Agenda No. 10a

Annual Assurance Report

Scottish Fire and Rescue Service 2018-19

Audit and Risk Assurance Committee - 26/06/2019

Internal Audit

Report Issue Date: 14-06-2019 NOT PROTECTIVELY MARKED

Paper no: C/ARAC/22-19 Meeting date: 26 June 2018 Agenda item: 10a

Title: SCOTTISH FIRE AND RESCUE SERVICE (SFRS): ANNUAL ASSURANCE REPORT 2018/19

1. Purpose

1.1. For information and comment.

2. Key Messages

2.1. Reasonable assurance provided on risk management, control and governance arrangements.

2.2. Six of seven assignments in revised 2018-19 Internal Audit Plan completed.

2.3. 100% of recommendations accepted.

2.4. External Quality Assessment of IA by Institute of Internal Auditors confirms IA conforms to the Institute’s professional standards.

2.5. Overview of IA by Audit Scotland confirms no areas of significant non-compliance against standards.

3. Action Required

3.1. Members are invited to comment on and note the 2018-19 assurance opinion and Internal Audit’s performance for that reporting period.

Jim Montgomery, Senior Internal Audit Manager
Gary Gibb, Internal Audit Manager

Audit&RiskAssuranceCommittee/Report/ Page 2 of 13 Version: 1.0 14/06/2019 AnnualAssuranceReport2018-19 NOT PROTECTIVELY MARKED

4. Introduction

4.1. This report summarises internal audit work relating to SFRS during 2018-19 and provides our overall assurance opinion on its risk management, control and governance arrangements during the year. It also summarises Internal Audit’s (IA) performance during the period. The report helped form the basis of a general report on our work which will be considered by the Scottish Government Assurance and Audit Committee (SGAAC) on 24 June 2019.

5. Overall Opinion

5.1. Our work was undertaken in accordance with UK Public Sector Internal Audit Standards (PSIAS), the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF), and with the standards set out in the Scottish Public Finance Manual (SPFM). These standards require us to provide an objective opinion supported by sufficient, reliable and relevant evidence.

5.2. Our framework for assessing assignment and overall assurance opinions is set out at Annex 1. After carefully considering all of the evidence, we have provided “reasonable” assurance for 2018-19, which means in general terms that controls were adequate but require improvement. The opinion continues to reflect SFRS’s development and while there has been good progress in many areas, there is a continuing need to focus upon the efficient and effective implementation of the developed frameworks, policies and procedures.

6. Rationale for Opinion

6.1. In arriving at our opinion, we relied primarily on the results of our direct work, taking into consideration the nature of our main internal audit assignments (assurance and advisory), their significance to the risk environment and their significance relative to each other (Annex 2 refers). Our direct work also included follow-up of 26 recommendations from 2017-18 audit reviews, with the results of these detailed at Annex 3. We also continue to monitor and report to the ARAC upon progress with the implementation of other remaining recommendations.

6.2. In line with the principles of integrated assurance, we also took account of the following when arriving at our overall assurance opinion:

• Competency, skill set and general approach of the Audit and Risk Assurance Committee in conducting its corporate governance role.
• Attitude towards, and engagement of, senior management in risk management, control and governance arrangements.
• The risk maturity of the organisation.
• Corporate governance documents.
• Outcomes from thematic inspections by HM Fire Service Inspectorate: Operational Risk Information (Feb 2019) and Fleet and Equipment Management (May 2019).
• External Audit reviews and management responses to these.
• Approach to prevention, detection and management of fraud.

6.3. Finally, we framed our overall assurance opinion in the context of our cumulative knowledge of SFRS’s control environment.


Fraud

6.4. IA is a permanent member of the SG Counter Fraud Group (CFG), whose primary purpose is to lead on the implementation of effective counter fraud policy across SG. The CFG also monitors relevant cases of suspected internal and external fraud that are reported to the SG Fraud Response Team (FRT) through formal reporting lines. We are therefore party to information regarding instances of reported fraud and we are sometimes commissioned to carry out work on the CFG’s behalf. SFRS’s internal audit staff are responsible for monitoring the SFRS Fraud Response Plan. There were no instances of potential fraudulent activity during 2018-19.

7. IA Performance

7.1. IA’s performance is subject to monitoring in various ways. Our annual Internal Quality Assessment concluded that we generally conform to PSIAS. We commissioned the Chartered Institute of Internal Auditors (IIA) to undertake an External Quality Assessment (EQA) against PSIAS, which is required every five years. The report is attached and confirms that IA conforms to the IIA’s professional standards. Audit Scotland’s 2018-19 Overview Report of IA is also attached and confirms that Audit Scotland did not find any areas of significant non-compliance with PSIAS. Our 2018-19 Annual Report is due to be considered by the Scottish Government Audit and Assurance Committee on 24 June 2019 and will be issued via correspondence to the ARAC thereafter.

8. Conclusion

8.1. Members are invited to comment on and note the assurance opinion for 2018-19 and IA’s performance for that reporting period.


Annex 1

Definition of Assurance and Recommendation Categories

Assurance

Substantial Assurance (Controls are robust and well managed): Risk, governance and control procedures are effective in supporting the delivery of any related objectives. Any exposure to potential weakness is low and the materiality of any consequent risk is negligible.

Reasonable Assurance (Controls are adequate but require improvement): Some improvements are required to enhance the adequacy and effectiveness of procedures. There are weaknesses in the risk, governance and/or control procedures in place but not of a significant nature.

Limited Assurance (Controls are developing but weak): There are weaknesses in the current risk, governance and/or control procedures that either do, or could, affect the delivery of any related objectives. Exposure to the weaknesses identified is moderate and being mitigated.

Insufficient Assurance (Controls are not acceptable and have notable weaknesses): There are significant weaknesses in the current risk, governance and/or control procedures, to the extent that the delivery of objectives is at risk. Exposure to the weaknesses identified is sizeable and requires urgent mitigating action.

Recommendations

High: Serious risk exposure or weakness requiring urgent consideration.
Medium: Moderate risk exposure or weakness with need to improve related controls.
Low: Relatively minor or housekeeping issue.


Annex B

Audit Area: Information Governance – GDPR
Final Report Issued: 30/08/2018
Assurance: Reasonable
Recommendations: 0 High, 6 Medium and 2 Low

Audit Area: Information Governance – GDPR Implementation
Final Report Issued: 18/03/2019
Assurance: Substantial
Recommendations: 0 High, 1 Medium and 1 Low

Responsible Director: Strategic Planning, Performance and Communications

Comments: We split this review into two parts, to enable us to assess the preparedness for and compliance with GDPR. We found that:

• Direct oversight of the progress of actions in relation to GDPR is by an Information Governance Group chaired by the Head of Corporate Governance and directly accountable to the Corporate Assurance Board.
• A GDPR Working Group is in place with an approved Terms of Reference.
• Compliance with the legal requirement of privacy by design has required SFRS to undertake Privacy Impact Assessments and Data Protection Impact Assessments.
• There is an appropriate suite of policies, procedures and guidance notes in place to ensure that SFRS is compliant with GDPR.
• Appropriate data management processes are in place.
• Revised terms based on the Scottish Government’s guidelines for public sector organisations, to bring contracts in accordance with GDPR, have been issued to contracted suppliers with a request to accept the terms.
• A mandatory assessable e-learning module on Data Protection and Information Security for all SFRS personnel to raise awareness of GDPR and Information Security was launched in February 2019.
• There is an overarching information security handbook for SFRS that all staff are required to confirm that they have read as part of the mandatory e-learning training.
• A Data Protection Officer has been appointed.
• Ongoing ownership and updating of the Information Asset Register as a business-as-usual process requires to be agreed.


Audit Area: Corporate Governance – Committees and Executive Boards
Final Report Issued: 08/01/2019
Assurance: Reasonable
Recommendations: 0 High, 5 Medium and 2 Low
Responsible Director: Strategic Planning, Performance and Communications

Comments: We found:

• SFRS has an established formal governance route in place for executive boards and committees.
• Management information is of a high standard and is presented in a standard reporting format to executive board and committee meetings, and reports have a named sponsor.
• The arrangements for reviewing the effectiveness of the SFRS Board were revised and approved by the SFRS Board in June 2018.
• A formal induction programme is in place for new board members.
• Board members attend strategy days throughout the year and receive input from relevant personnel on the topics included.
• The development of a structured programme of engagement events for Board members was approved by the SFRS Board in June 2018.
• The papers for committee meetings to be held in public are published to comply with the Standing Orders and the Governance and Accountability Framework.
• All committees have current terms of reference which are subject to annual review and approval by the SFRS Board.
• SFRS is meeting the requirements of the Scottish Public Finance Manual in terms of the risk management framework, and spotlight reporting is now routinely used to monitor key risks in more depth.

Recommendations included:

• The governance route section of the reporting to committee should include all relevant comments and actions from executive board and SLT meetings.
• Consider reviewing report classifications to improve efficiency of committee meetings.


Audit Area: Corporate Governance – External Engagement
Final Report Issued: 13/06/2019
Assurance: Reasonable
Recommendations: 0 High, 4 Medium and 0 Low
Responsible Director: Strategic Planning, Performance and Communications

Comments: We found:

• SFRS utilises the online consultation hub Citizenspace as a tool to support engagement both internally and externally. There is a process in place to handle complaints, comments and compliments.
• There is a standardised approach to Local Fire & Rescue Plan development.
• Monitoring of SFRS performance in meeting the objectives of the Local Fire & Rescue Plans is performed through scrutiny bodies within local councils on a regular basis, and internal monitoring of performance is undertaken at SFRS management meetings.
• There is an SFRS Communications and Engagement Strategy 2017-2020 in place which includes adoption of stakeholder mapping.
• SFRS has been actively involved within The National Emergency Services Collaboration Group.
• SFRS has regular engagement and communication with key Scottish Government Departments.
• Risk management processes are appropriate.

Recommendations included:

• Statistics and trend analysis in relation to complaints, comments and compliments should be routinely monitored by the relevant executive board.
• The Complaints, Comments and Compliments policy and procedure should be reviewed and updated where required.
• An annual communications plan with key objectives, including independent verification of communications and engagement impact, should be developed in accordance with the requirements of the Communications and Engagement Strategy.


Audit Area: Service Improvement Strategy
Final Report Issued: 23/11/2018
Assurance: Reasonable
Recommendations: 0 High, 5 Medium and 1 Low
Responsible Director: Strategic Planning, Performance and Communications

Comments: We found:

• The Strategy was approved by the SLT and subsequently presented to the SFRS Board for noting.
• An initial one year programme of service improvement activities was developed in response to service requirements.
• The Service Improvement Team have been identified as the key enabler of improvement across SFRS.
• The core service improvement team consists of 2 full time members of staff who are appropriately qualified and committed.
• There is monitoring and oversight of the implementation of the Strategy and programme of service improvement activities.
• The core Service Improvement Team is supported by volunteer Service Improvement Assessors.
• Management recognise that in order to meet the future demands of the Service Improvement Team and to be able to fulfil the expectations of managers, it is important to widen the pool of available resources.
• A project to improve business processes has been initiated.

Recommendations included:

• Oversight of the Strategy implementation and action plan progress at Committee/Board level requires to be formally decided.
• Scrutiny of service improvement outcomes should be increased.
• A review of the Learning Content Management System (LCMS) introductory module for service improvement should be performed.
• A structured approach to capturing all service improvement activity, additional to the work undertaken by the Service Improvement Team, should be developed to share best practice and demonstrate continuous improvement and learning.


Audit Area: Purchasing Card Arrangements
Final Report Issued: 18/03/2019
Assurance: Limited
Recommendations: 4 High, 4 Medium and 0 Low
Responsible Director: Finance and Contractual Services

Comments: We found:

• A Purchasing Card Policy and Procedure is in place with associated guidance notes.
• A Purchasing Card Administrator is in place to manage the issuing and withdrawal of cards, to facilitate the card reconciliation process and to liaise with the card provider.
• The financial system Technology 1 has a purchasing card module to facilitate electronic coding and reconciliation of card transactions. This module enforces the principles of separation of duties between cardholder and authoriser.
• Cardholders must complete an electronic monthly reconciliation of card transactions which is then reviewed and authorised by their line manager.

Recommendations included:

• To comply with GDPR, a privacy notice should be issued stating how cardholders’ personal data will be processed and a GDPR statement should be added to the new cardholder application form.
• To comply with HMRC requirements, cardholders should be instructed to provide receipts which detail the goods or services purchased and, where relevant, provide appropriate VAT receipts.
• Reporting on spend should be produced on a regular basis and distributed to budget holders and the Procurement Manager to ensure compliance with Financial Regulations and Procurement rules.
• The SFRS contracts register should be published and circulated to ensure that cardholders do not make purchases through the card when there is a contracted supplier in place.
• The Purchasing Card Policy and Procedure should be updated to ensure that cardholders comply in particular with the Travel and Subsistence Policy and Procedure.


Assignment Title: Brexit Preparations
Final Report Issued: tbc
Assurance: Substantial (emerging)
Responsible Director: Strategic Planning, Performance and Communications

Comments: Our emerging findings confirm that SFRS has sound preparations and contingency planning in place for the UK’s withdrawal from the EU.

Audit Area: Internal Audit Processes (Advisory)

Comments: We drafted an Audit Charter for potential use in SFRS’s procurement process for an Internal Audit service. We also facilitated an introduction to another public body which has recently undertaken a similar procurement exercise.


Annex 3

Monitoring Implementation of Agreed High/Medium Recommendations: Follow-Up Work Completed in 2018-19 on 2017-18 Reviews

High/Medium Recommendations

Audit Title                                                Total  Superseded  Implemented  Partially Implemented  Not Implemented
Firefighter Training Programme                                 3           0            3                      0                0
Income Arrangements (External Funding)                         4           0            4                      0                0
Corporate Responsibility Arrangements (Health and Safety)      5           0            1                      4                0
ICT Security of SFRS Systems                                   6           0            2                      3                1
Fuel Management Arrangements                                   8           0            6                      2                0
Total                                                         26           0           16                      9                1
Percentage                                                  100%          0%          61%                    35%               4%

Comments

Firefighter Training Programme: Audit actions completed during 2018/19 assurance period.

Income Arrangements (External Funding): Audit actions completed during 2018/19 assurance period.

Corporate Responsibility Arrangements (Health and Safety): Due to restructure and organisational change within the Service, actions related to terms of reference and reporting lines are on hold until the business and reporting routes are decided. Since the 1st April the ownership of Significant Events has been transferred across to H&S and a RAG status progress report embedded into the main H&S report that goes to SLT. The planned 2019-20 Health, Safety and Wellbeing audit review has not been progressed due to ongoing vacancy issues.

ICT Security of SFRS Systems: Two of the “partially implemented” actions have been completed by the action owner: they have to provide evidence for one, whilst the Internal Audit function has still to review the evidence for the other. The Security Policy is being amended to temporarily remove the secure storage element and then it can be sent out for consultation and published. Getting this published allows all SFRS staff to be aware of the guidelines for marking documents, and once agreement has been made between ICT and Information, the Policy can be revised.

Fuel Management Arrangements: The main fuel procedure has been issued and a data cleanse has been done on the fuel management system. The Fuel Support Group has created desktop guidance for office use, which has still to be forwarded to Internal Audit as the final part of evidence. An interface between Tranman (Fleet Management System) and Jigsaw (Fuel Management System) has been installed and the reporting features are currently being tested and trialled. It is anticipated that reports will be issued out at the end of June; however, guidance on reporting and remediation of issues requires to be developed.


EXTERNAL QUALITY ASSESSMENT (EQA) REPORT FOR

Scottish Government Internal Audit

Prepared by Chris Butler on behalf of

The Chartered Institute of Internal Auditors,

March 2019

Page 1

TABLE OF CONTENTS

EXECUTIVE SUMMARY PAGE NUMBERS

Opinion, including level of conformance to the International Professional Practices Framework (IPPF) 3

Key Messages 4-5

Recommendations to achieve conformance to the Standards 6-7

Scope for Further Development 8

SWOT Analysis 9

Internal audit maturity 10

Recommendations for Further Development 11-12

IIA Grading definitions 13

List of Interviewees 14

Disclaimer: The EQA Review was concluded in February 2019 and provides management and the Audit Committee with information about Internal Audit as of that date. Future changes in environmental factors and actions taken to address recommendations, may have an impact upon the operation of Internal Audit in a manner that this report cannot anticipate. Considerable professional judgment is involved in evaluating. Accordingly, it should be recognised that others could draw different conclusions. This report is provided on the basis that it is for your information only and that it will not be quoted or referred to, in whole or part, without the prior written consent of Chartered IIA.

Page 2

EXECUTIVE SUMMARY – Scottish Government Internal Audit Directorate (IAD)

Background

The Chartered Institute of Internal Auditors (CIIA) has undertaken an external quality assessment of the Scottish Government’s Internal Audit Directorate (IAD) against the Public Sector Internal Audit Standards (PSIAS). The review assessed IAD against the professional standards framework (the IPPF set out below) using an assessment process which incorporates the additional requirements of the PSIAS. The Standards form the foundation for effective internal audit practice. The review has included the services provided to the Scottish Government core and to its arms-length bodies where these receive an internal audit service from IAD. We did not review the work conducted on behalf of the European Commission, as this is regularly assessed by the Commission.

Our review included interviews with the chair of the Scottish Government Audit and Assurance Committee (SGAAC), the Permanent Secretary, most of the Director Generals and other internal audit stakeholders including a sample of stakeholders in sponsored bodies and internal audit staff (see Appendix 2 for full list). These interviews were supplemented by the results of surveys of stakeholders and staff. We also reviewed audit reports submitted to a selection of Audit Committees in the last year, in addition to a sample of associated working papers from recent audits and other relevant policies and documents.

Conformance Opinion and conclusion

The Institute of Internal Audit’s (IIA’s) International Professional Practice Framework (IPPF) includes the Definition of Internal Auditing, Core Principles, Code of Ethics and International Standards. There are 64 fundamental principles to achieve with 118 points of recommended practice. It is our view that the IA team conforms to 54 of these principles (with 6 not applicable), as summarised in the table below. This places IAD in the category of Generally Conforming overall to the IPPF. It is therefore appropriate for the internal audit function to say in reports and other literature that it “conforms to the IIA’s professional standards”.

Summary of IIA Conformance

Standards                                                         Does not conform  Partially conforms  Generally conforms  N/A  Total
Definition of IA and Code of Ethics (Rules of conduct)                           -                   -                  12    -     12
Purpose 1000 - 1130                                                              -                   -                   8    -      8
Proficiency and Due Professional Care (People) 1200 - 1230                       -                   -                   3    1      4
Quality Assurance and Improvement Programme 1300 - 1322                          -                   -                   6    1      7
Managing the Internal Audit Activity 2000 - 2130                                 -                   2                   9    1     12
Engagement Planning 2200 - 2600                                                  -                   2                  16    3     21
Total                                                                            -                   4                  54    6     64

Page 3

Key Messages

IAD is well regarded by key stakeholders who value the core assurance work, the advisory work and for the Scottish Government core, the increasing use of cross-cutting reviews which the function delivers. The Director of Internal Audit (referred to in this report as the Head of Internal Audit – HIA) is well respected by colleagues and has been implementing a range of improvements to many areas of IAD’s working practices which we support. We noted a number of key strengths of the IAD team which reflect the “generally conforms” opinion in most areas of the IPPF set out above and are further detailed in our SWOT analysis set out on page 10.

The main areas of the Standards relating to establishing the internal audit function, those covering Remit, Reporting Lines and Independence, are well in place supported by the updating of the Internal Audit Charter, the development of the Internal Audit Manual and improvements in strategic level planning. Progress has been made in bringing in a number of new staff to add to the team’s capability, developing the use of standard documentation and extending quality control and assurance over the audit process. The main areas for development concern managing some aspects of the internal audit activity and managing the delivery of assignments. Improvements in these areas should improve IAD’s overall impact and effectiveness.

These areas are covered in detail on pages 5-6 and are in summary:

• Providing a more focussed approach to reviewing and providing an opinion on risk management;
• Improved management of resources at Directorate level to ensure delivery of the whole programme;
• Better allocation and management of resources on individual audit assignments; and
• More flexible and targeted supervision of assignments.

The findings from the interviews and surveys we conducted demonstrate the impressive improvements which the HIA and the IAD have been introducing over the last two years and it is clear that these developments are continuing. The IAD has been particularly flexible in responding to management requests and in undertaking advisory engagements, sometimes risking the existing programme. However, given the current level of change and uncertainty this is appropriate provided there are clear criteria for undertaking advisory work since generally it should support the assurance work. In general we support the more proactive, forward looking work which tends to be a characteristic of much of the advisory work. In addition, we support use of the more challenging cross-cutting audits provided that IAD has the capacity to undertake them successfully.

Stakeholders recognise the professional and independent approach the auditors take. The main criticisms relate to understanding the business and what managers are trying to achieve, timeliness of the fieldwork and report and some uncertainty about whether IA selects important risks or topics for their audits. However, stakeholders do seem to be well consulted at the planning stage as well as plans being fully discussed by the audit committee. Audit reports are generally seen to be clear and concise although there are some views that they could have less boilerplate. We have seen some examples of good innovative approaches to auditing including use of analytical software, assurance mapping and an audit of culture.

Morale and enthusiasm within IAD seems to be good and good efforts are made to keep staff informed and involved. It is important to ensure that all staff are actively developed, both through formal training and by being given a variety of types of work. We are pleased that one Senior Internal Audit Manager has recently taken on oversight of training and development. Quality assurance processes have been revamped and we were pleased to see the use made of a checkpoint document to prompt and record sign off of key stages of audits with an opportunity to record lessons learned once the audit has been completed.

It is difficult to benchmark Internal Audit services because they differ so much in terms of their target audit universe and stakeholders. That said, we would say that in terms of what it is trying to audit IAD is comparable in size and cost to other large public sector audit units. It is slightly below average in terms of the cost per auditor and cost per man-day. It is lower in terms of the number of audits per auditor per year, suggesting that a possible direction would be towards more tightly focussed audits. However, this measure may indicate that some audit time is being consumed on advisory work which is valued but not always captured. This is one area where reviewing KPIs could be useful.

Overall our view is that IAD is in a good place in terms of its adherence to standards and in delivering a valuable service to its multiple stakeholders. There is more to be done to consolidate some of the more recent developments, achieve greater consistency, share good audit practices within the directorate, develop its staff in line with the challenging programme of audits to be undertaken and improve the efficiency and effectiveness of its work.

Page 5

Recommendations to achieve full conformance to the Standards

Risk Management (standard 2120)

Recommendation: Review of how risks are being managed is done throughout the year in assurance assignments, advisory work and by attendance at the assurance committees. We recommend that a formal evaluation of the effectiveness of risk management needs to be done annually in the way it is already carried out in some sponsored bodies. This will provide more evidence for the HIA’s opinion on risk management in the annual assurance report. Where risk management is still maturing IAD should provide more active support to improving it and should work closely with the risk function.

Management Response & Action: Agreed. We are planning on working closely with the new Director of Performance and Strategic Outcomes and the Chief Financial Officer on the work that is being undertaken in Scottish Government to further develop risk management. This, alongside a number of the cross-cutting reviews that we will be undertaking in 2019-20, will provide us with more evidence to support our assessment of risk management in the annual assurance report.

Resource Management (standard 2030)

Recommendation: IAD is currently struggling to fill a large number of vacancies mainly at B1 and B2 level. This leaves IAD short of resources in the short term. We recommend that where it is cost-effective IAD should plan to use more input from higher graded staff on audits of the more challenging subjects. The use of other sources such as contractors and guest auditors from the business or from other public sector bodies should also be explored. We support the initiative to rationalise the charging of sponsored bodies which could help to fund the greater use of contractors. The principle should be that full costs should be recovered and that the amount of audit should relate to the need for assurance on risk rather than being constrained by the charging position.

Management Response & Action: Agreed. We will continue to explore all avenues for staffing the planned audits with properly skilled resources, including the use of contractors and guest auditors. We agree that the amount of audit should relate to the need for assurance, and we will continue to strive to be as cost effective as we can in delivering the assurance required.

Engagement Resource Allocation (Standard 2230)

Recommendation: There seems to be a process for selecting the appropriate skill set and the degree of management oversight, based on knowledge of the team and the nature of the assignment. However, this is constrained by the current level of vacancies and the number of trainees. Where necessary and possible contractors are used to fill gaps, especially where there are particular skill needs. Further steps are needed to fill vacancies and raise the skill and experience level. We recommend that the skills matrix be updated and used to plan resource usage and identify training and development needs.

Budgets for specific assignments seem to be relatively generous although some budgets are exceeded. By adopting a more keenly risk focussed approach it should be possible to expand the scope or depth of the audits or reduce the man-days. It is also important to recognise and resource audits according to the degree of challenge. As IAD moves towards tackling more challenging types of subject, which is increasingly what stakeholders are requesting and appreciating, deploying the right skills becomes even more important. We recommend that more attention is given to identifying the appropriate resource needs and then planning to complete assignments in specific quarters and to avoid audits bunching up at the end of the year.

Management Response & Action: Agreed. We agree that the skills matrix needs updating and this will be carried out as part of the annual objective setting exercise with staff. This will be used to inform our learning and development plan. Whilst recognising the potentially difficult environment that our clients may be working in, we will be focusing on working with our clients to improve the spacing and timeliness of delivery. We are currently investigating systems and processes that will enable us to better manage our audit delivery on a week by week basis and are also planning on improving the management information that we review on a monthly basis.

Engagement Supervision (Standard 2340)

Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff are developed. Within the remit of the Standard there needs to be a greater sense of pace from the start with ongoing guidance and supervision to steer the audit towards a prompt and efficient conclusion. To do this more experienced audit skills need to be brought to bear in order to deliver increased value add and insight. In some cases, this may mean recognising when more audit time is unnecessary to bring the audit to a satisfactory conclusion under budget. We recommend a range of measures be considered to improve the overall effectiveness and productivity of the team. KPIs should be devised to encourage the right responses. In some cases, greater use of data analytics could be valuable.

Management Response & Action

Agreed. As above, we are currently investigating systems and processes that will enable us to better manage our audit delivery on a week by week basis and are also planning on improving the management information that we review on a monthly basis.

Scope for Further Development

The Chartered Institute regards conformance to the IPPF as the foundation for effective internal audit practice. However, our EQA reviews also seek feedback from key stakeholders and we benchmark each function against the diversity of professional practice seen on our EQA reviews and other interviews with chief audit executives, summarised in an Internal Audit effectiveness matrix. We then interpret our findings into scope for further development based upon the wide range of guidance published by the Chartered Institute. It is our aim to offer advice and a degree of challenge to help internal audit activities continue their journey towards best practice and excellence.

In the following pages we present this advice in three formats.

• A SWOT analysis to recognise the accomplishments of the team and to highlight potential threats and opportunities for development.

• A matrix describing the key criteria of effective internal audit, highlighting the level IAD has achieved and hence the potential for further development.

• Recommendations for further development which the IA team could use as a basis for an action plan.

The Internal Audit maturity matrix model (page 11) places the IA team mainly in the good or satisfactory categories. The areas which could be further developed are:

• Internal Audit Charter and Communication with stakeholders – some improvements to reflect PSIAS and forthcoming organisational changes

• Assurance mapping – this could be usefully further developed and used during audit planning

• Quality Assurance – mainly housekeeping improvements

SWOT ANALYSIS

What works well (Strengths)

• Highly experienced HIA with a good profile within the Scottish Government.

• Increased level of staffing (although there are still vacancies)

• An updated audit planning methodology for the 2019/20 which builds on the prior year approach with good consultation and plans linked to corporate risks and objectives

• Clear reporting style aids in delivery of key messages

• Audit strategy, Charter and manual well established

• Quality Assurance processes defined, leading to identification of areas for development

• Flexibility and responsiveness to new risks and management requests

• Good reporting to the Audit and Assurance Committee

What could be done better (Weaknesses)

• Tighter management of resource budgets

• Lack of an evidence-based view on risk management

• Ensuring cross-cutting audits deliver impact

• Implementation of a people and development strategy to grow the IAD workforce

• Considering the balance between core work and that provided to sponsored bodies

• Better linkage between Galileo and eRDM and more consistency in documentation

• KPIs which better reflect internal audit effectiveness

What could deliver further value (Opportunities)

• More active communication building on the successful quarterly bulletins and HIA blog

• Widening the background and experience of IA staff to exploit expertise and knowledge of good practice from other sectors/organisations

• More synergy with Gateway reviews, Office of the Chief Information Officer and fraud group

• More advice on risk management

• More development of assurance mapping

• Targeted use of data analytics and advice on continuous monitoring

• Greater co-ordination with other assurance providers

What could stand in your way (Threats)

• Recycling funds charged to clients back to the IAD budget

• Unforeseen demands caused by Brexit and new sponsored bodies

• Ability to recruit auditors of sufficient calibre at the available pay levels

• Loss of staff through promotion, career progression and competition

Internal Audit Team Maturity

Each assessment level is described against five criteria: IIA standards; Focus on performance, risk and adding value; Coordination and maximising assurance; Operating with efficiency; Quality Assurance and Improvement Programme.

Excellent

• IIA standards: Outstanding reflection of the IIA standards, in terms of logic, flow and spirit. Generally conforms in all areas.

• Focus on performance, risk and adding value: IA alignment to the organisation’s objectives, risks and change. IA has a high profile, is listened to and is respected for its assessment, advice and insight.

• Coordination and maximising assurance: IA is fully independent and is recognised by all as a 3rd line of defence. The work of assurance providers is coordinated with IA reviewing reliability of.

• Operating with efficiency: Assignments are project managed to time and budget using tools/techniques for delivery. IA reports are clear, concise and produced promptly.

• Quality Assurance and Improvement Programme: Ongoing efforts by IA team to enhance quality through continuous improvement. QA&IP plan is shared with and approved by AC.

Good

• IIA standards: The IIA Standards are fully integrated into the methodology – mainly generally conforms.

• Focus on performance, risk and adding value: Clear links between IA engagement objectives to risks and critical success factors with some acknowledgement of the value-added dimension.

• Coordination and maximising assurance: Coordination is planned at a high level around key risks. IA has established formal relationships with regular review of reliability.

• Operating with efficiency: Audit engagements are controlled and reviewed while in progress. Reporting is refined regularly linking opinions to key risks.

• Quality Assurance and Improvement Programme: Quality is regarded highly, includes lessons learnt, scorecard measures and customer feedback with results shared with AC.

Satisfactory

• IIA standards: Most of the IIA Standards are found in the methodology with scope to increase conformance from partially to generally conform in some areas.

• Focus on performance, risk and adding value: Methodology requires the purpose of IA engagements to be linked to objectives and risks. IA provides advice and is involved in change, but criteria and role require clarity.

• Coordination and maximising assurance: The 3 lines of defence model is regarded as important. Planning of coordination is active and IA has developed better working relationships with some review of reliability.

• Operating with efficiency: Methodology recognises the need to manage engagement efficiency and timeliness but further consistency is needed. Reports are informative and valued.

• Quality Assurance and Improvement Programme: Clear evidence of timely QA in assignments with learning points and coaching. Customer feedback is evident. Wider QA&IP may need formalising.

Needs improvement

• IIA standards: Gaps in the methodology with a combination of non-conformances and partial conformances to the CIIA Standards.

• Focus on performance, risk and adding value: Some connections to the organisation’s objectives and risks but IA engagements are mainly cyclical and prone to change at management request.

• Coordination and maximising assurance: The need to coordinate assurance is recognised but progress is slow. Some informal coordination occurs but reviewing reliability may be resisted.

• Operating with efficiency: Multiple guides that are slightly out of date and form a consistent and coherent whole. Engagements go beyond deadline and a number are deferred.

• Quality Assurance and Improvement Programme: QC not consistently embedded across the function. QA is limited / late or does not address root causes.

Poor

• IIA standards: No reference to the IIA Standards with significant levels of non-conformance.

• Focus on performance, risk and adding value: No relationship between IA engagements and the organisation’s objectives, risks and performance. Many audits are ad hoc.

• Coordination and maximising assurance: IA performs its role in an isolated way. There is a feeling of audit overload with confusion about what various auditors do.

• Operating with efficiency: Lack of a defined methodology with inconsistent results. Reports are usually late with little perceived value.

• Quality Assurance and Improvement Programme: No evidence of ownership of quality by the IA team.

Note that areas of text have been highlighted where they apply most appropriately.

Recommendations for Further Enhancement / Further Development

We offer a range of ideas and recommendations to improve the effectiveness and efficiency of internal audit. They are presented in order of importance rather than in Standards order, although we highlight specific reference to non-conformance and partial conformances.

Assurance Mapping

At the strategic level more needs to be done to get a view of the three lines of defence, the various assurance providers, what reliance can be placed on them and how they interact. As part of planning, consideration is given to the main review agencies and there are developments to understand and bring together under the HIA some of the project review agents. This is encouraging and should lead to a more co-ordinated approach to projects (but note caveat on safeguarding independence and objectivity below). Elsewhere there is more to be done to review assurance providers, decide where internal audit can take assurance from their work and adapt plans accordingly.

Response & action date

Within Scottish Government we will work closely with the Executive Team’s Head of Assurance to help map out the input received from the various assurance providers, as reported to the DG Assurance Meetings.

In undertaking our future planning we will ensure that we take all of these factors into consideration.

Improvements to the Internal Audit Charter (standard 1000)

The internal audit charter should be updated to bring it into line with the latest version of the IPPF with reference to the Mission and core principles of internal audit. It should be brought into line with 2017 PSIAS with reference to the Code of Ethics and the Seven Principles of Public Life (Nolan Principles) and a reference to the role of Chair of Audit Committee in contributing to the HIA's appraisal report.

The Charter will need to be updated to describe the safeguards which will be needed to ensure that Internal Audit can take an objective view on Gateway reviews and the work of the OCIO. We would also suggest that the Charter be made available to the department via the intranet as part of an updated internal audit homepage with other information such as current plans. This could be part of a communication strategy and stakeholder engagement strategy to make sure the business fully understands the role of internal audit.

Response & action date

We have informed the Scottish Government Audit and Assurance Committee that we will update our Charter to take account of the recommendations from this EQA and the work being taken forward to develop integrated assurance. The revised Charter will be submitted to the Committee in June 2019.

During 2019-20 we will look to enhance our intranet homepage.

Quality Assurance and Improvement Programme (standard 1321)

This is a housekeeping issue. We recommend that reference to the standards should be added to the report template to indicate that the work conforms to the PSIAS.

Response & action date

Agreed – we will add this to our reports.

Appendix 1

IIA Grading definitions

The following rating scale has been used in this report.

Overall Audit Grading

Generally Conforms (GC): The assessor has concluded that the relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. For the sections and major categories, this means that there is general conformance to a majority of the individual Standards or elements of the Code of Ethics, and at least partial conformance to the others, within the section/category. There may be significant opportunities for improvement, but these must not represent situations where the activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives. As indicated above, general conformance does not require complete/perfect conformance, the ideal situation, successful practice, etc.

Partially Conforms (PC): The assessor has concluded that the activity is making good-faith efforts to comply with the requirements of the individual Standard or element of the Code of Ethics, section, or major category, but falls short of achieving some major objectives. These will usually represent significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the activity and may result in recommendations to senior management or the board of the organisation.

Does Not Conform (DNC): The assessor has concluded that the activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve many/all of the objectives of the individual Standard or element of the Code of Ethics, section, or major category. These deficiencies will usually have a significant negative impact on the activity’s effectiveness and its potential to add value to the organisation. They may also represent significant opportunities for improvement, including actions by senior management or the board.

Often, the most difficult evaluation is the distinction between general and partial. It is a judgement call keeping in mind the definition of general conformance above. The assessor must determine if basic conformance exists. The existence of opportunities for improvement, better alternatives, or other successful practices does not reduce a “generally conforms” rating.


Appendix 2

Stakeholder Interviews and Feedback

Interviewees (Title/Position)

• Leslie Evans – Permanent Secretary

• Janet Hamblin – Audit Committee Chair, SGAAC

• Henry Graham – Audit Committee Chair, Forestry

• Joe Al-Gharabally – Audit Committee Chair, Scottish Courts and Tribunal Service

• Ed McGrachan – Audit Committee Chair, Student Awards Advisory Service

• Stuart Smith – Non-Executive Director

• Linda MacKay – Non-Executive Director

• Liz Ditchburn – DG Economy

• Sarah Davidson – DG Operations and Organisational Development

• Paul Johnston – DG Education, Justice and Communities

• Alyson Stafford – DG Scottish Exchequer

• Gordon Wales – Chief Financial Officer

• Nicola McBain – Corporate Assurance Manager, Social Security Scotland

• Richard McCallum – Deputy Director, Health Finance and Infrastructure

• Stephen Boyle – Audit Director, Audit Scotland

IA Team members

• Sharon Fairweather – Director of Internal Audit

• Jennifer Inglis-Jones – Deputy Director of Internal Audit

• Jim Montgomery – Senior Internal Audit Manager

• Les Henderson – Senior Internal Audit Manager

• Iain Burns – Senior Internal Audit Manager

• Myra Binnie – Senior Internal Audit Manager

• Sarah Self – Senior Internal Audit Manager

• Gary Richardson – Senior Internal Audit Manager

• Kate Moffat – Senior Internal Audit Manager

• Douglas Falconer – Internal Audit Manager

• Karen Wilkinson – Internal Auditor (trainee)

• Peter Graham – Internal Auditor (trainee)

Scottish Government Overview of Internal Audit 2018/19

Prepared for Scottish Government June 2019

Who we are

The Auditor General, the Accounts Commission and Audit Scotland work together to deliver public audit in Scotland:

• The Auditor General is an independent crown appointment, made on the recommendation of the , to audit the Scottish Government, NHS and other bodies and report to Parliament on their financial health and performance.

• The Accounts Commission is an independent public body appointed by Scottish ministers to hold local government to account. The Controller of Audit is an independent post established by statute, with powers to report directly to the Commission on the audit of local government.

• Audit Scotland is governed by a board, consisting of the Auditor General, the chair of the Accounts Commission, a non-executive board chair, and two non-executive members appointed by the Scottish Commission for Public Audit, a commission of the Scottish Parliament.

About us

Our vision is to be a world-class audit organisation that improves the use of public money.

Through our work for the Auditor General and the Accounts Commission, we provide independent assurance to the people of Scotland that public money is spent properly and provides value. We aim to achieve this by:

• carrying out relevant and timely audits of the way the public sector manages and spends money

• reporting our findings and conclusions in public

• identifying risks, making clear and relevant recommendations.


Contents

Audit findings
  Introduction
  Key messages

Review of Internal Audit Division
  Audit approach and planning
  Governance and reporting
  Staffing and resources
  Quality assurance
  Planned use of internal audit work

Detailed review of IA work
  Audit planning
  Audit documentation
  Clearing audit findings and reporting
  Management review

Appendix 1: Action plan

Appendix 2: Public bodies using IAD services in 2018/19

Appendix 3: Sample of IAD reports

Audit findings

Introduction

1. The Scottish Government is a large and complex organisation responsible for administering a budget of approximately £37 billion in 2018/19. The governance structures within the Scottish Government draw on a number of sources of assurance, including the work of the Internal Audit Division (IAD) within the Directorate of Internal Audit and Assurance (DIAA). This provides assurances that the framework of internal control operates satisfactorily and that proper arrangements are in place for the prevention and detection of fraud and corruption.

2. During 2018/19, IAD provided services to the Principal Accountable Officer (PAO) and the six Director-Generals within the Scottish Government as well as the Accountable Officer (AO) for 22 other public bodies (see Appendix 2 for details). IAD’s structure is based around portfolios of audit work broadly reflecting the wider structure of the Scottish Government. An efficient and effective internal audit function is a key element of good governance. Each year, as part of our appointment as external auditors, we undertake a review of the Scottish Government’s internal audit arrangements in accordance with International Standard on Auditing (ISA) 610 Using the work of internal audit. We also share the results of our review with the external auditors of the other public bodies that use the services of IAD.

3. Public Sector Internal Audit Standards (PSIAS) emphasise the importance of External Quality Assurance (EQA) which involves an independent review of the quality of IAD work at least once every five years. The scope of our work assesses aspects of PSIAS compliance, but it does not equate to a full EQA review of internal audit. ISA 610 requires an assessment on whether the work of the internal audit function can be used for the purposes of external audit. This includes:

• the extent to which the internal audit function’s organisational status and relevant policies and procedures support the objectivity of the internal auditors

• the level of competence of the internal audit function

• whether the internal audit function applies a systematic and disciplined approach, including quality control.

4. A key purpose of our review is to determine the extent to which we can place reliance on internal audit work for the purpose of our external audit of the Scottish Government. Audit Scotland’s Code of Audit Practice sets out the wider dimension of public sector audit. The Code highlights the importance that auditors coordinate their work with internal audit to secure value for money and avoid unnecessary duplication.

5. The Scottish Government’s Internal Audit Directorate is required to comply with PSIAS. The purpose of the PSIAS includes setting basic principles for carrying out internal audit and establishing a framework for providing internal audit services, which provide assurance and add value to the organisation, leading to improved organisational processes and operations. Last year, our work found that IAD met some of the PSIAS but also did not comply with significant aspects of the standards.

6. This report summarises our audit findings for 2018/19 and is set out in two parts. The first part of the report covers our review of IAD covering audit approach and planning, governance and reporting, staffing and resources, quality assurance and details our planned use of internal audit work. The second part reports our findings from our detailed review of internal audit work.

7. Our review was conducted during December 2018 to May 2019. Our findings and related risks are summarised in the action plan at Appendix 1. The assistance provided by internal audit staff during the course of our review is gratefully acknowledged.

Key messages

8. Our work to meet the requirements of ISA 610 found clear improvements in the standard of internal audit work undertaken compared with 2017/18. We did not find any areas of significant non-compliance with the PSIAS. We did identify some areas for improvement and these are set out in this report.

9. We set out in our Annual Audit Plan that we would identify Internal Audit reports to consider as part of our audit after we completed our review of internal audit. These reports are detailed at paragraphs 31-32.

10. Our review found that:

• During 2018/19, IAD has demonstrated clear improvement in its work to better reflect the requirements of PSIAS. We found improvements in the standard of audit work reviewed but did identify some areas for improvement, primarily around ensuring that all reviews are documented consistently in line with the requirements of the internal audit manual.

• IAD continues to experience challenges in recruiting the necessary staff and skills required to deliver its audit plans. The 2018/19 Scottish Government internal audit plan was not complete by the year end. In their progress reports to the Scottish Government Audit and Assurance Committee (SGAAC) IAD reported that there was very little capacity to perform unplanned work such as responding to fraud or whistleblowing allegations. Recruitment campaigns during 2018/19 did not result in all vacancies being filled, whilst a number of senior internal audit managers have left the directorate. Looking ahead, IAD is procuring a co-sourcing arrangement with an external supplier. This is a positive step which should help it increase capacity and access specialist skills necessary to support the increasing complexity of the Scottish Government’s operations.

• From 1 April 2019, DIAA was formed which encompasses Internal Audit, the Digital Assurance Office (formerly Office of the Chief Information Officer) and the Project and Programme Management Centre of Expertise (PPM-CoE). The new Directorate is headed by the Director of Internal Audit and Assurance. It is critical that the internal audit function has the necessary levels of independence from management to ensure that it can support the organisation’s assurance requirements while safeguarding its independent audit judgements and conclusions.

• PSIAS emphasise the importance of External Quality Assurance (EQA) and require an independent review of the quality of internal audit work at least once every five years. An EQA was recently completed by the Institute of Internal Auditors (IIA). Overall the review concludes that IAD 'generally conforms' with the PSIAS. This is a positive outcome.

11. Based on our audit findings we have identified a number of recommendations. These are detailed at Appendix 1.


Review of Internal Audit Division

12. This section sets out our review of IAD covering its audit approach and planning, governance and reporting, staffing and resources, quality assurance and details our planned use of internal audit work.

Audit approach and planning

13. IAD takes a risk-based audit approach to planning. This includes consideration of key organisational risks identified in risk registers, through consultation with senior staff and non-executive directors and informed by its own understanding of key risk areas. The IAD annual audit plan consists of thematic cross-cutting reviews, portfolio specific reviews and other work to provide assurance on the Scottish Government’s core corporate systems. The Director of Internal Audit and Assurance and her senior team liaise with Directors-General, Directors and other key stakeholders to ensure that IAD is aware of new systems, programmes, projects and procedures for consideration for future work.

14. The 2018/19 Internal Audit Plan for the Scottish Government was approved by SGAAC on 26 March 2018 and detailed 17 planned reviews. The plan was subsequently revised with one review cancelled and two deferred to 2019/20 largely to allow further work to be undertaken on the Scottish Government’s key financial systems. The changes to the plan were communicated to SGAAC through the progress report IAD provide to each SGAAC meeting.

15. IAD’s Quarter 3 Progress Report to SGAAC on 26 March 2019, indicated that as at 28 February 2019, from 14 assignments:

• Seven (50%) were completed (five final reports issued and two advisory pieces of work where no formal report is issued)

• One (7%) was at draft report stage

• Six (43%) were at fieldwork stage.

16. It was anticipated that at year end four (29%) reviews would be incomplete including three at draft report stage and one at fieldwork stage.

17. IAD’s audit plan is designed to remain flexible so that it can take account of emerging risks and changing priorities. As mentioned above, during the year the plan was revised to allow further time to be dedicated to key financial systems following concerns that budgetary and resourcing pressures have impacted on the ability to recruit staff and update/maintain systems in corporate areas such as Finance, IT, People Directorate and Procurement. We welcome this focus on key financial systems and the concerns raised reflect our own as detailed in our annual audit plan and management report.

18. It is important to report progress against the plan, including any changes to the original plan. We reported in our 2017/18 Overview of Internal Audit report that improvements could be made to make clear the links between the audit plan and what is delivered. Reporting to SGAAC has improved with details of progress on an individual audit level and changes to the plan are made clear.

Governance and reporting

19. The Director of Internal Audit and Assurance has the right of access to the PAO (the Permanent Secretary), other Accountable Officers, the chair of SGAAC and other relevant audit committees to which IAD provides a service. The Director of Internal Audit reports to the Director-General Scottish Exchequer for line management purposes.

20. The PSIAS are mandatory for all central government departments, agencies and executive Non-Departmental Public Bodies. These standards define the role of Internal Audit, its Code of Ethics and Standards. The Scottish Government is one of six Relevant Internal Audit Standard Setters including HM Treasury and the Chartered Institute of Public Finance and Accountancy.

21. The PSIAS require a number of pieces of information to be reported to senior management and the board, including the audit charter, the audit plan, resource requirements and conformance with the code of ethics. The majority of information above is reported to SGAAC rather than the Scottish Government’s Corporate Board. Following our recommendation last year, IAD now include reporting on conformance with the code of ethics to SGAAC. This was reported as part of their 2017/18 Annual Report presented to SGAAC in July 2018.

22. IAD provide regular updates to SGAAC and the Director-General (DG) assurance meetings. In 2016/17 we reported that there was no documented framework in place between IAD and the Scottish Government to determine the nature and level of reporting to these DG assurance groups. In July 2018, IAD set out the proposed arrangements including details of where final reports would be considered within the Scottish Government’s governance structure. Cross-cutting reviews are reported to SGAAC with other reports considered by the relevant DG assurance meeting. We have observed this arrangement operating in practice and consider it a reasonable approach.

23. From 1 April 2019, DIAA was formed which encompasses Internal Audit, the Digital Assurance Office (formerly Office of the Chief Information Officer) and the Project and Programme Management Centre of Expertise (PPM-CoE). This Directorate is headed by the Director of Internal Audit and Assurance. The PSIAS require that in these circumstances, safeguards are put in place to ensure the independence of internal audit is not impaired. In addition, the PSIAS also require the board to approve any safeguards put in place. The IAD update to the March 2019 meeting of SGAAC included details of some safeguards and advised that further details will be included in the 2018/19 IAD annual report. It is important that details of the new arrangements are finalised and communicated as soon as possible to enable internal audit to demonstrate how its independence will be maintained. We will monitor the developments and consider them as part of our Overview of Internal Audit in 2019/20.

Refer Action Plan No. 1


Staffing and resources

24. The Scottish Parliament’s financial powers are changing substantially, with new responsibilities for taxes, social security and borrowing through the 2012 and 2016 Scotland Acts. The scale of change needed to implement and manage the new powers is significant. Further devolved financial powers create new demands for internal audit skills particularly in new and complex areas such as tax and social security, including the audit of Social Security Scotland, established in September 2018. At the same time as further devolved financial powers are placing new demands on IAD, UK withdrawal from the European Union adds extra uncertainty.

25. IAD produced a resourcing strategy and resourcing plan in February 2018. The strategy was developed as it recognised that a more structured approach needed to be taken to resourcing to ensure that IAD had both the right capacity and the relevant skills to meet the organisation’s needs.

26. IAD has experienced significant challenges in recruiting qualified or part qualified staff in the short to medium term. In its progress reports to SGAAC throughout 2018/19, IAD advised that resourcing pressures continued to be significant and although a number of recruitment exercises were undertaken, these did not result in all vacancies being filled. In addition, a number of senior internal audit managers have left the directorate. The vacancy rate for qualified staff, at May 2019, was around 15%. As a result, IAD continues to rely on the contractor market to deliver its audit plans.

27. IAD has taken both short term and long-term steps to address the resourcing challenge. A longer-term initiative of converting some of its vacancies to trainees or technicians is designed to grow its capacity and capability internally. In the short term, IAD obtained agreement from the Scottish Government’s Executive Team to procure a co-sourcing arrangement with an external supplier of internal audit services to support the delivery of its audit plans and give it access to a wider range of skillsets. Timescales are challenging with procurement due to be completed by the end of June 2019 with the aim of having a supplier in place by September 2019.

28. The 2017/18 audit plan was not complete until the second quarter of 2018/19. Similarly, the latest reported progress to SGAAC indicated that 29 per cent of the 2018/19 audit plan would not be complete at year end. An incomplete audit plan by year end raises the risk that timely assurances cannot be provided to the Permanent Secretary and other accountable officers about the adequacy of internal controls and arrangements to prevent fraud and corruption. These assurances are necessary to inform directors’ and accountable officers’ annual assurance statements and the Scottish Government’s governance statement.

Refer Action Plan No. 2

Quality assurance

29. During 2018/19 IAD undertook a ‘Back to Basics’ project which involved bringing in a Senior Internal Audit Manager from a professional services firm for six months to review its quality arrangements. The project involved reviewing IAD’s guidance and practices on working papers, documentation, quality assurance and peer review processes with the aim of ensuring best practice in these areas is embedded across IAD in line with PSIAS. This project resulted in the Internal Audit Manual being significantly re-written in August 2018.


30. Public Sector Internal Audit Standards emphasise the importance of External Quality Assurance (EQA) which involves an independent review of the quality of IAD work at least once every five years, along with an internal review carried out at least once in the interim period. An EQA was recently completed by the Institute of Internal Auditors (IIA) and the results of this will be formally reported to the June 2019 meeting of SGAAC. Overall the review concludes that IAD 'generally conforms' with the PSIAS. This is a positive outcome, reflecting the commitment made to the ‘Back to Basics’ project over the past twelve months.

Planned use of internal audit work

31. As set out in our 2018/19 Annual Audit Plan, we seek to use the work of internal audit wherever possible. Our review in accordance with ISA 610 has given us assurance that, in general, the work of IAD is of a sufficient standard to consider using it to support our own audit work and conclusions.

32. We have reviewed the 2018/19 Internal Audit Plan for the Scottish Government and will consider placing formal reliance on their review of European Structural and Investment Funds as part of our financial statements audit. We will also consider the following reviews as part of our audit:

• Crosscutting - Cyber security

• Crosscutting - Data loss protection

• Crosscutting - Financial guarantees, other contingent liabilities and financial interventions in private companies

• Crosscutting - Contract management

• DG Constitution and External Affairs - EU exit arrangements

• DG Health and Social care - Review of SG Health Finance response to issues raised in NHS Tayside reports

• DG Organisational Development and Operations - SEAS capability and capacity

• DG Organisational Development and Operations - Finance practices


Detailed review of IA work

33. As part of our review of Internal Audit in 2017/18 we identified a number of areas of non-compliance with Public Sector Internal Audit Standards and the Scottish Government’s Internal Audit Manual across four areas:

• audit planning

• audit documentation

• clearing audit findings and reports

• management review.

34. We undertook a detailed examination of the work underpinning a sample of IAD reports with the aim of identifying whether the ‘Back to Basics’ project and other work had improved the standard of work and compliance with PSIAS. This work was undertaken in April and May 2019. We selected a sample of 10 completed reports covering both Scottish Government core and public bodies. All reports were from 2018/19. Our audit sample is detailed at Appendix 3.

35. Overall, we found clear improvements and did not identify any significant areas of non-compliance with PSIAS. We identified areas of good practice as well as areas for improvement. These are detailed below. Implementing these actions will improve the consistency and clarity of the work performed and further strengthen compliance with PSIAS.

Refer Action Plan No. 3

Audit planning

Good practice

• In a number of reviews that were completed later in the year, we noted that initial risk assessment documents were completed as required by the revised audit manual. This helps to clarify how the key risks were identified and is a welcome development.

• Terms of Reference (ToR) documents were available for all audits reviewed and were generally of a good standard, although some did not have all the detail as required by the Internal Audit Manual.

• Planning meetings were held for a number of audits and these were well documented.


Areas for improvement

• The revised audit manual requires details of the budget for the audit to be included in the ToR. For half of the audits we reviewed, this was not included.

• The audit manual requires that details of resourcing are included in Galileo (the audit software used by IAD). For 3 of the 10 audits we reviewed this was not included.

Audit documentation

Good practice

• The risk matrix in Galileo was used for all audits. This means the risks, controls and testing carried out were clearly set out for each audit.

• Supporting evidence for each review is held in a separate folder on ERDM. The supporting documents were clearly referenced in Galileo and the ERDM files were well set out which meant it was relatively easy to follow the work performed.

• We identified a number of examples of sample testing which was clearly documented and set out in Galileo. We noted the use of standard questionnaires which ensured consistent evidence was obtained.

Areas for improvement

• For one review, the testing performed to verify the accuracy of a payment confirmed the amount paid to a supporting spreadsheet but did not look at the underlying detail. This was not sufficient to support the conclusion that payments made were accurate.

• For one review, there were no references to supporting documentation in ERDM. This made it challenging to identify the supporting evidence and made re-performing the audit work difficult. It is a requirement of PSIAS that the work performed should be documented in a way to allow re-performance.

• Galileo has a function that allows linking to documents in ERDM, but this was not used in all reviews. Consistent use of this would make finding supporting documentation easier.

• The risk matrix in Galileo contains a description of each control tested. For half of the reviews, descriptions were either unclear or did not contain all the information required by the audit manual.

• For one review, the time taken was approximately double the budgeted days. The Senior Audit Manager overseeing the work acknowledged there were lessons learned about monitoring the budget as a review progresses. As there is significant pressure on IAD resources, ensuring budgets are closely monitored is important.

• For two reviews, whilst the sample size taken appeared reasonable, there was insufficient detail included on the audit file as to why the particular sample had been selected. Lack of detail on sample selection makes it harder to understand the judgements applied.

Clearing audit findings and reporting

Good practice

• For all reports, the findings in Galileo agreed to the final report.

• A number of reviews had a summary issues document on file. This made understanding the key findings and how they were reported clearer.

Areas for improvement

• For two reviews, although clearance meetings with the client were held, these were not documented on file. For one review, minutes of the meetings held were subsequently provided.

Management review

Good practice

• For all reviews there was evidence of management review of all stages of the audit on file. An audit checkpoints checklist was introduced during the year and this was used in a number of audits.

Areas for improvement

• For five reviews, although there was evidence of management review of the work performed, this was not documented on Galileo as required by the audit manual. We are aware of an issue with the system where review points were removed when the system was rolled over into 2018/19. This issue has now been resolved and a restored version of the system created. However, for four of the five reviews we were still unable to see review points on Galileo.


Appendix 1: Action plan

Action 1: Independence of Internal Audit

Issue: From 1 April 2019, a new Directorate of Internal Audit and Assurance was formed which encompasses Internal Audit, the Digital Assurance Office (formerly Office of the Chief Information Officer) and the Project and Programme Management Centre of Expertise (PPM-CoE). This Directorate is headed by the Director of Internal Audit and Assurance. The PSIAS require that in these circumstances, safeguards are put in place to ensure the independence of internal audit is not impaired. It is critical that the IAD ensures that its independence, and perception of independence, is not compromised in this new arrangement. It is important that details of the new arrangements are finalised and communicated as soon as possible to enable internal audit to demonstrate how its independence will be maintained.

Response and agreed action point: Details of the new arrangements were discussed with SGAAC in March. They will be documented for SGAAC at their June meeting. In addition, the proposals have been tested with the Internal Audit Standards Advisory Board who are content that they do not compromise Internal Audit’s independence.

Action 2: Resourcing pressures

Issue: IAD continues to experience challenges in recruiting the necessary staff and skills required to deliver its audit plans. The 2018/19 audit plan was not complete by the year end and IAD reported that there was very little capacity to perform unplanned work such as responding to fraud or whistleblowing allegations. An incomplete audit plan at the year end raises the risk that timely assurances cannot be provided to the Permanent Secretary and other accountable officers about the adequacy of internal controls and arrangements to prevent fraud and corruption. IAD is currently procuring a co-sourcing arrangement with an external supplier to help increase capacity and access specialist skills. Timescales are challenging as IAD aim to have a supplier in place by September 2019. IAD should ensure it has a suitably flexible resourcing plan that will enable it to deliver its 2019/20 audit plan. This should include internal and external resourcing arrangements as well as any contingency plans.

Response and agreed action point: The procurement for the co-sourcing partner is currently underway and a partner will be in place by September. IAD continuously assess progress against plan and available resources.

Action 3: Areas for improvement

Issue: Our detailed review of internal audit work underpinning a sample of reports identified clear improvements from 2017/18. We did identify a number of areas for improvement and these are detailed in Part 2 of this report. These were primarily around consistency of documentation, especially around the use of Galileo. Addressing these issues will improve the clarity, consistency and quality of the work performed.

Response and agreed action point: Noted. The new manual was introduced during 2018/19 and is now well embedded. A project has also been undertaken to provide detailed guidance to the team on the use of Galileo to improve consistency.


Appendix 2: Public bodies using IAD services in 2018/19

Accountant in Bankruptcy

Community Justice Scotland

Crown Office and Procurator Fiscal Service

Disclosure Scotland

Education Scotland

Forestry Commission for Scotland

Food Standards Scotland

National Records of Scotland

Office of the Scottish Charity Regulator

Registers of Scotland

Revenue Scotland

Risk Management Authority

Student Awards Agency Scotland

Scottish Courts and Tribunals Service

Scottish Criminal Cases Review Commission

Scottish Fiscal Commission

Scottish Fire and Rescue Service

Scottish Land Commission

Scottish Public Pensions Agency

Scottish Road Works Commissioner

Social Security Scotland

Transport Scotland


Appendix 3: Sample of IAD reports

Reports sampled as part of our detailed review

Scottish Government Core

Financial Guarantees, Other Contingent Liabilities and Financial Interventions in Private Companies

Contract and Supplier Management of Low Value Contracts

Scottish Government Health Finance Response to Issues Raised in NHS Tayside Reports

Marine Scotland Governance Review

Justice - Vision and Priorities: Digitally Enabled Transformation

Other public bodies

Transport Scotland – Management of Caledonian Sleeper Franchise

Transport Scotland – Financial Reporting Arrangements

Crown Office and Procurator Fiscal Service – Risk Management Arrangements

Scottish Public Pensions Agency – Data Quality and Records Management

Social Security Scotland – Recruitment



If you require this publication in an alternative format and/or language, please contact us to discuss your needs: 0131 625 1500 or [email protected]


Audit Scotland, 4th Floor, 102 West Port, Edinburgh EH3 9DN T: 0131 625 1500 E: [email protected] www.audit-scotland.gov.uk

AS.1.3