States Assembly | R-95-2015

The official version of this document can be found via the PDF button.

The below content has been automatically generated from the original PDF and some formatting may have been lost, therefore it should not be relied upon to extract citations or propose amendments.

PDF version

Comptroller and Auditor General Internal Audit Follow-up

27 August 2015

R.95/2015

Internal Audit: Follow-up July 2015

Introduction

Background

The operation of an effective internal audit function is a key part of the system of internal control of an organisation. It provides management with assurance about the design and operation of control, risk management and governance processes. In January 2014 the States of Jersey Internal Audit service adopted the Public Sector Internal Audit Standards (PSIAS) as a benchmark of good practice for the organisation and delivery of the internal audit service.
I reviewed Internal Audit's compliance against both the requirements of the standards and of Jersey legislation and issued a report detailing my findings and recommendations in March 2014. I identified that the Chief Internal Auditor, who was then newly in post, had begun to make changes to ensure compliance, but much more needed to be done. I recommended that a comprehensive review of current arrangements against relevant standards was undertaken, followed by the development of a detailed action plan, agreed with stakeholders. This was to ensure that appropriate changes were implemented and embedded in the work of Internal Audit going forward.

Objectives and scope of this review

This review evaluates the States' response to the recommendations made in my report on Internal Audit issued in March 2014. It focuses on:

the adequacy of the arrangements put in place to manage and monitor the implementation of the recommendations made by the Comptroller and Auditor General;
the extent to which the actions identified against each recommendation meet the intended purpose of the recommendation; and
the progress made in implementing agreed recommendations.

The review extends to all internal audit work undertaken, whether by the in-house team or the external provider. The review does not extend to the States' response to any additional recommendations made by the Public Accounts Committee in their follow up of my report.

In addition to recommendations this report contains areas for continuing management action relating to more detailed aspects of implementation.

Compliance with Public Sector Internal Audit Standards

Public Sector Internal Audit Standards (PSIAS) provide a recognised benchmark for securing a high quality internal audit service. In my previous report I identified many areas where full compliance had not been secured and made recommendations for improvement (Exhibit 1).

Exhibit 1: Previous findings on compliance with PSIAS

Public Sector Internal Audit Standard

Areas of non-compliance identified

Attributes (the characteristics of the internal audit providers)

Purpose, Authority and Responsibility
Independence and Objectivity
Proficiency and Due Professional Care
Quality Assurance and Improvement Programme
Managing the internal audit activity

Definition of the Board' or the senior management team' and clarity about who Internal Audit reports to on each specific area of responsibility

Independence and reporting lines of the Chief Internal Auditor Level of advisory work

Transparent risk-based process for annual Internal Audit

planning

Comprehensive quality framework

Performance (the nature of the internal audit activities)

Managing the internal audit activity
Nature of work
Engagement planning
Performing the engagement
Communicating results
Monitoring progress
Communicating the acceptance of risk

Utilising specialist information technology audit skills to address the significant risks in this area

Planning to address a number of specific areas of the PSIAS Mechanism for monitoring progress against Internal Audit recommendations

Identifying and escalating risks to the Corporate Management Board (CMB')

Source: Public Sector Internal Audit Standards (2012)

Good progress has been made in implementing the recommendations that I made in my previous report (see Exhibit 2).

Exhibit 2: Compliance with Public Sector Internal Audit Standards – response to recommendations

Rec No	Recommendation - 2014	Update – 2015	Status	Evaluation
1	Undertake a comprehensive assessment of Internal Audit against the PSIAS and prepare an improvement programme to address the gaps. Secure sign up from key stakeholders, including the Audit Committee and Chief Executive, to the improvement programme.	Internal Audit undertook a gap analysis against the PSIAS in April 2014 and updated it in December 2014. The Chief Internal Auditor developed a Quality Assurance Improvement Plan (QAIP) and presented it to the Audit Committee on 12 May 2014. The Audit Committee receives progress reports on the QAIP. In July 2015 the Audit Committee received the results of an independent review of Internal Audit's progress in complying with the PSIAS. The review concluded that: the self-assessment was rigorous, comprehensive and fair; significant progress has been made since the C&AG's report; and Internal Audit is not yet fully conformant with the PSIAS as new working practices still need to be embedded.	Implemented	A realistic and thorough assessment against PSIAS has been undertaken. This has driven a comprehensive improvement programme that is being implemented.
2	Review the role and accountability of Internal Audit in the context of the States' governance arrangements. Update the Internal Audit Charter in light of this analysis, including clearly identifying the Board' and senior management team'.	The Audit Committee has approved, in the context of the States of Jersey: an updated Internal Audit Charter including definitions of the Board' and senior management team'; and updated Audit Committee Terms of Reference reflecting the roles of the Board' and senior management team'.	Implemented	The role and accountability of Internal Audit has been reviewed and key documents updated. Promoting the purpose and understanding of the role of Internal Audit within the organisation is also supported by the new reporting arrangements of the Chief Internal Auditor, the more systematic approach to audit planning and the professionalisation of its work.
Rec No	Recommendation - 2014	Update – 2015	Status	Evaluation
3	Enhance the safeguards to preserve the independence of the Chief Internal Auditor, such as: giving the Chief Executive and Chair of the Audit Committee a formal role in the performance review of the Chief Internal Auditor; and routinely giving the Chief Internal Auditor the opportunity to meet with the Audit Committee without the Chief Executive or Treasurer of the States present.	Although still line-managed by the Treasurer of the States, the Chief Internal Auditor now reports jointly to the Chief Executive and Treasurer of the States on operational issues. The Chief Internal Auditor continues to have unfettered direct access to the Chief Executive Officer and the Audit Committee Chairman and meets with them on a regular basis. Arrangements to preserve the independence of the Chief Internal Auditor have been reported to the Audit Committee.	Partially Implemented	Changes have been made to safeguard against threats to the independence of the Chief Internal Auditor. However, no structural changes have been made: the new arrangements are not fully embedded and may not be resilient in the face of changes in key positions.
4	Ensure that all necessary assurance work is appropriately resourced before undertaking advisory work.	The Internal Audit Manual now sets out how the service will strike an appropriate balance between compliance and advisory work. The Manual states that no more than 15% of total internal audit resources should be devoted to advisory work. The 2015 Internal Audit plan includes 8% of audit days for planned advisory work. The Chief Internal Auditor has reported to the Audit Committee the required resources for assurance work and the priority given to it. The Chief Internal Auditor continues to monitor management requests for unplanned and reactive advisory work to ensure sufficient resources remain to complete planned assurance work.	Partially implemented	Revised arrangements limit the level of advisory work and therefore reduce the risk of necessary assurance work being displaced. However, the focus in the Audit Manual on a limit on the proportion of advisory work detracts from the underlying principle that all necessary assurance work is resourced before any resources are devoted to advisory work. Attainment of this overarching objective cannot be managed by monitoring percentages.
Rec No	Recommendation - 2014	Update – 2015	Status	Evaluation
5	Develop arrangements to identify the threats to Internal Audit independence arising from proposed Internal Audit advisory work and identify appropriate safeguards.	The Audit Manual now includes a requirement for consideration of threats and appropriate safeguards as part of the individual assignment planning process. All Internal Audit team members and external contractors are required to make an annual declaration of potential conflicts of interest and assignments are allocated from the internal audit work plan to staff who have no declared conflicts. The Chief Internal Auditor maintains a register of these declarations. Testing confirms that the arrangements are operating as designed.	Implemented	Arrangements are in place to identify threats to independence arising from individual pieces of advisory work. However, the register covered only threats arising from the personal circumstances of individual Internal Audit staff and did not extend to other threats and associated safeguards.
6	Adopt, apply and communicate a transparent risk assessment process to underpin the annual Internal Audit plan.	The Internal Audit Manual now addresses how the evaluation of risk should be applied within the planning process. The Audit Manual defines the scope of possible audit activity and risk (the audit universe) at a high level within the revised Internal Audit Manual. The Chief Internal Auditor recognises that further work is required to define the boundaries of the audit universe. The Audit Manual's requirements have been followed in developing the 2015 Internal Audit plan. However, in instances the linkage between the planning file and the finalised Internal Audit plan was difficult to follow.	Implementation in progress	The planning procedures set out in the Audit Manual provide a more transparent and systematic methodology for risk-based audit planning. There is scope for improved documentation of the link from the planning file to the finalised Internal Audit plan.
7	In preparing the annual Internal Audit plan and in undertaking individual pieces of Internal Audit work, explicitly consider whether all the areas specified in the PSIAS are covered.	The Internal Audit Manual now requires that Internal Audit plans include specific reference to the risk areas specified in the PSIAS. All audit compliance reviews included in the 2015 Internal Audit Plan refer to one or more of the risk areas specified in the PSIAS.	Implemented	The revised procedures provide increased confidence that Internal Audit work covers all areas specified in the PSIAS. Enhanced documentation would improve the ability to demonstrate that this requirement was consistently being met.
Rec No	Recommendation - 2014	Update – 2015	Status	Evaluation
		However individual audit files did not always document clearly linkages between audit risks identified, audit tests performed and audit opinions reached.
8	Develop a comprehensive quality framework; prioritise the finalisation of the Internal Audit Manual (including documentation of quality control arrangements); and develop robust arrangements for monitoring the performance of the external provider.	An Internal Audit Manual was issued in July 2014 and re-issued in July 2015 to incorporate changes recommended in the independent review of Internal Audit. The Manual includes details of the arrangements for quality assessment and contract management of the external supplier. The Chief Internal Auditor completed an annual assessment of the external audit provider's quality assurance arrangements in June 2015. Plans to develop the framework further are documented in the Quality Assurance Improvement Plan and monitored by the Audit Committee. Actions already taken or planned include: updating the Financial Direction for Internal Audit; updating the Chief Internal Auditor's job description to align with her responsibilities; developing key performance indicators for Internal Audit; staff training activities; file archiving; introducing time recording procedures; and reviewing the electronic audit documentation system.	Implementation in progress	Significant progress has been made in developing a comprehensive quality framework but arrangements are not yet fully developed or embedded.
Rec No	Recommendation - 2014	Update – 2015	Status	Evaluation
9	Establish areas where specialist skills are required to respond to risks and either develop or buy in those skills.	The Internal Audit Manual requires that the Internal Audit Plan includes an estimate of the resources required to deliver the proposed work, including an assessment of any specialist skills available. Such an estimate has been included in the 2015 Internal Audit Plan.	Implemented	Structured assessment of the need for specialist skills enhances the quality and impact of internal audit work.
10	Establish arrangements for testing whether Internal Audit recommendations have been implemented.	The Audit Manual sets out how the Internal Audit team will follow up recommendations made in previous audits. A one off project to follow up and test progress against previous years' recommendations has been undertaken. Progress on and results of the follow up work are reported to the Audit Committee. All prior year recommendations are being followed up and management assertions tested in accordance with Internal Audit's follow up strategy. Plans are in place routinely to monitor the implementation of Internal Audit recommendations in the future.	Implementation in progress	The value from internal audit work is secured in part through the implementation of recommendations. Internal Audit has now put appropriate arrangements in place to test whether recommendations are being implemented.
11	Establish formal arrangements for Internal Audit to identify and escalate to CMB risks accepted by management which may be unacceptable to the States.	The Chief Internal Auditor seeks to identify risks accepted by management through: risk-based audit planning; follow-up of previous recommendations; and monitoring exemptions from, and non- compliance with, Financial Directions. The Audit Manual provides for escalation of both rejected recommendations and recommendations the implementation of which is overdue where the Chief Internal Auditor judges the inherent risk to be material.	Implemented	Appropriate risk escalation arrangements are in place although they are not yet embedded.

Rec No

Recommendation - 2014

Update – 2015

Status

Evaluation

The Chief Internal Auditor escalates risks accepted by management that are material to the States of Jersey to the Treasurer of the States. If the Treasurer of the States accepts the risks, he escalates them to the Chief Executive. However, these arrangements were not set out in the Audit Manual.

Testing confirms that risks are being identified and appropriately escalated.

Sources: Review of documents, interviews and audit testing

Recommendations

R1 Embed arrangements to secure the operational independence of the Chief Internal Auditor through changes to the job

descriptions of the Chief Internal Auditor, Chief Executive and Treasurer of the States and, if deemed necessary, changes to legislation.

R2 Embed arrangements to ensure that all necessary assurance work is adequately resourced before consideration is given to

advisory work.

R3 Embed appropriate arrangements for monitoring of the quality of internal audit (whether provided in-house or outsourced),

including effective oversight by the Audit Committee of the implementation of the remaining elements of the Quality Improvement Programme.

Areas for management action

A1 Extend the register of threats and safeguards to cover threats to the independence of Internal Audit arising other than from

personal interests and relationships.

A2 Complete the work to improve the specification of the audit universe.

A3 Implement standards for the documentation of risks on the audit planning file and from the audit planning file to the annual

audit plan.

A4 Implement standards for the documentation of how audit work and audit opinions link to identified audit risks. A5 Monitor the effectiveness of arrangements for the escalation of risks accepted by management.

Compliance with legislation

Legislation imposes specific duties on the Chief Internal Auditor (see Exhibit 3).

Exhibit 3: Statutory duties of the Chief Internal Auditor

The chief internal auditor must carry out an internal audit of the transactions and internal controls and systems of each States funded body to ensure that the finances of the States are regulated, controlled and supervised in accordance with this Law.
The times and frequency of those audits shall be determined by the chief internal auditor with the agreement of the Treasurer.
However the chief internal auditor may carry out such an audit of the Treasury at any time.

Source: Article 36, Public Finances (Jersey) Law 2005

In my previous report I concluded that it was not clear how the internal audit work undertaken was specifically directed to providing assurance on regulation, control and supervision of public finances in accordance with legislation. Subsequently, good progress has been made on implementing the recommendation I made.
In Exhibit 4 I evaluate the steps taken and planned in response to the recommendation in my report.

Exhibit 4: Compliance with legislation – response to recommendations

Rec No

Recommendation - 2014

Update – 2015

Status

Evaluation

Ensure that the annual Internal Audit plan and individual pieces of audit work demonstrate how internal audit work is directed to providing assurance that the regulation, control and supervision of the States' finances is in accordance with legislation.

The Internal Audit Manual recognises the statutory duties of the Chief Internal Auditor.

The statutory duties of the Chief Internal Auditor were considered as part of the 2015 audit planning process.

The 2015 audit plan identified individual audit assignments that cover the relevant aspects of the Chief Internal Auditor's statutory duties. However, the linkage on audit files from the audit objectives to individual audit tests is not always as clear as it could be.

Implemented

The Chief Internal Auditor is now able to demonstrate how she discharges her statutory duties.

There is, however, scope for improved documentation.

Area for management action

A6 Implement standards for the documentation of the linkage of audit work to the statutory objectives of the Chief Internal

Auditor.

Conclusion

Internal Audit is a key tool of management in providing assurance on the design and operation of its system of internal control and in supporting change. My previous report identified a significant gap between the arrangements in place within the States and recognised professional good practice. I set out a demanding agenda for change.
I am impressed by the response to my previous report. There has been an honest acceptance of the need for change and my report has been used as a catalyst for that change. Most of my recommendations have been implemented in full. In other areas, recognising the timescales necessary to embed real change, substantial progress has been made and implementation is on track.
A more professional, higher quality and more incisive Internal Audit function is vital as the States embarks on a programme of reform and retrenchment. The States is on the way to securing the Internal Audit it needs.

Appendix 1: Summary of Recommendations

R1 Embed arrangements to secure the operational independence of the Chief Internal Auditor through changes to the job

descriptions of the Chief Internal Auditor, Chief Executive and Treasurer of the States and, if deemed necessary, changes to legislation.

R2 Embed arrangements to ensure that all necessary assurance work is adequately resourced before consideration is given to

advisory work.

R3 Embed appropriate arrangements for monitoring of the quality of internal audit (whether provided in-house or outsourced),

including effective oversight by the Audit Committee of the implementation of the remaining elements of the Quality Improvement Programme.

Appendix 2: Summary - Areas for management action

A1 Extend the register of threats and safeguards to cover threats to the independence of Internal Audit arising other than from

personal interests and relationships.

A2 Complete the work to improve the specification of the audit universe.

A3 Implement standards for the documentation of risks on the audit planning file and from the audit planning file to the annual

audit plan.

A4 Implement standards for the documentation of how audit work and audit opinions link to identified audit risks.

A5 Monitor the effectiveness of arrangements for the escalation of risks accepted by management.

A6 Implement standards for the documentation of the linkage of audit work to the statutory objectives of the Chief Internal

Auditor.

KAREN McCONNELL COMPTROLLER and AUDITOR GENERAL

JERSEY AUDIT OFFICE, LINCOLN CHAMBERS (1ST FLOOR), 31 BROAD STREET, ST HELIER, JE2 3RR

T: 00 44 1534 716800 E: enquiries@jerseyauditoffice.je W: www.jerseyauditoffice.je