final report - comhairle nan eilean siar · internal audit reports include details of the audit...

Comhairle nan Eilean Siar EXTERNAL QUALITY ASSESSMENT OF THE INTERNAL AUDIT SERVICE Final Report 20 November 2015


Page 1: Final Report - Comhairle nan Eilean Siar · Internal audit reports include details of the audit objectives and scope as well as applicable conclusions, recommendations and action

Comhairle nan Eilean Siar

EXTERNAL QUALITY ASSESSMENT OF THE INTERNAL AUDIT SERVICE

Final Report

20 November 2015


Index and Report Distribution List

SECTION 1 - EXECUTIVE SUMMARY

SECTION 2 - DETAILED FINDINGS

SECTION 3 - ACKNOWLEDGEMENTS

SECTION 4 - ACTION PLAN

APPENDIX A - SUMMARY OF ASSESSMENT OF KEY AREAS

APPENDIX B - DOCUMENTATION AND RECORDS EXAMINED

APPENDIX C - EXTERNAL QUALITY ASSESSMENT – QUESTIONNAIRE

Date of Visit: 2 – 3 November 2015

Draft Report Issued: 20 November 2015

Management Response Received: 20 November 2015

Final Report Issued: 20 November 2015

Issued to:

- Malcolm Burr, Chief Executive

- Robert Emmott, Director of Finance and Corporate Resources

- Paul Macaskill, Chief Internal Auditor

- Cllr Angus McCormack, Chair of Audit and Scrutiny Committee

- Cllr Donald Manford, Vice-Chair of Audit and Scrutiny Committee


1. EXECUTIVE SUMMARY

1.1 Background

Introduction

This report has been prepared following a review of compliance with the Public Sector Internal Audit Standards (PSIAS) 2013 and the International Professional Practices Framework (IPPF) on which the PSIAS has been based. The purpose of this report is to provide an overview of the Comhairle nan Eilean Siar’s (CnES) arrangements for the operation and management of its Internal Audit service.

The PSIAS applies to all internal audit service providers, whether in-house, shared services or outsourced. Indeed, it should be acknowledged upfront that this particular review is very timely, given that internal audit within public bodies in Scotland became a statutory function on 10th October 2014, which brings Scotland into line with the rest of the United Kingdom.

The PSIAS define internal audit as “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

The PSIAS requires, as outlined in Standard 1300 “Quality Assurance and Improvement Programme”, that: “External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation….External assessments can be in the form of a full external assessment, or a self-assessment with independent external validation”.

This report details the findings from the external quality assessment (EQA) undertaken in November 2015 by the Chief Internal Auditor (CIA) of Orkney Islands Council.

1.2 Scope

The purpose of this EQA is to provide an independent assessment of the extent to which the Internal Audit Service complies with the PSIAS. The methodology for this EQA takes the form of a validated self-assessment. As such, we have undertaken the following work in arriving at our opinion:

- reviewed the latest self-assessment and supporting evidence provided by the CIA;

- canvassed the opinions of key stakeholders such as Chair and Vice-Chair of the Audit Committee, Directorate, and Chief Executive;

- undertook a series of tests using a standard checklist; and

- undertook a review of guidance and process documents and a sample of files (see Appendix B).

As part of our review of the internal audit service, we issued questionnaires to a sample of key stakeholders using the service; these included the Chair and Vice-Chair of the relevant committee responsible for Audit matters. The confidential responses were sent directly back to the review team. A sample questionnaire can be seen in Appendix C of the report.


Limitations

We have not undertaken any specific work to assess the effectiveness of the Council’s Audit Committee. Our view as to the extent of compliance with the PSIAS cannot be taken as any assurance on the strength of the control environment. It should also be noted that this report does not include detailed findings from the sample file reviews undertaken but that these findings have been used to support our opinions given.

1.3 Areas of Good Practice Identified

- Full compliance with the PSIAS;

- Qualified Internal Auditors with extensive local authority experience;

- Internal Audit staff who are enthusiastic, experienced and focused on providing a good and professional service;

- Well defined procedures which ensure that the service provided is robust, reliable and efficient in carrying out audit activity;

- The ability of External Audit to place reliance on the work of Internal Audit.

1.4 Conclusion and Main Findings

The overall conclusion is arrived at following completion of the comprehensive EQA Checklist. Based on the work we have undertaken, it is our opinion that the Internal Audit Service fully conforms with the PSIAS. Our review has noted that steps have been taken to formalise a number of procedures in order to ensure that compliance with the PSIAS is fully supported and can be clearly evidenced. The final element of this shall be the approval of a Scheme of Delegation for Internal Audit. The amendment to the Scheme of Delegation shall further define the authority of internal audit and promote the organisational independence of the service.

A summary evaluation of each ‘Standard’ can be seen in Appendix A of the report.

2. FEEDBACK AND EQA FINDINGS

2.1 Purpose, Authority and Responsibility

The Internal Audit Charter clearly defines the purpose, authority and responsibility of the internal audit activity. The Charter is approved by the Audit and Scrutiny Committee who are the ‘Board’ and is communicated to senior management. The Charter is reviewed annually.

2.2 Organisational Independence

Management arrangements are in place to promote the independence and objectivity of internal audit. The CIA reports functionally to the Board and communicates and interacts directly with the Board. The CIA contributes to the Board agendas, attends all meetings and presents all internal audit reports. The CIA holds regular discussions with the Chair of the Board. These meetings tend to be informal in that they are not planned beforehand and are not minuted.


The ability to report independently to the Board is not currently reflected in the Standing orders of CnES, and although it is the case in practice, this requires to be formalised in order to strengthen the position of internal audit within CnES. This matter was highlighted in the Internal Audit Annual Report & Assurance Statement for 2014-2015 in June 2015.

Since the publication of the annual report, steps have been taken to formalise the position. The CIA has issued reports in his own name. A draft Scheme of Delegation has been prepared for Internal Audit and it is expected that this will be in place by 31 March 2016. Once approved, the Scheme shall define the authority of the CIA which shall further ensure and promote the organisational independence of internal audit. A recommendation is not required within this report regarding this matter, as in practice, the CIA reports directly to the Board. The authority of the CIA has already been established in the Internal Audit Charter, the Terms of Reference for the Audit and Scrutiny Committee and within the job description for the CIA.

Other areas of good practice were noted in respect of organisational independence. The Chair and Vice-Chair of the Audit and Scrutiny Committee have input into the Staff and Development Appraisal of the CIA. Arrangements are in place to promote objectivity through the avoidance or declaration of actual or perceived conflicts of interest.

2.3 Proficiency and Due Professional Care

All auditors within Internal Audit possess the required qualifications, skills and other competencies required to execute their individual responsibilities in a professional manner. The team does not include a qualified computer auditor. Therefore, the services of a Computer Auditor are hired each year to obtain competent assistance in completing a planned computer audit assignment.

Due professional care is exercised in planning and carrying out audit assignments.

2.4 The Quality Assurance and Improvement Programme

There are comprehensive procedures in place for the ongoing monitoring of the performance of internal audit. This involves management and review procedures undertaken by the CIA as part of the day to day activity of the Service.

The CIA has completed a thorough self-assessment and addressed issues where there was a requirement to improve compliance with the PSIAS.

The results of the quality and assurance programme were reported in the Internal Audit Annual Report and Assurance Statement of 2014-15.

2.5 Managing the Internal Audit Activity

Internal audit adds value to the organisation through the assurance services it provides. The audit activity is closely managed. A risk based plan is prepared in order to enable an annual internal audit opinion to be given. The CIA reports frequently to the Board, both via progress reports and by presenting all internal audit reports which have been issued.


2.6 Nature of Work

Internal audit plan and deliver assignments in order to evaluate and contribute to the improvement of governance, risk management and control processes. A systematic and disciplined approach is taken to planning and executing audit assignments.

2.7 Engagement Planning

Audit assignments are well planned and each assignment commences with the preparation of a terms of reference. The terms of reference includes scope, control objectives, information requirements and other instructions. These control objectives then filter through to the audit programme documentation and testing schedules to ensure that the audit activity is appropriately focused.

2.8 Performing the Engagement

The audit files have a set structure which assists the completion of each audit. The audit work completed is recorded in detail with supporting evidence held on file.

There are document retention policies in place and audit engagements are supervised by the CIA.

2.9 Communicating Results

Internal audit reports include details of the audit objectives and scope as well as applicable conclusions, recommendations and action plans. The reports are issued to all relevant parties. The CIA issues an Internal Audit Annual Report and Assurance Statement which includes his overall opinion on governance, risk and internal controls. This report informs the Annual Governance Statement.

2.10 Monitoring Progress

There is an effective and efficient system in place for following up agreed audit recommendations. The results of follow up work completed are reported promptly to management and to the Audit and Scrutiny Committee. These results feed into the Internal Audit Annual Report and Assurance Statement and to the annual audit planning process.

2.11 Communicating the Acceptance of Risks

The Internal Audit Section has a procedure in place to record and report where a manager has decided to accept a level of risk and has therefore not agreed to implement an audit recommendation. This procedure includes appropriate mechanisms for reporting the situation to management and to the Audit and Scrutiny Committee.

2.12 Stakeholder Questionnaires

The responses received to the stakeholder questionnaires have been analysed as part of the review. The results raised no concerns regarding the Internal Audit compliance with the PSIAS.


3. ACKNOWLEDGEMENTS

We would like to thank the staff and Members of CnES for the co-operation and goodwill that we received during the course of our review.

Olwen Sinclair BA FCCA
Chief Internal Auditor

For and on behalf of Orkney Islands Council
School Place
Kirkwall
Orkney
KW15 1NY

20 November 2015


4. ACTION PLAN

Ref. No. | Finding | Recommendation | Priority | Management Comment | Manager Responsible | Date to be Completed

No actions recommended

Key to Grading of Recommendations Priority:

1. Critical

2. Requires addressing

3. Housekeeping

4. Value for Money


SUMMARY OF CONFORMANCE WITH THE PSIAS – Appendix A

Reference | Assessment Area | Fully Conforms | Generally Conforms | Partially Conforms | Does Not Conform

Section A Definition of Internal Auditing

- - -

Section B Code of Ethics

-

- -

Section C Attribute Standards

1000 Purpose, Authority and Responsibility

- - -

1100 Independence and Objectivity

- - -

1200 Proficiency and Due Professional Care

- - -

1300 Quality Assurance and Improvement Programme

- - -

Section D Performance Standards

2000 Managing the Internal Audit Activity

- - -

2100 Nature of Work

- - -

2200 Engagement Planning

- - -


2300 Performing the Engagement

- - -

2400 Communicating Results

- - -

2500 Monitoring Progress

- - -

2600 Communicating the Acceptance of Risks

- - -


DOCUMENTATION AND RECORDS EXAMINED - Appendix B

- Internal Audit Charter

- Internal Audit Anti-Fraud, Corruption, Bribery and Irregularity Strategy and Response Arrangements

- Audit and Scrutiny Committee Terms of Reference

- A sample of Audit and Scrutiny Committee agendas, reports and minutes

- Internal audit job descriptions, person specifications and performance appraisal documents

- Internal Audit Annual Report & Assurance Statement 2014-15

- CnES Employment handbook (relevant extracts only)

- Internal Audit Manual

- Internal audit work plans

- Audit Universe

- Internal Audit Needs Assessment and Risk Based Strategic Audit Plan 2013-16

- Sample of Internal Audit files

- Quality Assurance and Improvement Programme and related documents

- Declarations of conflicts of interest

- Annual Governance Statement, September 2014

- Assurance Mapping Exercise

- File Retention Policy

- Internal audit year end responsibilities document

- Certificate of Risk Acceptance and Election not to implement an internal audit recommendation

- Follow up Control Sheet 2015-16

- Galileo records for audit management


Appendix C

External Quality Assessment - Stakeholder Questionnaire

To ensure your Council’s internal audit service conforms to the Definition of Internal Auditing, the Code of Ethics and the Public Sector Internal Audit Standards (PSIAS), external assessments must be carried out at least once every five years by a qualified, independent assessor from outside the organisation. The external assessment process supplements the periodic self-assessments carried out internally by your internal audit service. The first external assessment must be carried out by 31 March 2018.

One of the objectives of the PSIAS is to establish a framework for providing internal audit services, which add value to the organisation, leading to improved organisational processes and operations. To assess whether or not this objective has been met and feed in to the external assessment process, we are requesting the opinion of key stakeholders, via this questionnaire, of the internal audit service. The questionnaire, which has been developed from the PSIAS, contains questions relating to the attribute and performance standards considered relevant for this information gathering exercise. With a view to achieving continuous improvement, your answers will also be compared against your Council’s Chief Audit Executive’s view of the level of service provided as well as any evidence available to support this. Your assessment team may contact you for further information.

The independent assessment team selected to review the Internal Audit Service at your organisation is from Orkney Islands Council. The review will be led by Olwen Sinclair, Chief Internal Auditor, Tel: (01856) 886306. Please complete this questionnaire and return it to [email protected] by 26 October 2015. Your views are fundamental to the successful completion of this external assessment process and will assist, going forward, with the continuous improvement of the internal audit service within your local authority.

No Partly Yes Not able to comment

1000 Purpose, Authority and Responsibility

Does the Internal Audit Plan focus on areas that matter to the organisation?

Do internal audit findings and recommendations help the organisation achieve its objectives?

Are internal audit findings and recommendations valued by stakeholders?

Does the internal audit service have a high profile within the organisation?

Is the internal audit service considered to be a key strategic partner throughout the organisation?

The 4 key principles relevant to the internal auditing profession are integrity, objectivity, confidentiality and competency. Does the internal audit service demonstrate compliance with these?

Does the internal audit service also have due regard to the principles of openness, honesty, leadership, selflessness and accountability?

Is the internal audit service fair, impartial and unbiased?

Does the internal audit service protect the information it receives?

Have you had sight of the Internal Audit Charter?


1100 Independence and Objectivity

Does the Chief Audit Executive have direct and unrestricted access to the Chief Executive and Chair of the Audit Committee (or equivalent)?

Are priorities for and objectives of audit engagements discussed with senior management and stakeholders as appropriate?

1200 Proficiency and Due Professional Care

Does the Chief Audit Executive demonstrate that he / she has sufficient knowledge and experience?

Do you believe that members of the internal audit service collectively (whether in-house, outsourced / co-sourced or a combination) possess the knowledge, skills and other competencies required to meet audit objectives and comply with the PSIAS?

Do you believe that all members of the internal audit service (whether in-house, outsourced / co-sourced or a combination) exercise due professional care?

2000 Managing the Internal Audit Activity

Do you believe that the internal audit service adds value to the organisation through the assurance and consultancy services it provides?

Do you believe that the internal audit service contributes to the efficiency and effectiveness of the organisation’s governance arrangements, including risk management and the internal control environment in general?

Are you given the opportunity to formally feed in to the internal audit planning process? e.g. through stakeholder meetings, client feedback questionnaires, informal discussions with the Chief Audit Executive.

As a key stakeholder, are you given the opportunity to communicate your expectations of the internal audit service to the Chief Audit Executive?

Do you believe that the internal audit plan takes in to account the organisation’s risk management framework, or where a sufficiently developed framework does not exist, the Chief Audit Executive’s own assessment of risk?

Do you believe that the assignments contained within the internal audit plan are clearly linked to the risks and priorities of the organisation?

Is the internal audit plan flexible enough to respond timeously to changes in the organisation’s risk profile?


2400 Communicating Results

Do Internal Audit Reports communicate the engagement’s scope and objectives as well as overall conclusions, associated risks, recommendations / action plans?

Are Internal Audit Reports accurate, objective, clear, concise, constructive, complete and timely?

Are you comfortable that Internal Audit Reports include all significant and relevant information and observations to support conclusions and recommendations?

Are all Internal Audit Reports, whether in full or abridged, reported to key stakeholders including the organisation’s Audit Committee or equivalent?

Are key stakeholders advised when recommendations made are not agreed in full so that residual risks are known and can be appropriately managed?

Overall assessment

In overall terms, do you believe that the internal audit service within your Council adds value to the organisation, leading to improved organisational processes and operations?

Please enter any further comments you may have below.

Completed by

Position held

Date

Thank you for completing this questionnaire.