|
Requirement |
Description |
Responsibility |
Response |
Action |
|
Authority Compliance (Section 4) |
The authority should explain how it complies with the Code in its annual governance statement. CIPFA is currently updating its guidance on annual governance statements for publication in 2025. Conformance with both the Code and GIAS in the UK public sector will be featured in the new Addendum as part of the core arrangements authorities should have in place. Effective arrangements for the governance of internal audit, as well as effective internal audit, are vital parts of an authority’s governance arrangements. |
Authority |
This is a new requirement and will therefore be included in future AGS. |
Management to ensure that 2025/26 AGS includes specific reference to organisational compliance with Code of Practice for the Governance of Internal Audit in UK Local Government. |
|
Internal Audit Mandate (Section 1.1) |
In local government in the UK, internal audit’s authority comes from the statutory requirement within the Accounts & Audit Regulations [England] 2015. |
Internal Audit
|
Included within IA Charter which is approved annually by senior management and audit committees. |
None. |
|
In addition to internal audit’s mandate from regulations, each body may agree a wider statement of internal audit’s authority.
|
Authority |
Internal Audit’s mandate is further set out within local financial regulations and procedures. |
None.
|
|
|
Internal Audit Charter (Section 1.2) |
The chief audit executive has a responsibility to prepare a charter that conforms with GIAS (UK public sector). When reviewing the charter, the audit committee should be satisfied that it covers the governance arrangements for internal audit. It must include the mandate derived from the regulations, plus any additional agreed mandate, and include internal audit’s reporting line to the audit committee. The charter should include the administrative reporting arrangements for internal audit and the chief audit executive. |
Internal Audit
|
Internal Audit Charter has been updated to reflect new GIAS, including governance arrangements for internal audit. Specific reference to mandate from regulations already covered. |
None. |
|
Support for Internal Audit (Section 1.3) |
Internal audit’s activities require access to and support from senior management, the audit committee and those charged with governance. Support allows internal audit to apply their mandate and charter in practice and meet expectations. |
Authority |
Internal Audit has regular access to senior management, the audit committee and those charged with governance. |
None. |
|
Support including putting in place the following conditions: · The direct reporting line of the Chief Internal Auditor is not lower than a member of the senior management team and has access to all members of the team; · The Chief Internal Auditor should be a senior manager, providing them with the necessary profile to fulfil the function’s mandate; · Where internal audit is delivered through a partnership arrangement, there is a nominated Chief Internal Auditor and client responsibility lies with a member of senior management; · The organisational position of the Chief Internal Auditor should be supported by direct reporting to the audit committee. |
Authority |
The Chief Internal Auditor is a senior manager and reports directly to a member of the senior management team and has access to all others where needed.
In all cases client management rests with a member of senior management.
The Chief Internal Auditor has a direct reporting line to all audit committees. |
None. |
|
|
The audit committee can also demonstrate its support for internal audit by: · Enquiring of senior management and the Chief Internal Auditor about any restrictions on the internal audit’s scope, access, authority or resources that limit its ability to carry out its responsibilities effectively. · Considering the audit plan or planning scope and formally approving or recommending approval. · Meeting at least annually with the Chief Internal Auditor in sessions without senior management present. |
Authority |
In all cases, audit committees have the ability to, and do, enquire as to any restrictions on internal audit activities.
Audit Strategies and Plans are approved by all audit committees on an annual basis.
Whilst it does not routinely happen, arrangements exist to enable the Chief Internal Auditor to meet with audit committees without senior management present. |
None.
|
|
|
|
||||
|
Organisational Independence (Section 2.1) |
On behalf of those charged with governance, senior management needs to establish and safeguard internal audit’s independence. These arrangements must include: · Ensuring internal audit’s access to staff and records, as set out in regulations and the charter, operates freely and without any interference to its scope, performance of engagements or communication of results. · Ensuring that the chief audit executive reports in their own right to the audit committee on the work of internal audit. · Providing opportunities for the chief audit executive to meet with the audit committee without senior management present. At least one such meeting must be held each year. · Where there are actual or potential impairments to the independence of internal audit, senior management should work with the chief audit executive to remove or minimise them or ensure safeguards are operating effectively. · Recognise that if the chief audit executive has additional roles and responsibilities beyond internal auditing, or if new roles are proposed, it could impact on the independence and performance of internal audit. The impact must be discussed with the chief audit executive and the views of the audit committee sought. Where needed, appropriate safeguards must be put in place by senior management to protect the independence of internal audit and support conformance with professional standards. |
Authority |
Internal Audit access to staff and records covered within Charter, Accounts and Audit Regulations and local financial procedures/regulations.
Whilst the Chief Internal Auditor effectively reports in their own right to audit committees on the work of Internal Audit, technically in some cases the reports are presented in the name of senior management in accordance with organisational requirements.
Both the Chief Internal Auditor and the audit committees have the ability to meet in private at any time without senior management present. This is an option available when needed.
No actual or potential impairments to the independence of internal audit exist or have been experienced.
The Chief Internal Auditor currently has no additional roles or responsibilities that impact on the independence and performance of Internal Audit.
|
None. |
|
In local government, matters around the appointment, removal, remuneration and performance evaluation of the chief audit executive will be undertaken by senior management, but these arrangements must not be used to undermine the independence of internal audit. The audit committee should provide feedback on the proposed job description and the performance evaluation of the chief audit executive should include feedback from the chair of the audit committee. In shared or outsourced arrangements, the audit committee should provide feedback on the operation of the contract. |
Authority |
Whilst audit committee chairs have previously been involved in the appointment of the CIA, this has not formally included feedback on their performance evaluation.
Through ongoing interaction between CIA and audit committee, along with performance information provided with regular progress reports, the audit committee are able to provide ongoing feedback on the operation of the shared services arrangements. Confirmation of adequacy of internal audit arrangements provided annually as part of annual internal audit report. |
None. |
|
|
The audit committee must support internal audit’s independence by reviewing the effectiveness of safeguards at least annually, including any issues or concerns about independence from the chief audit executive. The chief audit executive must have the right of access to the chair of the audit committee at any time. The audit committee can escalate its concerns about internal audit independence to those charged with governance. |
Authority |
No issues or concerns over Internal Audit independence have arisen and the CIA has the right of access to chairs of audit committees where required. Should any issues or concerns arise, arrangements are in place for these to be escalated through regular formal and informal interactions between CIA, the chairs of audit committees and the audit committees themselves, including within formal Internal Audit progress reporting. |
None. |
|
|
Qualifications of the Chief Audit Executive (Section 2.2) |
Ensuring effective leadership of the internal audit team requires a suitably qualified and experienced chief audit executive. The Application Note: GIAS in the UK public sector sets out the qualifications and competencies expected of the chief audit executive. These must be taken into account by senior management when recruiting to the post. |
Authority |
The CIA role profile clearly requires the postholder to be suitably qualified and experienced, and these are taken into account by senior management when recruiting the role. |
None. |
|
|
Where internal audit is fully outsourced, senior management should ensure that an appropriate individual from the provider is nominated as the chief audit executive and meets the qualification requirements. |
Authority |
No fully outsourced arrangements in place. |
None. |
|
Audit Committee Interaction (Section 3.1) |
All audit committees should follow the CIPFA audit committee guidance for the oversight of internal audit. |
Authority |
In 2021, Audit and Standards Committee completed a self-assessment in accordance with CIPFA best practice. The assessment generally identified a few areas for improvement which were actioned. Current self assessment also completed. |
None. |
|
To ensure there is good interaction between the audit committee and internal audit, audit committees must agree its work plan with the chief audit executive to ensure there is appropriate coverage of internal audit matters within audit committee agendas. |
Authority / Internal Audit |
Forward plans for all audit committees are in place, produced in conjunction with the CIA, and which include appropriate coverage of internal audit matters. |
None. |
|
|
The audit committee workplan should provide for the internal audit mandate and charter, strategy, plans, engagement reporting and the annual conclusion, and quality reports. The committee should also oversee the tracking and implementation of the actions agreed following audits. |
Authority / Internal Audit |
Forward plans for all audit committees include the internal audit mandate and charter, strategy, plans, engagement reporting, annual conclusion, quality reports and action tracking. |
None. |
|
|
The audit committee must familiarise itself with the authority’s assurance framework, governance, risk management and internal control arrangements to facilitate its interactions with internal audit. |
Authority |
All audit committees remit includes assurance framework (inc. AGS), governance, risk management and internal control. |
None. |
|
|
Senior management should update the audit committee on significant changes to governance, risk and control arrangements and any concerns they have on assurance. The audit committee should have oversight of the annual governance statement before final approval. |
Authority |
See above. All audit committees have oversight of the annual governance statement before final approval. |
None. |
|
|
Where internal audit consider the management of risk or proposed actions in response to audit engagements represent an unacceptable level of risk to the authority, the audit committee must review the matter. The committee should make their recommendation to either management or those charged with governance as necessary. |
Authority / Internal Audit |
Where Internal Audit consider management’s response to risk issues identified through internal audit activity is unacceptable, this will be reported to the audit committee for review. No such circumstances have, however, been identified. |
None. |
|
|
Resources (Section 3.2) |
The audit committee and senior management must engage with the chief audit executive to review whether internal audit’s financial, human and technological resources are sufficient to meet internal audit’s mandate as set out in the regulations and achieve conformance with GIAS (UK public sector). |
Authority |
Through regular reporting to audit committees throughout the year the CIA will report any issues associated with financial, human or technological resources that may impact on service delivery. Regardless, audit committees regularly enquire of the CIA on these issues to obtain the necessary assurance. |
None. |
|
Where there are concerns about internal audit’s ability to fulfil its mandate or deliver an annual conclusion, the concerns should be formally recorded and reported to those charged with governance. |
Authority |
See above. This has not occurred, but should it happen, concerns would be escalated through the audit committee to those charged with governance. |
None |
|
|
If resource issues result in a limitation of scope on the annual conclusion, this should also be reported and disclosed in the annual governance statement. |
Authority |
See above. Should the CIA report on any limitation of scope, this will be included with the annual governance statement. |
None. |
|
|
Decisions on internal audit resourcing by senior management and those charged with governance must take account of the longer-term risks to the governance and financial sustainability of the authority and internal audit’s role in supporting those objectives. The long-term viability of the internal audit function must be considered. |
Authority |
Long terms resourcing of the IA function based on organisational priorities, risks and financial strategies. |
None. |
|
|
Where there are temporary resource constraints, senior management must work with the chief audit executive to establish longer-term plans for sustainable internal audit resources. |
Authority |
Resourcing challenges are managed by the CIA in co-ordination with senior management and the audit committee. Long term strategy currently focussed on ‘growing our own’ with appropriate investment in training and development. |
None. |
|
|
Quality (Section 3.3) |
Annually, the audit committee must review the results of the chief audit executive’s assessment of conformance against GIAS (UK public sector), including any action plan. |
Authority |
An annual self-assessment against professional standards (GIAS) is undertaken by the CIA and reported to the audit committee, along with a summary of any actions arising. |
None. |
|
The audit committee must review the chief audit executive’s annual report, including the annual conclusion on governance, risk management and control, and internal audit’s performance against its objectives. The committee should review in-year updates and make appropriate enquiries if there are concerns about internal audit performance. |
Authority |
The audit committee reviews all outputs from the CIA including annual report and opinion, quarterly progress reports and the strategy and annual audit plan. Appropriate discussions and enquiries take place on all occasions. |
None. |
|
|
To meet the requirements of the regulations (the mandate) for internal audit, the audit committee must satisfy itself on the effectiveness of internal audit. They should take into account conformance with the standards, interactions with the committee, performance and feedback from senior management. Their conclusions should be reported to those charged with governance, for example, as part of the audit committee’s annual report. |
Authority |
See above. The audit committee regularly receives reports covering internal audit performance and effectiveness and makes enquiries of these throughout the year. Currently unclear, however, as to the extent to which conclusions are reported to those charged with governance. |
Review arrangements for Audit, Standards and General Purposes Committee reporting on its conclusions as to the effectiveness of Internal Audit, possibly as part of the committee’s annual report. |
|
|
External Quality Assessment (Section 3.4) |
On behalf of those charged with governance and the audit committee, senior management must ensure that internal audit has an external quality assessment at least once every five years of its conformance against GIAS (UK public sector), including this Code. Senior management and the chief audit executive should discuss the timing of the review and report the options and their recommendation to the audit committee. |
Authority |
Internal Audit is subject to an independent external quality assessment at least once every 5 years, with last review conducted by the Chartered Institute of Internal Auditors, which reported in 2022. Next review therefore due in 2027, the timing and options for which will be agreed with the audit committees. |
None. |
|
Where the authority is the client of an internal audit provider, (shared, partnership or outsourced functions), then agreement on the approach to the EQA will need to take account of the broader arrangements. |
Authority |
See above – agreement to the approach obtained from all audit committees and takes account of broader partnerships arrangements. |
None. |
|
|
Where the authority commissions the EQA, the proposals for the scope, method of assessment and assessor should be brought to the audit committee for agreement. For all EQAs covering local government clients, the assessor must use this Code alongside the standards and be familiar with the sector. |
Authority |
See above – for next review, scope, method and assessor will continue to be bought to audit committees for agreement and will include use of the Code. |
None. |
|
|
The audit committee must receive the complete results of the assessment and consider the chief audit executive’s action plan to address any recommendations. Progress should be monitored. |
Authority / Internal Audit |
The complete results of external assessments are reported to all audit committees along with details of any action plans arising. |
None. |
|
|
Where the audit committee does not have delegated authority, the committee should report the overall results of the external quality assessment to those charged with governance. |
Authority |
See above. |
None. |