Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value and providing insight to improve the operations of Transport for Wales. It assists Transport for Wales in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organisation's governance, risk management, and internal control.
Internal audit is established by the Board of Directors and Audit and Risk Committee (hereafter referred to as the ARC). Internal audit’s responsibilities are defined by the Board and Audit and Risk Committee as part of their oversight role.
Internal audit will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. Internal Audit will also have regard to Public Sector Internal Audit Standards (“PSIAS”), Managing Public Money (HM Treasury) and Managing Welsh Public Money (Welsh Government). In addition, internal audit will adhere to Transport for Wales’s relevant policies and procedures and internal audit’s operating procedures manual. Internal Audit will also have regard to the Committee on Standards of Public Life’s Seven Principles of Public Life.
Internal audit, with strict accountability for confidentiality, safeguarding records and information, is authorised full, free, and unrestricted access to any and all of Transport for Wales’s records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist internal audit in fulfilling its roles and responsibilities. Internal audit activity will also have free and unrestricted access to the ARC.
The Internal Audit lead will report functionally to the ARC and administratively (i.e. day to day operations) to the Executive Director of Finance.
The ARC will:
• Approve the internal audit charter.
• Approve the risk based internal audit plan.
• Approve the internal audit budget and resource plan.
• Receive communications from the Internal Audit lead on internal audit’s performance relative to its plan and other matters.
• Approve decisions regarding the appointment and removal of the Internal Audit lead.
• Approve the remuneration of the Internal Audit lead.
• Make appropriate enquiries of management and the Internal Audit lead to determine whether there is inappropriate scope or resource limitations.
The Internal Audit lead will communicate and interact directly with the ARC, including in executive sessions and between ARC meetings as appropriate.
Independence and objectivity
The internal audit activity will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor’s judgment.
If the Internal Audit lead and/or Internal Audit undertakes non-audit activities, clearance will need to be obtained from the Chair of the ARC, who will only issue approval if the Chair is satisfied that there is no impairment of independence taking into account PSAS 2030 Resource Management and 1112 Chief Audit Executive Roles Beyond Internal Auditing.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Internal Audit lead will confirm to the ARC, at least annually, the organisational independence of internal audit.
The Chair of the ARC will provide feedback to the individual responsible for the performance assessment of the Internal Audit lead.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organisation's governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organisation’s stated goals and objectives. This includes:
• Evaluating risk exposure relating to achievement of the organisation’s strategic objectives.
• Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
• Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organisation.
• Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets. • Evaluating the effectiveness and efficiency with which resources are employed.
• Evaluating operations or programmes to ascertain whether results are consistent with established objectives and goals and whether the operations or programmes are being carried out as planned.
• Monitoring and evaluating governance processes.
• Monitoring and evaluating the effectiveness of the organisation's risk management processes.
• Performing consulting and advisory services related to governance, risk management and control as appropriate for the organisation.
• Reporting periodically on the internal audit’s purpose, authority, responsibility, and performance relative to its plan.
• Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the ARC.
• Evaluating specific operations at the request of the ARC or management, as appropriate.
As TfW is an organisation wholly owned by Welsh Government the values from “Managing Welsh Public Money” will be considered in all activity.
The responsibilities of Internal Audit are wide. It is the responsibility of the Board, the Audit and Risk Committee and the Welsh Ministers to ensure that appropriate resources are provided to the Head of Internal Audit to fulfil Internal Audit’s responsibilities either through the provision of full-time staff; outsourcing for specific projects: either to the Welsh Government; the private sector; or, ensuring that no conflicts of interest are created, by: secondments from the Welsh Government; other public sector bodies; or the private sector.
Internal audit plan
At least annually, the Internal Audit lead will submit to senior management and the ARC an internal audit plan for review and approval.
The internal audit plan will be developed based on a prioritisation of the audit universe using a risk-based methodology, including input of senior management and the ARC. The Internal Audit lead will review and adjust the plan, as necessary, in response to changes in the organisation’s business, risks, operations, programmes, systems, and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the ARC through periodic activity reports.
The risk-based plan will take into account the fact that an annual internal audit opinion will be produced for the ARC and the Accounting Officer, which will conclude on the overall adequacy and effectiveness of TfW’s framework of governance, risk management and control.
The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next year. The Internal Audit lead will communicate the impact of any resource limitations and significant interim changes to senior management, the ARC and if the Internal Audit lead believes that the level of agreed resources will impact adversely on the Annual Internal Audit Opinion, the Board.
Prior approval must be sought from the Chair of the ARC for any significant additional consulting services not included in the approved Internal Audit Plan.
Reporting and monitoring
A written report will be prepared and issued by the Internal Audit lead or designate following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the ARC.
The internal audit report may include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response, whether included within the original audit report or provided thereafter (i.e. within thirty days) by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
The Internal Audit lead will periodically report to senior management and the ARC on internal audit’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the ARC.
Quality assurance and improvement programme
Internal audit will maintain a quality assurance and improvement programme that covers all aspects of internal audit activity. The programme will include an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The programme also assesses the efficiency and effectiveness of internal audit and identifies opportunities for improvement.
The Chair of the ARC will include details of the results of the programme and progress against improvement plans in the Chair’s report included in TfW’s Annual Report.
The Internal Audit lead will communicate to senior management and the ARC on internal audit quality assurance and improvement programme, including results of ongoing internal assessments and external assessments conducted at least every five years (the terms of which should be agreed by the Chair of the ARC).
Approved on 6 June 2019