BACKGROUND
1 Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.
2 The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government and the CIPFA Statement on the role of the Head of Internal Audit.
3 In accordance with the PSIAS, the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit and Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee.
4 The internal audit work programme was agreed by this committee in March 2023. The number of agreed days is 1,023.
5 Veritau follows a fully flexible approach to work programme development and delivery, to keep pace with developments in the internal audit profession and to ensure that we can continue to deliver a responsive service. In line with this approach, work is being kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.
6 The purpose of this report is to update the committee on internal audit activity up to 1 September 2023.
INTERNAL AUDIT PROGRESS
7 In the period to 1 September 2023, six audits have been finalised. A further five audits have been reported in draft. We expect to finalise these audits in time for the November meeting of this committee.
8 As at the time of reporting, 14 audits are in progress. A number of audits that are currently in progress are a good way through the fieldwork stage. We expect to be able to report on findings from the following audits at the next meeting of this committee:
· Schools themed audit: Schools Financial Value Standard (SFVS)
· Teckal company governance: Make it York
· ICT remote access
· CIPFA Financial Management Code (consultative)
· Adherence to constitution: decision-making
· Adult education
· Highways maintenance scheme development review
9 In addition, we are in the process of planning a further nine audits, with fieldwork set to commence over the coming weeks. These audits will continue into quarter 3 2023/24.
10 A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A.
11 The work programme showing current priorities for internal audit work is included at appendix B.
12 A total of 14 audits are shown in the ‘do next’ category where we expect work to begin during quarter 3 2022/23. Some of these audits already have agreed start dates. Start dates for the remaining audits will be determined through liaison with responsible officers across the directorates.
13 The programme also includes 15 audits in the ‘do later’ category. The internal audit work programme is designed to include all potential areas that should be considered for audit in the short to medium term, recognising that not all of these will be carried out during the current year (work is deliberately over-programmed).
14 In determining which audits will actually be undertaken, the priority and relative risk of each area will continue to be considered throughout the remainder of the year, and as part of audit planning for 2024/25 which will commence towards the end of quarter 3. Consideration will also be given to the coverage of each of the 11 key assurance areas when prioritising any remaining work during 2023/24.
15 The six audits that have been finalised since the last report to this committee in July 2023 are included in appendix C. The appendix summarises the key findings from these audits and actions agreed with officers to address identified control weaknesses. The finalised reports listed in appendix C are published online, along with the papers for this committee. This is with the exception of the Jewson managed stores audit which is instead included as an exempt annex to this report.
16 Appendix D lists our current definitions for action priorities and overall assurance levels.
FOLLOW UP
17 All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits. A summary of the current status of follow up activity is included at appendix E.
APPENDIX A: INTERNAL AUDIT WORK IN 2023/24
Audits in progress
Audit | Status |
Risk management | Draft |
Insurance | Draft |
Parking | Draft |
Data security incident management | Draft |
Housing rents (inc. data quality) | Draft |
Schools themed audit: SFVS | In progress |
Teckal company governance: Make it York | In progress |
ICT remote access | In progress |
Foster carer payments | In progress |
CIPFA Financial Management Code (consultative) | In progress |
Adherence to constitution: decision-making | In progress |
Adult education | In progress |
Highway maintenance scheme development review | In progress |
Transparency | In progress |
Section 106 agreements | In progress |
Agency staff (Children and Education / Adult Social Care and Integration) | In progress |
Payroll | In progress |
Budget management | In progress |
Treasury management | In progress |
Asset management | Planning |
ICT procurement and contract management | Planning |
Continuing healthcare | Planning |
Health and Safety (Place directorate) | Planning |
Officer declarations of interest | Planning |
Business continuity | Planning |
Adult social care: safeguarding | Planning |
Placements and commissioning (children’s services) | Planning |
Safety Valve (implementation review) | Planning |
Final reports issued
Audit | Reported to Committee | Opinion |
Climate Change Strategy: governance framework | September 2023 | Reasonable Assurance |
Public health: procurement and contract management | September 2023 | Reasonable Assurance |
Jewson managed stores contract | September 2023 | Reasonable Assurance |
Health and safety | September 2023 | Reasonable Assurance |
CCTV: Surveillance Camera Code of Practice | September 2023 | Reasonable Assurance |
Council tax and NNDR | September 2023 | Reasonable Assurance |
Commercial procurement and compliance | July 2023 | Substantial Assurance |
Sundry debtors | July 2023 | Substantial Assurance |
Savings plans | July 2023 | Reasonable Assurance |
Ordering and creditor payments | July 2023 | Substantial Assurance |
Main accounting system | July 2023 | Substantial Assurance |
Other work in 2023/24
Internal audit work has been undertaken in a range of other areas during the year, including those listed below.
· Follow up of agreed actions
· Grant certification work:
· UKSPF assurance framework development support
· Review of the council’s PDR policy framework and related guidance, training uptake, and appraisal completion rates
· Completion of consultation work on the system for booking of hire cars and the monitoring of their use
Provision of support and advice:
· Housing benefits – supported housing claims (rent review process)
· Compliance efforts relating to additional payments to care workers, including feedback to the Adult Social Care & Integration DMT
· Administration of adults’ direct payments
APPENDIX B: CURRENT PRIORITIES FOR INTERNAL AUDIT WORK
Audit / activity | Rationale / comments on progress |
Risk management | Provides coverage of key assurance area. |
Insurance | Provides broader assurance. |
Data security incident management | Significant risk area. |
Teckal company governance: Make it York | Key area of corporate governance. |
CIPFA Financial Management Code (consultative) | Provides broader assurance. Support being provided to CFO. |
Adherence to constitution: decision-making | Key area of corporate governance. |
Transparency | Provides coverage of key assurance area. |
Agency staff (C&E / ASC&I) | Significant risk area. |
Officer declarations of interest | Provides coverage of key assurance area. |
Business continuity | Risks / controls are changing. Provides broader assurance. |
Category 2 (do next) | |
Member induction programme | Risks / controls are changing. Provides coverage of key assurance area. |
Contract management | Provides coverage of key assurance area. |
Physical information security compliance (WO and HC) | Provides coverage of key assurance area. |
Absence management | Significant risk area. Requested by Audit & Governance Committee. |
Category 3 (do later) | |
York 2032: The 10-year Plan | |
Risk management | |
Management of external funding sources | |
Data and decision-making | |
Climate adaptation / carbon reduction | |
Public health | |
Fundamental / material systems | |
Risks / controls are changing. Provides coverage of key assurance area. | |
Budget management | Emerging risk area. |
Treasury management | Provides coverage of key assurance area. |
Housing rents (inc. data quality) | Risks / controls are changing. Provides coverage of key assurance area. |
Category 2 (do next) | |
Ordering and creditor payments | Provides coverage of key assurance area. |
Sundry debtors | Provides coverage of key assurance area. |
Housing benefits | Provides coverage of key assurance area. |
Category 3 (do later) | |
Main accounting system | |
Operational / regularity | |
Category 1 (do now) | |
Parking | Emerging risk area. |
Schools themed audit: SFVS | Emerging risk area. |
Foster carer payments | Emerging risk area. |
Asset management | Emerging risk area. |
Highway maintenance scheme development review | Identified in discussions with officers. |
Section 106 agreements | Risks / controls are changing. Provides broader assurance. |
Health and Safety (Place directorate) | Emerging risk area. Identified in discussions with officers. |
Adult education | Significant risk area. |
Continuing healthcare | Emerging risk area. |
Adult social care: adults safeguarding | Significant risk area. |
Placements and commissioning (children’s services) | Emerging risk area. |
Safety Valve (implementation review) | |
Category 2 (do next) | |
Public protection | Emerging risk area. |
Additional landlord duties | Emerging risk area. |
Integrated care partnerships | Risks / controls are changing. Provides broader assurance. |
Reablement and independent living | Emerging risk area. Provides broader assurance. |
Schools themed audits / full school audits | Identified in discussions with officers. |
Category 3 (do later) | |
Ward committee model / locality working | |
Public EV Charging Strategy (tariff management) | |
Community Infrastructure Levy | |
Mental health services | |
Payments to care providers and contract management | |
Section 17 payments | |
Technical / projects | |
Category 1 (do now) | |
ICT remote access | Provides coverage of key assurance area. |
ICT procurement and contract management | Provides coverage of key assurance area. |
Category 2 (do next) | |
Project management | Provides coverage of key assurance area. |
ICT disaster recovery | Provides coverage of key assurance area. Provides broader assurance. |
Category 3 (do later) | |
ICT OneDrive & MS Teams information governance | |
NHS Data Security and Protection Toolkit (thematic review) | |
APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE
(month issued) |
Opinion |
Area reviewed |
Comments |
Management actions agreed |
Climate Change Strategy: governance framework (September 2023) |
Reasonable Assurance |
The Climate Change Strategy is organised into eight main themes covering 32 objectives and is guided by five principles. This audit concentrated on the theme of governance, assessing the effectiveness of the governance arrangements established through the strategy. |
The council has established the Climate Change Programme Board (CCPB) to provide internal oversight and challenge to delivery groups and projects, make recommendations and provide advice to officers, Council Management Team (CMT) and Members. CCPB also monitors progress against the Climate Change Strategy. The CCPB terms of reference require review and alignment with the work of the city-wide partnership known as the York Climate Commission and the internal Sustainability Leads Group terms of reference. There is a discrepancy between stated CCPB membership and actual meeting attendance and not all council directorates are represented. CCPB action logs do not provide clarity on attendance and updates received from delivery groups and officers.
The Climate Change Strategy Action Plan contains actions for which funding and delivery mechanisms have not yet been identified.
Climate risks are included in the corporate risk register. However, these are not reflected at the directorate risk register level. |
The CCPB terms of reference will be reviewed to ensure they are fit for purpose. The action log will include attendance records and make clear any recommendations made on projects or decisions for CMT to consider. CMT will also review membership. The strategy action plan will be refreshed to focus on deliverable SMART actions. The refresh will be completed once the Council Plan 2023-27 has been published. The Carbon Reduction team will work with council departments to support them to recognise and understand climate change risks in their services. CMT will ensure that directorate risk registers are updated to include relevant climate change risks. |
Public health contract management (August 2023) |
Reasonable Assurance |
Contract management arrangements were reviewed for the integrated sexual health service and the alcohol and illicit drug integrated treatment and recovery service. |
Governance and reporting mechanisms are in place for both public health contracts reviewed. Roles and responsibilities and reporting lines for contract management are clearly documented in contract managers’ job descriptions. Public health governance meetings take place regularly, and the relevant contract managers attend and report on the contracts. Key performance indicators (KPIs) are set out in the service specifications of the sampled contracts, and the specifications comprehensively outline arrangements for collecting and sharing information, requiring both parties to meet regularly to discuss performance as part of the respective performance management frameworks. However, we found that the integrated sexual health service provider had not complied with the contractual requirement to produce an annual report. Beyond initial financial appraisal at point of contract award, there is no formal process in place for monitoring the financial health of public health service providers. Public health maintains a risk register but not in the format required by the council’s risk management policy and strategy. Significant contract risks are not included on the risk register despite a challenging external environment with the potential to impact on service delivery and continuity. |
Officers responsible for the management of the integrated sexual health contract will agree future reporting arrangements with the provider and ensure that an annual report is completed. Annual financial appraisals will be built into contract monitoring arrangements for all public health contracts. The public health team will request training and advice from the council’s risk management team to ensure that risks impacting service delivery are captured and monitored in accordance with the council’s risk management policy and strategy. |
Jewson managed stores contract (August 2023) |
Reasonable Assurance |
This audit aimed to provide assurance that the council is receiving value for money from the contract, that the contract is being effectively managed, and that the council’s interests are adequately protected. It also reviewed whether invoicing for materials is accurate. |
The council operates on an open book basis with Jewson and profit margins are in line with the agreed rate. Although regular client meetings are taking place with Jewson to discuss issues that are relevant to the management of the contract, the agendas do not include all items that should be discussed in these meetings according to the contract. None of the KPIs included in the contract are clearly defined and do not appear to provide information on price and quality. The council receives monthly KPI reports from Jewson but the information contained in these reports does not correspond with the KPIs that are set down in the contract. Invoices are generated automatically from the management information system that is operated by Jewson. Invoices are received each week and checked to ensure charges relate to valid job numbers. |
Clear definitions of what the KPIs are measuring will be produced and shared with the contractor and the council officers who are responsible for managing the contract. A summary of contract performance will be included in monthly Building Services performance monitoring meetings. Annual meetings with the contractor will be reinstated. All agenda items from the contract will be listed on the agenda for each monthly and quarterly meeting, even though not all items will be addressed in every meeting. |
Health and safety (August 2023) |
Reasonable Assurance |
This audit involved a review of risk assessment processes and incident reporting at a sample of council premises. It evaluated processes against the compliance note in the council’s health and safety policy and use of the B-Safe system. |
The council’s risk assessment process is guided by the health and safety policy and risk assessment compliance note within the council’s Safety Management System. The compliance note includes a comprehensive procedure for completing risk assessments. However, the audit identified that not all premises risk assessments had been recently reviewed and did not effectively capture required changes arising from reviews undertaken. A number of discrepancies were also identified between the requirements of the compliance note and the risk assessments in place for the sites visited. In addition, risk assessment logs required by the compliance note (ie a consolidated register which identifies the risk assessments that are in place at each site) were not held for four of the five sites visited. Health and safety training requirements are unclear and there is variation in the provision of training for officers with responsibility for health and safety at sites. Incidents are generally reported promptly, with 76% of incidents across sites during 2022/23 reported within two days of occurrence and all except one within nine days of occurrence. |
Council Management Team will define corporate expectations for risk assessments that should be held at council premises. It will also define training requirements for managers with health and safety responsibilities at sites, and requirements for health and safety inductions for new staff or those that take on site management responsibilities. DMTs will ensure that risk assessment logs are in place for premises and activities within their area of responsibility. In addition, they will review and seek assurances that observational monitoring is undertaken to ensure risk assessments comply with the risk assessment compliance note. |
CCTV: Surveillance Camera Code of Practice (August 2023) |
Reasonable Assurance |
This audit was undertaken in response to the new Biometric and Surveillance Camera Commissioner’s survey and their heightened focus on compliance with the Surveillance Camera Code of Practice (“the Code”). It involved review of arrangements for managing the council’s overt surveillance systems and availability of information to support compliance assertions made in the survey return. |
The council has identified suitable officers to act as Senior Responsible Officer (SRO) and the Single Point of Contact. The council’s security contractor, Gough & Kelly (G&K), is responsible for most of the council’s CCTV installations. G&K regularly completes the Commissioner’s self-assessment tool to monitor and validate compliance with the Code. The council last completed a compliance self-assessment in 2020. Knowledge of the compliance of service-operated systems is limited to those where the SRO and DPO are actively consulted by services (eg during procurement or where issues arise as part of ongoing management of systems). The council has no single central register of all CCTV systems and cameras. The audit identified that several CCTV systems belonging to Housing were omitted from the Commissioner’s survey and no traffic enforcement cameras had been included. |
The council will undertake a complete survey of CCTV systems (issued to both G&K and council service areas), following which a central log of CCTV systems and locations will be compiled and maintained by the SRO. A full DPIA will be completed by all CCTV systems owners, utilising the Commissioner’s template, for all systems not maintained by G&K. Compliance with the Surveillance Code will be formally assessed and documented via completion of a self-assessment, to be undertaken by both G&K and council service areas. |
Council tax and NNDR (July 2023) |
Reasonable Assurance |
This audit involved a review of processes in place to manage the billing and collection of income due from eligible households (council tax) and business premises (NNDR). |
Quarterly reconciliations between the Valuation Office (VOA) and the Revenue and Benefits IT system (NEC/SX3) databases are carried out. However, completion notices had not been issued or sent to the VOA for several months, reducing the council’s ability to bring properties into taxation in a timely way. Bills and demand notices were issued and calculated correctly for both council tax and NNDR. Where the council had been notified of a change to the liable party, the account has been updated correctly. However, full reviews of historical discounts and exemptions had not been conducted in 2022. Arrears are promptly and effectively pursued with a detailed debt recovery timetable in place for issuing reminders, final notices, and summons. Write-off cases and refunds are reviewed regularly and authorised by a suitable officer. However, refund reconciliations (ie between the property database and the finance system) had not been carried out in accordance with the procedure established by the service. |
An officer has been visiting council properties since May 2023 and will attend a dedicated completion notice course in October 2023. Completion notices will be issued before the end of October 2023. The team has already been working through some of the reviews this year and will be on schedule by September 2023. The Service has asked Finance whether the refund reconciliation process is necessary going forward and will act on their response. |
APPENDIX D: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS
Audit opinions
Our work is based on using a variety of audit techniques to test the operation of systems. This may include sampling and data analysis of wider populations. It cannot guarantee the elimination of fraud or error. Our opinion relates only to the objectives set out in the audit scope and is based on risks related to those objectives that we identify at the time of the audit.
Opinion | Assessment of internal control |
Substantial assurance | A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited. |
Reasonable assurance | There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited. |
Limited assurance | Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited. |
No assurance | Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited. |
Priorities for actions
Priority 1 | A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management |
Priority 2 | A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management. |
Priority 3 | The system objectives are not exposed to significant risk, but the issue merits attention by management. |
APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS
Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee.
A total of 50 actions have been followed up. A summary of the priority of these actions and the directorate they relate to is included below.
Actions followed up | | Actions followed up by directorate | | | |
Priority of actions | Number of actions followed up | Other (Customers, Governance, Finance, HR) | Place Directorate | Adult Social Care and Integration | Children and Education |
1 | 0 | 0 | 0 | 0 | 0 |
2 | 19 | 12 | 6 | 1 | 0 |
3 | 31 | 17 | 6 | 2 | 6 |
Total | 50 | 29 | 12 | 3 | 6 |
Of the 50 agreed actions, 29 (58%) had been satisfactorily implemented and 14 (28%) had been superseded. The number of actions marked as superseded is high due to the continuing impact of a review of all outstanding actions dating back to the Covid period, which found that in some cases circumstances had changed significantly and the previous actions were no longer appropriate. In some cases controls were re-examined and new actions raised if issues were found. In 7 cases (14%) the action had not been implemented by the target date and a revised date was agreed. This is done where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable.