
INTERNAL AUDIT PROGRESS REPORT 2022/23
Date: 30 November 2022
Annex 1

BACKGROUND

1            Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

2            The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government and the CIPFA Statement on the role of the Head of Internal Audit.

3            In accordance with the PSIAS, the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit and Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee. 

4            The internal audit work programme was agreed by this committee in April 2022. The number of agreed days is 1,095 and the programme is high-level and flexible in nature.

5            In 2021/22 Veritau introduced a fully flexible approach to work programme development and delivery, to keep pace with developments in the internal audit profession and to ensure that we can continue to deliver a responsive service. In line with this approach, work is being kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.

6            The purpose of this report is to update the committee on internal audit activity up to 22 November 2022.

 

INTERNAL AUDIT PROGRESS

7            In the period to 22 November 2022, two of three remaining audits from the 2021/22 work programme have been concluded. This includes the contract management – GLL Community Stadium & Leisure audit and an audit of Poppleton Road Primary School. The one remaining audit from 2021/22, ICT asset management, has been issued in draft form and we expect it to be finalised in early December.

8            Other 2021/22 work that has been completed during the reporting period relates to health and safety, records management and payroll. A brief outline of the work undertaken in each area is included below:

·         Health and safety – Covid-19 (premises): this work was concluded with a presentation to Council Management Team in July 2022. A formal report was not produced as it represented our assessment, at a point in time, during the pandemic under significantly different circumstances that are no longer reflective of the current control environment. However, the work has resulted in the inclusion of a new 2022/23 audit, covering the same area, which will focus on how controls are currently operating across the council’s premises.

·         Records management: from its inception as a routine internal audit review, in consultation with the DPO and SIRO, this work transformed into a general records management health check, facilitated by a council-wide survey which was completed by more than 700 staff (20% of the workforce). Summarised results and key observations were fed back to the DPO in September. As a result of this, the 2022/23 work programme has been updated to reflect potential control weaknesses or areas of risk, including physical information security and data security incident management.

·         Payroll: this work involved a review of the updated and digitalised controls and workflows introduced in response to increased homeworking. It did not include all of the key controls that would be tested in a typical payroll audit. However, it was able to confirm that there are robust processes in place to authorise the monthly payroll. Through data analysis performed on a range of system-generated reports, aimed at identifying exceptions and duplication, it was also able to provide assurance that the data held within iTrent is free from significant error. A small number of process and data-capture improvements were communicated to the Head of HR in November 2022.

9            Following a slower than anticipated start to delivery of the 2022/23 work programme, we have completed work on the council tax support and housing benefit audit, and work is also now well underway on a number of other audits. Audits of complaints, concerns, comments and compliments (one audit relating to all corporate feedback), commercial waste, and 100-hour short breaks have all been reported in draft form and will be finalised by the time of the next progress report to this committee.

10        A number of other audits that are currently ongoing are a good way through the fieldwork stage. We expect to be able to report on findings from several of these audits at the next meeting of this committee. These include:

·         Savings plans

·         Direct payments

·         Physical information security compliance (West Offices and Hazel Court)

·         ICT remote access

·         Main accounting system

·         Ordering and creditor payments

·         Debtors

·         Council tax and NNDR

·         Jewson managed stores contract

·         Payroll (schools)

·         Absence management (schools)

·         Food and fuel voucher scheme

 

11        In addition, we have either begun background planning or are at an early stage of fieldwork for a further 13 audits. These audits will continue into the early part of quarter 4 2022/23.

12        A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A.

13        The work programme showing current priorities for internal audit work is included at appendix B.

14        A total of 18 audits are shown in the ‘do next’ category where we expect work to begin during the final quarter of 2022/23. Some of these audits already have agreed start dates. Start dates for the remaining audits will be determined through liaison with responsible officers across the directorates.

15        The programme also includes 21 audits in the ‘do later’ category. The internal audit work programme is designed to include all potential areas that should be considered for audit in the short to medium term, recognising that not all of these will be carried out during the current year (work is deliberately over-programmed).

16        In determining which audits will actually be undertaken, the priority and relative risk of each area will continue to be considered throughout the remainder of the year, and as part of audit planning for 2023/24. Consideration will also be given to the coverage of each of the 11 key assurance areas we use when prioritising any remaining work during 2022/23.

17        The three full audits that have been completed since the last report to this committee in June 2022 are included in Appendix C. The appendix summarises the key findings from these audits as well as details of actions agreed. The finalised reports listed in appendix C are published online, along with the papers for this committee. 

18        Appendix D lists our current definitions for action priorities and overall assurance levels.

 

FOLLOW UP

19       All actions agreed with services as a result of internal audit work are followed up to ensure that underlying control weaknesses are addressed. Since the last report to this committee 19 actions reviewed have been completed. Follow up work is underway to review all other outstanding actions and a detailed update will be included as part of the next progress report to the committee.

 


 

APPENDIX A: 2022/23 INTERNAL AUDIT WORK

Audits in progress

| Audit | Status |
| --- | --- |
| ICT asset management | Draft |
| Complaints, concerns, comments and compliments | Draft |
| Commercial waste (follow-up) | Draft |
| 100-hour short breaks | Draft |
| Savings plans | In progress |
| Direct payments | In progress |
| Physical information security compliance (WO & HC) | In progress |
| ICT remote access | In progress |
| Main accounting system | In progress |
| Ordering and creditor payments | In progress |
| Debtors | In progress |
| Council tax and NNDR | In progress |
| Jewson managed store contract | In progress |
| Payroll (schools) | In progress |
| Absence management (schools) | In progress |
| Food and fuel voucher scheme | In progress |
| Physical information security compliance (satellite sites) | In progress |
| Risk management | In progress |
| CCTV | In progress |
| Asset management (highways and housing repairs) | In progress |
| Public health (procurement and contract management) | In progress |
| Additional payment to care workers (spot check) | In progress |
| Continuing healthcare | In progress |
| Adult social care: adults safeguarding | Planning |
| Health and safety | Planning |
| Procurement and contract management | Planning |
| Insurance arrangements | Planning |
| Teckal company governance | Planning |
| Foster carer payments | Planning |

 

 

 

Final reports issued

| Audit | Reported to Committee | Opinion |
| --- | --- | --- |
| Council tax support and housing benefit | November 2022 | Substantial Assurance |
| Poppleton Road Primary School | November 2022 | Reasonable Assurance |
| Contract management – GLL Community Stadium & Leisure | November 2022 | Reasonable Assurance |
| Safety Advisory Group (SAG) governance | June 2022 | Reasonable Assurance |
| Fishergate Primary School | June 2022 | Reasonable Assurance |
| Highways CDM (construction, design and management) regulations | June 2022 | Reasonable Assurance |

 

Other work in 2022/23

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

·         Follow up of agreed actions

·         Grant certification work:

    • Scambusters
    • West Yorkshire Plus Transport Fund and Transforming Cities Fund
    • Contain Outbreak Management Fund
    • Supporting Families Programme (September 2022 return)
    • Green Homes Grant LAD 1B
  • Assurance review of the ESFA subcontracting standards for post-16 providers

·         Feedback of Health and Safety audit findings to CMT

·         Completion of council-wide records management health check (via survey)

·         Completion of analytics-led review of payroll system data integrity

·         Provision of support and advice:

o   Payroll deviance checking process

o   Processing of Yorwaste invoices

o   Responding to internal requests to amend supplier details

 


APPENDIX B: CURRENT PRIORITIES FOR INTERNAL AUDIT WORK

Strategic risks / corporate & cross cutting

| Category | Audit / activity | Rationale / comments on progress |
| --- | --- | --- |
| Category 1 (do now) | Complaints, concerns, comments and compliments | Risks / controls are changing. Provides broader assurance. In draft. |
| Category 1 (do now) | Physical information security compliance (WO & HC) | Risks / controls are changing. Provides coverage of key assurance area. |
| Category 1 (do now) | Physical information security compliance (satellite sites) | Risks / controls are changing. Provides coverage of key assurance area. |
| Category 1 (do now) | Teckal company governance | Key area of corporate governance. |
| Category 1 (do now) | Procurement and contract management | Provides coverage of key assurance area. |
| Category 1 (do now) | Health and safety | Follow-up of previous internal audit work. |
| Category 1 (do now) | Risk management | Provides coverage of key assurance area. |
| Category 1 (do now) | Insurance arrangements | Provides coverage of key assurance area. |
| Category 2 (do next) | Directorate schemes of delegation and decision-making | Key area of corporate governance. |
| Category 2 (do next) | Absence management | Significant risk area. Requested by Audit & Governance Committee. |
| Category 2 (do next) | Partnership working | Provides broader assurance. |
| Category 2 (do next) | Performance management and data quality | Provides broader assurance. |
| Category 2 (do next) | Environment and climate change | Emerging risk area. Council priority. |
| Category 2 (do next) | Business continuity and disaster recovery | Risks / controls are changing. Provides broader assurance. |
| Category 2 (do next) | NHS Data Security and Protection Toolkit: thematic review | Identified in discussions with management. |
| Category 2 (do next) | Data security incident management | Significant risk area. Identified in discussions with management. |
| Category 2 (do next) | Cipfa Financial Management Code compliance | Provides broader assurance. |
| Category 3 (do later) | Retention payments and market supplements | |
| Category 3 (do later) | Agency staff | |
| Category 3 (do later) | Building security | |

Fundamental / material systems

| Category | Audit / activity | Rationale / comments on progress |
| --- | --- | --- |
| Category 1 (do now) | Main accounting system | Provides coverage of key assurance area. |
| Category 1 (do now) | Ordering and creditor payments | Provides coverage of key assurance area. |
| Category 1 (do now) | Debtors | Provides coverage of key assurance area. |
| Category 1 (do now) | Council tax and NNDR | Provides coverage of key assurance area. |
| Category 2 (do next) | Housing rents (inc. data quality) | Risks / controls are changing. Provides coverage of key assurance area. |
| Category 3 (do later) | Cash income | |
| Category 3 (do later) | Payroll | |

Operational / regularity

| Category | Audit / activity | Rationale / comments on progress |
| --- | --- | --- |
| Category 1 (do now) | Commercial waste (follow-up) | Follow-up of previously identified control weaknesses. In draft. |
| Category 1 (do now) | Jewson managed store contract | Requested by senior management. |
| Category 1 (do now) | 100-hour short breaks | Risks / controls are changing. In draft. |
| Category 1 (do now) | Direct payments | Significant risk area. Provides broader assurance. |
| Category 1 (do now) | Payroll (schools) | Emerging risk area. Identified in discussions with management. |
| Category 1 (do now) | Absence management (schools) | Emerging risk area. Identified in discussions with management. |
| Category 1 (do now) | CCTV | Risks / controls are changing. Identified in discussions with management. |
| Category 1 (do now) | Asset management (highways and housing repairs) | Identified in discussions with management. |
| Category 1 (do now) | Food and fuel voucher scheme | Emerging risk area. Identified in discussions with management. |
| Category 1 (do now) | Public health (procurement and contract management) | Provides broader assurance. Identified in discussions with management. |
| Category 1 (do now) | Additional payment to care workers (spot check) | Identified in discussions with management. |
| Category 1 (do now) | Continuing healthcare | Emerging risk area. Identified in discussions with management. |
| Category 1 (do now) | Foster carer payments | Emerging risk area. Identified in discussions with management. |
| Category 1 (do now) | Adult social care: adults safeguarding | Significant risk area. Identified in discussions with management. |
| Category 2 (do next) | Children’s social care (scope TBC) | Significant risk area. Specific area for audit being discussed with officers. |
| Category 2 (do next) | Housing landlord duties | Emerging risk area. Identified in discussions with management. |
| Category 2 (do next) | Parking | Emerging risk area. Identified in discussions with management. |
| Category 2 (do next) | Hire cars | Emerging risk area. Identified in discussions with management. |
| Category 2 (do next) | Section 106 agreements | Risks / controls are changing. Provides broader assurance. |
| Category 2 (do next) | SEN funding (schools) | Emerging risk area. Identified in discussions with management. |
| Category 2 (do next) | SFVS (schools) | Emerging risk area. Identified in discussions with management. |
| Category 3 (do later) | Housing repairs and maintenance | |
| Category 3 (do later) | Education, health and care plans (EHCPs) | |
| Category 3 (do later) | Children's social care budget management | |
| Category 3 (do later) | Children's services safeguarding | |
| Category 3 (do later) | Educational psychology | |
| Category 3 (do later) | Housing strategy (temp. accomm. & homelessness) | |
| Category 3 (do later) | Adult social care: care payments and contract mgt. | |
| Category 3 (do later) | Integrated care partnerships and joint commissioning | |
| Category 3 (do later) | Service contract management and client arrangements | |
| Category 3 (do later) | Highways asset maintenance | |
| Category 3 (do later) | High cost placements | |

Technical / projects

| Category | Audit / activity | Rationale / comments on progress |
| --- | --- | --- |
| Category 1 (do now) | ICT asset management | Provides coverage of key assurance area. In draft. |
| Category 1 (do now) | ICT remote access | Provides coverage of key assurance area. |
| Category 2 (do next) | ICT procurement and contract management | Provides coverage of key assurance area. |
| Category 3 (do later) | ICT applications / database security | |
| Category 3 (do later) | ICT systems development and benefits realisation | |
| Category 3 (do later) | ICT OneDrive and MS Teams (information assurance) | |
| Category 3 (do later) | York Central / Castle Gateway | |
| Category 3 (do later) | Overall project management arrangements | |

 

 


APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

 

System/ area: Council tax support and housing benefit

Opinion: Substantial Assurance

Area reviewed: The audit reviewed the design and effectiveness of management controls in place to ensure claims and changes in circumstances are processed accurately, correctly, and within a reasonable timeframe. It also sought to confirm that recovery and write-off action is taken appropriately.

Date issued: 16 November 2022

Comments / Issues identified:

A systematic and well-controlled quality assurance process is in place which is targeted towards higher risk / higher value assessments completed by the service. Separation of duties is maintained in the process and outcomes, including lessons learned, are communicated to team members.

Comprehensive performance data is collected across the key functions in CTS and HB and circulated to management for review. Performance is regularly benchmarked against other local authorities.

Recovery performance was found to be in line with previous years. All write-offs reviewed during the audit had been appropriately authorised and suitable reasons were documented.

Management actions agreed:

N/A (no control weaknesses identified)

System/ area: Poppleton Road Primary School

Opinion: Reasonable Assurance

Area reviewed: The audit reviewed financial, operational and governance procedures at the school.

Date issued: 22 July 2022

Comments / Issues identified:

Processes were found to be operating reasonably well but a number of issues were identified.

Some improvements are needed to the review of key governance documents such as the budget management policy and Finance Committee terms of reference, use of / reconciliation of procurement cards, completion / documentation of return to work interviews, retention of DBS certificates, segregation of duties in payroll processing, and the performance of regular inventory checks.

Management actions agreed:

Action will be taken to address the issues in each of the areas identified for improvement.

System/ area: Contract management – GLL Community Stadium & Leisure

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed the governance and performance reporting arrangements between the council and GLL for the leisure and stadium complex.

Date issued: 15 July 2022

Comments / Issues identified:

The process for managing the leisure facilities part of the contract was found to be working reasonably well and a number of performance indicators are included in the contract with GLL (with the key indicators being reported as part of quarterly updates in client-contractor meetings).

However, performance management arrangements for the stadium element of the contract are not working as effectively. Only 3 performance indicators have been defined and none of these have target performance levels set. Procedures for calculating performance indicators in the contract are not documented, so the calculation is dependent on the knowledge of the council’s current contract manager and their counterparts at GLL.

Only summarised contract performance reports were available at the time of the audit, and more than 6 months had passed since the last detailed quarterly performance report had been received from GLL. Only 1 of the 3 stadium performance indicators is reported on the Open Data Platform and this had not been updated since July 2019.

Management actions agreed:

The KPIs used to calculate the annual outcomes scorecard will be reviewed and balanced by the addition of new stadium operational KPIs. This will be secured through a deed of variation to the contract.

At the conclusion of the audit, we obtained assurances that the timeliness and completeness of performance reporting had been resolved following the introduction of a new single central system from which performance data is collected.

Guidance notes will be produced to ensure that performance indicators are calculated on a consistent basis.

At the conclusion of the audit, the Open Data Platform was updated with current performance information. In addition, an annual report, addressing GLL’s performance, will be produced, published, and considered by the Overview and Scrutiny Committee.

 


 

APPENDIX D: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS

Audit opinions

Our work is based on using a variety of audit techniques to test the operation of systems. This may include sampling and data analysis of wider populations. It cannot guarantee the elimination of fraud or error. Our opinion relates only to the objectives set out in the audit scope and is based on risks related to those objectives that we identify at the time of the audit.

 

| Opinion | Assessment of internal control |
| --- | --- |
| Substantial assurance | A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited. |
| Reasonable assurance | There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited. |
| Limited assurance | Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited. |
| No assurance | Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited. |

Priorities for actions

Priority 1: A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management.

Priority 2: A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.

Priority 3: The system objectives are not exposed to significant risk, but the issue merits attention by management.