Comptroller & Auditor General Review of Internal Audit
21 March 2014
R.36/2014
Introduction
- Responsibilities for financial management and financial reporting within the States of Jersey ('the States') are complex:
- The Chief Executive of the Chief Minister's Department is responsible for preparing a Governance Statement detailing the system of internal control for the States as a whole;
- Individual Accounting Officers have responsibility for the system of internal control and transactions of the bodies for which they are responsible;
- The Minister for Treasury and Resources is responsible for the preparation of financial statements of the States; and
- The Treasurer of the States has a statutory duty to ensure the proper stewardship and administration of the public finances of Jersey.
The operation of an effective internal audit function is a key part of the system of internal control of an organisation. It provides management with assurance about the design and operation of control, risk management and governance processes.
- The Public Finances (Jersey) Law 2005 establishes the office of Chief Internal Auditor. The Law requires the Chief Internal Auditor to undertake a programme of work to provide assurance that the finances of the States are regulated, controlled and supervised in accordance with legislation.
- Internal Audit is undertaken, under the supervision of the Chief Internal Auditor, partly by an in-house team and partly by a professional accountancy firm under the direction and control of the Chief Internal Auditor.
- In 2012, public sector internal audit standard setters in the United Kingdom issued Public Sector Internal Audit Standards (PSIAS) for adoption from 1 April 2013. The States of Jersey voluntarily adopted the Standards from 1 January 2013 and reported compliance with the Standards in the annual Internal Audit report issued in January 2014.
Objectives and scope of this review
- The objectives of the review are to:
- assess the framework for internal audit within the States; and
- assess the internal audit work of both the in-house team and the external provider
against:
- the requirements of Public Sector Internal Audit Standards; and
- the requirements of legislation.
- This report focuses on the most significant issues arising from the review. Detailed findings have been discussed with the States Treasurer, Chief Internal Auditor and Chief Executive.
Background
- Internal Audit has undergone a period of change: there have been three Chief Internal Auditors over the last two years and a shift of work away from the external provider towards the in-house team.
- Steps have been taken to develop the Internal Audit function:
- an Internal Audit Charter has been prepared;
- there has been a strong focus on developing relationships with States funded bodies subject to review;
- Internal Audit protocols have been developed; and
- there has been a commitment to adopt the Public Sector Internal Audit Standards.
Compliance with Public Sector Internal Audit Standards
- The Public Sector Internal Audit Standards (PSIAS) cover eleven key areas for the 'attributes' of internal audit (the characteristics of the internal audit providers) and the 'performance' of internal audit (the nature of the internal audit activities).
Exhibit 1: Public Sector Internal Audit Standards
Attributes | Purpose, Authority and Responsibility |
| Independence and Objectivity |
| Proficiency and Due Professional Care |
| Quality Assurance and Improvement Programme |
Performance | Managing the internal audit activity |
| Nature of work |
| Engagement planning |
| Performing the engagement |
| Communicating results |
| Monitoring progress |
| Communicating the acceptance of risk |
Source: Public Sector Internal Audit Standards (2012)
- The States of Jersey adopted the PSIAS without a comprehensive self-assessment against the Standards or an effective action plan to put in place the arrangements to secure compliance.
- Whilst the Chief Internal Auditor has made progress in developing arrangements over the last few months, it is vital that revised arrangements are embedded to secure real change. A clear improvement programme, based on a comprehensive analysis of the PSIAS and endorsed by all key stakeholders would provide a strong foundation for development of the Internal Audit function.
- My analysis has highlighted a number of areas where the States did not comply fully with the Standards.
Exhibit 2: Key areas of non-compliance with Public Sector Internal Audit Standards
Area of non-compliance | Implication |
The Internal Audit Charter, which sets out the purpose, authority and responsibility of Internal Audit, does not define either the 'Board' or the 'senior management team' as required by PSIAS. | There is a lack of clarity about who Internal Audit reports to on each specific area of responsibility. The analysis and subsequent agreement of Internal Audit reporting lines is particularly important in the context of the complex governance arrangements within the States, with responsibilities vested in Ministers, the States Treasurer, the Chief Executive, individual Accounting Officers and the Audit Committee. |
The independence of the Chief Internal Auditor is strengthened by their statutory power to determine the nature and timing of Internal Audit work in the States Treasury without the consent of the States Treasurer. However, there remain insufficient checks and balances on the role of the States Treasurer as line manager of the Chief Internal Auditor. For example:
| There remain potential threats to the independence of the Chief Internal Auditor that might impede their ability to plan, undertake and report audit work without fear or favour. |
Although in its 2014 plan under 10% of Internal Audit work is advisory, from 2012 to 2013 nearly half of work was advisory rather than assurance. | Whilst advisory work provides potentially valuable aid to management, the volume of advisory work means that there is a risk that: insufficient assurance work is undertaken to evaluate risks to the States; and insufficient assurance work is undertaken to inform the Chief Internal Auditor's annual opinion. |
There are arrangements in place for identifying threats to independence arising from personal relationships. However, threats to independence can arise from Internal Audit undertaking advisory work. Internal Audit can provide valuable insights when a new system is being implemented. However if, for example, Internal Audit designs systems subsequently subject to review as part of its assurance work, there are threats to its independence. Embedded arrangements are not in place to consider threats to the Internal Audit function arising from the nature of advisory work undertaken by it (as opposed to personal relationships) and the adequacy of safeguards. | There is a risk that advisory work is undertaken which compromises the independence of Internal Audit when undertaking its assurance role. As a result there is an increased risk that the Chief Internal Auditor's annual opinion may not be seen as providing independent assurance to management. |
There is no explicit, transparent process for annual Internal Audit planning. The key to this is identifying the risks relevant to the design and operation of control, risk management and governance processes and developing an audit programme that demonstrates how it addresses those risks. | There is an increased risk that:
|
A number of the areas for Internal Audit specified in the PSIAS have not explicitly been considered by Internal Audit. | There is an increased risk that Internal Audit's work programme does not adequately address areas relevant to the design and operation of controls, risk management and governance processes. |
Whilst the external provider has its own comprehensive quality framework, the Chief Internal Auditor has yet to develop a comprehensive quality framework. For example, no timetable has been set for the finalisation of the Internal Audit Manual (including documentation of quality control arrangements) and robust arrangements for the management of the contract with the external provider have yet to be fully developed. | There is an increased risk that Internal Audit's work may not be performed proficiently and with due professional care. |
Whilst Internal Audit utilises specialist skills on contract audit, it does not adequately utilise specialist information technology audit skills to address the significant risks in this area. | There is an increased risk that Internal Audit does not adequately address risks relevant to its responsibilities. |
The mechanism for monitoring progress against Internal Audit recommendations has been undeveloped. It has placed inappropriate reliance on representations by management. | There is an increased risk that non-implementation of Internal Audit recommendations is not identified and the impact evaluated. |
Arrangements in place for Internal Audit to identify and escalate risks to the Corporate Management Board ('CMB') where management has accepted risks which may be unacceptable to the States are not developed. | There is an increased risk that States funded bodies take significant risks without the knowledge of senior management. |
R1 Undertake a comprehensive assessment of Internal Audit against the PSIAS and prepare an improvement programme to address the gaps. Secure sign up from key stakeholders, including the Audit Committee and Chief Executive, to the improvement programme.
R2 Review the role and accountability of Internal Audit in the context of the States' governance arrangements. Update the Internal Audit Charter in light of this analysis, including by clearly identifying the 'Board' and 'senior management team'.
R3 Enhance the safeguards to preserve the independence of the Chief Internal Auditor, such as:
- giving the Chief Executive and Chair of the Audit Committee a formal role in the performance review of the Chief Internal Auditor; and
- routinely giving the Chief Internal Auditor the opportunity to meet with the Audit Committee without the Chief Executive or Treasurer of the States present.
R4 Ensure that all necessary assurance work is appropriately resourced before undertaking advisory work.
R5 Develop arrangements to identify the threats to Internal Audit independence arising from proposed Internal Audit advisory work and identify appropriate safeguards.
R6 Adopt, apply and communicate a transparent risk assessment process to underpin the annual Internal Audit plan.
R7 In preparing the annual Internal Audit plan and in undertaking individual pieces of Internal Audit work, explicitly consider whether all the areas specified in the PSIAS are covered.
R8 Develop a comprehensive quality framework; prioritise the finalisation of the Internal Audit Manual (including documentation of quality control arrangements); and develop robust arrangements for monitoring the performance of the external provider.
R9 Establish areas where specialist skills are required to respond to risks and either develop or buy in those skills.
R10 Establish arrangements for testing whether Internal Audit recommendations have been implemented.
R11 Establish formal arrangements for Internal Audit to identify and escalate to CMB risks accepted by management which may be unacceptable to the States.
Compliance with legislation
- Article 36 of the Public Finances (Jersey) Law 2005 provides that:
- The chief internal auditor must carry out an internal audit of the transactions and internal controls and systems of each States funded body to ensure that the finances of the States are regulated, controlled and supervised in accordance with this Law.
- The times and frequency of those audits shall be determined by the chief internal auditor with the agreement of the Treasurer.
- However the chief internal auditor may carry out such an audit of the Treasury at any time.
- The Chief Internal Auditor's annual plan covers all departments of the States. However, it is not clear from the audit plan or individual pieces of Internal Audit work how the internal audit work undertaken is specifically directed to providing assurance as to regulation, control and supervision in accordance with the Public Finances (Jersey) Law 2005.
R12 Ensure that the annual Internal Audit plan and individual pieces of audit work demonstrate how internal audit work is directed to providing assurance that the regulation, control and supervision of the States' finances is in accordance with legislation.
Appendix 1: Summary of Recommendations
R1 Undertake a comprehensive assessment of Internal Audit against the PSIAS and prepare an improvement programme to address the gaps. Secure sign up from key stakeholders, including the Audit Committee and Chief Executive, to the improvement programme.
R2 Review the role and accountability of Internal Audit in the context of the States' governance arrangements. Update the Internal Audit Charter in light of this analysis, including by clearly identifying the 'Board' and 'senior management team'.
R3 Enhance the safeguards to preserve the independence of the Chief Internal Auditor, such as:
- giving the Chief Executive and Chair of the Audit Committee a formal role in the performance review of the Chief Internal Auditor; and
- routinely giving the Chief Internal Auditor the opportunity to meet with the Audit Committee without the Chief Executive or Treasurer of the States present.
R4 Ensure that all necessary assurance work is appropriately resourced before undertaking advisory work.
R5 Develop arrangements to identify the threats to Internal Audit independence arising from proposed Internal Audit advisory work and identify appropriate safeguards.
R6 Adopt, apply and communicate a transparent risk assessment process to underpin the annual Internal Audit plan.
R7 In preparing the annual Internal Audit plan and in undertaking individual pieces of Internal Audit work, explicitly consider whether all the areas specified in the PSIAS are covered.
R8 Develop a comprehensive quality framework; prioritise the finalisation of the Internal Audit Manual (including documentation of quality control arrangements); and develop robust arrangements for monitoring the performance of the external provider.
R9 Establish areas where specialist skills are required to respond to risks and either develop or buy in those skills.
R10 Establish arrangements for testing whether Internal Audit recommendations have been implemented.
R11 Establish formal arrangements for Internal Audit to identify and escalate to CMB risks accepted by management which may be unacceptable to the States.
R12 Ensure that the annual Internal Audit plan and individual pieces of audit work demonstrate how internal audit work is directed to providing assurance that the regulation, control and supervision of the States' finances is in accordance with legislation.
KAREN McConnell COMPTROLLER & AUDITOR GENERAL
LINCOLN CHAMBERS (1ST FLOOR), 31 BROAD STREET, ST HELIER, JE2 3RR
T: + 44 1534 716800 E: enquiries@jerseyauditoffice.je W: www.jerseyauditoffice.je