Agenda Item 6 - Appendix A

Internal Audit
Plan
2019/2020
 Appendix A

Background

All local authorities must make proper provision for internal audit in line with the 1972 Local
Government Act (S151) and the Accounts and Audit Regulations 2015. The latter states that
authorities must “undertake an effective internal audit to evaluate the effectiveness of its risk
management, control and governance processes, taking into account public sector internal auditing
standards or guidance”.

The guidance accompanying the Regulations recognises both the Public Sector Internal Audit
Standards (PSIAS) 2017 and the CIPFA Local Government Application Note for the UK PSIAS as
representing “public sector internal audit standards”. The standards define the way in which the
Internal Audit Service should be established and undertakes its functions.

The standards also requires that an opinion is given on the overall adequacy and effectiveness of the
Council’s control environment comprising risk management, control and governance, which is informed
by the work undertaken by the Service.

The Shared Service Internal Audit function conforms to the International Standards for the Professional
Practice of Internal Auditing.

What is Internal Auditing?

The role of the internal auditor is to provide independent, objective assurance to management that key
risks are being managed effectively. To do this, the internal auditor will evaluate the quality of risk
management processes, systems of internal control and corporate governance frameworks, across all
parts of an organisation, and to provide an opinion on the effectiveness of these arrangements. As well
as providing assurance, an internal auditor’s knowledge of the management of risk enables them to act
as a consultant and provide support for improvement in an organisation's procedures. For example, at
the development stage of a major new system where the internal auditor can help management to
ensure that risks are clearly identified and appropriate controls put in place to manage them.

Why is assurance important?

By reporting to senior management that important risks have been evaluated, and highlighting where
improvements are necessary, the internal auditor helps senior management to demonstrate that they
are managing the organisation effectively on behalf of their stakeholders. Hence, internal auditors,
along with senior management and the external auditors are a critical part of the governance
arrangements of our organisation, our work significantly contributing to the statutory Annual
Governance Statement (AGS).

Development of the 2019/2020 Internal Audit Plan

To enable the above, the Chief Internal Auditor is required to produce an Annual Risk Based Internal
Audit Plan to determine the priorities of the internal audit activity. The proposed activity should be
consistent with the organisation’s priorities and objectives and taking into account the organisation’s
risk management framework, including risk appetite levels set by management and internal audit’s own
judgement of risks.
How did we develop the plan - Risk Based Internal Audit Planning (RBIAP)

To ensure our internal audit resources continue to be focussed accordingly, particularly during periods
of organisational change, it is essential that we understand our clients’ needs, which means building
relationships with our key stakeholders, including other assurance/challenge providers, in order to gain
crucial insight and ongoing ‘intelligence’ into the strategic and operational change agendas within our
organisation.

This insight is not only identified at the initial development stages of the plan but dialogue continues
throughout the financial year(s) which increases the ability for the Internal Audit Service to adapt more
closely to meet the assurance needs of the Council, particularly during periods of significant change.

Our plan therefore needs to be dynamic and should be flexible to meet these needs.

How did we achieve the above?

To ensure that an effective plan is developed, a consultation process took place with the Audit and
Standards Committee, Corporate Team, Heads of Service and Service Managers to establish
priorities. The proposed activity from all sources was collated and matched against the internal audit
resources available and prioritised accordingly.

A flexible audit plan - Risk and Control Assurance Programme

The Audit Plan is stated in terms of estimated days input to the Council of 463 audit days, which is
comparable to last year. By continuing to apply RBIAP principles; this level of input, with the ability to
commission internal audit resources from current audit framework agreements as required, is
considered acceptable to provide the assurance the Council needs. We will however, continue to
reassess our resources required against the Council’s priorities and risks and will amend the plan
throughout the year as required, reporting any key changes to the Audit and Standards Committee.

The Chief Internal Auditor will however, continue to reassess internal audit resources required against
the Council’s priorities and risks and will amend the Plan throughout the year as required, with any
additional activity required above the core provision agreed with the S151 Officer, reporting any key
changes to the Audit and Standards Committee.

Overview of Internal Audit’s Risk and Control Assurance Programme

In order to provide a high level overview of the proposed Risk and Control Assurance Programme the
charts below highlight the allocation of audit resources (excluding time allocated for management
activities e.g. Committee report compilation; Committee attendance and other) per:

 Functional service area; and

 Category of review.
The key points to note within the proposals are:

 There is a proportional split, based on risk, between each of the functional service and Council
wide areas to enable the provision of the Chief Internal Auditor’s annual audit opinion - due to
the current transformational change programme being delivered by the Council, more focus has
been directed to governance (including a review of the effectiveness of the governance
arrangements for driving forward any key improvement actions / plans emanating from the Local
Government Association Peer Review), fundamental financial systems and Council wide
compliance with key corporate requirements;

 Continued focus on ICT risks and counter fraud activity, which includes the use of Data
Analytics to help support more efficient and effective internal audit practices;
 Continued emphasis on providing assurance that the Council’s key strategic and operational
risks are being effectively managed;
 Undertaking follow up audits where a limited assurance opinion on the control environment was
provided in 2018/19 (e.g. capital programme follow up review); and

 Taking into consideration other assurance providers.

The detail supporting this overview is attached at Attachment 1 which shows:

 Audit activity per service area;

 Name of the audit activity;

 Reason for the audit i.e. as a result of RBIAP and link to the Council’s Strategic Risk Register,
statutory requirements etc;

 Outline scope of the review (please note that a detailed terms of reference is agreed with the
client prior to the commencement of every audit to ensure audit activity is continually focused on
the key risks and is undertaken within agreed time periods, to ensure our service adds value to
the Council); and

 The priority of the audit i.e. priorities 1 and 2. Priority 1 reflects statutory requirements i.e. grant
certification, a limited assurance follow-up review, activities that may have been subject to a
previous investigation / irregularity, or as deemed necessary by the Chief Internal Auditor to
enable an opinion on the control environment to be provided. Priority 2 activities are the
remaining identified activities. The aim being that all priority 1 activities would be delivered
within the year with the priority 2 audits being reassessed in the eventuality of any new
emerging risk areas highlighted where assurances may be required, or where additional fraud
investigations/irregularities materialise.
Internal Audit Plan 2019/20 Attachment 1

Council Wide

Audit Reason for Outline Scope Priority

Audit

Annual Identified as part Local authorities are required to prepare a governance statement in order to report Priority 1
Governance of Risk Based publicly on the extent to which they comply with their own code of governance on an
Statement Internal Audit annual basis, including how they have monitored and evaluated the effectiveness of
(2018/19) Planning (RBIAP) their governance arrangements in the year, and on any planned changes in the
coming period.
Strategic Risk
Register (SRR) This review will seek to determine the robustness of the governance, internal control
Cross Cutting and risk management arrangements as detailed within the statements of
Risk (CCR) all compliance.

Local Identified as part Peer Challenge is a core element of the LGA sector-led improvement offer to local Priority 1
Government of RBIAP authorities. The basis of the offer is that local authorities have a corporate peer
Association challenge every 4-5 years. The Council has committed to participating in a peer
(LGA) Peer SRR CCR 1, 10, review during the latter part of 2018/19. The peer challenge offers an opportunity to
Review 17, 19 validate the direction of travel and approach being taken by the Council, and test,
stretch and further evolve thinking for the future.

This audit will seek to determine the effectiveness of the governance arrangements
for driving forward any key improvement actions / plans emanating from the peer
review.
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

Corporate Risk Identified as part The Council’s Excelsis system is used to record and report progress against the Priority 1
and Performance of RBIAP Council’s Corporate Delivery Plan, Annual Service plans, Cross cutting plans,
Reporting Performance Indicators and Risks.
SRR all
Internal Audit will review the operating effectiveness of the current corporate risk and
performance management arrangements.

Freedom of Identified as part The Freedom of Information Act 2000 provides members of the public access to Priority 2
Information of RBIAP information that is held by local authorities. It does this in two ways:

SRR CCR 4  The Council is obliged to publish certain information about its activities; and

 Members of the public are entitled to request information from the Council.

This audit will review the effectiveness of the control environment for handling
requests to ensure that the Council is able to fulfil its legal obligations.
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

LGA and Identified as part The Council has committed to participating in a peer review during the latter part of Priority 2
Workforce Plan of RBIAP 2018/19. The peer challenge offers an opportunity to validate the direction of travel
transitional and approach being taken by the Council, and test, stretch and further evolve
arrangements SRR CCR 1, 4, thinking for the future. In addition, a series of service reviews are being delivered as
10,17, 18, 19 part of the Workforce Plan.
Consultancy Internal Audit will provide professional advice and support to the change programme
to ensure that as part of the transformation programme the control environment is
not compromised.
Internal Audit Plan 2019/20 Appendix 1

Customer Services

Audit Reason for Outline Scope Priority

Audit

Creditors Identified as part The Council's creditor (accounts payable) function is maintained by the Revenue Priority 1
of RBIAP section. The objective of the accounts payable function is to pay valid supplier
invoices in respect of goods or services received within agreed payment terms. In
SRR CCR 1, FIN 2017/18 creditors were responsible for circa £31.7m of payments (inclusive of VAT),
27 (operational) it is therefore important to have robust and effective controls.

This audit will review the effectiveness of the arrangements for setting up new
vendors, vendor changes and invoice control.

Multi Services Identified as part The multi services contract provides for the provision of waste and recycling, street Priority 1
Contract of RBIAP and building cleaning, grounds maintenance, fleet management and maintenance
services and represents a significant service provision to the Council both in terms of
SRR CCR 9 financial and reputational exposure.

During 2017/18 Internal Audit undertook a consultancy review to advise upon the
effectiveness of the Council’s contract management and monitoring arrangements.
The findings emanating from the review resulted in a number of recommendations
being made in order to strengthen the governance, financial, performance, and risk
management arrangements.

This review will seek to determine the effectiveness of the contract management
arrangements.
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

Complaints Identified as part The Council defines a complaint as ‘an expression of dissatisfaction with the Priority 2
Handling of RBIAP Council, its service or its staff’.

SRR CCR 4 It is important that complaints are taken seriously, promptly, and if justified, to put the
matter right as soon as possible.

This audit will review the effectiveness of the Council’s handling of complaints.

Council Tax Identified as part The Welfare Reform Act 2012 abolished Council Tax benefit. Under the Local Priority 2
Support Scheme of RBIAP Government Finance Act 1992 local authorities are required to develop a local
Council Tax Support scheme which protects pensioners.
SRR CCR 1, R &
B 1 (operational) The Council has recently consulted on the scheme for 2019/20 as the current
Council Tax Support Scheme was due to end on 31st March 2019.

This review will seek to determine whether there are effective arrangements in place
for administering the agreed 2019/20 scheme.
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

Small Business Identified as part Some business properties are eligible for discounts on their National Non Domestic Priority 2
Rate Relief of RBIAP rates (business rates) and this is called ‘business rates relief’. Small business rate
relief is applicable if the business:
SRR CCR 1, R &
B 1 (operational)  Property’s rateable value is less than £15,000; and

 Only uses one property (however relief could still be applied if more than one
property is used where certain criteria is met).

This review will seek to determine whether there are effective arrangements in place
for administering the scheme.
Internal Audit Plan 2019/20 Appendix 1

Development Services

Audit Reason for Outline Scope Priority

Audit

Planning Identified as part The Council is the area’s local planning authority, responsible for determining Priority 1
Applications of RBIAP whether development in the local environment (constructing or altering buildings, or
use of land) is suitable and in accordance with local and national policy. National
SRR CCR 1 government is keen to ensure continuing improvement in the planning system, and
measures the Council’s performance on the speed and quality of decisions on
applications for major development.

This audit will consider the effectiveness of the arrangements in accepting,

validating, publicising and determining planning applications.
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

Gloucestershire Identified as part Stroud District Council and Gloucester City Council have collaborated to provide a Priority 2
Building Control of RBIAP shared local government building control service known as the Gloucestershire
Partnership Building Control Partnership. The Partnership was established on 1st July 2015
SRR CCR 1, through a Section 101 Agreement, with staff becoming employed by Stroud District
DEV17 Council acting as the host Authority. The Building Control function comprises of two
(operational) elements:

 Plan vetting and inspection of applications, which is a statutory Council

function in direct competition with the private sector; and

 Enforcement of Building Control legislation and regulations.

This review will seek to determine whether there are effective governance, risk
management and monitoring arrangements in place for the Partnership and that
these are operating effectively.
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

Private Sector Identified as part The Council's Private Sector Housing Renewal Team works towards warm, safe, Priority 2
Housing - Empty of RBIAP healthy homes for all the district’s homeowners and private tenants. The team
Homes covers all housing which is not owned by the Council, including leasehold properties,
SRR CCR 1 privately rented accommodation, housing association properties and those which are
owner occupied. Most of Stroud District’s residents (89%) live in properties which
are privately owned or privately rented (source – Private Sector Housing Renewal
Policy).

Properties which are left vacant for extended periods of time can cause problems for
the local environment, the surrounding community and attract anti-social behaviour,
as well as being a wasted resource which could be used to provide much needed
homes.

This review will seek to determine whether there are effective arrangements in place
to encourage owners to bring their properties back into use and ultimately to deter
them from leaving their homes empty.
Internal Audit Plan 2019/20 Appendix 1

Financial Services

Audit Reason for Outline Scope Priority

Audit

Capital Identified as part A capital programme is a set of capital projects that a Council plans to undertake Priority 1
Programme of RBIAP within a given timetable and should be based on an approved Capital Strategy,
which in turn should be linked to the Council’s Asset Strategy.
Limited
Assurance Follow During 2017/18 Internal Audit undertook a review of this area. The findings resulted
Up in a limited assurance opinion being given in respect of the risk identification maturity
and control environment, leading to a series of recommendations aimed at
SRR CCR 13, 16 strengthening the governance framework and ensuring alignment with best practice.

In light of the above, it was agreed that Internal Audit would undertake a follow-up
review during 2019/20.

Medium Term Identified as part The Council’s Medium Term Financial Plan (MTFP) sets out the Council’s financial Priority 1
Financial Plan of RBIAP position for the next four years covering the period from 2019/20 – 2022/23. The
MTFP is integral to the Council’s financial planning since it forecasts how it will
SRR CCR 1, 3, 4 remain financially resilient as an organisation.

This review will seek to determine the robustness of the governance framework,
assumptions, and compilation process used for the development of the Council’s
Medium Term Financial Plan.
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

VAT outputs Identified as part Value added tax (VAT) is a tax on transactions affecting most entries in the Council's Priority 2
of RBIAP accounting system. It is the Council's responsibility to make correct VAT returns to
HMRC detailing input and output tax. It is therefore essential that there are
SRR CCR 1, FIN appropriate controls over the VAT that shall be charged on any supply of goods or
3 (operational) services made in the United Kingdom, where it is a taxable supply, in the course of
Council business.

This review will seek to determine whether there are adequate internal control
arrangements in place to ensure that output VAT is correctly applied.
Internal Audit Plan 2019/20 Appendix 1

Tenant and Corporate Services

Audit Reason for Outline Scope Priority

Audit

Housing Identified as part The Council’s housing service delivers a variety of services to tenants and plays a Priority 1
Revenue of RBIAP key role in supporting the strategic aims of the Council, including: housing, economic
Account Delivery development and health and well being.
Plan SRR CCR 5, FIN
9 (operational) The Council has developed a business plan which sets out the Council’s considered
direction, service priorities, financial model and approach to the management of
business risks and opportunities which includes an action plan.

This review will seek to determine whether the agreed actions are being actively
progressed in line with the stated target delivery dates.

ICT Identified as part The ICT audits will be identified following the ICT audit needs assessment. The Priority 1
of RBIAP assessment will be compiled by the internal Audit Service ICT audit specialists and
will consider input from both Council officers and External Audit.
Assurance
required by Audit
and Standards
Committee

SRR CCR 4
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

Leavers Process Identified as part The Council recognises that employment may be ended for a variety of reasons. If Priority 1
of RBIAP handled effectively it can reduce any negative impact caused by such actions
whether the ending of employment is initiated by the employee or the Council.
SRR CCR 4
It is important that a consistent and proactive approach is applied to managing the
process of ending employment contracts for staff leaving the Council and ensuring
compliance with current legislation.

This review will seek to determine the effectiveness of the Council’s arrangements
for managing the process for when employees leave the Council.

Housing Stock - Identified as part

The Council has circa 5,000 domestic properties. Void management is the term used Priority 2
void of RBIAP to define how the Council deals with a vacant property to ensure that rent loss is
management minimised and the most effective use is made of the Council’s housing stock in order
SRR CCR 1, TNS to meet housing need.
20 (operational)
This review will seek to determine whether there are effective arrangements in place
to ensure good management of the Council’s void properties, to limit void periods in
order to maximise rental income, and provide a quality service to meet housing
need.
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

Littlecombe Identified as part The Littlecombe development is a mixed-use regeneration scheme providing 600 Priority 2
Scheme of RBIAP new homes, community facilities and other commercial opportunities. The Council
took ownership of the site from the South West Regional Development Agency in
SRR CCR 1 2011. The Council has a partnership agreement with a national property
development company and is entitled to 85% of the net development profit at
completion of the scheme.

This review will seek to determine whether there are effective governance and
financial management arrangements in place and that these are in compliance with
the development agreement.

Local Identified as part The Department for Communities and Local Government published the Local Priority 2
Government of RBIAP Government Transparency Code in 2015. Local authorities are required to publish
Transparency various data online in a number of required formats e.g. expenditure exceeding
Code SRR CCR 4 £500, grants to voluntary, community and social enterprise organisations, senior
salaries and fraud.

The responsibility for posting accurate, complete and up to date data is spread
across the Council. Often people submitting freedom of information requests are
directed to this information to enable them to extract the information they require
directly so it is important that this information is correct.

This audit will review the arrangements established by the Council to meet the
requirements of the Code.
Internal Audit Plan 2019/20 Appendix 1

Counter Fraud

Audit Reason for Outline Scope Priority

Audit

Fraud To support the Allocation to continue the development and implementation of the Council’s Anti- Priority 1
Investigation / Annual Fraud and Corruption arrangements based on latest best practice. This also includes
Detection Governance an allocation for increasing the profile and awareness of anti–fraud, conducting pro-
Statement (AGS) active counter-fraud reviews and undertaking investigations as required.

Protect the Public

Purse
National Fraud Statutory To continue to co-ordinate activity as part of the Cabinet Office’s NFI (a national data Priority 1
Initiative (NFI) Requirement matching exercise that compares data/records i.e. payroll, licences, housing waiting
list, single person discounts, creditors etc.) for a wide range of public services,
To support the including ensuring that matches are investigated promptly and thoroughly and
Annual reporting of results.
Governance
Statement
Fraud Risk To support the The CIPFA Counter Fraud Centre has issued guidance on actions to be taken to Priority 1
Management Annual ‘Manage the Risk of Fraud and Corruption’ within an organisation.
Governance
Statement This allocation is to continue to self assess against the criteria set out in the
guidance and develop a fraud risk register in order to direct/prioritise our counter
Informs the Risk fraud and internal audit resources/activity accordingly.
Based Internal
Audit Plan
Internal Audit Plan 2019/20 Appendix 2

Management Activity to Support the Audit Opinion

Audit Reason for Outline Scope Priority

Audit

Audit and Public Sector This allocation covers Member reporting procedures, mainly to the Audit and Priority 1
Standards Internal Audit Standards Committee, plan formulation and monitoring and regular reporting to and
Committee / Standards meeting with, the Chair and Vice Chair of the Audit and Standards Committee and
Member / Officer (PSIAS) Statutory the Chief Financial Officer.
and Chief Requirement
Financial Officer
Reporting
Provision of To support an This allocation allows auditors to facilitate the provision of risk and control advice Priority 1
Internal Control / effective control which is regularly requested by officers within the Council.
General Advice environment
Quality Public Sector The Accounts and Audit Regulations 2015 states that Internal Audit should conform Priority 1
Assurance and Internal Audit to ‘proper practices’ and it is advised that proper practice for internal audit is
Improvement Standards currently set out in the Public Sector Internal Audit Standards (PSIAS) 2017.
Programme (PSIAS) Statutory
(QAIP) Requirement This allocation is to undertake an annual self assessment and when required,
includes the commission and deliver an external quality assessment, against the new standards.
annual review of To support the
the effectiveness AGS The next external assessment is due in 2020.
of Internal Audit
and the external
assessment
Internal Audit Plan 2019/20 Appendix 1

Audit Reason for Outline Scope Priority

Audit

External Working Activity to support Attendance / work in relation to the Local Authorities Chief Auditor Network (National Priority 1
Groups the audit opinion Group), Midland Counties and Districts Chief Internal Auditors Group and the Fraud
and ICT Groups to enable networking and to share good practice.

External Audit Management The External Auditor and the Chief Internal Auditor regularly meet to discuss plans Priority 1
Liaison activity to support and audit findings, to ensure that a “managed audit” approach is followed in relation
the audit opinion to the provision of internal and external audit services.

Carry Forwards Audit Activity This allocation provides for the completion of various 2018/2019 audits which require Priority 1
outstanding finalising.
Recommendation Activity to support Whilst it is management’s responsibility to manage the risks associated with their Priority 1
Monitoring the audit opinion outcomes/objectives, this allocation enables Internal Audit to monitor management’s
progress with the implementation of high priority recommendations.

Internal Working Activity to support Internal Audit is frequently asked to nominate representatives for working groups to Priority 2
Groups the audit opinion advise on risk and control.