To consider the attached report.
The Committee received the Internal Audit Strategy and Plan for 2019/20 with an indicative work programme for the subsequent two years (2020/21 and 2021/22). They noted that the Internal Audit function provided independent and objective assurance and consulting services to Epping Forest District Council. The Internal Audit Strategy summarised the key principles for the Internal Audit Team for the period 2019/20, with some longer term aims. The strategy supported the Audit Plan which set out the work of the Internal Audit function for the year.
The purpose of the Internal Audit Strategy and Plan was to document the Internal Audit team’s approach to provide independent and objective assurance to Members and senior management; ensure the recognition of the key risks the Council faces in meeting its objectives; add value and support to senior management; and to deliver an internal Audit Service that was compliant with the requirements of the Public Sector Internal Audit Standards.
The Chief Internal Auditor noted the key deliverables for the Internal Audit Service during 2019/20 was the delivery of the Audit Plan (to ensure there was sufficient audit coverage); the integrated approach to assurance (providing ongoing assurance to management); the management of commitment (to ensure agreed management responses to audit recommendations); to continually develop their approach (to develop, improve and deliver quality assurance); and to provide business insight (by working more closely with Officers, Members and services).
Internal Audit’s work would help inform each Council’s risk management framework, enabling greater recognition of key mitigating controls and other sources of assurances available. The risks identified in the Audit Plan were shown in appendix A of the report and had been taken, where possible, directly from the Council’s Risk Register.
In addition, an assurance map had been produced (at appendix B of the report) that provided a structured way to identify the main sources and types of risk assurance in the Council.
2018/19 had been the second year of the formal shared service between Broxbourne, Epping Forest and Harlow Councils, with Broxbourne being the host authority and employer of the shared internal audit staff. A Shared Services Board was created and was meeting regularly to oversee the implementation and delivery of the Internal Audit function, assess quality and performance, manage risks and consider major changes to the service.
A Jarvis wondered how many days were programmed in for a normal year’s work, as he thought that the coming year’s programmed days were quite low by normal standards at 438. He was told that there were no set days to deliver the work although Epping had traditionally more days than Broxbourne and Harlow, but the number of days had been reduced partly due to resource and operational issues in the audit team. With broad cross cutting audits hopefully this would produce the assurances that the Committee would want. A Jarvis was concerned that it had dropped from 500 days from when this Council was fairly stable to 438 days when the Council was under more pressure due to transformation. This seemed to be the wrong direction of travel. The Chief Internal Auditor acknowledged this as a valid point, but it was about working smarter, not just doing audits, but going around talking to people and being proactive and advising before problems arose.
N Nanayakkara asked if there was an expectation that in 2021 we would return to a higher number of audit days. She was told that was the intention as this was a one year drop for operational reasons.
Councillor J Whitehouse noted that change management and transformation had been highlighted and now with a lots of staff changes etc. asked if they were covering the business continuity side especially now with smaller teams handling the business processes and the accompanying risks. The Chief Internal Auditor replied that was what they were doing, looking at policies and processes, asking if they had developed new controls for the new environment. An example given in the audit plan was business support section, where they had set aside a large number of days to go in and review their processes.
Councillor Jennings asked what the risk profiles in Appendix B meant, such as A1 (red). He was told that the headings were taken from the current risk register along with the code A1 or B2. Red meant high risk, yellow/orange was a medium risk and green low risk. The next three columns showed the first, second and third line of defence used to mitigate these risks.
Councillor Lion asked how it all fitted together, how did Internal Audit set their priorities and with transformation happening were they linking into the process of re-engineering as the Council were going through a lot of changes? He was told that they prioritised the audit plan on a risk basis. Internal Audit had their own risk assessment that was used and assessed against. As for transformation, they had set aside a period of time to work with the processing team and check what they were doing and advise them where necessary.
Councillor Mohindra noted the reduced number of audit days based on resources, and wondered if they wanted any help from the Executive. He went on to ask how the Chief Internal Auditor would ensure that her team were achieving best practice. The Chief Internal Auditor said that they did not need any help at present as the plan was developed enough to give the assurances needed. And secondly, every five years they were externally audited themselves. They had passed that in 2017 and in the intervening time they reviewed themselves against the Public Sector Internal Audit Standards to ensure they remained compliant.
N Nanayakkara commented that members had noted the reduction in the planned audit days this year. She would like to see the full allocation used, bearing in mind the changes happening over the year, they would need assurance of the effectiveness of core controls. Also she would like to know how things were going with the apprentice they had taken on and if it helped address some of the resourcing issues that they had. The Chief Internal Auditor said that she was pleased with the apprentice they had taken on and were hoping to recruit him as a permanent member of staff. They were then hoping to take on another apprentice after that and then every couple of years train up a new one.
N Nanayakkara noted that a lot of days were set aside for audit committee work and then went on to note that at the last meeting they had asked for something to be put in the Council Bulletin asking members for any input for the proposed plan; had there been any response. She was told that the item was about the work programme and not the Audit Plan. As for the number of days set aside, they were for the five audit committee meetings and the need for the paperwork to first be taken to the Corporate Governance Group and then to attend the meetings.
Lastly Ms Nanayakkara asked at what stage they had scoped the work as set out here. She was told they had to work out when they undertook the audits, and then speak to the Service Directors and Service Managers to find out what they needed to focus on.
That the Internal Audit Strategy and Plan for 2019/20 be approved.