Local Authority Internal Audit Virtual Forum

17 February 2021  

Please note:

• All Institute responses are boxed and highlighted blue
• Where the Chair comments in that capacity, the box is highlighted in yellow
• For confidentiality, the identities of all delegates/attendees are anonymised 

Key takeaways

Audit committee

• Audit committees must be apolitical in their values and behaviour – they must be objective – not focused on political point scoring.
• Ideally the chair should not be from the ruling party.
• Independence, as noted in the Redmond report, is important and there should be independent members on the audit committee.
• The audit committee chair position works best when the person doing the role is from within the council, due to the complexities of the role and understanding needed of wider issues (speakers own view see chat comments for further discussion).
• The chair has to be critical friend of both the HIA and S151 officer – meeting regularly in a relaxed manner with two-way trust.
• Independent members of the committee may have limited experience - within any council it’s reasonable to expect a proportion not to understand the dynamics/governance of the committee and so the role of the chair is to bring everyone together, to help the members understand the complexities sufficiently to enable them to contribute.
• The audit committee must be robust enough to challenge actions being taken. If officers raise a matter and say they will follow up on it in six months, the audit committee should be able to push back and request answers sooner. The audit committee is the last line of defence.

S151 officer

• Internal audit are the eyes and ears into the organisation as they have such a broad view.
• The internal audit ‘nose’ is imperative – the curiosity to pick up on trails is an important skill.
• I connect regularly with my HIA and we triangulate information and shake it around – it informs us in terms of both when things are going awry, where risks are emerging risks, and when controls are at risk.
• I need to know my HIA has the capability to prevent significant issues and stand their ground – grounded in evidence to enable them to rebuff tenacious challenge. The skill of the auditor is to keep going under pressure.
• I need my internal auditors to be experts at risk – processes and frameworks. It’s increasingly important to use risk to drive improvement and outcomes.
• Internal audit have a key role in auditing transformation, using their controls and process expertise to provide assurance when things are being ripped apart.
• Respectful relationships are the most important thing.
• I want to support internal audit to be independent and curious – the multiple reporting lines of the HIA don’t worry me it’s the basis of independence.

Internal audit

• Common practice in Ireland is to transfer non-professional administrative members into internal audit.
• An NOAC report in 2019 found that internal auditors should operate in line with IIA Standards and be professionally qualified – some councils are still progressing this.
• The HIA reports to the chief executive and, administratively, to either a member of the management team, head of finance or director of corporate affairs.
• The audit committee has an independent chair, with three external apolitical experts in addition to internal members.
• To maintain independence, and confirm with the IIA Standards, audit work in areas where individuals have previously worked is not undertaken for twelve months.
• HIAs collaborate with their local government auditor (financial auditing) to produce a plan of work and follow up on recommendations made from the formal audit.
• Despite having a reporting line to the head of finance, I can still provide limited assurance without conflict or compromise – the relationship ensures that the report is seen as a means of effecting productive and valuable change.
• Internal audit review systems under design to provide advice, not make decisions, so there is no compromise for future assurance.
• HIAs need to comply with statutory and internal reporting and internal audit needs to be strong, adequately resourced, appropriately qualified, independent and objective.

Q&A and chat box comments 

• Interestingly, the Welsh Government has just introduced a requirement for all council audit committee chairs to be lay members.
• It's the same position in Ireland, the Chairperson must be an external member.
• Interesting point about the Audit Committee chair not being an independent. Having an independent chair has worked well for my district councils.
• If the chair of the audit committee isn't independent, is there not a risk of the objectivity being compromised if the chair's area is being audited?
• Our Councillors have difficulty navigating the complexity of Council business, so goodness knows how someone from outside could handle it! It implies audit is wholly objective/mechanical whereas internal audit is sometimes very tailored to their organisation?
• I agree - our organisations have many service lines, many service directives, and many income lines - it is not a normal business and is hugely complex.
• I work across two councils and IJBs (integration joint boards) to share internal audit services. My experience of a lay member, as Chair of an audit committee, is that it requires more officer support and information (above and beyond a Councillor who receives all committee reports), though it can be effective if the person has relevant skills and experience. My other Council has the Leader of the Opposition as Chair of the AC. We carry out an annual self-assessment of the Audit Committees to challenge any issues.
• Speaker: It is important that the Chair is a Councillor, as they're required to look at issues across the breadth of the council, rather than simply a narrow-blinkered view. Councillors do not have areas of responsibility; cabinet members have areas and cannot chair audit committees. A Councillor from the non-ruling party brings objectivity and the appointment is also less likely to be a ‘favour for services’ role which is always wrong.  

Q What do you feel is the most important work that audit departments should be undertaking now at the point we are at with Covid-19?

• We’ve had a heated debate on this that is still continuing.
• We are carrying significantly more risk than this time last year, all covid-related – NHS bulges are starting to impact community care – despite government funding it is hard to plan because this is one off funding against reduced revenue, the funding itself is a huge risk with respect to grant administration and actually spending the money. We need to discuss with internal audit how we mitigate these risks as financial and operational risks are heightened now.

Q Over the last year, some internal audit functions have been moved into the first or second line, do any delegates or the panel have experience of this?

• My audit team have continued in their delivery and actually increased and focused work as the risk landscape has changed over the last 12 months. This has all been assisted with good relationships between all the parties involved to allow audit to be agile and support the organisation in the right places.
• Oh my goodness - I couldn’t imagine having to re-direct the audit team!
• Our full audit team of four were reassigned to our Covid-19 Community Support Helpline for a period of 4 months last year. This obviously impacted on the delivery of our audit plan. We are all back to our substantive roles since July 2020 and have not experienced any difficulty in terms of independence and objectivity.

Q I was interested in your comment about using the risk management framework and risk management processes to drive outcomes. We are trying to evolve the processes that we use at my authority to achieve a similar end, so I would be interested in any really practical hints and tips you have to deliver that.

A Being a well-run organisation means that your performance management and risk management are absolutely key at driving the organisation. All you’re doing is managing your outcomes directly, the resources that are delivering those outcomes directly and your risk management framework is part of your assurance framework that you are delivering. So without that in place it can be difficult to make risk management more than a tick box exercise. In the absence of a systematic data-driven, performance driven approach, making sure people talk about risk all the time is one of the first things you can do. Be tenacious about the conversation, it’s not about adding risks to another piece of paper but doing something about them.