Agenda item

Annual Internal Audit Strategy & Risk Based Plan 2021-22


The Head of Internal Audit submitted a report, in order to provide Members of the Governance and Audit Committee with the Annual Internal Audit Strategy and Risk Based Plan for 2021-22.


He explained, by way of background, that in line with the Public Sector Internal Audit Standards (PSIAS), the Head of Internal Audit must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.


The Public Sector Internal Audit Standards required a risk-based audit plan to be produced to cover the Council’s overall control environment, including risk, governance and internal controls, as far as was practicable.


The changes to the way the Council had been operating since Covid-19, including any new risks as a result of remote working, had been considered and included within the draft audit plan for 2021-22.


Attached at Appendix A to the report was the draft Internal Audit Strategy document for 2021-22. This demonstrated how the Internal Audit Service would be delivered and developed in accordance with the Committee’s Terms of Reference. The Strategy would be reviewed and updated annually in consultation with stakeholders, namely the Governance and Audit Committee, Corporate Management Board, External Auditors and Senior Management.


The Head of Internal Audit explained that the 2021-22 draft Annual Risk Based Plan of work had been formulated in compliance with the PSIAS. The draft detailed plan was attached at Appendix B to the report.


The proposed plan at Appendix B would offer sufficient coverage to be able to provide an opinion at the end of 2021-22. It would also consider risks that had emerged and were ongoing in relation to the Covid-19 pandemic, amongst others.


The Lay Member asked if consideration had been given to developing the draft Annual Risk Based Audit Plan so that it covered a longer and more strategic timeframe than an annual period, allowing longer-term strategies to be included and embedded in the Plan, for example by having a 3 Year Plan. She also asked what the joint service Authorities' relationship was with Audit Wales, particularly in terms of monitoring performance and improvements, given that there were not one but four participating Authorities comprising the Regional Service.


The Head of Internal Audit advised that the relationship with Audit Wales was strong; there were common Performance Auditors across the four Councils but different Financial Auditors. He also met with Audit Wales representatives covering the four Councils to share progress on work and to raise any issues.


With regard to having a longer term Plan, the Head of Internal Audit confirmed that this had been the case in the past, i.e. having in place a 5 or 3 Year version. However, it had been changed in recent years to facilitate a more dynamic approach, as risks can change quickly and have to be responded to promptly. The Regional Service also planned to look at some common work areas across the four Councils, for example Cyber Security, so that learning from different Councils could be applied. A standard approach had also been adopted for carrying out audits, report formats etc.


The Chairperson noted that the Service was still holding a number of vacancies. She asked whether, until these were filled, the Service intended to adopt a frontload approach to cover Audit related work, through the use of SWAP or another external provider, or whether the intention was to backload this work until such time as suitable staff were in post and fully trained.


The Head of Internal Audit advised that there were still vacancies within the Service, but the structure had been finalised and it was hoped that progress could be made in terms of filling the roles in the Autumn. SWAP, or an alternative external provider, would continue to be used to complete some audits, along with Internal Audit also doing this work. The intention was therefore neither to frontload nor to backload work, but to balance the work over the year, as consideration also had to be given to the availability of, and pressure on, Service Department staff to be able to devote time to audits.


RESOLVED: The Committee considered and approved the draft Internal Audit Strategy (Appendix A to the report) and draft Annual Risk Based Audit Plan for 2021-22 (at Appendix B).

