Final Report for the external assessment of the internal audit function

1. Introduction

1.1 Internal audit within the public sector in the United Kingdom is governed by the Public Sector Internal Audit Standards (PSIAS), which have been in place since 1^st April 2013 (revised 2016 and 2017). All public sector internal audit services are required to measure how well they are conforming to the standards. This can be achieved through undertaking periodic self-assessments, external quality assessments, or a combination of both methods. However, the standards state that an external reviewer must undertake a full assessment or validate the internal audit service’s own self-assessment at least once in a five-year period. This is Bracknell Forest Council’s Internal Audit Services second external quality assessment (EQA) of conformance to the PSIAS that the Internal Audit Service has undergone.

2. Background

2.1 Bracknell Forest Council’s Internal Audit Service comprises an in-house team of four individuals who are supported by external co-sourcing partners. The Service is managed by the Head of Audit and Risk Management who is ICAEW qualified, and she is supported by an experienced Internal Audit Contract Manager. Below the management level of the Service is a team of two Senior Auditors. One of these posts was, at the time of the EQA, vacant and being covered by a temporary workerand a further temporary worker was assisting with clearing the backlog of audits which had arisen due to COVID.

2.2 The Service currently has four co-sourcing partners. Three of these are other local authorities who provide their services through the use of section 113 agreements. These are Wokingham Council for internal audit services and Reading Borough Council and Oxford City Council for counter fraud services. The fourth co-sourcing partner is TIAA Ltd who provide the Council with specialist IT audit services.

2.3 From an operational perspective, Internal Audit reports directly to the Council’s Corporate Management team (CMT) and the Governance and Audit Committee and these two bodies fulfil the roles of ‘senior management’ and ‘the board’, as defined by the Public Sector Internal Audit Standards. The Head of Audit and Risk Management periodically reports on the audit plan and its delivery to the Corporate Management Team and Accounts and Governance and Audit Committee, together with the annual report and opinion.

2.4 Internal Audit has a comprehensive audit manual in place, and they use standard template documents for their engagement working papers and testing schedules, engagement terms of reference, action plans and audit reports. Supervision of the engagements is undertaken at every stage of the audit process and all audit reports are reviewed and cleared by the Internal Audit Contract Manager or the Head of Audit and Risk Management before they are issued to the clients.

2.5 The Service has a comprehensive quality assurance process in place that includes supervision and monitoring of live audit assignments, completed audit file reviews, customer satisfaction surveys, and annual self-assessments of their conformance to the PSIAS and LGAN. The output from these feed into the Service’s Quality Assurance and Improvement Programme (QAIP).

3. Validation Process

3.1 The self-assessment validation comprises a combination of a review of the evidence provided by Bracknell Forest Council; a review of a sample of completed internal audits; questionnaires that were sent to and completed by a range of stakeholders from the Service’s clients; and a series of (virtual) interviews using MS Teams with key stakeholders. The questionnaire and interviews focused on determining the strengths and weaknesses of Internal Audit and assessed them against the four broad themes of Purpose and Positioning; Structure and Resources; Audit Execution; and Impact.

3.2 The Service provided a comprehensive range of documents that they used as evidence to support their self-assessment, and these were available for examination prior to and during this validation review. These documents included the:

· self-assessment against the standards;

· quality assurance and improvement plan (QAIP);

· evidence file to support the self-assessment;

· the audit charter;

· the annual report and opinion;

· the audit plan and strategies;

· audit manual;

· a range of documents and records relating to the team members; and

· progress and other reports to the Governance and Audit Committee.

All the above documents were examined during the EQA.

3.3 The validation process was carried out in two phases. The first was a pre-inspection ‘readiness review’ carried out in December 2021. This involved a detailed examination of the key documents and templates used by the Service and, where applicable, made suggestions on how these could be enhanced to fulfil the requirements of the PSIAS and incorporate current best practice. The second phase was the formal EQA, and this took the form of the validation of the Service’s self-assessment. This was carried out during April 2022.

3.4 The formal EQA focused on the accuracy of the Service’s self-assessment to ensure it was an accurate portrayal of their conformance to the standards, and primarily included four elements. The first involved a re-examination of the Service’s standard documentation to ascertain that the Service had made the suggested enhancements to these that had been identified from the pre-inspection review.

3.5 The second element involved interviews with the key personnel from the Service plus a sample of key stakeholders from the Council, made up of members of the senior management team and the chair of the Governance and Audit Committee. Overall, the feedback from the interviewees was positive with clients valuing the professional and objective way Internal Audit delivered services.

3.6 The third element involved capturing the views of a range of other stakeholders by the use of an electronic survey that was also sent to them, and the results analysed during the review. A summary of the survey results has been provided to the Head of Audit and Risk Management.

3.7 The final element of the validation phase involved a review of a sample of completed audits to confirm the Assessor’s understanding of the audit process used by Internal Audit.

4. Opinion

It is our opinion that Bracknell Forest Council’s Internal Audit Service’s self-assessment is accurate and, as such, we conclude that they FULLY CONFORM to the requirements of the Public Sector Internal Audit Standards and the CIPFA Local Government Application Note.

The table below shows the Service’s level of conformance to the individual standards assessed during this external quality assessment:

Standard / Area Assessed	Level of Conformance
Mission Statement	Fully Conforms
Core principles	Fully Conforms
Code of ethics	Fully Conforms
Attribute standard 1000 - Purpose, Authority and Responsibility	Fully Conforms
Attribute standard 1100 - Independence and Objectivity	Fully Conforms
Attribute standard 1200 - Proficiency and Due Professional Care	Fully Conforms
Attribute standard 1300 - Quality Assurance and Improvement Programmes	Fully Conforms
Performance standard 2000 - Managing the Internal Audit Activity	Fully Conforms
Performance standard 2100 - Nature of Work	Fully Conforms
Performance standard 2200 - Engagement Planning	Fully Conforms
Performance standard 2300 - Performing the Engagement	Fully Conforms
Performance standard 2400 - Communicating Results	Fully Conforms
Performance standard 2500 - Monitoring Progress	Fully Conforms
Performance standard 2600 - Communicating the Acceptance of Risk	Fully Conforms

5. Areas of full conformance with the Public Sector Internal Audit Standards

5.1 Mission Statement and Definition of Internal Audit

The mission statement and definition of internal audit from the PSIAS are included in the audit charters.

5.2 Core Principles for the Professional Practice of Internal Auditing

The Core Principles, taken as a whole, articulate an internal audit function’s effectiveness, and provide a basis for considering the organisation’s level of conformance with the Attribute and Performance standards of the PSIAS.

The clear indication from this EQA is that the Core Principles are embedded in the Service’s working methodologies and demonstrates that they are a competent and professional service that conforms to all ten elements of the Core Principles.

5.3 Code of Ethics

The purpose of the Institute of Internal Auditors’ Code of Ethics is to promote an ethical culture in the profession of internal auditing, and is necessary and appropriate for the profession, founded as it is on the trust placed in its objective assurance about risk management, control, and governance. The Code of Ethics provides guidance to internal auditors and in essence, it sets out the rules of conduct that describe behavioural norms expected of internal auditors and are intended to guide their ethical conduct. The Code of Ethics applies to both individuals and the entities that provide internal auditing services.

The clear indication from this EQA is that Internal Audit conforms to the Code of Ethics, and this is embedded in their audit methodologies. Conformance to the code of ethics is part of their overarching culture and underpins the way the Service operates.

5.4 Attribute Standard 1000 – Purpose, Authority and Responsibility

The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The internal audit charter must be reviewed regularly and presented to senior management and the audit panel for approval.

Internal Audit has an up-to-date audit charter in place. We reviewed this document and the processes used to present it to the Governance and Audit Committee for approval and found the audit charter to be a comprehensive and well written document that contained all the elements required by the standards. We are satisfied that Internal Audit conforms to attribute standard 1000 and the LGAN.

5.5 Attribute Standard 1100 – Independence and Objectivity

Standard 1100 states that the internal audit activity must be independent, and internal auditors must be objective in performing their work.

The need for independence and objectivity is an integral part of the Service’s culture. The Head of Audit and Risk Management reports in her own name and directly to the Council’s Senior Management Team and to the Governance and Audit Committee. Other than attending the Governance and Audit Committee, which is a meeting open to the public and officers of the Council, the Head of Audit and Risk Management does not meet regularly in private with the Chair of the Governance and Audit Committee to discuss matters of a confidential or sensitive nature that should not be raised in a public meeting. Principle 3 in the CIPFA guidance on the Role of the Head of Internal Audit (HIA) is clear that the relationship between the HIA and the Chair of the Committee is crucial to the delivery of an effective internal audit function. Having regular private meetings with the Chair of the Committee would undoubtedly help strengthen the independence of the Head of Audit and Risk Management as well as enhancing compliance with the CIPFA guidance on the Role of the Head of Internal Audit, and is widely regarded as good practice. We have therefore made one recommendation on this observation in section 9 of the report. (Paragraph 9.2)

All the Service’s employees sign a declaration of interest form each year and declare any potential impairment to their independence or objectivity. The audit charter includes a section setting out the independence and objectivity of the Service and the Head of Audit and Risk Management, and she plans to incorporate a similar statement of independence in the next annual assurance report and opinion.

We have reviewed the Service’s audit procedures, their standard documentation, quality assurance and improvement plan, their audit charter and annual report and opinion, and a sample of completed audit files, together with their reporting lines and their positioning in the Council. We are satisfied that Internal Audit conforms with attribute standard 1100 and the LGAN.

5.6 Attribute Standard 1200 – Proficiency and Due Professional Care

Attribute standard 1200 requires Internal Audit Service’s engagements are performed with proficiency and due professional care, having regard to the skills and qualifications of the staff, and how they apply their knowledge in practice.

It is evident from this EQA that Internal Audit has a professional and experienced workforce, who are supported by competent co-sourcing partners.

The Service is insightful and proactive and is a well-respected and professional operation that is valued by the Council’s management. There are only two observations we have relating this Standard, and both relate to the functionality of the Service and not their conformance to the Standard.

The first observation relates to making greater use of data analytics when carrying out audits. Although the Service is already aware of this need and has started to train staff in the use of data analytical techniques, mainly Excel at present, we feel there is scope to further enhance this element by making use of specialist auditing tools, such as IDEA, ACL, Arbutous or similar applications. Furthermore, there are also opportunities to use other general tools, such as PowerBI which can be used to analyse data outputs that are already available within the Council, and also data that is readily available from external bodies such as CIPFA via the ‘Nearest Neighbour’ data analysis application.

The second observation relates to the vacant Senior Auditor posts and the fact that there is currently a national shortage of qualified and skilled internal auditors. Whilst there is no short-term solution to this problem, in the longer term the Service should consider alternative solutions to ensuring they have a sustainable in-house team. There are options that can be considered, including incorporating trainee or apprentice internal audit posts in the structure, and putting the post holders through relevant professional qualifications. Another option may be the use of internships where undergraduates from universities are given work placements in the Service, albeit on a short-term basis. Both are viable options and are being considered by other internal audit services around the country, although it is acknowledged that both options require robust management and supervision processes to be put in place if they are to be effective.

It is evident from this review that Internal Audit performs their duties with due professional care. We are satisfied that Internal Audit complies with attribute standard 1200 and the LGAN. There are operational enhancements that the Service should consider regarding the use of data analytics and the recruitment of staff and, as such, we have included two actions in section 9 for the Head of Audit and Risk Management to consider. (Paragraphs 9.3 and 9.4)

5.7 Attribute Standard 1300 – Quality Assurance and Improvement Programmes

This standard requires the Chief Audit Executive to develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity.

Internal Audit has developed a robust and effective quality assurance process that ensures engagements are performed to a high standard within the available resources. It is effective and feeds into their quality assurance and improvement programme. We have examined this process during the EQA and are satisfied that the Service conforms to attribute standard 1300 and the LGAN.

5.8 Performance Standard 2000 – Managing the Internal Audit Activity

The remit of this standard is wide and requires the Chief Audit Executive to manage the internal audit activity effectively to ensure it adds value to its clients. Value is added to a client and its stakeholders when internal audit considers their strategies, objectives, and risks; strives to offer ways to enhance their governance, risk management, and control processes; and objectively provides relevant assurance to them. To achieve this, the Chief Audit Executive must produce an audit plan for and communicate this and internal audit’s resource requirements, including the impact of resource limitations, to senior management and the Audit Committee for their review and approval. The Chief Audit Executive must ensure that internal audit’s resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

The standard also requires the Chief Audit Executive to establish policies and procedures to guide the internal audit activity, and to share information, coordinate activities and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts.

Last, but by no means least, the standard requires the Chief Audit Executive to report periodically to senior management and the Audit Committee on internal audit’s activities, purpose, authority, responsibility, and performance relative to its plan, and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues and other matters that require the attention of senior management and/or the audit panels.

Internal Audit has a comprehensive audit manual, supervision, and quality assurance processes in place that meet the requirements of the PSIAS. They also have a comprehensive audit planning process in place that enables them to produce robust risk-based audit plans that are designed to enhance the Council’s risk management and governance frameworks and control processes; and objectively provide them with relevant assurance.

Details of the completed audits and the risk and control issues found, together with the progress being made on delivering the audit plans and the performance of the Service, are reported to the Audit Committee, along with an annual report and opinion that is issued at the end of the year.

The clear indication from this EQA is that Internal Audit is effectively managed and conforms to standard 2000 and the LGAN.

5.9 Performance Standard 2100 – Nature of Work

Standard 2100 covers the way the internal audit activity evaluates and contributes to the improvement of the organisation’s risk management and governance framework and internal control processes, using a systematic, disciplined and risk-based approach.

This is the approach adopted by Internal Audit and is set out in their audit manual and their working methodologies. During this EQA, we selected a sample of completed audit engagements and examined them to see if they conformed to standard 2100 and the Service’s own methodologies. We found that the sample audits complied with both.

Internal Audit’s credibility and value is enhanced when they are proactive, and their evaluations offer new insights and consider future impact on the organisation. Overall Internal Audit’s clients value the work they do in this area and often turn to them for advice and guidance when faced with emerging risks or when they are developing or changing systems.

The clear indication from this EQA is that Internal Audit conforms to performance standard 2100 and the LGAN.

5.10 Performance Standard 2200 – Engagement Planning

Performance standard 2200 requires internal auditors to develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organisation’s strategies, objectives, and risks relevant to the engagement.

As mentioned above, Internal Audit have a comprehensive audit manual, supervision and quality assurance processes in place that cover engagement planning in detail and meet the requirements of the PSIAS. During this EQA, we selected a sample of completed audit engagements, and examined them to see if they conformed to standard 2200. We found that they all conformed to the standards and the Service’s own audit procedures and methodologies, and therefore we conclude that Internal Audit conforms to performance standard 2200 and the LGAN.

5.11 Performance Standard 2300 – Performing the Engagement

Performance standard 2300 seeks to confirm that internal auditors analyse, evaluate and document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions, and that all engagements are properly supervised.

The Service’s audit manual, methodologies, supervision, and quality assurance processes all fulfil the requirements of the standards and our examination of a sample of completed audit engagements confirmed that the Service adopts a consistent approach to the way audits are undertaken and managed, with all the sample audits conforming to the standards and the Service’s own procedures. We therefore conclude that Internal Audit conforms to performance standard 2300 and the LGAN.

5.12 Performance Standard 2400 – Communicating Results

This standard requires internal auditors to communicate the results of engagements to clients and sets out what should be included in each audit report, as well as the annual report and opinion. When an overall opinion is issued, it must take into account the strategies, objectives and risks of the clients and the expectations of their senior management, the audit panels and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant, and useful information. Where an internal audit function is deemed to conform to the PSIAS, reports should indicate this by including the phrase “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing”.

The communication of engagement results is covered in detail in the Service’s procedures, and these fulfil the requirements of the PSIAS. We selected a sample of completed audit engagements and found that they all conformed to the standards and the Service’s own procedures.

We have also reviewed the progress and annual reports to the Governance and Audit Committee and found that overall, these also conformed to the standards and Service’s own internal procedures.

We therefore conclude that Internal Audit conforms to performance standard 2400.

5.13 Performance Standard 2500 – Monitoring Progress

There is a comprehensive follow-up process in place which monitors the client’s progress towards the implementation of agreed actions. The results of follow-up reviews are reported to the Governance and Audit Committee. From this EQA, it is evident that Internal Audit conforms to performance standard 2500 and the LGAN.

5.14 Performance Standard 2600 – Communicating the Acceptance of Risk

Standard 2600 considers the arrangements which should apply if the Head of Audit and Risk Management has concluded that management has accepted a level of risk that may be unacceptable to the organisation. Situations of this kind are expected to be rare, consequently, we did not see any during this EQA. From this external quality assessment, it is evident that Internal Audit conforms to performance standard 2600 and the LGAN.

6. Areas of partial conformance with the Public Sector Internal Audit Standards and the CIPFA Local Government Application Note

6.1 There are no areas of partial conformance with the Public Sector Internal Audit Standards.

7. Areas of non-conformance with the Public Sector Internal Audit Standards and the CIPFA Local Government Application Note

7.1 There are no areas of non-conformance with the Public Sector Internal Audit Standards.

8. Survey results

8.1 Overall, the results of the survey of key stakeholders from Internal Audit’s clients were positive with respondents valuing the services provided by the Service. A total of 20 surveys were received by the assessor. The overall number of negative responses were very low ranging from zero for most questions to a maximum of one on any given question. We have shared the summary report from the survey with the Head of Audit and Risk Management as they may wish to explore some of the responses in further detail to understand if there are any underlying issues that the service may wish to address.

9. Issues for management consideration

9.1 We have assessed the Bracknell Forest Council as conforming to the PSIAS and the LGAN. There are two observations and suggested enhancements to the operation of the Service that the Head of Audit and Risk Management should consider.

9.2 Other than attending the Governance and Audit Committee, which is a meeting open to the public and officers of the Council, the Head of Audit and Risk Management does not meet regularly in private with the Chair of the Governance and Audit Committee to discuss matters of a confidential or sensitive nature. Principle 3 in the CIPFA guidance on the Role of the Head of Internal Audit (HIA) is clear that the relationship between the HIA and the Chair of the Committee is crucial to the delivery of an effective internal audit function. Having regular private meetings with the Chair of the Committee would undoubtedly help strengthen the independence of the Head of Audit and Risk Management as well as enhancing compliance with the CIPFA guidance on the Role of the Head of Internal Audit and is widely regarded as good practice.

9.3 Whilst the Head of Audit and Risk Management is aware of the need to make greater use of data analytics and has already started to train staff, mainly on the functionality in Excel at present, we feel there are opportunities to enhance this element of the services that Internal Audit provide by making use of specialist data interrogation and auditing tools, such as IDEA, ACL, Arbutous or similar applications.

9.4 Our next observation relates to the Service’s ability to fill the vacant Senior Auditor posts that it has. Given that there is currently a national shortage of qualified and skilled internal auditors. Whilst there is no short-term solution to recruiting permanent staff, in the longer term the Head of Audit and Risk Management should consider alternative solutions to ensuring the Service has a sustainable in-house team. There are options that should be considered, including incorporating trainee or apprentice internal audit posts in the structure, and putting the post holders through relevant professional qualifications. Another option may be the use of internships where undergraduates from universities are given work placements in the Service, albeit on a short-term basis. Both are viable options and are being considered by other internal audit services around the country, although it is acknowledged that both options require robust management and supervision processes to be put in place if they are to be effective.

Definition	Criteria
Fully Conforms	The internal audit service complies with the standards with only minor deviations. The relevant structures, policies, and procedures of the internal audit service, as well as the processes by which they are applied, at least comply with the requirements of the section in all material respects.
Partially Conforms	The internal audit service falls short of achieving some elements of good practice but is aware of the areas for development. These will usually represent significant opportunities for improvement in delivering effective internal audit and conformance to the standards.
Does Not Conform	The internal audit service is not aware of, is not making efforts to comply with, or is failing to achieve many/all of the elements of the standards. These deficiencies will usually have a significant adverse impact on the internal audit service’s effectiveness and its potential to add value to the organisation. These will represent significant opportunities for improvement, potentially including actions by senior management or the board.

Action Priorities	Criteria
High priority	The internal audit service needs to rectify a significant issue of non-conformance with the standards or the LGAN. Remedial action to resolve the issue should be taken urgently.
Medium priority	The internal audit service needs to rectify a moderate issue of conformance with the standards, the LGAN or other recognised guidance. Remedial action to resolve the issue should be taken, ideally within six months.
Low priority	The internal audit service should consider rectifying a minor issue of conformance with the standards, the LGAN or other recognised guidance. Remedial action to resolve the issue should be considered but the issue is not urgent.
Advisory	These are issues identified during the EQA that do not adversely impact the service’s conformance with the standards or LGAN. Typically, they include areas of enhancement to existing operations and the adoption of best practice.

1. Instigate regular private meetings between the Head of Audit and risk Management and the Chair of the Governance and Audit Committee (Medium priority)
Rationale	Agreed Action
Other than attending the Governance and Audit Committee, which is a meeting open to the public and officers of the Council, the Head of Audit and Risk Management does not meet regularly in private with the Chair of the Governance and Audit Committee to discuss matters of a confidential or sensitive nature. Principle 3 in the CIPFA guidance on the Role of the Head of Internal Audit (HIA) is clear that the relationship between the HIA and the Chair of the Committee is crucial to the delivery of an effective internal audit function. Having regular private meetings with the Chair of the Committee would undoubtedly help strengthen the independence of the Head of Audit and Risk Management as well as enhancing compliance with the CIPFA guidance on the Role of the Head of Internal Audit and is widely regarded as good practice.	The Head of Audit and Risk Management will arrange private meetings with the Chair of the Governance and Audit Committee to coincide with the scheduled Committee meetings.
Action Responsibility	Head of Audit and Risk Management
Deadline	July 2022

2. Make greater use of data analytical techniques (Advisory)
Rationale	Agreed Action
Whilst the Head of Audit and Risk Management is aware of the need to make greater use of data analytics and has already started to train staff, mainly on the functionality in Excel at present, we feel there are opportunities to enhance this element of the services that Internal Audit provide by making use of specialist data interrogation and auditing tools, such as IDEA, ACL, Arbutous or similar applications.	A training session on Excel data analytics was attended by all members of the team in November 2022 but has not been applied to date and one of the team has since left. We are due to recruit replacement staff and will undertake further training once they are in post and look to apply this in practice.
Action Responsibility	Head of Audit and Risk Management
Deadline	March 2023

3. Consider employing trainee or apprentice auditors (Advisory)
Rationale	Agreed Action
Our second observation relates to the Service’s ability to fill the vacant Senior Auditor posts that it has. Given that there is currently a national shortage of qualified and skilled internal auditors. Whilst there is no short-term solution to recruiting permanent staff, in the longer term the Head of Audit and Risk Management should consider alternative solutions to ensuring the Service has a sustainable in-house team. There are options that should be considered, including incorporating trainee or apprentice internal audit posts in the structure, and putting the post holders through relevant professional qualifications. Another option may be the use of internships where undergraduates from universities are given work placements in the Service, albeit on a short-term basis. Both are viable options and being considered by other internal audit services, although we acknowledge that these options require robust management and supervision processes if they are to be effective.	The option to take on an apprentice was considered in 2021 but was discounted at the time in favour of getting two qualified senior auditors as due to COVID we were working remotely and would not have been able to provide the face-to-face supervision and support an apprentice should have. Now that one of the senior auditor posts has become vacant, we have taken the decision to take on an apprentice and are working with Learning and Development to recruit an apprentice to start in September 2022.
Action Responsibility	Head of Audit and Risk Management
Deadline	September 2022