Agenda item

Internal Audit Update

The purpose of this report is to provide the Combined Authority Audit and Governance Committee with an overview of the internal audit work completed in the fourth quarter of 2021-22 and first quarter of 2022-23, in accordance with the Internal Audit Plans 2021-22 and 2022-23.


The Committee considered the report of the Head of Internal Audit which provided the Combined Authority Audit and Governance Committee with an overview of the internal audit work completed in the fourth quarter of 2021-22 and first quarter of 2022-23, in accordance with the Internal Audit Plans 2021-22 and 2022-23.


Laura Williams, Head of Internal Audit, advised that there was an element of duplication as some of this work had been included in the Annual Report due to the fact that it related to last year. The report summarised the 15 new audits which had been completed and also included the outcomes from the governance work which again could be seen in the Annual Report and it also cut across to the Annual Governance Statement. Members might have noticed that the format of the report had changed a little and that was cognisant of the changes to the way that the Audit Plan had been set out. The report had been split into core work and responsive work and some detail had been provided around the responsive piece of the work as to what was in progress and why those particular pieces of work had been chosen and how these linked into the Corporate Risk Register. It was important to show that when selecting pieces of work it was not done on an arbitrary basis but that it was something that linked into our Corporate Risk Register and would likely be significant issues affecting the organisation.


The other element which had been included within the report was the CIPFA report on the state of Internal Audit. She confirmed that she had provided a summary of the key findings in the report and how those would impact on the Combined Authority and what was required to move those forward. The majority of the actions were things that had already been recognised and were being worked on. There were a couple of areas which had been teased out in the report where there was more work to do particularly around capacity and resources and work was ongoing as to how the team was resourced and how new entrants might be attracted to the Internal Audit profession. 


Councillor Graham Morgan referred to section 3 on page 103 of the report which set out 13 high priority recommendations of which two were still outstanding in respect of the assurance framework and health, safety and wellbeing in  operational transport. He asked when it was expected that those responses would be received and were there any concerns in terms of the delay. Laura Williams advised that those pieces of work had only been issued very recently so were not causing concern at the moment. She advised that more attention was paid to recommendations now and the team worked with Executive Directors to inform them about where there might be delays in their directorate. If there had been any concerns, then they would have been drawn out in the report. 


Jean Gleave referred to section 4 on page 110 in respect of Responsive Audit which noted that this part of the plan related to work to be conducted in response to identified areas of significant risk to the organisation. She felt that it would be useful to cross-reference to say where those risks were within the organisation so that the links could be seen and also how would that balance be carried on working through the year if it had an impact on the core plan. Laura Williams confirmed that it was possible to tie these pieces of work to items in the Corporate Risk Register and she could easily provide that. She advised that an Audit Plan was always a balancing act and it all came down to risk at the end of the day as to what was the most pressing risk. There was always an element of work that had been identified at the start of the year that it was proposed to complete but clearly if something on the Corporate Risk Register or a new risk came forward then there was the flexibility to reprioritise the plan to make sure that resources were being focused effectively. In last year’s plan it could be seen that a number of audit areas had been sacrificed because there were more pressing priorities that had come along or that some of those pieces of work had not been timely. It was always a balancing act. The plan did highlight what were thought to be the core areas of work and it was quite specific about what the responsive areas of work were but that was not to say that that might not change as the year progressed and there was that transparency to the Committee if changes needed to be made. 


Councillor David Burgess-Joyce referred to the capacity and capability issues in respect of them being a bit thin. He asked whether there was an opportunity for a lot of the pre-work to be taken on as a responsibility of Department Heads as it seemed that Internal Audit was small tight knit team. He queried whether that was viable and if not why. Laura Williams was not sure that she had said that resources were stretched. The team was very much optimised in terms of its productivity. She stated that Internal Audit was classed as being the third line of defence. Management was the first line and they were responsible for implementing the controls for managing their systems, services and processes and they carried that responsibility. There were certain other review functions that formed the second line and then Internal Audit was the third line. She felt that it was not possible to have a dilution of distinction between those lines of defence and therefore the audit function should not be delegated to managers. It was necessary for Internal Audit to maintain its independence so that it was able to go into those services, review them, look at how they operated, the quality of controls in place and to rely to a certain extent on the assurances that were provided obviously doing that on a risk basis but also with the use of evidence. It had been made clear that responsibility for the maintenance of risk management, internal control and governance processes sat with the first line which was management and Internal Audit would independently assess the quality of those processes as part of their work. It was necessary to maintain a clear line between those two elements but Internal Audit did work very closely with the managers within that area to make sure that it had the information, support and evidence required to undertake the audit effectively and therefore management were engaged as much as possible.


Councillor David Burgess-Joyce asked if something went seriously wrong where did the responsibility lie. He was aware of the responsibility being held at the first line but it just felt a bit woolly. Laura Williams confirmed that responsibility would lie with management without dispute. She had a professional responsibility to undertake her work in a diligent way which was to identify any deficiencies in those controls but she could not be held responsible for management failures she could only bring them to the attention of managers through her work. Councillor Burgess-Joyce asked what sanctions there were for a Department Head if they failed to do what was asked of them. He felt that there was no accountability in the public sector and he queried whether there was something that could be done to improve that situation to help Internal Audit. Laura Williams replied that as Head of Internal Audit all she could do was to make it very clear to the organisation where deficiencies might lie and what action management needed to take. If she found she was not getting the answers she needed then she would continue to raise and escalate that further.


Councillor Graham Morgan did not agree with the comments made by Councillor Burgess-Joyce as he felt that there were clear examples of accountability in the public sector when things went wrong. 


John Fogarty, Executive Director Corporate Services, stated that this Audit Committee was one of the ways in which Internal Audit discharged that function of holding managers accountable for their actions. The Executive Leadership Team took Internal Audit matters extremely seriously and managers were held to a very high standard for their actions or inactions. Internal Audit was used to inform where there were issues of non-compliance and he assured Members that the line of accountability was very strong.


RESOLVED - That the report be noted.


Supporting documents: