COYC%202%20colour

BACKGROUND

1 Internal audit provides independent and objective assurance and advice about the Council’s operations. It helps the organisation to achieve overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

2 The work of internal audit is governed by the Accounts and Audit Regulations 2015 and the Public Sector Internal Audit Standards (PSIAS). In accordance with these, the Head of Internal Audit is required to regularly report progress on the delivery of the internal audit plan to the Audit and Governance Committee and to identify any emerging issues which need to be brought to the attention of the committee.

3 The internal audit work programme was agreed by this committee in April 2021. The number of agreed days is 1,095 and the plan is flexible in nature. Work is being kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the Council.

4 The purpose of this report is to update the committee on internal audit activity in 2021/22.

A new approach to work programme development and delivery

5 As noted in the April 2021 report to the committee (internal audit work programme) we have adopted a flexible approach to audit planning to meet professional aims and objectives, and in line with good practice for internal audit. This is the first year we have adopted a fully flexible approach. The arrangements are summarised below.

6 The indicative programme provided to the committee in April is a long list of areas of potential work which are considered the highest priority for audit, based on an assessment of risk. The difference in approach this year is that the programme now acts as a guide for ongoing planning through the course of the year, with the expectation being that areas will drop out of this list, and new areas will be added, as our assessment of risks and priorities changes. This approach allows us to ensure audits are targeted to areas of most importance at the time we undertake the work. Rather than being based on a fixed risk assessment, undertaken before the start of the year, which quickly becomes out of date.

7 Using the indicative programme, we will determine audit work to be undertaken on an ongoing, rolling basis during the year on the basis of:

· “Do now” – work of the highest value, priority, or urgency

· “Do next” – work to be started after current audit work is completed

· “Do later” – work to be scheduled for consideration later in the year

8 Decisions on which category work falls into will be based on professional judgement, together with communication with key client officers, and will be guided by the following considerations:

· where we have no recent audit assurance, or other sources of assurance

· where controls are changing and/or risks are increasing

· where we are following up previous control weaknesses

· where specific issues have arisen

· areas that are of significant importance to the Council, for example they reflect key objectives or high priority projects

· areas that provide broader assurance, for example corporate policies and frameworks

· areas that need to be covered to enable us to provide an annual opinion

· where there are time pressures or scheduling requirements, for example grant deadlines, or work scheduled to minimise the impact on council service areas at busy times.

9 Between now and the end of the year, the committee can expect individual pieces of work to move between the categories based on their priority at the time of assessment. For example, an audit scheduled for quarter three to minimise the impact on a service area may initially be classed as to “do later”, but will become “do now” as we move into quarter three. Similarly, a project audit classed as “do now” because it represents an area of high importance to the Council may move from “do now” to “do next” or “do later”, if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as “do later” are likely to be deferred until the next year.

10 To ensure the Audit and Governance Committee continues to have oversight of current and planned audit work, a current assessment of work to be undertaken will be presented as part of each internal audit progress report. This will enable the committee to understand what work is currently planned and to provide input on the relative priorities of work to be carried out in the future.

INTERNAL AUDIT PROGRESS

11 The Annual Head of Internal Audit report for 2020/21 was presented to this committee on 16 June 2021. As noted in that report, the impact of the Covid-19 pandemic meant that we had a higher level of outstanding 2020/21 work than would normally be expected. The intention is to bring the audit cycle back in line with normal arrangements over the next two years.

12 Much of the work that has taken place since the last report to this committee has been to finalise the outstanding 2020/21 work.

13 A summary of 2021/22 internal audit work currently underway and completed is included in appendix 1. Also included is 2020/21 work that has recently been finalised or is still to be finalised.

14 The prioritisation and scoping of work will continue to be discussed with officers. Appendix 2 shows the current work plan, and categorises audits by when they are expected to be completed.

15 Appendix 3 summarises the key findings from work completed that we have not previously reported to this committee.

FOLLOW-UP OF AGREED ACTIONS

16 All actions agreed with services as a result of internal audit work are followed up to ensure that underlying control weaknesses are addressed. A summary of the current status of follow up of agreed actions is included in appendix 4.

Audit	Status	Assurance Level
Danesgate follow up audit	Final report issued	No opinion given
Continuing Healthcare	Draft report issued
Ordering and Creditors	Draft report issued
Health and Safety	In progress
Highways CDM (Construction, Design and Management) Regulations	In progress
ICT Asset Management	In progress
Main Accounting System	In progress
Payroll	In progress
Records Management	In progress
Safety Advisory Group (SAG) Governance	In progress
Information Security	Ongoing – further work planned

2020/21 audits brought forward
Absence Management	Final report issued	No opinion given
Community Hubs	Final report issued	Reasonable Assurance
Council Tax & NNDR	Final report issued	Reasonable Assurance
Council Tax Support & Housing Benefit	Final report issued	Substantial Assurance
Environmental Health	Final report issued	Substantial Assurance
Project Management	Final report issued	Reasonable Assurance
Schools Themed Audit – Cyber Security & IT Management	Final report issued	Reasonable Assurance
Sundry Debtors	Final report issued	Substantial Assurance
Business Continuity	Draft report issued
Commercial Waste	Draft report issued
Other work Internal audit work has been undertaken in a range of other areas during the period, including those listed below.
· Quarterly review of Supporting Families claims · Review of new parking system processes · Follow up of agreed actions · Grant certification work

APPENDIX 2: CURRENT PRIORITIES FOR INTERNAL AUDIT WORK

Audit / Activity	Rationale
Strategic risks / Corporate & cross cutting
Category 1 (do now)
Health and Safety	Deferred from 20/21 and significant risk area
Information security	Deferred from 20/21 and significant risk area
Records Management	Deferred from 20/21 and significant risk area
Safety Advisory Group governance	Emerging risk. Requested by senior management
Category 2 (do next)
Information Governance – DSP (NHS) toolkit	Significant risk area
Complaints processes	Key area of corporate governance
HR and workforce planning	Significant risk area
Financial planning and budgeting	Significant risk area
Category 3 (do later)
s106 agreements / support in developing systems Procurement and Contract Management Risk Management Partnership working Information security checks Information Governance – RIPA actions Performance management and data quality Environment and waste
Fundamental / material systems
Category 1 (do now)
General Ledger / Main Accounting System	Key assurance area
Payroll	Key assurance area
Ordering and Creditors	Key assurance area
Category 2 (do next)
Debtors and income collection	Key assurance area
Council Tax / NNDR and benefits	Key assurance area
Category 3 (do later) Capital accounting and assets Treasury Management
Operational / regularity
Category 1 (do now)
Continuing Healthcare charging	Provides broader assurance
Highways CDM	Emerging risk. Identified by senior managers
Danesgate follow up audit	Follow up of significant risks identified in previous audit
Category 2 (do next)
Adults: budget management, commissioning, high cost placements, market management, internal provision	Significant risk area. Specific areas for audit being discussed with officers.
Children: Special Educational Needs and Disability (SEND), education, Health & Care (EHC) plans and processes	Significant risk area. Specific areas for audit being discussed with officers.
Building services and housing repairs	Provides broader assurance. Significant area for council
Public health	Provides broader assurance. Significant area for council
Category 3 (do later) Direct payments Service contract management ad client arrangements (Explore, YMT, Leisure)
Technical / projects
Category 1 (do now)
ICT Asset Management	Deferred from 20/21; key assurance area
Category 2 (do next)
ICT remote access	key assurance area
ICT procurement and contract management	key assurance area
Category 3 (do later) ICT procurement and contract management

APPENDIX 3: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

System/area	Opinion	Area reviewed	Date issued	Comments / Issues identified	Management actions agreed
Community Hubs	Reasonable Assurance	Policies and procedures, customer safety, purchase cards, recovering costs.	08/06/21	Generally systems worked well. Hubs were set up with urgency and there were some issues with the robustness of processes. Issues were raised regarding vetting volunteers and procedures for issuing and retrieving ID badges.	The council has worked with partners to establish a different process for recruiting and deploying volunteers in emergencies. The council will establish procedures for the issue and retrieval of ID badges for volunteers.
Project Management	Reasonable Assurance	Project management best practice, risk management, governance arrangements.	25/06/21	Generally systems were working well. Issues were raised regarding the clarity of mandatory elements of the council’s project management framework, risk targets levels not being set, and a lack of consistency in communicating risk assessments.	Mandatory elements of the project management framework will be communicated to project managers. Target risk levels will be required. Training will be provided on communication of project risks.
Environmental Health	Substantial Assurance	Recording and prioritising complaints, investigation and action processes, information recording and communicating.	30/06/21	Overall systems were found to be working well. No major issues identified. Minor issues identified with the efficiency of information recording and responding to Freedom of Information requests (FOIs).	The service will look to streamline information recording where possible. The service manager will discuss ways to streamline FOI processes with the information governance manager.
Absence Management	No opinion given	Record keeping; integrity / consistency of data across council and third party systems under the absence management contract; access to management information.	15/07/21	No significant weaknesses were found Some issues were identified and fed back to the service in December 2020 and have already been resolved and actions put in place to address weaknesses in systems.	No actions required resulting from the audit. However, the service will conduct a full assessment of the short term absence management service.
Council Tax & NNDR	Reasonable Assurance	Property database. Billing, discounts, exemptions, disregards and reliefs. Arrears, refunds, write offs. Covid-19 grants.	21/07/21	Generally systems were working well. The service area had very significant demands arising from Covid-19. Quality assurance checks had not been completed consistently. Database reconciliations (Valuation Office to council records) had not been completed for 2 quarters. Customer records were incomplete.	Quality assurance checks resumed in July 2021. Reconciliations have now been completed. Direct debit rejections letters stored against customer accounts.
Council Tax Support and Housing Benefits	Substantial Assurance	Accuracy and timeliness of assessments and calculations, appeals processing, overpayment and recovery processes.	31/07/21	Overall systems were found to be working well. No major issues identified. Post payment assurance checks do not take place on self-isolation payments (extensive pre-payment checks had been undertaken).	A sample of post payment assurance checks will be undertaken.
Sundry Debtors	Substantial Assurance	Invoice raising, account management, debt management	20/08/21	Overall systems were found to be working well. No major issues were identified. One issue raised regarding clarity of delegated authority to write off debt (we were satisfied authority for write offs had been appropriately delegated).	Scheme of delegation will be updated to document the delegation of authority for approving the write off of unrecoverable debts.
Schools Themed – Cyber Security & IT Management	Reasonable Assurance	Physical and logical security, training, IT asset management, IT contract management.	14/09/21	Generally systems were working well. No major issues identified but a number of findings raised, relating to: server security, contractor management, user access, disaster recovery, IT asset management and data protection, cyber security awareness.	The council’s schools business support team will share the audits findings and best practice guidance with schools. Each school will be responsible for reviewing the situation at their school and addressing any weaknesses.
Danesgate follow up audit	No opinion given	Follow up of issues identified in 2019-20 audit	22/09/21	Majority of agreed actions fully implemented and issues identified been addressed. Some actions only partially implemented or not yet complete so further actions agreed.	Outstanding policies to be ratified by Governors. Contract procedures to be followed and records kept of opening of quotations. Schedule of contracts to be presented to Governors. All issuing of petty cash to be signed off by Headteacher; no petty cash reimbursement for travel and subsistence. Physical check of inventory to take place and be recorded half termly.

APPENDIX 4: FOLLOW UP OF AGREED AUDIT ACTIONS

Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee.

Follow up work was suspended for a period during the pandemic and restarted in autumn 2020. A detailed report on higher priority actions was provided in the Head of Internal Audit annual report, reported to this committee in June 2021. This report covers actions followed up between the date of that report and 30^th September 2021.

Actions followed up

A total of 34 actions have been followed up since the last report to this committee in June 2021. A summary of the priority of these actions is included below.

Actions followed up		Actions followed up by directorate
Priority of actions*	Number of actions followed up	Corporate Services	People Directorate	Place Directorate
1	0	0	0	0
2	13	6	4	3
3	21	9	12	0
Total	34	15	16	3

Of the 34 agreed actions 26 (76%) had been satisfactorily implemented. In8 cases (24%) the action had not been implemented by the target date and a revised date was agreed. This is done where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable.