. Such updates will be provided in a private and confidential session as allowed by the local government legislation and written in a manner which protects the integrity of action taken or to be taken in connection with the prevention, investigation or prosecution of crime.
Audit procedures alone, even when performed with due professional care, cannot guarantee that fraud, bribery and corruption will be detected.
Line management bears primary responsibility for the prevention and detection of fraud, bribery and corruption. Internal Auditors will, however, be alert in all their work to risks and exposures that could allow fraud, bribery or corruption.
Quality assurance and improvement programme
Internal Audit will maintain a quality assurance and improvement programme that covers all aspects of internal audit activity. The programme will include an evaluation of the internal audit function’s conformance with the PSIAS and an evaluation of whether internal auditors apply The Institute of Internal Auditors’ Code of Ethics. The programme will also assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement.
The CAE will communicate to senior management and the Audit Committee on the quality assurance and improvement programme, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation.
An external assessment of the Internal Audit service was conducted in January 2018, the result of which was reported to the Audit Committee in May 2018, as part of the CAE’s Annual Report.