Local Authority Internal Audit Virtual Forum

12 January 2022


Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

CEO's welcome

Thank you for joining us. The topic for today is ‘Risk appetite and the annual audit plan’. The timing is particularly relevant as HIAs start to draft their annual internal audit opinion. The annual internal audit plan leads to the overall opinion which is the professional judgement of the HIA based primarily on the results of individual internal audit engagements, supported in some instances by incorporating other reliable assurance information. It is for a specific time interval determined by an organisation, most commonly a year. Risk appetite helps organisations establish a threshold of impacts they are willing and able to absorb in pursuit of objectives.


Chair's opening comments

Welcome to our Local Authority Forum.

Internal Auditors in Local authorities are at this time of the year turning our thoughts to planning for the next financial year. Different councils are at different stages of risk maturity, and we need to consider whether our council has defined what its risk appetite is. Risk appetite provides a framework which enables an organisation to make informed management decisions. By defining both optimal and tolerable positions, councils can clearly set out both the target and acceptable positions when pursuing their strategic objectives.

And, of course, all of our work throughout the year leads to an overall opinion in the AGS. The overall opinion is the Head of Audit’s opportunity to demonstrate the unique value of internal audit including its independence and objectivity.


Key takeaways

Holly Sykes, Cornwall Council

  • Public Sector has traditionally been risk averse, but to enable it to work more dynamically in an increasingly commercial environment, and ultimately be successful, it’s recognised that the public sector cannot be risk averse and needs to take more risk.
  • It is important to take a balanced approach to risk and opportunity in regard to the delivery of outcomes. Having a conscious and also dynamic approach to an organisations risk appetite can support informed decision making.
  • The role of internal audit in this journey is to consider the maturity of the organisation in regards to risk and therefore formulate a response.
  • Internal audit provides assurance on the effectiveness of risk management processes. On a regular basis, and evaluates the management and reporting of key risks.
  • Internal audit have a role to support the organisation in understanding what they do with risk management – we are the experts, and so can support our clients by deciphering their approach and enabling their understanding.
  • The role of internal audit feeds directly into the audit planning cycle.
  • The Head of Audit needs to consider the skills of their team – to balance the great experience of the team with the career progression and development of less experienced team members.
  • This year, I am launching an assurance certification process. I am asking senior officers to consider what assurances they have in place and where the assurance comes from. The results will then be slotted into the assurance map and, as the audit plan is developed, it will take into consideration the assurance map and where it would be appropriate for the effectiveness of assurance to be reviewed. The long-term impact of this work is that the internal audit plan is directed into the areas where it is most needed.
  • The assurance map is everyone’s business.
  • An overall opinion is mandatory in the public sector to inform and be part of the organisation’s annual governance statement, as detailed in the public sector internal audit standards (PIAS). It is therefore essential to have enough assurance to pull from, in order to reach this conclusion.
  • Risk appetite is intrinsically linked to the audit plan, which then links to opinion.

Chair's closing comments

Councils are on a journey regarding culture around risk management – we need to bridge the gap with those in our organisations who see risk management as an impediment to their day job, when in fact it is part of what they do on a day-to-day basis.


Institute's closing comments

A public sector event organised by the South West region will take place on 16th March.

The Audit and Risk awards are open and the closing date for nominations is 16th February.

Our next LA Forum meeting will take place on 23 February 2022 and will look at how ‘How to conduct a fraud risk assessment’. Details of all upcoming local authority forums can be found here.

Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith on email at liz.sandwith@iia.org.uk


Q&A

Q: You talked about target risk and assurances, your internal audit plan and your opinion, and your insurance certification project. Do you share all of those documents with your audit committee?
A: I do informal sessions, prior to the audit committee, which allows me to give them all the background briefing. I find that having informal sessions with them allows them to see all the things that are going on in the background.
Q: At our council, there is an implied risk appetite at the individual risk level as we have target scores. We don't currently have an organisational risk appetite. Do you think that there is value in an organisational risk appetite in addition?
A: It depends on how mature the different elements of the organisation are. However, the more granular target risks and the appetite at directorate level are more significant in terms of decision making.
Q: Risk appetite is something I've thought about for some time, but a difficulty for me is whether a large and complex authority can have one risk appetite? Children’s services would have a very different risk appetite to our commercial Team. I suspect we would need multiple appetites and that adds to the difficulty implementing something. At present, we have target scores for each risk.
A: Large complex councils may approach things on a directorate basis. However, it may be helpful to consider a more thematic approach. Having one appetite is a challenge and you do need to look at the different parts of the organisation and how they’re all working.Q: I'm comfortable with risk in relation to audit work, but I think management generally struggle to find value in risk management. And it shouldn't need an industry behind it to work!
A: There is a danger with risk management that it becomes its own special project which is why it could be helpful to push the assurance framework and how the assurance map fits in.Q: Can I ask how risk management is corporately managed? Where does it sit? Is that with internal audit? If so, how do you provide assurance on something that is internal to the team.......sort of auditing yourself? We have this issue and are currently wondering where it should sit.

A: In Cornwall Council’s audit committee, the risk manager will come and talk about risk so that the Head of Audit is there to talk about audit. The risk reporting line will also be different to the audit reporting line. Many organisations are resource strapped with these issues having to be managed as best it is possible.

Q: In the private sector, the 2nd line risk function would monitor the implementation of controls to bring a residual risk back in line with the relevant risk appetite, leaving internal audit to provide assurance over the operation of controls for high inherent risks (which are within appetite). Due to resource issues, I can't operate this model in local authority - does anyone have a well enough resourced risk team which actually performs a 2nd line role?

A: Many organisations and local authorities are going through resource cuts, so this aspect is very challenging. The assurance framework is very important because of this. It may put the onus back on to individual managers.

Q: Very interesting. We are trying to develop this more at our audit clients but have struggled with buy-in. Have you linked the assurance areas in your assurance map directly to risks in the corporate risk register or have you developed your own assurance areas?

A: It is based on the strategic risks and feeds back to the risk appetite and to the plan.

Q: As part of my work overseeing the AGS, I've previously asked Directors to identify what assurances they receive and how often...but rather informally....so 'll ask the question on everyone's lips....Can you please share your questionnaire?
A: Yes no problem. Here are instructions for how to complete the questionnaire and here is the corporate assurance form.

Q: A question regarding the assessment of risk management when it sits in internal audit. Our insurer’s agreed to a consultancy resource when they tendered, which we tapped into. We declare the conflict risk in our plan and annual report.

A: It depends on your budget if you bring in external consultants, but the concept is interesting.

Chat box comments:

  • We are trying to progress key risk indicators as a contribution to establishing what our risk appetite is at our council. We are also using target risk and then trigger levels to prompt further mitigations to bring back within tolerances. In effect, the tolerances represent our appetite for our key operational risks.
    Excellent presentation, thank you. The Government Finance Function have issued a Risk Appetite Guidance Note that echoes the points you have set out.
  • Thank you to the presenter for your useful insight. As a Risk Management Officer myself, I resonate with many of your experiences.
  • Risk management tends to be valuable where risk and controls are well articulated and clear link to objectives. Often you see local authority corporate risk registers articulate failed objectives/controls as the risks. I am, therefore, not surprised that people are not interested in it.
  • From my perspective as a Risk Management Officer, the perception of risk (particularly its value) has completely changed in light of the pandemic. Colleagues are now taking more risk-based decisions and risk management has really come to the forefront of the Council's work.
  • Our audit planning and reporting is at the control level now, which enables us to report on where risks are being well managed as well as those that aren't being well managed. These are all linked into the strategic risk register. This helps alleviate the cottage industry issue as all of the reporting is through one process.