Public Accounts Committee Internal Audit
Chief Internal Auditor
MONDAY, 2nd JUNE 2014
Panel:
Deputy T.A. Vallois of St. Saviour (Chairman)
Senator S.C. Ferguson (Vice Chairman)
Deputy R.J. Rondel of St. Helier
Mr. I. Ridgway
Mr. J. Mills, C.B.E.
Mr. R. Parker
Witnesses:
Chief Internal Auditor
In Attendance:
Comptroller and Auditor General
Deputy Comptroller and Auditor General
[15:30 – Commencement and introductions]
Deputy T.A. Vallois:
We are going to just start on requirement of the Public Finances (Jersey) Law, if that is okay. The first question is: "Which pieces of work of Internal Audit in the last 12 months provided assurance that the public finances of Jersey were being supervised in accordance with the law?"
Chief Internal Auditor:
I do not think you can draw on any particular piece of work that would give ultimate coverage. I think it is delivering of the Audit Plan, as you are aware, that I started in August of this year, so I will comment on the work done since August but incorporate the work done of my predecessor. The Audit Plan is done to give assurance and assistance to Comptrollers of the States of Jersey and delivering that plan is done under a risk assessment to ensure that there is ultimate coverage of systems and controls in order to give absolute assurance on all transactions of the States of Jersey.
Deputy T.A. Vallois:
How do you determine the frequency with which individual non-ministerial bodies are subject to internal audit?
Chief Internal Auditor:
Sorry, can you repeat the question?
Deputy T.A. Vallois:
How do you determine the frequency with which individual non-ministerial bodies are subject to internal audit?
Chief Internal Auditor:
In regards to non-ministerial bodies there are a number of cross-departmental audits, such as debtors, creditors and payroll, and they will touch on non-ministerial departments. In addition, the Audit Plan that is done will look at non-ministerial departments. So, for example, this year we are doing an audit of overseas aid commissions, we will also be doing the Greffe accounts, so we will touch on non-ministerial departments as well.
Senator S.C. Ferguson:
How do you determine the work to be undertaken in respect of the States Treasury?
Chief Internal Auditor:
That is a very important question and one that involves a strict protocol, so there is a protocol, which is in your briefing pack, for the Treasury Department. It needs to be done to ensure there is adequate coverage in Treasury but that there is an independent reporting line as well. So I will discuss the Audit Plan with the Chief Executive and the Chairman of the Audit Committee. The Audit Plan will also go to the whole Audit Committee for review and they will ask questions on all departments, including Treasury, so there is oversight in that area. In addition, BDO, our outsource contractors, also discuss the audit plan with myself; so there is not just myself, there is also a second department looking at the plan, and in specific Treasury, to ensure there is adequate coverage in Treasury.
Senator S.C. Ferguson:
Right, so when do you discuss it with the Treasurer?
Chief Internal Auditor:
The audit plan gets discussed with the Treasurer once we have decided what audits should be done, including that of Treasury, and that is when it is discussed with the Treasurer.
Senator S.C. Ferguson:
So presumably at the moment you were not responsible for the 2014 plan?
Chief Internal Auditor:
I was not responsible for the 2013 Audit Plan, I am responsible for the 2014 Audit Plan that went to Audit Committee in November 2013.
Senator S.C. Ferguson:
This one? Right.
Chief Internal Auditor:
Yes.
Senator S.C. Ferguson:
So risk assessment with regard to the Audit Plan, you have obviously heard my questions to the other participants in the hearings. Have you any explanation as to why you did not include a risk assessment, and so on, in this Audit Plan and perhaps a section on the parameters of the risk assessment? Why did you not do that?
Chief Internal Auditor:
The paper that you have there is the final Audit Plan that went to Audit Committee in January 2014. There was a previous version which went to Audit Committee in November 2013. In that one, there was greater information on methodology on the audit, on assessment. It did not specifically list PSIAS (Public Sector Internal Audit Standards) standards but it did explain why we looked at, for example, state management, procurement, governance and how the Audit Plan did that, and I am more than happy to supply that methodology document to PAC if they wish to have a copy of that.
Senator S.C. Ferguson:
Why did you take it out?
Chief Internal Auditor:
It was not taken out. This is a pack for yourselves of information, this just includes the Audit Plan. It is the most updated one. It was not omitted, it was that this is the most updated plan and I am more than happy to share with you ...
Senator S.C. Ferguson:
No, that was not ... I said why is the risk thing not in this?
Chief Internal Auditor:
Sorry, for clarification purposes, this is the final Audit Plan that went to Audit Committee after adjustments had been made post Audit Committee's comments, therefore it did not include the visual methodology because the visual methodology did not change, so it was just the audits themselves that changed, if that gives you clarity on what you are asking. It was not omitted from the Audit Committee, this was a resubmission of the plan to Audit Committee a quarter later.
Deputy R.J. Rondel:
Is there any reference to it in here, the risk assessment, that methodology?
Chief Internal Auditor:
Sorry, I will go back just for clarification purposes. The original Audit Plan was sent to Audit Committee in November 2013 and that included the paper that went to Audit Committee as well with it on methodology of the Audit Plan.
Deputy R.J. Rondel:
Right, which was part of this, or ...?
Chief Internal Auditor:
Which was part of that, then they asked for some additional audits and questions on audit, and then the paper you have there is the final Audit Plan that was basically re-presented to them for confirmation, for information purposes, after taking into account the Audit Committee's valid points.
Senator S.C. Ferguson:
So why did you leave out the methodology and the risk assessment side?
Chief Internal Auditor:
What, for yourselves?
Senator S.C. Ferguson:
No, as a ...
Deputy T.A. Vallois:
No, as in the Audit Plan. It is like the question I asked the Chief Executive before: so if I look at this document and I want to see the risks being addressed, as per, say for example, income tax plan section processing, or ports, for example, I cannot see that plain and simply when I just open up the book and look at it. So if risk is a major part, or a big part, of the planning process in looking at the audit plans, why can I not see that in looking in the internal Audit Plan?
Chief Internal Auditor:
You are right, I think, that the risk assessment could be more explicitly written into the audit methodology going to Audit Committee, and I agree with that. The Audit Committee did have an update of the risk assessment in the November Audit Committee, but I do agree and I welcome the C&AG's (Comptroller and Auditor General's) comments that I think more detailed analysis and understanding should be put in the paper. We welcome that response and it will be taken forward to the next Audit Committee.
Senator S.C. Ferguson:
Yes, because I think you will find that people do not like keeping too much paper around because otherwise you will drown, so if they have not got it easily accessible they cannot refer to it easily.
Chief Internal Auditor:
No, I agree.
Mr. J. Mills:
But what is the essence of your risk methodology, just in a few sentences?
Chief Internal Auditor:
From a risk point of view, without going into a lot of technical detail, there will be certain key audits to be done required by the law, for example hip transplants, to then look at key cycles, for example debtors, creditors and payroll specifically for audit, and they will be looked at as well. Then we will look at the accounts and look at the key transactions so, for example, grants are a key financial expenditure of the States of Jersey, and so therefore the Audit Plan, as you can see, has a number of grants. If you compare this to previous audit plans; we have increased the number of grants that are being audited this year to reflect the recommendations and the follow-up, and not just of ED (Economic Development), for example, but also of other departments, so we can review that. I think it is an important area for us to focus on.
Mr. J. Mills:
If I can just follow that up. When the Chief Executive was here earlier we asked him a similar kind of question and he gave us what seemed to be his view that, in his discussions with you, he was anxious to get across some of the important corporate risks facing the organisation of cross-departmental stuff and the importance of seeing those effected in the plan. Then he instanced one about the sewage plant, the sewage sludge operation. So did the sewage sludge plant within here appear because of that; it was not on your risk horizon, but he suggested it ought to be from his own perspective? So it was not part of your methodology, in a sense.
Chief Internal Auditor:
The sewage treatment plant has been on the Audit Plan for 2015, for example, just like e-government, will be on the Audit Plan for 2015 as well. So when we do the Audit Plan I will go and meet with the chief officers and the finance directors of each department and ascertain from them where they think their risks are, where their concerns are to reflect that in the Audit Plan. The sewage treatment works is being billed as a capital audit this year; it was on the radar for next year but it has been brought forward to this year following on from the Chief Executive's comments.
Senator S.C. Ferguson:
You adopt a risk-based planning process. Can you describe to us, please, what you mean by "risk", because there must be about 95,000 versions of it, and what the planning process involves?
Chief Internal Auditor:
As I said earlier, when we look at risk, it is about giving assurance on the systems and controls of the States of Jersey and, when you look at risk, it is to look at what are the key systems and controls in the States of Jersey. Like, for example, I said to you earlier, you would look at payroll because it is a major expense of the States of Jersey, you would look at debtors, you would look at creditors, you look at bank accounts because they are where most transactions happen; when they go through. So you would look at that from a risk-based approach. You would also look at departments to make sure you have enough departmental coverage for all departments during the year. You would also look at things you would have to do under the law, for example hip transplant, as I said to you before, has to be done under the law. Also, I would look at previous findings, both from external audit work, from the C&AG's work, from external reports done and, for example, there was a lot of work done on grants last year by yourselves, and there was a need to do more internal audit work on grants, and I welcomed that as a finding from yourselves. It has been reflected that we are doing a number of grant audit works in a number of departments this year, and I have issued a number of audit grants this year already. As per the Public Finance (Jersey) Law, as per Internal Audit protocol, the C&AG, as well as the Chairman of the Audit Committee are sent all audit reports as well.
Deputy T.A. Vallois:
At the planning stage, how do you identify and assess the risks associated with information technology?
Chief Internal Auditor:
Information technology is a key specialist area and we would use BDO to look at our information technology, our Internal Audit information technology person that we use with specific qualifications on that, and would use that resource with that experience to look at it. This year, for example, we are doing an audit on long-term care charged at collection, and that would need an IT (information technology) audit specialist to come in. Again, compliance with the U.S. (United States) tax legislation.
[15:45]
Although it is not in the Audit Plan because the Tax Department have come to see me recently and said they would like Internal Audit to help them in an advisory capacity on FATCA (Foreign Account Tax Compliance Act) compliance for IT purposes. So we have engaged an IT specialist to come and do that piece of work. So when we are looking at the IT side, we would always use a specialist to come and ascertain what the scope of work is and what is needed, because that is a resource that we would get externally. Similarly, for example, value for money audits on a specific area as well, so we are doing an audit currently on Back to Work being value for money. BDO in the U.K. (United Kingdom) are a very strong market leader in that area and they have a lot of information on what the U.K. Government use, for example, things like multiplier effects, et cetera, on Back to Work, and they are doing a piece of work on value for money and we would use them because they are the specialists. We would outsource that specialist work because it would not be worthwhile currently from a financial point of view having a person specifically in-house just for that piece of work. Obviously with IT it may change going forward a number of years, but currently that is the model that is best value for money for States of Jersey.
Mr. I. Ridgway:
Can I ask what the specific risk factors were around Back to Work compared to anything else?
Chief Internal Auditor:
The States of Jersey has spent a lot of money on the Back to Work initiative and, based on that, the risk assessment would look at that and make sure it has been spent to the best value.
Mr. I. Ridgway:
So the financial value of the Back to Work scheme rose it sufficiently in your risk register?
Chief Internal Auditor:
I raised it to look at it on the audit potential plan and also, and more importantly, when we spoke to the department themselves the Financial Director and the Chief Officer both said that they would like an audit done on Back to Work to confirm the value it is giving and the amount of resources they are putting into it. So it was raised from their side as well. It is important we listen to the departments and important that we have a good relationship with departments so they can come to us and ask for an additional piece of work to add value to their departments.
Mr. R. Parker:
Are there areas where you have not been approached by the departments but you feel there is a risk and have decided to do the work in that area?
Chief Internal Auditor:
In the Audit Plan that was presented to the Audit Committee, and it was also presented to FAB (Financial Advisory Board) as well as CMB (Corporate Management Board), there was no resistance to the audits on our plan, and we will carry out that plan. Departments have come to us and asked for audits but I have not had any resistance since being in post.
Mr. R. Parker:
You have not had anything where, shall we say, there was a potential problem in a department or the like, which has been highlighted? So a whistleblower or something like that, which has instigated work to be done?
Chief Internal Auditor:
I have not come across any departments in the senior management team that have not welcomed us to come in and do an audit, compliance or advisory, if we so wish to do, and I have had full co-operation from departments since being in post from August. If there was a concern, there are protocols to go through and I would raise that appropriately. So far I have not heard any views ...
Mr. R. Parker:
There has not been anything raised to say: "There is a potential problem in this area and it needs to be looked at."
Chief Internal Auditor:
There are areas that we have come across during the year, and the Audit Plan is a live document, so it will be developed, and there are areas that we have gone into and audits we are doing currently that are based on some findings or based on some information we have gone into in more detail, but there has not been any resistance from departments to that, so ...
Mr. R. Parker:
I am not saying so much resistance as information coming to yourselves, or you have looked at it and said: "Here is a problem area; we are hearing things" or someone has whistle-blown and given you information and you felt that that is something you need to put on the plan.
Chief Internal Auditor:
Yes, indeed, there is. There are currently 2 pieces of work ongoing at the moment based on individuals coming to raise a point that we are looking into and we will continue to look into those areas when they are informed to us. The Audit Plan is set, but there are resources put aside within that Audit Plan to do additional pieces of work as the year progresses, because there will be additional risks that come up, there will be additional concerns that will be raised. The point we are looking at at the moment I cannot divulge because it is under review and it has not been finalised yet, but it may prompt additional work to be done afterwards. There, the department themselves came to us concerned about this area and ...
Deputy R.J. Rondel:
How do you assess whether to continue and carry on with a full review of that specific piece of work?
Chief Internal Auditor:
That is a very good question. We would originally do the assessment and we would then do an initial findings report and then make a recommendation to the department that we do a further review to substantiate what the concern was and if it was systemic or whether it was an isolated incident.
Mr. I. Ridgway:
Would you make a recommendation to the department to do a review or just do it?
Chief Internal Auditor:
We would make a recommendation that we would do further reviews, and we would do those further reviews to ensure that it had been followed up. More importantly, when there are incidents that are informed to me, is to ascertain if it is an isolated incident or if it is more systemic. So, for example, although I go back to ... I do not want to raise Canbedone again, that grant situation happened before I arrived, but it is important that that was noted and was developed in the Audit Plan. That meant that, rather than the original Audit Plan for 2014, I amended that. We went to the Audit Committee and said "We need to do more audits on more grants, but not just within one department, to see if the points raised are systemic to an organisation or whether it is training or addressing them or exemptions being used, or due diligence, or whether it is isolated in that one department." That is why we are doing a number of departments on a risk-based approach because I wanted to ensure that there was assurance in that area, given the fact there had been some areas of weakness previously.
Deputy T.A. Vallois:
I was just quite interested in the way that the Chief Internal Auditor works and hearing what the Chief Executive said earlier about business plan objectives and risk assessments around those particular areas. I would just like to understand from yourself if you are doing an audit on a particular area, let us say for example that does not have an overarching legislative requirement or an overarching policy requirement, and you are trying to determine value for money. Being the management tool that you are for the States, how would you go about dealing with that particular issue? I am just intrigued because, listening to what the Chief Executive had to say earlier, I would like to understand from the Internal Audit point of view how you would go ahead with your reviews or your reports on that basis.
Chief Internal Auditor:
Specifically on value for money audits?
Deputy T.A. Vallois:
Yes, and if there is no particular objective in the business plan or if there is no particular overarching legislation or policy that requires that money to be spent.
Chief Internal Auditor:
Value for money is very important to the States of Jersey and to ensure that money is spent in the best public interest. Value for money audits are a specialist skill, and it is a very specialist type of audit one would do. So that specialist skill-set we do outsource in value for money audits, we do not do those currently in-house. The way the scope would be set would be that it would be done in conjunction with the value for money specialist, for example, it would be on the basis of, for example, a ministerial decision that is made, maybe a policy, maybe a statement about why the money would be used in the first place and how it has been best used. That is what we would look at. I cannot answer the question in specifics of the methodology on value for money audits because that is a specialist area, but I would be more than happy to revert back to you on the specifics of ...
Mr. R. Parker:
I understand where you are looking at standard operations, if you do this operation, what is the benefit to the community, and so forth. I understand that being value for money but, if you are going through a standard structure and you look at it and say: "Why are you going around the park when you could go from here to there?" If you were to do that, while you would increase the efficiency substantially, it may have an impact on the number of jobs involved in doing that operation. How do you deal with that?
Chief Internal Auditor:
Internal audit is to give independent assurance on systems of control, it is not to recommend in terms of how departments should resource themselves. However, part of our audit programme this year is, for example, to look at public reform and look at Lean management. Now, Lean management is very, very key and I am a very strong ambassador of Lean management. Two of my team members have been qualified in Lean, and that is specifically so that on all of our audits we do not just deliver the audits in, say, a department in compliance, but also add value in terms of Lean strategy in terms of: "Can this be done more efficiently? Could you deliver more to the public purse more effectively?" By having members of the audit team that are Lean trained, we can use that skill-set on the audits. Like you say, to make sure we go from A to B rather than going A to C, D and back to B. So this is really ...
Mr. R. Parker:
All the simple things: when you ended up having to pay certain bills, you could not pay them online until only relatively recently, and that was so many years out of date.
Senator S.C. Ferguson:
Can you not pay on debit card?
Mr. R. Parker:
We will not go into that, but ...
Chief Internal Auditor:
You are right. For example, like changing addresses; in the States of Jersey people have to go to various places to change their address. This causes public frustration because they may even be fined for not changing their address when they genuinely think that they have changed it.
Mr. R. Parker:
You end up with a situation where there are a whole lot of databases and you think: "Why can that not be centralised into one?" You end up with letters going out from, I think it is the hospital when emails or SMSs are current now, and I think that was recognised in some report, and that would end up simplifying things, because people are less likely to lose their email address or SMS than probably their postal address. There are things like that which can simplify the efficiency of an operation.
Chief Internal Auditor:
I agree with you. In fact, when I arrived I had some conversations with the Comptroller of Income Tax as well as Social Security and now, for example, for pensioners, they share information. So, for example, now the Income Tax office will share information with Social Security so if you are a pensioner with a private pension, it is already put on your tax return form, which has great efficiencies because it is sharing information. That decreases error rates, it decreases things like fraud, for example. I think working much more cross-departmental is very important, because a lot of our audits, for example, are cross-department as well. At the moment, we are looking at travel and accommodation expenditure and we are looking at compliance with financial directions in processes of travel and accommodation. This is specifically an audit on not using proper methods, so why people are buying stuff and not using the corporate channel. There may be a legitimate reason because if there is not a hotel and it is out in the country, maybe they cannot use that, which is within policy and procedures. So sharing that information in a cross-departmental way. Also, when I arrived, one of the big things I wanted to do was to do a follow-up recommendation programme and we went back for the past 3 years. There were 173 audit recommendations over the past 3 years across all departments. We are looking at each department to follow them up because, as part of PSIAS, which are our internal auditing standards, we have to make sure we can follow up internal auditing recommendations. So when I came, I wanted to make sure that they are being followed up robustly. 
We have issued 7 departmental draft reports, 3 are to be issued this week, but it has been a big, big exercise and we have checked every high recommendation and we have done a sample of medium and low recommendations with departments to make sure they are (a) taking recommendations seriously but (b), more importantly, if there is a recommendation made by Internal Audit, that was to address a shortcoming or a risk in the first place and if it has not been addressed we need to know why and to make sure it is followed up practically.
[16:00]
That is a big piece of work we are undergoing. Subsequently, on all audits it is part of our procedure that we follow-up recommendations 6 months after every audit to have a traditional follow-up model. At the moment we are doing a catch-up exercise to ensure that we are looking at all recommendations.
Deputy R.J. Rondel:
The Treasurer mentioned you use BDO quite often and the importance of that relationship, but is that correct or should you really use other organisations as well?
Chief Internal Auditor:
For the States of Jersey, if you use one contractor you are going to achieve better rates than if you use a number, so therefore it is value for money so it is good to use BDO. However, there are some times where it is necessary to potentially use other firms. For example, the FATCA project we are doing, without explaining to you U.S. (United States) tax legislation ...
Deputy R.J. Rondel:
That is exciting ...
Deputy T.A. Vallois:
We have passed that, I hope you understand it ...
Senator S.C. Ferguson:
I think we probably do have an idea.
Chief Internal Auditor:
Yes, I am sure you do have an idea but, without going into too much detail, the IRS (Internal Revenue Service) are coming over to Jersey in the summer to check that we are set up and running to comply with FATCA requirements. I am getting one of the Big 4 firms in to do a piece of work, because they have specific FATCA knowledge and they are being currently appointed. So BDO will do that piece of work because the firm we are using has had dealings with the IRS and other government organisations so they have that specialist knowledge, and also it was a much better place for the IRS...
Senator S.C. Ferguson:
So that is a consultancy analysis, that is not internal audit compliance.
Chief Internal Auditor:
That is an advisory piece of work, so an Internal Audit advisory piece of work.
Senator S.C. Ferguson:
It is advisory, yes.
Chief Internal Auditor:
Yes.
Senator S.C. Ferguson:
Are you doing the same for the U.K. FATCA?
Chief Internal Auditor:
Well, they are specifically doing the USA project because ...
Senator S.C. Ferguson:
I know that is the USA, I just said are you doing the UK one, where I understand that there is a higher degree of risk?
Chief Internal Auditor:
Currently we are not doing the UK one because the department, from our assessment, is doing a programme and putting in procedures to address that one, but they need some advisory work for the US FATCA project.
Senator S.C. Ferguson:
So how do you estimate the division between advisory and compliance work?
Chief Internal Auditor:
I think it is very important, and I welcome the C&AG's comments that Internal Audit needs to give assurance on systems control for the States of Jersey and that means doing adequate compliance audits. You will see the C&AG's comments on previous year's Internal Audit work of 50 per cent, based on number of reports. I agree with the C&AG and I welcome her recommendations and embrace that. You will see from the Audit Plan there is approximately 6 per cent of planned advisory work because, while it is important that Internal Audit provides advice to departments and helps them to deliver efficiencies and improvements, Internal Audit must not lose oversight about putting enough resources into compliance. Therefore in my audit programme that I delivered to the Audit Committee I did change the balance to have more compliance audits. I do agree with the C&AG's point that this is important.
Senator S.C. Ferguson:
So run through it again for me, if you would be so kind. You came up with the original Audit Plan and then you went to see the Chief Executive. Run through it simplistically for me, please; I am only a politician.
Chief Internal Auditor:
Yes, I will do. No, no; you are a very knowledgeable politician.
Deputy R.J. Rondel:
She is not, you know. [Laughter]
Chief Internal Auditor:
In the past, the 3-year audit programme that you have seen was presented to the Audit Committee and ...
Senator S.C. Ferguson:
Okay. You have got a piece of paper, you sit down and you say: "These are the things I want to look at. These are where I see a risk." So you have got your little draft plan, what happens then?
Chief Internal Auditor:
The draft plan then gets presented to the Treasurer of the States for consideration and discussion.
Senator S.C. Ferguson:
Where is the Chief Executive?
Chief Internal Auditor:
Then, after the Treasurer, currently it will get discussed with the Chief Executive as well and the Chairman of the Audit Committee.
Senator S.C. Ferguson:
Is the Chief Executive not part of the meeting with the Treasurer?
Chief Internal Auditor:
No.
Senator S.C. Ferguson:
So you do it then you talk to the Treasurer, then you go to the Audit Committee, the C.E.O. (Chief Executive Officer), rather ...
Chief Internal Auditor:
The Chairman of the Audit Committee.
Senator S.C. Ferguson:
Then the Chairman of the Audit Committee, and then you go back and play with it again and then go ...
Chief Internal Auditor:
Present the totality of it to the Audit Committee itself for consideration. The Audit Committee comprises 4 members, 3 of whom are independent, in addition to the C&AG, the Deputy C&AG, the external auditors, PricewaterhouseCoopers, the partner as well as senior manager, myself and the BDO Director and also the Chief Executive and the Treasurer.
Senator S.C. Ferguson:
How do you manage to keep your independence if your first review of it is with the Treasurer?
Chief Internal Auditor:
It is discussed with the Treasurer but under the law the Treasurer cannot direct me on the Treasury audit.
Deputy T.A. Vallois:
That is the Treasury audits though, it is not any other audit.
Senator S.C. Ferguson:
That is the Treasury audit, what about the rest of the audits?
Chief Internal Auditor:
The Treasurer can give her opinion on additional audits that she thinks are relevant, based on her understanding of the States of Jersey, based on her own department as well as her meetings and her involvement with the CMB and the Audit Sub-committee, for example, and I will listen to her comments, take on board her comments and amend the audit programme if appropriate.
Deputy T.A. Vallois:
Can I ask how many times this Internal Audit Plan 2014 was amended from the first draft presented to the Treasurer to the final to the Audit Committee?
Chief Internal Auditor:
I cannot give a definitive number, but there were some changes. There was nothing taken out, there were additional items put in.
Deputy T.A. Vallois:
More put in.
Chief Internal Auditor:
Yes.
Deputy T.A. Vallois:
So how realistic was that, though, in terms of your ability to work to a timeframe?
Chief Internal Auditor:
It was realistic because there was capacity left in the plan to do additional audits at the request of departments, which included the Treasurer and the Chief Executive, so it was realistic in terms of timeframe. In addition, there is some capacity within that audit programme that you have to deliver additional audits at the request of departments. So, for example, this year I have done one investigation for the Chief Executive, which is a confidential investigation. Currently there are some reviews being done within a number of departments at their request that they wish Internal Audit to look into, both compliance and advisory. So there is additional capacity. For example, there is some additional work done on the Innovation Fund at the moment at the request of E.D.D. (Economic Development Department) to make sure that there is compliance and it has been functioning properly. In addition, as part of the consultation process, I am asked to read financial directions; for example, the current Innovation Fund financial direction is in draft at the consultation stage. There has to be capacity in any audit programme to address those risks because, if something happens, I need capacity to respond to that and to have adequate resources to do that and therefore when you compare what was in the original audit programme to the final Audit Plan delivered, there will be some additions. Some too will move: for example, on that audit programme, adult care homes is being deferred to next year because the renovation for them is not being done till next year so there will be no capital expenditure audit in that area for that one reason. Therefore we look at saying: "Well, what additional capital expenditure audits may need to be done instead on that basis?" For example, also I meet with the Chairman of the Jersey Appointments Commission as well, so you will see on there, there are audits to the Appointments Commission. 
The one area we are looking at is acting up because, from my point of view, there have been a lot of audits about payroll and generally about is someone being appointed appropriately, but one area I wanted to focus on, based on speaking to departments, is acting up. If people are acting up for 12 or 18 months, is there a reason behind it? Has it followed procedures and has there been a proper appointment approval process? If someone is acting up for 18 months, was there a reason behind it, an exemption and, if not, to see why and then put this across a number of departments to see if there is a concern in that area, and if that is ...
Mr. R. Parker:
Who gets involved in the scope? So for instance, if you have determined a particular area to do an internal audit on, how do you develop the scope? Is that down to you or is that in discussion?
Chief Internal Auditor:
No, if it is a compliance piece of audit work, we will look at the key elements of the financial direction to ensure there is compliance with it. If it is policy, we will look at key elements of the policy's financial directions. If it is a compliance piece of audit work, we will set the scope. If it is an advisory piece of work and the departments come to us, we will consult with them in terms of what the scope will be if it is an advisory piece of work, but it is Internal Audit's scope and it is not the department's audit scope, and the department cannot dictate to us to take something out of the scope whatsoever. I would not allow it.
Mr. R. Parker:
I was just thinking of my favourite one, Canbedone, where it looked like the scope had been, shall we say, really tunnelled to only a particular area.
Chief Internal Auditor:
I was not in Internal Audit, it would have been before my time and I did not issue that report but I can confirm that the audits that we are doing for grants at the moment, that we set the audit scope and that we are very robust in saying: "That is the scope and that is what we will look at" and our audit reports will rest on that finding.
Mr. R. Parker:
The recommendations will be, rather than a sort of panacea for all ills, more training, it will probably be a bit more targeted?
Chief Internal Auditor:
I can confirm to you that no grant audits this year will be advisory, they will all be compliance, whereas previously they have been advisory. If they are compliance as well and they get issued a 1 or a 2, which means there are some areas of weakness in the control environment, at draft stage the Chief Executive sees the report as a protocol. That is why it is very important that we focus on compliance audits to ensure there is a proper review of procedures and, if there is not, to have recommendations. But the recommendation then needs to be followed up as well, and that is very important, and that is a big piece of work requiring a lot of resources. That is why, going back to the 3-year project, it is reflected in the time in the audit programme but it does take resources and time up, but is very important. What we are doing as well as part of that is gathering key themes, because I think in the States of Jersey that departments are more similar than they are different. I know they do different things but, in terms of governance, if you book a flight, whether you are booking a flight as the accounting officer of the Chief Minister or whether you are a manager in TTS (Transport and Technical Services) you are still using the same system. There are a lot of key themes that come out of it and I think it is very important that we learn from those recommendations. What we are doing in this recommendation piece is pulling out key themes and explaining to departments: "These are the areas where there are shortcomings" and when we do an audit, for example on debtors and creditors, explain to the department: "This is what key areas we found previously" and to educate them to say: "This is where our shortcomings are." Because in audits, quite often it is about keeping paperwork, documentation, asking what can be done about due diligence, things like that. So I think it is important that we learn from our recommendations and that we endorse that. I think the C&AG's report is really helpful because you are basically putting an emphasis on that and saying: "You need to look at it and we are doing a big project, but it will take time to do."
[16:15]
Mr. I. Ridgway:
Can I ask one question? When you first came in you said your title was Chief Internal Auditor and Head of Risk. What does Head of Risk do? Is that not the Chief Executive's job?
Chief Internal Auditor:
This is to do with giving support to CMB in terms of risk management. Without going into a lot of detail, the risks of the States of Jersey is a source to look at. Although it is slightly off the report, it is important to understand the risk ...
Mr. I. Ridgway:
I was looking at the drawings on your time; Head of Risk is a big job.
Chief Internal Auditor:
Oh, yes, I appreciate that. It is a support to CMB in terms of risk. We are doing a big project at the moment with Marsh Consultancy that is looking at corporate risk and looking at where the corporate risks are for the States of Jersey, where the corporate risk register sits. Looking at previous work done on business continuity, on health and safety, and we have employed an outside contractor to help manage that risk process, because it is such a big piece of work. So the risk side is to give support. Risk in the States of Jersey does need some resources and time dedicated to it to get it to a level where it is appropriate against another ...
Mr. R. Parker:
Is that going ahead this year?
Chief Internal Auditor:
Yes.
Mr. R. Parker:
So you have got e-commerce, or e-whatever it is called; eGov is next year, and most of the risk is related to possibly the data. First of all you need to get the data sorted out and the databases, so are you putting the cart before the horse in the sense that you need to sort it all out first? The risk factor is because it is all over the place and it needs to be consolidated, and that probably needs to be the first piece of work before going into the risk, because you can see the basic risk and you do not need a consultant to tell you that.
Chief Internal Auditor:
We are getting Marsh in to do some work on risk management to look at the attitudes of departments, the values, the beliefs on risk, what they think risk is, and to understand where we are at, then to develop a risk strategy improvement programme to deliver a strategy. As part of that, there will be other areas we will look at, for example, data. One of the areas will be looking at data and we will then look at it to ensure that there is adequate data as part of that.
Mr. J. Mills:
But who will do the internal audit reports on the risk management or who will decide to do them? You have got 2 hats here, have you not?
Chief Internal Auditor:
I think the title of "Head of Risk" can have a lot of meanings in organisations. My role as Head of Risk is not what may be perceived as being head of risk from a chief executive's point of view, it is Head of Risk to support CMB in delivering a corporate risk register, and it is in that ...
Senator S.C. Ferguson:
Does it rate higher on Hay than Chief Internal Auditor?
Chief Internal Auditor:
I could not comment whether on Hay it rated higher or not, unfortunately, but the role in the main is internal audit, but then we do do risk management in addition to that.
Deputy T.A. Vallois:
I am a little perplexed, just from the answer that was given by the Chief Executive earlier, that there is no overall framework for risk on the States, which I would see as a corporate risk strategy. You would expect some kind of principle-based risk framework that is applied across the board whereby you have an accounting officer that has discretionary responsibility, as they do in law, for spending money. If you have not got that and we have got what the Chief Executive says, individual departments doing individual things, this is a gigantic piece of work. Has there not been any discussion on the Audit Committee side of things, rather than just directly to individual accounting officers, saying: "We need something in that is principle-based here. This is the core value of the sector and this is what we are going to follow from" rather than doing all this kind of playing around the edges and just producing something that apparently everyone is going to follow.
Chief Internal Auditor:
I think you are right and, on the next agenda item for the Audit Committee, which is in July, is to look at the risk management programme. It is only just being started and it is to look at terms of reference, what we are doing, look at direction on risk management, corporate risk management and what projects have been done previously. For example, one big piece of work done was health and safety, another big piece of work done was business continuity, and it is in its infancy stage now. I am sure it would be appropriate to give you an update later on when it is more firm in terms of what the strategy is, what the papers and the methodology is on delivering a corporate risk management strategy and developing the corporate risk register.
Mr. J. Mills:
Last time Mr. Richardson came in he said we had one already.
Chief Internal Auditor:
We do have one ...
Mr. J. Mills:
Are you saying it is not really fit-for-purpose or are in need of review or in need of change, development?
Chief Internal Auditor:
It is important that all corporate risk registers are live and that there is an opportunity to now look at it and improve it. In the States of Jersey there has been a lot of change, for example, there is a new hospital being built, a new bond issuance going on and, to reflect that, there needs to be eGovernment public reform and therefore there have been a lot of changes in the States and, therefore, it is now an opportune time. There is a sub-committee of CMB who are the Risk Sub-committee, who also ...
Deputy T.A. Vallois:
I am just conscious of the time ...
Mr. J. Mills:
Who chairs that subcommittee, please?
Chief Internal Auditor:
The Treasurer of the States of Jersey chairs that subcommittee, and there are a number of accounting officers on it.
Mr. J. Mills:
May I ask one final question: I was very pleased with what you said about doing the compliance report on the grants and so forth. The Overseas Aid Commission is a big spender, very big; how are you going to check compliance with the people on the receiving end, which you say you are going to do in this document?
Chief Internal Auditor:
Sorry, which one are you ...?
Mr. J. Mills:
The Overseas Aid Commission, you know, reviewing the eligibility of recipients, and so forth, how are you going to do this? This is pretty big territory.
Deputy R.J. Rondel:
Which number is that, John?
Mr. J. Mills:
It is not on the page numbers.
Chief Internal Auditor:
Which quarter was it in?
Mr. J. Mills:
Quarter 3. The Overseas Aid Commission is a year's worth of work in itself, I would have thought.
Chief Internal Auditor:
The Overseas Aid Commission gets audited every 3 years because in terms of risk it is appropriate to do so. No audit will give absolute assurance on every single grant to every single member, so we will do a sample basis of that.
Mr. J. Mills:
I was thinking of the practicality.
Chief Internal Auditor:
We have not done the full scope of the audit yet and we will look at the practicality issue on the audit was done 3 years ago by my predecessor. I do agree with you, there will be some practical implications of that, and if you have any comments or any value to add to that we welcome hearing it.
Mr. J. Mills:
Check your travel budget.
Chief Internal Auditor:
Yes. But I would welcome any comments you have; it is a big piece of work to do but we will do it on a sample basis and give assurance on the procedure itself.
Mr. J. Mills:
That is very important. Very good.
Chief Internal Auditor:
As well, one of the big pieces of work we are doing is look at recommendations. There were some recommendations from that audit from 3 years ago which we are also following up. I think it is important that we test those ones to make sure they have been complied with as well. But I would welcome any of your input.
Deputy T.A. Vallois:
I have just got 2 final questions: how do you envisage meeting the requirement of the PSIAS for an external review of Internal Audit?
Chief Internal Auditor:
You will see that the C&AG has given a very helpful ... sorry, for an ...?
Deputy T.A. Vallois:
For an external review of Internal Audit, so if somebody came in and wanted to review Internal Audit against the PSIAS
Chief Internal Auditor:
Sorry, I misunderstood your question. I did a self-review in October of this year against PSIAS. There were a number of areas that needed to be addressed quite quickly so, for example, there were a number of documents that needed to be included, audit files needed to have evidence of parent sign-off, that there needed to be consideration of an independent strategy for more audits. There needed to be a CPD (continuing professional development) monitoring programme. All these areas get some checklists. The checklists are supplied by PSIAS, which needs to be complied with. I did a self-assessment of that and then, along with the C&AG's report, we did a further self-assessment, which has driven the improvement programme. In December of this year we will ask for an independent person to come and review that improvement programme against the standard and do a report. That report will also go to the Audit Committee. I have initiated that and I want to do that. It will be completely transparent on where we are at and, if there are any gaps from that report in December, it is then to continue on the improvement programme to improve it. When I came in in August, there were a number of gaps that needed to be addressed and some are higher priority than others. For example, documentation of audit files was really very key, and I put those in to make sure that there was evidence that if someone did an advisory piece of work they then cannot do a compliance piece of work, because otherwise there are worries they may criticise their own piece of work in the first place, which you are not allowed to do under auditing standards in proper governance. Therefore, I put in place in the planning document who is on the audit team, have they done a piece of advisory work; yes or no. If they have, they cannot do that audit if they have a personal relationship within that team. 
So when I came in I developed an internal audit protocol so that everyone had to declare to me if they had any conflict of interest or any personal relationships. They have to do that annually, but that is not just personal relationships; for example, if they were a treasurer of a charity they could not then do the grant on that charity because they would be having to do the audited accounts which they may potentially sign off on. So that planning document looks at that. It looks at the IT involvement, for example. IT is a very specialist skill; at the planning stage of each audit I put in place to make sure that we assess the IT environment. If the IT environment is significant you have to have an IT specialist involved in that audit because, from a risk-based approach, it would not be covered. So I put this document in place. They are being enhanced and they are being looked at and we are constantly improving them, but that was very important. The CPD log; it is important that the team have appropriate special development and we monitor that, so I put a CPD log in place to check that to make sure it is done properly. So I do agree with the C&AG's report there is a lot still to do to get there, but I recognise that, we have put a lot of things in place already, we continue to put a lot of things in place. On the improvement programme we consider there is a lot of work to do but it has to be in compliance with these, so it is important that we have benchmark and we strive to do it. But, like the Treasurer said beforehand, we must do it and do it properly, but we also must judge and test ourselves. When the independent person comes and does that review, which will be done in December, we will be sharing that with the Audit Committee in a fully transparent way.
Deputy T.A. Vallois:
Are you satisfied that the extent of compliance with the PSIAS and associated improvement programme was adequately reported to the Audit Committee?
Chief Internal Auditor:
The improvement programme was presented to the Audit Committee on 12th May this year. They were given a copy of it, as well as the C&AG's report, and they asked questions on the improvement programme. We will update them on the improvement programme should they need for the timescale, and again, the independent report will be presented to them in December. In addition, one of the key recommendations from the C&AG's report was the recommendation piece which I have said to you, and we will do a report to the Audit Committee on 30th June about the state of the recommendations: which ones have been implemented, if there are any concerns, and what the timeline for the ones that have not been addressed yet is. It is very important that we have that fully transparent relationship with the Audit Committee.
[16:30 - Ends]