Bath & North East Somerset Council

Transcription

1 Government and Public Sector September 2006 Bath & North East Somerset Council

2 Contents Section Page Introduction... 3 Executive Summary... 5 Detailed Findings... 8 Observations and recommendations Appendix A Terms of Reference Appendix B Benchmarking Information Appendix C Summary of Recent Internal Audit Recruitment Advertisements Appendix D Strategic Partnership with Public/Private Sector Providers Code of Audit Practice and Statement of Responsibilities of Auditors and of Audited Bodies We perform our audit in accordance with the Audit Commission s Code of Audit Practice (the Code), which was issued in March This is supported by the Statement of Responsibilities of Auditors and Audited Bodies, which was issued in April Both documents are available from the Chief Executive of each audited body. The purpose of the statement is to assist auditors and audited bodies by explaining where the responsibilities of auditors begin and end, and what is to be expected of the audited body in certain areas. Our reports and audit letters are prepared in the context of this statement and in accordance with the Code. Reports and letters prepared by appointed auditors and addressed to members or officers are prepared for the sole use of the audited body, and no responsibility is taken by auditors to any Member or officer in their individual capacity, or to any third party. A new Code of Audit Practice will be in place for the 2005/06 audit year, together with a new Statement of Responsibilities of Auditors and Audited Bodies, both of which were issued in March 2005

3 Bath & North East Somerset Council Introduction Background 1 External auditors aim to rely on the work of internal auditors to reduce the level of their detailed assessment of controls. We have reported that your internal auditor s work is of a good standard and we have been able to place reliance on it. However Internal Audit has struggled in the last two years to deliver its annual plan - in 2004/05 only 65% of the plan was delivered. This affects the assurance you are given internally and restricts the reliance we can take. 2 A number of factors have contributed to the slippage on the programme including: the need to undertake significant additional unplanned work during the course of the year eg fraud investigations; management capacity within the Internal Audit Department; staff retention and recruitment; and the requirement for the Chief Internal Auditor (now the Chief Audit, Risk & Information Manager) to take on new non audit responsibilities which have proved to be very time consuming eg Freedom of Information Act. 3 Internal audit is a key part of the Authority s overall control environment. This is recognised in the Use of Resources Assessment, part of the Comprehensive Performance Assessment (CPA). An effective internal audit service will have a positive impact on the overall Use of Resources rating of the Council. As part of our risk based approach to audit planning, we agreed with the Authority to conduct a review of the Internal Audit Department. Objectives of the review 4 The objective of our review was to assess the adequacy of the Internal Audit service provided to the Authority against a number of key criteria, set out in the terms of reference at Appendix A. Work performed 5 We reviewed relevant documentation and interviewed the Chief Audit, Risk & Information Manager, Jeff Wring, the Audit Manager, Bill Crane, and members of the Internal Audit team. In addition we also interviewed: Jean Hinks Director of Resources Keith Kirwan - Audit Committee Chair Malcolm Hanney Executive Member for Resources Richard Szadziewski Resources Directorate Andy Cox Risk Manager Dave Thompson Head of Commercial Services Matthew Smith Head of Leisure & Amenity Services 3 PricewaterhouseCoopers LLP

4 Bath & North East Somerset Council 6. Our detailed fieldwork was undertaken in April 2006, and a first draft of this report was shared with the Chief Audit, Risk & Information Manager in June Acknowledgement 7 We would like to thank members, management and staff for their help during this review. 4 PricewaterhouseCoopers LLP

5 Bath & North East Somerset Council Executive Summary Background 8 The Chief Audit, Risk & Information Manager leads on Internal Audit and Risk Management, including the Council-wide development of risk management procedures, strategies and training. Over recent years his responsibilities have expanded to take on responsibility for Information Security, Freedom of Information and Data Protection, and this has had a significant impact on audit resource, particularly at managerial level. A new structure was implemented in 2004 to provide an Audit & Risk Management Service consisting of three teams Internal Audit, Risk Management and Information Management. 9 Requirements on internal audit are changing within the Council, and with new professional requirements. Internal Auditors are now expected to play a key role in helping organisations manage risks across the whole organisation, not just in the Finance Department. Recent developments in international auditing standards, developed particularly as a result of some recent large corporate failures, now mean that external auditors are looking to place more reliance on internal audit documentation and testing of core systems. 10 The Council is much more complex than it was several years ago, with a number of substantial projects involving many different parties. Partnership working is becoming much more prevalent in the public sector, requiring a different approach to assurance over the management of key risks. Findings 11 You have already started to respond to the changing requirements placed on internal audit, and particularly with the establishment of an Audit Committee during 2005, and a focus on risk-based internal auditing. Reporting formats are being developed and improved, and the use of available resource is closely monitored. Customers of Internal Audit expressed to us a high level of satisfaction with audit. Staff are seen as credible, professional and helpful, and reporting formats were considered to be clear with attention focused on providing solutions. 12 The Department has struggled to recruit to replace staff, but at the same time the Chief Audit, Risk & Information Manager has been given extra responsibility for Freedom of Information, Risk Management and Data Protection. There has been little scope to change the focus of work because staff have had to concentrate on the essentials of the work programme and the impact of these new responsibilities. 13 The main findings from our review therefore are as follows: Internal Audit is well respected and audit staff are seen as credible, helpful and professional; but The audit plan is not being fully delivered and Council staff, Management and Members, and indeed the Department itself, would like to see more in terms of proactive audit coverage and approach (e.g. contribution to project teams and focus groups which has been attempted but which is limited by available resource and skills); 5 PricewaterhouseCoopers LLP

6 Bath & North East Somerset Council The failure to deliver the plan is largely due to a lack of resource, and particularly in terms of experienced staff with recognised specialisms (e.g. procurement, finance, computer audit); and Benchmarking information suggests that the cost to the Council per audit day delivered is lower than that of other unitary authorities. The mix of qualified and unqualified staff is in line with that expected, although you have fewer specialist staff than other councils. 14 Resourcing underpins the deliverability of the plan. The Department has tried to address this using contract staff, as they have been unable to recruit permanent staff of sufficient quality. Although some of the contract staff have been very good, there is a lack of long-term commitment and development. More recently the Department has however had more success in recruiting permanent staff. 15 There are two clear approaches to addressing a lack of resources as follows: Firstly you can try and obtain more resource the staff budget is currently 20% underspent due to the vacancy position (NB we acknowledge that income targets of 25k are being placed on internal audit which can only be met by savings in staff expenditure); and Secondly you can look to be more efficient with your existing resource. 16 On the first issue you could consider increasing the advertised salaries for the posts that you are trying to fill. We understand that current salaries are in line with neighbouring authorities. Increasing the advertised salary might draw more and better qualified candidates but would have to be considered in light of the impact on existing staff and your overall financial position. At Appendix C we have provided a summary table analysing the minimum and maximum recruitment salaries for all public sector internal audit vacancies advertised over the past year. 17 In addition, you could also: Approach other public sector auditors to share staff (the NHS is currently going through a period of major rationalisation in terms of organisational structure that should result in some spare audit resource); Tender for the shortfall in the audit plan to be met by a private sector provider on a non-recurring basis, and encourage the use of joint working, which would facilitate skills transfer to the in-house team (this is an approach in place in many of the neighbouring authorities); Adopt a more creative approach to recruitment which might include advertising for specialist performance auditors at an increased salary, but who s funding would be covered by the savings generated by their work; Recruit general finance trainees who spend significant periods in Internal Audit as part of their training contract. Apart from providing additional resource, this allows finance staff to gain an overview of the whole organisation, improving the relationships between Finance and Internal Audit. This approach has been successful in the NHS; and Enter into a long-term strategic partnership with a private sector provider or with another public sector provider in a consortium approach. There are a number of advantages and disadvantages of each approach and these have been summarised at Appendix D. The current budget for internal audit (approximately 380k) would secure at least 1000 days of audit from the private sector, with full access to a range of specialist skills, if totally outsourced. The Council could do better than this by taking a strategic approach. 18 On the efficient use of resources, you could consider: Undertaking fewer, but larger audits. This saves time in planning and reporting but facilitates cross-cutting themes and the sharing of knowledge and best practice across the organisation; 6 PricewaterhouseCoopers LLP

7 Bath & North East Somerset Council The use of audit software. Tests by the Audit Commission and the National Audit Office have estimated that time savings of up to 20% in undertaking audits are possible through the use of automated working papers. Ensuring greater visibility over the relative priorities of planned and unplanned work such that you ensure that you are using your resources appropriately. This could include setting a threshold for unplanned work that once reached requires the Audit Committee to approve any additional work; Charging service users for their time in terms of unplanned work, ensuring both the importance of the work being undertaken, and providing additional financial resource to backfill the planned work; and Reviewing follow-up procedures. Currently all audit recommendations are followed up by an audit visit and requirement to validate evidence of implementation. This could be revised to only followup recommendations above a certain priority and/or to obtain written confirmation of implementation, which would free up resource. 19 Our other main findings from this review are as follows: Conclusion Although a risk-based approach is adopted in audit planning, there is no direct link between the plan and the corporate risk register; The quality of reporting to Audit Committee and members can be improved to ensure that audit findings are highlighted at an appropriate level; and Individual audit assignment reports follow best practice in a number of ways including priority levels for individual findings and for the whole report. The report is also signed by both the Chief Internal Auditor and the audit sponsor providing ownership. Key findings are summarised in a concise audit opinion, but review of three reports indicated that the audit opinion is not always fully representative of the key findings. 20 In conclusion we consider Internal Audit to provide a good service to you within the context of the limited resources available. A number of initiatives are already in train to improve the efficiency and effectiveness of the service (for example, improvements to reporting formats, and investigation of audit software). We have made a number of further recommendations in this regard. We also understand that subsequent to our fieldwork, you have been successful in appointing new members of staff to boost the available audit resource. 21 Whilst the measures outlined above will help you to improve performance in respect of your current delivery, you will need to do more to ensure that internal audit truly adds value to the overall organisation and keeps pace with current developments. Internal Audit departments elsewhere are at the forefront of promoting best practice in corporate governance and the management of risk, being actively involved on developing strategy, and providing advice on major projects. To do this effectively requires specialist skills that you don t currently possess within your internal audit team. There are a number of ways in which you can obtain these skills and we have made some recommendations to illustrate how you might do this. 7 PricewaterhouseCoopers LLP

8 Bath & North East Somerset Council Detailed Findings 22 The findings as per the scope of the terms of reference are as follows: Impact and Effectiveness 23 Jeff Wring, the Chief Audit, Risk & Information Manager, manages the Audit and Risk Management functions, including the development of Council-wide risk management procedures, strategies and training. In addition Jeff also has responsibility for Information Security, Freedom of Information and Data Protection. 24 Internal Audit undertake a risk-based approach to the audit plans whereby all of the approximately 200 systems across the Council are assessed in terms of risk profile. The approach to this varies in alternate years. As a minimum the Chief Audit, Risk & Information Manager will review the budget book, taking into account prior audit findings and the time since the last review. The draft plan is sent to Directors and Heads of Service for comment prior to approval by the Audit Committee. Bi-annually the Chief Audit, Risk & Information Manager attends meetings at Heads of Service and/or Director level to discuss the detail of the plan, and from our discussion with a number of Heads of Service we understand that they are satisfied they are able to contribute. There is however no direct link with the Corporate Risk Register (which we acknowledge is still relatively new) in drawing up the overall plan although when individual audits are scoped, reference is made to the relevant departmental Risk Register (see Observation 4). Mission 25 The strategy for audit and risk management services is part of the wider Finance Services Plan although we understand that Internal Audit may have its own plan for 2006/07. There are a number of key performance indicators in the plan and monthly reporting is via a Balanced Scorecard. From April 2006, a new set of KPIs are to be developed and these will link down to individual staff objectives that will be measured as part of the appraisal process. 26 Internal Audit does not have a formal Service Level Agreement with the rest of the Council but has documented terms of reference setting out roles and responsibilities. These now need to be updated and to be formally approved by the Audit Committee (see Observation 17). Profile and Credibility 27 Discussion with Council members and management demonstrated that Internal Audit provides a good service which is well-respected and helpful in terms of addressing areas of concern. The quality of staff is appropriate for the work undertaken and liaison with operational managers in terms of audit planning is sufficient. Audit findings are discussed with management prior to issue of reports so that reports are accurate and helpful. Reports are produced promptly and are of sufficient quality. 28 However the concern, which is well known to Internal Audit, is that current resourcing difficulties and particularly in terms of specialist staff, result in the department generally only being able to assist you at a relatively basic level (we acknowledge that in certain areas the department has been able to undertake detailed reviews and provide guidance of a specialist nature). The work undertaken relates 8 PricewaterhouseCoopers LLP

9 Bath & North East Somerset Council almost solely to compliance testing and providing assurance that processes and systems are adequate, plus some unplanned special investigations. What Council members and managers told us they would like to see more of is: getting involved earlier in the process - e.g. contributing to work groups, business cases, etc; sharing and promoting best practice; working with staff to turn documented policies into operational procedures; and being engaged at the right level to be more aware of, and contribute to, the key issues for the Council. 29 We understand that Internal Audit are not often invited to sit in on projects and give advice on major decisions, or that where they do they are often unable to provide a representative to attend meetings. 30 The Corporate Audit Committee was established last summer and meets quarterly with Internal Audit represented at each meeting. Only two of these meetings receive specific internal audit reports - a half-yearly progress report and the annual report comprising the outturn for the year and the audit plan for the forthcoming year. At the remaining two meetings annual reports in respect of fraud and risk management are submitted. Review of the content of the internal audit reports to the Audit Committee suggest that these provide only basic progress against the audit plan and although an assessment of scores is given, there is no commentary to give a flavour of key issues and concerns (see Observation 10). 31 We understand that there are plans in place to instigate quarterly meetings with the Audit Committee Chair for both the internal and external auditors. There is also planned to be a private session at the end of each Audit Committee to allow any confidential issues to be discussed between the members and the auditors. Council members reiterated the need for internal audit findings to be shared more widely and thus give both the Department a higher profile within the Council and ensure that any significant findings feed into the Council's governance and risk management arrangements (see Observation 11). 32 Prior to the establishment of the Corporate Audit Committee, we understand that Internal Audit had a much lower profile, and particularly with members such that neither the audit plan or the annual report were received by members (although we understand that the plan would have been approved by the appropriate Executive Member). Cost and Efficiency 33 The time worked by all audit staff is recorded on an excel spreadsheet by the Audit Manager, Bill Crane. Time is recorded in 30 minute units and all time should be charged to job codes. There is an administrative code but we understand that staff are not encouraged to use it. Chargeable time is closely monitored by the Audit Manager. For 2005/06 66% of time was calculated as chargeable, with the remaining time allocated to annual leave, sickness, administration and training. 34 The amount of audit resource available equates to 170 days per member of staff and for the 2004/05 audit year only 65% of the plan was completed. Plan completion has always been a problem due to the amount of unplanned work but performance has in the past been better with completion rates nearer 85%. The reason for the deterioration is due largely to the increased calls on audit time and particularly the loss of experienced staff to areas such as risk management and information security. 35 B&NES Internal Audit Department are members of the CIPFA Benchmarking Club. Information is collated and analysed between a number of named authorities and also all unitary authorities. Full details on this information are provided at Appendix B but for example the average quoted planned cost of an audit day to the Council for 2005/06 was 201, compared to a unitary average of 270. The reason for this is due to two factors - the costs associated with audit staff and amount of work that each delivers. According to the information supplied, the average cost per auditor is 37,546 9 PricewaterhouseCoopers LLP

10 Bath & North East Somerset Council compared to 46,533 as a Unitary average. The average number of days delivered per auditor is 187 compared to the unitary average of 175. You therefore appear to have an Internal Audit Department that costs well below the average, but which is delivering more (in terms of days). One of the reasons for the difference in days delivered relates to training where B&NES staff receive an average of 6 days training a year compared to 11 across other Unitary Authorities which may be a concern. During 2004/05 the Council had significantly more non-chargeable audit days than the unitary average (40.1 compared to 31.9 per auditor). This may be reflective of the additional unplanned tasks that Internal Audit staff take on such as the revision of the financial procedures. (NB Please note that we have not validated the accuracy of the information reported to the Benchmarking Club). Methodologies 36 Internal Audit use guidance and documentation provided by CIPFA in terms of methodologies (e.g. sample sizes) and working papers. Alternative approaches to internal audit (e.g. Focus Groups, Workshops, Controls Risk Self Assessment) do not tend to happen, although some presentations are undertaken to various groups (e.g. schools), usually on areas such as risk management. 37 No use is made of audit software packages although we understand that the Department are currently reviewing the Galileo Audit Tool which is used by a neighbouring Authority. Given the current resourcing difficulties, purchase of an audit software package should result in substantial time savings in undertaking audit work as well as improving consistency of output. For example, both the Audit Commission and the National Audit Office make use of Teammate, and have calculated that potential time savings of 20% in undertaking audits are realisable. Similarly, no use is made of computer assisted audit techniques (CAATs) although we understand that they were used several years ago. CAATs would help in tailoring specific audits to address key risks and thereby again deliver efficiencies (see Observation3). Resource Planning and Management 38 The audit plan includes a contingency figure of 15% to 20% but over recent years achievement of the plan has been seriously undermined by unplanned investigations. The operational plan covers a year and amounts to approximately 1400 days. It is part of a five year strategic plan but this is becoming less relevant as the control environment becomes more dynamic and uncertain. The plan is drawn up on the basis of available resource. The operational plan is divided into quarters and assignments given to individual members of staff. Apart from being assigned to a particular quarter no precise timescales are assigned to individual jobs apart from having to issue a draft report within four months, and the final report within six months, of the issue of the Audit Planning Memorandum. (see Observation 8). Currently Internal Audit deliver approximately 100 audits per year but work is ongoing to reduce the number of audits. (see Observation 9). 39 Delivery of the plan is significantly impacted by unplanned work with 400 unplanned days being delivered in 2004/05 and 375 in 2005/06. At present there is no formal process for approval of unplanned work (thereby delaying or cancelling planned work) other than the Chief Audit, Risk & Information Manager making a decision. Unplanned work often has a fraud or special investigation issue connected with it and by definition needs to be undertaken quickly and with the minimum of publicity. However there is still a concern that in a risk-based internal audit service, more consideration should be given to the relative priorities of planned and unplanned work (see Observation 5). 40 In addition Internal Audit help out with a number of further tasks, all of which impact upon the time available for delivering the plan. This includes documenting financial regulations and policies, including those for schools and delivering training to support this (see Observation 7). Staffing 41 The approved structure of the Department excluding the Chief Audit, Risk & Information Manager should result in 11 Wholetime Equivalent (WTE) staff made up of: 10 PricewaterhouseCoopers LLP

11 Bath & North East Somerset Council 1 Audit Manager 2 Team Leaders 5 Senior Auditors 5 Auditors (some part-time = 3WTE) 42 At the time of our review there was a vacancy at each of the Team Leader, Senior Auditor and Auditor grades, but since completion of our fieldwork staff have been either recruited or promoted such that two vacancies remain only at auditor grade. We understand that it has proved very difficult to recruit experienced auditors resulting in both the Chief Audit, Risk & Information Manager and the Audit Manager being more involved in the detail of audit assignments. The current budgeting round is likely to see 25k taken from the budget as part of council-wide savings. 43 All Audit managers and Team Leaders are either qualified accountants or qualified internal auditors. At senior auditor level staff are either part-qualified or qualified by experience. At auditor level staff are encouraged to study either for AAT or IIA and receive support in the form of day release and distance learning. Staff also attend internal training courses such as project and time management and attend the internal corporate training programme. As part of the annual appraisal process training needs are assessed. It is acknowledged however by the Chief Audit, Risk & Information Manager that there are key deficiencies in skills amongst his staff, and particularly in the areas of IT, Procurement and Finance, which are key areas for you going forward. We are aware that the Chief Audit, Risk & Information Manager has approached neighbouring authorities with the objective of sharing staff to address the skills and resource gaps, and that a way forward is now being discussed. (see Observation 1). We understand that staff turnover is relatively low and that sickness is not a problem. 44 Information on staffing is provided to the Benchmarking Club, and suggests that compared to other Unitary Authorities (see Appendix B, Table 11), B&NES has the expected mix of qualified and unqualified staff. One item to note is that other unitary authorities have a higher percentage of other qualified specialists reinforcing the view that you may be falling behind the trend in having specialist staff to meet the increasing Council and Internal Audit agenda. Analysis of staff in salary bandings (see Appendix B, Table 12) suggest that B&NES staff are generally in lower salary bandings than their colleagues in Unitary Authorities elsewhere. Quality 45 A Quality Assurance Questionnaire is issued to all audit sponsors upon completion of the final report. We understand that the Internal Audit Department receives a high satisfaction rating on those forms returned with an average score of over 90% satisfaction. However there is no monitoring of the response rate. (See Observation 15) Relationships 46 The Chief Audit, Risk & Information Manager meets quarterly with colleagues from North Somerset, Bristol and South Gloucestershire to discuss local issues and concerns. There is also a West of England Group for Local Authority Internal Audit on which B&NES are represented. There are a further number of practitioner sub-groups covering Education, Social Services and Procurement/Contracting, on which B&NES are again represented. These allow the sharing of best practice, and facilitate networking amongst the IA community. Finally Bristol City Council are apparently very proactive in organising training and B&NES regularly attend this. Issues arising from any of these meetings are fed back to the wider Department via the monthly team meetings. 47 In terms of other regulatory bodies and inspectorates, there are no planned programme of meetings and these would be undertaken on an as and when basis. You are increasingly entering into partnership arrangements with external parties and the relationship with regard to the audit arrangements for those organisations, and any relevant regulatory bodies, will become more of an issue over the coming months and years. 48 The Chief Audit, Risk & Information Manager currently reports to the Director of Resources, Jean Hinks. There is no considered best practice in reporting arrangements across local government, with 11 PricewaterhouseCoopers LLP

12 Bath & North East Somerset Council other authorities either operating the same arrangement, or alternatively the S151 Officer, Chief Executive or Chair of the Audit Committee. At the time of our review no regular meetings were held with the Audit Committee Chair and External Audit to allow regular and direct reporting of any issues of concern, although we understand that the Council was planning to instigate such meetings. (See observation 10). Performance 49 The strategy for audit and risk management services is part of the wider Finance Services Plan although we understand that Internal Audit may have its own plan for 2006/07. There are a number of key performance indicators in the plan and monthly reporting is undertaken via a Balanced Scorecard. From April 2006, a new set of KPIs are to be developed and these will link down to individual staff objectives that will be measured as part of the appraisal process. 50 Customer Satisfaction Questionnaires are sent out after each audit with the final report. Performance in terms of customer satisfaction is currently very good (at above 90% satisfaction) and overall performance is one of the indicators on the balanced scorecard. 51 The key concern with performance over recent years has been the failure to deliver the internal audit plan (due largely to vacancies and the significant amount of unplanned work 400 days in 2004/05). Coverage 52 Comparison of the coverage of systems compared to other Unitary Authorities (see Appendix B, Table 7) as per the information reported via the Benchmarking Club reinforces the view that B&NES Audit staff are supplying a satisfactory coverage in certain areas of basic compliance but are unable to provide a full range of services, particularly in IT and Contract Audit. As you enter into more complex and diverse projects and partnerships, this gap in coverage will become more of a concern. 53 There are a number of specific queries that arise from the quoted figures as follows (See Observation 16): In terms of schools audits you are well above the average in terms of days provided per m of turnover during 2004/05 (0.7/ m compared to an Unitary Average of 0.47). The figures for 2005/06 widen this gap (0.77/ m) compared to the planned Unitary average of 0.4/ m); You spend an average of 60 days on review of cash and banking arrangements compared to the Unitary average of 23 days; No time was planned for 2005/06 for IT, Contract or Fraud reviews. 12 PricewaterhouseCoopers LLP

13 Bath & North East Somerset Council Observations and recommendations 1 The definition of categories and priorities of recommendations used in this section are contained in Appendix A. Observation Risk arising Recommendation Management Response 1. Resourcing Lack of staff resources is a key issue for Internal Audit and one that largely prevents it from delivering the audit plan and contributing more widely to the Council agenda. Experienced internal auditors are in demand across the public sector and therefore many internal audit departments are carrying vacancies. Approaches have been made to neighbouring authorities but thus far we understand there has been initial reluctance on their part to share audit staff. The Internal Audit Department are unable to deliver the audit plan and increasing demands are being placed on internal auditors which will exacerbate the situation. In terms of specifically trying to resource audits the Authority could: approach other public sector auditors. For example the NHS is currently undergoing a major restructure which will result in a significant reduction in the number of organisations and consequently the amount of internal audit that is required. There should therefore be spare capacity among NHS internal audit providers and although they probably will not have a local authority background, many of the systems to be audited, and particularly the financial ones, are relatively generic in terms of expected controls and procedures; look to buy in expertise from the private sector. This is a common approach across many local authorities where private sector internal auditors are effectively seconded in to internal audit teams for a set number of days to deliver a range of audits. A Strategic Partnering agreement with another Local Government Internal Audit team(s) is the preferred option at this point. Any agreement would look in the early stages to share knowledge and expertise as well as offering training and learning opportunities in order to test its effectiveness. Current budget status dictates that financial resources would not be available to consider any other form of purchase of skills or days from the private sector. Action JW to Report Progress on discussions with neighbouring Authorities by April 2007 consider the option of a formal strategic partnership with a public or private sector body

14 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 2. Recruitment and Retention Internal Audit is unable to recruit sufficient numbers of experienced staff to deliver the audit plan and meet the wider agenda of the Council. Part of the reason for this may be the perception that the Department's role is restricted to basic compliance review and unplanned assignments (usually fraud or special investigation). The Department are unable to actively contribute to the mitigation of key risks that the Council faces. The Council consider the restructuring of Internal Audit into three teams to cover the areas of compliance, fraud and special investigations, and performance improvement/value for money. It is considered at present by internal audit management that there are opportunities to identify significant savings across the Council but lack of audit resource prevents any structured reviews from being undertaken. Taking the step of establishing a performance improvement/vfm team could address the inevitable concern over resources by setting targets for the team to achieve in terms of identifying savings or income generation ideas, so that the team is self-funding. The nature of the work may also make the role more attractive to potential recruits, whilst trainees could be solely employed on the compliance team. The Internal Audit Team is not large enough to split into teams as suggested and this would lead to inflexibility with use of staff. Individual roles within the team are however being reviewed and responsibility on key issues or themes will be discussed and allocated. i.e. lead role on Fraud or Procurement There is little if any scope for establishing any self-funding teams Action JW to implement individual responsibilities with staff by January 2007 following completion of performance review process 14 pwc

15 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 3. Use of Audit Software No use is made of audit software packages although we understand that you are currently reviewing the Galileo Audit Tool which is used by a neighbouring Authority. Given the resourcing difficulties you are facing, purchase of an audit software package should result in substantial time savings in the undertaking of audits as well as improving consistency of output. For example, both the Audit Commission and the National Audit Office make use of Teammate, and have calculated that potential savings of up to 20% in the time taken to complete an audit are realisable. Inefficiencies in the documentation and completion of audits. You should pursue the procurement of audit software packages and CAATs to drive efficiencies in the audit process. Full agreement to further investigation in relation to Audit Management software. An exercise will take place in Autumn 2006 and the outcomes reported back to the Audit Committee. Similarly, no use is made of computer assisted audit techniques (CAATs) although we understand that they were in use several years ago. CAATs would help in tailoring specific audits to address key risks and thereby again deliver audit efficiencies. Action JW to commence an exercise which will take place in Autumn 2006 and the outcomes reported back to the Audit Committee in January pwc

16 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 4. Risk-based Audit Plans Internal Audit undertake a risk-based approach to audit plans whereby all of the approximately 200 systems across the Council are assessed in terms of their risk profile. The approach to this varies in alternate years. As a minimum the Chief Audit, Risk & Information Manager will go through the budget book and take into account prior audit findings and the time since a system was last audited. The draft plan will then be sent to Directors and Heads of Service for comments prior to approval by the Audit Committee (which was only established in July 2005). Bi-annually the Chief Audit, Risk & Information Manager will attend meetings at Heads of Service and/or Director level to discuss the detail of the plan There is however no direct link with the Corporate Risk Register in drawing up the overall plan although when individual audits are scoped, reference is made to the relevant departmental Risk Register. Key risks may not be sufficiently assessed by audit. Key corporate risks should be mapped against the internal audit plan. Whilst it is accepted that there is no direct link with the Corporate Risk Register there are links to Service Risk Registers. The overall risk assessment methodology will however be reviewed and submitted to the Audit Committee for approval. Action JW to finalise revised methodology in Autumn and report to January 2007 committee 16 pwc

17 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 5. Prioritisation of Work There is no formal process for approval of unplanned work (thereby delaying or cancelling planned work) other than the Chief Audit, Risk & Information Manager making a decision. Unplanned work often has a fraud or special investigation issue connected with it and by definition needs to be undertaken quickly and with the minimum of publicity. However there is still a concern that in a truly risk-based internal audit service, more consideration should be given to the relative priorities of planned and unplanned work. Unplanned work prevents delivery of the Internal Audit Plan. We acknowledge that room will inevitably have to be found in the internal audit plan to undertake unplanned work, and even with significant contingency, this is likely to impact adversely on planned work. To ensure that scarce resources are most effectively used, consideration should be given to adopting a consistent risk-scoring evaluation over both planned and unplanned work so that the relative priorities can be scientifically compared and thereby assurance given that audit resources are being used effectively. Risk assessment does take place through the Chief Audit, Risk & Information Manager. In addition decisions need to be taken quickly with regard to certain unplanned work, i.e. Frauds. To aid transparency each decision to reallocate resources is then reported to the S151 Officer and the Audit Committee NFA required apart from changes to content of report style to Audit Committee to commence Jan Charging for Unplanned Work The amount of unplanned work is constantly increasing and impacts upon achievement of the audit plan. The audit plan is not achieved. You consider imposing a system of internal charging for unplanned work. This would allow internal audit to be resourced to deliver the plan (i.e. internal audit are able to buy in resource to backfill the planned work that would otherwise have been deferred to service the unplanned work). A proposal for charging for unplanned work will be presented to Directors Group in the Autumn. This will focus on the recovery of costs from investigation work and improving the process for compiling the audit plan. Action JW to present proposal in Autumn 06 and update committee in January pwc

18 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 7. Recording of Additional Work Internal Audit currently deliver a number of additional services over and above that required by the audit plan. This includes documentation of financial regulations and procedures and the provision of training to support this. This may assist in improving the control framework but impacts on the delivery of the planned audit programme. Non-delivery of the audit plan. If you are clear that Internal Audit are best placed to document financial procedures and policies and to deliver the relevant training, time should be included in the plan to recognise this. Internal Audit are best placed to deliver these services and they are within the current approved Audit Plan. NFA 8. Timetable for Audit Assignments Apart from being assigned to a particular quarter no precise timescales are assigned to individual jobs except that draft reports are issued within 4 months, and final reports within 6 months, of the issue of the Audit Planning Memorandum. Whilst current arrangements provide flexibility of approach and place a defined deadline on completion of an audit, they appear to be very generous and unspecific in terms of timing which may lead to reports being issued with significant delay. Timings assigned to individual audits should be made more precise. Audit Planning memorandums should specify the start and completion dates for the fieldwork, the issue date for the draft report (which should be no more than two weeks after completion of the fieldwork), the required response date from the auditee (again no more than two weeks from issue of draft) and the subsequent issue of the final report (which should not need to be any more than 1 week after receipt of management responses). The dates quoted in the audit planning memorandum should become a contract between the audit team and the auditee and performance on all milestones should be assessed and measured. The Audit Brief specifies clearly the timeframes for the conduct of the audit which Service Management sign up to. There are inevitable issues in relation to agreeing certain recommendations due to availability of key staff at points in time so delays are possible. However we are reviewing our audit methodology to ensure this is minimised. Action Methodology under review Autumn 2006, any material changes to report to Committee in January pwc

19 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 9. Number of Assignments Undertaken Currently approximately 100 audits per year are delivered but work is on-going to reduce the number. A large number of relatively small audits lead to more audit time being lost through time being required for drafting terms of reference and reports. Internal Audit should reduce the number of assignments undertaken, but increase the scope of each assignment such that: economies are achieved in terms of planning and reporting time; and greater value is delivered as there is greater opportunity for dissemination of best practice and focus on council-wide issues. The current Audit Plan does contain fewer auditable areas however each of the Core Systems will be split into Sub- Systems in order to ensure adequate testing can take place over all Core Systems. NFA 19 pwc

20 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 10. Reporting to Audit Committee The Audit Committee meets quarterly and internal audit is represented at each meeting. Only two of these meetings receive specific internal audit reports (a half-yearly progress report and the annual report comprising the outturn for the year just completed and the audit plan for the forthcoming year) although both an annual fraud and risk management report are submitted at the other two meetings. The content of the internal audit reports to the Committee are very high level and although an assessment of scores is provided, there is no commentary to give a flavour of key issues and concerns. The current reporting formats to audit committee provide no detail on the emerging issues from audit work and do not allow trends to be monitored. A summary progress report should be provided to each audit committee setting out the following: planned work since last audit committee work undertaken since last audit committee and reasons for variance from planned work overall assessment for each area audited (acknowledge that this information is already provided) number and priority of recommendations for each area audited brief detail on any significant recommendations Initial year of reporting to the Audit Committee was focussed on ensuring that roles were understood, setting up the framework for reporting and identifying appropriate content to enable the Committee to perform its role. In future years we can build on that improved understanding and the reporting formats can now be developed with further information as suggested. position regarding implementation of prior year recommendations. The annual report should contain the same information but covering the whole year. Action JW to alter report content for January 2007 update report to committee The Audit Committee may also consider requesting Heads of Service to attend to discuss any issues relating to audits that are graded as unsatisfactory (i.e below a certain score) At the time of our review no regular private meetings were held between Internal Audit, the External Auditors and the Audit Committee Chair to allow regular and direct reporting of any issues of concern. There is no provision for independent reporting to the Audit Committee Chair. The Audit Committee Chair should have periodic and private meetings with both Internal and External Audit. (these could be timed immediately prior to a formal audit committee to minimise the time demands on all parties) 20 pwc

21 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 11. Reporting to Members Council Members interviewed as part of our review stressed the need to be made aware of the findings of audit reports (i.e. not receiving all copies of reports but being notified of high priority recommendations and/or unsatisfactory audit ratings). This will help to ensure that these points are picked up in the Council's overall governance and risk management arrangements. Council Members are not of emerging key risks to the Council. The reporting arrangements to members and senior staff should be reconsidered. For example the Chief Executive and relevant Executive Member could be copied into reports that are rated unsatisfactory or where a very high priority recommendation has been raised. a) Audit Action Plans are being integrated into the Councils QPR Performance Management System. This will allow escalation to Directors and Executive Members where actions are not implemented. b) Reports to the Audit Committee are copied to the Executive and Directors Group Action JW to pilot a)in Autumn 2006 and ensure this is fully operational by March NFA on b) as already actioned 21 pwc

22 Bath & North East Somerset Council Observation Risk arising Recommendation Management Response 12. Assignment Report Formats We reviewed three audit reports relating to reviews of Building Cleaning Services, Catering General and Democratic and Member Services. Areas of best practice were noted in the report in respect of consistency of grading for the overall report and individual recommendations, conciseness of audit opinion and evidence of ownership in terms of the signature of the Chief Audit, Risk & Information Manager and the key management contact. Potential concerns over the reporting format are It is not clear when the work was undertaken The scope of the review in terms of the work completed is not clear Not all of the agreed actions have dates for completion and review of progress will therefore be imprecise There is no assigned individual for each action although the assumption would be that the report owner (i.e. the person The current reporting format does not provide sufficient information relating to the work undertaken and the actions agreed to address the issues raised. Reporting formats should be enhanced to include: Dates of fieldwork Context to recommendations (in terms of sample size and materiality) Scope of work carried out Dates for implementation of management actions Clarity over responsibility for management actions Clear link between audit opinion summary paragraph and high priority findings The current reporting format does allow for all this information to be present however the sample chosen may not have reflected that. The format is being reviewed alongside the audit methodology referred to above. Action As per Issue 8 signing the report) would take responsibility A number of the findings lack context (i.e. errors have been found but we are given no idea of the sample size and/or materiality) There are two high risk exposure recommendations in the Cleaning Services report. The Audit Opinion similarly refers to two "important areas where control needs to be enhanced". Only one of these (salary overpayments) relates to a high risk recommendation, the other (Purchasing Card Guidelines) relates to one of three medium risk recommendations. The high risk recommendation not referred to in the opinion relates to the lack of CRB checks on school cleaners which would seem reputationally to be of significance to the Council and which therefore at the very least should have been referred to in the Audit opinion. The same concern was noted in the Democratic and Member Services report where medium risks were specifically referred to in the audit opinion but some of the high risk recommendations were omitted. 22 pwc