Audit Process
To receive a presentation on the audit process.
Minutes:
The Panel received a presentation on the Internal Audit Planning Process from Catherine Hickman, Service Manager and Paul Ohsan Ellis, Team Leader Internal Audit, Shared Audit and Investigation Service.
The Panel were informed that the audit planning process currently in operation had evolved as a result of the following:
· 2011 - review of the Audit and Investigation Service
· Challenges of the current financial climate
· To deliver a function that is aligned to a LEAN environment
· Statutory requirements
The Audit Plan had been produced in consultation with CMT, the S151 Officer, External Audit and this Panel. The Internal Audit Plan was a formal mechanism to allow the S151 Officer to discharge their legal responsibilities and also aid the Chief Audit Executive to report to the Audit and Performance Review Panel thier audit opinion on the council’s internal control, risk management and governance environment and this also feeds in to the Annual Governance Statement process which was a statutory document that sits alongside the published set of financial accounts.
The Panel were informed that the audit plan was split into distinct sections:
· Key Financial Systems these were the audits of functions that underpin the council achieving its objectives.
· The Governance Building Blocks that are important key cornerstones of good governance.
· The key risks are those that if unmanaged could have a major impact on the council achieving its objectives and as such are reviewed to ensure that the appropriate treatment measures put in place by management are effective and efficient.
· Auditor Judgements are those that have been identified by management that are not a key risk but management are requesting that internal audit look at these areas.
· Servicing the Business holds areas where audit aid management in achieving their objectives through reviews, advice and consultancy services including key areas such as governance.
The plan was aligned to the Corporate Risk Register (CRR) and the Key Risks shown in the audit plan have been identified using set criteria which included; when they were last reviewed, whether follow up action was required, whether it was a new key risk on the CRR. Key risks to the Council can be fluid and so there was a mechanism in place whereby the Insurance and Risk Manager informed of any changes to the key risks on a monthly basis and where required the audit plan would be amended.
With regards to audit reporting and management responses the Panel were informed how Audit reported their findings and how it assesses the category of risk for the concerns identified. The auditor used the risk criteria for impact as shown in the Council’s Risk Management Strategy. It was at this point that management could challenge the cause and category of risk reported. Once agreed management then responded to the audit management action plan detailing whether they would treat, transfer, tolerate or terminate the risk.
The Panel were shown the audit opinion categories which were:
· Complete and effective
· Substantially complete and generally effective
· Range of Risk Mitigation Controls was incomplete and risks were not effectively mitigated
· There was no effective Risk Management process in place
For 2016/17 a mechanism has been put in place so from the time of issue of the draft report, management would be given one month to implement concerns reported that they are to treat, transfer or terminate and then internal audit would re-visit the service before issuing a final audit opinion. Each internal audit final report is copied to the Insurance and Risk Manager for insertion in to the CRR and therefore the Risk Management cycle was complete.
The Chairman thanked officers for their presentation and the Panel requested that in future reports they would like to see evidence of movement between categories following the issue of draft reports and also evidence of challenge by managers.