CONTENTS
Background
Internal audit progress
Follow up
Appendix A: Internal audit work in 2024/25
Appendix B: Current priorities for internal audit work
Appendix C: Summary of key issues from finalised audits
Appendix D: Audit opinions and finding priorities
Appendix E: Follow up of agreed actions
BACKGROUND
1 Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes.
2 The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government, and the CIPFA Statement on the role of the Head of Internal Audit.
3 In accordance with the PSIAS the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit & Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee.
4 The internal audit work programme was agreed by this committee in May 2024.
5 Veritau has adopted a flexible approach to work programme development and delivery. Work to be undertaken during the year is kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.
6 The purpose of this report is to update the committee on internal audit activity up to 17 January 2025.
INTERNAL AUDIT PROGRESS
7 A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A. Appendix A also details other work completed by internal audit during the year.
8 Since our last report to this committee, two audits have been finalised. These are the audits of officer declarations of interest and gifts and hospitality and of VAT accounting. A further four internal audit engagements have reached draft report stage. These will be finalised over the coming weeks.
9 A total of 16 audits are underway at the time of reporting. A further nine audits are at the background planning stage, in preparation for commencement during the final quarter of 2024/25.
Contract management audit: Audit & Governance Committee request
10 In our last report to this committee in November, we introduced the second audit of contract management which was added to the 2024/25 work programme at the request of the committee. Since then, we have issued a specification and begun work, with the following areas in scope:
· Objective 1: suitable contract terms are included within contracts,
· Objective 2: contract management procedures are in place and have been communicated,
· Objective 3: training is provided in respect of the contract management procedures.
11 Taking objectives two and three first, our provisional conclusions are that improvements can be made to strengthen the council’s procedures and guidance on contract management. While we understand that the Commercial Procurement Team is working on material in preparation for the new Procurement Act and Regulations (which introduce more detailed contract management and performance requirements), none are currently available. With the council not currently having defined procedures or guidance it follows that there is also no corporate training offer. Instead, reliance is placed on the experience and ability of the named contract manager to manage the contract effectively.
12 Objective one is where most of our work will be focused. To date, we have identified several key criteria against which sampled contracts will be assessed. These include contractual provisions for performance, dispute resolution, variation, extension, and termination, among others. We have also selected a sample of 10 contracts (including the expired Salvation Army contract) for review against these criteria. Fieldwork is currently underway and, in addition to the review of criteria, will also involve testing to confirm that contract management meetings are being held and performance data provided where applicable.
13 We expect to conclude the audit in February 2025. The final outcomes from this audit will, as usual, be shared with members of the committee on conclusion of the audit. They will also be presented as part of the Head of Internal Audit annual report scheduled for the 14 May 2025 meeting.
14 In addition to the audits noted above, we have also continued to support the council by certifying central government grants, undertaking consultative engagements in a number of areas, and providing support and advice on risk- and control-related matters.
15 The 2024/25 work programme, showing current priorities for internal audit work, is included in appendix B. All work is now categorised as either ‘do now’ or ‘do later’.
16 Audits categorised as ‘do now’ will be undertaken over the remainder of 2024/25 and, once completed, will mark the conclusion of the current year’s work programme.
17 Audits categorised as ‘do later’, of which there are 19, will be considered for inclusion in the 2025/26 internal audit work programme alongside other audit priorities that emerge during ongoing consultation. The internal audit work programme is designed to include all potential areas that should be considered for audit in the short to medium term, recognising that not all of these will be carried out during the current year (work is deliberately over-programmed). The 2025/26 programme is currently being developed and will be presented to the committee for its approval at the 26 March 2025 meeting.
18 The two audits that have been finalised since the last report to this committee are included in appendix C. The appendix summarises the key findings from these audits, and includes actions agreed with officers to address identified control weaknesses. The finalised reports in appendix C are also included as exempt annexes to this report.
19 Appendix D provides the definitions for our audit opinions and finding ratings.
FOLLOW UP
20 All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work, we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits. A summary of the current status of follow up activity is included at appendix E.
APPENDIX A: INTERNAL AUDIT WORK IN 2024/25
Audits in progress
| Audit | Status |
|---|---|
| | Draft |
| Housing benefits | Draft |
| Contract management (major projects) | Draft |
| NHS DSP Toolkit: accountable suppliers | Draft |
| Contract management (inc. Salvation Army) | In progress |
| Commercial asset performance | In progress |
| Savings plans | In progress |
| Travel and subsistence | In progress |
| Carbon reduction and climate adaptation | In progress |
| Physical information security (satellite sites) | In progress |
| Main accounting system | In progress |
| Safety Valve | In progress |
| Clifton Green Primary School | In progress |
| School themed audit: purchasing and best value | In progress |
| Residential care: Beehive / Wenlock Terrace | In progress |
| Unaccompanied asylum seeker children | In progress |
| Continuing healthcare | In progress |
| Payments to care providers and contract management (ASC&I) | In progress |
| Public protection | In progress |
| ICT disaster recovery | In progress |
| FOI and EIR improvement plan | Planning |
| Performance management framework | Planning |
| Risk management | Planning |
| Funded early education | Planning |
| Schools themed audit: pupil premium | Planning |
| Children’s direct payments | Planning |
| Green waste subscription service | Planning |
| Public EV charging strategy | Planning |
| Project management | Planning |
Final reports issued
| Audit | Reported to Committee | Opinion |
|---|---|---|
| Officer declarations of interest and gifts & hospitality | January 2025 | Substantial Assurance |
| VAT accounting | January 2025 | Substantial Assurance |
| Ordering and creditor payments | November 2024 | Substantial Assurance |
| Highways maintenance scheme development | November 2024 | Reasonable Assurance |
| | November 2024 | Reasonable Assurance |
| Asset management (TEPHC) | November 2024 | Reasonable Assurance |
| Adult safeguarding | November 2024 | Reasonable Assurance |
| Health and safety (TEPHC) | November 2024 | Limited Assurance |
| ICT procurement and contract management | November 2024 | Reasonable Assurance |
| Wigginton Primary School | November 2024 | Reasonable Assurance |
| Procurement Act: preparedness assessment | November 2024 | Substantial Assurance |
| Physical information security compliance | July 2024 | Reasonable Assurance |
| Absence management | July 2024 | Reasonable Assurance |
| Project management | July 2024 | Substantial Assurance |
| Agency staff (C&E and ASC&I) | July 2024 | Reasonable Assurance |
| NHS Data Security and Protection Toolkit (thematic review) | July 2024 | No Opinion Given |
| Adult education (York Learning) | July 2024 | Substantial Assurance |
| Foster carer payments | July 2024 | Limited Assurance |
| Business continuity | July 2024 | Reasonable Assurance |
| Payroll control | July 2024 | Substantial Assurance |
Other work in 2024/25
Internal audit work has been undertaken in a range of other areas during the year, including those listed below.
APPENDIX B: CURRENT PRIORITIES FOR INTERNAL AUDIT WORK
| Area | Priority | Audit / Engagement | Rationale |
|---|---|---|---|
| Strategic / corporate & cross cutting | Do now | Member induction programme | Provides assurance on system development, following work with the LGA. |
| Strategic / corporate & cross cutting | Do now | Contract management (major projects) | Provides coverage of more than one key assurance area. |
| Strategic / corporate & cross cutting | Do now | Contract management (inc. Salvation Army) | Being undertaken in response to known issues, and at the request of A&G. |
| Strategic / corporate & cross cutting | Do now | Physical information security (satellite sites) | Forms part of a rolling programme of assurance. |
| Strategic / corporate & cross cutting | Do now | NHS DSP Toolkit: accountable suppliers | Forms part of a rolling programme of assurance. |
| Strategic / corporate & cross cutting | Do now | Commercial asset performance | Provides coverage of more than one key assurance area. |
| Strategic / corporate & cross cutting | Do now | Savings plans | Linked to a key corporate risk. Provides broader assurance. |
| Strategic / corporate & cross cutting | Do now | Carbon reduction and adaptation | Emerging risk area. |
| Strategic / corporate & cross cutting | Do now | Travel and subsistence | Identified in consultation with officers. |
| Strategic / corporate & cross cutting | Do now | FOI and EIR improvement plan | Being undertaken in response to known issues previously reported to A&G. |
| Strategic / corporate & cross cutting | Do now | Performance management framework | No recent coverage. Provides assurance on key assurance area. |
| Strategic / corporate & cross cutting | Do now | Risk management | Key area of corporate governance. Provides broader assurance. |
| Strategic / corporate & cross cutting | Do later | Data quality | |
| Strategic / corporate & cross cutting | Do later | Use of CCTV and investigatory powers | |
| Strategic / corporate & cross cutting | Do later | York 2032: partnership governance | |
| Strategic / corporate & cross cutting | Do later | Public health: procurement and contract management | |
| Financial systems | Do now | Housing benefits | Key material system, with risk of error and fraud. |
| Financial systems | Do now | Main accounting system | No recent coverage. Provides coverage of a key assurance area. |
| Financial systems | Do later | Sundry debtors | |
| Financial systems | Do later | Housing rents | |
| Service areas | Do now | Safety Valve | Emerging risk area. |
| Service areas | Do now | Clifton Green Primary School | Provides assurance on organisational and financial governance at this setting. |
| Service areas | Do now | School themed audit: purchasing and best value | Emerging risk area. Provides broader assurance coverage. |
| Service areas | Do now | Unaccompanied asylum seeker children | Emerging risk area. |
| Service areas | Do now | Residential care: Beehive / Wenlock Terrace | Being undertaken in response to known areas for improvement. |
| Service areas | Do now | Continuing healthcare | Risks / controls are changing. |
| Service areas | Do now | Payments to care providers and contract management (ASC&I) | Provides coverage of more than one key assurance area. |
| Service areas | Do now | Public protection | Risks / controls are changing. |
| Service areas | Do now | Funded early education | Risks / controls are changing due to changes being implemented by the DfE. |
| Service areas | Do now | Schools themed audit: pupil premium | Provides broader assurance coverage. |
| Service areas | Do now | Children’s direct payments | Risks / controls are changing. |
| Service areas | Do now | Green waste subscription service | Risks / controls are changing with the implementation of this new service. |
| Service areas | Do now | Public EV charging strategy (tariff management) | Risks / controls are changing. Linked to council priorities. |
| Service areas | Do later | Alternative provision | Emerging risk area. |
| Service areas | Do later | Section 17 payments | Being undertaken in response to known areas for improvement. |
| Service areas | Do later | Danesgate Community School | |
| Service areas | Do later | Managing customer finances (ASC&I) | Identified in consultation with officers. |
| Service areas | Do later | Referrals and care assessments (ASC&I) | |
| Service areas | Do later | Care and support planning (ASC&I) | |
| Service areas | Do later | Landlord regulatory standards | |
| Service areas | Do later | Council house repairs | |
| Service areas | Do later | Locality working / ward committee model | |
| Service areas | Do later | Community safety strategy | |
| Technical / projects | Do now | ICT disaster recovery | Provides broader assurance. Linked to key corporate risk. |
| Technical / projects | Do now | Project management | Provides coverage of key assurance area. |
| Technical / projects | Do later | ICT applications / database security | Key attack vector for threat actors. Provides assurance on security controls. |
| Technical / projects | Do later | Cybersecurity: user awareness | |
| Technical / projects | Do later | IT projects / systems development | |
APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE
| System/area (month issued) | Opinion | Area reviewed | Comments / Issues identified | Management actions agreed |
|---|---|---|---|---|
| Officer declarations of interest and gifts and hospitality (January 2025) | Substantial Assurance | The audit reviewed arrangements for administering the council’s officer declaration of interests and gifts and hospitality processes, including associated recordkeeping. It also reviewed the availability and accuracy of policy and procedure documents and uptake of code of conduct training. | Processes for administering officer declarations and gifts and hospitality were found to be operating effectively. One weakness was observed. This related to uptake of the council’s code of conduct training, which was 60% across the sample of officers tested. New starters must complete the training within two months of commencing employment. All officers are expected to complete the training annually. Other minor improvement opportunities were identified, including making declarations and gifts and hospitality data easier to locate on the council’s website and improving the consistency with which gift and hospitality information is submitted and retained. | Officers will be reminded of the requirement to complete the code of conduct training within two months of commencing employment and annually thereafter. The MyLO learning platform has been configured to send automated reminders. Web Services will add a link from the Corporate Management Team page on the council’s website to officers’ declarations of interests on York Open Data. The gifts and hospitality submission methods will be reviewed to ensure that there is consistency in the information supplied, particularly the reasons for accepting gifts and hospitality. |
| VAT accounting (January 2025) | Substantial Assurance | The purpose of this audit was to review the effectiveness of the council’s arrangements for VAT accounting. | The council’s VAT accounting processes were found to be operating effectively. VAT reconciliations are completed regularly and accurately, with any errors or miscoding corrected on Civica. Working papers were available to support the council’s calculation of VAT exemptions. A small number of minor issues were identified arising from use of procurement cards. Not all invoices named the council, and some invoices did not record a VAT registration number (yet VAT had been applied). There were also some instances of VAT being claimed without a VAT invoice or receipt being available. | The VAT policy for procurement cards will be updated on the intranet site. Finance will send regular reminders to procurement card users to reinforce VAT requirements. |
APPENDIX D: ASSURANCE AUDIT OPINIONS AND FINDING PRIORITIES
Audit opinions
Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit. Our overall audit opinion is based on four grades of opinion, as set out below.

| Opinion | Assessment of internal control |
|---|---|
| Substantial assurance | Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified. |
| Reasonable assurance | Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made. |
| Limited assurance | Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation. |
| | Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse. |

Finding ratings

| Rating | Definition |
|---|---|
| Critical | A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management. |
| Significant | A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management. |
| Moderate | The system objectives are not exposed to significant risk, but the issue merits attention by management. |
| Opportunity | There is an opportunity for improvement in efficiency or outcomes but the system objectives are not exposed to risk. |
APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS
Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee.
To simplify the presentation of follow-up information, all agreed actions which had previously been reported to this committee on the priority 1-3 scale have been converted to reflect their equivalent rating under Veritau’s new rating system of critical, significant, moderate. This is required now that internal audit reports have begun being presented in Veritau’s new format.
To remind the committee, Veritau is no longer attaching priorities to agreed actions. Instead, ratings of ‘critical’, ‘significant’, ‘moderate’ and ‘opportunity’ are given to each detailed finding raised in our reports. These ratings reflect the severity of the issue identified. Agreed actions then inherit the rating of the finding to which they are attached.
A total of 112 actions have been followed up so far during 2024/25, up to 31 December 2024. A summary of the priority of these actions and the outcome from the follow up activity is below. Actions are marked as superseded if circumstances have changed sufficiently that the action is no longer required. Revised dates are agreed where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable.
Actions followed up and results of follow up of agreed actions

| Priority of actions | Number of actions followed up | Action implemented | Revised date agreed | Superseded |
|---|---|---|---|---|
| Critical | 0 | 0 | 0 | 0 |
| Significant | 70 | 47 | 22 | 1 |
| Moderate | 42 | 35 | 5 | 2 |
| Total | 112 | 82 | 27 | 3 |