CONTENTS
Background
Internal audit work carried out in 2023/24
Follow up of agreed actions
Professional standards
Opinion of the Head of Internal Audit
Appendix A - 2023/24 internal audit work
Appendix B - Summary of key issues from audits finalised since the last report to the committee
Appendix C - Audit opinions and priorities for actions
Appendix D - Follow up of agreed audit actions
Appendix E - Internal audit quality assurance and improvement programme
Appendix F - Exit Payments
BACKGROUND
1 The work of internal audit is governed by the Public Sector Internal Audit Standards (PSIAS) and the council’s audit charter. These require the Head of Internal Audit to bring an annual report to the Audit and Governance Committee. The report must include an opinion on the adequacy and effectiveness of the council’s framework of governance, risk management and control. The report should also include:
(a) any qualifications to the opinion, together with the reasons for those qualifications (including any impairment to independence or objectivity)
(b) any particular control weakness judged to be relevant to the preparation of the annual governance statement
(c) a summary of work undertaken to support the opinion, including any reliance placed on the work of other assurance bodies
(d) an overall summary of internal audit performance and the results of the internal audit service’s quality assurance and improvement programme, including a statement on conformance with the PSIAS.
INTERNAL AUDIT WORK CARRIED OUT IN 2023/24
2 Throughout 2023/24 audit work has continued to be prioritised based on risk and the need to provide coverage of the council’s framework of governance, risk management and control. This has seen audits drop out of the work programme and others added as risks and priorities have changed and as our understanding of key systems of internal control has developed.
3 We have also continued to promote good governance, provide advice and support, and make recommendations to management to help improve controls. We have met with the Chief Finance Officer, Monitoring Officer, directorate senior management teams and other officers on a regular basis to help identify and address governance issues and concerns, and to ensure audit work has remained targeted towards key areas.
4 The results of completed audit work have been reported to service managers, relevant chief officers, members of this committee, and Executive portfolio holders during the course of the year. In addition, summaries of all finalised audit reports have been presented to this committee as part of regular progress reports.
5 A summary of internal audit work undertaken during the year, and relevant to the opinion, is contained in appendix A. This appendix also shows other work undertaken by the internal audit team to support the council during 2023/24.
6 At the time of writing, nine audits have been finalised since the previous report to this committee. A further seven audit reports have been issued to the responsible officers but remain in draft. We expect these audits to be finalised over the next 3-4 weeks.
7 Appendix B provides details of the key findings arising from completed internal audit assignments that we have not previously reported to the committee. Final reports listed in appendix B are included as exempt annexes to this report.
8 Appendix C provides an explanation of our assurance levels and priorities for management action.
FOLLOW UP OF AGREED ACTIONS
9 All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits. A summary of the current status of follow up activity is included at appendix D.
PROFESSIONAL STANDARDS
10 In order to comply with Public Sector Internal Audit Standards (PSIAS) the Head of Internal Audit is required to develop and maintain an ongoing quality assurance and improvement programme (QAIP). The objective of the QAIP is to ensure that working practices continue to conform to professional standards. The results of the QAIP are reported to the committee each year as part of the annual report. The QAIP consists of various elements, including:
maintenance of a detailed audit procedures manual and standard operating practices
ongoing performance monitoring of internal audit activity
regular customer feedback
training plans and associated training and development activities
periodic self-assessments of internal audit working practices (to evaluate conformance to the standards)
11 External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. An external assessment of Veritau’s internal audit working practices was undertaken between June and August 2023 by John Chesshire, an approved reviewer for the Chartered Institute of Internal Auditors (the UK and Ireland’s local chapter)[1].
12 The assessment involved a full independent validation of Veritau’s own self-assessment of conformance to the PSIAS, as well as to the wider International Professional Practices Framework which governs the performance of internal auditing globally. The report concluded that Veritau’s internal audit activity generally conforms to the PSIAS[2] and, overall, the findings were very positive.
13 The feedback included comments that the internal audit service was highly valued by its clients. Key stakeholders felt confident in the way Veritau had established effective working relations, both in our approach to planning and the way in which we engage flexibly with our clients throughout the internal audit process, at the strategic and operational levels.
14 The outcome of the recently completed self-assessment demonstrates that the service continues to generally conform to the PSIAS, including the Code of Ethics and the Standards. Further details of the QAIP are given in appendix E.
15 The audit charter sets out how internal audit at the council will be provided in accordance with the PSIAS. The charter is reviewed on an annual basis and any proposed changes are brought to the Audit and Governance Committee. No changes are proposed at this time.
16 The PSIAS are based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework. New IIA professional standards, known as the Global Internal Audit Standards, were published in January 2024 and will apply from 9 January 2025. The UK Public Sector Internal Audit Standards Advisory Board (IASAB) is currently reviewing the implications for the PSIAS. Any subsequent changes to the UK’s PSIAS will be subject to consultation and will apply from 1 April 2025.
OPINION OF THE HEAD OF INTERNAL AUDIT
17 The overall opinion of the Head of Internal Audit on the framework of governance, risk management and control operating at the council is that it provides Reasonable Assurance.
18 The opinion given is based on work that has been undertaken directly by internal audit, and on the cumulative knowledge gained through our ongoing liaison and planning with officers. No reliance was placed on the work of other assurance providers in reaching this opinion.
19 There are no significant control weaknesses which, in the opinion of the Head of Internal Audit, need to be considered for inclusion in the council’s annual governance statement.
APPENDIX A: INTERNAL AUDIT WORK IN 2023/24
Final reports issued
Audit | Reported to Committee | Opinion
Physical information security compliance | July 2024 | Reasonable Assurance
Absence management | July 2024 | Reasonable Assurance
Project management | July 2024 | Substantial Assurance
Agency staff (C&E and ASC&I) | July 2024 | Reasonable Assurance
NHS Data Security and Protection Toolkit (thematic review) | July 2024 | No Opinion Given
Adult education (York Learning) | July 2024 | Substantial Assurance
Foster carer payments | July 2024 | Limited Assurance
Business continuity | July 2024 | Reasonable Assurance
Payroll control | July 2024 | Substantial Assurance
Full school audit: Carr Infant School | February 2024 | Reasonable Assurance
Schools themed audit: SFVS | February 2024 | Reasonable Assurance
LATCO governance: Make It York | February 2024 | No Opinion Given
Housing rents | February 2024 | Reasonable Assurance
Transparency | February 2024 | Substantial Assurance
Residents’ parking scheme | February 2024 | Reasonable Assurance
Adherence to constitution: decision-making | February 2024 | Reasonable Assurance
Treasury management | February 2024 | Substantial Assurance
ICT remote access | November 2023 | Substantial Assurance
Data breach management | November 2023 | Reasonable Assurance
Risk management | November 2023 | Reasonable Assurance
Insurance | November 2023 | Reasonable Assurance
Climate Change Strategy: governance framework | September 2023 | Reasonable Assurance
Public health: procurement and contract management | September 2023 | Reasonable Assurance
Jewson managed stores contract | September 2023 | Reasonable Assurance
Health and safety | September 2023 | Reasonable Assurance
CCTV: Surveillance Camera Code of Practice | September 2023 | Reasonable Assurance
Council tax and NNDR | September 2023 | Reasonable Assurance
| July 2023 | Substantial Assurance
Sundry debtors | July 2023 | Substantial Assurance
Savings plans | July 2023 | Reasonable Assurance
Ordering and creditor payments | July 2023 | Substantial Assurance
Main accounting system | July 2023 | Substantial Assurance
Audits in progress
Audit | Status
Section 106 agreements | Draft
Asset management (Place) | Draft
Health and safety (Place) | Draft
Highway maintenance scheme development | Draft
ICT procurement and contract management | Draft
Elvington Primary School | Draft
Wigginton Primary School | Draft
Member induction programme | In progress
Officer declarations of interest and gifts & hospitality | In progress
Safety Valve | In progress
Contract management | In progress
Ordering and creditor payments | In progress
Public protection | In progress
Adults safeguarding | In progress
Continuing healthcare | In progress
Other work completed in 2023/24
Internal audit work has been undertaken in a range of other areas during the year, including those listed below.
Follow up of agreed actions
Grant certification work:
· Scambusters
· UKSPF annual assurance return support (2022/23)
· UKSPF mid-year assurance return support (2023/24)
· ESFA 2022/23 academic year subcontracting standard
· Rough Sleeping Accommodation Programme
· Supporting Families
· Pooling of housing capital receipts
· WYCA Transport Fund and Transforming Cities Fund
· LAD3 and HUG1
Consultative engagements:
· UKSPF assurance framework development support
· Review of the council’s PDR policy framework and related guidance, training uptake, and appraisal completion rates
· Completion of consultation work on the system for booking of hire cars and the monitoring of their use
· Independent fact-finding review into the handling of an FoI
· Completion of consultation work to assist the Chief Finance Officer in demonstrating conformance with CIPFA’s Financial Management Code
· Review of processes for instructing barristers and managing reserved activities (Trading Standards and revenues)
· Review of payments made to the council’s leisure provider, GLL, for ongoing operational management of facilities, Covid-19 support, and energy price increases
· Review of the council’s budget monitoring framework, with the aim of providing Finance with insights on budget managers’ experience and identifying possible areas for improvement
Support and advice:
· Housing benefits – supported housing claims (rent review process)
· Compliance efforts relating to additional payments to care workers, including feedback to the Adult Social Care & Integration DMT
· Administration of adults’ direct payments
· Review of the Public Health risk register, and provision of advice
APPENDIX B: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE
Opinion | Area reviewed | Comments | Management actions agreed
Physical information security compliance (July 2024) |
Reasonable Assurance |
Security sweeps of the council’s two main offices, West Offices and Hazel Court, were undertaken to assess information security compliance. The audit also involved review of the use of the council’s electronic key storage system and of arrangements for controlling access to the CCTV room in West Offices. York Crematorium was visited to assess premises access arrangements, information security procedures, and CCTV operations. |
Similar levels of non-compliance with information security protocols and the council's clear desk policy were observed as in previous security sweeps last conducted in late 2022. There was a variety of personal and special category data left in unsecured locations at both office premises. No significant information security issues were noted at York Crematorium. Where keys are stored in an electronic key safe, data analysis shows that they are mostly returned promptly (i.e. on the same day). A number of keys had been removed for more than one day but very few keys had been removed for longer than one week. Visitors to the CCTV room are expected to sign a log showing the date, time and reason for their visit, their name and organisation. Comparison of key card access data to the visitor log established that the log is not an accurate record of CCTV room access. Less than half of the key card access records had a corresponding entry on the visitor log. |
A full record of audit findings will be provided to CMT so that Corporate Directors can use these to resolve any issues within their service areas and report back on the actions taken. The Corporate Governance Team will arrange with Facilities Management, Security, ICT, and the Communications Team for regular reminders to be sent to staff and other users of all council buildings regarding the council’s policies, procedures and instructions on issues identified in this audit, such as clear desk policy, locking cupboards, storing keys, and password security. The Corporate Governance Team will work with the Gough & Kelly CCTV & Compliance Manager to ensure the ad-hoc visitor logs are completed in full. |
Absence management (July 2024) |
Reasonable Assurance |
The purpose of this audit was to provide assurance that the council’s Attendance Management Policy and Procedure is being correctly applied. It focused on short-term sickness and absence and testing was undertaken in service areas which had been identified by HR as meriting review. |
With the introduction of the Medigold system, the council is well placed to manage sickness absence in accordance with its policy. The system provides real-time sickness information, with in-built workflows to guide officers and managers through absence procedures. Business Intelligence run regular reports to maintain data integrity and provide other reports to both Directorate Management Teams and managers, showing trends in absence and highlighting open absences and overdue return to work (RTW) interviews. Despite the improvements introduced with Medigold, some instances of non-compliance were still observed. This included non-completion of RTW interviews and interviews being held outside of the compliance window. Staff personal files had also not been consistently updated with fit notes where relevant, and evidence was not consistently available to confirm the stage management process (i.e. linked to absence triggers) had been correctly followed. |
A range of actions were agreed to address the identified control weaknesses, including:
· Ensuring that attendance management procedures are covered in both induction and management training
· Sending a reminder to managers on the processes for RTW, stage management, and fit notes
· Reminding DMTs to use absence management data to manage compliance
· Individual training and coaching for managers on the RTW process and use of the Medigold system (undertaken by HR) where support is identified through case management
· Fortnightly checks to confirm personal files are updated with filings from Medigold |
Project management (July 2024) |
Substantial Assurance |
This audit assessed compliance of the council’s medium-sized projects against the All About Projects Framework. A sample of four medium-sized projects was selected for detailed review. |
We found that the mandatory requirements of the AAP Framework have been clearly communicated and, if followed, should ensure the controlled progression of council projects. Sufficient corporate oversight is in place to ensure that project teams adopt and comply with the Framework. This is delivered by the project assurance function and the wider Project Assurance Group. Training and support is available to officers managing projects that are assessed as being medium in size. However, training frequency has reduced since 2022 due to budget pressures and these same pressures put the ongoing viability of this training under threat. For each of the medium-sized sample projects reviewed, we confirmed that all mandatory documentation was being used by project staff. We found that an audit trail was in place for decisions made throughout the projects’ lifecycles. One area for improvement was identified. This relates to the gateway process which is used at various stages in the project lifecycle to assess readiness for progression. One project reviewed was an assistive technology pilot within the Adult Social Care & Integration directorate. We found that the project had stalled significantly, despite passing through the plan phase gateway, due to the lack of a joined-up delivery plan between the directorate and the ICT department. |
Programme Assurance Group leads will regularly communicate the mandatory requirements of the AAP Framework to project managers. CMT will also reinforce its commitment to utilising the AAP Framework for all projects. All members of small / medium projects who have not attended the one day project management course will be identified and enrolled. Attendance will be monitored by the Programme Assurance Group. |
Agency staff (C&E and ASC&I) (July 2024) |
Reasonable Assurance |
This audit assessed compliance with council policy and procedure for use of agency staff. It focused on agency staff engaged in the Children & Education and Adult Social Care & Integration directorates. |
All requests for agency staff are made through Work with York. Booking forms are used to control the engagement of agency staff, with clear authorisation requirements based on daily rates. Authorisation is only required via email and there was not always a clear record kept of the approvals given within both directorates. We also found that authorisation for extensions had often been received after the extension had begun, and placements were being extended multiple times. Reports providing management information on agency staff are distributed for review at Council Management Team, Directorate Management Teams, and Staffing Matters and Urgency Committee. These confirm a reduction in both agency spend and agency staff numbers. The overall number of engagements has reduced by 42% in the last year, and costs have reduced by around £2.7m over the same period. The number of staff costing over £250 a day has also significantly reduced over the last financial year. |
Towards the end of the audit, new governance arrangements were introduced for all posts which require agency staff engagements in the Adult Social Care & Integration directorate to be authorised by the Corporate Director and discussed at Directorate Management Team. There are also similar arrangements in the Children & Education directorate. All new agency and interim specialist placements are approved through a new cost control process. This was introduced in January 2023 and updated in November 2023. This gateway ensures that there is both affordability (via checks with Finance) and challenge for all agency placements, after directorate Chief Officer approval. |
NHS Data Security and Protection Toolkit (thematic review) (June 2024) |
No Opinion Given |
This audit involved reviewing the council’s 2023/24 NHS DSP Toolkit submission to confirm that it is meeting compliance requirements and has sufficient evidence to support assertions made. It focused on incident response, continuity planning, and unsupported systems. |
The council was able to respond in full to all questions in the relevant sections of the Toolkit for 2023/24. Evidence was available to support the answers given. Some suggestions were made on how the council could improve its responses to provide greater assurance through its submission. |
The council’s DPO has responded to the findings of the report. These will be included in the annual improvement plan presented to the Governance, Risk, and Assurance Group following submission of the 2023/24 Toolkit response. |
Adult education (York Learning) (May 2024) |
Substantial Assurance |
This audit focused on arrangements for the collection of learner fee income and applying discounts and refunds. It also included review of processes for allocating funding and tracking use of apprenticeship funding. |
Income processing is now largely automated through the EBS system. Where cash is handled, this is done in accordance with council policy. Policies and procedures for managing discounts and refunds are in place and were found to be operating effectively. York Learning income is reconciled regularly and recorded on spreadsheets that track income from different funding sources. Processes are in place to ensure apprenticeship funding is accurate and can be tracked to each learner. Evidence was in place of the checks made to confirm the eligibility of apprentices. |
N/A |
Foster carer payments (April 2024) |
Limited Assurance |
This audit focussed on the processes in place to administer foster carer payments, and to review Special Guardianship Allowance and Child Protection Order payments. Veritau was invited to undertake an audit in this area to support the directorate’s improvement efforts. |
A number of control weaknesses and opportunities for improvement were identified. These have arisen mainly as a result of the complexity of the system:
· Numerous foster carer rates policy documents are in existence which include duplicate, missing or contradictory information. There is no documented scheme of delegation relating to payment authorisation.
· There are numerous different ad-hoc payment types which are available to be paid to carers. Application for, and provision of, these payments is inconsistent.
· No procedure notes are available documenting how to perform annual reviews or back-end finance processes. Reliance is placed on the knowledge of a small number of key staff.
· System restrictions and manual processes increase the risk of overpayments.
· No management information is available to support delivery of the service. Data is captured in three systems but is not collated to provide key performance information. |
A range of actions have been agreed. These include:
· A review of foster carer rates for 2024/25, including review and possible rationalisation of ad-hoc payments.
· The fostering service structure will be reviewed to ensure that individual roles and business processes are clearly defined and understood by all.
· Internal systems and processes will also be reviewed to ensure effective administration of payments and review cycles.
· A scheme of delegation will be developed which covers key tasks and decisions.
· SGO and other annual review processes will be strengthened to ensure good financial governance.
· Short term management information processes will be developed until more sophisticated systems, aligned to Mosaic, can be implemented. |
Business continuity (March 2024) |
Reasonable Assurance |
This audit was undertaken as a follow-up to the 2021 audit. It reviewed the guidance and training available to plan owners and arrangements for monitoring, assessing, and reporting on plan effectiveness. |
Guidance and training is available and is provided to senior officers via extended Directorate Management Teams. However, training records are not maintained centrally or consistently at service level. Not all service areas could confirm that training and guidance had been provided to staff responsible for business continuity. Since the previous audit, there has been some progress in relation to processes for monitoring, assessing and reporting business continuity activities within services. However, these are yet to be fully embedded. For example, while Council Management Team (CMT) receives quarterly updates and an annual report on the status of business continuity plans, the review and monitoring process which supports these updates does not include quality assurance checking, does not confirm that exercises have been held or are scheduled, and has no escalation mechanism for non-compliance. |
Directorates will be required to maintain training records and update corporate HR with completion data for the purpose of recording this centrally. The Emergency Planning Manager will report to the Corporate Emergency Planning Group and CMT those services where plans have not been exercised. CMT will consider the requirement for a strategic exercise schedule. The tracker process will be updated to include follow up of outstanding documents from services, and where they remain outstanding this will be reported to CMT. A Business Continuity manager has been recruited within the Resilience and Emergencies’ Team, and they will review the documents returned by services to provide quality assurance within the system. |
Payroll control (March 2024) |
Substantial Assurance |
This audit reviewed processes and controls within the payroll system which ensure that:
· Only current employees are paid in respect of actual hours worked, and that those amounts are accurate
· Any adjustments to pay are calculated correctly
· Appropriate authorisations are sought before the payroll is finalised. |
A series of reports highlight errors which could prevent the system completing the payroll or result in errors to pay or deductions. We found that action is consistently taken to investigate and resolve any issues. Exception reports are also produced. These reports compare pay in the current period to that in the previous. Reporting has been improved in recent months and now provides more meaningful data from which to carry out reasonableness assessments. The overall payroll control process is supported by a payroll control run sheet. This is completed each month by a payroll control officer after each task is performed. The Chief Finance Officer authorises the payroll once the payroll control process has concluded to the satisfaction of the payroll manager. |
N/A |
APPENDIX C: AUDIT OPINIONS AND PRIORITIES FOR ACTION
Audit opinions
Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit.
Our overall audit opinion is based on 4 grades of opinion, as set out below.
Opinion | Assessment of internal control
Substantial assurance | Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified.
Reasonable assurance | Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made.
Limited assurance | Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation.
No assurance | Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse.
Priorities for actions
Priority 1 | A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management.
Priority 2 | A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.
Priority 3 | The system objectives are not exposed to significant risk, but the issue merits attention by management.
APPENDIX D: FOLLOW UP OF AGREED AUDIT ACTIONS
Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates. Internal audit carry out follow up work to check that the issue has been resolved once target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee.
A total of 113 actions have been followed up so far during 2023/24, up to 30 June 2024. A summary of the priority of these actions and the directorate they relate to is included below.
Actions followed up | Actions followed up by directorate
Priority of actions | Number of actions followed up | Other (Customers, Governance, Finance, HR) | Place Directorate | Adult Social Care and Integration | Children and Education
1 | 0 | 0 | 0 | 0 | 0
2 | 57 | 34 | 19 | 2 | 2
3 | 56 | 23 | 13 | 2 | 18
Total | 113 | 57 | 32 | 4 | 20
Of the 113 agreed actions, 70 (62%) had been satisfactorily implemented and 17 (15%) had been superseded. The proportion of actions marked as superseded has reduced over the year, as the impact of reviewing all outstanding actions dating back to the Covid period has been completed. Actions are marked as superseded where circumstances have changed significantly and the previous actions are no longer appropriate. In 26 cases (23%) the action had not been implemented by the target date and a revised date was agreed. This is done where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable.
APPENDIX E: INTERNAL AUDIT QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME
Ongoing quality assurance arrangements
Veritau maintains appropriate ongoing quality assurance arrangements designed to ensure that internal audit work is undertaken in accordance with relevant professional standards (specifically the Public Sector Internal Audit Standards). These arrangements include:
· the maintenance of a detailed audit procedures manual
· the requirement for all audit staff to conform to the Code of Ethics and Standards of Conduct Policy
· the requirement for all audit staff to complete annual declarations of interest
· detailed job descriptions and competency profiles for each internal audit post
· regular performance meetings
· regular 1:2:1 meetings to monitor progress with audit engagements
· induction programmes, training plans and associated training activities
· attendance on relevant courses and access to e-learning material
· the maintenance of training records and training evaluation procedures
· membership of professional networks
· agreement of the objectives, scope and expected timescales for each audit engagement with the client before detailed work commences (audit specification)
· the results of all audit testing and other associated work documented using our audit management system (previously Sword Audit Manager but now replaced by K10 Vision)
· file review by senior auditors and audit managers and sign-off at each stage of the audit process
· the ongoing investment in tools to support the effective performance of internal audit work (for example data interrogation software)
· post audit questionnaires (customer satisfaction surveys) issued following each audit engagement
· regular client liaison meetings to discuss progress, share information and evaluate performance
On an ongoing basis, completed audit work is subject to internal peer review by a Quality Assurance group. The review process is designed to ensure audit work is completed consistently and to the required quality standards. The work of the Quality Assurance group is overseen by an Assistant Director. Any key learning points are shared with the relevant internal auditors and audit managers. The Head of Internal Audit will also be informed of any general areas requiring improvement. Appropriate mitigating action will be taken where required (for example, increased supervision of individual internal auditors or further training).
Annual self-assessment
On an annual basis, the Head of Internal Audit will seek feedback from each client on the quality of the overall internal audit service. The Head of Internal Audit will also update the PSIAS self-assessment checklist and obtain evidence to demonstrate conformance with the Code of Ethics and the Standards. As part of ongoing performance management arrangements, each internal auditor is also required to assess their current skills and knowledge against the competency profile relevant for their role. Where necessary, further training or support will be provided to address any development needs.
The Head of Internal Audit and other members of the Internal Audit management team also participate in various professional networks and obtain information on operating arrangements and relevant best practice from other similar audit providers for comparison purposes.
The results of the annual client survey, PSIAS self-assessment, professional networking, and ongoing quality assurance and performance management arrangements are used to identify any areas requiring further development and/or improvement. Any specific changes or improvements are included in the annual Improvement Action Plan. Specific actions may also be included in the Veritau business plan, internal audit strategy action plan, and/or individual personal development action plans. The outcomes from this exercise, including details of the Improvement Action Plan, are also reported to each client. The results will also be used to evaluate overall conformance with the PSIAS, the results of which are reported to senior management and the board[3] as part of the annual report of the Head of Internal Audit.
At least once every five years, arrangements must be made to subject internal audit working practices to external assessment to ensure the continued application of professional standards. The assessment should be conducted by an independent and suitably qualified person or organisation and the results reported to the Head of Internal Audit. The outcome of the external assessment also forms part of the overall reporting process to each client (as set out above). Any specific areas identified as requiring further development and/or improvement will be included in the annual Improvement Action Plan for that year.
2.0 Customer Satisfaction Survey 2024
In March 2024 we asked clients for feedback on the overall quality of the internal audit service provided by Veritau. Where relevant, the survey also asked questions about counter fraud and information governance services. A total of 163 surveys (2023 – 176) were issued to senior managers in client organisations. A total of 17 responses were received representing a response rate of 10.4% (2023 – 10.8%). Respondents were asked to rate the different elements of the audit process as either excellent, good, satisfactory or poor.
Respondents were also asked to provide an overall rating for the service. The results of the survey are set out in the charts below. These are presented as percentages, for consistency with previous years. However, it is recognised that the low number of respondents means that the percentage for each category is sensitive to small changes in actual responses (1 respondent represents about 6%).
The overall ratings in 2024 were:
| Rating | 2024 responses | 2024 % | 2023 responses | 2023 % |
|---|---|---|---|---|
| Excellent | 7 | 44% | 13 | 69% |
| Good | 8 | 50% | 5 | 26% |
| Satisfactory | 1 | 6% | 1 | 5% |
| Poor | 0 | 0% | 0 | 0% |
The feedback shows that the majority of respondents continue to value the service being delivered.
3.0 Self-Assessment Checklist 2024
CIPFA has prepared a detailed checklist to enable conformance with the PSIAS and the Local Government Application Note to be assessed. The checklist is reviewed and updated annually. Documentary evidence is provided where current working practices are considered to fully or partially conform to the standards.
Current working practices are considered to be at standard. However, as in previous years there are a few areas of non-conformance. These areas are mostly as a result of Veritau being a shared service delivering internal audit to a number of clients as well as providing other related governance services. None of the issues identified are considered to be significant. Existing arrangements are considered appropriate for the circumstances and require no further action. The following table shows the areas of non-compliance, which remain unchanged from last year.
| Conformance with Standard | Current Position |
|---|---|
| Where there have been significant additional consulting services agreed during the year that were not already included in the audit plan, was approval sought from the audit committee before the engagement was accepted? | Consultancy services are usually commissioned by the relevant client officer (generally the s151 officer). The scope (and charging arrangements) for any specific engagement will be agreed by the Head of Internal Audit and the relevant client officer. Engagements will not be accepted if there is any actual or perceived conflict of interest, or which might otherwise be detrimental to the reputation of Veritau. |
| Are consulting engagements that have been accepted included in the risk-based plan? | Consulting engagements may be commissioned and agreed separately. |
| Does the risk-based plan include the approach to using other sources of assurance and any work that may be required to place reliance upon those sources? | The development of assurance mapping and the use of other sources of assurance has been included as an action in the refreshed internal audit strategy (see below). Our approach will be informed by further guidance from CIPFA and the LGA which is expected in 2024. Any use of the methodology will also be dependent on securing client engagement in the assurance mapping process. |
| Does ongoing performance monitoring contribute to quality improvement through the effective use of performance targets? | Historic targets used as performance measures do not provide meaningful information about the value of audit work delivered. The development of new and effective measurement tools is being done as part of the implementation of the refreshed internal audit strategy (see below). |
4.0 External Assessment
As noted above, the PSIAS require the Head of Internal Audit to arrange for an external assessment to be conducted at least once every five years to ensure the continued application of professional standards. The assessment is intended to provide an independent and objective opinion on the quality of internal audit practices.
An external assessment of Veritau’s internal audit working practices was undertaken in summer 2023, by John Chesshire, an approved reviewer for the Chartered Institute of Internal Auditors. The report concluded that Veritau internal audit activity ‘generally conforms’ to the PSIAS[4] and, overall, the findings of the review were very positive. The feedback included comments that the internal audit service was highly valued by its member councils. Key stakeholders felt confident in the way Veritau had established effective working relations, both in our approach to planning, and the way we engage flexibly with our clients throughout the internal audit process, at both strategic and operational levels.
The report concluded that Veritau ‘generally conforms’ to 59 of the 60 applicable principles. One area for improvement was highlighted relating to assurance mapping. The recommendation and our response are included in the table below:
| Recommendation | Response |
|---|---|
| The Chief Audit Executive (CAE) should continue to develop a proportionate, formal approach to assurance mapping, coordination and where appropriate, reliance, to enhance the function’s risk-based planning, delivery and the effectiveness of assurance provided to key stakeholders. | Agreed – we will develop our approach to assurance mapping and working with other internal and external assurance provision. The approach will be flexible to reflect the different sectors and clients we provide internal audit services to. |
A copy of the external assessment report was reported to this committee on 8 November 2023.
5.0 Improvement Action Plan
Overall, the internal audit services provided by Veritau continue to meet the requirements of the Public Sector Internal Audit Standards. However, we recognise that the pace of change in local government and the wider public sector means that there is a need to continually review and update aspects of the service to ensure it stays up to date and continues to deliver good value.
We refreshed our internal audit strategy during 2023/24. The updated strategy identifies the working practices we will prioritise for development over the next three years, to ensure we:
• understand our clients’ organisation, the environment they operate in and emerging pressures. We need to plan work flexibly to meet changing needs and target areas that are most important for our clients and where we can add the most value.
• focus on providing support at the right time. Retrospective audits providing commentary after the fact have limited benefit in a fast-changing environment. We should anticipate change, provide advice in advance, and focus on providing ongoing assurance in real time.
• maximise the benefit of audit work through the use of technology. For example, using data to analyse whole populations or detect emerging issues; develop better information for clients to help them understand and act on outcomes from audit work; and understand and make use of emerging technologies such as artificial intelligence to improve our efficiency.
To achieve these objectives, we will focus on the following key areas:
• embedding a strategic approach to work programme development and the use of the audit opinion framework
• redesigning and modernising our audit working practices (including assignment planning and reporting)
• further developing our use of data analytics
• developing our key performance indicators and the measures of added value
Detailed action plans have been prepared to support each area of focus, and a number of these actions have already been completed. For example, our standard audit committee reports have been redesigned, a pilot exercise to test the use of agile audit techniques has been completed and new performance dashboards have been created (for use by auditors, managers and clients). Progress is being tracked each month. The next areas to focus on include taking steps to reduce elapsed time (the time between an audit starting and the final report being agreed) and providing clients with an interface to allow them to update agreed actions themselves.
In addition, we have replaced our existing audit management system with a new system called K10 Vision. The new system has been developed using the latest technology and offers improved functionality for both users and clients.
6.0 Overall Conformance with PSIAS
(Opinion of the Head of Internal Audit)
Based on the results of the quality assurance process I consider that the service generally conforms to the Public Sector Internal Audit Standards, including the Code of Ethics and the Standards.
The guidance suggests a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ is the top rating and means that the internal audit service has a charter, policies and processes that are judged to be in conformance to the Standards.
APPENDIX F: EXIT PAYMENTS
In April 2021, the council’s external auditor issued a Report in the Public Interest. This related to exit payments made to a former employee. The report, and actions to address concerns about processes that were raised, were considered by the Council on 4 May 2021.
Following the report, a new system for agreeing settlement agreements was approved by the Staffing Matters and Urgency Committee in October 2021.
It was agreed that internal audit would review packages finalised under the new system, to assess whether the council has complied with the process, and that it would report the outcome of any reviews in the annual Head of Internal Audit report.
In the period to the end of June 2024, no settlement agreements were reached.
[1] Reported to the Audit and Governance committee in November 2023.
[2] PSIAS guidance suggests a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ is the top rating.
[3] As defined by the relevant audit charter.
[4] PSIAS guidance suggests a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ is the top rating.