BACKGROUND
1 Internal audit provides independent and objective assurance and advice about the Council’s operations. It helps the organisation to achieve overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.
2 The work of internal audit is governed by the Accounts and Audit Regulations 2015 and the Public Sector Internal Audit Standards (PSIAS). In accordance with these, the Head of Internal Audit is required to regularly report progress on the delivery of the internal audit plan to the Audit and Governance Committee and to identify any emerging issues which need to be brought to the attention of the committee.
3 The internal audit work programme was agreed by this committee in April 2021. The number of agreed days is 1,095 and the plan is flexible in nature. Work is being kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the Council.
4 The purpose of this report is to update the committee on internal audit activity in 2021/22.
A new approach to work programme development and delivery
5 As noted in the April 2021 report to the committee (internal audit work programme) we have adopted a flexible approach to audit planning to meet professional aims and objectives, and in line with good practice for internal audit. This is the first year we have adopted a fully flexible approach. The arrangements are summarised below.
6 The indicative programme provided to the committee in April is a long list of areas of potential work which are considered the highest priority for audit, based on an assessment of risk. The difference in approach this year is that the programme now acts as a guide for ongoing planning through the course of the year, with the expectation being that areas will drop out of this list, and new areas will be added, as our assessment of risks and priorities changes. This approach allows us to ensure audits are targeted to areas of most importance at the time we undertake the work, rather than being based on a fixed risk assessment, undertaken before the start of the year, which quickly becomes out of date.
7 Using the indicative programme, we will determine audit work to be undertaken on an ongoing, rolling basis during the year on the basis of:
· “Do now” – work of the highest value, priority, or urgency
· “Do next” – work to be started after current audit work is completed
· “Do later” – work to be scheduled for consideration later in the year
8 Decisions on which category work falls into will be based on professional judgement, together with communication with key client officers, and will be guided by the following considerations:
· where we have no recent audit assurance, or other sources of assurance
· where controls are changing and/or risks are increasing
· where we are following up previous control weaknesses
· where specific issues have arisen
· areas that are of significant importance to the Council, for example they reflect key objectives or high priority projects
· areas that provide broader assurance, for example corporate policies and frameworks
· areas that need to be covered to enable us to provide an annual opinion
· where there are time pressures or scheduling requirements, for example grant deadlines, or work scheduled to minimise the impact on council service areas at busy times.
9 Between now and the end of the year, the committee can expect individual pieces of work to move between the categories based on their priority at the time of assessment. For example, an audit scheduled for quarter three to minimise the impact on a service area may initially be classed as “do later”, but will become “do now” as we move into quarter three. Similarly, a project audit classed as “do now” because it represents an area of high importance to the Council may move from “do now” to “do next” or “do later”, if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as “do later” are likely to be deferred until the next year.
10 To ensure the Audit and Governance Committee continues to have oversight of current and planned audit work, a current assessment of work to be undertaken will be presented as part of each internal audit progress report. This will enable the committee to understand what work is currently planned and to provide input on the relative priorities of work to be carried out in the future.
INTERNAL AUDIT PROGRESS
11 The Annual Head of Internal Audit report for 2020/21 was presented to this committee on 16 June 2021. As noted in that report, the impact of the Covid-19 pandemic meant that we had a higher level of outstanding 2020/21 work than would normally be expected. The intention is to bring the audit cycle back in line with normal arrangements over the next two years.
12 Much of the work that has taken place since the last report to this committee has been to finalise the outstanding 2020/21 work.
13 A summary of 2021/22 internal audit work currently underway and completed is included in appendix 1. Also included is 2020/21 work that has recently been finalised or is still to be finalised.
14 The prioritisation and scoping of work will continue to be discussed with officers. Appendix 2 shows the current work plan, and categorises audits by when they are expected to be completed.
15 Appendix 3 summarises the key findings from work completed that we have not previously reported to this committee.
FOLLOW-UP OF AGREED ACTIONS
16 All actions agreed with services as a result of internal audit work are followed up to ensure that underlying control weaknesses are addressed. A summary of the current status of follow up of agreed actions is included in appendix 4.
| Audit | Status | Assurance Level |
| --- | --- | --- |
| Danesgate follow up audit | Final report issued | No opinion given |
| Continuing Healthcare | Draft report issued | |
| Ordering and Creditors | Draft report issued | |
| Health and Safety | In progress | |
| Highways CDM (Construction, Design and Management) Regulations | In progress | |
| ICT Asset Management | In progress | |
| Main Accounting System | In progress | |
| Payroll | In progress | |
| Records Management | In progress | |
| Safety Advisory Group (SAG) Governance | In progress | |
| Information Security | Ongoing – further work planned | |
| 2020/21 audits brought forward | | |
| Absence Management | Final report issued | No opinion given |
| Community Hubs | Final report issued | Reasonable Assurance |
| Council Tax & NNDR | Final report issued | Reasonable Assurance |
| Council Tax Support & Housing Benefit | Final report issued | Substantial Assurance |
| Environmental Health | Final report issued | Substantial Assurance |
| Project Management | Final report issued | Reasonable Assurance |
| Schools Themed Audit – Cyber Security & IT Management | Final report issued | Reasonable Assurance |
| Sundry Debtors | Final report issued | Substantial Assurance |
| Business Continuity | Draft report issued | |
| Commercial Waste | Draft report issued | |

Other work: Internal audit work has been undertaken in a range of other areas during the period, including those listed below.
· Quarterly review of Supporting Families claims
· Review of new parking system processes
· Follow up of agreed actions
· Grant certification work
APPENDIX 2: CURRENT PRIORITIES FOR INTERNAL AUDIT WORK
| Audit / Activity | Rationale |
| --- | --- |
| Strategic risks / Corporate & cross cutting | |
| Category 1 (do now) | |
| Health and Safety | Deferred from 20/21 and significant risk area |
| Information security | Deferred from 20/21 and significant risk area |
| Records Management | Deferred from 20/21 and significant risk area |
| Safety Advisory Group governance | Emerging risk. Requested by senior management |
| Category 2 (do next) | |
| Information Governance – DSP (NHS) toolkit | Significant risk area |
| Complaints processes | Key area of corporate governance |
| HR and workforce planning | Significant risk area |
| Financial planning and budgeting | Significant risk area |
| Category 3 (do later) | |
| s106 agreements / support in developing systems | |
| Procurement and Contract Management | |
| Risk Management | |
| Partnership working | |
| Information security checks | |
| Information Governance – RIPA actions | |
| Performance management and data quality | |
| Environment and waste | |
| Fundamental / material systems | |
| Category 1 (do now) | |
| General Ledger / Main Accounting System | Key assurance area |
| Payroll | Key assurance area |
| Ordering and Creditors | Key assurance area |
| Category 2 (do next) | |
| Debtors and income collection | Key assurance area |
| Council Tax / NNDR and benefits | Key assurance area |
| Category 3 (do later) | |
| Capital accounting and assets | |
| Treasury Management | |
| Operational / regularity | |
| Category 1 (do now) | |
| Continuing Healthcare charging | Provides broader assurance |
| Highways CDM | Emerging risk. Identified by senior managers |
| Danesgate follow up audit | Follow up of significant risks identified in previous audit |
| Category 2 (do next) | |
| Adults: budget management, commissioning, high cost placements, market management, internal provision | Significant risk area. Specific areas for audit being discussed with officers. |
| Children: Special Educational Needs and Disability (SEND), Education, Health & Care (EHC) plans and processes | Significant risk area. Specific areas for audit being discussed with officers. |
| Building services and housing repairs | Provides broader assurance. Significant area for council |
| Public health | Provides broader assurance. Significant area for council |
| Category 3 (do later) | |
| Direct payments | |
| Service contract management and client arrangements (Explore, YMT, Leisure) | |
| Technical / projects | |
| Category 1 (do now) | |
| ICT Asset Management | Deferred from 20/21; key assurance area |
| Category 2 (do next) | |
| ICT remote access | Key assurance area |
| ICT procurement and contract management | Key assurance area |
| Category 3 (do later) | |
| ICT procurement and contract management | |
APPENDIX 3: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE
| System/area | Opinion | Area reviewed | Date issued | Comments / Issues identified | Management actions agreed |
| --- | --- | --- | --- | --- | --- |
| Community Hubs | Reasonable Assurance | Policies and procedures, customer safety, purchase cards, recovering costs. | 08/06/21 | Generally systems worked well. Hubs were set up with urgency and there were some issues with the robustness of processes. Issues were raised regarding vetting volunteers and procedures for issuing and retrieving ID badges. | The council has worked with partners to establish a different process for recruiting and deploying volunteers in emergencies. The council will establish procedures for the issue and retrieval of ID badges for volunteers. |
| Project Management | Reasonable Assurance | Project management best practice, risk management, governance arrangements. | 25/06/21 | Generally systems were working well. Issues were raised regarding the clarity of mandatory elements of the council’s project management framework, risk target levels not being set, and a lack of consistency in communicating risk assessments. | Mandatory elements of the project management framework will be communicated to project managers. Target risk levels will be required. Training will be provided on communication of project risks. |
| Environmental Health | Substantial Assurance | Recording and prioritising complaints, investigation and action processes, information recording and communicating. | 30/06/21 | Overall systems were found to be working well. No major issues identified. Minor issues identified with the efficiency of information recording and responding to Freedom of Information requests (FOIs). | The service will look to streamline information recording where possible. The service manager will discuss ways to streamline FOI processes with the information governance manager. |
| Absence Management | No opinion given | Record keeping; integrity / consistency of data across council and third party systems under the absence management contract; access to management information. | 15/07/21 | No significant weaknesses were found. Some issues were identified and fed back to the service in December 2020 and have already been resolved and actions put in place to address weaknesses in systems. | No actions required resulting from the audit. However, the service will conduct a full assessment of the short term absence management service. |
| Council Tax & NNDR | Reasonable Assurance | Property database. Billing, discounts, exemptions, disregards and reliefs. Arrears, refunds, write offs. Covid-19 grants. | 21/07/21 | Generally systems were working well. The service area had very significant demands arising from Covid-19. Quality assurance checks had not been completed consistently. Database reconciliations (Valuation Office to council records) had not been completed for 2 quarters. Customer records were incomplete. | Quality assurance checks resumed in July 2021. Reconciliations have now been completed. Direct debit rejection letters stored against customer accounts. |
| Council Tax Support and Housing Benefits | Substantial Assurance | Accuracy and timeliness of assessments and calculations, appeals processing, overpayment and recovery processes. | 31/07/21 | Overall systems were found to be working well. No major issues identified. Post payment assurance checks do not take place on self-isolation payments (extensive pre-payment checks had been undertaken). | A sample of post payment assurance checks will be undertaken. |
| Sundry Debtors | Substantial Assurance | Invoice raising, account management, debt management | 20/08/21 | Overall systems were found to be working well. No major issues were identified. One issue raised regarding clarity of delegated authority to write off debt (we were satisfied authority for write offs had been appropriately delegated). | Scheme of delegation will be updated to document the delegation of authority for approving the write off of unrecoverable debts. |
| Schools Themed – Cyber Security & IT Management | Reasonable Assurance | Physical and logical security, training, IT asset management, IT contract management. | 14/09/21 | Generally systems were working well. No major issues identified but a number of findings raised, relating to: server security, contractor management, user access, disaster recovery, IT asset management and data protection, cyber security awareness. | The council’s schools business support team will share the audit’s findings and best practice guidance with schools. Each school will be responsible for reviewing the situation at their school and addressing any weaknesses. |
| Danesgate follow up audit | No opinion given | Follow up of issues identified in 2019-20 audit | 22/09/21 | Majority of agreed actions fully implemented and issues identified have been addressed. Some actions only partially implemented or not yet complete so further actions agreed. | Outstanding policies to be ratified by Governors. Contract procedures to be followed and records kept of opening of quotations. Schedule of contracts to be presented to Governors. All issuing of petty cash to be signed off by Headteacher; no petty cash reimbursement for travel and subsistence. Physical check of inventory to take place and be recorded half termly. |
APPENDIX 4: FOLLOW UP OF AGREED AUDIT ACTIONS
Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee.
Follow up work was suspended for a period during the pandemic and restarted in autumn 2020. A detailed report on higher priority actions was provided in the Head of Internal Audit annual report, reported to this committee in June 2021. This report covers actions followed up between the date of that report and 30th September 2021.
Actions followed up
A total of 34 actions have been followed up since the last report to this committee in June 2021. A summary of the priority of these actions is included below.
| Priority of actions* | Number of actions followed up | By directorate: Corporate Services | By directorate: People Directorate | By directorate: Place Directorate |
| --- | --- | --- | --- | --- |
| 1 | 0 | 0 | 0 | 0 |
| 2 | 13 | 6 | 4 | 3 |
| 3 | 21 | 9 | 12 | 0 |
| Total | 34 | 15 | 16 | 3 |
Of the 34 agreed actions, 26 (76%) had been satisfactorily implemented. In 8 cases (24%) the action had not been implemented by the target date and a revised date was agreed. This is done where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable.