COYC%202%20colour

BACKGROUND

1 Internal audit provides independent and objective assurance and advice about the Council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

2 The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government and the CIPFA Statement on the role of the Head of Internal Audit.

3 In accordance with the PSIAS, the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit and Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee.

4 The internal audit work programme was agreed by this committee in April 2021. The number of agreed days is 1,095 and the plan is high level and flexible in nature.

5 In 2021/22 Veritau introduced a new, flexible approach to work programme development and delivery to keep pace with developments in the internal audit profession and to ensure that we can continue to deliver a responsive service. Work is being kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the Council.

6 The purpose of this report is to update the committee on internal activity up to March 2022.

INTERNAL AUDIT PROGRESS

7 As noted in previous reports to this committee, the Covid-19 pandemic meant there was 2020/21 work outstanding at the start of the year and much of the time in the first part of the year was spent finalising that work.

8 Work is ongoing on a number of 2021/22 audits. The Health and Safety audit has been reported in draft. It was expected this audit would be finalised in time for this update to the committee but, following meetings with officers, further information is being provided that impacts on the findings of the audit.

9 A number of other audits are in the final stages of fieldwork and we expect to be able to report the findings as part of our next update. These include: highways CDM (construction, design and management) regulations, ICT asset management, safety advisory group (SAG) governance, payroll.

10 A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A.

11 The work programme setting out current priorities for internal audit work is included at appendix B. All of the work classed as do now will be completed as part of the 2021/22 work programme. We have also reviewed the priority of all areas classed as do next and do later. A number of these will be completed as part of the current year’s work programme. Others that remain a priority are included in the draft work programme for 2022/23.

12 Three audits have been completed since the last report to this committee in January 2022. Appendix C summarises the key findings from these audits as well as details of actions agreed. Finalised reports listed in appendix C are published online, along with the papers for this committee.

13 Appendix D lists our current definitions for action priorities and overall assurance levels.

FOLLOW UP

14 All actions agreed with services as a result of internal audit work are followed up to ensure that underlying control weaknesses are addressed. As a result of this work we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits. There is still a reasonably high proportion of actions with revised dates. As noted previously, this is due to resource pressures resulting from the pandemic. However, we are seeing the impact of this reducing as more actions continue to be implemented. This trend is expected to continue. A summary of the current status of follow up activity is included at appendix E.

APPENDIX A: 2021/22 INTERNAL AUDIT WORK

Audits in progress

Audit	Status
Health and Safety	Draft report issued
Highways CDM (Construction, Design and Management) Regulations	In progress
ICT Asset Management	In progress
Payroll	In progress
Records Management	In progress
Safety Advisory Group (SAG) Governance	In progress
Information Security	Ongoing – further work planned
Poppleton Road primary school	In progress
Fishergate primary school	In progress
Direct Payments	In progress
Building Services and Housing Repairs	In progress
Contract Management – Stadium / Leisure	In progress
Council Tax & NNDR	Planning
Council Tax Support and Benefits	Planning
Special Educational Needs and Disability	Planning
ICT remote access	Planning

Final reports issued

Audit	Reported to Committee	Opinion
Ordering and Creditors	April 2022	Reasonable Assurance
Main Accounting System	April 2022	Substantial Assurance
Headlands Primary School	April 2022	Substantial Assurance
Commercial Waste	January 2022	Limited Assurance
Business Continuity	January 2022	Reasonable Assurance
Continuing Healthcare	January 2022	Reasonable Assurance
Community Hubs	October 2021	Reasonable Assurance
Project Management	October 2021	Reasonable Assurance
Environmental Health	October 2021	Substantial Assurance
Absence Management	October 2021	No opinion given
Council Tax & NNDR	October 2021	Reasonable Assurance
Council Tax Support and Housing Benefits	October 2021	Substantial Assurance
Sundry Debtors	October 2021	Substantial Assurance
Schools Themed – Cyber security and IT Management	October 2021	Reasonable Assurance
Danesgate follow up audit	October 2021	No opinion given
SEN Ofsted Inspection & written statement of action (WSoA)	June 2021	Substantial Assurance
Contract Management – Make it York	June 2021	Limited Assurance
Home working	June 2021	Reasonable Assurance
ICT Server Administration and Security	June 2021	Substantial Assurance
ICT Licence Management	June 2021	Substantial Assurance
Public Health – Healthy Child Service	June 2021	Reasonable Assurance
Cash handling	June 2021	High Assurance

Other work in 2021/22

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

· Quarterly reviews of Supporting Families claims

· Review of new parking system processes

· Follow up of agreed actions

· Grant certification work

APPENDIX B: CURRENT PRIORITIES FOR INTERNAL AUDIT WORK

Audit	Status
	Do now	Do next	Do later
Strategic risks / corporate & cross-cutting
Health and Safety	ü
Information Security	ü
Records Management	ü
Safety Advisory Group (SAG) Governance	ü
Complaints processes		ü
Risk Management			ü
Procurement and contract management		ü
s106 agreements			ü
Partnership working			ü
Performance Management and data quality			ü
HR and workforce planning		ü
Environment and waste		ü
Fundamental / material systems
Payroll	ü
Council Tax and NNDR	ü
Council Tax Support and Benefits	ü
Debtors and income collection			ü
Operational / regularity
Highways CDM Regulations	ü
Direct Payments	ü
Contract Management – Stadium	ü
Poppleton Road Primary School	ü
Fishergate Primary School	ü
Building Services and Housing Repairs	ü
Adult social care – High cost placements		ü
Be Independent		ü
Special Educational Needs and Disability	ü
Public Health			ü
Technical / projects
ICT Asset Management	ü
ICT remote access	ü

Further explanation on the work status

The programme of work is subject to ongoing review and is adjusted in response to changes in the Council’s activities, risks, operations, systems and controls. During the year, planned work is prioritised on the basis of:

• Do first – work of the highest value, priority, or urgency

• Do next – work to be started after current audit work is completed

• Do later – work to be scheduled for consideration later in the year

Changes in the priority and timings of work are agreed with council officers.

Individual audit assignments can also move between the categories as required.

APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

System/ area	Opinion	Area reviewed	Date issued	Comments / Issues identified	Management actions agreed
Ordering and Creditor Payments	Reasonable Assurance	The audit reviewed processes for ordering and making payments for goods and services	14 January 2022	Strengths Processes had been adapted where required in response to the demands arising from the pandemic and controls largely continued to work effectively. User accounts were well administered, purchase orders were being raised and authorised with appropriate delegated authority. Weaknesses Purchase orders were being raised after the order was placed with the supplier. Audit trail information in the system on purchase order approvers was not always accurate. Sufficient evidence was not always available of which officer in service areas authorised purchases. Duplicate creditor accounts were held on the system. Staff creditors accounts set up for valid reasons but no longer used had not been suspended.	Further enquiries will be made into areas of the council where proper practices are not being followed for raising purchase orders; targeted communications will be issued. A call will be raised with the system supplier regarding the audit trails. Evidence will always be retained for requests made to business support to raise purchase orders. Data cleansing will take place on staff records on the creditor system and duplicate supplier records. Further analysis of payments to staff via creditors will be undertaken to ensure that suitable authorisation was received prior to payment.
Main Accounting System	Substantial Assurance	The audit reviewed key controls for accurate accounting on the general ledger, including control accounts, bank reconciliations, feeder systems, user access, journals, virements and coding.	15 February 2022	Strengths Bank reconciliations are undertaken and feeder files are accurately and promptly interfaced to the general ledger. User access is generally well controlled. Journals and virements were accurately and promptly processed on the finance system. Access to set up new codes was suitably restricted. Miscellaneous codes are regularly reviewed. Weaknesses Responsibility for monitoring control accounts was not always assigned to an officer. A reasonably large number of users had ‘full access’ to the system. Guidance notes for budget managers are out of date. Written evidence is not always being kept to show who has authorised virements.	Principal accountants will receive a monthly report on control account balances, which will highlight any concerns. All privileged (full access) user accounts have been reviewed and it’s been confirmed their access is required and appropriate. Guidance notes on the intranet will be reviewed and updated. Reminders will be issued to members of the finance team on the evidence requirements for virements.
Headlands Primary School	Substantial Assurance	The audit reviewed financial, operational and governance procedures at the school.	21 March 2022	Strengths Overall, systems and controls were working effectively. Governance and financial management systems were well controlled. Weaknesses Declarations of interest were not available for some governors. The school’s contract schedule does not contain end dates or notice periods for contracts. Return to work interviews are not always being held on a timely basis. Payroll reports are not subject to independent checks.	The outstanding declarations of interest will be obtained. The contract schedule has been updated with the required data and made more accessible. The Head and Deputy will both conduct return to work interviews. The return to work procedure has been implemented and notified to all staff. A second officer will carry out independent checks of payroll reports.

APPENDIX D: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS

Audit opinions
Our work is based on using a variety of audit techniques to test the operation of systems. This may include sampling and data analysis of wider populations. It cannot guarantee the elimination of fraud or error. Our opinion relates only to the objectives set out in the audit scope and is based on risks related to those objectives that we identify at the time of the audit.

Opinion	Assessment of internal control
Substantial assurance	A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.
Reasonable assurance	There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.
Limited assurance	Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.
No assurance	Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.

Priorities for actions
Priority 1	A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management
Priority 2	A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.
Priority 3	The system objectives are not exposed to significant risk, but the issue merits attention by management.

APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS

Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee.

A total of 49 actions have been followed up since April 2021. A summary of the priority of these actions and the directorate they relate to is included below.

Actions followed up		Actions followed up by directorate
Priority of actions	Number of actions followed up	Other (Customers, Governance, Finance, HR, Public Health)	Place Directorate	People Directorate
1	0	0	0	0
2	25	16	1	8
3	24	7	0	17
Total	49	23	1	25

Of the 49 agreed actions 31 (63%) had been satisfactorily implemented and 1 (2%) had been identified as superseded, for example, where systems or processes have changed so that they are no longer exposed to risks. In 17 cases (35%) the action had not been implemented by the target date and a revised date was agreed. This is done where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable. This remains a reasonably high proportion, which reflects the impact of the Covid-19 pandemic and continuing pressure on resources. However, this situation is improving and there is a higher proportion of actions now being implemented.