This content has been automatically generated from the original PDF and some formatting may have been lost. Let us know if you find any major problems.
Text in this format is not official and should not be relied upon to extract citations or propose amendments. Please see the PDF for the official version of the document.
Public Accounts Committee Internal Audit
Chief Executive, States of Jersey
MONDAY, 2nd JUNE 2014
Panel:
Deputy T.A. Vallois of St. Saviour (Chairman) Senator S.C. Ferguson (Vice Chairman) Deputy R.J. Rondel of St. Helier
Mr. I. Ridgway
Mr. J. Mills, CBE
Mr. R. Parker
Witness:
Chief Executive, States of Jersey
Also present:
Comptroller and Auditor General Deputy Comptroller and Auditor General
[13:34 – Commencement and introductions]
Deputy R.J. Rondel:
If we focus on the requirements of the Public Finances (Jersey) Law 2005 to start with, how do you satisfy yourself that the Internal Audit discharges its responsibilities under the law?
Chief Executive, States of Jersey:
I think the Public Finances Law is fairly clear in terms of what it sets out in the roles of the Internal Audit function. The Public Finances Law sets that out but then in more definition is the Code of Financial Direction; it sets out more detail. So those 2 provide the framework under which the Internal Audit function works. So the law is there for that purpose. In terms of how I satisfy myself, it is obviously reviewing the audit reports as they are produced, working with the Chief Internal Auditor at timely points to assess the following as audit work that is going to be undertaken. So work to be undertaken; looking at reports that come through and then working with the Audit Committee as the reports come through, trying to make sure that the overall governance and control framework is in place.
Deputy R.J. Rondel:
But is there a link that refers to the actual law that you follow? How do you refer to the law when making your responsibilities under the law?
Chief Executive, States of Jersey:
Sorry, I am not quite following you. The Public Finances Law is setting out the role of the Chief Internal Auditor and the function of the accounting officers. So my role is to ensure that the accounting officers certainly discharge their functions, although they are set up under the law slightly separate to myself, as I am sure you have discussed here on many occasions, but, in terms of the role of the Chief Internal Auditor, there is a reporting line to the Treasurer, which is set out. But also, under the Financial Direction, I am certainly there to ensure that the Chief Internal Auditor has a line to me and works with me to ensure that the reports that are being undertaken are then carried out in a timely and proper way.
Deputy T.A. Vallois:
You stated that the law and the Financial Direction provides the framework. Do you think that is sufficient and clear enough to satisfy yourself that Internal Audit is discharging its responsibilities?
Chief Executive, States of Jersey:
I think, looking back, the answer probably is it is not as tight as it could be. I think, looking forward, having the new framework, the work that has been undertaken prior to and now following the Comptroller and Auditor General's report in re-assessing the position of the Internal Auditor, the role, responsibilities and reporting line of the Audit Committee, I am certainly far more comfortable that we have a much more rigid and much better structured framework to ensure that we have compliance. There is more work to be done but, certainly when I look at the report that the Chief Internal Auditor has produced as a result of the PSIAS (Public Sector Internal Audit Standards) that we are going to comply to and linking that to the recommendations from the Comptroller and
Auditor General's report, I am pleased with the progress that has been made. As I said, there is
more work to be done but I feel we are now on a much stronger footing than we have been for some time.
Deputy R.J. Rondel:
Have you identified further work that has to be done?
Chief Executive, States of Jersey:
Well, we have said that we are going to be applying PSIAS standards by July of this year. We are on track to do that. There is obviously work then to make sure ... We have to look at how they have been implemented and then it is inevitable that it is going to take some time to get full implementation for control of the process. Although we will be adopting them, I think it will take a bit longer to get them fully up to speed. I am certainly not going to say they are all going to be in and fully running by July and everything will be complete. There is more work to be done and certainly, when I look at the amount of work that is required to implement all the recommendations from the C&AG (Comptroller and Auditor General) report and compliance with PSIAS standards, I think it would be wrong of me to say it is all going to be complete and ready by July, but we are certainly on track to get it completed.
Senator S.C. Ferguson:
Are you intending to go on a refresher course so that you understand fully the implications of internal audit?
Chief Executive, States of Jersey:
Not a refresher course, but certainly looking at the standards that are required, that we have to comply with, and looking at delivering the recommendations in the C&AG, I think it is an area which not only myself but, I think, all of the management board needs to be aware of and have a refresher on. So I think there is a role to look at for the management board to make sure they are fully aware of PSIAS standards, how they work in the department and what the functions are. I would not want to just say: "Oh, we are complying with PSIAS," and just say: "That is it." If we are going to implement something, we have to make sure that accounting officers, in particular, are trained to develop it. For me personally, a refresher course, no; but I think we as a CMB (Corporate Management Board) have a role to ensure that we know what our responsibilities are as accounting officers; then, yes, I think we need some training.
Deputy R.J. Rondel:
Has a training programme been put in place?
Chief Executive, States of Jersey:
No, we have not got one in at the moment.
Deputy T.A. Vallois:
Why was there not one put in place before PSIAS standards were introduced on 1 January 2013?
Chief Executive, States of Jersey: I do not know.
Deputy T.A. Vallois: Okay.
Deputy R.J. Rondel:
Do you think one should have been?
Chief Executive, States of Jersey:
Looking at the amount of work that is required now to ensure that we are compliant with it and when we look at the areas of PSIAS standards and the headings, probably some more work should have been done earlier to ensure that we were fully up to speed with the requirements of those standards.
Mr. J. Mills:
But were you surprised by the C&AG's report when you received it? Was it unexpected or did you have a sense beforehand from your general experience of the system that there might be some weaknesses and challenges in that area?
Chief Executive, States of Jersey:
I think, knowing that the Treasury had undergone a significant amount of restructuring in the last 2 years since the new Treasurer arrived, it meant that we knew that Internal Audit was one function that had to have that same view. The new Internal Auditor started in August 2013. It took a while to pick up the role, but certainly by October it was recognised that there were changes to be made and I think the timing of the C&AG's report was very timely because it gave us that very good independent view of standards that we need to comply with. I was thinking about the question that you were just asking and I have to say I cannot recall, in my career in the States, there being a previous review of Internal Audit. Internal Audit reviews departments and functions, but in my career in the States I can never recall a review of Internal Audit. So it is the first I can recall. I think it is very timely and I think it certainly sets us in a very good direction for the future.
Mr. J. Mills:
I am sure that is right but, going back to the first views of the new Internal Auditor last autumn, did the recognition that you just referred to - the need to change last autumn - foreshadow the
comments that the C&AG made in March or did the C&AG, in your opinion, have things to say that
either you or your colleagues or indeed the C.I.A. (Chief Internal Auditor) had not focused on sufficiently? That is really why I asked the question about whether it was a surprise.
Chief Executive, States of Jersey:
I think the Chief Internal Auditor had identified the issues, but I think the C&AG report really gave the clarity in terms of very clear recommendations as to where focus should be put in delivering that. So the combination: the CIA started the job; the C&AG report really gave us the clarity and the direction we needed and the delivery plan that we have now got, I think, is a good plan - a quality improvement action plan to give us some very good direction for the future - but it is going to take a while to make sure that is fully understood and implemented throughout the department.
[13:45]
Mr. J. Mills:
Would you have had such a plan had it not been for the C&AG's report?
Chief Executive, States of Jersey:
I think we would have had a plan. I am trying to look back in hindsight. Whether it would have had the same clarity and rigidity that it has now because the C&AG gave us that extra dimension, I do not think I can answer that. But I think it is fair to say ...
Mr. J. Mills:
You have answered it.
Deputy R.J. Rondel:
Given the amount of work you have stated might be involved, do you have a timeline when the whole project may well be completed?
Chief Executive, States of Jersey:
Well, the aim is certainly to make sure we are fully in line by ...
Deputy R.J. Rondel: By July.
Chief Executive, States of Jersey:
By July we are implementing it, but then fully running and operational by the end of this year and then Internal Audit Committee's charter is saying we will be reviewing, on an annual cycle, the charter and that, I think, at the same time, is the opportune time to keep looking at it and making
sure we are delivering against what we said we are going to in compliance with PSIAS standards,
delivering against the recommendations of the C&AG report. It is an opportunity to make sure that that cycle is reviewed.
Mr. R. Parker:
Are these changes reflected in the internal audit plan for 2014?
Chief Executive, States of Jersey:
The Internal Audit Plan I look at as more of a work plan for 2014. One area which was flagged up by the C&AG report, which was not in the original report, was the balance between compliance and advisory in all this, recognising possibly we have moved slightly too much towards advisory as opposed to compliance. So in the 2014 plan we have addressed that, meaning we have to shift the emphasis back to more compliance audits as opposed to advisory.
Mr. R. Parker:
So the Chief Internal Auditor reports directly to who now?
Chief Executive, States of Jersey:
The Chief Internal Auditor's structure has not changed. The recommendations coming out of the C&AG report, certainly in terms of appraisals, et cetera, there should be a more formal involvement of the Chief Executive and the Chair of the Internal Audit Committee and that will now take place. So in the past we had informal links, but not formal. We are now having a formal link.
Mr. R. Parker:
Does that create difficulties for chief officers? Under the existing structure you have all the chief officers, as the Chief Financial Officer, were all on the same level and I understand the Treasurer has to try and encourage people to change and to do things because they are on the same level. So if something comes up from the Internal Audit, how does the structure work to make that change, to changes related to any form of operation or if something is done incorrectly. It is very difficult to be acting as trying to encourage people to do something and then being the policeman as well.
Chief Executive, States of Jersey:
Well, I think the Treasurer's role and my role are slightly unique in terms of the Treasurer's role has got more definition in law than perhaps my role has got at the moment. There are requirements on the Treasurer to ensure compliance with financial standards, et cetera, and, equally, you would expect the Treasurer then to apply those same requirements on to chief officers. It would be, I would suggest, a slightly unwise chief officer not to take heed of Internal Audit reports.
Mr. R. Parker:
Is there formal enforceability of that and, if someone did not do something, what sort of ...
Chief Executive, States of Jersey:
Yes, there would be. Basically you would follow the disciplinary code if something came up, or the performance code. All chief officers or accounting officers have very clear roles and responsibilities under the Public Finances Law and they take those roles seriously. As an accounting officer, you are legally liable for it. So there is a liability on you as an accounting officer and if an Internal Audit report flagged something up, you would expect and I would expect the Chief Internal Auditor to follow it up. I would certainly expect the Treasurer to ensure and follow up that those recommendations are being addressed. If the score of an audit report was 2 or less, then all those audit reports come to me and they also go to the Audit Committee. So there is a process in place which is effectively saying to an accounting officer: "If something has not worked as we expect it to that has been identified in an audit report, there is a very clear requirement on you as an accounting officer to put it right and to address it." Again, going back in my career, I do not think I have ever known an accounting officer not to take heed of recommendations and those are then followed up in a subsequent review.
Deputy R.J. Rondel:
If I could ask a specific question on reporting lines: how do you satisfy yourself that the Chief Internal Auditor's programme and findings in respect of Treasury are not inappropriately influenced by the States Treasurer?
Chief Executive, States of Jersey:
That, I think, is something which has been raised on a number of occasions. Certainly having a reporting line and an opportunity to talk directly to the chair of the Audit Committee without the Treasurer present and having an interview itself gives the Chief Internal Auditor an opportunity. We have external auditors appointed to undertake audits and certainly you would expect the external audit company would provide those audits to maintain their professional standards through their work practices, which would be the standard you would expect to see in industry. So
if there was any pressure brought to bear, I would expect it to come out in one of those routes.
Senator S.C. Ferguson:
Talking about the reporting lines and the changes and your comments on those and your comments on your position in the reporting lines, were you involved in the business case for bringing the Internal Audit back in-house? Was there a business case?
Chief Executive, States of Jersey:
No, I was not involved in the decision. I know that the Treasurer and I did speak about it informally, on the basis that she was looking at the functions and the opportunity of effectively making some savings through re-establishing our in-house function. In terms of personal involvement, I did not have a lot of involvement in that decision.
Senator S.C. Ferguson:
Do you not think it would have been part of your role as Chief Executive when you were looking at the Internal Audit functions and the independence of Internal Audit?
Chief Executive, States of Jersey:
Well, I am looking at the role of Internal Audit not just from the Treasury, I am also looking at it across all the departments to make sure that we have a consistent approach in terms of applying standards, whether those are applied by an external body or by an internal body. Obviously we have always maintained an Internal Audit function for capital reviews, capital programmes, and in fact I have had very good reports coming out of that process. I was happy with the function. One thing that the new Chief Internal Auditor did identify was that the manual or the procedures set down within the internal function for accounts had been left to evolution, not perhaps set as strongly as they should have been, and that was addressed. So we have a procedures manual which is setting standards and there is follow up. There is always a question to ask and it is one that I do not think is unique to Jersey - I am not sure it is unique in other local authorities - is, when the audit function has to audit the function which is effectively their housekeeper, you have to make sure you have put in place the appropriate controls and barriers there. Having an Audit Committee, having obviously a Comptroller and Auditor General, having my role, then we have separate roles to ensure that any undue pressures that could be considered would be very unlikely to be brought to bear.
Mr. I. Ridgway:
Could I ask how many formal meetings you have had with the Chief Internal Auditor without the Treasurer present this year to discuss the audit point?
Chief Executive, States of Jersey:
Since she started, I have had 3 formal meetings with her.
Mr. I. Ridgway:
Without the Treasurer present?
Chief Executive, States of Jersey:
Yes, and basically the aim is to have them quarterly. She has only been in the post for a year in August, so effectively it works out just about quarterly.
Mr. I. Ridgway:
Could I ask how you assess her about any work that you do?
Chief Executive, States of Jersey:
She presents a draft plan to me. We will look at it. We tend to look back to see if there have been any previous auditor behaviour where there has been a compliant or non-compliant issue identified; any areas which I consider, looking forward, could be high risk; and projects coming up which I think could have a risk element in them that need to be included (capital programmes, for example: high risk capital work needs to be put into an audit plan); any significant changes that have taken place in departments: in my mind I would be thinking about: "What have we got in departmental business plans? What do I know is coming up and have we put enough time in the Audit Plan to make sure that they can be looked at?" I can give you an example. If I look back at my old organisation, I knew when the bus contract, for example, was coming up for renewal that it was an area where we needed to make sure that time was put in place for that. So it is, for my position, probably having a forward look into the business plan and departmental business plans, which I would have seen and will have copies of, and then just making sure with the Chief Internal Auditor that enough time has been allocated for the ones which we think could have risk attached to it.
Mr. I. Ridgway:
Does that assessment of risk go broader than yourself and the Treasurer?
Chief Executive, States of Jersey:
No, most of it would be knowledge of projects which are likely to have risk attached to them. I certainly do not have another group that I would consult in terms of deciding what goes in and what does not go into a plan.
Mr. I. Ridgway:
So the other accounting officers are not consulted?
Chief Executive, States of Jersey:
I do not consult with them as a panel as to what goes into an Audit Plan, no.
Mr. I. Ridgway:
They do not have an input into their areas of risk?
Chief Executive, States of Jersey:
The Chief Internal Auditor, I think, would be looking at and asking them what is coming up and what they are doing, but certainly the discussions I have with the Chief Internal Auditor are more about saying: "What am I looking for, especially when it comes to capital. Which big projects are coming up? Which ones are likely to attract a high degree of risk? Which one has the areas that we know from the past?" An example of that would be the new hospital development. It is long- term big project. So there is going to have to be a significant amount of time attached to auditing all the various phases of that programme.
Senator S.C. Ferguson:
Why do you keep insisting that Internal Audit is looking mainly at large capital programmes? Why are you not thinking about looking at revenue programmes?
Chief Executive, States of Jersey:
Sorry, I was not specifically. I was giving some examples of where I am looking forward. I was referring to departmental business plans. So where I am looking at departmental business plans I would expect, which obviously does not attract revenue expenditure, for those programmes to be looked at as well.
Senator S.C. Ferguson:
Well, what about looking at revenue income?
Chief Executive, States of Jersey: The 2014 ...
Senator S.C. Ferguson:
I merely asked why you keep referring to Internal Audit with regard to large capital expenditure.
Chief Executive, States of Jersey:
Sorry, I do not think I am referring specifically to large capital expenditure. I was giving examples in looking forward but, as I said 2 or 3 times this afternoon, I am looking at business plans. Business plans are not just capital expenditure. They are operational functions and those operational functions obviously attract significant revenue expenditure and that is what I am looking at.
Deputy R.J. Rondel:
I mean what is important when I am looking at the plan, which I am sure you would have had a copy of, if not I can get it for you ...
Deputy T.A. Vallois: Yes, we have a copy.
Chief Executive, States of Jersey:
There are a lot of projects in here. There are some which are capital. There is also a lot here which are not capital. So I think there is a balance. There are grants. There are loans. There are bank accounts. There are schools. There are tax transactions. There are procurement cards. There is income support.
Deputy T.A. Vallois:
You have mentioned quite a lot about risk in talking about business plans and operational and risk side of that and it is not just Internal Audit. Your job is the business plan side of things. So can you explain whether there is some form of risk assessment framework that goes across, consistently, departments - so that, in terms of acceptable or unacceptable risk, people can read and use their own discretion as an accounting officer in saying: "Okay, this is the kind of framework that I can sit against, so think I have got a higher chance of going with this in terms of risk," and then when the internal auditors come along they can say: "Well, justify it," or: "How has that come to this particular position"?
[14:00]
Chief Executive, States of Jersey:
I do not think we have one risk management process or structure. In an organisation such as ours, because we are so diverse, it would be quite difficult to have one structure. There is certainly a framework which all chief officers, I would expect, would be compliant with, but to say there is just one process and that everyone follows the same process. There is corporate risk, so
the CMB will look at the corporate risk. Then there will be departmental risk registers and risk
assessment and they will go right down to a much, much lower level, at departmental operational
level down to visible one-the-job risk assessments. So I think we have got a position where we have a corporate risk register, departmental risks which will affect the function and operation of a department, and then those will be taken right down to individual work processes, work risk assessments.
Senator S.C. Ferguson:
Have you got a copy of the risk assessment for the manpower returns that we had in January?
Chief Executive, States of Jersey:
No, I have not got a copy of the risk assessment.
Senator S.C. Ferguson:
I did not notice in the internal audit plan that you were going to look at the reasons for it being quite such chaos.
Chief Executive, States of Jersey:
Well, I would have looked to see what we had in terms of the project management plan. You have the report that we have got.
Senator S.C. Ferguson:
I certainly have not seen anything in list of eGov, an internal audit review of eGov.
Mr. J. Mills:
So the question is what ...
Chief Executive, States of Jersey:
Sorry, can I answer that first? Risk management for manpower returns, if you do not have a copy I will send it to you. In terms of eGovernment, eGov has obviously just been approved. So there will have to be a risk assessment of delivery against the objectives. If it has not been undertaken it will have to be undertaken, but it is a much longer-term programme. So I would expect, on eGovernment, to have a high level assessment in terms of delivery and impact of delivery across the organisation. Then I would expect each of the individual projects to consider risk because eGovernment is a good example of requiring really comprehensive cross-working across the organisation. It is one area where we potentially have risk because it is a new way of working in the organisation. It is more cross-work than when we are working in one department.
Mr. I. Ridgway:
I was just going to ask a very quick question. Is there something that links your corporate risk, assessment which you have just explained, to the Internal Audit Plan, so how Internal Audit is being used to mitigate those big corporate risks I think you identified?
Chief Executive, States of Jersey:
Yes. Well, this is where I do go back with the capital somewhat. The corporate risk registers will look at the big risks that we face and quite a lot of the big risks tend to be on the capital programmes, so some of those will be there. In terms of major revenue risks, then we would be looking at the areas which are likely to affect the business.
Mr. I. Ridgway:
So is there an explicit link that documents: "These are my corporate risks and this is how I am addressing it"?
Chief Executive, States of Jersey:
Well, the corporate risk register will have mitigation built into it.
Mr. I. Ridgway: Built into part of it?
Chief Executive, States of Jersey:
Built into the Internal Audit Plan, probably not directly.
Mr. I. Ridgway: Should it?
Chief Executive, States of Jersey:
I think I could argue both ways on that. I think it should but, at the same time, I would not want it to be linked to the point where you did not keep the independence of the Internal Audit Plan.
Mr. I. Ridgway:
What is the purpose of Internal Audit?
Chief Executive, States of Jersey:
Internal Audit is there to review and internal audit; to look at where it wants to look in terms of assessing projects. I would expect the Internal Audit Plan, in preparation, to be looking at report risks. I would expect the development of the Internal Audit Plan for the following year to look at
those risks; where they are in terms of the project, revenue or capital; where they are in terms of
delivery and what the risks are. Some of those could then ... I would expect some of those to be built into that plan.
Mr. I. Ridgway:
Is it a tool of management or is it completely independent?
Chief Executive, States of Jersey:
It is a function of both. It is a tool of management and it is independent.
Mr. I. Ridgway:
So it should be addressing the big risks faced by the organisation?
Chief Executive, States of Jersey:
That is what I am saying. I would expect, in preparation of an Internal Audit Plan for the following year, to be looking at corporate risks in the corporate risk register, taking some of those and building them into the plan and then looking at the more specific departmental areas that would come out of the business plan.
Mr. I. Ridgway:
But you are satisfied that this addresses ... that this looks at all your big risks?
Chief Executive, States of Jersey:
No, I would not say that I am satisfied. I think that, as we go forward, there is more to do in looking at corporate risk management and then bringing that down into the organisation, certainly then bringing it into our area. We are certainly looking at how we are improving both the risk management framework and corporate governance framework.
Deputy R.J. Rondel:
Just following on from that, are you able to explain the process that the Audit Committee follow when agreeing the Chief Internal Auditor's plan?
Chief Executive, States of Jersey: Audit Committee?
Deputy R.J. Rondel:
That the Audit Committee follow, yes.
Chief Executive, States of Jersey:
The Chief Internal Auditor will produce the plan and speak to the Chairman of the Audit Committee. Then the plan will go to the Audit Committee for approval. I do not get involved in a 3-way discussion with the Chief Internal Auditor, the Chairman of the Audit Committee and myself to discuss a plan that is going to the Audit Committee. The Chief Internal Auditor will meet with the Chairman of the Audit Committee.
Deputy R.J. Rondel:
That is what I want to try to extract, the exact process that is followed.
Chief Executive, States of Jersey:
The Chief Internal Auditor will meet with the Chairman of the Audit Committee and will look at the plan and the Chief Internal Auditor will meet with me and we will look at the plan coming ahead the following year. There is not a 3-way meeting between the 3 of us.
Mr. R. Parker:
Have there been any instances where you have had an Internal Audit report which has involved yourself and the Audit Committee having to take either disciplinary action or to take any action against an individual?
Chief Executive, States of Jersey:
No, I am not aware of any. I cannot, off-hand, think of any. The Audit Committee is not structured in a way that it would. It could make a recommendation and it would certainly have a very strong recommendation in terms of ...
Mr. R. Parker:
It comes back to you and in the past it has been you and the ...
Chief Executive, States of Jersey:
I would expect it to come back to myself and the Comptroller and Auditor General. We would become aware very quickly if something was not right.
Mr. R. Parker:
The Internal Audit Department is situate within the Treasury Department?
Chief Executive, States of Jersey: Yes.
Mr. R. Parker:
One of the big areas that you are dealing with going forward is the sort of restructuring related to manpower and I think that is regarding efficiencies and so forth, moving forward?
Chief Executive, States of Jersey:
That is part of the overall public sector reform programme.
Mr. R. Parker:
Yes. I see in this plan you have got capital projects but, in relation to restructuring and how that impacts on to internal controls and so forth, is there any aspect of that that has been linked to internal audit?
Chief Executive, States of Jersey:
I think we come have back to more the specific areas. eGovernment is one where we certainly would need to make sure we are very aware of the risks associated with delivering it because, as I said, that one is very much cross-work. If there are more specific, in the future, pieces of work which would significantly change the functions of departments and how they operate between their respective roles, then that would need to be looked at. Certainly I would expect that to be looked at from an audit and risk perspective to make sure that any risks that were associated with bringing the 2 functions from individual departments together to be properly assessed.
Mr. R. Parker: How do they ...
Mr. J. Mills:
Are there examples of that in this year's plan? You highlighted this as being an area of being particularly, sort of ...
Chief Executive, States of Jersey:
That is what I was just looking at. Ports of Jersey was one of them I just saw in the plan. So areas such as that I would expect to see in the future. If there were more coming up such as that, I would expect to see them in there.
Mr. J. Mills:
The ports one is really only about that creditor payments. It is not a really a corporate risk, is it, of the kind that you have been describing?
Chief Executive, States of Jersey:
As we are talking, I am just going to go through the 2014 plan.
Mr. J. Mills:
Put it this way: is this something you discussed in one of your 3 private meetings with the Chief Internal Auditor?
Chief Executive, States of Jersey:
Not directly in terms of the public sector reform programme.
Mr. J. Mills:
No, I do not mean that, but just this process that you described of moving to a more structured and corporate approach to business, where departments work together and where there are cross- cutting projects. You said this was an area of some risk but it is the way the place is going and, under the recent law changes, you yourself would have greater powers in this regard. Have you sought yet, in any way, to reflect these important changes in the work of the Chief Internal Auditor?
Chief Executive, States of Jersey:
Not at this stage, no. But I think, as we go forward and as we start identifying specific areas, there are areas we have to look at.
Mr. J. Mills:
You have not identified any areas yet?
Chief Executive, States of Jersey:
We have not identified that we are going to merge this bit of Department A with this bit of Department B and produce something new. So as we go forward, looking at that as part of the delivery of the reform programme, we need to be very cautious and very conscious of the requirement to look at the risks associated with it and deliverables that come out of it.
Deputy T.A. Vallois:
Can I ask, just to wrap up on the purpose and coverage of the Internal Audit work, the actual Internal Audit Plan that you have referred to many times mentions risk a large amount of times. Why is it that there is no form of methodology for risk assessment within the audit plan as such? I mean risk seems to play a massive part, particularly in your role. But if, say, I was Chief Executive and I needed to justify or place reliance on an internal audit report, how would I do that without a risk methodology within the audit plan or identifying what risks they are testing against in the actual audit plan?
Chief Executive, States of Jersey:
I think if we look at the audit reports that would come out from one of these reviews, they will have a plan of actions and they will categorise them to high, medium or low. Certainly the highs and mediums are the ones we will focus on straight away. So I would expect each department then to have a delivery plan against how they are going to deal with them. They would then be assessing what has to be delivered against those particular recommendations that come out of them.
Deputy R.J. Rondel:
Sorry, when you say you would expect ...
Chief Executive, States of Jersey:
I think we are mixing the outcome of an Internal Audit report with risk management plans. The Internal Audit report would come up with series of recommendations: high, medium or low. The departments who are receiving that report will be required to come up with an action plan to deliver against those and then Internal Audit will always follow up to make sure they are complied with. So there is a process that is in place for that. In terms of managing risk, I am not linking that directly with delivery against these individual reports.
Deputy T.A. Vallois:
But if I look at the Internal Audit Plan and - you have just mentioned Ports of Jersey, for example - and see that they are looking at Ports, how would I identify what risks are being addressed under Ports in the internal audit plan?
Chief Executive, States of Jersey:
When you say: "What risks are being addressed" ...
Deputy T.A. Vallois:
We have just gone through business planning and risk addressing. We have just discussed internal audit and its importance in looking at risk. So if I am looking at an internal audit and I was in your position, for example, and I wanted to know why Internal Audit were looking at a particular area and what risks were being addressed within that particular internal audit, how could I see that within this Audit Plan?
Chief Executive, States of Jersey:
I do not think you can see it here, but what I would expect is that if you pick any one of these topics which are going to be looked at then I would expect that part of the work that the Chief Internal Auditor is doing or the auditor doing the work would be looking with the department or the service area in particular to say: "What have you got around Ports creditors? What have you got there from a risk ..."
[14:15]
Senator S.C. Ferguson:
In your 3 meetings with the Chief Internal Auditor, have you not discussed the risks attached to each area before it is put into the report?
Chief Executive, States of Jersey:
Well, I think I said earlier on that part of looking at the programme is looking at which areas are likely to have risk attached to them and then identifying that that is an area that is in the report which is going to be covered. Or, have I looked at the departmental business plan; so there may be a project coming up there which, from past experience, could have some risk attached to it and you would expect ...
Senator S.C. Ferguson:
Well, do you not identify the likely risks? Have you not done that?
Chief Executive, States of Jersey:
I do not sit and look at every element of every department.
Senator S.C. Ferguson:
No, when you are discussing the plan with the Chief Internal Auditor.
Chief Executive, States of Jersey:
We will certainly, looking at the all the titles here, look at which ones there might be, the higher risk ones which need more attention. Some of them come up on a regular basis. So there needs to be, therefore, some statutory compliance; cash management, for example. Some of the others would be higher risk projects which need more days and that is probably reflected in the amount of time that is allocated to the review.
Mr. J. Mills:
The subject matter in the 2014 plan, are any of them there because you suggested in your meetings with the Chief Internal Auditor that it really would be quite a timely and good idea to look at this area or that area, having regard to what you have been saying about corporate management and corporate governance risk, or were you presented in a sense with a draft which was generated within the I.A. (Internal Audit) organisation which you were content to sign off?
Chief Executive, States of Jersey:
I think one I did suggest was in capital, just to go back to capital. I think it was in the sewage
treatment works and I suggested that one because I knew it was quite a complex process of a
number of individual elements. From experience, if you have individual elements in that sort of continual process you need to make sure that you address the risks ...
Mr. J. Mills:
But, by and large, your role in signing of the draft is a responsive one rather than whatever the opposite of that is?
Chief Executive, States of Jersey:
Yes. I will respond to it and then I will look at the list and think: "There is a project here that may be attracting a higher..." Sorry, I am going back to capital. The ones that do give me concern will be the hospital, because obviously it is such a big project spread out over such a long time, with so many inherent risks of managing patients, et cetera, throughout. So that one was very high risk, and the sewage treatment works is because it is a continual process.
Mr. R. Parker:
I mean on the hospital ...
Deputy R.J. Rondel:
We have got to move off risk.
Mr. R. Parker:
On the hospital, I see that that is down to Properly Holdings and that is related to the procurement and so forth and the contract. What about the management information within the hospital? I am sure that the KPMG report will have been based a lot on the actual documentation and so forth from the hospital. So has there been any review of the accuracy and comprehensiveness of that sort of data and the way in which it is collected to get to that decision, particularly after the problem with the incinerator where there was an issue regarding the actual requirements and the projections which were flawed in relation to, I believe, the size of the facility?
Chief Executive, States of Jersey:
Sorry. I have to challenge you on the issue about the incinerator. I am not aware of any projections that were flawed.
Mr. R. Parker:
No, okay. Well, there were no projections flawed on that? Not the incinerator; I mean ... okay, the incinerator I think it was. But, okay, that is not ... but the issue on this is what is the sort of management information like within the actual hospital?
Chief Executive, States of Jersey:
I think management information in the hospital is an area which has to be checked and validated on a regular basis and I think we would all recognise that it is so big and the cost of health care is growing rapidly that we have to be very, very careful to make sure that we assess it and, if there are any areas that are identified that need urgent attention, they will be ...
Mr. R. Parker:
So has there been any review by Internal Audit regarding management information?
Chief Executive, States of Jersey:
I do not think there has been. I think we need to be looking at a lot more work. Certainly when KPMG produced the White Paper they had access to all the information that was available and they based their recommendations and the outcomes on that. Whether that is still valid, whether it needs challenging and whether we find that there are improvements that need to be made, I think we need to look at and it will come out.
Deputy T.A. Vallois:
I am just conscious of time.
Chief Executive, States of Jersey:
Something as big as the hospital, I think, needs to have a continual programme. Something as big as healthcare - and it is not just the hospital, it is healthcare - needs to be constantly reviewed on management information accuracy and trends.
Deputy T.A. Vallois: We are aware.
Deputy R.J. Rondel: Absolutely.
Deputy T.A. Vallois:
I am just conscious of the time, so if you have just got a couple of questions.
Deputy R.J. Rondel:
Just a couple of very quick questions on the quality which underpins the whole of the Chief Internal Auditor's reports. As accounting officer seeking to place reliance on the work of Internal Audit, how do you satisfy yourself about the compliance of Internal Audit with relevant standards and are you satisfied that the extent of compliance with Public Sector Internal Audit Standards and the associated improvement programme was adequately reported to the Audit Committee?
Chief Executive, States of Jersey:
Looking forward, I think a combination of the work that is being done by the Chief Internal Auditor, linking that to the work that has been done by the Comptroller and Auditor General's report, and looking at the Internal Audit charter with the Audit Committee, I think the combination of those gives us a much better position going forward than we have had in the past. So I think if I was answering the question looking back and looking forward, I would probably answer it by saying I think there may be some gaps in what we have had in the past that have now been identified and are being addressed. Looking forward, we need to make sure that we have in place the rigid framework or we need to create the structure now that does assess on a regular basis compliance of Internal Audit against the standards. As I said before, I do not ever remember an audit of Internal Audit before.
Deputy T.A. Vallois:
You are an accounting officer and you have personal liability in terms of expenditure within your department. That is correct, is it not?
Chief Executive, States of Jersey: Yes.
Deputy T.A. Vallois:
If that is the case and you are saying that there were holes with regard to Internal Audit in the past, how difficult does that make your job in terms of complying with your role?
Chief Executive, States of Jersey:
Well, I am not saying "holes." I think what we have identified is PSIAS did not come out until 2013, if I remember rightly. So that is a new standard that has taken us some time to get fully operational. In the past I have had to rely on Internal Audit as it was functioning at the time to audit the services I am providing and any recommendations identified I made sure I delivered or made sure I addressed. Looking forward, I need to be satisfied as an individual accounting officer as well as the chief executive, which comes back to ... when we are talking about training for all accounting officers, that they are fully aware of the requirements of PSIAS, how they are
implemented from the Internal Audit perspective, what impact those standards have on the
individual accounting officers so that the accounting officers are fully aware of their responsibilities under that law. If I look back to when we moved in 2005-06 from an organisation that went straight into the role of accounting officers, did we put in place the training and structure to make everyone aware of their roles and responsibilities? The answer would be no. What happened, because I was part of it, was I was provided with a set of financial directions and those financial directions were: "That is what you have to comply with."
Deputy T.A. Vallois: Can I just ask finally ...
Chief Executive, States of Jersey:
I have to say I do not think that, in 2005-06, was a very good way of making a significant change from how we functioned in the past to how we have to function for the future with the responsibilities of an accounting officer. So as we move to implement PSIAS standards we need to make sure that we are putting that structure in place.
Deputy T.A. Vallois:
Just finally, because I have run out of time, would you say that the Corporate Management Board members - the accounting officers - feel as though they are being challenged by Internal Audit and do you think they should feel challenged?
Chief Executive, States of Jersey:
I think the answer is yes, they should feel they are being challenged. I think they feel they are challenged. I think they have a fairly healthy respect not just for Internal Audit but I look at it from 4 different areas. I look at it from the Public Accounts Committee, I look at it from the Comptroller and Auditor General's position, I look at it from the Audit Committee, and I look at it from the Chief Internal Auditor's role or the Internal Audit role. Those 4 compliance, governance, oversight positions provide a fairly strong framework that says to chief officers: "You have got financial direction or compliance standards or whatever to comply with. You have got 4 fairly strong bodies or organisations or areas which are going to be looking at your performance." I do not think I would ever see a chief officer that does not take the functions of the PAC, the C&AG, Internal Audit and the Audit Committee very seriously.
[14:26 - Ends]