Responsibility
The head of internal audit (HIA) is responsible for all aspects of internal audit activity, including:
- strategy
- planning
- performance
- quality
- reporting
The HIA will:
Strategy
- Develop and maintain an internal audit strategy
- Review the internal audit strategy at least annually with management and audit committee
Planning
- Develop and maintain a risk based internal audit plan
- Engage with management and consider the council’s strategic and operational objectives and related risks in the development of the internal audit plan
- Review the internal audit plan periodically with management. The review will reflect changes in the risk environment. These changes must be approved when significant
- Present the internal audit plan, including updates, to the audit committee for periodic review and approval
- Agree an internal audit budget sufficient to fulfil the requirements of:
  - this charter
  - the internal audit strategy
  - the internal audit plan
- The internal audit budget is reported annually to the cabinet and full council. This is for approval as part of the council's overall budget. The head of internal audit will draw any resourcing issues that potentially impact on the effectiveness of the internal audit function to the attention of:
  - the chief executive
  - section 151 officer
  - the audit committee
- Coordinate with and (where relevant) provide oversight of other control, monitoring and assurance functions, including risk management and external audit.
- Consider the scope of work of the external auditors (and other assurance providers) for the purpose of providing optimal audit coverage to the organisation.
The HIA should be consulted about:
- Significant proposed changes to the internal control system
- Implementation of new systems
Advice can then be provided on the standards of controls to be applied. This need not prejudice the audit objectivity when reviewing systems at a later date.
In developing the internal audit plan, we also take account of the council’s assurance framework. We use the three lines of assurance, which are obtained through our combined assurance work. These are:
- management – accountable for delivery
- corporate and third-party – external inspections and internal assurance functions
- internal audit – independent assurance
We achieve these through:
- Speaking to senior and operational managers who have the day-to-day responsibility for managing and controlling their service activities
- Working with corporate functions and using other third-party inspections to provide information on:
  - performance
  - successful delivery
  - organisational learning
- Using the outcome of internal audit work to provide independent insight and assurance opinions
- Considering other information and business intelligence that feed into and have the potential to impact on assurance
Performance
- Implement and deliver the risk based internal audit plan
- Maintain professional resources with sufficient knowledge, skills and experience to meet the requirements of:
  - this charter
  - the internal audit strategy
  - the internal audit plan
- Allocate and manage resources to accomplish internal audit engagement objectives
- Establish and maintain appropriate internal auditing procedures incorporating best practice approaches and techniques
- Monitor delivery of the internal audit plan using appropriate performance indicators
- Hold regular senior management and statutory officer liaison meetings
Quality
- Establish a quality assurance framework to:
  - provide a system for monitoring and evaluating our effectiveness and conformance with the standards
  - ensure continuous improvement within the internal audit service
  - ensure compliance with professional standards, code of ethics and council codes of conduct
  - meet client expectations and demonstrate our importance to the business
  - facilitate the head of internal audit’s statement on conformance with the international standards for the professional practice of internal auditing
- Undertake an annual assessment of the service and its compliance with the standards. Every five years the assessment is undertaken externally by a suitably qualified, independent assessor
- Obtain regular feedback on the quality and impact of our work (added value)
The standards are principles focused. They consist of the basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance.
The ten core principles set out what we must do to be considered effective. All these principles must be present and operating effectively to achieve our mission:
- demonstrates integrity
- demonstrates competence and due professional care
- is objective and free from undue influence (independent)
- aligns with the strategies, objectives and risks of the organisation
- is appropriately positioned and adequately resourced
- demonstrates quality and continuous improvement
- communicates effectively
- provides risk-based assurance
- is insightful, proactive and future focused
- promotes organisational improvement
Reporting
- Issue a report to management at the conclusion of each engagement. The reports will:
  - confirm the results of the engagement
  - state the timetable for the completion of agreed management actions
- Provide periodic reports to management and the audit committee. The reports will summarise:
  - internal audit activities
  - the results of internal audit engagements
- Provide periodic reports to management and the audit committee on the status of agreed management actions taken in response to internal audit engagements
- Report annually to the audit committee and management on internal audit performance against goals and objectives. The report includes an annual assurance opinion on governance, risk and control. This will also help inform the council's annual governance statement.
- Report as needed to the audit committee on management, resource, or budgetary impediments to the fulfilment of:
  - this charter
  - the internal audit strategy
  - the internal audit plan
- Inform the audit committee of emerging trends and practices in internal auditing
- Provide results of the annual review on the effectiveness of internal audit. This will include:
  - the outcomes of its quality assurance and improvement programme to both management and the audit committee
  - a statement on the organisational independence of internal audit and conformance with the code of ethics. Any significant non-conformance must be included in the annual governance statement.
- The HIA will meet informally in private with members of the audit committee or the committee as a whole as required
- Report as necessary any significant risk exposures and control issues, including:
  - fraud risks
  - governance issues
  - matters for or requested by the audit committee
  - any response to risk by management that may be unacceptable to the council