 |
|||
 |
|||
 |
|||||
 |
|||||
 |
|||||
1 Purpose and commitment to professional standards
1.2 The internal audit service enhances City of York Council’s:
· successful achievement of its objectives
· governance, risk management, and control processes
· decision-making and oversight
· reputation and credibility with its stakeholders
· ability to serve the public interest.
1.3 City of York Council’s internal audit service is most effective when:
· Internal auditing is performed by competent professionals in conformance with The Institute of Internal Auditors’ Global Internal Audit Standards (UK public sector).
· The internal audit service is independently positioned, with direct accountability to the Audit & Governance Committee.
· Internal auditors are free from undue influence and committed to making objective assessments.
1.4 City of York Council can expect to see its internal audit service demonstrate integrity, competence, and due professional care, align with its strategies, objectives, and risks, demonstrate quality and continuous improvement, be insightful, proactive, and future-focused, communicate effectively, and contribute to organisational improvement.
1.5 City of York Council’s internal audit service will adhere to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, which are the Global Internal Audit Standards in the UK Public Sector and Topical Requirements. The chief audit executive will report annually to the Audit & Governance Committee and senior management regarding the internal audit service’s conformance with the standards, which will be assessed through a quality assurance and improvement programme.
2 The internal audit mandate
2.1 There is a statutory duty on the council to undertake an internal audit of the effectiveness of its risk management, control and governance processes. The Accounts and Audit Regulations 2015 also require that the audit takes account of public sector internal auditing standards or guidance. The Chartered Institute of Public Finance and Accountancy (CIPFA) is responsible for setting standards for proper practice for local government internal audit.
2.2 CIPFA has determined that the Global Internal Audit Standards are a suitable basis for the practice of internal auditing in UK local government, subject to interpretations and requirements set out in its application note[1]. Taken together, the Global Internal Audit Standards and the application note represent proper practice for internal audit in local government. This charter sets out how internal audit at City of York Council will be provided in accordance with this proper practice.
2.3 The charter should be read in the context of the wider legal and policy framework which sets requirements and standards for internal audit, including the Accounts and Audit Regulations, the application note, the code of practice[2], and the council’s constitution, regulations and governance arrangements.
3 Definitions
3.1 The Global Internal Audit Standards define internal auditing as follows:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
3.2 The Global Internal Audit Standards include reference to the roles and responsibilities of the “board” and “senior management” in relation to the governance of internal audit. Each organisation is required to define these terms in the context of its own governance arrangements. For the purposes of the Global Internal Audit Standards in the UK Public Sector (hereon in referred to as the “GIAS (UK public sector)”) these terms are defined as follows at City of York Council:
“Board” – the Audit & Governance Committee fulfils the responsibilities of the board in relation to internal audit standards and activities.
“Senior management” – in the majority of cases, the term senior management in the GIAS (UK public sector) should be taken to refer to the Director of Governance in their role as Monitoring Officer. This includes all functions relating directly to overseeing the work of internal audit. In addition, senior management may also refer to any other director of the council individually (including the Chief Operating Officer and Director of Finance) or collectively as the Council Management Team (CMT) in relation to GIAS (UK public sector) requirements for:
· internal audit to have direct and unrestricted access to senior management for reporting purposes
· consulting on risks affecting the council for audit planning purposes
· approving the release of information arising from audit work to any third party.
3.3 The GIAS (UK public sector) also refer to the “chief audit executive”. This is taken to be the Head of Internal Audit (Veritau).
4 Scope of internal audit activities
4.1 The scope of internal audit work will encompass the council’s entire control environment[3], comprising its systems of governance, risk management, and control.
4.2 The scope of audit work also extends to services provided through partnership arrangements, irrespective of what legal standing or particular form these may take. The Head of Internal Audit, in consultation with all relevant parties and taking account of audit risk assessment processes, will determine what work will be carried out by the internal audit service, and what reliance may be placed on the work of other internal and external providers of assurance and advisory services auditors.
5 Responsibilities and objectives
5.1 The Head of Internal Audit has the responsibility to:
· At least annually, develop a risk-based internal audit work programme that considers the input of the Audit & Governance Committee and senior management. Discuss the work programme with the Audit & Governance Committee and senior management and submit the programme to the Audit & Governance Committee for review and approval.
· Communicate the impact of resource limitations on the internal audit work programme to the Audit & Governance Committee and senior management.
· Review and adjust the internal audit work programme, as necessary, in response to changes in City of York Council’s business, risks, operations, programs, systems, and controls.
· Communicate with the Audit & Governance Committee and senior management if there are significant interim changes to the internal audit work programme.
· Ensure internal audit engagements are performed, documented, and communicated in accordance with the GIAS (UK public sector) and relevant laws and/or regulations.
· Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of internal audit services to the Audit & Governance Committee and senior management periodically and for each engagement, as appropriate.
· Ensure the internal audit service collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the GIAS (UK public sector) and to fulfil the internal audit mandate.
· Develop, implement, and maintain a quality assurance and improvement programme that covers all aspects of the internal audit service. The programme will include external and internal assessments of the internal audit service’s conformance with the GIAS (UK public sector), as well as performance measurement to assess the internal audit service’s progress toward the achievement of its objectives and promotion of continuous improvement.
· Communicate with the Audit & Governance Committee and senior management about the internal audit service’s quality assurance and improvement programme, including the outcomes of internal assessments and external assessments.
· Identify and consider trends and emerging issues that could impact City of York Council and communicate to the Audit & Governance Committee and senior management as appropriate.
· Consider emerging trends and successful practices in internal auditing.
· Establish and ensure adherence to methodologies designed to guide the internal audit service.
· Ensure adherence to City of York Council’s relevant policies and procedures unless such policies and procedures conflict with the internal audit charter or the GIAS (UK public sector). Any such conflicts will be resolved or documented and communicated to the Audit & Governance Committee and senior management.
· Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the Head of Internal Audit cannot achieve an appropriate level of coordination, the issue must be communicated to senior management and, if necessary, escalated to the Audit & Governance Committee.
5.2 In addition to the responsibilities set out above to meet the requirements for the practice of internal auditing in local government, the Head of Internal Audit is also required to provide an annual report to the Audit & Governance Committee. The report will be used by the committee to inform its consideration of the council’s annual governance statement. The report will include:
· the Head of Internal Audit’s opinion on the adequacy and effectiveness of the council’s framework of governance, risk management, and control
· any qualifications to the opinion, together with the reasons for those qualifications (including any impairment to independence or objectivity)
· any particular control weakness judged to be relevant to the preparation of the annual governance statement
· a summary of work undertaken to support the opinion, including any reliance placed on the work of other assurance providers
· an overall summary of internal audit performance and the results of the internal audit service’s quality assurance and improvement programme
· a statement on conformance with the GIAS (UK public sector).
5.2 To support the opinion, the Head of Internal Audit will ensure that an appropriate programme of audit work is undertaken. In determining what work to undertake, the internal audit service should:
· adopt an overall strategy, setting out how the service will be delivered in accordance with this charter
· draw up an indicative risk-based programme of work on an annual basis following consultation with the Audit & Governance Committee and senior management. The programme of work will also reflect the requirements of the charter, the strategy, and proper practice
· update the programme of work throughout the year to reflect emerging risks, changes to priorities and the need to appropriately schedule work
· consider trends and emerging issues that may impact the organisation.
5.3 In undertaking this work, the responsibilities of the internal audit service will include:
· providing assurance to the Audit & Governance Committee and senior management on the effective operation of governance arrangements and the internal control environment operating at the council[4]
· objectively examining, evaluating, and reporting on the probity, legality and value for money of the council’s arrangements for service delivery
· reviewing the council’s financial arrangements to ensure that proper accounting controls, systems, and procedures are maintained and, where necessary, make recommendations for improvement
· helping to secure the effective operation of proper controls to minimise the risk of loss, the inefficient use of resources, and the potential for fraud and other wrongdoing
· acting as a means of deterring all fraudulent activity, corruption and other wrongdoing; this includes conducting investigations into matters referred by councillors, officers, and the public, and reporting findings of those investigations to the relevant officers and councillors, as appropriate, for action
· advising the council on relevant counter fraud and corruption policies and measures.
5.4 The Head of Internal Audit will ensure that the service is provided in accordance with proper practice as set out above and in accordance with any other relevant standards – for example, council policy and legal or professional standards and guidance.
5.5 In undertaking their work, internal auditors should have regard to:
· the purpose of internal auditing, and standards as set out in the GIAS (UK public sector) and reflected in this charter
· the codes of any professional bodies of which they are members
· standards of conduct expected by the council
· the Committee on Standards in Public Life’s Seven Principles of Public Life.
6 Organisational independence
6.1 It is the responsibility of corporate directors, directors, assistant directors, heads of service, and service managers to maintain effective systems of risk management, internal control, and governance. Auditors will have no responsibility for the implementation or operation of systems of control and will remain sufficiently independent of the activities audited to enable them to exercise objective professional judgement.
6.2 Audit advice and recommendations will be made without prejudice to the rights of internal audit to review and make further recommendations on relevant policies, procedures, controls and operations at a later date.
6.3 The Head of Internal Audit will put in place measures to ensure that individual auditors remain independent of areas they are auditing for example by:
· rotation of audit staff
· ensuring staff are not involved in auditing areas where they have recently been involved in operational management, or in providing consultancy and advice[5].
7 Accountability, reporting lines, and relationships
7.1 Internal audit services are provided under contract to the council by Veritau[6]. Staff undertaking internal audit work are employed directly by Veritau. The Director of Governance (Monitoring Officer) acts as client officer for the contract and is responsible for overall monitoring of the service.
7.2 In its role in providing an independent assurance service, Veritau has direct access to councillors and senior managers and can report uncensored to them as considered necessary. Such reports may be made to:
· Council, Executive, or any committee (including the Audit & Governance Committee)
· Chief Operating Officer
· Director of Governance (Monitoring Officer)
· Director of Finance (Section 151 Officer)
· Other corporate directors, directors, assistant directors, heads of service and service managers.
7.3 The Director of Finance (Section 151 Officer) has specific responsibilities for ensuring that the council has effective systems of risk management and internal control. The role includes a responsibility to ensure that the council has put in place arrangements for effective internal audit. In recognition of the importance of the relationship between the Director of Finance (Section 151 Officer) and internal audit (recognised in the standards), a protocol has been drawn up setting out the relationship between them. This is included in Appendix 1.
7.4 The Head of Internal Audit will report independently to the Audit & Governance Committee on:
· the proposed allocation of audit resources
· any significant risks and control issues identified through audit work
· their annual opinion on the council’s control environment.
7.5 The Head of Internal Audit will informally meet in private with the chair of the Audit & Governance Committee, or the committee as a whole, as required. Meetings may be requested by committee members or the Head of Internal Audit.
7.6 The Audit & Governance Committee will oversee (but not direct) the work of internal audit. This includes commenting on the scope of internal audit work and approving the internal audit work programme. The committee will also protect and promote the independence and rights of internal audit to enable it to conduct its work and report on its findings as necessary[7].
8 Fraud, consultancy services and non-audit services
8.1 The primary role of internal audit is to provide audit assurance services to the council. However, the service is also required to undertake fraud investigation and other consultancy work to add value and help improve governance, risk management and control arrangements.
8.2 The prevention and detection of fraud and corruption is the responsibility of corporate directors, directors, assistant directors, heads of service, and service managers. However, all instances of suspected fraud and corruption must be notified to Veritau, who will agree the course of action to be taken in consultation with the relevant senior officer and other advisors (for example, human resources). Where appropriate, cases of suspected fraud or corruption will be investigated by Veritau.
8.3 Veritau also carry out other consultancy related work where this is of value to the council. This is generally at the request of council officers. It includes, for example, advice on designing efficient and effective processes. The scope of consulting work will be agreed with the relevant corporate director or service manager. Consulting work will only be carried out where it represents good value, there are sufficient resources and skills within Veritau to undertake the work, and where it does not compromise the assurance role or the independence of internal audit. Details of all significant consultancy assignments completed will be reported to the Audit & Governance Committee.
8.4 Where Veritau provides non-audit services (for example information governance), appropriate safeguards will be put in place to ensure audit independence and objectivity are not compromised. These safeguards include the work being performed by a separate team with different line management arrangements. Separate reporting arrangements will also be maintained. The Head of Internal Audit will report any instances where audit independence or objectivity may be compromised to the Director of Finance (Section 151 Officer) and the Audit & Governance Committee. The Head of Internal Audit will also take steps to limit any actual or perceived impairment that might occur (for example, by arranging for the audit of these services or functional activities to be overseen externally).
9 Resourcing
9.1 As part of the audit planning process the Head of Internal Audit will review the resources available to internal audit, to ensure that they are appropriate and sufficient to meet the requirement to provide an opinion on the council’s control environment. Where resources are judged to be inadequate or insufficient, recommendations to address the shortfall will be made to the Director of Finance (Section 151 Officer) and to the Audit & Governance Committee.
10 Rights of access
10.1 To enable it to fulfil its responsibilities, the council gives internal auditors employed by Veritau the authority to:
· enter all council premises or land, at any reasonable time
· have access to all data, records, documents, correspondence, or other information - in whatever form - relating to the activities of the council
· have access to any assets of the council and to require any employee of the council to produce any assets under their control
· be able to require from any employee or councillor any information or explanation necessary for the purposes of audit.
10.2 Corporate directors, directors, assistant directors, heads of service, and service managers are responsible for ensuring that the rights of Veritau to access premises, records, and personnel are preserved, including where the council’s services are provided through partnership arrangements, contracts or other means.
11 Review
11.1 This charter will be reviewed periodically by the Head of Internal Audit. Any recommendations for change will be made to the Director of Finance (Section 151 Officer) and the Audit & Governance Committee, for approval.