COYC%202%20colour

BACKGROUND

1 Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

2 The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government and the CIPFA Statement on the role of the Head of Internal Audit.

3 In accordance with the PSIAS, the Head of Internal Audit is required to report progress against the internal audit work programme agreed by the Audit and Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee.

4 The internal audit work programme was agreed by this committee in April 2022. The number of agreed days is 1,023 and the programme is high-level and flexible in nature.

5 Veritau is into its second full year of fully flexible work programme development and delivery. This approach was introduced to ensure we keep pace with developments in the internal audit profession and to ensure that we can continue to deliver a responsive service. In line with this approach, work is being kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.

6 The purpose of this report is to update the committee on internal activity up to 3 March 2022.

INTERNAL AUDIT PROGRESS

7 The slower than anticipated start to delivery of 2022/23 work is continuing to have an impact on the work programme but the pace of delivery has continued to increase during the second half of the year. In the period since November 2022, we have finalised eight audits. A further seven audits have been reported in draft form and will be finalised over the coming weeks.

8 All remaining audits in the 2022/23 work programme that we have assessed as priorities to deliver are now in progress. Several of these are a good way through the fieldwork stage. However, the majority are at early stages of fieldwork and four are still in the planning phase. These audits will continue into the first quarter of 2023/24. We are aiming to report the findings in time for the next meeting of this committee in June.

9 In addition to delivery of the internal audit work programme, we have undertaken certification work on four government grants and have begun providing support and advice on the design of the council’s assurance framework for its £5.8m share of the UK Shared Prosperity Fund.

10 A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A.

11 Other audits in the work programme currently classed as do next or do later[1] are being reviewed as part of the audit planning process for 2023/24, alongside new and emerging areas. Those that remain a priority will be included in the 2023/24 work programme. Committee members can see the outcome of our current assessment of priorities for 2023/24 in the indicative work programme report included on the agenda for the current meeting.

12 Our previous progress report to this committee showed two audits (asset management and continuing healthcare) as being underway. These audits have now been deferred to 2023/24 to make time to deliver other priority work in the current year’s programme and, in the case of the asset management audit, to allow the work to be re-scoped and aligned with changing priorities in the Place directorate.

13 A summary of the eight audits that have been completed since the last report to this committee in November 2022 is included in appendix B. The appendix summarises the key findings from these audits as well as details of the actions agreed. The finalised reports listed in appendix B (except for both physical information security reports, which have been made exempt) are published online, along with the papers for this committee.

14 Appendix C lists our current definitions for action priorities and overall assurance levels.

FOLLOW UP

15 All actions agreed with services as a result of internal audit work are followed up to ensure that underlying control weaknesses are addressed. Since the last report to this committee a further 16 actions reviewed have been completed. A detailed review of all outstanding actions has recently been completed and a significant number of actions are currently being followed up. A further update will be included in the Head of Internal Audit annual report in June.

APPENDIX A: 2022/23 INTERNAL AUDIT WORK

Audits in progress

Audit	Status
Main accounting system	In draft
Ordering and creditor payments	In draft
Savings plans	In draft
Direct payments	In draft
Debtors	In draft
Jewson managed store contract	In draft
Food and fuel voucher scheme	In draft
Additional payment to care workers (spot check)	In progress
Council tax and NNDR	In progress
ICT remote access	In progress
Risk management	In progress
CCTV	In progress
Public health (procurement and contract management)	In progress
Adult social care: adults safeguarding	In progress
Health and safety	In progress
Procurement and contract management	In progress
Insurance arrangements	In progress
Teckal company governance: Make it York	In progress
Foster carer payments	In progress
Parking	In progress
Data security incident management	In progress
SEN funding (schools)	In progress
SFVS (schools)	In progress
Housing rents (inc. data quality)	In progress
Hire cars	Planning
Performance management and data quality	Planning
Business continuity	Planning
York Climate Change Strategy	Planning

Final reports issued

Audit	Reported to Committee	Opinion
Physical information security (satellite sites)	March 2023	Reasonable Assurance
Physical information security (West Offices and Hazel Court)	March 2023	Reasonable Assurance
Payroll (schools)	March 2023	Substantial Assurance
Absence management (schools)	March 2023	Reasonable Assurance
ICT asset management	March 2023	Reasonable Assurance
Complaints, concerns, comments and compliments	March 2023	Reasonable Assurance
Commercial waste (follow-up)	March 2023	No Opinion Given
100-hour short breaks	March 2023	No Opinion Given
Council tax support and housing benefit	November 2022	Substantial Assurance
Poppleton Road Primary School	November 2022	Reasonable Assurance
Contract management – GLL Community Stadium & Leisure	November 2022	Reasonable Assurance
Safety Advisory Group (SAG) governance	June 2022	Reasonable Assurance
Fishergate Primary School	June 2022	Reasonable Assurance
Highways CDM (construction, design and management) regulations	June 2022	Reasonable Assurance

Other work in 2022/23

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

· Follow up of agreed actions

· Grant certification work:

- Scambusters
- West Yorkshire Plus Transport Fund and Transforming Cities Fund
- Contain Outbreak Management Fund
- Supporting Families Programme (September and December 2022 returns)
- Green Homes Grant LAD 1B
- Green Homes Grant LAD 2
- UK Community Renewal Fund
- Local Authority Test and Trace Support Payment Scheme
- Public Health England Adult Weight Management Services Grant
- Provision of support and advice on the design of the UK Shared Prosperity Fund assurance framework
Assurance review of the ESFA subcontracting standards for post-16 providers

· Feedback of Health and Safety audit findings to CMT

· Completion of council-wide records management health check (via survey)

· Completion of analytics-led review of payroll system data integrity

· Completion of special severance payment review against the City of York Council Exit Guidance

· Provision of support and advice:

o Payroll deviance checking process

o Processing of Yorwaste invoices

o Responding to internal requests to amend supplier details

APPENDIX B: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

System/ area	Opinion	Area reviewed	Date issued	Comments / Issues identified	Management actions agreed
100-hour short breaks	No Opinion Given	The audit was undertaken as a consulting assignment to assist the service in their own review of processes. The main objective was to assess the efficiency and effectiveness of systems in place to administer short breaks. This included processes for eligibility checking, monitoring and review of arrangements, and recordkeeping.	21 November 2022	No assessment is undertaken by the council prior to awarding short breaks funding. In most cases a payment of approximately £1,000 is made to a family each year until the child reaches 18. This is because there is no review process in place. As there is limited contact with the families, the service may not be notified if the family move out of area and are no longer eligible for funding. The service has seen budget overspends for the previous five years. Families who apply for short breaks funding do not need to provide any evidence that the funding has been spent as intended. The council also lacks qualitative information to evidence the benefits of the service. The service has taken positive actions since the review began to tighten controls. However, there are several fundamental control weaknesses that need to be addressed within the processes for administering short breaks funding.	N/A – no management actions were agreed. 18 recommendations were made to further support the service in making improvements to the control framework. Veritau has offered to assist with the identification of any residual control gaps and risks when the service completes its review and prior to any implementation of revised systems, processes, and controls.
Commercial waste (follow-up)	No Opinion Given	The purpose of this audit was to provide assurance to management that sufficient progress has been made towards completing the actions agreed in the previous audit undertaken in 2020/21. The audit also assessed whether the actions taken have been effective in addressing the control weaknesses identified.	1 February 2023	Progress has been made in addressing the weaknesses identified in the original audit report. Of the nine agreed actions, we concluded that four had been completed in full, with the associated risks and control weaknesses satisfactorily addressed. This included claiming through the government’s Income Compensation Scheme, raising invoices in a timelier manner, stopping physical cash payments, and assigning clear ownership for setting fees and charges. However, the following key issues were found to still exist: · No central management information system is in place to store and organise data in relation to customers and collections. · Crew sheets are not being properly completed and the information on the crew sheets is not used or analysed. · Waste Transfer Notes are not being renewed in a timely manner.	The service plans to implement the Webaspx Trade Module during 2023/24. This should ease pressure within the team and help to make certain tasks more efficient, such as reconciling information held on the waste and finance databases and automating crew sheet information. Some resource has been added to the team as a result of the recent management restructure. The impact of this will be assessed before determining whether certain tasks, such as chasing duty of care documentation, should be transferred to Business Support.
Complaints, concerns, comments and compliments	Reasonable Assurance	This audit primarily focused on processes in place to respond to corporate complaints effectively, and in a timely manner. It also included a review of how concerns, comments and compliments are identified, tracked and responded to.	2 February 2023	The council has recently reviewed its policy procedures – the Complaints, Concerns, Comments and Compliments (4Cs) toolkit. The toolkit is comprehensive and has been developed in a way that helps to ensure processes followed are in line with Local Government and Social Care Ombudsman (LGSCO) best practice guidance. The council’s website contains clear and comprehensive public-facing guidance for customers wanting to complain or leave feedback. Most complaints are responded to within the specified timescales. However, this year’s LGSCO annual review letter raised an issue with response times where complaints are escalated outside of the corporate complaints procedure. The Corporate Governance Team (CGT) has already developed processes to address this finding. These include setting earlier internal deadlines that service areas need to meet. There is currently no quality assurance process in place to ensure that responses to complaints and feedback are of good quality and meet policy expectations. We also found that training and skills assessments are not maintained for members of the CGT.	A robust quality assurance process will be identified and implemented. The QA process will be reviewed to ensure it is effective and any necessary adjustments or amendments will be made. A robust training and learning (T&L) log process will be identified and implemented. The T&L log process will be reviewed to ensure it is effective and any necessary adjustments or amendments will be made.
ICT asset management	Reasonable Assurance	The audit reviewed the design and effectiveness of controls in place to manage ICT assets throughout their lifecycle.	9 February 2023	Overall management of the council’s ICT assets is effective. Clear processes are in place for the purchase, configuration, assignment, and patching of devices. However, some weaknesses were identified. These included inventory record mismatches between systems, outdated asset ownership information, the existence of a small number of duplicate asset numbers, a lack of clear or consistent guidance on reporting lost / stolen devices, and disposal procedures that do not fully meet guidance under the Financial Procedure Rules. The council has a clear, comprehensive, patch management policy applicable to all information storage media. The policy and procedures were reviewed and found to meet industry best practice.	ICT will work with HR to review the use of Microsoft Forms as an alternative to the existing HR leaver’s checklist ahead of taking a proposal to the Governance, Risk and Assurance Group. Reminders will be sent to staff outlining the process for requesting the removal or transfer of ICT devices within council offices and notifying ICT of this request. ICT will work with audit and an analysis of the identified duplicates will be undertaken and potential duplicates will be investigated to identify root causes and possible solutions. ICT will continue to develop a Microsoft Form for reporting lost or stolen assets in conjunction with Information Governance, Veritau and the Service Desk. ICT will review the existing disposals process and storage arrangements. Where necessary, ICT will update these in line with the council’s Financial Regulations. As part of this review, a second approval procedure will be developed for devices considered beyond economic repair to document approval for disposal prior to the disposal occurring. ICT will investigate devices identified on SNOW as remaining within the organisation, despite being listed as disposed on the disposal register, to identify root cause and possible solutions. The council will reach out to other local authority ICT services to establish how they approach setting the de minimis level for asset classifications.
Absence management (schools)	Reasonable Assurance	This audit involved reviewing absence management arrangements in place across a sample of 6 maintained schools.	24 February 2023	All schools reviewed had adopted the model absence management policy developed by the council. All of the policies had been reviewed within the last two years. Inconsistencies were found in the evidence held on employees’ fitness for work. Several absences exceeded the self-certification period without documented explanation. Evidence was not always found to show return-to-work interviews had taken place. Where they did take place there were often long delays between the return from absence and a meeting being held. All of the schools maintained an absence management log. However, there wasn’t always evidence to show these were used to monitor trends or identify when trigger points were met. Phased returns are well managed, with risk assessments undertaken and the correct health advice and support accessed when necessary.	The findings of the audit will be shared with maintained schools, to highlight the risks and control weaknesses identified. They will be asked to review their practices to ensure these follow their absence management policy. Schools will be reminded of their responsibilities to complete return to work interviews promptly. Schools will be asked to consider providing assurance to governors that the absence management policy is being followed. This could be by providing high level reports on absence levels and by exception reporting on trigger points reached and action taken.
Payroll (schools)	Substantial Assurance	This audit involved reviewing the design and operation of key payroll controls across a sample of 7 maintained schools.	24 February 2023	All but one school were using a summary log to record the number of additional hours worked by staff each month. All schools confirmed that additional hours are planned and pre-authorised wherever possible. With some minor exceptions, additional hours payments were accurate and were consistent with completed timesheets; timesheets were signed by employees and line managers. Additional hours claimed were paid promptly. All the schools ensure payroll runs are authorised prior to submission to the payroll provider. However, post-payment checks in three schools were undertaken by the same member of staff responsible for submitting payroll information. All the schools produced monthly budget monitoring reports. These were shared with governors on a regular basis. A review of the latest budget monitoring reports for 2022/23 confirmed that schools are generally forecasting expenditure for supply and agency staff to be within budget.	The findings of the audit will be shared with maintained schools, highlighting the risks and control weaknesses identified. Schools will be asked to review their timesheet recording, authorisation, and document retention processes. Schools will also be reminded of the importance of having a process in place to independently check and reconcile payments to their employees.
Physical information security (West Offices and Hazel Court)	Reasonable Assurance	Physical information security checks were undertaken at West Offices and Hazel Court to assess the extent to which personal, sensitive, and confidential data was stored securely and to identify any general security weaknesses at both sites. The audit also included an assessment of arrangements in place to control and monitor access to the Council’s CCTV room in West Offices.	1 March 2023	The council remains reasonably well protected against accidental disclosure of information from West Offices and Hazel Court, despite significant changes to working patterns and office utilisation following the Covid-19 pandemic. Suitable arrangements are in place to control and monitor access to West Offices and Hazel Court. Most information and assets held within the buildings were stored securely in locked cupboards and the clear desk policy is generally adhered, although some physical information security weaknesses were noted.	A number of actions were agreed with management to address the control weaknesses identified. These included actions specific to the sites visited as well as actions applicable to staff working at the council’s other offices.
Physical information security (satellite sites)	Reasonable Assurance	This audit involved carrying out an inspection of 5 council premises to assess the adequacy of physical information security arrangements. The audit also included a review of the general security and key storage arrangements at each site.	2 March 2023	This audit found that physical building security across the sites visited was generally effective and operating as intended. The council operates a clear desk policy across all offices. This was generally being adhered to. Personal information was rarely left unsecured within working areas, although some instances of this were noted.	A number of actions were agreed with management to address the control weaknesses identified.

APPENDIX C: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS

Audit opinions
Our work is based on using a variety of audit techniques to test the operation of systems. This may include sampling and data analysis of wider populations. It cannot guarantee the elimination of fraud or error. Our opinion relates only to the objectives set out in the audit scope and is based on risks related to those objectives that we identify at the time of the audit.

Opinion	Assessment of internal control
Substantial assurance	A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.
Reasonable assurance	There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.
Limited assurance	Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.
No assurance	Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.

Priorities for actions
Priority 1	A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management
Priority 2	A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.
Priority 3	The system objectives are not exposed to significant risk, but the issue merits attention by management.

[1] The internal audit work programme includes all potential areas to be considered for audit in the short to medium term, recognising that not all of these will be carried out during the current year (work is deliberately over-programmed).