BUSINESS ASSURANCE STRATEGY AND WORK PLAN FOR

Transcription

1 Audit Committee APPENDIX C 18 March 2014 Agenda Item No. 6 BUSINESS ASSURANCE STRATEGY AND WORK PLAN FOR Purpose 1.1 The pupose of this report is to provide the committee with details of the overall strategy and approach for providing assurance to the committee in future along with the assurance wok plan for Recommendations 2.1 The committee is recommended to approve the Business Assurance Strategy and Assurance Plan for attached at Appendix 1. 3 Supporting Information 3.1 The work plan has been developed based on discussions with Directors and some Heads of Service. There is a strong focus on the key areas of strategic risk to the council and this is reflected by most areas having a corporate focus rather service specific. 3.2 There is still some basic financial systems testing work to complete each year in order to provide assurance to the external auditors. This work is part of the managed audit arrangement which keeps the external audit fees lower. 3.3 The draft strategy and work plan was discussed at a Corporate Board Meeting in February Corporate Board were asked to review the plan and confirm that they agree with the areas to be covered in the work plan. 3.6 The Business Assurance Plan will be reviewed on a quarterly basis to allow for flexibility to pick up new areas of risk or organisational change. This will be reported to the committee as part of the progress report. 4 Options considered 4.1 None 5 Reasons for Recommendations 5.1 The Assurance Strategy and Plan fulfil requirements of the Public Sector Internal Audit Standards which came into force on 1 April Resource Implications 6.1 The plan will be delivered within current resources.. Contact Officer: Evelyn Kaluza, Business Assurance Manager Background papers: none C1

2 Assurance Strategy and Plan 2014/15

3 Assurance Strategy This document sets out the Assurance Strategy for 2014/15 for Aylesbury Vale District Council. Background The Business Assurance Services Team was formed in March It was previously known as Audit, Risk and Performance and also included the Fraud Investigation Team which are now part of the Revenues and Benefits Service. The team has an extensive knowledge of the Council s services, its culture, operations and risk profile. It is therefore in an excellent position to provide the assurance that Corporate Board and the Audit Committee require in order to protect and strengthen every aspect of the business from people to performance, systems to strategy, business plans to business resilience. With just a small team of five staff the priority is to maximise resources and target areas of highest risk and where they will be able to add most value. Context The Council has a statutory responsibility to have in place arrangements to manage risks. The Accounts and Audit (England) Regulations 2011 state that a local authority is responsible for ensuring that its financial management is adequate and effective and that it has a sound system of internal control which facilitates the effective exercise of its functions and includes arrangements for the management of risk. The internal audit element of the service is also governed by the new Public Sector Internal Audit Standards which came into force on 1 April All internal audit assurance and consulting services fall within the scope of the Definition of Internal Auditing which is: an independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. For the Business Assurance Services where the standards refer to the Chief Audit Executive this is the Business Assurance Manager. Part of the requirements of the 2

4 Standard is to have an internal audit charter which defines the purpose, authority and responsibility of internal audit. For AVDC this is defined in the Business Assurance Services Terms of Reference attached at Appendix B. Purpose, Vision and Values Our vision is to provide a high quality cost-effective service, which adapts and responds to the Authority s needs based on achieving a high standard of professionalism and expertise in service delivery. Our goal is to enable Aylesbury Vale District Council to stay resilient over time and to meet the changing needs of the organisation and its customers by: Improving the organisations capacity to anticipate and prepare for new risk and opportunities Providing intelligence on risk and performance to support decision makers Acting as a catalyst for improvement at the heart of the organisation Influencing and promoting the ethics, behaviour and standards of the organisation Providing an independent and objective opinion on the adequacy of risk management and internal control arrangement Developing a risk aware culture that enables services to make informed decisions To deliver our vision we will: Continue to develop our staff to ensure we are fully equipped to respond to our customer s demands. Be forward thinking Continually improve the quality of our services Add value and make best use of our resources by focussing on key risks facing our customers. Increasingly work in partnership with customers to improve controls and performance generally. We must add value and help deliver innovations in service delivery 3

5 Where Business Assurance Services can add value Improved Service Delivery We can help services assess the likely impact of risks to ensure that the risks are avoided or at least that adequate arrangements are in place to deal with them. We can review areas of high risk to provide assurance that controls and actions to manage risks are effective. Managing Change We can provide services with intelligence on changing trends in external risks which may impact on services. We can help departments to assess the risks of major changes occurring which might impact on resource requirements and how they deliver services. By doing so departments can develop contingency plans to maintain services if things go wrong, and consider ways of responding to the demand for services during periods of change through for example, good communication with customers. More Efficient Use of Resources Prioritisation: we can help to identify those areas that may be over-controlled or overregulated so that resources can be released to address higher risk areas. Better Project Management We can help with risk assessment at the feasibility and appraisal stage and can help to develop forecasts; maximise the allocation of risk to the parties best able to manage them; and help clarify responsibilities for managing identified risks. Minimising waste, fraud and poor value for money We can help with providing assurance on performance, processes and systems which support the key objectives and outcomes of services. In doing this we can assess their reliability and how they may need to be improved. Where fraud or irregularities are detected the service can assist in investigation any allegations. 4

6 Assurance Planning Assurance can come from many sources within the Council and part of the role of Business Assurance Service is to map out where those assurances come from in order to identify any gaps and this will help determine the scope of some of assurance reviews that need to be planned. There are broadly three main categories of assurance modelled below and by working towards defining these across areas of risk it will help the council understand how each contributes to the overall level of assurance and how best they can be integrated and mutually supportive. Some of the work of the team falls into level 2 such as developing the risk management and performance management frameworks. Level 3 is only undertaken by the Business Assurance Team and external audit. The third level assurance is independent and operates to the Public Section Internal Audit Standards. FIRST LEVEL Management Assurance at this level comes directly from those responsible for delivering specific objectives, projects or operational areas. These people know the business, culture and day to day challenges which ensure that risks are identified at the lowest level Responsibilities include identifying risks and improvement actions SECOND LEVEL Corporate Groups and specialists THIRD LEVEL internal, external audit Assurance at this level comes from other management areas or disciplines which are not directly responsible for delivery of the those areas. This includes areas where reviews are undertaken to ensure that specific areas of risk are being managed, For example Information Security, Heath and Safety. Responsibilities include designing policies, setting direction and ensuring compliance Assurance at this level comes from more independent and objective sources such as internal and external audit. Responsibilities include independent challenge, reporting on assurance 5

7 Business Assurance Plan 2014/15 General Approach The focus of our assurance work is primarily on the corporate objectives, high risk areas and change programmes. The plan is based on discussions with Directors and Heads of Service and Chair of the Audit Committee. The nature of the work is split between value protection and value enhancement. Value protections is where we provide assurance against existing governance, risk and control arrangements and typically follow a traditional controls assurance process. Value enhancement is focused on assessing future risks such as looking at new projects or looking for opportunities for efficiency savings or improving quality. There will always be a requirement of a level of value protection assurance to satisfy the Audit Committee and external audit who rely on the work in order to make their overall opinion. Strategy Delivering Future Value Efficiency Savings Process Improvement Improving Business Performance Systems development Investment Decisions Emerging Risks Assessing the future governance, risk, control Business systems Projects and contracts Safeguarding assets Compliance Assessing existing governance, risks, controls 6

8 Areas of Focus for To make use of the limited resources the plan has to focus on the highest risk areas. This assessment is based on discussions with individual directors and Heads of Service and highlights the key corporate issues as well as any service specific issues. The Business Assurance Manager will also take into account any weaknesses identified in the previous year as well as the Service Risk Assurance process. The annual Assurance Plan will be approved by Corporate Board and the Audit Committee. The work against the plan will be monitored on a quarterly basis and will remain flexible in order to meet changes or new areas of risk that may arise. The key areas of focus for are highlighted in Appendix A. 7

9 Appendix A Business Assurance Services Plan 2014/15 AREAS TO REVIEW Value Enhancement Area to Review Outline Scope Priority New Business Model follow up Risk Culture/Appetite Strategic Risk - Are the arrangements set up in 2013 working effectively to ensure savings are identified and delivered Following on from work in 2013/14 to establish risk appetite framework as part of decision making Strategic risk does the organisation have the right skills Organisational High capacity/resilience - staff and people in place to meet future model of operation Major Projects Strategic risks all major projects will have some review or involvement from BAS team Aylesbury Centre High Swan Pool High Depot High Town Centre High Policy Compliance Software Evaluate options and lead on business case High Officer Code of conduct New Transparency Requirements Replacement Finance System Debt Management itrent management information Promote awareness of code and review sharing and disclosing of information through social media New requirements from 1 April. Assess progress and review quality of information Ongoing involvement in procurement process for the replacement of APTOS Review debt management responsibilities and arrangements across the council which are currently split Review how new management information is being used or developed High High Medium Medium Medium Medium Low Value Protection Area to Review Outline Scope Priority Housing Benefit and Work relied on by External Audit - Follow up 2013 review High Revenues and repeat key controls testing Core Financial Systems Work relied on by External Audit - Follow up 2013 review High and repeat key controls testing IT project management Review governance, risk and control processes High Data Quality (Corporate Review data quality of key areas where information is High Scorecard, Recycling and Waste) relied on for funding/income Use of web applications Delays in corporate file sharing approach result in increased use of web applications which may expose High Information Management Security Council to risk Lead on investigations and continue to advise through IGG High

10 Area to Review Outline Scope Priority Car Parking Income Work relied on by External audit - The increase in income Medium to over 2m has brought this into external audit s threshold for review. A review of key cash reconciliation processes will be undertaken Corporate Credit Card Review process and controls to ensure there are no Medium weaknesses which could expose council to financial loss through fraud or error Contract procedures Review to ensure revised contract procedures are being Medium followed Fraud Data matching Use of IDEA software to match data not covered by NFI Medium Land Line calls/costs Review process and controls to ensure there are no weaknesses which could expose council to financial loss Low Money Laundering (Credits/Refunds) VAT Rail Travel Accounts - Chiltern Rail Business Travel Account & Oyster Card through fraud or error Review process and controls to ensure there are no weaknesses which could expose council to financial loss through fraud or error Review process and controls to ensure there are no weaknesses which could expose council to financial loss Review process and controls to ensure there are no weaknesses which could expose council to financial loss through fraud or error Low Low Low 9

11 Appendix B Business Assurance Services Terms of Reference (Internal Audit Charter)

12 Introduction and Purpose The Business Assurance Service has been established by the Council as a key component of its governance framework. For the purposes of this charter Internal Audit refers to the work of the team which is governed by the Public Sector Internal Audit Standards. Internal Auditors in the Council are known as Assurance Officers but for the purpose of this charter are referred to as Internal Audit. Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the Council. It assists the Council in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the Council s risk management, control, and governance processes. Statutory Basis of Internal Audit Within local government there is a statutory requirement for an internal audit function. The 2003 Accounts and Audit Regulations (as amended by the 2006, 2009 and 2011 Regulations) require that a local authority must undertake an adequate and effective internal audit of its accounting records and of its system of internal control in accordance with the proper practices in relation to internal control. In addition, the Council s Chief Finance Officer has a statutory duty under Section 151 of the Local Government Act 1972 to establish a clear framework for the proper administration of the authority s financial affairs. The S151 officer relies, amongst other sources, upon the work of internal audit in reviewing the operation of systems of internal control and financial management. Role The internal audit activity is established by the Audit Committee. The internal audit activity s responsibilities are defined by the Audit Committee, via this Charter, as part of their oversight role. The Council shall appoint a Chief Audit Executive which in this council is the Business Assurance Services Manager who shall determine the priorities of, effectively manage and deliver the internal audit service in accordance with this Charter. The Business Assurance Services Manager shall: ensure they have a comprehensive understanding of the Council s systems, structures and 11

13 operations so allowing the preparation of strategic and annual risk based audit plans that are closely aligned to the need to provide assurance against the Council s business objectives as contained within its themes and aims, principal risks and framework of assurance. review and adjust the plans as necessary, in response to changes in the Council s risks, operations, programs, systems and controls. report annually the impact and consequence of any resource limitations across the strategic plan period to the Audit Committee, ensure that all audit work is completed to high standards and in accordance with the standards, practices and procedures as set out in the internal audit manual. undertake an annual review of the development and training needs of internal audit staff and arrange for appropriate training to be provided. put in place arrangements that ensure internal audit is notified of all suspected or detected instances of fraud, corruption or impropriety and in conjunction with the Investigations Manager: o promote a counter-fraud culture within the Authority o determine the most appropriate method of investigating allegations. o establish effective relationships with managers at all levels. Professionalism Internal audit governs itself by adherence to The Chartered Institute of Internal Auditors (CIIA) mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing ( the Standards ). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity s performance. The Institute of Internal Auditors Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to the Council s relevant policies and procedures and the internal audit activity s standard operating procedures manual. Mandatory public sector specific standards were introduced on 1 April 2013, through a joint venture between the Chartered Institute of Public Finance and Accountancy (CIPFA) and the CIIA. These new Public Sector Internal Audit Standards (PSIAS) are based on the mandatory elements of the CIIA existing standards, with additional public sector requirements. Each job role within the team structure will detail skills and competencies within the approved job description and person specification. In line with Council s Annual Talent Review policy and the 12

14 PSAIS, each member of the team will be assessed against these predetermined competencies and annual objectives. Any development and training plans will be regularly reviewed, monitored and agreed with officers. This assessment will also take into account competency changes as needed i.e. to reflect changing technology and legislation. Auditors are also required to maintain a record of their continual professional development in line with their professional body. Authority The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free, and unrestricted access to any and all of the organisation s records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Audit Committee and senior management. Organisation Internal audit has direct access to senior management, the Audit Committee, the Chief Executive and the Chair of the Audit Committee. The Section 151 Officer and the Audit Committee will jointly agree the level of internal audit resource to be deployed at the Council. The Business Assurance Services Manager will communicate and interact directly with the senior management and the Audit Committee, including in executive sessions and between meetings as appropriate. Outside of formal senior management meetings and meetings of the Audit Committee, the Business Assurance Services Manager will have unrestricted access to the Chief Executive and to the Chair of the Audit Committee. For line management purposes, the Business Assurance Services Manager will report to the post of Director with the responsibility for Finance. The Director will approve all decisions regarding the performance evaluation, appointment, or removal of the Head of Assurance Services, in consultation with the Chief Executive. Relationship with Members & Senior Management 13

15 Audit Committee Audit Committee is responsible for overseeing the effectiveness of the internal audit function, and holding the Business Assurance Services Manager to account for delivery, through the receipt of regular updates and reports. The Audit Committee is responsible for the effectiveness of the governance, risk and control environment within the Council, holding managers to account for delivery. Senior Management Corporate Board shall fulfill the role of senior management, as defined by the PSIAS. Senior management are responsible for helping shape the programme of assurance work through an analysis and review of key risks to the achieving the Council s objectives and priorities. Senior management provide leadership and direction for the Council. Independence and Objectivity The internal audit activity will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude. Internal Auditors must remain independent; therefore auditors will be independent of the activities audited to enable staff to perform their duties in a way that allows them to make impartial, objective and effective professional judgements and recommendations. As such, audit staff will not have any operational responsibilities. Further to this, audit staff will not assess specific operations for which they have had any responsibility within the previous year. The Business Assurance Services Manager is also responsible for the delivery of the Performance Management Framework, Insurance and Risk Management services. All three areas have a key part to play in mitigating the risks facing the Council. Responsibility for these operational areas is recognised by senior management and the Audit Committee. With the exception of insurance and risk management, internal audit staff will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment. The Business Assurance Services Manager will confirm to the Audit Committee, at least annually, the organisational independence of the internal audit activity. Conflicts of Interest 14

16 Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments. In addition to the ethical requirements of the various professional bodies, each auditor is required to proactively declare any potential conflict of interest prior to the commencement of each audit assignment. Each member of the team will receive a copy of the Code of Ethics and sign up to an annual declaration to confirm that they will work in compliance with the Code of Ethics as well as Councils standards and policies such as the Council s Codes of Conduct. Where potential areas of conflict may arise during the year, the auditor will also be required to disclose this. It is critical that all Auditors maintain high. Business Assurance Services have procured an arrangement with an external firm to provide additional internal audit days on request; this arrangement will be used for the internal audit of any functions also directly managed by the Business Assurance Services Manager. Responsibility and Scope The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organisation s governance, risk management, and internal control processes in relation to the organisation s defined goals and objectives. Internal control objectives considered by internal audit extend to the entire control environment of the organisation and include: Consistency of operations or programs with established objectives and goals, and effective performance Effectiveness and efficiency of operations and employment of resources Compliance with significant policies, plans, procedures, laws, and regulations Reliability and integrity of management and financial information processes, including the means to identify, measure, classify, and report such information Safeguarding of assets Internal audit is responsible for evaluating all processes of the organisation including governance processes and risk management processes. It also assists the Audit Committee in evaluating the quality of performance of external auditors and ensuring a proper degree of coordination with internal audit is maintained. 15

17 Due to its detailed knowledge and understanding of risks and controls, internal audit is well placed to provide advice and support on emerging risks and issues. As a result, internal audit may perform consulting and advisory services as appropriate for the organisation. It may also evaluate specific operations at the request of the Audit Committee and senior management, as appropriate. Any significant additional consultancy services which are not already included in the assurance plan will need to be approved by the Audit Committee. Based on its activity, internal audit is responsible for reporting significant risk exposures and control issues identified to the Audit Committee and to senior management, including fraud risks, governance issues, and other matters needed or requested by these bodies. This ensures Internal audit plays a key role in providing assurance to the Audit Committee and senior management on the effectiveness of the entire control environment. Role in Anti-Fraud The primary responsibility for the prevention and detection of fraud lies with management. In support of this internal auditors must be alert to the possibility of intentional wrong doing, errors and omissions. Internal auditors must have sufficient knowledge to identify indicators of fraud or corruption in any engagement work they do. The responsibilities of the Business Assurance Service includes developing and promoting the Counter Fraud and Corruption policy, conducting fraud risk assessments, raising awareness of emerging fraud issues and investigating allegations of fraud and corruption, other than those allegations specifically relating to council tax, NNDR and benefits which are investigated by a separate team which is not under the control of the Business Assurance Services Manager. Business Assurance Services also share information with relevant partners, including with government via the National Fraud Initiative, to increase the likelihood of detecting fraudulent activity, and of reducing the risk of fraud to all. The Business Assurance Services Manager should be notified of all suspected or detected fraud, corruption or impropriety so that the impact upon control arrangements can be evaluated. Assurance Plan At least annually, the Business Assurance Services Manager will submit to the Audit Committee the assurance plan for review and approval, including risk assessment criteria. The assurance plan will 16

18 take into account resource requirements for the next financial year. The Business Assurance Services Manager will communicate the impact of resource limitations and significant interim changes to senior management and the Audit Committee. The assurance plan will be developed based on a prioritisation of the key risks facing the council including input of senior management. Prior to submission to the Audit Committee for approval, the plan will be discussed with appropriate senior management. Any significant deviation from the approved plan will be communicated through the periodic activity reporting process. Reporting and Monitoring The Business Assurance Services Manager will arrange for a written report to be prepared and issued following the conclusion of each internal audit engagement; this will be distributed as appropriate. The internal audit report will include management s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management s response will include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented. The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations and will report to the Audit Committee on the results of this activity. The Business Assurance Services Manager will consider any request from external stakeholders for reports on the results of internal audit activity, in consultation with senior management. The Business Assurance Services Manager will arrange for quarterly update reports to the Audit Committee to advise on the results of each internal audit engagement and other relevant assurance work, and provide an annual report to the Audit Committee giving an opinion on the internal control environment. Periodic Assessment In accordance with section 6 of the Accounts and Audit (England) Regulations 2011, the Audit Committee will make arrangements for the conduct of a review of the effectiveness of internal audit. The review is designed to ensure that the opinion given in the Annual Report of the Business Assurance Services Manager may be relied upon as a key source of evidence in the Annual Governance Statement. 17

19 Every five years an external assessment will be required to be performed by qualified and independent assessors. This could be another council or a private sector company. Review of the Audit Charter This charter will be subject to annual review by the Business Assurance Services Manager and any changes presented to Audit Committee for approval each year. Evelyn Kaluza Business Assurance Services Manager March 2014 (Date of next review: March 2015) 18

20 Plan Version March 2014 Appendix B