
Internal Audit-Report-24 September 2014


Public Accounts Committee

Internal Audit

Following Up the Report of the Comptroller and Auditor General

Presented to the States on 24th September 2014.

PAC.3/2014

Contents

Chairman's Foreword
Key Findings
Recommendations

  1. Introduction
  2. The Purpose and Operation of Internal Audit
  3. The Response to the C&AG's Recommendations
  4. Public Hearings
  5. Conclusion

Appendix 1: R.36/2014 - Response of the Treasury and Resources Department
Appendix 2: Committee Membership
Appendix 3: Terms of Reference

Chairman's Foreword

I suspect that no author of a report on the subject of internal audit has ever believed that their publication might become a best-seller. On that basis I was not surprised that the Comptroller and Auditor General's publication of a report on the States of Jersey's internal audit function back in March of this year passed with relatively limited public comment. For PAC, however, the report was very significant indeed. We thought that this was possibly the first ever independent review of the internal audit function.

Any organisation of comparable size and complexity to the States of Jersey will always struggle to deliver for its customers unless it has an effective internal audit function. The performance of internal audit is, and will continue to be, key to the success of the public sector reform programme and the securing of value for money for the public.

PAC was most concerned to read that the C&AG had found some significant issues in this area. Having followed up with an investigation of our own, we retain those concerns.

The findings and recommendations in this report speak for themselves and I do not intend to repeat them here. What is important now is that those concerned with the internal audit function consider this report objectively and respond constructively and with some urgency.

In closing, I wish to thank all those who have contributed to this review.

Deputy T.A. Vallois, Chairman

Key Findings

  1. There needs to be greater clarity and understanding within the organisation as to the purpose of internal audit.
  2. The Treasury and Resources Department adopted the Public Sector Internal Audit Standards without first conducting a proper gap analysis to confirm the existing status of the organisation and determine the extent of improvements required.
  3. The lack of a proper gap analysis contributed to the erroneous reporting to the States of Jersey Audit Committee of compliance with the Public Sector Internal Audit Standards.
  4. The States of Jersey has much more to do to achieve and maintain an effective corporate risk management framework.
  5. The Internal Audit function has yet to implement a fully risk-based approach to audit planning.
  6. The States of Jersey governance framework is not yet properly aligned with the Public Sector Internal Audit Standards.
  7. Neither the Chief Executive nor the Treasurer of the States should be fully satisfied that the Internal Audit function is fulfilling its statutory duties.

Recommendations

  1. The Chief Executive should, by the end of February 2015, submit a report to the PAC explaining how the Corporate Management Board has prioritised the achievement of a robust corporate risk management framework. (page 18)
  2. The Chief Internal Auditor must apply a fully risk-based approach to the development of the Internal Audit Plan 2015, as per the commitment made in the updated Internal Audit Charter. (page 19)
  3. The Chief Minister and the Chief Executive should, within 6 months, give serious consideration to the matter of whether the Chief Internal Auditor should continue to report to the Treasurer of the States and, if deemed appropriate, lodge 'au Greffe' a suitable amendment to the Public Finances (Jersey) Law 2005. (page 24)
  4. The Chief Executive, the Treasurer of the States and the Chief Internal Auditor should, within the next 3 months, revisit the definition of the Board and Senior Management Team in the Internal Audit Charter to ensure they adequately reflect the role and accountability of Internal Audit in the context of the complex governance arrangements of the States. (page 26)

1 Introduction

  1. During March 2014, the C&AG completed a review of the States of Jersey internal audit function.[1] The review assessed both the internal audit framework and the work of both the in-house internal audit team and the external provider against –
  1. The C&AG's report identified 10 specific areas of non-compliance with the PSIAS and stopped short of confirming that the internal audit function was achieving full compliance with Article 36(1) of the Public Finances (Jersey) Law 2005. Twelve recommendations were made to address the most significant issues identified during the course of the review.
  2. Having considered the C&AG's report, we resolved to follow up by considering the Executive response to the 12 recommendations made. We then held a series of public hearings on 2nd June 2014, during which we invited the Chief Executive, the Treasurer of the States and the Chief Internal Auditor to comment on the following in the context of R.36/2014 –
  • the purpose and coverage of Internal Audit,
  • statutory requirements,
  • the reporting lines of the Chief Internal Auditor, and
  • quality.

2 The Purpose and Operation of Internal Audit

  1. The PSIAS define the purpose of the internal audit function as follows –

'Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.'

  1. The Public Finances (Jersey) Law 2005, which regulates the administration of the public finances of Jersey, gives the States of Jersey Internal Audit function a statutory basis. Article 35 of the Law establishes the office of Chief Internal Auditor, while Article 36 requires the post holder to -

'... carry out an internal audit of the transactions and internal controls and systems of each States funded body to ensure that the finances of the States are regulated, controlled and supervised in accordance with [the Public Finances (Jersey) Law 2005].'

  1. The Chief Internal Auditor calls upon a small internal team and the services of an external provider to assist them in the execution of their statutory duty. During 2013 the balance of work was adjusted, such that a greater proportion was carried out internally.
  2. Reporting arrangements for internal audit are described in Financial Direction 11.1. The Financial Direction repeats that internal audit is a function of the Treasury and Resources Department and confirms that the Chief Internal Auditor is accountable to the Treasurer of the States 'for the efficient and effective operation of the internal audit function.' On the question of independence, the Financial Direction states, somewhat vaguely, that the Chief Internal Auditor enjoys direct access to the Chief Executive and the Chair and members of the Audit Committee in appropriate circumstances.'
  1. The standards that Internal Audit is to meet were revised in January 2013, when the decision was taken within the Treasury and Resources Department that Internal Audit should comply with the PSIAS.

3 The Response to the C&AG's Recommendations

  1. Given that the C&AG's report had stopped short of confirming that the internal audit function was achieving full compliance with Article 36(1) of the Public Finances (Jersey) Law 2005 and that the report identified specific areas of non-compliance with the PSIAS, we sought confirmation of the remedial action being taken by the Executive.
  2. In May 2014 we received from the Treasury and Resources Department a copy of its response to the C&AG's report (see Appendix 1). The response declared that the 12 recommendations in R.36/2014 were either accepted or, in the case of recommendations 3, 5, 6 and 11, that appropriate measures were already in place but controls would be reviewed and strengthened. An action plan to implement the outstanding recommendations was supplied. Certain clarifications and points of detail within this positive response nevertheless gave us cause for concern.
  3. Recommendation 1 had been accepted on the premise that the PSIAS-focussed gap analysis and corresponding action plan completed during 2013 were already comprehensive and had been strengthened further following receipt of the C&AG's report. This was, in our view, a counterintuitive premise. At the end of 2013, the Audit Committee had been advised that PSIAS had been adopted, yet R.36/2014 subsequently described 10 key areas of non-compliance. The Treasury response of May 2014 confirmed a new PSIAS adoption date of 1st July 2014, with the aim of achieving compliance by December 2014, by which point a new audit manual would have been produced. This restarting of the process would not have been necessary had the original gap analysis and action plan been comprehensive.
  4. The response to Recommendation 2 indicated that the process of aligning the PSIAS with the relatively unique structure, operation and governance arrangements of the States of Jersey had been less than straightforward. The Corporate Management Board (CMB) had effectively been charged with the dual role of 'board' and 'senior management team,' with the Audit Committee performing a supporting assurance role. This arrangement invited questions as to precisely what audit matters were to be reported to which team and for what purpose.
  1. Further to the above, the updated Internal Audit Charter included descriptions of the role of Scrutiny and the Public Accounts Committee that were not strictly correct. The role of the PAC in particular had been materially narrowed. There was no recognition of Standing Order 132(1)(c), which allows the Committee to initiate reviews on topics other than those on which the C&AG has reported.
  2. Recommendation 6 had concerned the adoption, application and communication of a transparent risk assessment process to underpin the annual internal audit plan. The response suggested that the production of an audit manual and a follow-up review would be sufficient to supplement existing arrangements, which already involved –
  1. a review of departmental risk registers and meetings between the Chief Internal Auditor and departmental chief officers to discuss where internal audit could assist their department, and
  2. a review of the resulting draft internal audit plan by the Finance Advisory Board, the Corporate Management Board, the Chief Executive, States of Jersey and the Audit Committee.
  1. This response stopped short of offering evidence that risk-based planning was both fully understood and was actively being applied. It suggested instead that tighter instructions to further embed existing practices would be sufficient. In contrast, our provisional view was that the existing practices were themselves less than strong and that further embedding risked aggravating the problem.
  2. We noted that Recommendation 8 had been accepted primarily on the basis of work that would be undertaken to produce a new audit manual in accordance with Recommendation 1. We suspected that, as had been the case prior to the premature claim of PSIAS adoption made in January 2014, the scope of work required to move beyond production of the manual and implement suitable quality control arrangements had been underestimated.

4 Public Hearings

  1. On 2nd June 2014 we held a series of public hearings with the Chief Executive, the Treasurer of the States and the Chief Internal Auditor to test our emerging concerns in respect of the Treasury response to R.36/2014.
  2. Having considered the answers received during those hearings alongside the earlier Treasury response and with reference to the C&AG's report, we have drawn conclusions in 4 areas.

Statutory Requirements

  1. The Public Finances (Jersey) Law 2005 stipulates that the Treasurer of the States has ultimate responsibility for the proper stewardship and administration of the public finances of Jersey.
  2. Although the Treasurer of the States explained to us how she endeavoured to satisfy herself that Internal Audit fulfilled its statutory duties, we consider that her explanation stopped short of providing firm evidence that compliance with the Law was achieved.
  3. The Treasurer advised us that she sought assurance regarding Internal Audit in both informal and formal ways. Informal methods included –
  • individual quarterly meetings with departmental Accounting Officers and Finance Directors, with the Chief Internal Auditor in attendance, and
  • feedback from departmental Accounting Officers and Finance Directors regarding the quality of internal audit reports.
  1. At the formal level, the Treasurer sought to maintain an appropriate audit framework that supported the development of a similarly appropriate audit plan, based on input from all individual chief officers and other relevant parties. Decisions to increase the internal capacity of the Internal Audit function and to endorse the adoption of the PSIAS were made by the Treasurer to achieve a strengthening of that audit framework, whilst also achieving a saving in the overall cost of the function. Internal audit could develop improved knowledge of the organisation, which would in turn help to increase departmental confidence in the Internal Audit function.
  1. The Chief Executive engages with Internal Audit because of his overall responsibility for the administration and general management of the public service. He also has an Accounting Officer duty in respect of the Chief Minister's Department. Both the Chief Executive and the Treasurer of the States sign off the States of Jersey Governance Statement.[3] On that basis, the Chief Executive requires assurance in respect of Internal Audit.
  2. The Chief Executive advised us that, in practice, he sought assurance via his contribution to the development of the internal audit plan and through responding positively, in conjunction with the Audit Committee, to the findings contained in each individual internal audit report.
  3. For the reasons outlined below, we consider that both the audit plan and the framework within which it is developed and executed need significant further work.

The Purpose and Coverage of Internal Audit

  1. We identify a lack of clarity as to the purpose of internal audit in the States of Jersey and weaknesses in the processes that determine the coverage of internal audit work.
  2. Whether the States of Jersey approach aligns with the PSIAS definition of internal audit can be evidenced by the balance of internal audit plans and the methodology for their development.
  1. Turning first to the issue of balance, we note that the balance of the internal audit plan for 2013 was recorded as a broadly even split between advisory and assurance work. In contrast, the internal audit plan 2014 had been balanced firmly in favour of assurance work. This was, in our view, a positive development, albeit that we detected signs of an ongoing appetite for advisory work.
  2. Accepting that the PSIAS allow for both advisory and assurance work within the Internal Audit plan, Article 36 of the Public Finances Law confirms the relative importance of the assurance function. The precise percentage split between advisory and assurance work is rather less important than the degree of understanding within the internal audit function as to how independence is maintained when conducting advisory work. An internal audit function should not, for example, be actively involved in the design of the very internal controls that it must later report upon.
  3. The Treasurer advised us that she sought to increase departmental confidence in the Internal Audit, such that there might be an increased tendency for departments to approach it for advice.[4] The Chief Internal Auditor told us that whereas most planned audit work for 2014 was to be compliance focussed, there was capacity for additional reviews to be undertaken on request and, moreover, that requests for advisory reviews were being accepted. This indicated some potential for the balance of work to shift from the declared position, with potential consequences for the evidence base for the Chief Internal Auditor's annual opinion.
  4. Regarding the development of the plan, the job of Internal Audit is made easier if a sound risk management framework exists within the organisation. In this regard, there is work to be done.
  5. The Chief Executive submitted that the process for 2014 was underpinned by an outline risk framework with which all chief officers were required to comply. He nevertheless agreed with the Treasurer of the States and the Chief Internal Auditor that the corporate framework was a work in progress. The Chief Executive also acknowledged that the historical focus had been on individual departments developing, maintaining and updating their own risk registers. We inferred from this answer that certain high level factors, such as the overall population size and its consequent impact on demand for public services, were not being fully assessed in a coordinated way.
  1. External consultants have now been engaged to review the robustness of the corporate risk management framework and to report by September 2014. The consultants are to advise on -

'...where the corporate risks are for the States of Jersey, where the corporate risk register sits. Looking at previous work done on business continuity, on health and safety.'[5]

It is possible, therefore, that the Internal Audit function may be better placed to develop its audit plan in 2015.

Recommendation 1: The Chief Executive should, by the end of February 2015, submit a report to the PAC explaining how the Corporate Management Board has prioritised the achievement of a robust corporate risk management framework.

  1. We considered whether Internal Audit was able to compile an effective risk-based plan for 2014 in the apparent absence of a well-developed corporate risk management framework. The Chief Executive described to us a process that built in some of the risks identified in the corporate risk register, together with a selection of specific departmental areas identified via business plans. For their part, both the Treasurer of the States and the Chief Internal Auditor maintained that the plan had taken into consideration legal obligations, key transactions, input from accounting officers, size of budgets and matters raised by States auditors PwC. Although these were relevant individual considerations, nothing we heard from the Chief Internal Auditor gave us confidence that they were being factored into a systematic formal methodology. The above perhaps explains why the Chief Executive felt unable to confirm that the internal audit plan 2014 addressed each of the major risks facing the States of Jersey.[6]
  1. As in previous years, the Audit Committee was engaged in the development of the internal audit plan for 2014. A draft plan was presented to the Audit Committee in November 2013 for consideration and comment. An accompanying resourcing methodology statement recorded that the plan was intended to encompass a significant range' of key corporate risks. It nevertheless stopped short of offering a clear statement of major audit risks in relation to Internal Audit responsibilities.
  2. According to the recently updated Internal Audit Charter, future internal audit plans will be devised using a risk-based approach. The external consultant's report on corporate risk management should provide Internal Audit with a better basis on which to implement such an approach in future. In order for this significant change in approach to happen in time to affect the 2015 internal audit plan, the Chief Internal Auditor and other officers concerned with the internal audit function will need to learn constructively from the report and demonstrate swift and effective application of that learning.

Recommendation 2: The Chief Internal Auditor must apply a fully risk-based approach to the development of the Internal Audit Plan 2015, as per the commitment made in the updated Internal Audit Charter.

Quality

  1. In January 2014 the Audit Committee received the 2013 annual report prepared by the Chief Internal Auditor. Whereas the report stated that the States of Jersey had adopted the PSIAS, the subsequent report by the C&AG revealed that this had been a less than accurate account of the position.
  2. When we invited the Chief Internal Auditor to comment on the account given to the Audit Committee at the beginning of the year, we were simply advised that the Audit Committee had been briefed in May 2014 regarding an updated Quality Assurance and Improvement Programme, the updates having been prompted by the C&AG's report. When we asked the Chief Executive to comment, he submitted that there had been a genuine mistake. R.36/2014 had helpfully identified some gaps' that had hitherto not been spotted. The Treasurer of the States, however, was rather more candid –

'Did we do a "how high could we jump" before we set the bar? No, I do not think we did.'[7]

  1. A flawed gap analysis had, according to the Treasurer of the States, resulted in a shortfall in understanding as to 'the full extent of what good looked like.'[8] It led to a similarly flawed initial Quality Assurance Improvement Programme, the execution of which underpinned the less than accurate claim made to the Audit Committee at the beginning of this year. This was a fundamental and regrettable project management error.
  2. Two recent PAC reports[9] indicate that project management standards across the States of Jersey are generally less than satisfactory. The flawed gap analysis conducted within Internal Audit during 2013 provides further evidence of a pressing need for the organisation to raise its game. We are therefore pleased to have received from the Chief Executive a report confirming the development and planned execution of an action plan to raise project management standards across the States of Jersey.

  1. Given that the claim of PSIAS compliance risked compromising the Audit Committee in the performance of its assurance function, and given that the Chief Executive leads the CMB (which the Audit Committee exists to advise), we were surprised that the Chief Executive was not more concerned by the misleading reporting.
  2. Looking forward, both the Chief Executive and the Treasurer of the States anticipate a successful second attempt at implementing the PSIAS. The QAIP has reportedly been updated to reflect the action plan at Appendix 1, a new manual is being produced for the Internal Audit function and the intention is to embed the new standards by the end of this year. As we have already indicated, this is a laudable but ambitious timetable, particularly given the timeframe for moving forward on the risk management framework.
  3. There were other reasons to suspect that the timetable for this second attempt at a successful PSIAS implementation might be optimistic. For example, we invited the Chief Internal Auditor to confirm the existence of a well-formed plan for meeting the requirement of the PSIAS for an external review of internal audit. What we were told did not, in our view, constitute a well-formed plan.[10] There was also the admission of the Chief Executive that a structure to assess on a regular basis compliance of Internal Audit against the [new] standards' needed to be put into place. As to what that structure should look like, he considered that it would come in part from increasing awareness among Accounting Officers of the requirements of the PSIAS.[11] We had hoped to hear that the detail of the PSIAS requirements would be left to a Chief Internal Auditor to consider and lead upon, with Accounting Officers focussing instead on the development and embedding of the risk management framework, to which internal audit planning would necessarily be linked.
  1. We were advised by the Treasurer of the States that the quality of internal audit would come not only from adopting the PSIAS but from having proper frameworks in place that are well understood across the organisation.'[12] In this regard, the Treasurer accepted that there was still work to do. Financial Direction 11.1, which described the role, status and structure of Internal Audit, the duties of the Chief Internal Auditor and the duties of other officers, was due to be updated by June 2014.
  2. We note that the update to Financial Direction 11.1 remains outstanding as at the end of August 2014. This delay may, however, prove beneficial in the long run. It will allow the Treasury and Resources Department to take account of a new report by the C&AG concerning Financial Directions.[13] This report concludes, amongst other things, that shorter, sharper, more accessible Financial Directions in a consistent style, supported by training, would improve the design and operation of the States' system of internal control.

Reporting Lines of the Chief Internal Auditor

  1. At present, the Chief Internal Auditor reports to the Treasurer of the States. The Treasurer told us that this existing reporting line should be maintained on the basis that a Treasurer has the professional knowledge, the professional qualifications ... and ... the responsibility for ensuring that the Public Finances Law is properly complied with.' A different reporting line might keep the Chief Internal Auditor away from what is really happening in the finance function across the States.'[14]
  2. The Treasurer's view has merit but it also gives rise to certain complications. There is, for example, a theoretical risk that a Treasurer could seek to influence inappropriately an internal audit plan or any report findings, most notably where the plan or findings concern the Treasury and Resources Department. Given that the proportion of internal audit work affecting the Chief Minister's Department is almost inevitably likely to be lower than that which concerns the Treasury, the potential for conflict is probably greater under the existing arrangement. The fact that the performance review and appraisal of the Chief Internal Auditor is ultimately a matter for a Treasurer inevitably means that a Treasurer has, in theory, at least one lever through which to apply influence. Another potential lever is the requirement for a Treasurer to agree to reviews concerning non-ministerial bodies and all departments other than the Treasury.
  1. Measures are in place to guard against these theoretical levers ever being deployed. The Chief Internal Auditor has direct access to the Chief Executive. Both the Chief Executive and the Chairman of the Audit Committee now have a formal input into the performance review and appraisal process. The Treasurer has for some time applied a protocol under which she is detached from any internal audit concerning her department until such time as a report is finalised.
  2. Notwithstanding the above safeguards, certain potential vulnerabilities remain. The Treasurer's protocol does not affect compliance reports concerning departments other than the Treasury. In this regard, the Treasurer accepts that drafts of reports have on occasion proved controversial within affected departments.[15] Such instances might have generated a call on the Treasurer, as the Chief Internal Auditor's line manager, to intervene. Given that the audit plan for 2014 has rightly adjusted the balance of reviews in favour of compliance rather than advisory work, the scope for such issues to arise will inevitably increase.
  3. The existing internal audit reporting line broadly replicates the position in many other public and private sector organisations. We are nevertheless mindful of an increasing trend in large private sector organisations for the Chief Internal Auditor to be line managed by the Chief Executive.
  1. The States of Jersey is undergoing further change. An amendment to the Employment of States of Jersey Employees (Jersey) Law 2005 has been lodged.[16] If the amending Regulations are adopted, the existing Chief Executive role would be replaced by that of a Chief Executive Officer, who would 'lead the Chief Officers of Ministerial departments' and who would be empowered to require a Chief Officer to account for administration, management and implementation in his or her Ministerial department.' Successive PACs have called for just such a change to be made and we hereby confirm our support for that particular Regulation.
  2. Given the nature of the role change that the amending Regulations would bring about, we consider that it would be appropriate to reconsider the reporting line of the Chief Internal Auditor once the States have determined whether to adopt them.

Recommendation 3: The Chief Minister and the Chief Executive should, within 6 months, give serious consideration to the matter of whether the Chief Internal Auditor should continue to report to the Treasurer of the States and, if deemed appropriate, lodge 'au Greffe' a suitable amendment to the Public Finances (Jersey) Law 2005.

5 Conclusion

  1. Internal audit has a vital role to play in helping the States of Jersey accomplish its objectives. Its ability to evaluate and report competently and objectively on the organisation's risk management, control and governance processes is key to the delivery of efficient public sector operations and the securing of value for money.
  2. There are clearly plans to improve the performance of Internal Audit by implementing the majority of the recommendations made in R.36/2014. It is important that those plans are not only fully aligned with the recommendations made by the C&AG but that they are executed competently and in full. Anything less will put at risk the revised goal of delivering PSIAS compliance by the end of 2014.
  3. The States of Jersey requires a corporate risk management framework that is fit for purpose. Although steps are being taken to put such a framework in place, they warrant being prioritised and, where possible, accelerated.
  4. The Internal Audit function must now implement a fully risk-based approach to audit planning. To do that, it needs to be confident that it has a comprehensive understanding of a risk-based approach. That which we heard in our public hearings and which we read in the documentation supplied by the Treasury and Resources Department leads us to conclude that there have hitherto been material shortfalls in understanding and that these shortfalls contributed to the erroneous claim of PSIAS compliance that was made to the Audit Committee in January 2014.
  5. There are also signs of broader issues with the States of Jersey governance framework. The ongoing attempts to align the PSIAS with the relatively unique structure, operation and governance arrangements of the States of Jersey have revealed a difficulty in determining precisely which entities are to perform the senior management team and board roles. Still more thought needs to be given to the matter of how and where political and officer groups fit into the framework.

Recommendation 4: The Chief Executive, the Treasurer of the States and the Chief Internal Auditor should, within the next 3 months, revisit the definition of the Board and Senior Management Team in the Internal Audit Charter to ensure they adequately reflect the role and accountability of Internal Audit in the context of the complex governance arrangements of the States.

  1. The C&AG has notified us of her intention to follow-up her review of internal audit during 2015. In the circumstances, we will be inviting our successor committee to revisit the topic once the follow-up report has been published and with a view to satisfying itself that the direction of travel is firmly upward.

Appendix 1: R.36/2014 - Response of the Treasury and Resources Department

 

No: 1

Area of non-compliance in the C&AG Report: Underpinning all of the C&AG's comments and findings is the need for Internal Audit to demonstrate that it complies in all respects with PSIAS.

Implication: There is a risk that Internal Audit may not be able to demonstrate that its work meets industry standards of best practice and quality assurance.

C&AG Recommendations: R1: Undertake a comprehensive assessment of Internal Audit against the PSIAS and prepare an improvement programme to address the gaps. Secure sign up from key stakeholders, including the Audit Committee and Chief Executive, to the improvement programme

Response: The Chief Internal Auditor (CIA) prepared a gap analysis against PSIAS, using a checklist issued by CIPFA (the Chartered Institute of Public Finance and Accountancy, the main authority on accountancy and financial management for the public services in the UK). This was done by the new Chief Internal Auditor in October 2013 following on from their appointment in August 2013.

The CIA established a Quality Assurance and Improvement Programme (QAIP) to address the gaps identified in the assessment.

On receipt of the report on Internal Audit the Chief Internal Auditor has reviewed and updated her comprehensive gap analysis and the QAIP, to ensure the Plan includes appropriate and timely action to carry out the recommendations made by the C&AG. The Internal Audit extract, which is contained within the States of Jersey Governance Statement (12 March 2014) can be found below:

Internal Audit service

Public Sector Internal Audit Standards (PSIAS) were issued by HM Treasury in 2013 and the States of Jersey objective is to fully adopt these standards by 1 July 2014. PSIAS provides guidance and a benchmark against which the quality of Internal Audit in local government is assessed. The PSIAS are based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF).

The QAIP now comprises Actions 1 to 10 in the 'Agreed Action' column to the right.

Agreed / Not Agreed: Agreed

Quality Assurance and Improvement Programme: Agreed Actions

Action 1: Internal Audit will review and update the October 2013 PSIAS gap analysis in conjunction with the C&AG's recommendations and update the Improvement Programme accordingly. The CIA will work with colleagues to develop the Improvement Programme and consult with the Treasurer and Chief Executive before producing a final draft of the Improvement Programme. Further consultation with the C&AG and the Audit Committee will then be undertaken and the updated Improvement Programme presented to the Audit Committee on 12 May 2014.

Timescale: 12 May 2014.

Action 2: Internal Audit will adopt a PSIAS-compliant audit manual. The CIA will arrange training and development necessary to support the adoption of the audit manual by the Internal Audit team.

Timescale: June 2014 for adoption of the manual within Internal Audit.

Responsible Officers for Actions 1 and 2: CIA supported by Internal Audit Contractor.

Action 3: The Financial Direction for Internal Audit (11.1) will be updated and reissued by the Treasurer to include the requirement to carry out internal audit work in accordance with the PSIAS-compliant manual.

Timescale: June 2014

Responsible Officers: The Treasurer of the States.

Action 4: The CIA will carry out a follow up review to ensure that the best practice set out in the audit manual has been embedded. The review will ensure all outstanding actions in the Improvement Programme and agreed actions from the report have been carried out, and review a sample of files for compliance. The CIA will discuss the outcome of the review with the Treasurer and Chief Executive, and present a summary of the findings to the Audit Committee. An independent review will also be undertaken and the findings of this review presented to the CIA and the Treasurer for consideration. (A copy of the independent review's findings will also be made available to the C&AG if needed).

Timescale: December 2014

Responsible Officer: The CIA.

No: 2

Area of non-compliance in the C&AG Report: The Internal Audit Charter, which sets out the purpose, authority and responsibility of Internal Audit, does not define either the 'Board' or the 'senior management team' as required by PSIAS.

Implication: There is a lack of clarity about who Internal Audit reports to on each specific area of responsibility. The analysis and subsequent agreement of Internal Audit reporting lines is particularly important in the context of the complex governance arrangements within the States, with responsibilities vested in Ministers, the States Treasurer, the Chief Executive, individual Accounting Officers and the Audit Committee.

C&AG Recommendations: R2: Review the role and accountability of Internal Audit in the context of the States' governance arrangements. Update the Internal Audit Charter in light of this analysis, including by clearly identifying the 'Board' and 'senior management team'

Response: PSIAS includes a specific requirement that the Internal Audit Charter and Audit Committee Terms of Reference specifically refer to the 'board' and 'senior management team' and how Internal Audit reports to each. In UK public bodies the 'board' usually refers to a board of non-executive directors or elected members, e.g. councillors, and the 'senior management team' to senior executive officials. Governance arrangements in the States of Jersey are complex in nature and differ from those in the private sector, the UK government or councils, and these complexities are not reflected in the PSIAS.

Accountability is overseen by three distinct functions in the States of Jersey:

  • The Scrutiny function, comprising 4 panels composed of a Chair and non-executive States Members. The Scrutiny panels review and comment on the policies and proposed policies of Ministers, promoting democratic accountability and ensuring proposals are rigorously questioned while still at an early stage;
  • The Public Accounts Committee (PAC), comprising a Chair and at least four other members. Half of these must be States Members who are not Ministers or Assistant Ministers, and half must be unelected individuals who are members of the community. PAC monitors whether or not public bodies are giving value for money. It assesses whether public funds have been used in line with the purposes intended by the States, and it works to eradicate extravagance and waste. It aims to ensure the best possible financial practices are employed across the States administration and it scrutinises various reports from the Comptroller and Auditor General, including the audit of the annual accounts; and
  • The Audit Committee, which is a sub group of the Corporate Management Board (CMB). CMB is composed of the States accounting officers and senior managers, but the Audit Committee is composed of three independent members and the Greffier, who is also a member of CMB. The purpose of the Audit Committee is to provide support and advice to assist Accounting Officers in their assurance on the adequacy of controls and governance processes in place. The Audit Committee is an internal function and under the Audit Committee Terms of Reference the CIA reports quarterly to the Audit Committee and the Chairman of the Audit Committee receives all audit reports.

The Audit Committee must not usurp or undermine the roles of Scrutiny or the PAC.

The Financial Direction 11.1 for Internal Audit sets out the legal responsibilities and reporting arrangements for internal audit.

Agreed / Not Agreed: Agreed

Quality Assurance and Improvement Programme: Agreed Actions

Action 5: The Internal Audit Charter and Audit Committee Terms of Reference are reviewed and updated annually by the Audit Committee as per the existing work forward programme. The Audit Committee will receive the latest updated versions for approval at its meeting of 12 May 2014.

These updated versions of the Internal Audit Charter and Audit Committee Terms of Reference will clarify the definition of 'Board' and 'senior management team' insofar as they apply to the States of Jersey, describe Internal Audit's purpose and position in the organisation, reporting lines, and define Internal Audit's key stakeholders.

The CIA will send the draft Internal Audit Charter and Audit Committee Terms of Reference to the C&AG for information and comment before they are presented at the Audit Committee.

Timescale: Audit Committee Meeting 12 May 2014.

Responsible Officers: CIA supported by Internal Audit Contractor.

 

 

No: 3

Area of non-compliance in the C&AG Report: The independence of the Chief Internal Auditor is strengthened by their statutory power to determine the nature and timing of Internal Audit work in the States Treasury without the consent of the States Treasurer. However, there remain insufficient checks and balances on the role of the States Treasurer as line manager of the Chief Internal Auditor. For example:

  • there is no formal role for the Chief Executive or the Chair of the Audit Committee in the performance review of the Chief Internal Auditor; and
  • there are no routine meetings of the Audit Committee with the Chief Internal Auditor without the Treasurer of the States or Chief Executive present.

Implication: There remain potential threats to the independence of the Chief Internal Auditor that might impede their ability to plan, undertake and report audit work without fear or favour.

C&AG Recommendations: R3: Enhance the safeguards to preserve the independence of the Chief Internal Auditor, such as:

  • giving the Chief Executive and Chair of the Audit Committee a formal role in the performance review of the Chief Internal Auditor; and
  • routinely giving the Chief Internal Auditor the opportunity to meet with the Audit Committee without the Chief Executive or Treasurer of the States present.

Response: PSIAS consider arrangements to ensure that the CIA can act with appropriate independence. Risks to independence are mitigated by the following factors in the States of Jersey:

  • The CIA does not receive performance related pay so has no incentive to manipulate audit results accordingly; and
  • The CIA is protected from undue pressure from management by the Audit Committee's approval of the scope and timing of planned audit work, a specific protocol governing audit work in Treasury and Resources, open reporting lines to the Chief Executive and Chairman of the Audit Committee (as reflected in the Financial Direction), and second reviews by the external supplier (BDO) of reports with high risk opinions (graded 1 or 2).

The Treasurer has responsibility for reviewing the CIA's performance and uses feedback from the Chief Executive and Chairman of the Audit Committee for this purpose. In future, the Treasurer will obtain feedback on the CIA's performance from the Audit Committee Chairman and the Chief Executive through a formal request.

The Chief Internal Auditor has direct access to the Chief Executive Officer and the Audit Committee Chairman as documented in 2.2.1 of the FD 11.1 'Internal Audit'. The CIA already meets with the Chairman formally and without other officers present before every Audit Committee (i.e. at least four times a year) and can request to meet at any other time as necessary.

Agreed / Not Agreed: Already in place but Internal Audit will strengthen existing controls further.

Quality Assurance and Improvement Programme: Agreed Actions

Action 6: The Treasurer to request formal feedback from the Audit Committee Chairman and Chief Executive, to feed into the CIA's performance review.

Timescale: for the CIA's 2014 annual performance review in December 2014.

Responsible Officer: The Treasurer of the States.

Action 7: The FD for Internal Audit is updated to reflect the CIA's quarterly meetings with the Audit Committee Chair, without other officers present.

Timescale: April 2014

Responsible Officer: The Treasurer of the States.

 

 

No: 4

Area of non-compliance in the C&AG Report: Although in its 2014 plan less than 10% of Internal Audit work is advisory, from 2012 to 2013 nearly half of work was advisory rather than assurance.

Implication: Whilst advisory work provides potentially valuable aid to management, the volume of advisory work means that there is a risk that:

  • insufficient assurance work is undertaken to evaluate risks to the States; and
  • insufficient assurance work is undertaken to inform the Chief Internal Auditor's annual opinion.

C&AG Recommendations: R4: Ensure that all necessary assurance work is appropriately resourced before undertaking advisory work.

Response: We will not plan to undertake advisory work at the expense of assurance work. So to guard against this we have agreed a maximum of 15% of time available within the Audit Plan for advisory work. In 2014 the planned advisory work amounts to only 6% of the time available. The issue raised in the report is that by carrying out a high volume of advisory work, Internal Audit might not leave enough resource available for the assurance work needed to support the Chief Internal Auditor's annual opinion on internal controls, for example reviews of compliance with Financial Directions and the internal controls in main financial systems. It is deemed best practice for Internal Audit to conduct some advisory work during the year but this should not be at the expense of compliance work.

Internal Audit uses advisory work to provide additional resources to bolster departments' capability to improve internal controls, especially where new systems and processes are introduced. By providing this advice and support Internal Audit helps mitigate the risk of control failures and helps departments achieve their aims and objectives. For clarification, the assessment of the proportion of advisory work in the report done is based on the number of reports issued rather than the time needed to carry out the work. For example, advisory work carried out by the outsourced internal audit provider BDO in 2013 accounted for 34% of their time and all capital expenditure audits in 2013 were compliance audit and no capital expenditure audit was advisory. This is because often compliance audits require more resources than advisory audits.

It is acknowledged that the report did not express concern that the level of advisory work carried out by the Internal Audit team had resulted in too little compliance work to support the annual internal audit reports and opinions for 2012 and 2013 but highlighted that the number of advisory reports issued were approximately half. For both 2012 and 2013 Internal Audit Plans were reviewed and approved by the Audit Committee, who also received regular reports from the CIA on the completion of planned work, both advisory and compliance. However Internal Audit acknowledges that where advisory work is carried out to support management, the risk that there may not be enough resources left to carry out routine compliance reviews needs to be managed. This valued point has already been reflected in the assessment of the 2014 Audit Plan presented to the Audit Committee in November 2013, the CIA confirmed that only 6% of audit resources available in the 2014 internal audit plan has been allocated to planned advisory work which leaves some capacity for other advisory work but not exceeding 15% without approval of the Audit Committee and the Treasurer.

Agreed / Not Agreed: Agreed

Quality Assurance and Improvement Programme: Agreed Actions

Action 8: The CIA will monitor management requests for unplanned and reactive advisory work to ensure sufficient resources remain to complete planned compliance assurance work. The CIA shall continue to present the risk based Audit Plan to Audit Committee and outline the methodology to the Audit Committee how the Audit Plan has been prepared using a risk based approach.

The CIA has agreed with the Treasurer that from 2014 a benchmark of 15% (including planned advisory reviews) of resources is dedicated to advisory work. The CIA will alert the Treasurer and the Audit Committee once the proportion of advisory work nears 15% of audit resources (say 10%) to ensure that additional requests for such work can be managed or additional resources secured. The careful management of advisory work is reflected in the draft revised Terms of Reference to be presented to the Audit Committee on 12 May 2014.

The CIA will continue to inform the Audit Committee if there is a change in the Audit Plan and the reason for any changes (for example a capital expenditure project may be delayed to 2015 so the respective audit would also be delayed). For clarification purposes the Audit Plan would not be changed in response to advisory review requests. The Audit Plan has been prepared using a risk based approach and it is imperative that it is delivered so reasonable assurance can be provided on the systems and controls of the States of Jersey.

Timescale: from April 2014

Responsible Officers: CIA and the Treasurer

 

 

No: 5

Area of non-compliance in the C&AG Report: There are arrangements in place for identifying threats to independence arising from personal relationships.

However, threats to independence can arise from Internal Audit undertaking advisory work. Internal Audit can provide valuable insights when a new system is being implemented. However if, for example, Internal Audit designs systems subsequently subject to review as part of its assurance work, there are threats to its independence.

Embedded arrangements are not in place to consider threats to the Internal Audit function arising from the nature of advisory work undertaken by it (as opposed to personal relationships) and the adequacy of safeguards.

Implication: There is a risk that advisory work is undertaken which compromises the independence of Internal Audit when undertaking its assurance role. As a result there is an increased risk that the Chief Internal Auditor's annual opinion may not be seen as providing independent assurance to management.

C&AG Recommendations: R5: Develop arrangements to identify the threats to Internal Audit independence arising from proposed Internal Audit advisory work and identify appropriate safeguards.

Response: This recommendation seeks to mitigate the risk that an auditor could deliver advisory work providing advice on setting up controls and processes then carry out a compliance audit on the same controls and processes. This would entail a self-review threat i.e. a risk that the auditor could deliver an opinion on controls and processes based on their own advice.

Auditors performing advisory reviews are excluded from carrying out compliance work in the same area. No auditors carried out both advisory and compliance work in the same area during 2012 and 2013, although it is acknowledged that this was not always documented.

The CIA's QAIP of October 2013 introduced a mandatory Audit Planning Memorandum document for use in compliance audits, which includes a section to formally record any self-review threats associated with the assignment in question. This is a standalone document in every audit file and is already in place following the QAIP review in October 2013. The CIA signs off and reviews the Audit Planning Memorandum to confirm that auditor independence is not compromised before the audit starts on each audit.

Agreed / Not Agreed: Already in place but Internal Audit will strengthen existing controls further.

Quality Assurance and Improvement Programme: Agreed Actions

See Actions 1 to 4 for C&AG recommendation R1 and R8.

The Audit Planning Memorandum will be included in the PSIAS compliant Internal Audit Manual. Financial Direction 11.1 for Internal Audit will set out the requirement for Internal Audit work to be carried out in accordance with the standards set out in the Manual. Financial Directions derive their legal authority from the Public Finance (Jersey) Law 2005.

 

 

No: 6

Area of non-compliance in the C&AG Report: There is no explicit, transparent process for annual Internal Audit planning. The key to this is identifying the risks relevant to the design and operation of control, risk management and governance processes and developing an audit programme that demonstrates how it addresses those risks.

Implication: There is an increased risk that:

  • Internal Audit assurance work does not adequately address relevant risks to the States; and
  • insufficient appropriate assurance work is undertaken to inform the Chief Internal Auditor's annual opinion.

C&AG Recommendations: R6: Adopt, apply and communicate a transparent risk assessment process to underpin the annual Internal Audit plan.

Response: The Treasurer and Chief Internal Auditor consider there has been a transparent risk assessment process for annual Internal Audit Planning.

In compiling the draft 2013 Internal Audit Plan the CIA reviewed risk registers, met with all relevant chief officers to discuss the risks in their areas and to seek their views on where Internal Audit could be of assistance; this process was also followed for the 2014 Internal Audit Plan.

Both Finance Advisory Board and CMB reviewed and discussed the draft Internal Audit Plan, in addition to the consideration of the Plan by the Chief Executive and approval by the Audit Committee.

The CIA presented the draft 2014 Internal Audit plan to the Audit Committee on 25 November 2013. The report accompanying the draft plan includes a narrative describing the risk assessment process for potential assignments underpinning the plan.

However the development of the Internal Audit Manual will provide an opportunity to link individual planned assignments to risk scores more clearly in the Internal Audit plan and reports to the Audit Committee to ensure more transparency.

Agreed / Not Agreed: Already in place but Internal Audit will strengthen existing controls further.

Quality Assurance and Improvement Programme: Agreed Actions

See the Actions 1 to 4 agreed for C&AG recommendation R1.

Internal Audit's planning methodology will be included in the PSIAS compliant Internal Audit Manual, including the links between individual risk scores for auditable areas and their inclusion in, or exclusion from the plan.

 

 

No: 7

Area of non-compliance in the C&AG Report: A number of the areas for Internal Audit specified in the PSIAS have not explicitly been considered by Internal Audit.

Implication: There is an increased risk that Internal Audit's work programme does not adequately address areas relevant to the design and operation of controls, risk management and governance processes.

C&AG Recommendations: R7: In preparing the annual Internal Audit plan and in undertaking individual pieces of Internal Audit work, explicitly consider whether all the areas specified in the PSIAS are covered.

Response: Internal Auditing Standard (2110) states that: "The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the organization;
  • Ensuring effective organizational performance management and accountability;
  • Communicating risk and control information to appropriate areas of the organization; and
  • Coordinating the activities of and communicating information among the board, external and internal auditors, and management".

Internal Auditing Standard (2120.A1 & 2130.A1) requires that "The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information;" and that "The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems". PSIAS sets out five risk areas that Internal Audit needs to address in its planned work to provide assurance, namely:

  • Achievement of the organisation's strategic objectives;
  • Reliability and integrity of financial and operational information;
  • Effectiveness and efficiency of operations and programmes;
  • Safeguarding of assets; and
  • Compliance with laws, regulations, policies, procedures and contracts.

As stated in the response to recommendation R6, the CIA presented a report to the November meeting of the Audit Committee explaining the risk based methodology supporting the 2014 draft internal audit plan and noting the risks and areas addressed by the plan, including:

  • Governance;
  • Estate management;
  • Financial management;
  • Procurement;
  • Information and communications technology; and
  • Human resources.

The scope of the Internal Audit plan does address implicitly the five risk areas set out in the PSIAS standard on the Nature of Work; however the CIA acknowledges that Internal Audit plan could do more to explicitly cross reference audit work to the risk areas specified in the PSIAS and the Law when presenting the plan to the Audit Committee.

Agreed / Not Agreed: Agreed

Quality Assurance and Improvement Programme: Agreed Actions

See the Actions 1 to 4 agreed for C&AG recommendation R1.

Internal Audit planning methodology will be included in the PSIAS compliant Internal Audit Manual, including specific cross referencing of planned work to the risk areas specified in PSIAS:

  • Achievement of the organisation's strategic objectives;
  • Reliability and integrity of financial and operational information;
  • Effectiveness and efficiency of operations and programmes;
  • Safeguarding of assets; and
  • Compliance with laws, regulations, policies, procedures and contracts.

Internal Audit will assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the States of Jersey;
  • Ensuring effective performance management and accountability;
  • Communicating risk and control information as appropriate; and
  • Coordinating the activities of and communicating information.

 

 

8

Area of non-compliance in the C&AG Report

Whilst the external provider has its own comprehensive quality framework, the Chief Internal Auditor has yet to develop a comprehensive quality framework. For example, no timetable has been set for the finalisation of the Internal Audit Manual (including documentation of quality control arrangements) and robust arrangements for the management of the contract with the external provider have yet to be fully developed.

Implication

There is an increased risk that Internal Audit's work may not be performed proficiently and with due professional care.

C&AG Recommendations

R8: Develop a comprehensive quality framework; prioritise the finalisation of the Internal Audit Manual (including documentation of quality control arrangements); and develop robust arrangements for monitoring the performance of the external provider.

Response

In House Work

Up to October 2013 all Internal Audit systems and control work was carried out by BDO, with the Internal Audit team working alongside the BDO team to gain experience. This work was completed using the BDO audit manual and quality framework.

Capital expenditure audits were undertaken entirely in house and it is acknowledged that this work did not follow the BDO manual.

In the QAIP drawn up October 2013 the CIA identified the need for an audit manual which drew together audit policies and procedures and which introduced a suite of standard and mandatory documents to be used for in house audit work, covering assignment planning, fieldwork, reporting, close down and archiving. The standard documents include scope to record management review of working papers and reports and the sign off of key stages of the audit. The documents were introduced in November 2013 and will form part of the audit manual.

An indicative timetable for drafting the manual was established as March 2014, although this has been extended to ensure that the manual fully reflects the C&AG's findings.

Outsourced Work

BDO carry out assignments in accordance with their audit manual and quality assurance procedures.

The States of Jersey retendered its internal audit contract in 2012 in order to improve quality standards and value for money. BDO won the new contract. The quality arrangements for BDO and other bidders were assessed as part of the procurement strategy.

Under the new contract the CIA meets fortnightly with BDO to discuss their progress, output and fees.

The CIA completes an annual assessment of BDO's quality assurance arrangements. The last such review was carried out over October and November 2013. The CIA drew up an internal paper setting out the results of this review on 8 November 2013.

Agreed / Not Agreed

Agreed

Quality Assurance and Improvement Programme: Agreed Actions

See the Actions 1 to 4 agreed for C&AG recommendation R1.

The quality assurance framework for both in house and outsourced work will be documented in the audit manual.

The original timetable for drafting an audit manual was March 2014. The revised timetable for the completion and adoption of the manual states that the PSIAS compliant manual will be complete by June 2014 and fully embedded by December 2014.

 

 

9

Area of non-compliance in the C&AG Report

Whilst Internal Audit utilises specialist skills on contract audit, it does not adequately utilise specialist information technology audit skills to address the significant risks in this area.

Implication

There is an increased risk that Internal Audit does not adequately address risks relevant to its responsibilities.

C&AG Recommendations

R9: Establish areas where specialist skills are required to respond to risks and either develop or buy in those skills

Response

It is acknowledged that there is the need to ensure that the Internal Audit team has access to sufficient and appropriate skills and resources to deliver their planned audit work. The need for specialist information technology and other skills is considered when developing and delivering the annual Internal Audit Plan, although previously more could have been done to document the processes Internal Audit uses to secure specialist skills. Examples of where external expertise with specialist skills is brought in to manage risk include contract management (i.e. EFW) and IT audit specialists which are included below.

Internal Audit calls in BDO to bring in technical expertise from the UK to supplement the in-house team when necessary; in addition, contractors are considered on specific audits as appropriate.

BDO London IT have carried out specialist IT internal audit work for the States, for example:

  • CS0504 – Information Services: Assess and permission to review e-mail accounts (issued 14 March 2011)
  • CS0505 – Information Services: Project Management (issued 15 Jan 2013)

In the 2014 Internal Audit plan BDO is responsible for an IT based audit of the collection of long term care charges and BDO London will carry out a VFM review of the Get Back to Work initiative. Both IT and VFM audits require specialist skills and need involvement of audit experts in these areas. This is reflected in the 2014 Audit Plan which was presented to the Audit Committee in November 2013.

To ensure audits are appropriately resourced the CIA has also introduced a number of standard audit documents in October 2013 including assessment of IT audit specialist input on all audit assignments and consideration of the audit team's experience to deliver the audit. Where the audit scope includes significant IT controls review, the BDO IT audit specialist working on the States contract reviews and signs off the design of the scope and the resulting report to ensure that there has been adequate specialist input to the audit.

The Internal Audit team have received training as follows:

  • A day long course in October 2013 on identifying the need for IT specialists in Internal Audit, delivered by a senior lecturer from IIA;
  • Training on IT controls from the in house IT audit specialist working in the IT team delivered in January and February 2014; and
  • Further training is planned in 2014 as part of the professional development programme which includes IT, PSIAS update, Procurement and Capital Expenditure.

Agreed / Not Agreed

Agreed

Quality Assurance and Improvement Programme: Agreed Actions

See the Actions 1 to 4 agreed for C&AG recommendation R1.

Processes to document the assessment of the need for specialist technical input to audit work will be included in the audit manual, for both annual planning and individual audit assignments.

Consideration at the planning stage of the audit engagement team shall be documented, including assessment of IT audit specialist resources and other specialist skills required. The 2014 Annual Audit Plan includes planned additional resources for audit engagements as detailed below:

  • VFM Audit "Get Back to Work" will include specialist VFM auditors from BDO London as part of the engagement team.
  • A senior capital expenditure auditor will be considered on audit engagements for the new sewage treatment works and the new hospital due to the scale of these projects.
  • Collection charges for long term care changes will involve BDO London due to the IT audit specialism need on this engagement.

Action 9: Continue to arrange further audit training for the in-house internal audit team as identified as part of performance development. The CIA should continue to consider the need of specialist skills to ensure there are adequate appropriate resources to complete engagements.

Timescale: by the end of 2014.

Responsible officer: CIA

 

 

10

Area of non-compliance in the C&AG Report

The mechanism for monitoring progress against Internal Audit recommendations has been undeveloped. It has placed inappropriate reliance on representations by management.

Implication

There is an increased risk that non-implementation of Internal Audit recommendations is not identified and the impact evaluated.

C&AG Recommendations

R10: Establish arrangements for testing whether Internal Audit recommendations have been implemented.

Response

While management are responsible for carrying out internal audit recommendations, it is good practice for Internal Audit to follow up recommendations to check that timely and effective action has been taken as agreed.

Internal Audit already follow up recommendations for some categories of work:

  • For each cyclical audit review, the auditor will test evidence that Internal Audit recommendations made in the prior year's audit have been implemented as agreed by management. This was done for all cyclical audits in 2013; and
  • For each stage of capital expenditure audits, the auditor will test evidence that action has been taken to carry out Internal Audit recommendations made and agreed at the previous stage of the audit.

The CIA's Quality Assurance and Improvement Programme of October 2013 acknowledges the need to track all recommendations to ensure they are implemented. The CIA has already taken the following action:

  • Arranged a one off project which commenced in November 2013 to consolidate all High Level recommendations from 2010-13 and Medium / Low Level recommendations from 2011-13. Departments have been requested to confirm action taken to date. Internal Audit will test evidence of implementation for all High Level recommendations and a sample of Medium to Low Level recommendations. It is noted a number of departments have been completed as part of the project and the completion date of the project is June 2014.
  • Standard audit documentation introduced in October 2013 includes an archive checklist prompting the auditor to make an appointment with the department 6 months after the audit is complete, in order to review progress in carrying out recommendations;
  • Internal Audit's quarterly progress update reports to the Audit Committee will include a commentary on recommendations completed and outstanding by department; and
  • The CIA will report twice yearly to the Audit Committee on any concerns or issues arising from progress on implementing recommendations, once at 30 June and again at 31 December (as part of the CIA's annual report and opinion).

In the meantime the CIA can discuss any pressing concerns with the Treasurer, and has open communication as per the Financial Direction with both the Chief Executive and Chairman of the Audit Committee as appropriate.

Agreed / Not Agreed

Agreed

Quality Assurance and Improvement Programme: Agreed Actions

See the Actions 1 to 4 agreed for C&AG recommendation R1.

Arrangements for testing whether audit recommendations have been carried out will be documented in the audit manual.

Action 10: The CIA has ensured that there are adequate resources needed to complete the one off exercise to follow up 2010-13 recommendations, which commenced in November 2013, so that it does not compromise the level of planned compliance audits.

Timescale: The CIA will present a report at the 12 May 2014 Audit Committee on the status of the recommendations follow up project, subject to available resources. She will present a further report at the July 2014 Audit Committee meeting setting out the results of testing carried out to date on the evidence that recommendations are complete.

Responsible officer: CIA and the in house audit team.

 

 

11

Area of non-compliance in the C&AG Report

Arrangements in place for Internal Audit to identify and escalate risks to the Corporate Management Board ('CMB') where management has accepted risks which may be unacceptable to the States are not developed.

Implication

There is an increased risk that States funded bodies take significant risks without the knowledge of senior management.

C&AG Recommendations

R11: Establish formal arrangements for Internal Audit to identify and escalate to CMB risks accepted by management which may be unacceptable to the States

Response

It is agreed there is a need to ensure that there are sufficient checks and balances should managers disagree with audit findings and conclusions or refuse to implement audit recommendations.

Depending on the significance and materiality of the findings and recommendations in question, management could expose the States to an unacceptable risk by not acting on Internal Audit's advice which may need to be escalated.

NB 'States funded bodies' in this context does not refer to all organisations receiving grants or financial assistance from the States, but to the ministries, departments and other bodies specifically referred to in the Public Finances (Jersey) Law 2005.

The CIA attends the CMB Risk Management Sub Group, which is chaired by the Treasurer. The CIA will escalate risks accepted by management which may be unacceptable to the States to this Sub Group.

If the CIA needs to escalate a risk before the next available meeting of the Sub Group she will refer the risk directly to the Treasurer.

In the event of the CIA needing to escalate a risk accepted by the Treasurer that may be unacceptable to the States, she will report directly to the Chief Executive or Chair of the Audit Committee. This independent reporting route is embedded in the protocol signed by the Treasurer and CIA governing the management of internal audit work in Treasury and Resources.

Agreed / Not Agreed

Already in place but Internal Audit will strengthen existing controls further.

Quality Assurance and Improvement Programme: Agreed Actions

See the Actions 1 to 4 agreed for C&AG recommendation R1.

Arrangements for escalating significant accepted risks will be documented in the audit manual.

 

 

11

Area of non-compliance in the C&AG Report

Article 36 of the Public Finances (Jersey) Law 2005 provides that:

The chief internal auditor must carry out an internal audit of the transactions and internal controls and systems of each States funded body to ensure that the finances of the States are regulated, controlled and supervised in accordance with this Law.

The times and frequency of those audits shall be determined by the chief internal auditor with the agreement of the Treasurer.

However the chief internal auditor may carry out such an audit of the Treasury at any time.

Implication

The Chief Internal Auditor's annual plan covers all departments of the States. However, it is not clear from the audit plan or individual pieces of Internal Audit work how the internal audit work undertaken is specifically directed to providing assurance as to regulation, control and supervision in accordance with the Public Finances (Jersey) Law 2005.

C&AG Recommendations

R12: Ensure that the annual Internal Audit plan and individual pieces of audit work demonstrate how internal audit work is directed to providing assurance that the regulation, control and supervision of the States' finances is in accordance with legislation

Response

The scope of the Internal Audit plan does address implicitly the requirements of the Law; internal audit ensures that States finances are regulated, controlled and supervised in accordance with the Law.

All planned Internal Audit work is directed to providing assurance on the regulation, control and supervision of the States' finances in accordance with the Public Finances (Jersey) Law 2005. It is noted that States Funded Bodies is a legal definition and does not extend to all grants awarded by the States of Jersey. The Audit Universe encompasses all States Funded Bodies for consideration when developing the Annual Audit Plan which was implicit in the methodology in developing the Annual Audit Plan.

Compliance reviews carried out by Internal Audit evaluate evidence of compliance with Financial Directions, which derive their legal authority from the Public Finances (Jersey) Law 2005.

The CIA acknowledges that Internal Audit plans could do more to cross reference audit work to the three headings specified in the Law which should be explicit in the presentation of the plan to the Audit Committee.

Agreed / Not Agreed

Agreed

Quality Assurance and Improvement Programme: Agreed Actions

Internal Audit's action in response to R7 is that the Internal Audit planning methodology will be included in the PSIAS compliant Internal Audit Manual, including specific cross referencing of planned work to the risk areas specified in PSIAS.

To address the requirement of Recommendation R12, the internal audit planning methodology and internal audit reports will indicate which of the headings regulation, control and supervision they provide assurance on. The Internal Audit Manual will codify this requirement.

 

 

Appendix 2: Committee Membership

The membership of the Public Accounts Committee (as at the date of the presentation of this report) comprises -

States Members

Deputy Tracey Vallois (Chairman)

Senator Sarah Ferguson

Deputy Richard Rondel

Deputy Gerard Baudains

Independent Members

John Mills, CBE

Ian Ridgway

Robert Parker

Appendix 3: Terms of Reference

  1. To review the operation of the internal audit function with particular reference to-
    1. the requirements of the Public Finances (Jersey) Law 2005,
    2. the reporting lines of the Chief Internal Auditor,
    3. the purpose and coverage of internal audit work,
    4. quality.
  2. To consider the extent to which the recommendations made by the Comptroller and Auditor General in her review of the internal audit function (R.36/2014) have been accepted and, if so, the adequacy of the plans for their implementation.

[3] See States of Jersey Financial Report and Accounts 2013 – pages 75-99 (available at www.gov.je)

[9] See PAC.1/2014 and PAC.2/2014 (available at www.scrutiny.gov.je)

[13] R.121/2014 refers (available at www.statesassembly.gov.je)