BACKGROUND
1
Internal audit
provides independent and objective assurance and advice about the
council’s operations. It helps the organisation to achieve
its overall objectives by bringing a systematic, disciplined
approach to the evaluation and improvement of the effectiveness of
risk management, control and governance processes.
2
The work of internal
audit is governed by the Accounts and Audit Regulations 2015 and
relevant professional standards. These include the Public Sector
Internal Audit Standards (PSIAS), CIPFA guidance on the application
of those standards in Local Government and the CIPFA Statement on
the role of the Head of Internal Audit.
3
In accordance with
the PSIAS, the Head of Internal Audit is required to report
progress against the internal audit plan (the work programme)
agreed by the Audit and Governance Committee, and to identify any
emerging issues which need to be brought to the attention of the
committee.
4
The internal audit
work programme was agreed by this committee in March 2023. The
number of agreed days is 1,023.
5
Veritau follows a
fully flexible approach to work programme development and delivery,
to keep pace with developments in the internal audit profession and
to ensure that we can continue to deliver a responsive
service. In
line with this approach, work is being kept under review to ensure
that audit resources are deployed to the areas of greatest risk and
importance to the council.
6
The purpose of this
report is to update the committee on internal activity up to 1
September 2023.
INTERNAL AUDIT PROGRESS
7
In the period to 1
September 2023, six audits have been finalised. A further five
audits have been reported in draft. We expect to finalise these
audits in time for the November meeting of this
committee.
8
As at the time of
reporting, 14 audits are in progress. A number of audits that are
currently in progress are a good way through the fieldwork stage.
We expect to be able to report on findings from the following
audits at the next meeting of this committee:
·
Schools themed
audit: Schools Financial Value Standard (SFVS)
·
Teckal company
governance: Make it York
·
ICT remote
access
·
CIPFA Financial
Management Code (consultative)
·
Adherence to
constitution: decision-making
·
Adult
education
·
Highways maintenance
scheme development review
9
In addition, we are
in the process planning a further nine audits, with fieldwork set
to commence over the coming weeks. These audits will continue into
quarter 3 2023/24.
10
A summary of
internal audit work currently underway, as well as work finalised
in the year to date, is included in appendix A.
11
The work programme
showing current priorities for internal audit work is included at
appendix B.
12
A total of 14 audits
are shown in the ‘do next’ category where we expect
work to begin during quarter 3 2022/23. Some of these audits
already have agreed start dates. Start dates for the remaining
audits will be determined through liaison with responsible officers
across the directorates.
13
The programme also
includes 15 audits in the ‘do later’ category. The
internal audit work programme is designed to include all potential
areas that should be considered for audit in the short to medium
term, recognising that not all of these will be carried out during
the current year (work is deliberately over-programmed).
14
In determining which
audits will actually be undertaken, the priority and relative risk
of each area will continue to be considered throughout the
remainder of the year, and as part of audit planning for 2024/25
which will commence towards the end of quarter 3. Consideration
will also be given to the coverage of each of the 11 key assurance
areas when prioritising any remaining work during
2023/24.
15
The six audits that
have been finalised since the last report to this committee in July
2023 are included in appendix C. The appendix summarises the key
findings from these audits and actions agreed with officers to
address identified control weaknesses. The finalised reports listed
in appendix C are published online, along with the papers for this
committee. This is with the exception of the Jewson managed stores
audit which is instead included as an exempt annex to this
report.
16
Appendix D lists our
current definitions for action priorities and overall assurance
levels.
FOLLOW UP
17
All actions agreed
with services as a result of internal audit work are followed up to
ensure that issues are addressed. As a result of this work we are
generally satisfied that sufficient progress is being made to
address the control weaknesses identified in previous audits. A
summary of the current status of follow up activity is included at
appendix E.
APPENDIX A:
INTERNAL AUDIT WORK IN 2023/24
Audits in
progress
|
Audit
|
Status
|
|
Risk
management
|
Draft
|
|
Insurance
|
Draft
|
|
Parking
|
Draft
|
|
Data security
incident management
|
Draft
|
|
Housing rents (inc.
data quality)
|
Draft
|
|
Schools themed
audit: SFVS
|
In
progress
|
|
Teckal company
governance: Make it York
|
In
progress
|
|
ICT remote
access
|
In
progress
|
|
Foster carer
payments
|
In
progress
|
|
CIPFA Financial
Management Code (consultative)
|
In
progress
|
|
Adherence to
constitution: decision-making
|
In
progress
|
|
Adult
education
|
In
progress
|
|
Highway maintenance
scheme development review
|
In
progress
|
|
Transparency
|
In
progress
|
|
Section 106
agreements
|
In
progress
|
|
Agency staff
(Children and Education / Adult Social Care and
Integration
|
In
progress
|
|
Payroll
|
In
progress
|
|
Budget
management
|
In
progress
|
|
Treasury
management
|
In
progress
|
|
Asset
management
|
Planning
|
|
ICT procurement and
contract management
|
Planning
|
|
Continuing
healthcare
|
Planning
|
|
Health and Safety
(Place directorate)
|
Planning
|
|
Officer declarations
of interest
|
Planning
|
|
Business
continuity
|
Planning
|
|
Adult social care:
safeguarding
|
Planning
|
|
Placements and
commissioning (children’s services)
|
Planning
|
|
Safety Valve
(implementation review
|
Planning
|
Final reports
issued
|
Audit
|
Reported to
Committee
|
Opinion
|
|
Climate Change
Strategy: governance framework
|
September
2023
|
Reasonable
Assurance
|
|
Public health:
procurement and contract management
|
September
2023
|
Reasonable
Assurance
|
|
Jewson managed
stores contract
|
September
2023
|
Reasonable
Assurance
|
|
Health and
safety
|
September
2023
|
Reasonable
Assurance
|
|
CCTV: Surveillance
Camera Code of Practice
|
September
2023
|
Reasonable
Assurance
|
|
Council tax and
NNDR
|
September
2023
|
Reasonable
Assurance
|
|
Commercial
procurement and compliance
|
July 2023
|
Substantial
Assurance
|
|
Sundry
debtors
|
July 2023
|
Substantial
Assurance
|
|
Savings
plans
|
July 2023
|
Reasonable
Assurance
|
|
Ordering and
creditor payments
|
July 2023
|
Substantial
Assurance
|
|
Main accounting
system
|
July 2023
|
Substantial
Assurance
|
Other work in
2023/24
|
Internal
audit work has been undertaken in a range of other areas during the
year, including those listed below.
|
|
·
Follow up of agreed
actions
·
Grant certification
work:
-
Scambusters
-
UKSPF assurance
return support (2022/23)
-
ESFA 2022/23
academic year subcontracting standard
-
Rough Sleeping
Accommodation Programme
-
Supporting
Families
-
WYCA Transport Fund
and Transforming Cities Fund
·
UKSPF assurance
framework development support
·
Review of the
council’s PDR policy framework and related guidance, training
uptake, and appraisal completion rates
·
Completion of
consultation work on the system for booking of hire cars and the
monitoring of their use
Provision of support and
advice:
·
Housing benefits
– supported housing claims (rent review process)
·
Compliance efforts
relating to additional payments to care workers, including feedback
to the Adult Social Care & Integration DMT
·
Administration of
adults’ direct payments
|
APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE
LAST REPORT TO THE COMMITTEE
|
System/area
(month
issued)
|
Opinion
|
Area
reviewed
|
Comments
|
Management
actions agreed
|
|
Climate Change
Strategy: governance framework
(September
2023)
|
Reasonable
Assurance
|
The Climate Change
Strategy is organised into eight main themes covering 32 objectives
and is guided by five principles. This audit concentrated on the
theme of governance, assessing the effectiveness of the governance
arrangements established through the strategy.
|
The council has
established the Climate Change Programme Board (CCPB) to provide
internal oversight and challenge to delivery groups and projects,
make recommendations and provide advice to officers, Council
Management Team (CMT) and Members. CCPB also monitors progress
against the Climate Change Strategy.
The CCPB terms of
reference require review and alignment with the work of the
city-wide parternship known as the York Climate Commission and the
internal Sustainability Leads Group terms of reference. There is a
discrepancy between stated CCPB membership and actual meeting
attendance and not all council directorates are represented. CCPB
action logs do not provide clarity on attendance and updates
received from delivery groups and officers.
The Climate Change
Strategy Action Plan contains actions for which funding and
delivery mechanisms have not yet been identified.
Climate risks are
included in the corporate risk register. However, these are not
reflected at the directorate risk register level.
|
The CCPB terms of reference will be reviewed to ensure they are fit
for purpose. The action log will include attendance records and
make clear any recommendations made on projects or decisions for
CMT to consider. CMT will also review membership.
The strategy action plan will be
refreshed to focus on deliverable SMART actions. The refresh will
be completed once the Council Plan 2023-27 has been
published.
The Carbon Reduction
team will work with council departments to support them to
recognise and understand climate change risks in their services.
CMT will ensure that directorate risk registers are updated to
include relevant climate change risks.
|
|
Public health
contract management
(August
2023)
|
Reasonable
Assurance
|
Contract management
arrangements were reviewed for the integrated sexual health service
and the alcohol and illicit drug integrated treatment and recovery
service.
|
Governance and
reporting mechanisms are in place for both public health contracts
reviewed. Roles and responsibilities and reporting lines for
contract management are clearly documented in contract
managers’ job descriptions. Public health governance meetings
take place regularly, and the relevant contract managers attend and
report on the contracts.
Key performance
indicators (KPIs) are set out in the service specifications of the
sampled contracts, and the specifications comprehensively outline
arrangements for collecting and sharing information, requiring both
parties to meet regularly to discuss performance as part of the
respective performance management frameworks. However, we found
that the integrated sexual health service provider had not complied
with the contractual requirement to produce an annual
report.
Beyond initial financial
appraisal at point of contract award, there is no formal process in
place for monitoring the financial health of public health service
providers.
Public health maintains a risk
register but not in the format required by the council’s risk
management policy and strategy. Significant contract risks are not
included on the risk register despite a challenging external
environment with the potential to impact on service delivery and
continuity.
|
Officers responsible
for the management of the integrated sexual health contract will
agree future reporting arrangements with the provider and ensure
that an annual report is completed.
Annual financial appraisals will
be built into contract monitoring arrangements for all public
health contracts.
The public health team will
request training and advice from the council’s risk
management team to ensure that risks impacting service delivery are
captured and monitored in accordance with the council’s risk
management policy and strategy.
|
|
Jewson managed
stores contract
(August
2023)
|
Reasonable
Assurance
|
This audit aimed to
provide assurance that the council is receiving value for money
from the contract, that the contract is being effectively managed,
and that the council’s interests are adequately protected. It
also reviewed whether invoicing for materials is
accurate.
|
The council operates
on an open book basis with Jewson and profit margins are in line
with the agreed rate.
Although regular
client meetings are taking place with Jewson to discuss issues that
are relevant to the management of the contract, the agendas do not
include all items that should be discussed in these meetings
according to the contract.
None of the KPIs
included in the contract are clearly defined and do not appear to
provide information on price and quality. The council receives
monthly KPI reports from Jewson but the information contained in
these reports does not correspond with the KPIs that are set down
in the contract.
Invoices are generated
automatically from the management information system that is
operated by Jewson. Invoices are received each week and checked to
ensure charges relate to valid job numbers.
|
Clear
definitions of what the KPIs are measuring will be produced and
shared with the contractor and the council officers who are
responsible for managing the contract. A summary of
contract performance will be included in monthly Building Services
performance monitoring meetings.
Annual meetings with the
contractor will be reinstated. All agenda items from the contract
will be listed on the agenda for each monthly and quarterly
meeting, even though not all items will be addressed in every
meeting.
|
|
Health and
safety
(August
2023)
|
Reasonable
Assurance
|
This audit involved
a review of risk assessment processes and incident reporting at a
sample of council premises. It evaluated processes against the
compliance note in the council’s health and safety policy and
use of the B-Safe system.
|
The council’s
risk assessment process is guided by the health and safety policy
and risk assessment compliance note within the council’s
Safety Management System. The compliance note includes a
comprehensive procedure for completing risk assessments.
However, the audit identified
that not all premises risk assessments had been recently reviewed
and did not effectively capture required changes arising from
reviews undertaken. A number of discrepancies were also identified
between the requirements of the compliance note and the risk
assessments in place for the sites visited. In addition, risk
assessment logs required by the compliance note (ie a consolidated
register which identifies the risk assessments that are in place at
each site) were not held for four of the five sites
visited.
Health and safety training
requirements are unclear and there is variation in the provision of
training for officers with responsibility for health and safety at
sites.
Incidents are generally reported
promptly, with 76% of incidents across sites during 2022/23
reported within two days of occurrence and all except one within
nine days of occurrence.
|
Council Management Team will define corporate expectations for risk
assessments that should be held at council premises. It will also
define training requirements for managers with health and safety
responsibilities at sites, and requirements for health and safety
inductions for new staff or those that take on site management
responsibilities.
DMTs will ensure that risk
assessment logs are in place for premises and activities within
their area of responsibility. In addition, they will review and
seek assurances that observational monitoring is undertaken to
ensure risk assessments comply with the risk assessment compliance
note.
|
|
CCTV: Surveillance
Camera Code of Practice
(August
2023)
|
Reasonable
Assurance
|
This audit was
undertaken in response to the new Biometric and Surveillance Camera
Commissioner’s survey and their heightened focus on
compliance with the Surveillance Camera Code of Practice
(“the Code”). It involved review of arrangements for
managing the council’s overt surveillance systems and
availability of information to support compliance assertions made
in the survey return.
|
The council has
identified suitable officers to act as Senior Responsible Officer
(SRO) and the Single Point of Contact.
The council’s security
contractor, Gough & Kelly (G&K), is responsible for most of
the council’s CCTV installations. G&K regularly completes
the Commissioner’s self-assessment tool to monitor and
validate compliance with the Code.
The council last completed a
compliance self-assessment in 2020. Knowledge of the compliance of
service-operated systems is limited to those where the SRO and DPO
are actively consulted by services (eg during procurement or where
issues arise as part of ongoing management of systems).
The council has no single
central register of all CCTV systems and cameras. The audit
identified that several CCTV systems belonging to Housing were
omitted from the Commissioner’s survey and no traffic
enforcement cameras had been included.
|
The council will undertake a complete survey of CCTV systems
(issued to both G&K and council service areas), following which
a central log of CCTV systems and locations will be compiled and
maintained by the SRO.
A full DPIA will be completed by all CCTV systems owners, utilising
the Commissioner’s template, for all systems not maintained
by G&K.
Compliance with the Surveillance Code will be formally assessed and
documented via completion of a self-assessment, to be undertaken by
both G&K and council service areas.
|
|
Council tax and
NNDR
(July
2023)
|
Reasonable
Assurance
|
This audit involved
a review of processes in place to manage the billing and collection
of income due from eligible households (council tax) and business
premises (NNDR).
|
Quarterly
reconciliations between the Valuation Office (VOA) and the Revenue
and Benefits IT system (NEC/SX3) databases are carried out.
However, completion notices had not been issued or sent to the VOA
for several months, reducing the council’s ability to bring
properties into taxation in a timely way.
Bills and demand
notices were issued and calculated correctly for both council tax
and NNDR. Where the council had been notified of a change to the
liable party, the account has been updated correctly. However, full
reviews of historical discounts and exemptions had not been
conducted in 2022.
Arrears are promptly and
effectively pursued with a detailed debt recovery timetable in
place for issuing reminders, final notices, and summons. Write-off
cases and refunds are reviewed regularly and authorised by a
suitable officer. However, refund reconciliations (ie between the
property database and the finance system) had not been carried out
in accordance with the procedure established by the
service.
|
An officer has been visiting council properties since May 2023 and
will attend a dedicated completion notice course in October 2023.
Completion notices will be issued before the end of October
2023.
The team has already been
working through some of the reviews this year and will be on
schedule by September 2023.
The Service has asked Finance
whether the refund reconciliation process is necessary going
forward and will act on their response.
|
APPENDIX D: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS
|
Audit
opinions
|
|
Our work is based on
using a variety of audit techniques to test the operation of
systems. This may include sampling and data analysis of wider
populations. It cannot guarantee the elimination of fraud or
error. Our opinion relates only to the objectives set out in the
audit scope and is based on risks related to those objectives that
we identify at the time of the audit.
|
|
|
|
Opinion
|
Assessment of
internal control
|
|
Substantial
assurance
|
A sound
system of governance, risk management and control exists, with
internal controls operating effectively and being consistently
applied to support the achievement of objectives in the area
audited.
|
|
Reasonable
assurance
|
There is
a generally sound system of governance, risk management and control
in place. Some issues, non-compliance or scope for improvement were
identified which may put at risk the achievement of objectives in
the area audited.
|
|
Limited
assurance
|
Significant gaps,
weaknesses or non-compliance were identified. Improvement is
required to the system of governance, risk management and control
to effectively manage risks to the achievement of objectives in the
area audited.
|
|
No
assurance
|
Immediate action is
required to address fundamental gaps, weaknesses or non-compliance
identified. The system of governance, risk management and control
is inadequate to effectively manage risks to the achievement of
objectives in the area audited.
|
|
Priorities for
actions
|
|
Priority
1
|
A fundamental system
weakness, which presents unacceptable risk to the system objectives
and requires urgent attention by management
|
|
Priority
2
|
A significant system
weakness, whose impact or frequency presents risks to the system
objectives, which needs to be addressed by management.
|
|
Priority
3
|
The system
objectives are not exposed to significant risk, but the issue
merits attention by management.
|
APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS
Where weaknesses in
systems are found by internal audit, the auditors agree actions
with the responsible manager to address the issues. Agreed actions
include target dates and internal audit carry out follow up work to
check that the issue has been resolved once these target dates are
reached. Follow up work is carried out through a combination of
questionnaires completed by responsible managers, risk assessment,
and by further detailed review by the auditors where necessary.
Where managers have not taken the action they agreed to, issues are
escalated to more senior managers, and ultimately may be referred
to the Audit and Governance Committee.
A total of 50 actions have been
followed up. A summary of the priority of these actions and the
directorate they relate to is included below.
|
Actions followed
up
|
|
Actions followed up
by directorate
|
|
Priority of
actions
|
Number of actions
followed up
|
|
Other (Customers,
Governance, Finance, HR)
|
Place
Directorate
|
Adult Social Care
and Integration
|
Children and
Education
|
|
1
|
0
|
|
0
|
0
|
0
|
0
|
|
2
|
19
|
|
12
|
6
|
1
|
0
|
|
3
|
31
|
|
17
|
6
|
2
|
6
|
|
Total
|
50
|
|
29
|
12
|
3
|
6
|
Of the 50 agreed
actions, 29 (58%) had been satisfactorily implemented and 14 (28%)
had been superseded. The number of actions marked as superseded is
high due to the continuing impact of a review of all outstanding
actions dating back to the Covid period, which found that in some
cases circumstances had changed significantly and the previous
actions were no longer appropriate. In some cases controls were
re-examined and new actions raised if issues were found.
In7 cases
(14%) the action had not been implemented by the target date and a
revised date was agreed. This is done where the delay in addressing
an issue will not lead to unacceptable exposure to risk and where,
for example, the delays are unavoidable.
