Local Authority Internal Audit Forum

26 August  

Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the CEO comments in that capacity, the box is blank but outlined
  • Where the Chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised 

 

CEO comment

Thank you for joining this, the second Local Authority internal Audit Virtual Forum.

I would like to welcome our Chair for today, who is an elected member of the Institutes Council and Liz Sandwith, the Institutes Chief Professional Practices Advisor.

 

Chair's comments

On behalf of the Institute can I welcome you all to this second Local Authority Internal Audit Forum. This Forum only started over a month ago and already we have over 80 internal auditors representing councils across England, Scotland, Wales and Ireland.

Today we are looking at what internal audits stakeholders are going to be expecting as we emerge from COVID-19 and move into the recession and then look forward to the challenges around climate change.

We have three speakers today:

  1. A head of internal audit who will explore the challenges in meeting stakeholder expectations.
  2. A Section 151 Officer who will share with us what they as a key stakeholder of internal audit is expecting from them in the coming months.
  3. An audit committee chair who will also share with us their expectation of internal audit in the short, medium, and longer term.

The Institute has a range of content on the website available to members and non-members – guidance, research reports, position papers, on-line courses, and Internal Audit Codes of Practice.

The Institute is about to release a report on Risk Management – Risk in Focus 2021 – due to be launched on 22 September 2020. The subject of the next Forum will be risk management, we will look at the top 10 risks facing internal audit and organisations as detailed in the Risk in Focus 2021 report.

 
Speaker one

It is important not to get caught up in the politics, sticking to the facts and ensuring that those facts are discussed proportionality, correctly and scrutinised effectively.

Top takeaways from the 1st speaker

1. Engage with the chair of the audit committee on a regular basis. The chair has a very strong understanding of risk, control and internal audit and the value of internal audit to the organisation.

2. The head of internal audit has an independent reporting line to the CEO and the chair of the audit committee. Regular one-to-one meetings with the CEO take place to provide a flavour of what is happening, what the audit work is highlighting and how the delivery of the agreed internal audit plan is progressing.

3. Engagement with the chair of the audit committee takes place on a monthly basis in advance of the audit committee meeting, but with a clear understanding that there is an ad hoc arrangement for anything urgent to be discussed more frequently, as appropriate.

4. Engagement with leaders of the council eg to present the internal audit annual opinion (red opinion in the case of the speaker’s local authority). This was carried out through:

a. Ensuring that the CEO and the board had a clear understanding of what was coming and why, and the rationale supporting the opinion.

b. Meeting with the leaders of the council, taking them through the basis of the annual internal audit opinion for the year.

c. After engaging with the CEO, the board, and the leaders of the council, the opinion was then taken to the chair of the audit committee.

5. How did this help at the audit committee? The engagement prior to the audit committee was very effective. At the audit committee there were no surprises, the different political parties came together. The administration raised an amendment to the annual audit opinion requesting that the directors and the board and the CEO go away, and come back with a plan as to how they were going to improve the control environment, to move away from a red internal audit annual opinion in future years.

Because of that stakeholder engagement the administration essentially challenged themselves, and when it got to committee, members were all very much aligned. There was consensus in terms of political understanding of where the council needed to go to make improvements.

The feedback to the internal audit team in terms of stakeholder engagement was fantastic, the message was that there had been no surprises, internal audit had engaged with everyone that they needed to engage with. The opposition and the administration were all, in full political agreement and a fantastic outcome for the audit committee, demonstrating the value of stakeholder engagement.

6. What happened after this? The rebased annual internal audit plan will be going to the next audit committee. Conversations are starting to be held, one with the CEO – whilst managing independence and objectivity, providing the CEO a bit of a steer around some of the key things that he should be thinking about strategically, and things to help move the annual internal audit opinion away from a red opinion.

A meeting has been scheduled with the chair of the audit committee. This will be to confirm that the shape of  audit plan provides the right balance of assurance between COVID-19, BAU controls and a strategic element  around adaptation and renewal, as to the shape of what the council will look like as we emerge from COVID-19 and redesign our services. We are keen to see this done safely and in a controlled manner with risk considered as part of those strategic decisions.

Speaker two

Over the next three-month period

1. If they are not already happening, that all the normal processes of reporting are taking place eg the audit committee is meeting, it is receiving all the reports – that part of the structure is still there.

2. Revisions to the internal audit plan to cover practical issues such as tests that are unable to be completed because of remote working; internal audit visits that cannot take place or adaptations as work is being undertaken remotely etc.

3. There have been and probably will continue to be, two kinds of changes to risks relating to COVID-19, one set – new risks that relate to new activity eg giving out grants to businesses and potential fraud risks etc around this, and secondly changes to pre-existing risks on the risk register – due to additional work demands, possibly taking your eye off the ball or because processes are being operated differently, so in effect the controls that you think you have in place are not working properly.

Moving forward 6 – 12 months

1. Organisations will still be operating differently during this period. There will still be some pandemic response taking place. The impact on the economy will be seen more fully, eg the end of the furlough period and unemployment and in the same period Brexit as well. During this time, it would be helpful if internal audit challenges the areas that have been operating in an emergency mode with workarounds. People may carry on doing things in this way as things move forward unless a stop is put to it and audit will help to challenge this.

2. Assurance mapping or looking at gaps in controls will be really important. People may be forgiving now in these unusual times that things are not running as normal, but in the longer term, this won’t be acceptable from the point of view of the customer and the council.

In 18 months’ time

1. It will be much more difficult to understand the context that councils will be in within this timeframe. There could be continuing amounts of work in new areas such as social care. Flexibility will still be needed and one of the lessons that has been learnt through recent events is the speed of adaptation of processes to remote working.

2. It will probably be easier if everyone was either office based, or everyone was working remotely, somewhere in the middle is likely to bring some problems of its own. You can take an analogy from that and think about other things that the council is doing. Things won’t be back to normal and the audit plan will have to change to take account of this.

3. There may be a reorganisation of the council that involves different ways of working and working with different tiers, such as the NHS, if there is for example, mass vaccinations.

Risk 

In the longer term, keep discussing with stakeholders what they see as the main risks, and the reason for this. In uncertain times this is even more important, talking to many people will give you different opinions, and possibly a better idea of some of the probabilities of risks materialising. In a static environment everyone may agree on what the risks are, in a more dynamic environment they won’t necessarily agree, and the value of internal audit is in spotting the things that might be a problem. It is important that managers and heads of service understand that internal audit are trying to think about risk and that they have been listened to, the connection is important.

Speaker three

CIPFA quote (The Role of the HIA in public sector organisations 2019 – Principles 1 & 2)

"Internal audit heads should be expected to: champion best practice in governance, objectively assessing the adequacy and effectiveness of governance and management of risks and comment on responses to emerging risks and developments."

As a councillor and with an audit background that sums it up and it is something that you should remind yourself, and the audit committee about as you get sucked into BAU, you sometimes forget that.

Support - internal audit should not see themselves as an isolated unit, but it may feel like that for small teams. There is a need for support and as member of an audit committee and audit committee chair I see it as my role to provide that support.

Expectations - internal audit is a service for both management and the CEO and also for the audit committee members. What the audit committee does is hold internal audit to account as well as giving them visibility, backing up internal audit and holding managers to account to ensure findings are addressed.

Culture - is much more important than what is written in books and control manuals. We are struggling as an internal audit function in how to audit culture, how can internal audit help improve the culture, it is more than just saying all the boxes haven’t been ticked – this is an area we will come back to after COVID-19.

Managing risk - in the council this is a team effort. One of things that the audit committee would appreciate is more concise reporting and work is ongoing to achieve this. A similar exercise is going on for the risk registers to achieve more focus.

Looking forward

1. COVID-19 has brought a lot of change and this brings risk, in the 3-6 months I will be keen for management and more precisely internal audit to look at:

a. How good the IT systems and controls are on remote working.

b. Home working versus office working – have there been any other major changes in controls, what has been temporarily changed and the risks around this.

c. Reduced performance in areas where there are shortages of staff through illness or not being able to recruit.

d. Vendor risk (subcontractors) – do managers understand the small print in the contracts, what it means, why it matters and the risks associated with this.

e. The completeness of liabilities due to COVID-19, some contracts will have a different legal implication now, some of the things that seemed like BAU are not because of COVID-19.

f. Insurance - to provide an objective view, it seems that insurance for pandemic type risks and the knock-on effects may not be fit for purpose and might be worth looking at.

2. As an opposition councillor, how to keep up to date with what is going on in the council is important, I have meetings with several senior officers in the council, with COVID-19 this has made it more difficult. It is important for internal audit to do this as well, especially working remotely.

3. More use of data analytics looking for trends and patterns.

4. The development of process understanding, quite often internal audit has a better understanding of processes than management – this doesn’t seem to be reflected in what is coming through from internal audit who must be seeing it, so why aren’t they reporting it to management to improve or to the audit committee?

5. Reputational risk appears on a lot on the risk registers, but we don’t see much internal audit work in this area. The council has a good reputation with the public based on what they can see re COVID-19 but over the next 12-months what will be exposed will be important?

6. Debt management is an area I think internal audit should look at - councils are borrowing more and more money, so the liability side of the balance sheet is more and more important.

7. Opportunities – for internal audit to go through controls that have been in place for a long time and are no longer needed.

Institute's comments

Thank you very much for attending, there have been a lot of comments and questions in the chat box which is great to see.

Our next meeting will be on the 23rd September.

The Chair and I are keen to hear from you regarding topics for future session. We would like to create an agenda for the coming months so you can readily identify the must attend sessions from your personal perspective.

Thank you again for attending, and we hope you have a good evening ahead.

Any ideas or suggestions for what we might include in future agendas please contact Liz Sandwith (liz.sandwith@iia.org.uk)


Chat box comments

Speaker one

It would be good to get an idea about the nature of the COVID-19 audits that have been undertaken. 

  • I can share the link to the paper that went to audit committee in June that outlines our COVID-19 assurance. 

How will you balance providing help to the council in improving its controls against ensuring independence to provide assurance? 

  • I am always very clear in discussions that I am happy to provide guidance as a critical friend, but that decisions are absolutely for management to make, and that the outcomes of our audits are absolutely based on fact. I do feel that internal audit has a role to provide in terms of consultancy/advice, but that we need to be really clear with management where that line is.

How are you going to engage with officers about the BAU controls? 

  • Once the plan has been agreed, it is posted on our internal audit section of the council's intranet, and we also attend directorate risk and assurance committees to discuss progress with current audits and planned audits. We then prepare and send terms of reference that outline the planned scope of each of our audits. The real value added though is the face to face discussions with directors at their monthly risk and assurance committees. 

What were the barriers to completing your audit plan last year and what was the view of the audit committee on this? (or was the focus all on the red opinion?) 

  • It was essentially COVID-19 as we had circa 14 audits in progress when COVID-19 impacted. We made the decision to stop these audits to enable the council to focus on implementing their resilience activities. The majority of these audits will be completed as part of our 20/21 annual plan going to committee in September.
  • Link to Edinburgh Council Audit Committee Live webcast in August - annual internal audit opinion is item 8a https://edinburgh.public-i.tv/core/portal/webcast_interactive/502922 

For the organisations where I am head of internal audit I have continued to attend risk management committee meetings and have found this face to face contact to be very useful in terms of engaging with them about BAU controls. During the pandemic I have also been having monthly one to one meetings with each of the owners of strategic risks and again these have been very useful. 

Speaker three

Absolutely agree with the speaker’s comments re culture and managing risk.

Agree with the speaker re commentary on opportunities - a must for internal audit.