Local Authority Internal Audit Virtual Forum

29 July 2020

Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the interim CEO comments in this capacity, the box is blank but outlined
  • Where the Chair comments in this capacity, the box is highlighted in yellow
  • Where the Regional Director comments in this capacity, the box is highlighted in heather
  • For confidentiality, the identities of all delegates/attendees are anonymised 

 

Interim CEO comment

Thank you for joining this inaugural Local Authority Virtual Forum.

I would like to welcome our Chair for today, who is a member of the Institutes Council.

 

Chair's comments

I have worked in the public sector for a long time and have wanted the Institute to increase its reach and level of engagement with internal auditors in local government. I am delighted that this forum has been established to reach out to heads of internal audit in these exceptional and testing times.

Sometimes I have found, being a head of audit can be quite a lonely job, so I am hoping that this forum will enable that to be less of a case, and a place where we can share our experiences, problems and solutions.

The landscape we audit and the means in which we audit have always changed in an organic manner, but sometimes, as recently, they change in rapid leaps. I am sure the effects of the COVID-19 pandemic will be felt for many years, that is before we consider a second wave or Brexit.

I am looking forward to hearing our guest speakers today, they are going to be sharing their experiences and challenges over the last several months along with the lessons they have learnt and how they see internal audit going forward.

 

Institute's comments

Thank you for joining us today, this forum is a new initiative from the Institute, and I hope that this is going to be just one of many more to come.

Our first speaker is going to share her experiences over the last 19 weeks, the lessons learnt what she is going to take forward into the ‘new normal’.

 
Speaker one

As lockdown approached my team were already mid-way through a restructure, implementing new audit software, completing audits for the year end, and planning the new year. As well as preparing for an audit committee meeting. The council more widely was implementing Oracle – so it was all change. Then lockdown came, everyone diverted to working from home, MS Teams software was rolled out nearly immediately and people were provisioned to ensure they could work successfully at home.

I deployed a few staff firstly to be trained ready to register deaths and secondly to support the logistics of the COVID-19 mortuary being set up. There was also a period of time where I supported the Coroners team, which was a huge eye opener and leveller – I was listening to discussions I had never thought I would experience, around mortuary capacity, body bags and body transport. This will stay with me for a long time. However, in experiencing this, it ensured that I had a sound understanding of the situation, the reality of the situation, and was therefore able to draw this into the audit planning.

The team restructure was completed, with interviews over Zoom, I did these at pace, as I appreciated that the team were already facing an emotional upheaval with the whole COVID-19 situation. No one was at risk of not having a job, but it was still a change. Year end was completed and the new plan was rolled out – however working closely with the S151 Officer and the chair of the audit committee – we decided to extend the years audit plan (2020/21) for a couple more months – so we will finish the plan June 2021 instead of April 2021, where two plans will cross over, but in fact this will focus the teams attention on having an agile and rolling plan and not being fixated around a year programme.

I introduced a COVID-19 related response audit and fraud plan within a few days of lockdown, embracing our continued use of continuous auditing and data analytics, driving us more and more to focus on the data. This has been brilliantly received as we have audited, but with little need to interact with officers during the peak of COVID-19, but still delivering some useful assurance work. I also have work on-going around decision making, the governance and a general post COVID-19 review. However, always bearing in mind that we had to be in a responsive state as a council, so the assurance is around what could we do differently next time, what can we celebrate and learn.

This whole event has forced us to be agile and embrace the concept in our own way but one that works for us as a team, and as a council, and it’s an area we will continue to learn more about and improve how we work.

We have adjusted to this new normal, and it is working, the team are so focused and driven to deliver excellent assurance work. Well-being has been at the forefront of my mind, and as a team we have rallied round and explored working arrangements and the team interactions to support everyone. We have had full team meetings over MS Teams where we have just talked about what we plan to do at the weekend etc. We have all taken the time to phone someone in the team we would not normal chat too, some have met up a for a few socially distanced walks. I myself have children that I have been home schooling, we as a family now have a RAG rating in place around meetings – so they know which ones they can pop in on or those that they definitely cannot. We have had one audit committee virtually, with the next one tomorrow. I find the concept of being live streamed on YouTube a little nerve wracking, and I tell the family this is most definitely a ‘RED’ meeting. However, this is the new normal, where your child popping in on a meeting to ask about their maths homework is usually ok!

As a team we have also taken the opportunity to revise our methodology, consider our strategy, and build our assurance map. The future is looking bright for the team, but we have to think about working in a more efficient and effective way, providing the right assurance. It has been hard, and all my team have worked flat out, but we have learnt a lot. My relationship with the S151 Officer has developed, as she was fairly new in post at the start of lockdown, I now meet with her more frequently than I have ever done before. It’s also worth mentioning that forums like this have been fantastic for me and the team. Due to our location, we have often found it difficult to access CPD – due to distance, cost, and time but now the world has opened up to us!

In conclusion, this time has been a challenge, but I have found so many positives throughout. The key lessons are - think about the well-being of the team, embrace CPD and be agile around the audit work, engage with the key stakeholders, the S151 Officer and the chair of the audit committee with all the new mediums that we have. We need to work with the organisation as they change during this period, reflecting this in our audit plans. 

Institute's comments

A question in the chat box has asked about the number of staff in your team, could you share this to provide some context?

 
Speaker one

We have an internal audit team of eight and six within the fraud team. We are a fairly small team but an effective team they are all professionally qualified, a couple of apprentices who are qualifying – a diverse team from accountants to chartered auditors.

Speaker two

Like many others on this call, I have faced some interesting challenges over recent years, and I have learnt some lessons.

The pandemic has presented me with yet another situation that has caused me to question what internal audit is and what it is for. One key lesson I have already learnt is that when the going gets tough, internal audit gets out of the way. Like a few other services around the council, my emergency plan, quite formally was to redeploy the team in an emergency, and that is what I have done – all 15 staff have temporarily gone to operational roles. We did finish last year’s work. This was a very pragmatic response, and one the organisation required: whatever was set out in the emergency plan, we were asked by the corporate management team at a very early stage to pull back.

It is not just a pragmatic response, it can be justified in principle too. I am committed to internal audit and have spent half of my career doing little else, and firmly believe that it is an important element of good governance. But it is not operationally necessary. Any organisation clearly needs to know if the failure of a service, system or process will jeopardise its operation and its future, and there have been instances of corporate failure where internal audit has failed to give the warnings it should have. But I would argue that the threats and potential failures arising from something so all-encompassing as the coronavirus pandemic should be – and are – sufficiently visible without needing to be pointed out by internal audit.

I think that, in the face of such a significant emergency and unusual circumstances, we have to recognise that internal audit work must be set in the context of the organisation's capacity to be audited, and to respond to audit work. Internal audit's response must match the organisation's and reflect the degree of disruption it is facing.

Locally, I have pulled my team out, but in contrast the local university's internal audit team is continuing to work albeit differently – remotely – the management team has the capacity to support them to do that. Both organisations have had to deal with the significant impact of the pandemic on their own operations, and both seem to have done so very effectively, but the university has been fundamentally able to continue with its business as usual and the council has not, for now.

The council is right on the front line of public health, serves a multitude of vulnerable adults and children, and has experienced a decade in which its capacity has been hollowed-out by austerity, as well as some local difficulties.

At this point, since the start of the new internal audit year, it seems to be that the best thing for me to have done is back away and send my team in to help. I really do not think that there is anything I could tell the senior management team and leadership that they don't already know and have the capacity to address if they aren't doing so already. We finished last year’s work and then got out as soon as we could.

As things stabilise the team will return, and I have just agreed a significantly reduced audit plan for the year. I may need to rethink it yet again, but I think it will be achievable. The evidence I will need for this year is underpinned by two previous years of favourable assurance, substantial assurance over emergency planning, and an understanding that work is going on to recover a stable financial position.

The revised plan is built on the plan we had ready in March, with some new areas added and a lot stripped out. In a nutshell: what is left of the old plan? Finance controls and financial sustainability, business effectiveness (digital strategy, corporate performance). The bulk of the plan is on  safeguarding children and vulnerable adults and the local economic partnership.

What have I added? Decision-making, until recently the council and its committees had not met, and decision making has been very much devolved to individual officers and members of the cabinet. Performance management during the pandemic (deployment of staff and other resources to services during and after the crisis phase). Work around the use of our buildings and their new configuration; new funding flows in and out of the council; urgent procurement of PPE; support for schools and lessons learnt from the organisation's response to COVID-19. Plus: preparations to achieve an effective combined authority. 

Institute's comments

Particularly interested in your new audit plan and some of the things on there – decision making when perhaps decisions have been devolved down, perhaps people haven’t been familiar with making decisions before and are now suddenly in the area of having to make decisions so that is understandable; the procurement of PPE, schools and safeguarding.

One of the questions that has come through from the Heads of Internal Virtual Forum has been on the annual internal audit opinion. Will your audit committee be expecting an opinion of 12 months or over a shorter period, in terms of the delivery of the plan, or how will that work when you get to the end of March 2021?


Speaker two

I had recognised that I might need to reflect a restriction of scope, although the plan at the minute would not require that restriction. I am expecting to be able to report at the end of the year, this is the result for the 2020/21 audit year. I think that it is a valid point in terms of that there may be a restriction of scope, but I am not foreseeing that this will be an issue at the moment.

Speaker three

I have a total of 23 staff, in terms of internal audit and fraud. The experiences in my organisation is not dissimilar in terms of response to those of the previous two speakers. For us things moved quickly, we had an audit committee on 16th March 2020 where our 2020/21 draft audit plan was approved and then a week later – lockdown.

I took a decision to stop audit activity for 2019/20 and also took the decision, that was communicated to the audit committee to suspend the 2020/21 audit plan to give management the space to deal with the crisis. The plan was then revised and taken to the audit committee at the end of May 2020 to take account of the issues.

We were very conscious about the challenges for the council so made the decision to second some of our colleagues to go and support procurement and internal communications. These colleagues contributed so effectively that I had to fight to get them back, they are now all back within the internal audit function - their contributions were valued.

In terms of challenges most of us realise the need for truth and expertise to support decision making. If you consider the decisions, we are talking about in terms of doing the pre and post grant payments, that was a challenge for me. The business and control processes changed so quickly, the challenge was about the ability to support change in the business controls and also the need to ensure that you provide assurance on the adequacy and the stability of those frameworks.

Auditing and investigating remotely, where you were previously spending time with colleagues over a cup of tea, but now you are having to do an investigation over the phone and through Zoom is very challenging.

The phrase, ‘auditing at the speed of risk’ is interesting in that people will tell you problems they are having, they want a decision straightaway and don’t worry about having the evidence they just want to get a view. I think there is an issue in terms of how you engage with senior managers when they are busy trying to deliver emergency challenges.

Also adjusting to new ways of working, keeping your staff motivated, awareness around their mental health with some people struggling to work from home, after being used to working in an office environment with other people.

The technology nightmares, especially for the council members, those early Zoom committee meetings, were difficult, but we got there in the end.

The lessons for me -  I learnt that rather than audit committee members coming to me requesting information, I had to go to them with information that I thought they needed. Therefore, there could be something around increasing the membership, the number of lay members, seeing if we can have an independent chair of audit committees - it is good when the head of audit is supporting the committee, but you also want those people who are holding you to account to have the expertise to look at the complex issues.

One of the things that I found challenging was around the expedience, the quick decision making versus a democratic ability. Senior managers require assurance about the processes but there are some implications around governance.

I also took the opportunity during this period to explore some of our own development such as exploring automating audit and our audit processes. One of the things that I found, was the challenge around internal audit independence, this shouldn’t be an excuse for not supporting the organisation during a crisis – we just need to manage it. The key is to effectively manage this, not to give it as an excuse.

I think everyone will be aware that risk profiles changed quickly and overnight, so we talk about cyber, liquidity, supplier risk, but then we needed to ensure that those critical decisions taken at the time, are evidence based, resulting in sound decisions being made.

Our senior managers want reporting to be factual and to the point. No one is concerned about template reports, the format of the report, all they are interested in are the facts.

Senior managers now need more assurance around COVID-19, and we are doing some work around providing this assurance, supporting them through the recovery. At the moment I sit on the recovery and coordination board which is looking at how the council is going to recover. That is providing a lot of insight around the transformation.

We can still do our job effectively through working remotely. For me, secondment brought new experiences and insight.

The future of internal audit as I see it, is the end of static and inflexible annual reporting. I don’t think there is any room for annual audit plans I think rolling plans and possibly no plans are the way forward. I think we are just out to provide assurance. Reliance on other lines of assurance was key for me when I was doing the annual governance statement. We had to rely so much on assurance from other providers.

I think that a lot of councils could be facing the challenge of financial sustainability, there could be an issue around budgets being reduced at some point. There is going to be some push around shared services, strategic partnerships and increased collaboration just to ensure that you have the leverage to call some of your local colleagues to help to deliver some of the key priorities.

We need technology to support our processes so automation, artificial intelligence, data analytics, I think we need to think about our processes and use the technology available. Internal audit needs to start talking about providing insight and intelligence; the robustness of controls in times of stress, not just in normal times, we are providing assurance in normal times but what about in times of stress, can we manage?

Using risk management to influence strategic decision making, forecasting, and reporting.

A lot of people in the organisation were seconded to do other jobs but I think there will come a time when internal audit staff will be asked, during normal times, to be seconded into key management positions, so that when a crisis comes, they can easily move to provide support. 

Institute's comments

I like the point about preparation for crises in the future by deploying internal auditors on an ongoing basis into areas in the business.

 

Institute regions director: comments

A couple of observations: Auditing at the speed of risk. We have had similar comments across the last 19 weeks of virtual forums. Just about every single function that I have spoken to has had to increase pace at some inordinate level to get across the agenda they have in front of them, planning has changed, scope of work has changed, reporting period has changed. There is a need to learn some lessons for the future out of this. So, a lot of what has been said by all of our speakers has resonated with me.

One point to pick up on, from a question in the chat box, that talks about concerns over staff working in operational areas in the organisation during the pandemic, and then coming back to their internal audit roles.

The Institute undertook a COVID-19 survey and quite a number of the responders reflected the fact that staff had been redeployed through the crisis, not just in public sector, but in all sectors, and everyone is having some challenges here. The response from just about everybody was ‘this has been a reality for us, we have to pick up this reality when we come back to work. We are going to have to work around the fact that you don’t audit your own work.

It is absolutely the case that the bigger the team the more flexible you can be and the smaller the team the more difficult it becomes. As long as you can be sure that your staff can be objective all the way through this and they have the appropriate supervision when they come back to doing internal audit work, that is about as best you can do.

 

Chair's comments

Thank you to all our speakers, some fascinating insights. I have been thinking about my own position and some of the commonalities that come out of that. I am always astonished at the agility of internal audit and how at the drop of a hat internal auditors have been able to change what they do, and how they do it, and that has really come through.

Internal auditors taking on new, different, and challenging roles. It is interesting how we talk about internal annual audit plans, but are they still relevant? We seem to be moving towards more rolling planning and reacting to things as they happen, and the realities and demands of our respective organisations.

Something else that came through to me, how some things have changed a lot and the role of internal audit and auditors either being furloughed or moved to different roles, but at the same time some things have continued and the demands on internal audit, for example, to provide an assurance assessment for the annual governance statement, how do you do that if you do not have your full team or if you haven’t been able to complete all of your work in your audit plan?

It is interesting hearing what speaker three had to say about their audit committee and actually, actively commenting on what they saw internal audit delivering to fulfil the governance requirements, and also this tension between operational roles and independence. I think that I have noticed that those two have been drawing closer and closer, and sometimes internal audit is just this side of the independence line, and it is interesting how that tension has come through. I have found everything that has been said really fascinating and I can certainly relate to a lot of it. 

 

Institute's comments

There have been some great comments in our chat box, each of you answering questions raised. There is something around plans, do we need a plan? What about rolling plans? What does the future look like from a planning perspective? This is a message we perhaps need build upon for future forums.

This is the first of many of these forums. It will be useful, perhaps as we move forward to decide on what subjects we cover perhaps:

  • new and emerging risks and how we tackle them
  • climate change
  • culture and how to audit culture is one of the most important things that we need to think about as internal auditors as we move forward

We have a head of internal audit attending today who, along with the chair of their audit committee did a session at one of our previous forums. It is hoped that they may be able to do this again, here. It would be good to hear from an audit committee chair in terms of what they are looking for in this new normal for their internal audit function as we move forward. What sort of assurance are they looking for, what levels of assurance and where?

One of our polling questions asked today ‘what is the frequency that you have met with your audit committee’? This question was also covered in a COVID-19 survey undertaken by the Institute. Some responses reflected that heads of internal audit hadn’t spoken to their audit committee between lock-down and the end of June. That is concerning from a governance perspective. It is about understanding some of those challenges and hopefully move things forward, we understand that virtual meetings through Zoom for example have been a challenge for some.

Another of our polling questions today was on the frequency of these meetings, whether they should be fortnightly or monthly – the outcome from this was that the majority preferred monthly forums.

Thank you for attending, this has been on our agenda for some time and we wish to continue these and work more closely with our colleagues in local authorities and for you to work more closely with the Institute so that we benefit from working together. 

 


Chat box comments

To speaker one - It would be helpful to know how many there are in the team.

Do you have any concerns on audit staff working in services during the pandemic and then auditing these areas?

  • I would particularly for those of us with smaller teams

We have mirrored what panellist one has done in the main, but with the exception of focusing a great deal of audit resource on providing assurance over the many, many system changes and workarounds adopted by virtually all council services as a result of COVID-19 and lock-down. We suspended the audit plan for six months and will be delivering a revised, refocused audit plan for the second half of the year, with an annual opinion based on this.

Have you reduced the number of days in the plan to reflect the time lost in the year? If so, was there any challenge from senior officers/the audit committee?

  • We will have reduced days. The S151 Officer has been very supportive. His motto is ‘we have to be realistic and provide the best audit service that we can with the resources we have’. This was agreed by the audit committee this morning.

That has largely been my experience, certainly support from the S151 Officer but some challenge from other senior officers.

I won’t be asking the staff who have been redeployed to a service to then later audit that service. I will have to reallocate some work and roles within the team.

Agree with panellist three re auditing at the speed of risk, so important in COVID-19 as assurance is required on the significant new and emerging risks affecting our organisations.

Have any of the speaker’s teams learnt lessons/changed working practices in terms of auditing remotely whilst working from home?

To speaker three, what changes did you see in the organisation’s risk appetite? Was more risk taken to be able to respond to and implement the COVID-19 resilience response? Financial and economic risk is currently the most critical risk for us.

How do those who have rolling plans manage the flexibility of that with the approval needed, especially with members mainly being in recess since the start?

  • We have a rolling plan for the first time and my members have delegated a significant amount of authority to me to flex this. I report quarterly to committee on deliverables and what I am planning for the next quarter, but also have instant access to the chair as required.
  • I am planning to update the rolling plan at each audit committee meeting.
  • I have the authority to flex the plan within reason, working with the S151 Officer, providing updates to the audit committee quarterly.

We are agreeing the audit plan with the audit committee every quarter.