Agenda Item 7 App1
Internal Audit Strategy and Annual Plan 2013-14
Prepared by:
Mark Dallen (Audit Manager)
Brighton and Hove City Council
February 2013
Version 1.0
Internal Audit Strategy and Plan 2013-14
Contents
Introduction
Key Deliverables 2013/14
The Role and Purpose of Internal Audit at the National Park
Protocol for Audit Reviews
Priority Areas for 2013/14
Performance Management
Developing the Internal Audit Plan
Summary Internal Audit Plan 2013/14
Appendices
Appendix A: Detailed Internal Audit Plan 2013/14
Appendix B: Summary 3 Year Internal Audit Plan
Appendix C: Terms of Reference for the Provision of Internal Audit Services
Appendix D: Service Performance Targets
Introduction
Purpose of this report
1. This document sets out the South Downs National Park Authority (SDNPA) Internal Audit
Strategy and Annual Plan for the year 2013/14.
2. The SDNPA's internal audit function is provided by Brighton and Hove City Council. The terms
of reference are attached at Appendix C.
3. Internal Audit supports and contributes to the achievement of the SDNPA's priorities for 2013/14
as follows:
Purposes:
- Conserve and enhance the natural beauty, wildlife and cultural heritage of the area.
- Promote opportunities for the understanding and enjoyment of the park's special
  qualities by the public.
Authority Duty:
- To seek to foster the economic and social well-being of the communities within the
  National Park.
4. The purpose of the Internal Audit Strategy and Plan is to:
- Provide independent and objective overall assurance to Members and senior management
  on the effectiveness of the SDNPA's control environment.
- Identify the key risks facing the SDNPA to achieving its objectives and determine the
  corresponding level of audit resources.
- Add value and support senior management in providing effective control and identifying
  opportunities for improving value for money.
- Support the Chief Finance Officer in fulfilling obligations as the SDNPA's nominated Section
  151 Officer.
- Deliver an internal audit service that meets the requirements of the Accounts & Audit
  Regulations.
Providing Assurance
5. The Internal Audit Strategy and Annual Plan is aimed primarily at providing ongoing and annual
assurance to the SDNPA to provide confidence to its stakeholders.
Key Deliverables for 2013/14
6. The following are considered to be our key deliverables:
- To provide ongoing assurance to management on the integrity, effectiveness and operation
  of the SDNPA's internal control system.
- Delivery of the Annual Audit Plan.
- To meet the requirements of the audit arrangements with the SDNPA's external auditors.
- To embed integration of internal audit work with governance and managing risk to produce
  a coordinated risk-based approach to the audit of business/operational systems across the
  SDNPA.
- To ensure agreed management responses to audit recommendations made are
  implemented.
- To deliver the statutory requirements of the Accounts and Audit Regulations 2011.
- To develop our role and work closely with the Standards and Audit Committee.
The Role and Purpose of Internal Audit at the National Park
7. The statutory basis for the internal audit service is provided in the Accounts and Audit
Regulations 2011, which states that a local authority shall maintain an adequate and effective
system of internal audit of its accounting records and of its system of internal control in
accordance with proper practice. The SDNPA has recognised this statutory requirement in its
Financial Regulations.
8. In addition to the above, the Chief Finance Officer has a statutory duty under Section 151 of the
Local Government Act 1972 to establish a clear framework for the proper administration of
the authority's affairs. To perform that duty the Section 151 Officer relies on, amongst other
things, the work of Audit & Business Risk Services in reviewing systems of internal control,
financial management and other assurance processes.
9. The standards for proper practice in relation to internal audit were laid down in CIPFA's Code
of Practice for Internal Audit in Local Government (updated in 2006). From 1 April 2013
these are replaced by the Public Sector Internal Audit Standards. This document is issued by
CIPFA in collaboration with the Chartered Institute of Internal Auditors.
10. We continually ensure compliance with these professional standards and reflect this in our
Terms of Reference, Appendix C.
11. The standard and quality of our service is principally scrutinised in four ways:
- Scrutiny by the Standards and Audit Committee
- Review by External Audit
- Customer feedback
- Peer Reviews
Protocol for Audit Reviews
12. For each audit review carried out, an Audit Owner is identified who will be involved in the
scoping to ensure that the review is appropriately focussed on key perceived risks, providing
assurance and maximising added value. Terms of reference will be produced for each audit review
to ensure the scope, objectives and approach are understood and agreed.
13. Draft internal audit reports will be issued for discussion with the appropriate levels of
management, which are normally set out in the terms of reference.
14. Final internal audit reports will be issued after the agreement of draft reports and contain
completed management action plans that identify those responsible for implementation and
timescales.
15. Agreed actions or recommendations will be followed up in accordance with an agreed protocol.
Priority Areas for 2013/14
16. Having regard to the current risk profile of the SDNPA, the following areas have been identified
as priority areas of our work for 2013/14.
Key Financial Systems
17. The effectiveness of controls and management of risks within financial systems remains a core
part of our audit work. This work is important in providing annual assurance to the SDNPA
and to meet the requirements of the National Park's external auditors. Audits have been
scheduled on a 3 year cyclical basis, so not all key financial system audits will be undertaken each
year (see Appendix B).
Other Services and Systems
18. We will review other services, systems and processes according to an assessment of risk and
business need. This may include financial, administrative or operational systems or services.
Risk Management
19. We have a key role to promote effective risk management across the SDNPA. Within individual
audits we will seek to assess compliance with good risk management practices and the adequacy
of controls put in place by management to mitigate risks in their service areas.
ICT Audit
20. This work will be delivered either by our own team or Deloitte & Touche Public Sector Internal
Audit Limited depending on requirements.
Counter Fraud Work
21. We will support the SDNPA's counter fraud arrangements. This may include individual
investigations and/or counter fraud training or workshops.
Audit Planning, Strategy and Audit Committee Support
22. We will work closely with Standards and Audit Committee Members in developing its role in
relation to best practice and to contribute to effective corporate governance of the SDNPA.
Performance Management
23. To achieve planned coverage, deliver a high standard of customer care and demonstrate
effectiveness of the service, we have established performance targets based on best professional
practice and which are easily comparable with other organisations.
24. Performance indicators and targets are shown at Appendix C for four aspects of our service:
- Cost and quality of input
- Productivity and process efficiency
- Compliance with professional standards
- Staff Qualifications
Developing the Internal Audit Plan
25. The methodology used for developing the Annual Internal Audit Plan will be focused on the
quantification of the risks associated with the National Park's objectives in consultation with key
officers.
26. Audit work covering governance will contribute towards our advice and assistance on the
preparation of the Annual Governance Statement.
27. The Annual Internal Audit Plan is indicative and it may be that changes will be made during the
year as the risk profile of the SDNPA changes. This will be achieved through ongoing review
and amendment, in consultation with relevant officers.
28. The Standards and Audit Committee will be kept informed of progress against the Annual Audit
Plan and give final approval to any significant changes during the year.
Summary Internal Audit Plan 2013/14
29. Appendix A shows the Annual Internal Audit Plan and provides a brief summary of each review.
The plan also cross-references (where relevant) against the Authority's Risk Register. The
allocation of the 34 audit days is summarised in Table 1 below.
Table 1: Summary of Internal Audit Annual Internal Audit Plan 2013/14

| Thematic Area | Audit Days |
|---|---|
| Key Financial Systems | 6 |
| Other Services and Systems | 12 |
| Risk Management | 3 |
| ICT Audits | 2 |
| Counter Fraud Work | 1 |
| Audit Committee Support, Audit Strategy and Planning | 10 |
| Totals | 34 |
Appendix A
DETAILED INTERNAL AUDIT PLAN 2013/14
The table below details the Plan for 2013/14. Where the Corporate Risk Register (as at February 2013) details risks these have been cross referenced to the audits.
| Ref. | Audit Review | Corporate Risk Reference (if relevant) | Audit Days | Overview | Audit Owner | Timing |
|---|---|---|---|---|---|---|
| Key Financial Systems | | | | | | |
| 1002 | Creditors/ Accounts Payable | | 3 | To examine key controls for the payment of suppliers and other third parties, including systems procedures documentation, authorisations and payment mechanisms. | Director of Corporate Services | Quarter 3 |
| 1003 | Main Accounting and Budget Management | 64. Potential shift and/or reduction in resources for 2014/15 as a result of the next Comprehensive Spending Review (CSR) | 3 | To review the overall framework for budget management of the Authority. To include examination of the integrity of budget build and the effectiveness of the main accounting system. | Director of Corporate Services | Quarter 3 |
| Other Services and Systems | | | | | | |
| 1020 | Grant Payments | | 3 | Assess the controls over applications for and management of external funding, including accounting arrangements. | Director of Corporate Services | Quarter 3 |
| 1019 | Health and Safety | 37. Health & Safety of staff, particularly lone workers and volunteers | 4 | To review the corporate health and safety framework to ensure key risks are identified and appropriate processes put in place to mitigate risks. | Director of Corporate Services | Quarter 1 |
| 1016 | Planning (Income) | 58. IDOX system as implemented not delivering improvements to service delivery | 3 | To examine the key controls over the Authority's management and control of planning income. | Head of Planning | Quarter 3 |
| 1009 | Allowances and Expenses | | 2 | Review and testing of the key systems for the payment of allowances and expenses. | Director of Corporate Services | Quarter 1 |
| ICT Audits | | | | | | |
| 1015 | IT Audit | 58. IDOX system as implemented not delivering improvements to service delivery; 69. Re-tendering GIS contract for 2013-16; 70. Lack of integration of different software packages; 73. Retender of the scanning contract (planning) | 2 | Terms of Reference to be confirmed following completion of the 2012/13 ICT audit. | Head of IT | Quarter 3 |
| Risk Management | | | | | | |
| 1022 | Facilitation of Risk Management Workshops and Advice | | 3 | Support to the Authority's corporate risk management processes including advice and facilitation of risk workshops. | Director of Corporate Services | Quarter 1 |
| Counter Fraud Work | | | | | | |
| 1010 | Contingency for Investigations/ Counter Fraud Work | | 1 | Contingency for investigation of fraud and irregularities and other counter fraud work including training or workshops. | Director of Corporate Services | Quarter 1-4 |
| Standards and Audit Committee Support, Audit Strategy and Planning | | | | | | |
| 1201 | Support to Standards and Audit Committee and Authority by Audit Manager. | | 10 | Attendance at Standards and Audit Committee including preparation and agenda facilitation. Corporate support. Preparation of Audit Plan and Strategy, audit progress report, annual report, liaison with external audit. | Director of Corporate Services / Chief Executive | Quarters 1-4 |
| Total Days | | | 34 | | | |
Appendix B
Summary 3 Year Internal Audit Plan
2013/14 2014/15 2015/16
Audit Days Days Days
Key Financial Systems
Payroll 3 3
Creditors/ Accounts Payable 3 3 3
Debtors/ Income 2
Treasury Management 1
Main Accounting and Budget Management 3
Capital Accounting 2 3
Other Services and Systems
Grant Funding 3 2
Planning 3 4
Procurement 3 3
Health and Safety 4
Corporate Governance Arrangements 2
Allowances and Expenses 2
HR Processes 2
ICT Audit 2 5 5
Counter Fraud Work 1 1 1
Risk Management 3 1 1
Support for Audit Committee and Audit Planning 10 10 10
34 35 35
Appendix C
Terms of Reference for the Provision of Internal Audit Services
1. Purpose
1.1 This Terms of Reference is for the provision of Internal Audit Service to SDNPA. It is reviewed
and approved on an annual basis to ensure that current needs are met.
2. Role and Function
2.1 Internal audit is an assurance function that primarily provides an independent and objective
opinion and adds value to the SDNPA on the control environment by evaluating its effectiveness
in achieving the organisation's objectives. It objectively examines, evaluates and reports on the
adequacy of the control environment as a contribution to the proper, economic, efficient and
effective use of resources. The service is delivered by Audit & Business Risk at Brighton and
Hove City Council.
2.2 The control environment comprises the systems of governance, risk management and internal
control.
3. Reporting Lines & Relationships
3.1 The Audit Manager reports to the Chief Executive, Director of Corporate Services, Chief Finance
Officer and the Standards and Audit Committee.
3.2 The Standards and Audit Committee is responsible for approving the Internal Audit Strategy and
Plan.
4. Independence and Accountability
4.1 Internal Audit will remain sufficiently independent of the activities that it audits to enable auditors
to perform their duties in a manner which facilitates impartial and effective professional
judgements and recommendations. Internal auditors do not have operational responsibility.
4.2 Internal Audit is involved in the determination of its priorities in consultation with those charged
with governance. Internal Audit has unrestricted access to officers, members, records and to
report in its own name.
4.3 The existence of an internal audit function within the SDNPA does not diminish the responsibility
of management to establish systems of internal control to ensure that activities are conducted in
a secure, efficient and well ordered manner.
5. Statutory Role
5.1 Internal auditing is provided as a statutory service in the context of the Accounts & Audit
Regulations 2011, which state that a relevant body shall maintain an adequate and effective
system of internal audit of its accounting systems and its system of internal control in accordance
with the proper internal audit practices.
5.2 The statutory role is recognised and endorsed within the SDNPA's Financial Regulations, which
provide the authority for unlimited access to officers, Members, documents and records and to
require information and explanation necessary.
6. Consultancy and Advisory Role
6.1 Audit & Business Risk may also perform a consultancy or advisory role on an ad-hoc basis or as
part of the Internal Audit Plan, if requested by management. Reports from this type of work
contain findings and recommendations particularly to add value to the SDNPA's services in
achieving value for money in its use of resources.
7. Internal Audit Standards
7.1 There is a statutory requirement for Audit & Business Risk to work in accordance with the
proper audit practices. These are currently detailed within the CIPFA Code of Practice for
Internal Audit in Local Government, but from 1 April 2013 these are replaced by the Public
Sector Internal Audit Standards. It is unlikely that this change will have a significant impact on the
service's operational arrangements.
8. Internal Audit Scope
8.1 The scope for Audit & Business Risk is the control environment comprising risk management,
control and governance. This means that the scope of Audit & Business Risk includes all of the
SDNPA's operations, resources, services and responsibilities in relation to associated partner
organisations. The priorities for Audit & Business Risk will be determined by a process of risk
assessment.
9. Internal Audit Resources
9.1 Audit & Business Risk will ensure as far as possible that it is appropriately staffed in terms of
numbers, skills and experience. The Head of Audit & Business Risk at Brighton and Hove City
Council is responsible for appointing staff and will ensure these appointments are made in order
to achieve the appropriate mix of qualifications, experience and skills.
9.2 The make-up of the Audit & Business Risk Team is currently as follows:
- Head of Audit and Business Risk (Ian Withers)
- Audit Manager (Mark Dallen)
- Principal Auditors x 3
- Principal Auditor (Counter Fraud)
- Auditors x 3
- Risk Manager
9.3 The Team currently includes four three qualified accountants (CIPFA and ACA) and four fully
qualified members of the Chartered Institute of Internal Auditors (CMIIA). In addition we
currently have one Auditor studying for professional qualifications.
10. Fraud and Corruption
10.1 Managing the risk of fraud and corruption is the responsibility of management. Internal audit
reviews alone, even when performed with due professional care, cannot guarantee that fraud or
corruption will be detected. Audit & Business Risk will, however, be alert in all their work to
risks and exposures that could allow fraud or corruption.
11. Reporting Accountabilities
11.1 A written internal audit report will be prepared for every audit carried out and issued to the
appropriate manager responsible for the area under review. Internal audit reports will include an
opinion on the risk and adequacy of controls, which together will contribute to the annual audit
opinion on the SDNPA's control environment.
11.2 Audit & Business Risk will make practical recommendations based on the findings of the audit
work and discuss these with management to establish appropriate action plans.
11.3 Management are expected to implement all agreed recommendations within a reasonable
timeframe. Each internal audit will be followed up in accordance with an agreed protocol, with
progress on implementation reported to the Audit Committee.
11.4 The Chief Finance Officer will report regularly to the Audit Committee on progress made against
the Annual Audit Plan and the summarised outcomes of individual audits.
11.5 The Chief Finance Officer will provide an Annual Internal Audit Report to the Audit Committee
that includes an opinion on the adequacy and effectiveness of the control environment.
12. Responsibilities
12.1 In meeting its responsibilities, the activities of Audit & Business Risk will be conducted in
accordance with the SDNPA's objectives, established policies and procedures.
12.2 Audit & Business Risk will co-ordinate effectively with the SDNPA's appointed external auditors
for optimal audit coverage and to ensure that appropriate reliance can be placed on internal audit
work.
Appendix D
Service Performance Targets
| Aspect of Service | Performance Indicators | Target |
|---|---|---|
| Cost and Quality of Input | Planned days delivered | 100% |
| Productivity and Process Efficiency | Achievement of annual plan (%) | 95% Minimum |
| | Issue of draft report after completion of fieldwork | Within 10 Days |
| | Issue of final report after agreement with client of draft | Within 10 Days |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | 100% compliant |
| Our Staff | Professionally Qualified | 80% |
| | Annual Training & Development Received (Minimum) | 5 Days |