10.07.2015 Views

Public Sector Internal Audit Standards PDF 146 KB


CORPORATE GOVERNANCE PANEL 26 MARCH 2013

PUBLIC SECTOR INTERNAL AUDIT STANDARDS
(Report by the Assistant Director - Finance & Resources)

1. Introduction

1.1 The Public Sector Internal Audit Standards (PSIAS) are due to come into effect from 1 April 2013. The Standards, which will be recognised as proper non-statutory practice, have been developed specifically for public sector organisations in the UK.

The PSIAS are based upon the International Professional Practices Framework (IPPF) published by the Institute of Internal Auditors (IIA).

1.2 The IPPF contains both mandatory and strongly recommended guidance.

Mandatory
- The definition of internal auditing
- Code of ethics
- Standards for the professional practice of internal auditing.

Strongly recommended guidance
- Position papers
- Practice advisories
- Practice guides

The PSIAS are concerned only with the mandatory elements of the IPPF.

1.3 Whilst the PSIAS require changes to be made to the current definition of internal auditing and the adoption of a new code of ethics for internal auditors, the fact that the internal audit service already meets the requirements of the CIPFA Code of Practice suggests that only minor changes to day to day operational systems will be required.

2. Current proper practice: CIPFA Code of Practice for Internal Audit in Local Government

2.1 The CIPFA [1] Code of Practice was introduced in 2003 and updated in 2006. It has many similarities to the PSIAS (e.g. ethical standards) and reflected current best practice at that time.

3. Guidance on PSIAS interpretation

3.1 CIPFA intended to publish guidance for local authorities on interpretation of the PSIAS. At the time of preparing this report, that guidance has not been published.

3.2 As the Standards become effective from April, it is considered appropriate to inform the Corporate Governance Panel (the Panel) of the main changes. Once the guidance has been issued, any further significant changes will be reported to a future meeting.

[1] Chartered Institute of Public Finance & Accounting


4. Significant changes within the PSIAS

4.1 Once the PSIAS have been adopted, the Internal Audit Manager will be required to include in their annual report, details of any non-conformance and the impact this has had on the overall scope or operation of the internal audit activity. Any significant deviations must be considered for inclusion in the annual governance statement. This needs to be borne in mind when considering the following issues.

4.2 The definition of internal auditing is as follows.

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the Council’s operations. It helps the Council accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”.

4.3 The internal audit manual already contains a set of ethical standards which are based upon those within the 2006 CIPFA Code. These are to be replaced by those of the IIA (see Annex A).

4.4 The IIA code of ethics has been further enhanced with the requirement that internal auditors in the public sector must also have regard to the Seven Principles of Public Life (known as the Nolan Principles – see Annex A).

4.5 There is a formal requirement to prepare an Internal Audit Charter which includes the definition of the terms ‘Board’ and ‘senior management’.

Council has specifically delegated to the Panel responsibility for “ensuring the effective arrangements for the system of internal audit of the Council”. It is therefore proposed that the Panel fulfils the obligations of the PSIAS that refer to the Board (a schedule of Board interactions with the Internal Audit Service is included at Annex B).

Senior management are deemed to be the Chief Officers’ Management Team, which will comprise the Managing Director, together with the two Assistant Directors.

4.6 Terms of reference and an Internal Audit Strategy have been in place since 2004. These two documents are to be replaced by the Internal Audit Charter. A separate report is included on the agenda that deals with this matter.

4.7 The PSIAS refers to the Chief Audit Executive (CAE) as the person who is responsible for effectively managing internal audit in accordance with the internal audit charter. This will be the Internal Audit Manager.

4.8 The CAE is required to maintain organisational independence and this is achieved by them reporting functionally to the board. Examples of functional reporting involve the board in:
- approving the internal audit charter;
- approving the risk based internal audit plan*;
- approving the internal audit budget and resource plan*;


4.13 Internal auditors must possess the knowledge, skills and other competencies needed to perform their individual responsibilities. There is a specific public sector requirement that the CAE must hold a professional qualification (IIA or CCAB) and be suitably experienced.

4.14 The original IIA Standards do not require the CAE to hold a professional qualification, rather ‘they are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications…’.

The current Internal Audit Manager does not hold the professional qualification required. This was known when they were appointed to the post in 2000. Not meeting this aspect of the Standard is considered to be a matter that is required to be reported to the Panel each year in the internal audit annual report, and as such, worthy of being highlighted in this report.

The current post-holder has 30 years internal audit experience, including 23 years in managerial roles. He has a strong commitment to both public services and internal audit, and his lack of a formal professional qualification has not been detrimental to the delivery of internal audit services or the development of new initiatives and ideas. Indeed the service is at the forefront in many areas. In my opinion he certainly has the knowledge, skills and other competencies needed to manage and deliver the service.

4.15 The CAE must develop and maintain a quality assurance and improvement programme (QAIP) that covers all aspects of the internal audit activity. The QAIP must include both internal and external assessment: internal assessments shall be both ongoing and periodical and external assessment must be undertaken at least once every five years.

4.16 Internal self-assessments are already undertaken and reported formally to the Panel. In addition, Panel receive information twice a year on internal audit performance. The Accounts and Audit (England) Regulations 2011 also require that the Council undertake an annual review of the effectiveness of its internal audit. It is the intention to review the work required for the Regulations to see if it may, with amendments, also be used to evaluate conformance with the PSIAS.

4.17 An external assessment is required to be completed against the full PSIAS at least once every five years. Draft guidance suggests that this could be carried out by either a peer review, or by undertaking a self-assessment that is independently reviewed.

4.18 The Internal Audit Manager from the Welland Audit Consortium has agreed to undertake a peer review. Whilst it is anticipated that this will have been completed prior to the Panel’s consideration of the Annual Governance Statement, much will depend upon the reviewer’s own commitments.

5. Recommendation

5.1 It is recommended that the Panel:

a. approve the adoption of the Public Sector Internal Audit Standards from 1 April 2013;

b. approve the procedures by which their functional responsibilities are to be discharged (Annex C);


c. note that the management of internal audit, risk management and insurance services is to remain the responsibility of the Internal Audit Manager;

d. note that the Internal Audit Manager does not hold the professional qualification required by the Standards but does possess the knowledge, skills and competence to manage and deliver the service.

ACCESS TO INFORMATION ACT 1985

Public Sector Internal Audit Standards
Draft Local Government Application Note to the PSIAS (August 2012)

Contact Officer: David Harwood, Internal Audit Manager 01480 388115


Annex A

Code of Ethics

Public sector requirement

Internal auditors in UK public sector organisations must conform to the Code of Ethics as set out below. If individual internal auditors have membership of another professional body then he or she must also comply with the relevant requirements of that organisation.

The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal auditing.

A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control and governance.

The Institute’s Code of Ethics extends beyond the definition of internal auditing to include two essential components:

Components

1. Principles that are relevant to the profession and practice of internal auditing;
2. Rules of Conduct that describe behaviour norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

The Code of Ethics provides guidance to internal auditors serving others. ‘Internal auditors’ refers to Institute members and those who provide internal auditing services within the definition of internal auditing.

Applicability and Enforcement

This Code of Ethics applies to both individuals and entities that provide internal auditing services. For Institute members, breaches of the Code of Ethics will be evaluated and administered according to The Institute’s Disciplinary Procedures. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable and therefore, the member liable to disciplinary action.

Public sector requirement

‘Institute’ here refers to the IIA. Disciplinary procedures of other professional bodies and employing organisations may apply to breaches of this Code of Ethics.

1. Integrity

Principle

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgement.

Rules of Conduct

Internal auditors:

1.1 Shall perform their work with honesty, diligence and responsibility.
1.2 Shall observe the law and make disclosures expected by the law and the profession.
1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation.
1.4 Shall respect and contribute to the legitimate and ethical objectives of the organisation.


2. Objectivity

Principle

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined.

Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgements.

Rules of Conduct

Internal auditors:

2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation.
2.2 Shall not accept anything that may impair or be presumed to impair their professional judgement.
2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality

Principle

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

Rules of Conduct

Internal auditors:

3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.

4. Competency

Principle

Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services.

Rules of Conduct

Internal auditors:

4.1 Shall engage only in those services for which they have the necessary knowledge, skills and experience.
4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3 Shall continually improve their proficiency and effectiveness and quality of their services.

Public sector requirement

Internal auditors who work in the public sector must also have regard to the Committee on Standards of Public Life’s Seven Principles of Public Life.


The Seven Principles of Public Life (the Nolan Principles).

Selflessness: Holders of public office should act solely in terms of the public interest. They should not do so in order to gain financial or other benefits for themselves, their family or their friends.

Integrity: Holders of public office should not place themselves under any financial or other obligation to outside individuals or organisations that might seek to influence them in the performance of their official duties.

Objectivity: In carrying out public business, including making public appointments, awarding contracts, or recommending individuals for rewards and benefits, holders of public office should make choices on merit.

Accountability: Holders of public office are accountable for their decisions and actions to the public and must submit themselves to whatever scrutiny is appropriate to their office.

Openness: Holders of public office should be as open as possible about all the decisions and actions they take. They should give reasons for their decisions and restrict information only when the wider public interest clearly demands.

Honesty: Holders of public office have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts arising in a way that protects the public interest.

Leadership: Holders of public office should promote and support these principles by leadership and example.


Annex B

Schedule of Board interactions with Internal Audit

1000 Purpose, Authority and Responsibility

The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics and the Standards must be recognised in the internal audit charter.

1100 Independence and Objectivity

The internal audit activity must be independent and internal auditors must be objective in performing their work.

Interpretation: To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board.

1110 Organisational Independence

The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the board, at least annually, the organisational independence of the internal audit activity.

Interpretation: Organisational independence is effectively achieved when the chief audit executive reports functionally to the board.

Examples of functional reporting involve the board:
- approving the internal audit charter;
- approving the risk based internal audit plan;
- approving the internal audit budget and resource plan;
- receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
- approving decisions regarding the appointment and removal of the chief audit executive;
- approving the remuneration of the chief audit executive; and
- making appropriate enquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1111 Direct Interaction with the Board

The chief audit executive must communicate and interact directly with the board. (Note: This safeguards the chief audit executive position, in remaining free from interference in determining the scope of internal auditing, performing work and communicating results).

1130 Impairment to Independence or Objectivity

If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

Public sector requirement: Approval must be sought from the board for any significant additional consulting services not already included in the audit plan, prior to accepting the engagement.


1312 External Assessments

External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. The chief audit executive must discuss with the board:
- The form of external assessments;
- The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

1320 Reporting on the Quality Assurance and Improvement Programme

The chief audit executive must communicate the results of the quality assurance and improvement programme to senior management and the board.

1322 Disclosure of Non-conformance

When non-conformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and the impact to senior management and the board.

2010 Planning

The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.

2010.A1

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.A2

The chief audit executive must identify and consider the expectations of senior management, the board and other stakeholders for internal audit opinions and other conclusions.

2020 Communication and Approval

The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.

2030 Resource Management

The chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan.

Public sector requirement: The risk-based plan must explain how internal audit’s resource requirements have been assessed. Where the chief audit executive believes that the level of agreed resources will impact adversely on the provision of the annual internal audit opinion, the consequences must be brought to the attention of the board.

2060 Reporting to Senior Management and the Board

The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues and other matters needed or requested by senior management and the board.


2110 Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organisation;
- Ensuring effective organisational performance management and accountability;
- Communicating risk and control information to appropriate areas of the organisation; and
- Coordinating the activities of and communicating information among the board, external and internal auditors and management.

2440 Disseminating Results

2440.C2

During consulting engagements, governance, risk management and control issues may be identified. Whenever these issues are significant to the organisation, they must be communicated to senior management and the board.

2450 Overall Opinions

When an overall opinion is issued, it must take into account the expectations of senior management, the board and other stakeholders and must be supported by sufficient, reliable, relevant and useful information.

2600 Communicating the Acceptance of Risks

When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organisation, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.


Annex C

Corporate Governance Panel discharging functional reporting responsibilities

Responsibility: Approving the internal audit charter.
Current Position: Panel currently receive for comment.
Proposal: Panel to approve.

Responsibility: Approving the risk based internal audit plan.
Current Position: Panel currently receive for comment.
Proposal: Panel to approve internal audit plan after considering support or concerns of S151 officer.

Responsibility: Approving the internal audit budget and resource plan.
Current Position: Panel currently receive information for comment.
Proposal: Panel to approve after considering Internal Audit Manager’s report and the support or concerns of S151 officer.

Responsibility: Making appropriate enquiries of management and the Internal Audit Manager to determine whether there are inappropriate scope or resource limitations.
Proposal: If Panel believe the resources are insufficient they should formally refer this to Cabinet.

Responsibility: Receiving communications from the Internal Audit Manager on the internal audit activity’s performance relative to its plan and other matters.
Current Position: Panel currently receive performance monitoring report.
Proposal: No change required.

Responsibility: Approving decisions regarding the appointment and…
Current Position: Line manager decision after complying with Council’s agreed recruitment procedures.
Proposal: The Council’s appointment process is followed. Panel Chairman or nominee to be included in any interview panel. S151 officer decides appointment after considering comments of Panel nominee, which is then reported to the Panel for information.

Responsibility: …removal of the Internal Audit Manager.
Current Position: In circumstances other than redundancy, retirement or resignation etc, line manager decision in accordance with Council’s agreed disciplinary procedures.
Proposal: Managing Director decision following discussion with the S151 Officer, Chairman of the Panel & Executive Leader. Dismissal reported to the Panel for information.

Responsibility: Approving the remuneration of the internal audit manager.
Current Position: In accordance with the Council’s approved grading scheme. Starting salary within the grade is determined by the line manager.
Proposal: The job description and grade of the post is reported to the Panel for information. Appointment to a pay point is determined by the S151 officer. In determining any pay progression or enhancements that are dependent on performance, the S151 officer will consider the comments of the Panel Chairman before reaching a decision.
