1

Guidance on the Implications Following Rationalisation of Audit Arrangements for Sixth Form Colleges September 2012

2

Contents

Introduction 3

Applicability 3

Core Issues 4

Corporate Governance 4

Assurance and Audit 7

Retention of Best Practice Guidance 10

Contacts 10

Appendices

A - Summary Responses to Consultation 11

B - ‘Essential features of the Governance Statement’ 13

C - Indicative Board Assurance Map 14

D – Professional Standards applicable to the provision of Internal Audit services 15

3

Introduction

1. In May 2012 the Education Funding Agency (EFA) invited governors, principals and senior managers of Sixth Form Colleges (SFCs), and other interested parties, to consider proposals to remove both the requirement on SFCs to have an Internal Audit Service, and the annual submission of the Financial Management and Control Evaluation (FMCE) return.

2. Following this consultation, at the Sixth Form Colleges Forum (SFCF) conference on 22 June 2012, Lord Hill of Oareford confirmed that the requirement for SFCs to have internal audit and to submit an annual internal audit report to the EFA was removed from 1 August 2012.

3. Other aspects of the consultation were confirmed as follows:

• the EFA’s requirement for SFCs to submit an annual Financial Management and Control Evaluation (FMCE) return was removed with immediate effect;

• the EFA’s prohibition on one firm providing external audit, internal audit and other assurance services was removed, also with effect from 1 August 2012;

• Development of, and consultation on, the Joint Audit Code of Practice (JACOP) Part II would take place during 2012/13;

• No changes were proposed in respect of the other two core aspects of the audit arrangements currently applicable to SFCs, being Financial Statements audit and Regularity audit1.

4. Although respondents to the consultation broadly welcomed and endorsed the EFA’s proposals, they also raised a number of concerns about the practical implications of the changes. These were summarised in Appendix A to the formal consultation response published by the EFA in conjunction with the SFCF. A copy of the consultation response summary is included here, also at Appendix A, and the full report can be accessed at (http://www.sfcforum.org.uk/images/stories/EFA_Internal_Audit_Consultation_Response_FINAL.pdf).

5. This report is aimed at providing further guidance on the issues raised during the consultation and some practical guidance for SFCs and their Audit Committees and Boards to consider when determining how to take forward these new freedoms. It has been prepared jointly by the EFA financial assurance team and officers of the SFCF who, in turn, consulted practitioners from Colleges who serve on the SFCF Finance Director's network group. It is offered as guidance only and has no guarantees that it is free from error, omission or represents a prescriptive view. Principals as accounting officers together with SFC Corporations retain the ultimate responsibility for ensuring an adequate financial control environment in their institutions and must take decisions about removing all or some of the internal audit function in that context.

Applicability 6. The regulatory changes arising from the earlier consultation are aimed solely at SFCs for

whom the EFA take lead responsibility for assurance matters. They do not apply to non-SFC Colleges, Academies, Schools or other learning providers that the EFA funds. Similarly, this guidance is aimed only at those same SFCs. It does though take heed of good practice within the broader Public sector and refers to other external regulations as appropriate.

1 To avoid confusion, we have kept references to these two forms of audit separate throughout the remainder of this guidance. To

refer to the more generic ‘external’ audit might cause readers to interpret this as including both financial statements and regularity

audits, which although currently delivered as a combined audit, are actually governed by differing regulations and accountabilities.

4

Core Issues 7. The concerns raised by respondents to the consultation (Appendix A) fell into three areas:

a. Corporate Governance – what are SFCs’ Boards still required to sign up to in the corporate governance statement in the annual financial statements, and how should they seek to ensure they can fulfil these requirements;

b. Assurance and audit – how to manage the relationship with a SFC’s financial statements auditors, and in particular any potential conflicts of interest where internal audit work is to be provided by these auditors;

c. Retention of best practice - how to retain the benefits to SFCs of having ‘best practice’ guidance available, such as the FMCE questionnaire, when completion of this questionnaire is no longer a requirement and it will not be maintained by the EFA.

8. The following sections address each of these areas in turn. The EFA and SFCF would welcome feedback on these areas to inform further debate and respective contact details are provided at Para 54. The SFCF have also offered to establish a FAQs database in relation to this guidance as they start to receive feedback. This will be accessible through their website for the benefit of all SFCs.

Corporate Governance 9. Key areas of concern raised by respondents to the consultation were as follows:

a. How, if at all, have the changes affected the Board’s responsibility for assurance, and how might those responsibilities be fulfilled;

b. What are the implications for the role and responsibilities of the audit committee.

Board Responsibility

10. The Education Act 2011 granted new freedoms and flexibilities to colleges, including the ability to determine their own Instrument and Articles of Government. However, within the legislation, SFC Corporations retain a non-delegable, statutory, responsibility for:

a. “…oversight of its [the SFC’s] activities”; and

b. “…the effective and efficient use of resources, the solvency of the institution and the body and the safeguarding of their assets”.

11. These responsibilities are not new and all SFCs are well aware of what is expected of them in fulfilling these responsibilities at both strategic and operational levels and so we will not explore that further here.

12. At a practical level, we believe there are only two areas that Boards need to consider as a direct consequence of the consultation, and which we believe should be considered under the advisement of the SFC’s audit committee. These are picked up in detail below, but may be summarised as:

a. Changes in the ‘Statement of Corporate Governance and Internal Control’ in the annual accounts for 2012/13; and

b. Development of a Board Assurance Framework.

Audit Committee

13. Allied to the above, respondents to the consultation were questioning how, if at all, the role of the audit committee needed to change.

14. SFCs will be aware that under the 2012/13 Funding Agreement with the EFA they are still required to retain an Audit Committee. Notwithstanding the freedoms inherent in the

5

Education Act 2011, we believe the retention of an audit committee does represent best practice and is in the interests of good governance for the sector.

15. Although this guidance is written on the assumption that all SFCs are well versed in the role, responsibilities and practical administration of an audit committee, it is worth reiterating that the core role of an audit committee in a college, as set out in the last Audit Code of Practice, is ‘to advise the governing body on the adequacy and effectiveness of the FE college’s systems of internal control and its arrangements for risk management, control and governance processes...’ This description is not unique to further education, but is consistent with good practice guides issued by regulators, sector advocacy bodies and professional services firms across all of the public, private and third sectors.

16. This core role of advising the Board we do not see being diminished. If anything this role has greater significance now in that the Board will be looking to the audit committee to advise them on what the SFC should do, as opposed to what it has to do, which is a significant shift in emphasis and responsibility from the EFA to SFCs, and particularly to audit committees.

17. We have referred above to developments in the Statement of Corporate Governance and Internal Control and the development of a Board Assurance Framework. The determination of an assurance framework will, we believe, enable SFCs to make an informed judgement over whether or not to have an internal audit service, and if so, what scope and coverage is required from that service and from where those services might best be provided. This is described in more detail in the section on Board Assurance Frameworks. In terms of the audit committee, we recommend that its current role is extended to include advising the Board on what assurance framework to have in place, and from whence the assurances over the effective operation of the systems of control will come.

18. Just as the further education sector and SFCs have developed over time, so will the assurance needs of a SFC change over time. It is recommended therefore that a review of the assurance framework – design and effectiveness - is part of the annual cycle of business of the audit committee, ideally in the Spring term to inform planning for the following academic / financial year.

19. Besides this extended advisory role to the Board, we do not envisage any other changes to the role and responsibilities of an audit committee.

Statement of Corporate Governance and Internal Control

20. In the Statement of Corporate Governance and Internal Control in the 2011/12 financial statements, Boards will be making positive statements about the SFCs risk management, governance and control arrangements. However, whilst the statement has remained fairly consistent for the last few years, it is probable that it will be revised for the 2012/13 accounts as its format and content no longer reflects practice across the broader public sector.

21. For Central Government Departments and associated Non-Departmental Public Bodies, for the fiscal year 2012 there was no set template for this statement, but there is guidance on its ‘essential features’. These ‘essential features’ have been included at Appendix B for information, and the relevant annex to HM Treasury’s Managing Public Money from which these are drawn is available at http://www.hm-treasury.gov.uk/d/mpm_annex3.1.pdf

22. It is anticipated that the corporate governance statement for SFCs and general further education colleges for 2012/13 will follow the Central Government route. Work on this will be being picked up by the audit firms’ working party, co-chaired by the EFA and SFA. It may yet be that the EFA and SFA determine that, as with Central Government departments and associated bodies, colleges are given the freedom to write their own corporate governance statements rather than working to a pro-forma model.

23. This uncertainty is leading to a concern that without knowing what Boards are being asked to sign up to in the corporate governance statement for 2012/13, management (and Boards /

6

audit committees) cannot be confident that they have the appropriate reporting / monitoring / assurance mechanisms in place to underpin these future assertions.

24. Whilst the concerns are understandable the broad principles that can be inferred from Appendix B should already be very familiar to SFCs and are not radically different to the contents of the current statement. The key issue we believe will be the nature of the language used in this statement, and this is explored further in paras 41 to 44 below.

25. In the immediate term therefore we believe that if SFCs have a clearly defined ‘Board Assurance Framework’ in place, then this should be sufficient to underpin whatever actual assertions are required to be made in the Statement of Corporate Governance and Internal Control for 2012/13.

Board Assurance Framework

26. A Board Assurance Framework for SFCs might be defined as

“A structure within which the SFC identifies the principal risks to the College of not delivering on its vision and values and not achieving its strategic goals; establishes the systems and controls necessary to manage and mitigate those risks; and receives adequate assurances about the effectiveness of those systems and controls.”

27. In implementing such a framework there is a need for the Board to debate and ascertain the assurances it requires, and to map the connections between the SFC’s objectives, risks and the range and effectiveness of existing assurance mechanisms. In doing so it will be important to establish the principle of ‘reasonable’ rather than ‘absolute’ assurance as it is important to recognise that assurances, no matter what the source, can never provide absolute certainty. In determining therefore what is reasonable assurance it is necessary to balance both the likelihood of any given risk materialising and the severity of the consequences should it do so, against the cost of eliminating, reducing or minimising that risk. The control framework therefore needs to be proportionate to the individual SFC.

28. The core elements of this framework, outlined below, will be familiar to SFCs, except perhaps those relating to the explicit determination of what assurances are actually required:

• Establishing the SFCs principal objectives (strategic and operational);

• Identifying the principal risks that may threaten the achievement of those objectives (the ‘Gross’ or ‘Inherent’ risk);

• Identifying and assessing the existing controls in place to mitigate those risks (leaving the ‘net’ or ‘residual’ risk);

• Determining the SFCs appetite for any given risk or class of risks;

• Identifying additional control / actions necessary to mitigate those risks to the acceptable level;

• Determining the Board’s explicit requirements for receiving assurances on the effectiveness of controls across all areas of principal risk;

• Identifying the source of existing assurances; assessing their quality ; determining where there are gaps between what is required and what is currently in place; and taking corrective action to address those gaps.

Th

e e

xis

ting

ris

k

ma

na

ge

me

nt fr

am

ew

ork

7

The overall process is diagrammatically presented as follows:

29. This could be applied through the implementation of the “three lines of defence” approach:

30. To facilitate the stages concerning what assurances are required, and where from, the use of

an assurance map is common practice in other sectors. Such a map is a colour coded representation of the quality and level of assurance coverage against the key risks in an organisation. Its aim is to ensure that there is a comprehensive risk and assurance process aligned to an organisations risk and risk appetite with no gaps or duplication of effort. It takes account of the ‘three lines of defence’ referred to above.

31. An indicative assurance map is included at Appendix C by way of illustration.

Assurance and Audit 32. Key areas of concern raised by respondents to the consultation in respect of future

assurance and audit arrangements were as follows:

a. How to manage perceived conflicts of interest where internal audit work is to be provided by an SFC’s financial statements auditors (or vice versa), and the role of the audit committee in this;

b. What is likely to be the impact on financial statements audit procedures and costs where a SFC has no, or only a limited, internal audit service in place;

c. That the market for internal audit will decline to the extent that some firms decide to pull out thereby reducing choice and/or sector expertise.

8

Managing Conflicts

33. There is no legal restriction on qualified financial statements auditors also providing internal audit services. Similarly, there is no legal restriction on internal audit service providers also undertaking the financial statements audit where they are qualified to do so. In both situations appropriate safeguards need to be put in place and maintained, and there would have to be open and transparent communication between auditors, management and ‘those charged with governance.’

34. The detailed guidelines and regulations that underpin this are quite lengthy and inter-twined. We have therefore set out at Appendix D an overview of the relevant ethical and professional standards that apply2.

35. The two common ‘safeguards’ used by firms when facing possible conflicts of interest in performing assignments for one or more clients are:

a. Separate teams providing the respective services, and under separate letters of engagement;

b. A senior independent peer reviewer ensures the work undertaken by both teams is of an appropriate standard and the conclusions and opinion are supported by the evidence available.

36. Where a SFC is considering using one audit firm to provide both financial statements and internal audit services, the key to making this work successfully is open communication about how conflicts of interest (real and/or perceived) would be dealt with. In particular, we recommend that the audit committee discuss with the auditors how they propose to meet the requirements of Ethical Standard 5 (refer Appendix D) and, more specifically:

• Make it a contractual condition that appropriate safeguards will be put in place; and

• Require a written report, either annually (for ongoing services), or at the completion of any ad hoc assignments provided, confirming that these safeguards were maintained throughout the contract and/or outlining any concerns raised through the peer review process (where applicable) and how these have been addressed.

37. It was also clear from some respondents to the consultation that no matter what safeguards are put in place, there will always be a view held by some individuals / SFCs that the provision of financial statements and internal audit services ‘do not mix’. In these circumstances SFCs hold the ultimate sanction themselves – do not ask your auditors to provide both audit services.

Impact on Financial Statements Audit

38. Within the further education sector there has always been an expectation that internal and financial statements auditors cooperate to avoid duplication of work. In practice, the regulated nature of the work required to be carried out by internal auditors (based on the old Audit Code of Practice), as well as the methodologies adopted by financial statements auditors, has meant that the majority of financial statements auditors ‘take account of’ rather than ‘place reliance on’ the work of internal auditors. This differentiation is important for the reasons set out in Appendix D.

39. In terms of the financial statements audit work required on the core financial statements (‘the numbers’), it is not expected therefore that the presence or absence of an internal audit service will have any impact on the financial statements audit work carried out.

2 Although technical in places, we believe that this is relevant to a SFCs understanding of the issues, the historical

context within which they have applied to the FE sector and will inform a SFCs debate on this core area of concern.

9

40. The current Regularity Audit approach has been in place for 7 years and is carried out by colleges’ appointed financial statements auditors under a framework issued by the then Learning and Skills Council. The EFA and SFA have agreed that the approach needs to change to reflect current expectations, and that this should apply to the 2012/13 financial statements. As work on the revised approach has yet to commence, it is impossible to say at this stage what impact the presence or absence of an internal audit service would have on the regularity audit work required under a new framework.

41. Where financial statements auditors have taken comfort from the work of internal auditors is in relation to the overall internal audit opinion covering governance, risk management and internal control. This triple opinion provides independent third party support for the contents of the Statement of Corporate Governance and Internal Control within the annual accounts.

42. The financial statements auditor’s responsibility in respect of the non-financial information included within the Statement of Corporate Governance and Internal Control is “to identify material inconsistencies with the audited financial statements” and if there are any inconsistencies, consider what impact these may have on the overall audit opinion.

43. We have discussed above some of the uncertainties surrounding what this statement will look like for 2012/13 and beyond. Specifically in respect of the impact of this on the work of the financial statements auditors however, there are probably two key points to consider:

a. If all SFCs go down the route of devising their own corporate governance statements for 2012/13 (taking account of the broad guidance available), then the financial statements auditors will have to assess each of these statements on a case by case basis. In doing so, they will need to determine what ‘positive statements’ are being made about such as risk management and the Board’s own performance, what the basis is for making such statement(s), and hence what audit work is required to confirm or otherwise that these statements are materially consistent with the accounts.

b. Allied to the above, the more positive the assertions that are made, the greater the impact on the financial statements audit work required might be. For example, a bland statement such as ‘SFC has a Board supported by 4 committees: Audit, Finance, HR and Search’ will have no impact on the audit work required compared to currently as this will be known historical information and is readily substantiated. However, a statement such as ‘The Board’s use of robust learner number data and other management information has allowed the College to mitigate all known risks to the future solvency of the SFC’ is likely to present more of a challenge to audit, require more audit input and hence audit fees to the SFC.

44. In light of the uncertainty surrounding the content of the Statement of Corporate Governance and Internal Control for 2012/13, the SFCF will work with representatives of the EFA and the audit firms’ working party to develop a pro-forma statement with the aim that this pro-forma does not require any increased level of audit input to form an opinion on than currently.

Sector Expertise

45. Some respondents to the consultation expressed a concern that the removal of internal audit would lead to a reduction in sector expertise as some firms might perceive there to be no longer a business case for working in the sector. We do not believe this is likely to eventuate.

46. The Education sector has always been diverse, and many audit providers have always worked across different parts of the sector as a whole (HEIs, GFEs, SFCs, Schools, PTPs etc). Although the market for internal audit work in SFCs might decline, other avenues will open up (Academies) and we expect audit firms to continue a ‘portfolio’ approach to providing services across the Education sector.

47. Similarly, many respondents to the consultation made it clear that rather than ‘lose’ internal audit altogether, they welcomed the opportunity to direct the service at those areas that they

10

believed would add most value. As in any market economy therefore, where there is a demand, so there will be a supply.

48. In determining which firm(s) to approach in respect of the provision of audit services, then clearly relevant, proven, sector expertise is a key consideration. In addition, for a SFC proposing to retain a full scope internal audit service (as opposed to commissioning only occasional, ad hoc, reviews) we would recommend that the SFC require the internal audit service providers to adhere to the new set of public sector internal audit standards (PSIAS) that will come in to force from April 2013 and which will replace HM Treasury’s Government Internal Audit Standards (GIAS).

49. These new standards are being developed by the Chartered Institute of Public Finance Accountants, the Chartered Institute of Internal Auditors, HM Treasury and other relevant organisations under the aegis of a new Internal Audit Standards Board. Adherence to these standards should provide SFCs with the comfort that service providers are appropriately qualified and technically proficient at delivering the assurance services required.

50. Additionally, we have seen recently firms trying to move into the sector and the CPC framework includes also some relatively new entrants. Overall therefore we would not expect there to be any significant diminution in choice of service providers or loss of sector expertise held within the current proponents of these services.

Retention of Best Practice Guidance 51. The removal of the requirement to submit annually the Financial Management and Control

Evaluation (FMCE) questionnaire was welcomed by the sector. In doing so however there was also a clear recognition that whilst the removal of an element of bureaucracy was to be welcomed, the questionnaire itself was a useful source of ‘best practice’ guidance against which to assess SFCs own operations and that it would be a pity to lose this.

52. SFCs will be aware that the SFA have also rescinded now the requirement for the colleges they regulate to submit an annual FMCE return and neither the EFA nor SFA plan to maintain the FMCE questionnaire to reflect future best practice. We have considered various options for how this questionnaire might be maintained for the benefit of all SFCs, including corporate sponsorship, a working party of SFC FDs, or indeed whether it is worth trying to maintain it. On balance, we do believe that the questionnaire has a useful role in facilitating self-assessment of SFCs own control processes, and in providing Boards / Audit Committees with an understanding of what constitutes best practice in the sector and as a basis against which to hold management to account for the efficient and effective use of resources.

53. The SFCF are therefore proposing to facilitate an ‘open source’ approach to maintaining this questionnaire. By ‘open source’ we mean that the master copy of the questionnaire will be accessible through the SFCF’s website, and that SFCF members will be able to suggest amendments that can then be commented on by others. On a six-monthly basis, the SFCF will moderate the suggested changes and update the master copy. In this way we believe the questionnaire will continue to reflect developing good practice. Also, being maintained ‘by the sector, for the sector’ is consistent with the wider, developing, framework of self-regulation.

Contact details

54. The EFA and SFCF would welcome comments and queries on any of the matters raised in this paper. Contact details are as follows:

Education Funding Agency: Head of Assurance Phil Eames; phil.EAMES@education.gsi.gov.uk

Sixth Form Colleges Forum Policy Support Officer Victoria Platt; victoria.platt@local.gov.uk

11

APPENDIX A: Summary Response to Consultation

Consultation Questions Yes No

1 Do you agree with the EFA’s proposal to remove the mandatory requirement for internal audit for SFCs?

90 (83%)

18 (17%)

Key issues raised by respondents:

• Still believe some assurance is good, but welcome flexibility to set the agenda and target the use of Internal Audit resources

• Board still has responsibility for seeking assurance over systems of internal control, governance and risk management

• Will place additional burden on the Audit Committee to ensure suitable assurance arrangements in place

• Brings arrangements into line with Academies / Corporate sector.

2 Do you agree with the EFA’s proposal that if a SFC determines not to have an Internal Audit Service this decision is taken by the Corporation, under advisement from its audit committee, which itself will have fully considered the SFC’s overall audit needs, and for the Corporation to keep these audit needs under annual review?

107 (99%)

1 (1%)

Key issues raised by respondents:

• Should be annual agenda item to keep under review

• Board needs to be comfortable that sufficient assurance mechanisms in place overall

• Decision should also be taken in conjunction with management / Principal (as Accounting Officer).

3 Do you agree with the EFA’s proposal that if a SFC decides to maintain an Internal Audit Service the prohibition on one firm providing both external and internal audit and other assurance services should be removed?

80 (74%)

28 (26%)

Key issues raised by respondents:

• Perceived conflict in roles and responsibilities if both internal and external audit undertaken by one firm

• Separation led to additional costs through duplication, so flexibility to decide welcomed

• Market for internal audit may decline such that some firms decide to pull out thereby reducing choice and/or sector expertise

• Desire to cut red tape is impeding the need for clear and separate accountability

• There will need to be guidance from the EFA and/or sector bodies on the role of audit committees in ensuring audit(or) independence and objectivity

• Needs greater clarity / guidance on when, or at what level, internal audit work might be seen to compromise independence

• Separation brings with it a wider range of expertise and professional opinion.

12

Consultation Questions Yes No

4 Do you agree with the EFA’s proposal to remove the requirement for SFCs to complete and submit FMCE returns annually?

103 (95%)

5 (5%)

Key issues raised by respondents:

• Still provides useful guidance as to what is considered best practice and would wish that the EFA maintain the pro forma questionnaire

• Need to clarify if still required as part of the Common Inspection Framework

• Completion is source of valuable assurance to audit committees and should be retained, but requirement to submit to the EFA should be removed

• Need to ensure that not replaced by an alternate layer of bureaucracy.

5 Do you agree with the proposal that the EFA and SFA will, in consultation with local authorities, conduct a full review of the need for and content of detailed provisions to be contained in Part 2 of the JACOP and consult during 2012/13 on the provisions, if any, to come into force for 2013/14?

104 (96%)

4 (4%)

Key issues raised by respondents:

• Early sight of the proposals would be appreciated as they will need plenty of time for detailed consideration

• Would prefer that JACOP (Part 2) be implemented as soon as possible to give clarity of requirements and remove uncertainty

• Will need consistency between EFA and SFA arrangements and/or two separate codes to ensure clarity of applicability to different institutions.

13

APPENDIX B: ‘Essential features of the Governance Statement’

Source: HM Treasury – Managing Public Money

• the governance framework of the organisation, including information about the board’s committee structure, its attendance records, and the coverage of its work;

• the board’s performance, including its assessment of its own effectiveness;

• highlights of board committee reports, notably by the audit and nomination committees;

• an account of corporate governance, including the board’s assessment of its compliance with the Corporate Governance Code, with explanations of any departures;

• information about the quality of the data used by the board, and why the board finds it acceptable;

• where relevant (for certain central government departments), an account of how resources made available to certain locally governed organisations are distributed and how the department gains assurance about their satisfactory use;

• a risk assessment, including the organisation’s risk profile, and how it is managed, including, subject to a public interest test:

– any newly identified risk

– a record of any ministerial directions given

– a summary of any significant lapses of protective security (eg data losses).

Source: http://www.hm-treasury.gov.uk/d/mpm_annex3.1.pdf

14

APPENDIX C: Indicative Board Assurance Map

KEY

Severity of risk: Minor Medium Critical

Level of assurance: High Medium Low None

© RSM Tenon

Failure to recruit and retain high quality

staff

Underperforming staff

Poor OFSTED result

Non-compliance with safeguarding

legislation

Significant clawback from funding audit

Declining financial position

Failure of the IT network

Failure to complete effective due

diligence on sub-contract partners

Failure to submit data/MIS returns

accurately and on time

OFSTED

Risk assessment

Reporting Risk

Management

Gross Net

2. Governance Oversight1. Management Operations

Sources of Assurance

External

Audit

Internal

Audit

Other 3rd

parties

3. Independent Assurances

Self

Assessment

Corporation Audit

Committee

Regulators

(EFA/ SFA)

Assurance

Example Risk

Areas

15

APPENDIX D: Professional Standards applicable to the provision of Internal Audit services

1. The Auditing Practices Board (APB), which has a role in setting and overseeing compliance with professional standards for regulated external audit firms, issued Ethical Standard 5 (Revised) in December 2011. This Standard covers the provision of ’internal audit services’ by financial statements auditors to the ‘audited entity’ (in this case a SFC). The APB define internal audit services as including any of the following:

• “to outsource the audited entity’s entire internal audit function; or

• to supplement the audited entity’s internal audit function in specific areas; or

• to provide occasional internal audit services to the audited entity on an ad hoc basis.”

2. The APB go on to confirm that that financial statements auditors may provide internal audit services “provided that the auditor is satisfied that there is informed management and appropriate safeguards are applied…” The only prohibition on providing internal audit services is “where it is reasonably foreseeable that:

• (a) for the purposes of the audit of the financial statements, the auditor would place significant reliance on the internal audit work performed by the audit firm; or

• (b) for the purposes of the internal audit services, the audit firm would undertake part of the role of management.”

‘Informed Management’

3. Informed management exists when:

• “the auditor is satisfied that a member of management has been designated by the audited entity to receive the results of the non-audit service and has been given the authority to make any judgments and decisions …needed;

• the auditor concludes that that member of management has the capability to make independent management judgments and decisions on the basis of the information provided; and

• the results of the non-audit service are communicated to the audited entity and, where judgements or decisions are to be made they are supported by an objective analysis of the issues to consider and the audited entity is given the opportunity to decide between reasonable alternatives.”

4. For a sector that has been as heavily regulated and audited as the FE sector over the last 20 years, we believe it would be very unlikely that any financial statements auditor would conclude that a SFC didn’t have ‘informed management’.

‘Appropriate Safeguards’

5. Where a threat, real or perceived, to the financial statements auditor’s objectivity and independence is identified, the ‘financial statements audit engagement partner’ is required to assess the significance of that threat and consider whether there are safeguards that could be applied that would be effective in eliminating it, or reducing it to an acceptable level. If such safeguards can be identified and are applied, the internal audit services may be provided. The two common safeguards used in such circumstances are:

a. Separate teams provide the financial statements and internal audit services;

b. A senior independent peer review is undertaken of both the financial statements and internal audit services provided and conclusions documented to confirm

16

whether or not the work undertaken, judgements made and conclusions reached are supported by the evidence available and are appropriate.

6. All of the main audit firms currently providing services to the FE sector are used to working on assignments across their client base (not just within education) with these safeguards in place.

‘Significant reliance on internal audit work’

7. International Standard on Auditing (UK and Ireland) 315 requires financial statements auditors to “obtain an understanding of the entity and its environment, including its internal control…in order to identify and assess the risks of material misstatement” [in the accounts]. The presence, or absence, of an internal audit function is just one small part of this overall assessment.

8. Where the financial statements auditors determine that internal audit is ‘relevant to’ the financial statements audit, then rules governing determining whether, and to what extent, to use internal audit; the competency of the internal auditors3; and the adequacy of any internal audit work completed, are set out in International Standard on Auditing (UK and Ireland) 610.

9. In essence, these rules require a financial statements auditor to carry out an independent review of the competency of the internal audit service provider, as well as re-performing in part their work in order to quality assure their findings and conclusions. From a financial statements auditor’s perspective therefore, to place reliance on the work of the internal auditor is a time consuming and expensive process.

10. Within the further education sector, there has always been an expectation that internal and financial statements auditors cooperate to avoid duplication of work. In practice, the regulated nature of the work required to be carried out by internal auditors, as well as the methodologies adopted by the financial statements audit firms working in the sector, has meant that the majority of financial statements audit firms ‘take account of’ rather than ‘place reliance on’ the work of internal auditors.

11. Currently therefore, and unless other core assurance mechanisms (Regularity audit and the annual funding audits overseen by the Skills Funding Agency) operating in the sector change, we would not expect financial statements auditors to place any more reliance on the work of internal auditors than they have in the past.

‘Management Role’

12. Within the Education sector historically, and more broadly across the Public Sector, it has always been acknowledged that internal auditors remain independent of the management function. The current version of the standard letter of engagement for internal auditors of SFCs actually states “the Internal Audit Service has no executive role, nor does it have any responsibility for the development, implementation or operation of systems…”

13. As with the ethical standards for external auditors, there are International Standards for the Professional Practice of Internal Auditing that cover situations where there may be an actual or perceived conflict of interest. Although having a management role is not precluded for internal auditors, where they do so, then any internal audit assurance work in relation to that area of management responsibility “must be overseen by a party outside the internal audit activity.4”

3 The requirement to assess competency is notwithstanding that International Internal Auditing Standards already

require internal audit service providers to have an independent quality assurance review at least every five years.

4 Attribute Standard 1130.A2, International Standards for the Professional Practice of Internal Auditing.

17

14. Currently therefore, and unless SFCs start to move to having an in-house internal audit service (whether individually or through such as a consortium arrangement), we do not envisage that internal auditors would have any role in the management of an SFC and hence this aspect of the prohibition on financial statements auditors undertaking internal audit services would not apply.

15. As with the above, all of which relates to the provision of internal audit services by financial statements auditors, there are ethical standards that apply to internal auditors working in the public sector.

16. These Standards require that internal auditors “must conform to the Code of Ethics [as being promulgated by Internal Audit Standards Advisory Board]. If individual internal auditors have membership of another professional body then he or she must also comply with the relevant requirements of that organisation.” Additionally, “Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest”, with a conflict of interest being defined as “a situation in which an internal auditor…has a competing professional or personal interest.”

17. The standards though do not preclude internal auditors from taking on assignments where there might be a conflict of interest. Rather, it is required that there be a process of open communication and that full details of the conflict “must be disclosed to appropriate parties”. This is akin to the rules relating to ‘informed management’ referred to above.