Internal Audit Report

Annex 1

City of York Council

Internal Audit Work Programme 2021/22

Introduction

1 This report sets out the proposed 2021/22 programme of internal audit work for City of York Council.

2 The work of internal audit is governed by the Public Sector Internal Audit Standards (PSIAS) and the council’s audit charter. In accordance with PSIAS, internal audit work must be risk-based and take into account the requirement to produce an evidence-based annual internal audit opinion. Planned work should be reviewed and adjusted on an ongoing basis in response to changes in services, risks, operations, programmes, systems and internal controls.

3 The Head of Internal Audit’s annual opinion is based on an independent and objective assessment of the effectiveness of the framework of risk management, governance and internal control. Our planned audit work includes coverage of all three areas to enable us to develop a broad understanding of the arrangements in place, to enable us to provide that opinion.

4 Responsibility for effective risk management, governance and internal control arrangements remains with the council. The work of internal audit cannot be expected to prevent or detect all weaknesses or failures in internal control nor can audit work cover all areas of risk across the organisation.

Approach

5 There is currently a significant amount of uncertainty for the council arising from the environment in which it operates. The impact of Covid-19 on all service areas, the socioeconomic and regulatory uncertainty in post-Brexit UK, and the significant potential impact of Local Government Reorganisation are just three reasons why it is difficult to accurately predict key organisational risks for 2021/22. Risks relating to these issues, and the actions needed to manage and mitigate them, are likely to change and evolve over the next 12 months.

6 The audit work programme for 2021/22 represents a summary of the areas where we expect to provide assurance over the next year, based on our current assessment of risk. This assessment involves giving careful consideration to:

· systems where the volume and value of transactions processed are significant, or the impact if risks materialise is very high, making the continued operation of regular controls essential

· areas of known concern, where a review of risks and controls will add value to operations

· areas of significant change which may include providing direct support / challenge to projects, reviewing project management arrangements, or consideration of the impact of those changes on the control environment, for example where the reduction in resources may result in fewer controls.

Despite the significant uncertainties facing the council, the areas listed above remain the core principles and appropriate criteria in identifying and prioritising areas for internal audit review.

7 The identification of risks included in the assessment has been informed in a number of ways. This includes review of organisational risk management processes, sector-wide risk information, understanding the council’s strategies and objectives, other known risk areas (for example areas of concern highlighted by management), the results of recent audit work and other changes in council services and systems. We have also consulted with key officers and this committee in forming a view on proposed areas of coverage.

8 To meet professional aims and objectives, good practice for internal audit requires us to adopt flexible planning processes. This helps to ensure that internal audit work undertaken during the year is adapted on an ongoing basis to reflect changing and emerging risks within the council. We will review priorities for work on a rolling basis and update the programme and its content, to reflect actual work undertaken, and new priorities, throughout the year.

9 We will also regularly discuss the scope and timings of work with officers to help ensure that we provide assurance in the right areas and at the right time. We will provide regular updates to the Audit and Governance Committee throughout 2021/22 on the coverage, scope and findings of our work.

10 Where possible, internal audit work during 2021/22 will include shorter, more focussed assignments and an increased use of data analytics to support the provision of continuous assurance to the council.

2021/22 internal audit work programme

11 The proposed areas of audit coverage are based on a total of 1,095 days and are included in the work programme at appendix A below. This includes overall areas where we expect to undertake work; although the specific areas of focus within each area will be determined in consultation with officers during the year. In some cases, an indication of priorities for each area has also been included.

12 The programme is designed to ensure that limited audit resources are prioritised towards those areas which are considered to carry the most risk or which contribute the most to the achievement of the council’s strategic priorities and objectives.

13 The plan has been structured into a number of sections, as follow.

· Strategic risks / corporate & cross cutting; to provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.

· Technical / projects; to provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.

· Fundamental / material systems; to provide assurance on the key areas of financial risk.

· Operational / regularity; to provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.

· Other assurance work; an allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by officers.

· Client support, advice & liaison; work we carry out to support the council in its functions. This includes the time spent providing support and advice and liaising with staff.

14 It is important to emphasise two important aspects of the programme. Firstly, the audit areas included in this draft programme are not fixed. Work will be kept under review to ensure that audit resources continue to be deployed in the areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.

15 Secondly, it will not be possible to deliver all of the audits listed in the programme. The programme has been over planned, to build in flexibility from the outset while providing an indication of the priorities for work at the time of assessment. This will enable us to respond quickly by commencing work in other areas of importance to the council when risks and priorities change during the year.

16 The prioritisation and scoping of work will continue to be discussed regularly with officers, and relevant changes to the programme will be agreed with officers and notified to this committee.

Area	Days	Potential audits / activity

Strategic risks / corporate & cross cutting	280	· Areas of the council’s corporate governance framework: schemes of delegation (following the review of the Constitution), registers of interests and complaints processes · Financial planning and budgeting: commercialisation and investments, use of assets, Cipfa Financial Management Code, s106 (support in developing systems) · Strategic planning: Covid-19 recovery, LGR preparedness · Risk management · Performance management and data quality · Partnership working · Business continuity and disaster recovery · Health and safety: risk assessments (including remote workers), incident reporting · Procurement and contract management: supply chain resilience, due diligence, Modern Slavery Act compliance · HR and workforce planning: management of remote teams, staff wellbeing · Information governance and data protection: data security, data quality / integrity of information assets, data breach management, data sharing agreements · Environment and waste: air pollution, carbon footprint, energy reduction, recycling
Technical / projects	80	· Cyber security: policies and procedures, networks, physical and logical access, electronic communications security, firewalls and anti-malware · ICT change management · ICT procurement / contract management · Digitalisation / automation · Overall corporate project management arrangements and project risk management · Support and review for specific key projects
Fundamental / material systems	150	· Core financial systems: general ledger, debtors (including debt recovery and enforcement practice), income collection, ordering and creditors · Council Tax / NNDR and benefits: Covid-19 related grants and funds · Payroll · Treasury management · Capital accounting and assets
Operational / regularity	400	· Adults: budget management, commissioning, high cost placements, market management, internal provision · Children: Special Educational Needs and Disability (SEND), education, Health & Care (EHC) plans and processes · Direct payments · Service contract management and client arrangements: Explore, YMT, leisure facilities · Public health · Building services and housing repairs · York Central
Other assurance work	90	· Follow-up of previously agreed management actions · Assurance mapping and continuous assurance arrangements, including data analytics and data matching projects · Assurance related working groups · Contingency
Client support, advice & liaison	95	· support and advice on control, governance and risk related issues · audit planning and monitoring · liaison with officers · external audit liaison · support to A&G and reporting to committee · FOI Act requests
TOTAL	1,095