ANNUAL HEAD OF INTERNAL REPORT 2021/22
29 June 2022
ANNEX 1


CONTENTS

Background
Internal audit work carried out
Follow up of agreed actions
Professional standards
Opinion of the Head of Internal Audit
Appendix A: 2020/21 internal audit work
Appendix B: Summary of key issues from audits finalised since the last report to the committee
Appendix C: Audit opinions and priorities for actions
Appendix D: Follow up of agreed audit actions
Appendix E: Internal audit – quality assurance and improvement programme
Appendix F: Exit Payments

Circulation list: Members of the Audit and Governance Committee


  BACKGROUND

1          The work of internal audit is governed by the Public Sector Internal Audit Standards (PSIAS) and the council’s audit charter. These require the Head of Internal Audit to bring an annual report to the Audit and Governance Committee. The report must include an opinion on the adequacy and effectiveness of the council’s framework of governance, risk management and control. The report should also include:

(a)        any qualifications to the opinion, together with the reasons for those qualifications (including any impairment to independence or objectivity)

(b)        any particular control weakness judged to be relevant to the preparation of the annual governance statement

(c)        a summary of work undertaken to support the opinion, including any reliance placed on the work of other assurance bodies

(d)        an overall summary of internal audit performance and the results of the internal audit service’s quality assurance and improvement programme, including a statement on conformance with the PSIAS.

 

   INTERNAL AUDIT WORK CARRIED OUT IN 2021/22

2          At the beginning of 2021/22, the council was still recovering from the impact of the Covid-19 pandemic on its working practices and, in some areas, only starting to revert to business as usual.

3          The 2021/22 audit work programme was formally agreed by the Audit and Governance Committee on 14 April 2021. Work in the early part of 2021/22 focussed on finalising audits relating to the previous year.

4          During the remainder of the year audit work has continued to be prioritised based on risk and the need to provide coverage of the council’s framework of governance, risk management and control.

5          We have also continued to promote good governance, provide advice and make recommendations to management to help improve controls. Auditors meet with the s151 Officer, Monitoring Officer and other senior officers on a regular basis to help identify and address key governance issues and concerns.

6          A summary of internal audit work undertaken during the year and relevant to the opinion is contained in appendix A. The results of completed audit work have been reported to the relevant managers, executive members and the Audit and Governance Committee throughout the year. At the time of writing a further four audit reports have been issued but remain in draft. A number of other audits started in 2021/22 are ongoing. The results from these audits will be reported to the committee once work has been completed.

7          As noted in the 2020/21 annual report, delays caused by the pandemic had an impact on the timescales for the completion of internal audit work. These issues have continued into 2021/22.  There is therefore more work outstanding at this point in the year than might normally be expected. However, it is expected that audit cycles will return to a more normal pattern over the course of the next year.

8          Appendix B provides details of the key findings arising from completed internal audit assignments that we have not previously reported to the committee. Final reports listed in appendix B are published online, along with the papers for this committee.

9          Appendix C provides an explanation of our assurance levels and priorities for management action.

 

   FOLLOW UP OF AGREED ACTIONS

10       All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits. There is still a reasonably high proportion of actions with revised dates. As noted previously, this is due to the continued resource pressures resulting from the pandemic. However, we are seeing the impact of this reducing as more actions continue to be implemented. This trend is expected to continue. A summary of the current status of follow up activity is included at appendix D.

 

      PROFESSIONAL STANDARDS

11       In order to comply with Public Sector Internal Audit Standards (PSIAS) the Head of Internal Audit is required to develop and maintain an ongoing quality assurance and improvement programme (QAIP). The objective of the QAIP is to ensure that working practices continue to conform to professional standards. The results of the QAIP are reported to the committee each year as part of the annual report. The QAIP consists of various elements, including:

 

·         maintenance of a detailed audit procedures manual and standard operating practices

·         ongoing performance monitoring of internal audit activity

·         regular customer feedback

·         training plans and associated training and development activities

·         periodic self-assessments of internal audit working practices (to evaluate conformance to the standards)

 

12       External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. The most recent external assessment of Veritau internal audit working practices was undertaken in November 2018[1]. This concluded that Veritau internal audit activity generally conforms to the PSIAS[2].

 

13       The outcome of the recently completed self-assessment demonstrates that the service continues to generally conform to the PSIAS, including the Code of Ethics and the Standards. Further details of the QAIP are given in appendix E.

 

14       The Internal Audit Charter sets out how internal audit at the council will be provided in accordance with the PSIAS. The Charter is reviewed on an annual basis and any proposed changes are brought to the Audit & Governance Committee. No changes are proposed at this time.

 

   OPINION OF THE HEAD OF INTERNAL AUDIT

15        The overall opinion of the Head of Internal Audit on the framework of governance, risk management and control operating at the council is that it provides Reasonable Assurance. No reliance was placed on the work of other assurance providers in reaching this opinion, and there are no significant control weaknesses which, in the opinion of the Head of Internal Audit, need to be considered for inclusion in the Annual Governance Statement.

 

16       The opinion given is based on work that has been undertaken directly by internal audit, and on the cumulative knowledge gained through our ongoing liaison and planning with officers. In giving the opinion, we would note that the Covid-19 pandemic has continued to affect the authority over the last year, with a consequential impact on business operations and controls. The work of internal audit has been directed to the areas considered most at risk, or that offer the most value for the authority overall. However, not all the areas affected by the Covid-19 pandemic will have been reviewed.

 

 



 


APPENDIX A: INTERNAL AUDIT WORK IN 2021/22

Final reports issued

 

| Audit | Reported to Committee | Opinion |
|---|---|---|
| SEN Ofsted Inspection & written statement of action (WSoA) | June 2021 | Substantial Assurance |
| Contract Management – Make it York | June 2021 | Limited Assurance |
| Home working | June 2021 | Reasonable Assurance |
| ICT Server Administration and Security | June 2021 | Substantial Assurance |
| ICT Licence Management | June 2021 | Substantial Assurance |
| Public Health – Healthy Child Service | June 2021 | Reasonable Assurance |
| Cash handling | June 2021 | High Assurance |
| Absence Management | October 2021 | No opinion given |
| Community Hubs | October 2021 | Reasonable Assurance |
| Council Tax & NNDR | October 2021 | Reasonable Assurance |
| Council Tax Support & Housing Benefit | October 2021 | Substantial Assurance |
| Environmental Health | October 2021 | Substantial Assurance |
| Project Management | October 2021 | Reasonable Assurance |
| Schools Themed Audit – Cyber Security & IT Management | October 2021 | Reasonable Assurance |
| Sundry Debtors | October 2021 | Substantial Assurance |
| Danesgate follow up audit | October 2021 | No opinion given |
| Commercial Waste | January 2022 | Limited Assurance |
| Business Continuity | January 2022 | Reasonable Assurance |
| Continuing Healthcare | January 2022 | Reasonable Assurance |
| Ordering and Creditors | April 2022 | Reasonable Assurance |
| Main Accounting System | April 2022 | Substantial Assurance |
| Headlands Primary School | April 2022 | Substantial Assurance |
| Safety Advisory Group (SAG) Governance | June 2022 | Reasonable Assurance |
| Fishergate Primary School | June 2022 | Reasonable Assurance |
| Highways CDM (Construction, Design and Management) Regulations | June 2022 | Reasonable Assurance |

 

Audits in progress

 

| Audit | Status | Assurance Level |
|---|---|---|
| Health and Safety | Draft | TBC (Reasonable Assurance) |
| ICT Asset Management | Draft | TBC (Reasonable Assurance) |
| Poppleton Road Primary School | Draft | TBC (Reasonable Assurance) |
| Contract Management – Stadium / Leisure | Draft | TBC (Reasonable Assurance) |
| Payroll | In progress | |
| Records Management | In progress | |
| Direct Payments | In progress | |
| Council Tax Support and Benefits | In progress | |
| Council Tax & NNDR | In progress | |
| Special Educational Needs and Disability | In progress | |
| ICT remote access | In progress | |

 

 

Other work completed in 2021/22

 

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

·        Quarterly review of Supporting Families claims

·        Review of new parking system processes

·        Follow up of agreed actions

·        Grant certification work

·        Information security – homeworking

·        Creditors data analytics work

·        Internal investigations

·        Review of new procedures for exit payments[3]

·        Support and advice provided through the year on risk management, controls and processes including: building services action plans, lost/stolen property processes, bank mandate fraud controls and electronic signatures


 


APPENDIX B: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

| System/area | Opinion | Area reviewed | Date issued | Comments | Management actions agreed |
|---|---|---|---|---|---|
| Safety Advisory Group (SAG) Governance | Reasonable Assurance | The audit reviewed the governance arrangements for the two safety advisory groups: the non-statutory events safety advisory group (ESAG) & statutory sports grounds safety advisory group (SGSAG). | May 2022 | In most areas the governance arrangements and procedures were in line with good practice. Some improvements could be made in documenting the SAGs' procedures and reviewing their terms of reference to ensure they meet best practice. Neither SAG currently has a privacy notice. There is some out of date events guidance on the council's website. | Privacy policies will be produced. Procedures will be documented and terms of reference will be reviewed. The council’s website will be updated with up to date event guidance. |
| Fishergate Primary School | Reasonable Assurance | The audit reviewed financial, operational and governance procedures at the school. | June 2022 | Processes were found to be operating reasonably well but some issues and areas for improvement were identified. Some improvements are needed to controls relating to procurement cards, absence management processes, asset management processes, Schools Financial Value Standard (SFVS) submissions, and personnel checks. | Action will be taken to address the issues in each of the areas identified for improvement. |
| Highways CDM (Construction, Design and Management) Regulations | Reasonable Assurance | The audit reviewed the processes and systems in place for complying with CDM regulations. | 10 June 2022 | Overall, key documentation was in place, risk assessments had been carried out and plans were in place. In a number of areas processes were in place but records did not always evidence they had been followed. Site induction records, verification of qualifications and supervisor site check records were not always present. Records management could be improved and responsibilities of different roles could be more clearly defined. | Evidence of inductions will be retained, qualifications will be verified, appointment to key roles will be put in writing. Procedures for site safety checks and records management processes will be improved. |


 

APPENDIX C: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS

 

Audit opinions

Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit.
Our overall audit opinion is based on 4 grades of opinion, as set out below.

| Opinion | Assessment of internal control |
|---|---|
| Substantial assurance | Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified. |
| Reasonable assurance | Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made. |
| Limited assurance | Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation. |
| No assurance | Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse. |

Priorities for actions

Priority 1: A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management.

Priority 2: A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.

Priority 3: The system objectives are not exposed to significant risk, but the issue merits attention by management.

 


 

APPENDIX D: FOLLOW UP OF AGREED AUDIT ACTIONS

Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee. 

A total of 55 actions have been followed up. A summary of the priority of these actions and the directorate they relate to is included below.

Actions followed up

| Priority of actions | Number of actions followed up | By directorate: Other (Customers, Governance, Finance, HR, Public Health) | By directorate: Place Directorate | By directorate: People Directorate |
|---|---|---|---|---|
| 1 | 0 | 0 | 0 | 0 |
| 2 | 27 | 18 | 1 | 8 |
| 3 | 28 | 8 | 0 | 20 |
| Total | 55 | 26 | 1 | 28 |

 

Of the 55 agreed actions, 37 (67%) had been satisfactorily implemented and 1 (2%) had been superseded. In 17 cases (31%) the action had not been implemented by the target date and a revised date was agreed. This is done where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable. This remains a reasonably high proportion, which reflects the impact of the Covid-19 pandemic and continuing pressure on resources. However, this situation is improving and there is a higher proportion of actions now being implemented.

 

 


 


APPENDIX E: INTERNAL AUDIT – QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

1.0 Background

 

Ongoing quality assurance arrangements

 

Veritau maintains appropriate ongoing quality assurance arrangements designed to ensure that internal audit work is undertaken in accordance with relevant professional standards (specifically the Public Sector Internal Audit Standards).  These arrangements include:

·         the maintenance of a detailed audit procedures manual

·         the requirement for all audit staff to conform to the Code of Ethics and Standards of Conduct Policy

·         the requirement for all audit staff to complete annual declarations of interest

·         detailed job descriptions and competency profiles for each internal audit post

·         regular performance appraisals

·         regular 1:2:1 meetings to monitor progress with audit engagements

·         induction programmes, training plans and associated training activities

·         attendance on relevant courses and access to e-learning material

·         the maintenance of training records and training evaluation procedures

·         membership of professional networks

·         agreement of the objectives, scope and expected timescales for each audit engagement with the client before detailed work commences (audit specification)

·         the results of all audit testing and other associated work documented using the company’s automated working paper system (Sword Audit Manager)

·         file review by senior auditors and audit managers and sign-off at each stage of the audit process

·         the ongoing investment in tools to support the effective performance of internal audit work (for example data interrogation software)

·         post audit questionnaires (customer satisfaction surveys) issued following each audit engagement

·         performance against agreed quality targets monitored and reported to each client on a regular basis

·         regular client liaison meetings to discuss progress, share information and evaluate performance

 

On an ongoing basis, samples of completed audit work are subject to internal peer review by a Quality Assurance group. The review process is designed to ensure audit work is completed consistently and to the required quality standards. The work of the Quality Assurance group is overseen by an Assistant Director. Any key learning points are shared with the relevant internal auditors and audit managers. The Head of Internal Audit will also be informed of any general areas requiring improvement. Appropriate mitigating action will be taken where required (for example, increased supervision of individual internal auditors or further training).  

 

Annual self-assessment

 

On an annual basis, the Head of Internal Audit will seek feedback from each client on the quality of the overall internal audit service. The Head of Internal Audit will also update the PSIAS self-assessment checklist and obtain evidence to demonstrate conformance with the Code of Ethics and the Standards. As part of ongoing performance management arrangements, each internal auditor is also required to assess their current skills and knowledge against the competency profile relevant for their role. Where necessary, further training or support will be provided to address any development needs.

 

The Head of Internal Audit is also a member of various professional networks and obtains information on operating arrangements and relevant best practice from other similar audit providers for comparison purposes.  

 

The results of the annual client survey, PSIAS self-assessment, professional networking, and ongoing quality assurance and performance management arrangements are used to identify any areas requiring further development and/or improvement. Any specific changes or improvements are included in the annual Improvement Action Plan. Specific actions may also be included in the Veritau business plan, internal audit strategy action plan, and/or individual personal development action plans. The outcomes from this exercise, including details of the Improvement Action Plan are also reported to each client. The results will also be used to evaluate overall conformance with the PSIAS, the results of which are reported to senior management and the board[4] as part of the annual report of the Head of Internal Audit.

 

External assessment

 

At least once every five years, arrangements must be made to subject internal audit working practices to external assessment to ensure the continued application of professional standards. The assessment should be conducted by an independent and suitably qualified person or organisation and the results reported to the Head of Internal Audit. The outcome of the external assessment also forms part of the overall reporting process to each client (as set out above).  Any specific areas identified as requiring further development and/or improvement will be included in the annual Improvement Action Plan for that year. 

 

2.0 Customer Satisfaction Survey 2022

 

In March 2022 we asked clients for feedback on the overall quality of the internal audit service provided by Veritau. Where relevant, the survey also asked questions about counter fraud and information governance services. A total of 154 surveys (2021 – 165) were issued to senior managers in client organisations. A total of 19 responses were received representing a response rate of 12% (2021 – 12%). The surveys were sent using Smart Survey (an online survey tool) and the respondents were required to identify who they were. Respondents were asked to rate the different elements of the audit process as either excellent, good, satisfactory or poor.

 

Respondents were also asked to provide an overall rating for the service. The results of the survey are set out in the charts below. These are presented as percentages, for consistency with previous years. However, it is recognised that the low number of respondents means that the percentage for each category is sensitive to small changes in actual responses (1 respondent represents about 5%).

The overall ratings in 2022 were:

 

| | 2022 | 2021 |
|---|---|---|
| Excellent | 9 (47%) | 11 (58%) |
| Good | 9 (47%) | 6 (32%) |
| Satisfactory | 1 (5%) | 0 (0%) |
| Poor | 0 (0%) | 2 (11%) |

 

The feedback shows that the majority of respondents continue to value the service being delivered.     

 

3.0 Self-Assessment Checklist 2022

 

CIPFA has prepared a detailed checklist to enable conformance with the PSIAS and the Local Government Application Note to be assessed. The checklist was originally completed in March 2014 and has since been reviewed and updated annually. Documentary evidence is provided where current working practices are considered to fully or partially conform to the standards. A comprehensive update of the checklist was undertaken in 2020, following revisions by CIPFA.  

 

Current working practices are considered to be at standard. However, as in previous years there are a few areas of non-conformance. These areas are mostly as a result of Veritau being a shared service delivering internal audit to a number of clients as well as providing other related governance services. None of the issues identified are considered to be significant. Existing arrangements are considered appropriate for the circumstances and require no further action. 

 

The following table shows areas of non-compliance. These remain largely unchanged from last year, although one area has been removed from the table. This related to whether risk based plans set out the respective priority of audit work. New flexible planning arrangements introduced mean that working practices now comply with the standards in this area.

 

| Conformance with Standard | Current Position |
|---|---|
| Where there have been significant additional consulting services agreed during the year that were not already included in the audit plan, was approval sought from the audit committee before the engagement was accepted? | Consultancy services are usually commissioned by the relevant client officer (generally the s151 officer). The scope (and charging arrangements) for any specific engagement will be agreed by the Head of Internal Audit and the relevant client officer. Engagements will not be accepted if there is any actual or perceived conflict of interest, or which might otherwise be detrimental to the reputation of Veritau. |
| Are consulting engagements that have been accepted included in the risk-based plan? | Consulting engagements are commissioned and agreed separately. |
| Does the risk-based plan include the approach to using other sources of assurance and any work that may be required to place reliance upon those sources? | An approach to using other sources of assurance, where appropriate, is currently being developed (see below). |

 

4.0 External Assessment

 

As noted above, the PSIAS require the Head of Internal Audit to arrange for an external assessment to be conducted at least once every five years to ensure the continued application of professional standards. The assessment is intended to provide an independent and objective opinion on the quality of internal audit practices.

 

An external assessment of Veritau internal audit working practices was last undertaken in November 2018 by the South West Audit Partnership (SWAP). SWAP is a not for profit public services company operating primarily in the South West of England. As a large shared service internal audit provider it has the relevant knowledge and expertise to undertake external inspections of other shared services and is independent of Veritau.

 

The assessment consisted of a review of documentary evidence, including the self-assessment, and face to face interviews with a number of senior client officers and Veritau auditors. The assessors also interviewed audit committee chairs.

 

A copy of the external assessment report was reported to this committee on 06/02/2019.

 

The report concluded that Veritau internal audit activity generally conforms to the PSIAS[5] and, overall, the findings were very positive. The feedback included comments that the internal audit service was highly valued by its member councils and other clients, and that services had continued to improve since the last external assessment in 2014. 

 

5.0 Improvement Action Plan

 

Overall, internal audit services provided by Veritau continue to meet the requirements of the Public Sector Internal Audit Standards. However, we recognise that the pace of change in local government and the wider public sector means that we need to update aspects of the service to ensure it stays up to date and continues to deliver good value.

 

Between autumn 2020 and autumn 2021, Veritau undertook a fundamental review of internal audit practices. This resulted in the development of a new three year strategy which details how we will improve the internal audit service for our clients. The strategy sets out the actions we will be taking within Veritau to modernise our practices, from 2021 to 2024. The five key areas we are focussing on are:

p  increasing engagement across all clients; to improve communication and ensure we understand what represents good value and where internal audit work should be focussed

p  further development of strategic planning frameworks; focussing on further development of assurance mapping arrangements and other activities that help us ensure we provide assurance in the right areas at the right time

p  redesign and modernisation of audit processes; to ensure we can respond quickly as priorities change, reduce time to deliver findings and manage resources efficiently

p  increasing investment in high value data analytics work; shifting the focus of work towards a data driven model that provides wider assurance in real time

p  introducing better measures of outcomes from audit work, to enable us to direct resources to areas of most value to our clients.

 

Strategy focus area 2 includes further development of assurance mapping arrangements. This is an outstanding issue from previous improvement plans. We are currently undertaking a pilot assurance mapping exercise in partnership with officers at one of our key clients. The lessons learnt from this will be used to further develop processes to be rolled out as part of our core internal audit service. Completion of actions in this area will further reduce the areas of non-conformance with the standards (section 3 above).

 

In the 2020/21 QAIP we reported on the findings from the last Quality Assurance Group review, focussed on the follow up of agreed actions. The findings have been finalised and a programme of work is underway to improve these processes. This includes updates to processes (including integration with client risk management systems where appropriate), a full review of all outstanding actions across all clients, and further training for all auditors. This work will be completed in 2022/23.

 

A further review by the group in 2021/22 focussed on the consistency of opinions given for individual audit assignments. This follows the adoption of a revised four level opinion framework introduced in 2020/21, in accordance with recommendations from CIPFA. It was found that in almost all cases the opinions given on completed work were consistent with the guidance contained in the Veritau audit manual, and supported by the number and priority of actions. Auditors continue to use the guidance and professional judgement when forming conclusions on individual pieces of work. We will feed back and discuss the wider findings as part of auditor training in 2022/23.

 

6.0 Overall Conformance with PSIAS (Opinion of the Head of Internal Audit)

 

Based on the results of the quality assurance process I consider that the service generally conforms to the Public Sector Internal Audit Standards, including the Code of Ethics and the Standards.

 

The guidance suggests a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ is the top rating and means that the internal audit service has a charter, policies and processes that are judged to be in conformance to the Standards.

 

 


 

APPENDIX F: EXIT PAYMENTS

In April 2021, the council’s external auditor issued a Report in the Public Interest. This related to exit payments made to a former employee. The report, and actions to address concerns about processes that were raised, were considered by the Council on 4 May 2021.

 

Following the report, a new system for agreeing settlement agreements was approved by the Staffing Matters and Urgency Committee in October 2021. It has also been agreed that internal audit will review packages finalised under the new system, to assess whether the council has complied with the new process. A summary of the number of settlement agreements reviewed by internal audit and outcomes will also be included in the annual Head of Internal Audit report.

 

In the period to the end of May 2022, no settlement agreements have been reached under the new process.

 



[1] Reported to the Audit and Governance committee in February 2019.

[2] PSIAS guidance suggests a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ is the top rating.

[3] A new system was approved by the Staffing Matters and Urgency Committee in October 2021. Under the council’s action plan in response to the Public Interest Report (PIR) issued in April 2021 internal audit will review settlement packages authorised by the council. Further information is included in appendix F.

 

[4] As defined by the relevant audit charter.

[5] PSIAS guidance suggests a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’.  ‘Generally conforms’ is the top rating.