AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Local Authority Internal Audit Virtual Forum

25 January 2023

Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised
Institute welcome | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA UK and Ireland

An overall opinion is the professional judgement of the HIA based primarily on the results of individual internal audit engagements, supported in some instances by incorporating other reliable assurance information. HIAs are encouraged to provide an overall opinion in line with PSIAS Standard 2450. It is mandatory for HIA’s in the public sector.

All organisations have defined accountabilities for governance, risk management and internal control, such as audit committees and boards/councils. These bodies are often required to sign-off or make statements on the adequacy and effectiveness of these matters yet they work remotely from the day-to-day of the organisation and need support, a trusted advisor internal audit.

Individual internal audit engagements provide targeted micro-assurance. The overall opinion is different; it is macro-assurance over a defined period of time. This requires HIAs to bring these disparate assurance threads together using themes, trends, evidence and professional judgement to provide holistic, strategic insight into an organisation.

Chair opening comments | Piyush Fatania, Head of Audit, Risk, Assurance and Insurance at Gloucestershire County Council and Chartered IIA Council member

The annual opinion is one of internal audit’s most important outputs. Providing a realistic opinion it’s also one of its most challenging activities. What happens when it all goes wrong such as having to provide an unfavourable position, you find yourself with insufficient data or on the receiving end of difficult conversations? The Chartered IIA’s guidance is very useful | Things to consider when preparing your annual internal audit opinion.

Developing the annual opinion starts with the preparation of the internal audit plan. When making adjustments, breadth and depth of assurance should always be considered, in addition to the reliability of other sources of assurance, to ensure sufficient data come year end. 

Our speaker today is, Khalid Hamid, Director, CIPFA.

Click here for the slides.

  • The annual opinion is not just a year end activity.
  • A HIA must
    • invest in building good relationships all year round.
    • maintain good awareness of the organisation and the wider environment.
    • minimise surprises through regular communication with the audit committee and leadership team.
    • ensure everyone understands that internal audit delivers both assurance and advisory activities.
    • consider credibility at all times.
    • always speak truth to power. Be frank. Be constructive.
    • Check out the CIPFA statement on the role of the head of internal audit
  • A risk-based internal audit plan is key.
    • highlight the audits that are key to providing your opinion.
    • constantly monitor the risk and control framework.
    • continuously improve risk management maturity.
    • invest in assurance mapping – know your three lines.
  • Explain the criteria used as the basis for your opinion.
  • Explain definitions, methodology, be clear and educate.
  • Use credible frameworks to define your scope.
    • Governance – eg CIPFA Solace
    • Risk management – eg ISO31000
    • Internal control – eg COSO
  • The PSIAS Standards are principle driven for consistency.
  • Conformance is important but so is credibility.
  • Refresh yourself on the messages from CIPFA’s report | Internal Audit: Untapped Potential
  • There is still a lot of advocacy needed.
  • What are you doing to raise the profile of internal audit?

 

Chair closing comments

Education of stakeholders is important. Credibility is important. People do not challenge and downplay the expert opinions of professionals like a legal officer or a doctor; it should be the same for internal auditors. Internal audit needs to be trusted too.

 Institute close | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA

Our next session is 1st March 2023 when the topic is Creating the audit plan. Exploring linkages to the annual opinion, nature of plan – rolling/fixed, and the balance of different types of work undertaken.

Useful reference for members |Things to consider when preparing your annual internal audit opinion

 Poll responses

 

LA Forum Poll responses

 

 

Chat comments including Q&A

Question | Is there merit in trying to get the HIA raised in profile and to be on the same footing as the s151 Officer and Monitoring Officer?

Responses

  • s151 Officer has responsibility for the framework but not necessarily the IA function in the legislation
  • there are legal considerations with the officer roles but at a practical level it is a good thing to consider

Question |Any thoughts on whether the delay in 'sign-off' of accounts by the External Auditor could have an impact on alignment / giving a year end HIA opinion?

Responses

  • Our opinion feeds into the AGS and I don't believe the AGS should be as closely associated with the Accounts as it is often seen to be. It should really be a standalone document and not published alongside/as part of the accounts. 
  • In my organisation the external auditors have not formally signed off the accounts, they have provided a progress report which has been reported to AC along with the AGS which can be used to help inform assurance
  • It has the potential to impact as there is a credibility gap with External Audit at the moment, any timeliness issues will add to that with ramifications for internal audit too.

Question |I would be interested in your thoughts where Heads of Internal Audit also have responsibility for other functions (such as risk management) as this then impacts on the ability to provide independent advice on risk maturity etc.

Responses

  • We are often seen as the "competent person".
  • I have risk management, insurance, and health & safety responsibility.  We have arrangements in place to ensure independence and ensure I am excluded from the audit process in these areas. These arrangements are reflected in our audit charter.
  • It is about safeguards and checks/balances where it does happen and the HIA being able to be clear when they are acting in different situations.
  • Refer to CIPFA’s Untapped Potential report.
  • There is an issue with internal audit undertaking 2nd line activities, the degree to which this impacts the opinion is down to professional judgement.
  • In an ideal world internal audit should be a standalone function but councils have a shrinking pool of capacity which is how things often end up with the HIA. We need to push back on ownership/accountability and differentiate responsibility.
  • The flipside is if HIAs only want to provide assurance and no advisory work it can be seen as a negative.
  • Ensure remit of internal audit is approved by audit committee.
  • Maintain independence and focus on assurance. Additional accountabilities shouldn’t be performance punishment (doing a good job/reliable). Create safeguards such as an audit bubble without any HIA involvement in the audit review to provide assurance on what the HIA is accountable for. Audit committee could see that independence had been considered and HIA had received recommendations from own team – it worked well.

Question |The HIA Opinion should be influenced by other sources of assurance provided to the organisation. It is always difficult to do this as we often do know have full knowledge of the other assurance providers or what they have actually covered. Bear in mind that I don't have an approved plan which enables us the flexibility to perhaps get the balance easier.  Much of the validation is done by myself or principal auditor

Responses

  • Agree - we're experimenting on this area this year - I have 'other assurance provider' files for all the key areas that I give an opinion on and information gets 'dropped' into these as they become known - some need to be substantiated and others don't.  The aim is to look at these at year end and see what it's actually telling me, and how each contributes to the overall opinion.
  • It is getting the right balance of spending internal audit resources on validating/assessing the effectiveness of the other assurance providers and saving time by being able to give a light touch or leaving out of the internal audit plan the areas that are well covered by other assurance providers.
  • I don’t agree any longer with annual plans so we have adopted an Internal Audit Rolling Plan, a continuous risk assessment and a rolling opinion. I think the effort in compiling an annual plan, only for it to change is inefficient. I also thing mapping assurance through various views, strategic risks, corporate objectives etc is key. The continuous risk assessment with a rolling plan and opinion, in our experience, provokes more discussion at Committee and ensures regular meetings with CLT's.
  • We develop an annual plan but our approach mirrors the above re: rolling risk assessment and re-prioritisation of risk areas.
  • I agree with the ‘rolling plan comments’ and this is where would like to move our partners to. Getting them there is the tricky bit.

Question |Are HIA clear enough on what is covered by the HIA and what is excluded - ie what are we not providing an opinion/assurance on or what is outside of scope for us?

Response | I was once told to change an opinion when in the NHS or they would put us out to tender - quick escalation to Audit Committee and that went no further!!

Question |Does anybody provide an indicative opinion to Audit Committee at any point in the year?

Responses

  • No, but we do have quarterly updates which help to build a picture up. 
  • No, we also provide quarterly updates to clients and AC on the progress made in delivering the Internal Audit Plan, which includes the assurance opinion of each internal audit activity, but this does not provide an overall quarterly assurance opinion - this is only provided at the end of each internal audit year.
  • We have been asked to provide interim opinions previously in the NHS for CCGs.  This was generally Jan/Feb
  • I think there is merit in this to reflect the pace of change.
  • We provide an interim opinion in our quarterly update reports.
  • In LAs as we have to provide assurance for the AGS once a year an annual opinion works and isn't necessarily tied to a formally agreed plan of work agreed up front at the start of the year. It should be a statement at a point in time based on the work carried out by internal audit and the HIA knowledge of the organisation through other means.

Question |A key challenge in producing an opinion for a County Council is the size and structure of the organisation - in terms of limited assurance reports these normally relate to a specific activity or Service, so key to explain in the annual opinion how these are considered within the overall opinion (e.g. level of risk to the organisation, are the issues restricted just to that service area etc), ie it is not automatic that 5-6 limited assurance opinions for individual audits mean that the overall opinion for the wider Council must be limited. Would however be interested in how people approach this.

Responses

  • Even in a District the opinion may not be universal, and I often give a narrative comment rather than a meaningful one-word global opinion. To me the opinion is more that the Council is good/bad etc it is better to be more descriptive
  • We plan and link our assurances to 8 themes of corporate health for the opinion | Corporate Governance, Risk Management, Financial Control, Change Programme and Project Management, IT and IS, Asset Management (Human and Physical), Procurement, Commissioning and Partnerships and Counter Fraud Arrangements
  • We call it the reasonable assurance model.

Question | Two quick questions from me - given the time it takes sometimes to finalise reports, we include the opinions / outcomes from draft reports (where we are happy they are deemed factually accurate) - assume there are no issues with this. Also, we currently include an overall opinion and a sub-breakdown of assessments on Financial and Non-Financial systems - we are thinking this is probably overkill - any views on this?

Response | I will only give one overall opinion on Financial Systems (Financial Governance) - based on our audit work + other things (other assurance providers etc.)

Question | what does "a high-level statement of how the internal audit service will be developed and delivered in accordance with the Charter" actually look like in practice?

Response | ran out of time to answer this