COYC%202%20colour

INTERNAL AUDIT PROGRESS REPORT,Date: 28 February 2024
Annex 1


 


A blue logo with a square and a square in the middle  Description automatically generatedBACKGROUND

1            Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

2            The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government and the CIPFA Statement on the role of the Head of Internal Audit.

3            In accordance with the PSIAS, the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit and Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee. 

4            The internal audit work programme was agreed by this committee in March 2023.

5            Veritau has adopted a flexible approach to work programme development and delivery. Work to be undertaken during the year is kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.

6            The purpose of this report is to update the committee on internal activity up to 16 February 2024.

 

*   INTERNAL AUDIT PROGRESS

7            Eight audits have been finalised since the last report to this committee in November. A further six audits are currently at the draft report stage.

8            Eighteen 2023/24 audits are currently in progress. Approximately half of these audits are nearing the final stages of fieldwork. We are currently planning a further six audits, that will commence in February and March. These audits will conclude the 2023/24 work programme.

9            The results of all audits currently in progress, and those in the planning stage, will be reported to this committee at its July meeting, as part of the Head of Internal Audit annual report.

10        A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A. Appendix A also shows the range of other work completed by internal audit during the year.

11        Other audits in the work programme which are currently classed as ‘do next’ or ‘do later’[1] are being reviewed as part of the audit planning process for 2024/25, alongside new and emerging areas. Those that remain a priority will be included in the 2024/25 work programme.

12        The eight audits that have been finalised since the last report to this committee in November 2023 are detailed in appendix B. The appendix summarises the key findings from these audits, and includes actions agreed with officers to address identified control weaknesses.  The finalised reports in appendix B are included as exempt annexes to this report.

13        Appendix C lists our current definitions for action priorities and overall assurance levels.

 

        FOLLOW UP

14       All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits. A summary of the current status of follow up activity is included at appendix D.

 


 

APPENDIX A: INTERNAL AUDIT WORK IN 2023/24

Audits in progress

Audit

Status

Adult education (York Learning)

Draft

Business continuity

Draft

Payroll

Draft

Foster carer payments

Draft

Full school audit: Wiggington Primary School

Draft

Full school audit: Elvington CE Primary School

Draft

ICT procurement and contract management

In progress

Section 106 agreements

In progress

Budget management

In progress

Highway maintenance scheme development review

In progress

Agency staff (C&E / ASC&I)

In progress

Asset management (Place directorate)

In progress

Safety Valve (implementation review)

In progress

Health and Safety (Place directorate)

In progress

Adult social care: safeguarding

In progress

Ordering and creditor payments

In progress

Physical information security compliance

In progress

Officer declarations of interests

In progress

Absence management

In progress

Project management

In progress

NHS Data Security and Protection Toolkit

In progress

Member induction programme

In progress

Contract management

In progress

Integrated care partnerships

In progress

Housing benefits

Planning

Special Guardianship Orders and Care Arrangement Orders

Planning

Public protection

Planning

Additional landlord duties

Planning

Continuing healthcare

Planning

Payments to care providers and contract management (Adult Social Care)

Planning

Final reports issued

Audit

Reported to Committee

Opinion

Full school audit: Carr Infant School

February 2024

Reasonable Assurance

Schools themed audit: SFVS

February 2024

Reasonable Assurance

LATCO governance: Make It York

February 2024

No Opinion Given

Housing rents

February 2024

Reasonable Assurance

Transparency

February 2024

Substantial Assurance

Residents’ parking scheme

February 2024

Reasonable Assurance

Adherence to constitution: decision-making

February 2024

Reasonable Assurance

Treasury management

February 2024

Substantial assurance

ICT remote access

November 2023

Substantial Assurance

Data breach management

November 2023

Reasonable Assurance

Risk management

November 2023

Reasonable Assurance

Insurance

November 2023

Reasonable Assurance

Climate Change Strategy: governance framework

September 2023

Reasonable Assurance

Public health: procurement and contract management

September 2023

Reasonable Assurance

Jewson managed stores contract

September 2023

Reasonable Assurance

Health and safety

September 2023

Reasonable Assurance

CCTV: Surveillance Camera Code of Practice

September 2023

Reasonable Assurance

Council tax and NNDR

September 2023

Reasonable Assurance

Commercial procurement and compliance

July 2023

Substantial Assurance

Sundry debtors

July 2023

Substantial Assurance

Savings plans

July 2023

Reasonable Assurance

Ordering and creditor payments

July 2023

Substantial Assurance

Main accounting system

July 2023

Substantial Assurance

 

Other work in 2023/24

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

·         Follow up of agreed actions

·         Grant certification work:

  • Scambusters
  • UKSPF assurance return support (2022/23)
  • UKSPF mid-year assurance return support (2023/24)
  • ESFA 2022/23 academic year subcontracting standard
  • Rough Sleeping Accommodation Programme
  • Supporting Families
  • Pooling of housing capital receipts
  • WYCA Transport Fund and Transforming Cities Fund
  • LAD3 and HUG1

 

Consultative engagements:

·         UKSPF assurance framework development support

·         Review of the council’s PDR policy framework and related guidance, training uptake, and appraisal completion rates

·         Completion of consultation work on the system for booking of hire cars and the monitoring of their use

·         Completion of consultation work to assist the Chief Finance Officer in demonstrating conformance with CIPFA’s Financial Management Code

Provision of support and advice:

·         Housing benefits – supported housing claims (rent review process)

·         Compliance efforts relating to additional payments to care workers, including feedback to the Adult Social Care & Integration DMT

·         Administration of adults’ direct payments

 


APPENDIX B: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

System/area

(month issued)

Opinion

Area reviewed

Comments / Issues identified

Management actions agreed

Full school audit: Carr Infant School

(February 2024)

Reasonable Assurance

This audit evaluated the controls in place relating to the school’s governance, financial management, people management, building security, information security, and safeguarding.

Systems and controls within the school were generally found to be working. Clear records maintained to support and evidence most key processes.

Some control weaknesses were identified during the audit. Return to work interviews are not taking place or being recorded following periods of staff absence. Quotations were not being sought consistently for procurements with an expected value over £5,000 and there was a lack of information to support decisions made to appoint suppliers.

Other issues identified included a failure to notify the council of lease agreements in place, no user agreements covering home use of school-owned ICT equipment, desktop PCs being left unsecured when unattended by school staff, and no formal process to review committee terms of reference.

Return to work interviews are now taking place for all absences, with records retained.

At the time of the next re-procurement for IT equipment, three written quotes will be sought.

Before entering into any new lease agreement, the school will seek council approval and prepare a lease agreement form to record this.

The school will set up a user agreement for staff to sign to cover the removal of school-owned IT equipment.

All staff will be reminded to lock desktops when leaving them unattended.

Committee terms of reference have now been updated.

Schools themed audit: SFVS

(February 2024)

Reasonable Assurance

This audit reviewed arrangements across a sample of nine schools for preparing and submitting their annual School Financial Value Standard (SFVS) return.

All schools included in this review had submitted their 2022/23 SFVS returns to the local authority by the specified deadline. In most cases (eight) returns had been authorised by the governing body prior to submission to the Department for Education.

Submitted returns were fully completed. Evidence provided by the schools enabled us to confirm that they were generally accurate. The main issue identified was that several schools did not have an up-to-date business continuity plan or could not provide a contract register.

Other issues noted included:

·         a lack of awareness of the guidance on reporting related party transactions

·         the governing body of one school had not reviewed and approved the SFVS

·         four schools had not undertaken a recent governing body skills assessment.

School business managers and governors will be reminded of the need for the SFVS return to be reviewed by the full governing body. Schools will be expected to submit, to the council, the minutes from the meeting at which the SFVS return was reviewed and approved.

The council will ask schools to share business continuity plans and contract registers in future SFVS returns.

A mixture of training, reminders, and submission of evidence to the council were agreed as actions to address the issues relating to skills assessments and related party transactions.

LATCO governance: Make It York

(January 2024)

No Opinion Given

The purpose of the work was to review the council’s arrangements for overseeing Make It York. The review used relevant good practice on local authority owned companies, issued by CIPFA in May 2022, to evaluate the council’s arrangements.

The guidance issued by CIPFA on local authority owned companies sets out the principles councils should consider when deciding whether to set up companies and determining how they should operate. It does not set out specific requirements. Instead, it recognises that each council must determine what is appropriate in individual circumstances.

The review found that the council has established suitable governance mechanisms to discharge its shareholder functions at the strategic level (through its Shareholder Committee and representation on the Make It York board) and to oversee Make It York’s delivery against the SLA at an operational level (through the work of the council’s assigned link officer). A small number of observations were made relating to performance measurement, risk management arrangements, and appointments to the Make It York board.

None. Given the non-prescriptive nature of the CIPFA guidance, the final report instead included four observations in the following areas:

1.   Make It York business plan

2.   Monitoring performance against the SLA

3.   Risk management and the annual governance statement

4.   Appointments to the company board

Management responses were received from the Monitoring Officer and Deputy S151 Officer.

Housing rents

(January 2024)

Reasonable Assurance

This audit was undertaken following the implementation of the new Open Housing system. It focused on controls relating to user access, billing, income receipting, arrears monitoring, and performance management.

The transfer of processes for administering housing rents to the Open Housing system has been largely effective. However, some issues were identified.

An amount of £618k was bought forward from the old rents system (SX3). This was the outstanding balance on rent accounts that were rolled forward onto the new Open Housing System. However, no working paper was produced during the audit to confirm that this bought forward figure is correct. At the time of the audit there was an imbalance of £221k between the figure recorded on the general ledger and the figure on Open Housing.

There is no active recovery action on rent arrears from former tenants who left their property more than three years ago and where the council has no way of contacting the former tenant. Arrears belonging to tenants matching these criteria were not rolled forward to the Open Housing system, but the arrears had not been formally written off in accordance with the Council’s Financial Regulations. Some payments are still being received from these former tenant accounts.

It is not possible to run a report on the Open Housing system to identify all rent accounts that have had a stop put on the arrears recovery process.

Some other less significant issues relating to user access management, applying the annual rent increase, and performance reporting were also identified.

The £221k amount will be formally written off if it is still present at the end of 2023/24.

Weekly checks are being made to confirm that rent account balances on the Open Housing system reconcile with the general ledger. Reports are being developed for the Open Housing system to support reconciliation.

New codes will be created on the Open Housing system that will enable officers to manage former tenant arrears cases.

Active rent accounts will also be set up on the Open Housing System for former tenants who have repaid outstanding rents.

The Open Housing Board receives a regular data quality report and use of the stop code will be added to the data quality report to make sure that users are not using this function.

Transparency

(December 2023)

Substantial Assurance

This audit focused on the arrangements the council has in place to achieve and maintain compliance with the Local Government Transparency Code (LGTC) and the ICO’s Model Publication Scheme requirements. It also evaluated controls relating to the management of Re-use of Public Sector Information Requests.

The council publishes and maintains information in accordance with LGTC and ICO Model Publication Scheme requirements. Information meets required accessibility standards. Heads of Service, as information asset owners, are responsible for publishing the required datasets within LGTC timeframes. The council’s Business Intelligence function facilitates the prompt publication of data to the York Open Data Website.

The council publishes the ICO's guidelines for charging for Re-use of Public Sector Information Requests on its website. However, there is no specific page on the council website where customers can view all relevant charges and fees that the council may impose, to enable them to make an informed choice before requesting information.

The schedule of fees and charges for Re-use of Public Sector Information Requests will be made accessible to customers by placing it on the York Open Data website and by providing a link from the council’s model publication scheme webpage. The schedule will then be updated annually.

Residents’ parking scheme

(December 2023)

Reasonable Assurance

This audit reviewed controls in place for managing applications for residents’ parking permits. Areas covered included eligibility checks and counter fraud arrangements. It also reviewed the process for reconciling income received from the parking system (Taranto) to the main financial system (Civica Financials).

From a customer-facing perspective, the application process provided by Taranto is efficient and accessible. Guidance is provided to applicants before they begin the process. This sets out the different permit types and costs. The terms and conditions that customers must agree to when applying include an appropriate counter-fraud declaration. However, the application process is not sufficiently robust to prevent ineligible applicants from successfully applying for a permit. No compensating controls are in place to detect instances of potential fraud.

Income received from parking permits via Taranto is downloaded to Civica Financials every evening. The council’s IT service checks that it has interfaced correctly. Reconciliations are carried out by accounting technicians annually. The 2022/23 reconciliation was still ongoing at the time of the audit; permits with a value of £2.5k on Taranto, had not been reflected in Civica Financials.

The process for refunding residents for rejected permit applications is not automated and is inefficient. This has created a large backlog of rejected permits awaiting refund.

On a monthly basis, random spot-checks will be carried out on permit applications The Taranto system and the terms and conditions will be updated to notify applicants that spot-checks may be carried out to confirm the validity of applications.

Parking Services will coordinate with the accounting technician and ICT Systems Support Team Leader to investigate the income from parking permits that cannot be found on the general ledger.

The parking portal help page will be revised to incorporate information on the procedure for obtaining a refund when applications are rejected. Clear information on the process to follow will be provided.

Adherence to constitution: decision-making

(December 2023)

Reasonable Assurance

This audit focused on areas of the constitution which govern how key and non-key decisions are made. It covered schemes of delegation, forward planning, committee report preparation, decision records, scrutiny arrangements, and guidance / training on decision-making.

The constitution is published on the council’s website and provides a clear framework for decision-making that complies with relevant legislation. However, internal procedures to ensure compliance with the constitution are less well defined.

The main issues identified during the audit include:

·         Detailed schemes of delegation are held for each directorate. However, the majority are now in need of updating in line with the review of the constitution.

·         The corporate report template guidance is not consistently followed when reports are prepared. This has led to instances where the views of specialist implication officers had not been sought.

·         Of the council’s four directorates, only two had their report preparation and submission processes documented (i.e. to manage consultation, scheduling, and review and approval of committee reports).

·         There is a comprehensive learning package available for Councillors relating to decision-making. However, there is no equivalent training for officers on the decision-making process.

All directorates will have an up to date, version controlled, scheme of delegation and a process in place for annual reviews of their delegations.

The ModGov system will be developed to ensure all the council’s mandatory sections of the corporate report template are included. System access controls will be developed to ensure appropriate distribution to relevant officers.

All directorates will have comprehensive and version-controlled procedure notes for decision making in their area. The procedure notes should include the requirement for quality checks to be undertaken before the Chief Officer signs off the final version before it is presented for a decision to be made.

An online learning package for decision-making will be developed in MYLO. This will be made available to all officers.

Treasury management

(November 2023)

Substantial assurance

This audit evaluated whether the council has a treasury management strategy in place that meets the requirements of the CIPFA Prudential Code and Treasury Management Code of Practice. It also reviewed controls for taking out loans and making investments, for recording and accounting for them, and for monitoring performance against prudential indicators.

The procedures for administering the council's treasury management function were found to be working well. No issues or control weaknesses were identified.

The council’s treasury management strategy aligns with the Prudential Code requirements and is presented to Executive and Full Council for approval prior to the start of each financial year. Prudential indicators have been set and performance against these is monitored and reported throughout the year, with an outturn report is produced after the financial year-end.

Procedures for taking on long-term borrowing and new investment are well controlled, with clear decision-making and authorisation processes in place.

Annual reconciliations are performed to ensure that interest payments, principal and value of loans outstanding are correctly recorded on Civica Financials.

N/A


APPENDIX C: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS

Audit opinions

Our work is based on using a variety of audit techniques to test the operation of systems. This may include sampling and data analysis of wider populations. It cannot guarantee the elimination of fraud or error. Our opinion relates only to the objectives set out in the audit scope and is based on risks related to those objectives that we identify at the time of the audit.

 

Opinion

Assessment of internal control

Substantial assurance

A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.

Reasonable assurance

There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.

Limited assurance

Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.

No assurance

Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.

Priorities for actions

Priority 1

A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management

Priority 2

A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.

Priority 3

The system objectives are not exposed to significant risk, but the issue merits attention by management.

 

 

APPENDIX D: FOLLOW UP OF AGREED AUDIT ACTIONS

Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee. 

A total of 75 actions have been followed up so far during 2023/24, up to 31 January 2024. A summary of the priority of these actions and the directorate they relate to is included below.

Actions followed up

 

Actions followed up by directorate

Priority of actions

Number of actions followed up

 

Other (Customers, Governance, Finance, HR)

Place Directorate

 

Adult Social Care and Integration

Children and Education

1

0

 

0

0

0

0

2

40

 

30

8

2

0

3

35

 

20

7

2

6

Total

75

 

50

15

4

6

 

Of the 75 agreed actions, 42 (56%) had been satisfactorily implemented and 17 (23%) had been superseded. The number of actions marked as superseded is relatively high due to the continuing impact of a review of all outstanding actions dating back to the Covid period. This review found that, in some cases, circumstances had changed significantly and the previous actions were no longer appropriate. In some cases, controls were re-examined and new actions raised if issues were found. In 16 cases (21%) the action had not been implemented by the target date and a revised date was agreed. This is done where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable.

 



[1] The internal audit work programme includes all potential areas to be considered for audit in the short to medium term, recognising that not all of these will be carried out during the current year (work is deliberately over-programmed).