BACKGROUND
1
Internal audit
provides independent and objective assurance and advice about the
Council’s operations. It helps the organisation to achieve
its overall objectives by bringing a systematic, disciplined
approach to the evaluation and improvement of the effectiveness of
risk management, control and governance processes.
2
The work of internal
audit is governed by the Accounts and Audit Regulations 2015 and
relevant professional standards. These include the Public Sector
Internal Audit Standards (PSIAS), CIPFA guidance on the application
of those standards in Local Government and the CIPFA Statement on
the role of the Head of Internal Audit.
3
In accordance with
the PSIAS, the Head of Internal Audit is required to report
progress against the internal audit plan (the work programme)
agreed by the Audit and Governance Committee, and to identify any
emerging issues which need to be brought to the attention of the
committee.
4
The internal audit
work programme was agreed by this committee in April 2021. The
number of agreed days is 1,095 and the plan is high level and
flexible in nature.
5
In 2021/22 Veritau
has introduced a new, flexible approach to work programme
development and delivery to keep pace with developments in the
internal audit profession and to ensure that we can continue to
deliver a responsive service. Work is being kept under review
to ensure that audit resources are deployed to the areas of
greatest risk and importance to the Council.
6
The purpose of this
report is to update the committee on internal activity between 1
April 2021 and 7 January 2022.
INTERNAL AUDIT PROGRESS
7
As noted in previous
reports to this committee, the Covid-19 pandemic meant there was
2020/21 work outstanding at the start of the year and much of the
time in the first part of the year was spent finalising that
work.
8
Work is ongoing on a
number of 2021/22 audits. The Ordering and Creditors, Health and
Safety and Main Accounting System audits have been reported in
draft and will be finalised by the time of the next update report
to this committee.
9
A number of other
audits are in the latter stages of fieldwork and we expect to be
able to report on findings for these to the next committee. These
include the Highways CDM Regulations and SAG (Safety Advisory
Group) Governance audits.
10
A summary of
internal audit work currently underway, as well as work finalised
in the year to date, is included in appendix A.
11
The work programme
showing current priorities for internal audit work is included at
appendix B.
12
Nine audits are
shown in the ‘do next’ category where we anticipate
beginning work during the final quarter of 2021/22 but have not yet
agreed a start date with the responsible officers.
13
The programme also
includes ten audits in the ‘do later’ category. The
internal audit work programme is designed to include all potential
areas that should be considered for audit in the short to medium
term, recognising that not all of these will be carried out during
the current year (work is deliberately over-programmed).
14
In determining which
audits will actually be undertaken, the priority and relative risk
of each area will continue to be considered throughout the
remainder of the year, and as part of audit planning for
2022/23.
15
Three audits have
been completed since the last report to this committee in October
2021. Appendix C summarises the key findings from these audits as
well as details of actions agreed. Finalised reports listed in
appendix C are published online, along with the papers for this
committee. The report on Commercial Waste is included in the agenda
papers as annex 3 as the opinion given is limited
assurance.
16
Appendix D lists our
current definitions for action priorities and overall assurance
levels.
FOLLOW UP
17
All actions agreed
with services as a result of internal audit work are followed up to
ensure that underlying control weaknesses are addressed. As a
result of this work we are generally satisfied that sufficient
progress is being made to address the control weaknesses identified
in previous audits. A higher proportion of revised dates have been
agreed than might normally be the case. This is largely in
recognition of the continued effect of resource pressures caused by
the Covid pandemic. A summary of the current status of follow up
activity is included at appendix E.
APPENDIX A:
2021/22 INTERNAL AUDIT WORK
Audits in
progress
|
Audit
|
Status
|
|
Ordering and
Creditors
|
Draft report
issued
|
|
Health and
Safety
|
Draft report
issued
|
|
Main Accounting
System
|
Draft report
issued
|
|
Highways CDM
(Construction, Design and Management) Regulations
|
In
progress
|
|
ICT Asset
Management
|
In
progress
|
|
Payroll
|
In
progress
|
|
Records
Management
|
In
progress
|
|
Safety Advisory
Group (SAG) Governance
|
In
progress
|
|
Information
Security
|
Ongoing –
further work planned
|
|
Headlands primary
school
|
Planning
|
|
Poppleton Road
primary school
|
In
progress
|
|
Fishergate primary
school
|
Planning
|
|
Direct
Payments
|
Planning
|
|
Building Services
and Housing Repairs
|
Planning
|
|
Contract Management
– Stadium / Leisure
|
Planning
|
Final reports
issued
|
Audit
|
Reported to
Committee
|
Opinion
|
|
Commercial
Waste
|
January
2022
|
Limited
Assurance
|
|
Business
Continuity
|
January
2022
|
Reasonable
Assurance
|
|
Continuing
Healthcare
|
January
2022
|
Reasonable
Assurance
|
|
Community
Hubs
|
October
2021
|
Reasonable
Assurance
|
|
Project
Management
|
October
2021
|
Reasonable
Assurance
|
|
Environmental
Health
|
October
2021
|
Substantial
Assurance
|
|
Absence
Management
|
October
2021
|
No opinion
given
|
|
Council Tax &
NNDR
|
October
2021
|
Reasonable
Assurance
|
|
Council Tax Support
and Housing Benefits
|
October
2021
|
Substantial
Assurance
|
|
Sundry
Debtors
|
October
2021
|
Substantial
Assurance
|
|
Schools Themed
– Cyber security and IT Management
|
October
2021
|
Reasonable
Assurance
|
|
Danesgate follow up
audit
|
October
2021
|
No opinion
given
|
|
SEN Ofsted
Inspection & written statement of action (WSoA)
|
June 2021
|
Substantial
Assurance
|
|
Contract Management
– Make it York
|
June 2021
|
Limited
Assurance
|
|
Home
working
|
June 2021
|
Reasonable
Assurance
|
|
ICT Server
Administration and Security
|
June 2021
|
Substantial
Assurance
|
|
ICT Licence
Management
|
June 2021
|
Substantial
Assurance
|
|
Public Health
– Healthy Child Service
|
June 2021
|
Reasonable
Assurance
|
|
Cash
handling
|
June 2021
|
High
Assurance
|
Other work completed
in 2021/22
|
Internal
audit work has been undertaken in a range of other areas during the
year, including those listed below.
|
|
·
Quarterly review of
Supporting Families claims
·
Review of new
parking system processes
·
Follow up of agreed
actions
·
Grant certification
work
|
APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE
LAST REPORT TO THE COMMITTEE
|
System/
area
|
Opinion
|
Area
reviewed
|
Date
issued
|
Comments /
Issues identified
|
Management
actions agreed
|
|
Commercial
Waste
|
Limited
Assurance
|
The audit reviewed
commercial waste collection and disposal processes and income
collection and accounting.
|
17 December
2021
|
Strengths
Process to apply for commercial waste collections was working
correctly.
Commercial waste collections continued at a reasonable level during
the pandemic.
Weighbridge tickets are being correctly issued and contain
appropriate details.
Cash is no longer accepted as a method of payment.
Weaknesses
It was not known which businesses were operating and having waste
collected during the pandemic and many customers were not invoiced,
which may result in a potentially significant loss of
income.
Poor management information systems result in a lot of manual work
and there is a lack of reconciliation between waste services and
the finance system.
Waste transfer notes not renewed in a timely manner.
Crew sheets not being properly completed and a lack of management
information systems prevent them being used effectively.
Responsibility for setting commercial waste fees and charges was
not clear.
|
The council
will apply for funding under the Government’s Income
Compensation Scheme for 2020/21 and for the extended period allowed
in 2021/22. The council must meet some of the shortfall from its
own funds.
The current
provision of the service will be reviewed.
Back office
processes will be reviewed and improvement actions identified. The
issuing of duty of care documentation will be transferred from the
Commercial Waste Team to Business Support Team.
The service
will look to implement improvements to processes, systems and
management information through the Webaspx waste management system,
including crews using in cab units.
Cash is not
accepted and all businesses have an account on the finance
system.
The Head of
Service will agree the fees and charges in consultation with the
Finance Manager. This will be implemented for the setting of
charges for 2022/23.
|
|
Continuing
Healthcare (CHC)
|
Reasonable
Assurance
|
The audit reviewed
the completeness and accuracy of CHC invoicing
processes.
|
19 October
2021
|
Strengths
New workflow process designed and implemented from January 2020 to
track progress of all CHC applications and record financial
contributions.
Financial agreement forms in place with CCG and recharge amounts
checked by income services.
Weaknesses
No clear audit trail for changes to agreed recharge
amounts.
Lack of management information on all services users in receipt of
CHC funding (those that pre-date the new workflow
process).
|
Improve records management process for correspondence related to
uplifts. Continue to upload correspondence to Adults Mosaic where
changes to recharges are made on an individual basis.
To add a workflow to record VPU (Vulnerable Persons Unit) funding
in an analogous way to CHC cases.
Complete MI reports for all NHS-funded customers.
To create additional Element Types on Mosaic to allow VPU recharges
to be represented differently to CHC recharges, to support separate
reporting of the two different funding streams.
|
|
Business
Continuity
|
Reasonable
Assurance
|
The
audit reviewed guidance and training available to officers
responsible for producing business continuity plans; the emergency
planning units (EPU) monitoring of council wide business continuity
plans and the governance arrangements for business continuity
management within the council.
|
26 November
2021
|
Strengths
Support guidance and training provided by EPU to council
officers.
Policy, templates and guidance developed with reference to ISO and
National Resilience Standards.
Shared service agreement planned with NYCC to provide greater
resilience.
Annual reviews of plans undertaken and reported to Council
Management Team.
Testing of plans takes place and is monitored by EPU.
Weaknesses
Some guidance documents out of date and don’t always meet
best practice.
Some plans not updated annually. Many plans only updated annually
and not after significant organisational or external
changes.
Plan exercises not conducted frequently enough and details of
testing, lessons learned and actions required not
recorded.
No formal training programme for new or existing plan owners and
training records not kept.
|
Policy,
templates and guidance will be reviewed, updated and circulated.
Will clearly identify responsibilities for review, updates and
testing of plans.
EPU now attend
CMT four times per year to provide updates on business
continuity.
Leavers’
checklist will include business
continuity responsibilities.
Business
continuity plans now accessible to the EPU and all plan owners and
copies uploaded to Resilience Direct.
Annual review
process will include whether plans have been tested or activated in
the last year. As part of 2021/22 annual review process, plan
owners will be asked to include lessons learned from
Covid-19.
EPU will
conduct strategic business continuity exercises (Council–wide
and in conjunction with the Local Resilience Forum) based on
national and local (LRF) identified risks.
Outcomes of
exercises will be recorded. Lessons learned from strategic
exercises will be shared with business continuity plan owners
across the Council.
The EPU will
develop introduction to business continuity training for
consideration by CMT to be part of managers’ induction. The
business continuity policy will be amended to state that plan
owners will provide training to their staff.
The annual
review process will include a confirmation that the plan owner has
made staff aware of business continuity requirements and
responsibilities.
|
APPENDIX D: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS
|
Audit
opinions
|
|
Our work is based on
using a variety of audit techniques to test the operation of
systems. This may include sampling and data analysis of wider
populations. It cannot guarantee the elimination of fraud or
error. Our opinion relates only to the objectives set out in the
audit scope and is based on risks related to those objectives that
we identify at the time of the audit.
|
|
|
|
Opinion
|
Assessment of
internal control
|
|
Substantial
assurance
|
A sound
system of governance, risk management and control exists, with
internal controls operating effectively and being consistently
applied to support the achievement of objectives in the area
audited.
|
|
Reasonable
assurance
|
There is
a generally sound system of governance, risk management and control
in place. Some issues, non-compliance or scope for improvement were
identified which may put at risk the achievement of objectives in
the area audited.
|
|
Limited
assurance
|
Significant gaps,
weaknesses or non-compliance were identified. Improvement is
required to the system of governance, risk management and control
to effectively manage risks to the achievement of objectives in the
area audited.
|
|
No
assurance
|
Immediate action is
required to address fundamental gaps, weaknesses or non-compliance
identified. The system of governance, risk management and control
is inadequate to effectively manage risks to the achievement of
objectives in the area audited.
|
|
Priorities for
actions
|
|
Priority
1
|
A fundamental system
weakness, which presents unacceptable risk to the system objectives
and requires urgent attention by management
|
|
Priority
2
|
A significant system
weakness, whose impact or frequency presents risks to the system
objectives, which needs to be addressed by management.
|
|
Priority
3
|
The system
objectives are not exposed to significant risk, but the issue
merits attention by management.
|
APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS
Where weaknesses in
systems are found by internal audit, the auditors agree actions
with the responsible manager to address the issues. Agreed actions
include target dates and internal audit carry out follow up work to
check that the issue has been resolved once these target dates are
reached. Follow up work is carried out through a combination of
questionnaires completed by responsible managers, risk assessment,
and by further detailed review by the auditors where necessary.
Where managers have not taken the action they agreed to, issues are
escalated to more senior managers, and ultimately may be referred
to the Audit and Governance Committee.
Follow up work was
suspended for a period during the pandemic and restarted in autumn
2020. A detailed report on higher priority actions was provided in
the Head of Internal Audit annual report, reported to this
committee in June 2021. This report covers actions followed up
between 1 April 2021 and 31 December 2021.
A total of 45 actions have been
followed up since April 2021. A summary of the priority of these
actions and the directorate they relate to is included
below.
|
Actions followed
up
|
|
Actions
followed up by directorate
|
|
Priority of
actions*
|
Number of actions
followed up
|
|
Other (Customers,
Governance, Finance, HR, Public Health)
|
Place
Directorate
|
People
Directorate
|
|
1
|
0
|
|
0
|
0
|
0
|
|
2
|
20
|
|
11
|
1
|
8
|
|
3
|
25
|
|
8
|
0
|
17
|
|
Total
|
45
|
|
19
|
1
|
25
|
Of the 45 agreed
actions 5 (11%) had been satisfactorily implemented and 11 (24%)
had been identified as either redundant or superseded, for example,
where systems or processes have changed so that they are no longer
exposed to risks. In 22 cases (49%) the action had
not been implemented by the target date and a revised date was
agreed. This is done where the delay in addressing an issue will
not lead to unacceptable exposure to risk and where, for example,
the delays are unavoidable. This is a high proportion but this
reflects the impact of the Covid-19 pandemic and continuing
pressure on resources. In the remaining 7 cases follow up work is
currently in progress.
