Code of practice for internal audit in local government
CIPFA consultative draft: April 2000
Comments from The Association of Chartered Certified Accountants
Executive Summary
The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to comment on the CIPFA Consultative Draft Code of Practice for Internal Audit in Local Government (the Draft).
ACCA believes that the Draft does not adequately reflect best practice in internal audit, as it has developed in the private sector since CIPFA first introduced its Code of Practice for Internal Audit (the Code) in 1993. With the Government promoting the adoption of ‘best commercial practice’ for the public sector, ACCA believes that, in updating the Code, CIPFA should take this opportunity to lead on public sector internal audit developments.
The Draft ignores the wider definition of internal audit as given by the Institute of Internal Auditors (IIA), which, if accepted, would have far reaching implications for bringing the Code up to date. CIPFA does not appear to adopt the same risk based approach to auditing as the Audit Commission does. The most contentious issue, however, is that CIPFA retains its policy that "the head of internal auditing should report directly to the responsible finance officer", otherwise known as the Finance Director (FD): ACCA does not consider this sound advice.
The Draft appears to define a certain model to deliver internal audit and we feel that it would be more appropriate if the Code were to be presented as a set of generic principles, supplemented with guidance notes on how to apply these principles in different types of authorities. We suggest that the interpretation of such a Code would be better left to the auditor delivering the internal audit service.
1. General Comments
1.1 Before proceeding to discuss the technical content of the document, we would like to point out that the submission was prepared in the light of the following constraints:
- the Draft was issued to the ACCA one week after it was issued to CIPFA members at their annual accounting conference
- a copy of the original Code was not supplied with the Draft for comparison purposes
and
- the Draft lacks the necessary background information and source referencing to other related documents to make it a ‘user friendly’ document.
1.2 The introduction to the Draft states that the original 1993 Code "has been updated to take account of changes that have taken place in the organisational world in which internal audit operates". It points out that, in preparing the Draft, CIPFA has taken into account developments by other professional bodies and has drawn on practice followed in other parts of the public sector, including the NHS and central government. ACCA does not believe, however, that the Draft adequately reflects best internal audit practice as emerging from the private sector. Government, generally, is trying to meet ‘best commercial practice’ and hence, ACCA believes that in updating the Code, CIPFA should take this opportunity to lead on public sector internal audit developments.
1.3 The Audit Commission has issued a new Code of Audit Practice, which brings in a more risk based approach to auditing. The concept of risk hardly gets mentioned in the Draft, other than in the introduction and in describing control risk assessment, even though it is becoming accepted practice that internal audit should focus on reviewing those areas of an entity that are most at risk. Central government is currently considering how far it should be influenced by the concept of risk management.
1.4 Throughout the Draft, CIPFA refers to "management’s responsibilities" without differentiating the responsibilities of elected members, who form the governing body, from those of statutory senior officers. There is no reference to the potential new executive arrangements, emanating from the Local Government (Organisation and Standards) Bill, which is currently passing through Parliament to allow for strong leadership.
1.5 ACCA believes that the Code has to apply to a wide range of local authorities, from parishes to unitary authorities, all of which are facing different challenges. The Draft, however, appears to adopt a prescriptive approach to internal auditing and hence does not give local authorities the scope to adapt the Code to their own particular circumstances.
2. Specific Comments
2.1 We present our specific comments on the Draft in the same sequential chapter and paragraph order as presented in the original document.
Objectives and Scope
2.2 Chapter 1 is confined to areas defined in the APB guideline and hence no account has been taken of the new wider meaning of internal audit as defined by the IIA. If this new definition were to be adopted it would have far reaching implications for the rest of the document.
2.3 ACCA believes that the Code should be redrafted to allow a local authority to properly consider the 1996 Audit and Accounts Regulation. This would require the Terms of Reference section (page 2 of the Draft) to reflect that it is for the authority to formally consider the terms of reference of internal audit whilst taking account of the most up to date legislation and guidance.
2.4 Paragraph 7 explains that management should be responsible for agreeing the strategy and terms of reference for internal audit. ACCA believes that it is for the council or an appropriate committee of council to approve the audit strategy and terms of reference.
2.5 Paragraphs 13 and 14 state that (a) "a framework for audit involvement in fraud investigation and prosecution should be set down in an anti-fraud and corruption strategy for the authority" and (b) "the organisation will also need a whistle blowing policy or confidential reporting procedure". However, there is no further elaboration or guidance. These comments should be linked back to the objectives and scope of internal audit.
Independence
2.6 Paragraph 20 gives inconsistent guidance. The first sentence states that "it is for the organisation to decide where internal audit fits into the management structure" whereas the second sentence states that "the head of internal audit should report directly to the responsible finance officer and the scrutiny function". Many local authorities have already taken the opportunity, provided by the 1996 Act, to separate audit from the finance function with the Head of Internal Audit reporting to the chief executive officer (CEO) and/or an audit or scrutiny committee, in line with central government and NHS practice.
2.7 CIPFA appears to be locked in tradition by retaining its policy that the responsible finance officer (nowadays known as the FD) should also assume responsibility for internal audit. This is regardless of the spirit of the 1996 Accounts and Audit Regulation and the accompanying DoE guidance, which envisage local authorities adopting best corporate governance practice.
Relationships
2.8 The Draft seems to be anticipating that one best practice model will flow from the Local Government (Organisation and Standards) Bill, whereas we believe that the bill should enable local authorities to decide on their own member structures. As the Bill is introducing constitutional change to local authorities, internal audit will need to provide assurance that any new arrangements meet with the public sector ethos in accordance with the forthcoming Act.
2.9 Paragraphs 50 and 51 recognise that (a) internal audit is part of a complex network of relationships that extend beyond the traditional financial areas and (b) it is important that those different relationships conform to some core principles. Paragraph 68 then advises that although the Accounts and Audit Regulation 1996 makes the "employing organisation" (i.e. the authority) responsible for "maintaining an effective system of internal audit" nevertheless "this responsibility can still be delegated to the officer with section 151 responsibility" i.e. the FD. ACCA does not agree that it is appropriate for a council to delegate its responsibility for internal audit to the FD, as this could be viewed as compromising the objectivity of internal audit. If a council decides that internal audit should be responsible to the FD, then members will have decided to carry the potential risk of mis-management.
2.10 Section G7 of the Draft states that an objective of internal auditing is to assist management in the pursuit of value for money (VFM), which is achieved through economic, efficient use of resources. ACCA believes that the purpose of internal auditing is to:
- independently examine and evaluate management’s activities and performance in the context of council’s policy in the pursuit of VFM
and
- provide advice and guidance and some level of assurance on the authority’s internal control environment in relation to the governance arrangements for effective decision taking, performance and risk management and achieving VFM.
Planning, Controlling and Recording
2.11 Paragraph 90 states that the strategic plan "may be a broad outline of the work to be undertaken to meet internal audit’s objectives", whereas paragraph 94 states that "the organisation will need to specify the overall strategy in terms of the depth, breadth, frequency and timing of each systems audit" depending on the level of assurance required. Best practice suggests that a strategic plan should state the organisation’s strategic objectives and the strategic work that will be undertaken, within a specific timeframe, together with the resources that will be deployed in order to meet these objectives.
2.12 ACCA believes that the strategic plan should be prepared annually as a three to five year rolling programme with performance against plan reported to the authority at least quarterly.
2.13 On the whole, the section on strategic planning actually deals with mainly operational issues. For example, paragraph 91 states that "the strategic audit plan should be derived from an audit needs assessment of all systems within the organisation". An audit needs assessment only indicates the relative risk of each area assessed and is not an absolute measure of need. ACCA believes that a departmental strategic plan is concerned with those areas of strategic importance to the existence of the internal audit department. The survival of an internal audit department will largely be determined by:
- management’s attitude to the quality of the internal control system
- the perceived added value to the organisation from having an internal audit function
and
- the extent and quality of competition from external suppliers.
The following hypothetical example is provided for illustrative purposes only. Internal audit may need access to the most up to date information technology equipment and software in order to meet efficiency targets. The strategy may be to (a) purchase or lease the equipment and software over the period of the plan, or (b) contract work out to a specialist firm. The accepted/approved strategy should be reflected in the budget and shown as a commitment in the strategic plan.
2.14 Paragraph 95 implies that the ‘scrutiny function’ decides the level of resources of internal audit whereas it is for the authority to decide how to make this decision.
Evaluation of the Internal Control System
2.15 Paragraphs 115-117 appear out of place as an introduction to this chapter in that they focus on ‘control risk self assessment’ (CRSA). In our view, the introduction to this chapter ought to focus on introducing ‘management’s responsibility’ in relation to maintaining appropriate effective systems for delivering their objectives. It should also give some indication as to how ‘effectiveness’ can be judged. The rest of the chapter should concentrate on the internal audit role. We suggest that paragraphs 115-117 be omitted, or at least be moved to later in the chapter, as CRSA is arguably a management tool and is not commonly used. We also suggest that the Code should not specify approaches for evaluating internal control systems but should be confined to describing a general approach and the necessary requirements.
Evidence
2.16 Paragraph 129 needs clarification, as ACCA believes that it is internal audit’s responsibility to gather the evidence that it needs in order to support its findings. Clients should provide internal audit with specific evidence as requested: it is not for clients, generally, to make sure that "all necessary evidence has been made available for an audit".
Reporting and Follow-up
2.17 ACCA suggests that the words "adequacy, reliability and effectiveness" in paragraph 151 be replaced by the word ‘soundness’ in accordance with the recommendations of the Turnbull Committee.
Presentation
2.18 ACCA suggests that the following amendments be made to each paragraph as stated:
- paragraph 4, sentence 2 should also refer to terms of reference
- paragraph 10, point (i) insert the word ‘management’ before information
- paragraph 13, sentence 2, insert the word ‘possible’ before audit involvement
- paragraph 26 could provide examples of external factors that could compromise the auditor’s judgement
- paragraph 31, the first sentence should read ‘where organisations continue to operate on a business unit basis …etc.’
- paragraph 78 should read that declarations of interest are maintained and ‘kept up to date’
- paragraph 90 could end with the sentence ‘this should be prepared in consultation with senior managers’
- paragraph 91 mentions "standard lists", which are available in the CIPFA FIS series in the volume on internal audit, to which the bibliography should be cross referenced
- paragraph 111, the last sentence should point out that the annual report should include a clear audit opinion on the quality of the authority’s internal control system
- paragraph 114, audit files should, at least, be retained until after the next audit of a particular system has been completed
- paragraph 133, last sentence repeats what is said at G58
- paragraph 137, should read ‘in addition it is good practice to have annual reporting of an opinion on the quality of internal control and the performance of internal audit’
- paragraph 142 should read ‘the audit manual should outline the …etc.’
and
- paragraph 146 is a repetition of paragraph 141.


