Internal Audit Charter:

 

1.0       Introduction

 

1.1       The Mid Kent Internal Audit Charter defines the purpose, authority and responsibility of Internal Audit. It establishes Internal Audit’s position within the organisation; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.

 

1.2       An internal audit charter is a requirement of the Public Sector Internal Audit Standards, which also define the content of the charter.

 

1.3       In the context of the Standards and their application for Mid Kent Audit, the ‘board’ is the respective Audit Committee for each of the four partners, the ‘chief audit executive’ is the Head of Audit Partnership and senior management are the Heads of Service, the Directors and the Chief Executive.

 

1.4       Mid Kent Audit is a shared service partnership between Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils.

 

2.0       Code of Ethics

 

2.1       Internal auditors will conform to the Code of Ethics as shown in the Standards. The Code of Ethics promotes an ethical culture in the profession of internal auditing.  A code is particularly necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control and governance.

 

2.2       Auditors who have membership of another professional body must also comply with the relevant requirements of that organisation.

 

2.3       The key ethical principles are:

·         Integrity

·         Objectivity

·         Confidentiality

·         Competency

 

2.4       Internal auditors will also have regard to the Committee on Standards of Public Life’s Seven Principles of Public Life. www.public-standards.gov.uk

 

3.0       Purpose, Authority and Responsibility

 

3.1       Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the Council’s operations. It helps the Council accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. (Definition of Internal Audit – PSIAS 2013)

 

3.2       Authority for Internal Audit is provided by the Accounts and Audit Regulations 2011, which require that the Council ‘undertake an adequate and effective internal audit of its accounting records and its system of internal control in accordance with the proper practices in relation to internal control’. The ‘proper practices’ are the Public Sector Internal Audit Standards. The Regulations require that any officer or member must:

 

a)      Make available such documents and records as appear to be necessary for the purposes of the audit, and

b)      Supply Internal Audit (on behalf of the Council) with such information and explanation as Internal Audit considers necessary for that purpose.

 

3.3       The scope for Internal Audit is the control environment, comprising risk management, control and governance. The scope of internal audit activity therefore includes all of the services, resources, systems, processes, assets and interests of the Council, including those operated by other agencies or contractors on the Council’s behalf.

 

3.4       Internal Audit is, and will remain, free from interference in determining the scope of internal auditing, performing work and communicating results.

 

4.0       Assurance provided to the organisation

 

4.1       Internal Audit will provide assurance through a systematic disciplined approach designed to evaluate and improve the effectiveness of risk management, control and governance processes. It is not possible to provide absolute assurance.

 

5.0       Independence and Objectivity

 

5.1       Internal Audit will be independent and internal auditors will be objective in performing their work.

 

5.2       The Head of Audit Partnership will report to a level within the organisation that allows Internal Audit to fulfil its responsibilities. The level will be a senior officer who is a member of the chief officer management team.

5.3     The Head of Audit Partnership will confirm the organisational independence of Internal Audit to the Audit Committee in an annual report.

5.4          The Head of Audit Partnership will report functionally to the Audit Committee.

5.5       The Head of Audit Partnership will establish effective communication with, and have free and unfettered access to, the chief executive, the section 151 officer, the monitoring officer and the chair of the audit committee.

5.6       In order to demonstrate and ensure independence, the chief executive (or equivalent) will undertake or countersign or contribute feedback or review the performance appraisal of the Head of Audit Partnership. The chair of the audit committee will also be asked to comment on performance.

5.7     Internal Audit will be free from interference in determining the scope of internal auditing, performing work and communicating results.

5.8          The Head of Audit Partnership will communicate directly with the Audit Committee.

6.0       Individual objectivity

6.1       Auditors will exhibit the highest level of professional objectivity, and will make a balanced assessment for each audit and will not be unduly influenced by their own interests or those of others, and will not engage in any activity that may impair their judgement. As such, auditors will have no operational responsibility or authority over any of the activities audited.

 

6.2       Internal auditors will have an impartial, unbiased attitude and avoid any conflict of interest.

 

6.3       If independence or objectivity is impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

 

6.4       Internal auditors will not assess specific operations for which they were previously responsible within the previous year.

 

7.0       Consulting activities

 

7.1       Consulting services are advisory in nature and are generally performed at the specific request of the organisation, with the aim of improving governance, risk management and control and contributing to the overall opinion.

 

7.2     Approval will be sought from the Audit Committee for any significant additional consulting services not already included in the audit plan, prior to accepting the engagement.

 

7.3       If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure will be made to the engagement client prior to accepting the engagement.

 

7.4       The Head of Audit Partnership will decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

 

7.5       Internal auditors will exercise due professional care during a consulting engagement by considering the:

·         Needs and expectations of clients, including the nature, timing and communication of engagement results;

·         Relative complexity and extent of work needed to achieve the engagement’s objectives; and

·         Cost of the consulting engagement in relation to potential benefits.

 

8.0       Proficiency and Due Professional Care

 

8.1       Engagements will be performed with proficiency and due professional care.

 

8.2       The Head of Audit Partnership will ensure that individual auditors possess the knowledge, skills and other competencies needed to perform their individual responsibilities and that the collective audit partnership team possesses a sufficiently broad range of skills.

 

8.3       Internal auditors within the partnership team will be encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications.

 

8.4       Internal auditors are expected to enhance their knowledge, skills and other competencies through continuing professional development.

 

8.5       The Head of Audit Partnership will hold a professional qualification (CMIIA, CCAB or equivalent) and be suitably experienced.

 

8.6       Internal auditors will have sufficient knowledge to evaluate the risk of fraud.

 

8.7       Internal auditors will have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.

 

8.8       Internal auditors will apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

 

8.9       Internal auditors will exercise due professional care by considering the:

 

·         Extent of work needed to achieve the engagement’s objectives;

·         Relative complexity, materiality or significance of matters to which assurance procedures are applied;

·         Adequacy and effectiveness of governance, risk management and control procedures;

·         Probability of significant errors, fraud, or non-compliance; and

·         Cost of assurance in relation to potential benefits.

 

8.10     Internal auditors will be alert to the significant risks that might affect objectives, operations or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

 

9.0       Quality Assurance and Improvement Programme

 

9.1       Quality assurance procedures are set out in the Mid Kent Audit Partnership Procedure Manual which makes the respective responsibilities of the internal auditors and the audit manager clear for the audit cycle, from engagement to follow-up. These provide the basis for the day-to-day supervision, review and measurement of the internal audit activity.

 

9.2       Periodic internal self-assessments will be carried out and will be considered by the Audit Partnership Board and the respective Audit Committee.

 

9.3       External assessment of conformance with the Standards will be carried out at least every five years by a qualified, independent assessor or assessment team from outside the organisation. The Head of Audit Partnership will discuss with the Audit Committee:

 

·         The form of external assessments;

·         The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest; and

·         The need for more frequent external assessments.

  

9.4       The Head of Audit Partnership will agree the scope of external assessments with the Audit Partnership Board and the respective audit committee.

 

9.5       The results of the quality and improvement programme will be reported to the Audit Partnership Board, the respective management team and the audit committee.

 

9.6       Progress against any improvement plans, agreed following external assessment, will be reported in the annual report.

 

9.7       Subject to the external assessment confirming that the internal audit activity conforms to the International Standards for the Professional Practice of Internal Auditing, the statement of conformance will be quoted in internal audit reports and elsewhere.

 

9.8       Instances of non-conformance will be reported to the audit committee. More significant deviations will be considered for inclusion in the governance statement.

10.0     Managing Internal Audit

 

10.1     The Head of Audit Partnership will manage internal audit effectively to ensure that it adds value.

 

10.2     Internal audit adds value to the Council (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management and control processes.

 

11.0     Planning

 

11.1     Mid Kent Audit works to a risk-based plan to determine the priorities of the internal audit activity for each of the four partner Councils, consistent with the respective organisation’s goals.

 

11.2     The risk-based plan takes into account the requirement to produce an annual internal audit opinion on the assurance framework. It is linked to a high level statement (a strategy) stating how the internal audit service will be delivered and developed in accordance with the internal audit charter and how it links to organisational objectives and priorities.

 

11.3     The Internal Audit Plan is based on a documented risk assessment process, which is utilised annually to create a one year audit plan for each Council.

 

11.4     The preparation of the plan includes consultations with the Heads of Service to help to identify their risk areas, and consultation with the s151 officer and other members of senior management and with the audit committee.

 

11.5     Consulting engagements, where accepted, are included in the plan.

 

11.6     Audit plans are provided to senior management, and to the audit committee for approval. The resources necessary to deliver the plan are shown.

 

11.7     The adequacy of internal audit resources is an ongoing consideration for the Head of Audit Partnership, with a statement on adequacy made in the annual report.

 

11.8     The Head of Audit Partnership will ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plans.

 

11.9     The risk-based plan will include an internal audit resource assessment.

 

11.10   Where the Head of Audit Partnership believes that the level of agreed resources will impact adversely on the provision of the annual internal audit opinion, the consequences will be brought to the attention of the audit committee.

 

11.11   The Mid Kent Audit Procedures Manual contains policies and procedures to guide the internal audit activity.

 

11.12   Mid Kent Audit has adopted a protocol with the external auditors which agrees the sharing of information and the coordination of activities. The assurance provided by the external auditors and other assurance providers is a consideration when preparing the internal audit plan, subject to any work required in order to be able to place reliance upon the sources.

 

12.0     Reporting to Senior Management and the Board

 

12.1     The Head of Audit Partnership reports on a six-monthly basis to the respective management team and audit committee on internal audit’s purpose, authority, responsibility and performance relative to its plan. The reports include significant risk exposures and control issues, including fraud risks, governance issues and other matters.

 

12.2     The internal audit service is provided in partnership with other Councils; however, the annual report to the audit committees highlights that the respective Council has the responsibility for maintaining an effective internal audit activity in accordance with the Accounts and Audit Regulations.

 

12.3     Internal Audit evaluates and contributes to the improvement of governance, risk management and control processes using a systematic and disciplined approach.

 

12.4     Internal Audit assesses and makes appropriate recommendations for improving the governance process in the context of:

 

·         Promoting appropriate ethics and values with the respective Councils

·         Ensuring effective organisational performance management and accountability

·         Communicating risk and control information to appropriate areas of the organisation; and

·         Coordinating the activities of and communicating information among the audit committee, external and internal auditors and management.

 

12.5     Internal Audit will carry out internal audit work which seeks to evaluate the design, implementation and effectiveness of the Council’s ethics-related objectives, programmes and activities.

 

12.6     Internal Audit will assess whether the information technology governance for the Council supports the Council’s strategies and objectives.

 

13.0     Risk Management

 

13.1     Internal Audit will evaluate the effectiveness and contribute to the improvement of risk management processes.

 

13.2     Internal Audit will evaluate risk exposures relating to the Council’s governance, operations and information systems for the:

 

·         Achievement of the Council’s strategic objectives;

·         Reliability and integrity of financial and operational information;

·         Effectiveness and efficiency of operations and programmes;

·         Safeguarding of assets; and

·         Compliance with laws, regulations, policies, procedures and contracts.

 

13.3     Internal Audit will evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk.

 

13.4     Managing the risk of fraud and corruption is the responsibility of management. Internal Audit procedures alone cannot guarantee that fraud and corruption will be detected.

 

13.5     Where evidence of fraud is detected as part of audit work the matter will be brought to the attention of the relevant Head of Service and the s151 officer. Where evidence of fraud is detected elsewhere within the organisation, the relevant Head of Service will bring the matter to the attention of the Head of Audit Partnership.

 

13.6     Where requested to do so by senior management, Internal Audit will, where appropriate, assist with the investigation.

 

13.7     During consulting engagements, internal auditors will address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.

 

13.8     Internal auditors will incorporate knowledge of risks gained from consulting engagements into their evaluation of the Council’s risk management processes.

 

13.9     In the context of their work, internal auditors will not assume any management responsibility by actually managing risks.

 

14.0     Control

 

14.1     Internal Audit will evaluate the adequacy and effectiveness of controls in responding to risks within the Council’s governance, operations and information systems regarding the:

 

·         Achievement of the Council’s strategic objectives;

·         Reliability and integrity of financial and operational information;

·         Effectiveness and efficiency of operations and programmes;

·         Safeguarding of assets; and

·         Compliance with laws, regulations, policies, procedures and contracts.

 

14.2     Internal auditors will incorporate knowledge of controls gained from consulting engagements into the evaluation of the Council’s control processes.

 

15.0     Engagement Planning

 

15.1     An engagement brief will be created for each audit project, which will represent a plan for each engagement’s objectives, scope, timing and resource allocations.

 

15.2     In planning the engagement the internal auditor will consider:

 

·         The objectives of the activity being reviewed and the means by which the activity controls its performance;

·         The significant risks to the activity, its objectives, resources and operations and the means by which the potential impact of risk is kept to an acceptable level;

·         The adequacy and effectiveness of the activity’s governance, risk management and control processes compared to the relevant framework or model;

·         The opportunities for making significant improvements to the activity’s governance, risk management and control processes; and

·         Whether opportunities exist to consider the value for money of the activity being reviewed.

 

15.3     Consulting activities will be the subject of a similar written engagement brief.

 

16.0     Engagement Objectives

 

16.1     Objectives will be established for each engagement.

 

16.2     Internal auditors will conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives will reflect the results of this assessment.

 

16.3     Internal auditors will consider the probability of significant errors, fraud, non-compliance and other exposures when developing the engagement objectives.

 

16.4     Use will be made of the criteria used by management to determine whether objectives and goals have been accomplished. This will form part of the preparation for the audit and will be reflected in the engagement brief. If the criteria are inadequate, internal auditors will work with management to develop appropriate evaluation criteria.

 

16.5     Consulting engagement objectives will address governance, risk management and control processes to the extent agreed upon with the client and will be consistent with the Council’s values, strategies and objectives.

 

16.5     The established scope will be sufficient to satisfy the objectives of the engagement and will include consideration of relevant systems, records, personnel and physical properties, including those under the control of third parties.

 

16.6     If significant consulting opportunities arise during an assurance engagement, they will only be pursued where a written agreement with the client is created. If internal auditors develop reservations about the scope during the engagement, these reservations will be discussed with the client to determine whether to continue with the engagement.

 

16.7     As part of engagement planning, internal auditors must determine the level of resources sufficient to achieve the engagement objectives based on the nature and complexity of the engagement, time constraints and available resources.

 

16.8     Internal auditors will develop and document work programmes that achieve the engagement objectives.

 

16.9     Work programmes will include the intended process for identifying, analysing, evaluating and documenting information during the engagement. The work programme will be approved prior to its implementation and any adjustments will be approved.

 

17.0     Performing the Engagement

 

17.1     Internal auditors will identify, analyse, evaluate and document sufficient information to achieve the engagement’s objectives.

 

17.2     Internal auditors will identify sufficient, reliable, relevant and useful information to achieve the engagement’s objectives.

 

17.3     Internal auditors will base conclusions and engagement results on appropriate analyses and evaluations.

 

17.4     Internal auditors will document relevant information to support the conclusions and engagement results. All such documents will be stored securely in electronic format.

 

17.5     The Head of Audit Partnership will control access to engagement records. The approval of senior management and/or legal counsel will be obtained prior to releasing such records to external parties, as appropriate.

 

17.6     The Head of Audit Partnership has developed retention requirements for engagement records (and all other audit records and documents). These include policies for the custody and retention of records, as well as their release to internal and external parties.

 

17.7     Engagements will be properly supervised by the Audit Manager to ensure objectives are achieved, quality is assured and staff are developed.

 

18.0     Communicating Results

 

18.1     The results of all engagements will be communicated in writing, in the form of an audit report. The report will include the engagement’s objectives and scope as well as applicable conclusions, recommendations and action plans.

 

18.2     The report will, where appropriate, contain the internal auditor’s opinion and conclusions. The opinion and conclusion will be supported by sufficient, reliable, relevant and useful information.

 

18.3     The report will acknowledge satisfactory performance.

 

18.4     The results of the engagement will not be released to anyone other than the client unless the client has given instructions to do so.

 

19.0     Quality of Communications

 

19.1     Communications will be accurate, objective, clear, concise, constructive, complete and timely.

 

19.2     If a final communication contains a significant error or omission, the Head of Audit Partnership will communicate corrected information to all parties who received the original communication.

 

19.3     Subject to having had an external assessment which confirmed that internal audit conforms to the International Standards for the Professional Practice of Internal Auditing, the statement of conformance will be quoted in internal audit reports. Where a specific engagement did not conform, this will be disclosed in the report.

 

19.4     The Head of Audit Partnership will communicate the results of the audit (or consultancy) engagement with the appropriate Head of Service, the relevant Director and the Chief Executive (and others if instructed by the Chief Executive).

 

19.5     The Head of Audit Partnership will review and approve the final communication (report) before issuance and decide to whom and how it should be disseminated.

 

19.6     If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing reports to parties outside the Council the Head of Audit Partnership will:

 

·         Assess the potential risk to the Council

·         Consult with senior management and/or legal counsel as appropriate; and

·         Control dissemination by restricting the use of the results.

 

19.7    All reports, where appropriate, will include an overall opinion on the adequacy of the control assurance at the time of the audit.  The opinion will be supported by sufficient, reliable, relevant and useful information.

 

19.8    The Head of Audit Partnership will deliver an annual internal audit opinion and report that can be used by the Council to inform its governance statement. The annual internal audit opinion will conclude on the overall adequacy and effectiveness of the Council’s framework of governance, risk management and control.

 

19.9    The annual report will incorporate:

 

·         The opinion

·         A summary of the work that supports the opinion

·         A statement on conformance with the Public Sector Internal Audit Standards and the results of the quality assurance and improvement programme.

 

19.10   A process is in place to ensure that responses (action plans) are received from the client addressing the recommendations made in each audit report.

 

19.11   A follow-up process is in place to monitor and ensure that management actions have been effectively implemented or that management has accepted the risk of not taking action.

 

19.12   The results of consulting engagements are also monitored.

 

19.13   If the Head of Audit Partnership concludes that management has accepted a level of risk that may be unacceptable to the organisation, the HAP will discuss the matter with senior management. If the HAP determines that the matter has not been resolved, the HAP will communicate the matter to the audit committee.   

 

Version 1         5 September 2013