CHECKLIST FOR ASSESSING CONFORMANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT STANDARDSAppendix 1
Ref / Conformance with the Standard / Y / P / N / Evidence1 / Definition of Internal Auditing
Using evidence gained from assessing conformance with otherStandards, is the internal audit activity:
a)Independent?
b) Objective? / / 1
Using evidence gained from assessing conformance with otherStandards, does the internal audit activity use a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes within the organisation? / / 2
2 / Code of Ethics
Integrity
Using evidence gained from assessing conformance with otherStandards, do internal auditors:
a) Perform their work with honesty, diligence and responsibility?
b) Observe the law and make disclosures expected by the law and theprofession?
c) Not knowingly partake in any illegal activity nor engage in acts thatare discreditable to the profession of internal auditing or to theorganisation?
d) Respect and contribute to the legitimate and ethical objectives of theorganisation? / / 3
Objectivity
Using evidence gained from assessing conformance with otherStandards, do internal auditors display objectivity by not:
a) Taking part in any activity or relationship that may impair or bepresumed to impair their unbiased assessment?
b) Accepting anything that may impair or be presumed to impair theirprofessional judgement?
c) Disclosing all material facts known to them that, if not disclosed, maydistort the reporting of activities under review? / / 4
Confidentiality
Using evidence gained from assessing conformance with otherStandards, do internal auditors display objectivity by:
a) Acting prudently when using information acquired in the course oftheir duties and protecting that information?
b) Not using information for any personal gain or in any manner thatwould be contrary to the law or detrimental to the legitimate and ethicalobjectives of the organisation? / / 5
Competency
Using evidence gained from assessing conformance with otherStandards, do internal auditors display objectivity by:
a)Only carrying out services for which they have the necessaryknowledge, skills and experience?
b) Performing services in accordance with the PSIAS?
c) Continually improving the proficiency and effectiveness and quality of their services, for example through CPD schemes? / / 6
Do internal auditors have regard to the Standards of Public Life’s Seven
Principles of Public Life? / / 7
Standards
3 / Attribute Standards
3.1 / 1000 Purpose, Authority and Responsibility
Does the internal audit charter include a formal definition of:
a) the purpose
b) the authority, and
c) the responsibility
of the internal audit activity consistent with the Public Sector Internal Audit Standards (PSIAS)? / / Included in Audit Charter reported to Audit Committee 23 Feb 2015 / 8
LGAN / Does the internal audit charter define the terms ‘board’ and ‘seniormanagement’, for the purposes of the internal audit activity?
Note that it is expected that the audit committee will fulfil the role of theboard in the majority of instances. / / Charter defines both these terms specifically. / 9
Does the internal audit charter also: / 10
a) Set out the internal audit activity’s position within the organisation? /
LGAN / b) Establish the CAE’s functional reporting relationship with the board? /
LGAN / c) Establish the accountability, reporting line and relationship between the CAE and those to whom the CAE may report administratively? /
LGAN / d) Establish the responsibility of the board and also the role of thestatutory officers (such as the CFO, the monitoring officer and the head of paid service) with regards to internal audit? /
LGAN / e) Establish internal audit’s right of access to all records, assets, personnel and premises and its authority to obtain such information andexplanations as it considers necessary to fulfil its responsibilities? /
LGAN / f) Define the scope of internal audit activities? /
LGAN / g) Recognise that internal audit’s remit extends to the entire controlenvironment of the organisation? /
h) Identify internal audit’s contribution to the review of effectiveness ofthe control environment, as set out in the Accounts and Audit (England) Regulations 2011? /
i) Establish the organisational independence of internal audit? / / Charter also refers to reporting independence
j) Cover the arrangements for appropriate resourcing? /
k) Define the role of internal audit in any fraud-related work? / / Also included in Counter Fraud Strategy
l) Set out the existing arrangements within the organisation’s anti-fraudand anti-corruption policies, to be notified of all suspected or detected fraud, corruption or impropriety? / / Also included in Counter Fraud Strategy
m) Include arrangements for avoiding conflicts of interest if internal auditundertakes non-audit activities? /
n) Define the nature of assurance services provided to the organisation, as well as assurances provided to parties external to the organisation? /
o) Define the nature of consulting services? /
p) Recognise the mandatory nature of the PSIAS? / / Included in Covering Report
Does the chief audit executive (CAE) periodically review the internalaudit charter and present it to senior management and the board for approval? / / Reviewed and updated annually and prepared alongside audit plan.
Audit Committee 24 February 2014
Audit Committee 23 February 2015 / 11
Does the CAE attend audit committee meetings? / / 12
Does the CAE contribute to audit committee agendas? / / CAE presents quarterly monitoring reports on Internal Audit activity, as well as the Annual Report. CAE also
includes items that may be of interest/ affect future role of Audit Committee e.g. Future of Local Audit / 13
3.2 / 1100 Independence and Objectivity
Does the CAE have direct and unrestricted access to senior management and the board? / / Yes as outlined in the Charter / 14
Does the CAE have free and unfettered access to, as well as communicate effectively with, the chief executive or equivalent and the chair of the audit committee? / / Yes as outlined in the Charter / 15
Are threats to objectivity identified and managed at the following levels:
a) Individual auditor? / / Auditors sign declaration of interest.
Auditors sign the Audit Code of Conduct annually which covers the need to make a balanced assessment. To be able to do that auditors should not:-
a)participate in any activity or relationship that would impair that unbiased attitude.
b)Accept anything that would impair their professional judgement.
c)Disclose all material facts that would distort any report. / 16
b) Engagement? / / Attempts to influence the outcome of individual engagements would be reported to Audit and Risk Manager/CAE for investigation.
At engagement level every effort is made to ensure that auditors do not audit an area of work for which they were previously responsible.
Also, where possible, audits are rotated.
Auditor findings and subsequent report are challenged at review stage by lead auditor/CAE.
c) Functional? / / Although CAE has overall responsibility for a number of finance/governance functions, CAE takes no part in those audits. Corporate Director Resources would agree scope/recommendations where there was any negative attempt to influence those audits by the CAE.
d) Organisation? / / Access to information/officers and reporting arrangements allow CAE access to all levels of senior management/members of Audit Committee/Leader of the Council and any external agency.
Although the audit plan is circulated amongst senior managers for comments there is no undue attempt to influence the frequency/timing of audits.
1110 Organisational Independence
Does the CAE report to an organisational level equal or higher to the corporate management team? / / Line manager is Corporate Director of Resources. Individual audit reports sent to corporate directors for information/action. / 17
LGAN / Does the CAE report to a level within the organisation that allows theinternal audit activity to fulfil its responsibilities? / / Individual engagement reports sent to corporate directors. CAE reports to, and attends Audit Committee. / 18
LGAN / Have reporting and management arrangements been put in place thatpreserve the CAE’s independence and objectivity?
This is of particular importance when the CAE is line managed byanother officer of the authority. / / Set out in charter. / 19
LGAN / Does the CAE’s position in the management structure:
a) Reflect the influence he or she has on the control environment?
b) Provide the CAE with sufficient status to ensure that audit plans, reports and action plans are discussed effectively with the board?
c) Ensure that he or she is sufficiently senior and independent to be ableto provide credibly constructive challenge to senior management? / / CAE reports on the entire control environment. Engagement reports are sent to appropriate Corporate Director and Head of Service as well as individual manager. Follow up work is undertaken to ensure agreed recommendations are implemented. If not an escalation procure is in place.
Results of audits are reported to Corporate Governance Group and Audit Committee. No interference with development of audit plan. / 20
Does the CAE confirm to the board, at least annually, that the internal audit activity is organisationally independent?
The following examples can be used by the CAE when assessing theorganisational independence of the internal audit activity:
The board:
a) approves the internal audit charter / / a)23 Feb 2015 / 21
b) approves the risk-based audit plan / / b)23 Feb 2015
c) approves the internal audit budget and resource plan / / c)Members approve the Council’s overall budget and attend budget briefings where they can challenge budget decisions. Internal Audit’s budget and resource plan is reported to Audit Committee at the same time as the Audit Plan is approved and have the opportunity to question the adequacy of the resources.
d)receives communications from the CAE on the activity’s performance / / d)Yes quarterly updates, annual report
e)approves decisions relating to the appointment and removal of the CAE / / e)Appointment and replacement decisions are reported to Audit Committee for
f) seeks reassurance from management and the CAE as to whetherthere are any inappropriate scope or resource limitations. / / f)23 Feb 2015 for CAE assurance
Does the chief executive or equivalent undertake, Countersign, contribute feedback to or review the performance appraisal of the CAE? / / Appraisal undertaken by Corporate Director of Resources. / 22
Is feedback sought from the chair of the audit committee for the CAE’s performance appraisal? / / Not at present, any issues would be raised by the chair, considering how this may be possible in the future. / 23
1111 Direct Interaction with the Board
Does the CAE communicate and interact directly with the board? / / Attends Audit Committee meetings / 24
1120 Individual Objectivity
Do internal auditors have an impartial, unbiased attitude? / / Auditors sign declaration of interest.
Auditors sign the Audit Code of Conduct which covers the need to make a balanced assessment. To be able to do that auditors should not:-
a)participate in any activity or relationship that would impair that unbiased attitude.
b)Accept anything that would impair their professional judgement.
c)Disclose all material facts that would distort any report. / 25
Do internal auditors avoid any conflict of interest, whether apparent or actual? / / Auditors sign declaration of interest.
Auditors sign the Audit Code of Conduct which covers the need to make a balanced assessment. To be able to do that auditors should not:-
a)participate in any activity or relationship that would impair that unbiased attitude.
b)Accept anything that would impair their professional judgement.
c)Disclose all material facts that would distort any report.
Work is assigned by audit managers with declarations of interest/ any previous conflicts etc. in mind. / 26
1130 Impairment to Independence or Objectivity
If there has been any real or apparent impairment of independence orobjectivity, has this been disclosed to appropriate parties (depending on the nature of the impairment and the relationship between the CAE andsenior management/the board as set out in the internal audit charter)? / / There have been no cases where there has been any impairment of independence or objectivity. In the event of any such impairment, such a disclosure would be made. / 27
Have internal auditors assessed specific operations for which they havebeen responsible within the previous year? / / All auditors have been in current post for 6+years therefore there could be no conflict of interest when undertaking an audit engagement. / 28
If there have been any assurance engagements in areas over which theCAE also has operational responsibility, have these engagements been overseen by someone outside of the internal audit activity? / / Only scored a partial on the grounds that current arrangements allow the Audit & Risk Manager to define scope and draft/agree recommendations without direct influence from CAE (albeit views are sought as with any head of service). Arrangements are in place to deal with any conflicts/disagreement between Audit & Risk Manager and CAE which would be used but it has not been necessary to date. / 29
LGAN / Are assignments for ongoing assurance engagements and other auditresponsibilities rotated periodically within the internal audit team? / / Internal Audit is a small team so will not always be possible to rotate especially where specialist skills are required, e.g. computer audits. / 30
LGAN / Have internal auditors declared interests in accordance with organisational requirements? / / Those involved in investigations complete the corporate form as well as the audit form. All auditors complete the audit form. / 31
LGAN / Where any internal auditor has accepted any gifts, hospitality, inducements or other benefits from employees, clients, suppliers orother third parties (other than as may be allowed by the organisation’sown policies), has this been declared and investigated fully? / / There has been no acceptance of gifts etc. to declare and therefore no instances to investigate. / 32
LGAN / Have any instances been discovered where an internal auditor has used information obtained during the course of duties for personal gain? / / There have been no instances where internal auditors have used information for personal gain. / 33
LGAN / Have internal auditors disclosed all material facts known to them which, if not disclosed, could distort their reports or conceal unlawful practice, subject to any confidentiality agreements? / / Some declarations have been made and these appear reasonable. / 34
LGAN / Have internal auditors complied with the Bribery Act 2010? / / Employee responsibilities under this Act is specifically referred to in the Employee Code of Conduct. This is also covered in the “Integrity” section of the Auditors Code of Conduct. / 35
If there has been any real or apparent impairment of independence orobjectivity relating to a proposed consulting services engagement, wasthis disclosed to the engagement client before the engagement was accepted? / / No consulting engagements have been undertaken. / 36
Where there have been significant additional consulting services agreedduring the year that were not already included in the audit plan, wasapproval sought from the board before the engagement was accepted? / / No consulting engagements have been undertaken. / 37
3.3 / 1200 Proficiency and Due Professional Care
1210 Proficiency
Does the CAE hold a professional qualification, such as CMIIA/CCAB or equivalent? / / CIPFA / 38
Is the CAE suitably experienced? / / Extensive experience in local government finance and audit / 39
LGAN / Is the CAE responsible for recruiting appropriate internal audit staff, in accordance with the organisation’s human resources processes? / / 40
LGAN / Does the CAE ensure that up-to-date job descriptions exist that reflectroles and responsibilities and that person specifications define therequired qualifications, competencies, skills, experience and personal attributes? / / Whilst job descriptions specifically may need updating we have a competency framework in place which identify specific roles which is assessed as part of the appraisal process. / 41
Does the internal audit activity collectively possess or obtain the skills, knowledge and other competencies required to perform itsresponsibilities? / / Competency Framework / 42
Where the internal audit activity does not possess the skills, knowledge and other competencies required to perform its responsibilities, does the CAE obtain competent advice and assistance? / / Currently no skill etc. shortages. If this was to occur a case would be made to HoS/Corporate director to obtain additional resources. / 43
Do internal auditors have sufficient knowledge to evaluate the risk offraud and anti-fraud arrangements in the organisation? / / Revised counter fraud strategy discussed at Audit team meeting 11th Feb 2014.
Identifying fraud risks was subject of a presentation during Internal Audit Training Day 4th December 2013.
Work Programmes-identify specific risks of fraud and testing to evaluate them. / 44
Do internal auditors have sufficient knowledge of key information technology risks and controls? / / Specific presentation at Internal Audit Training Day 4 December 2013. / 45
Do internal auditors have sufficient knowledge of the appropriatecomputer-assisted audit techniques that are available to them toperform their work, including data analysis techniques? / / Specific presentation at Internal Audit Training Day 4 December 2013. Auditors use IDEA software in the course of their audit work as and when appropriate. / 46
1220 Due Professional Care
Do internal auditors exercise due professional care by considering the: /
- Objectives are set out in the audit brief for each engagement. Work programmes are specific to each individual audit and identify the extent of testing to be undertaken, taking into account complexity, materiality, significance, adequacy and effectiveness of current arrangements, errors, fraud and non-compliance.
- The Audit Risk Assessment assesses each engagement and takes into account b) c) and d).
- Specific presentation on “Due Professional Care” at Training Day 4 December 2013.
- Auditors consider cost of assurance when making recommendations by linking actions with potential benefits.
- Consultation on audit plan helps to ensure that audit resources are targeted where greatest benefit occurs and prevents unnecessary audits.
a)Extent of work needed to achieve the engagement’s objectives? /
b) Relative complexity, materiality or significance of matters to which assurance procedures are applied? /
c) Adequacy and effectiveness of governance, risk management and control processes? /
d) Probability of significant errors, fraud, or non-compliance? /
e) Cost of assurance in relation to potential benefits? /
Do internal auditors exercise due professional care during a consultingengagement by considering the: