COYC%202%20colour

CONTENTS

3 Background

3 Internal audit progress

4 Follow up

4 Other developments

6 Appendix A: Internal audit work in 2024/25

8 Appendix B: Current priorities for internal audit work

12 Appendix C: Summary of key issues from finalised audits

24 Appendix D: Audit opinions and finding priorities

25 Appendix E: Follow up of agreed actions

A blue and white triangle pattern Description automatically generated

BACKGROUND

1 Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes.

2 The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government, and the CIPFA Statement on the role of the Head of Internal Audit.

3 In accordance with the PSIAS the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit & Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee.

4 The internal audit work programme was agreed by this committee in May 2024.

5 Veritau has adopted a flexible approach to work programme development and delivery. Work to be undertaken during the year is kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.

6 The purpose of this report is to update the committee on internal activity up to 15 November 2024.

INTERNAL AUDIT PROGRESS

7 A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A. Appendix A also details other work completed by internal audit during the year.

8 Since our last report to this committee, nine audits have been finalised. A further four internal audit engagements have reached draft report stage. These will be finalised over the coming weeks and will be reported to this committee at its 29 January 2025 meeting.

9 A total of 18 audits are underway at the time of reporting. Several of these are in later stages, with the remaining representing audits which have started during the current quarter.

10 Amongst the work currently underway is an audit of the council’s contract management arrangements. This is a second audit, being undertaken in addition to the audit of major project contract management. This new audit has been requested by the Monitoring Officer and the committee. It will focus on key contractual provisions and terms, and arrangements for managing compliance with these. A sample of contracts will be selected, including the recently expired Salvation Army contract. At the time of reporting, the audit is in the early stages of fieldwork. We expect to present the outcomes from this audit at the January meeting of this committee.

11 In addition to the audits mentioned in paragraphs 8 and 9, we have also continued to support the council by certifying central government grants, undertaking consultative engagements in a number of areas, and providing support and advice on risk- and control-related matters.

12 The work programme, showing current priorities for internal audit work, is included at annex B.

13 A total of 13 audits are shown in the ‘do next’ category where we expect work to begin during the final quarter of 2024/25.

14 The programme also includes 15 audits in the ‘do later’ category. The internal audit work programme is designed to include all potential areas that should be considered for audit in the short to medium term, recognising that not all of these will be carried out during the current year (work is deliberately over-programmed).

15 In determining which audits will be undertaken, the priority and relative risk of each area will continue to be considered throughout the remainder of the year, and as part of audit planning for 2025/26 (which will commence towards the end of the current quarter). Consideration will also be given to the opinion framework and, in particular, coverage of the 11 key assurance areas, when prioritising any remaining work during 2024/25.

16 The nine audits that have been finalised since the last report to this committee are included in appendix C. The appendix summarises the key findings from these audits, and includes actions agreed with officers to address identified control weaknesses. The finalised reports in appendix C are also included as exempt annexes to this report.

17 Appendix D provides the definitions for our audit opinions and finding ratings.

FOLLOW UP

18 All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work, we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits. A summary of the current status of follow up activity is included at appendix E.

OTHER DEVELOPMENTS

19 The profession’s local government standards setter, CIPFA, is currently consulting on a Public Sector Application Note for the new Global Internal Audit Standards (which were released in January 2024) and an accompanying Code of Practice for the Governance of Internal Audit in Local Government.

20 Once both the Global Internal Audit Standards (GIAS) and Application Note come into effect on 1 April 2025, these will replace the PSIAS. There will no longer be a requirement for the PSIAS as these are fully incorporated into the GIAS and the Application Note. Taken together, the GIAS and Application note will be referred to as the Global Internal Audit Standards (UK public sector).

21 The primary audience for the Code of Practice, which will also come into effect from 1 April 2025, is those charged with governance of internal audit. It is intended to support local authorities in interpreting the essential conditions for governance of internal audit, as set out in the Global Internal Audit Standards, and with how to apply them in a public sector context.

22 We are not anticipating that these updates to public sector internal audit standards will require any significant changes to Veritau’s working practices or to the governance of the service. Future reports to this committee will explain how Veritau has responded to the new regime and will present an updated internal audit charter.

APPENDIX A: INTERNAL AUDIT WORK IN 2024/25

Audits in progress

Audit	Status
Member induction programme	Draft
Officer declarations of interest and gifts & hospitality	Draft
VAT accounting	Draft
Housing benefits	Draft
Contract management (major projects)	In progress
Contract management (inc. Salvation Army)	In progress
Commercial asset performance	In progress
Savings plans	In progress
Travel and subsistence	In progress
Carbon reduction and climate adaptation	In progress
Physical information security (satellite sites)	In progress
NHS DSP Toolkit: accountable suppliers	In progress
Main accounting system	In progress
Safety Valve	In progress
Clifton Green Primary School	In progress
School themed audit: purchasing and best value	In progress
Residential care: Beehive / Wenlock Terrace	In progress
Unaccompanied asylum seeker children	In progress
Continuing healthcare	In progress
Payments to care providers and contract management (ASC&I)	In progress
Public protection	In progress
ICT disaster recovery	In progress

Final reports issued

Audit	Reported to Committee	Opinion
Ordering and creditor payments	November 2024	Substantial Assurance
Highways maintenance scheme development	November 2024	Reasonable Assurance
Section 106 agreements	November 2024	Reasonable Assurance
Asset management (TEPHC)	November 2024	Reasonable Assurance
Adult safeguarding	November 2024	Reasonable Assurance
Health and safety (TEPHC)	November 2024	Limited Assurance
ICT procurement and contract management	November 2024	Reasonable Assurance
Wigginton Primary School	November 2024	Reasonable Assurance
Procurement Act: preparedness assessment	November 2024	Substantial Assurance
Physical information security compliance	July 2024	Reasonable Assurance
Absence management	July 2024	Reasonable Assurance
Project management	July 2024	Substantial Assurance
Agency staff (C&E and ASC&I)	July 2024	Reasonable Assurance
NHS Data Security and Protection Toolkit (thematic review)	July 2024	No Opinion Given
Adult education (York Learning)	July 2024	Substantial Assurance
Foster carer payments	July 2024	Limited Assurance
Business continuity	July 2024	Reasonable Assurance
Payroll control	July 2024	Substantial Assurance

Other work in 2024/25

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

Follow up of agreed actions

Grant certification work:

Scambusters

UKSPF assurance return support (2023/24)

UKSPF assurance return support (mid-year 2024/25)

Supporting Families

West Yorkshire Combined Authority (YORR and TCF)

Department for Transport (BSOG, LTP, Tadcaster Road, NPIF STEP)

Social Housing Decarbonisation Fund (wave 2, 2023/24)

Homes England compliance audit

Consultative engagements:

Fact-finding review into adult social care provider overpayments

Review of the Food and Fuel voucher scheme administration (including data analytics)

Review of processes for managing transport direct payments

Provision of support and advice:

Duplicate creditor payments analysis

Void recharge policy development

APPENDIX B: CURRENT AUDIT PRIORITIES
Audit / Engagement		Rationale
Strategic / corporate & cross cutting
Do now
Member induction programme		Provides assurance on system development, following work with the LGA.
Officer declarations and gifts and hospitality		Key area of corporate governance.
Contract management (major projects)		Provides coverage of more than one key assurance area.
Contract management (inc. Salvation Army)		Being undertaken in response to known issues, and at the request of A&G.
Physical information security (satellite sites)		Forms part of a rolling programme of assurance.
NHS DSP Toolkit: accountable suppliers		Forms part of a rolling programme of assurance.
Commercial asset performance		Provides coverage of more than one key assurance area.
Savings plans		Linked to a key corporate risk. Provides broader assurance.
Carbon reduction and adaptation		Emerging risk area.
Travel and subsistence		Identified in consultation with officers.
Do next
FOI and EIR improvement plan		Being undertaken in response to known issues previously reported to A&G.
Performance management framework		No recent coverage. Provides assurance on key assurance area.
Physical information security (WO & HC)		Forms part of a rolling programme of assurance.
Risk management		Key area of corporate governance. Provides broader assurance.
Do later
Data quality
Use of CCTV and investigatory powers
York 2032: partnership governance
Public health: procurement and contract management
Financial systems
Do now
VAT accounting		No recent coverage. Provides coverage of a key assurance area.
Housing benefits		Key material system, with risk of error and fraud.
Main accounting system		No recent coverage. Provides coverage of a key assurance area.
Do next
-		-
Do later
Sundry debtors
Housing rents
Service areas
Do now
Safety Valve		Emerging risk area.
Clifton Green Primary School		Provides assurance on organisational and financial governance at this setting.
School themed audit: purchasing and best value		Emerging risk area. Provides broader assurance coverage.
Unaccompanied asylum seeker children		Emerging risk area.
Residential care: Beehive / Wenlock Terrace		Being undertaken in response to known areas for improvement.
Continuing healthcare		Risks / controls are changing.
Payments to care providers and contract management (ASC&I)		Provides coverage of more than one key assurance area.
Public protection		Risks / controls are changing.
Do next
Alternative provision		Emerging risk area.
Funded early education		Risks / controls are changing due changes being implemented by the DfE.
Schools themed audit: pupil premium		Provides broader assurance coverage.
Section 17 payments		Being undertaken in response to known areas for improvement.
Children’s direct payments		Risks / controls are changing.
Managing customer finances (ASC&I)		Identified in consultation with officers.
Green waste subscription service		Risks / controls are changing with the implementation of this new service.
Public EV charging strategy (tariff management)		Risks / controls are changing. Linked to council priorities.
Do later
Danesgate Community School
Referrals and care assessments (ASC&I)
Care and support planning (ASC&I)
Landlord regulatory standards
Council house repairs
Locality working / ward committee model
Community safety strategy
Technical / projects
Do now
ICT disaster recovery		Provides broader assurance. Linked to key corporate risk.
Do next
ICT applications / database security		Key attack vector for threat actors. Provides assurance on security controls.
Project management		Provides coverage of key assurance area.
Do later
Cybersecurity: user awareness
IT projects / systems development

APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

System/area (month issued)	Opinion	Area reviewed	Comments / Issues identified	Management actions agreed
Ordering and creditor payments (November 2024)	Substantial Assurance	The audit reviewed processes for administering ordering and creditor payment functions. This included authorisation and segregation of duties in ordering and invoice payment, the payment run, file interface loading and balancing, and supplier set up and amendment.	No control weaknesses were identified from the audit. Some minor improvements can be made to recordkeeping relating to supplier amendments but, otherwise, processes for controlling the payment run, loading and balancing file interfaces, new supplier set up, and ordering and invoicing were operating effectively.	None.
Highways maintenance scheme development (November 2024)	Reasonable Assurance	The audit reviewed the system in place to develop the council’s annual highway maintenance programme (AHMP). It focused on processes including condition data availability, design and application of prioritisation criteria, and recordkeeping relating to scheme inclusion / exclusion.	The survey data used as the foundation of the AHMP’s development is no longer a reliable source to measure the condition of the highway network as it dates from 2021. There are some data quality issues relating to footpath condition. A new system will be used for the 2025/26 programme onwards (with new condition data included). The Highways Infrastructure Asset Management Plan outlines the process of programme development, but it makes no reference to the weighted criteria used. It is not clear how they have been determined and approved. New weightings have now been developed and will be implemented in 2025/26. Inconsistent record management practices present a business continuity risk and make it challenging to follow decision-making.	New survey data will be analysed to create the 2025/26 AHMP, and surveys will be conducted annually to ensure the development of the AHMP remains objective and current. The service will also engage with another contractor to produce new one-off survey data for footways and 20km of cycle paths, using improved methods enabling access to remote routes. The service will engage with a similar local authority for a peer-review of the proposed weightings before implementation. The proposed weightings will be included in a revised AHMP presented to members for approval. Weightings will be reviewed annually or when there is a change in relevant council strategies to ensure they remain appropriate. Centralised files will be set up in the T-drive for each year’s Highways Asset Management Programme and these will be accessible to relevant officers.
Section 106 agreements (October 2024)	Reasonable Assurance	The purpose of this audit was to provide assurance on controls relating to the preparation of the legal deed (specifically the contributions being sought), collection of income, and fulfilment of both developer and council obligations.	Evidence of how required contributions have been determined / amounts have been calculated for inclusion in the legal deed is not routinely retained by service areas. Nor is evidence of internal review and approval. Where contributions are formula-driven, some of these are based on documents which were developed some time ago and show no evidence of recent review. Regular monitoring of income and expenditure against Section 106 agreements is carried out by Finance, who do not have access to the Exacom monitoring system. No single system or document currently provides a complete view of amounts due, held and spent across all active Section 106 agreements. There is often a delay in services returning the notification of spend forms once Section 106 funds have been spent. This can result in a delay in notifying the developer and could result in breaching the terms of the deed.	The Open Space Commuted Sum Document will be updated with new contribution requirements. All other service areas will review their arrangements for formulating contribution requests and the evidence base used. This will include arrangements for consistent storage of contribution requests. Planning and Finance will investigate how to integrate information and establish how systems can be reconciled to ensure there is a clear single source of information that can be reported on. Finance will be provided with access and training on Exacom as part of this. Reminders will be sent to service areas of the need to use the notification forms, and how they should be used.
Asset management (TEPHC) (October 2024)	Reasonable Assurance	The audit involved a review of the arrangements for managing housing repairs, highways, and fleet assets. This included controls relating to their issue, use, and disposal, and to confirm their existence and working order.	While materials are initially allocated to jobs on the Open Housing system by administrative staff in Housing Services, it is also possible for repairs operatives to request additional materials for a job via a system interface. Repair jobs are not subject to random inspections to assess the reasonableness of materials consumption. No other satisfactory compensating controls exist. Plant items should be presented for annual servicing at the council’s workshop. This is not being done consistently for all highways assets. At the time of the audit, over a quarter of plant items were more than three months overdue on their scheduled annual service. Disposal dates for vehicles and plant are not consistently being recorded on the asset replacement plan. This was the case for 15% of the council’s vehicle and plant assets. Assets are also held beyond their useful life without documented rationale or evidence of approval. The third-party vehicle hire spreadsheet used to track all hired vehicles is incomplete and recorded expiry dates different to those of the hire agreements.	Team leaders will inspect 10% of all works post completion. As part of this process, the team leader will compare the actual materials used on the job to the materials that were assigned to this work. The team leader will record this information and resolve any discrepancies. The service will be challenged in cases where the item is six months late for its annual service to confirm whether the service still has the asset. An explanation will also be obtained from the service as to why the council no longer has the asset. Replacement dates for all new assets are recorded on Tranman. The Fleet Intelligence Officer will ensure that Tranman is updated for older assets if they are not replaced in 2025. An expected return date has been added to the vehicle hire sheet. If the vehicle has to stay longer than expected, narrative has to be added and a new expected end date provided.
Adult Safeguarding (October 2024)	Reasonable Assurance	This audit reviewed the policies, procedures and training in place to govern and support the council’s safeguarding process. It also included review of processes for receiving and responding to concerns and of management information and quality assurance arrangements.	Staff working in adult social care are expected to complete five mandatory safeguarding training modules, with this being refreshed every three years. Completion of both virtual and in-person mandatory training was found to be low across adult social care staff. The Yorkshire and Humber consortium does not have terms of reference to confirm how revisions to adult safeguarding policies and procedures proposed by Tri.x (an external provider) are to be agreed. A policy tracker is used to record locally adopted adult safeguarding policies and procedures. This has only been partially effective since policy and procedure documents lack consistent document control to track review requirements. There are persistent delays in the Safeguarding Adults Board receiving data from partner agencies. This issue is compounded by poor attendance of partner agencies at Quality and Assurance subgroup meetings.	The training programme is currently being rolled out and this will ensure that all staff complete the mandatory modules. In addition, monitoring processes have been introduced to allow staff and managers to track completion, with this being supported by a wider supervision policy and framework designed to ensure continuing professional education requirements are met. A draft terms of reference document has been circulated to the Tri.x Consortium for agreement. A final version will be approved at the next Consortium meeting scheduled for 10 December 2024. The Safeguarding Adults Board Business Manager will maintain and update the safeguarding policies tracker. The Safeguarding Adults Board Quality and Assurance subgroup are to develop a multi-agency Safeguarding Adults Board performance framework.
Health and safety (TEPHC) (October 2024)	Limited Assurance	The purpose of this audit was to provide assurance on the effectiveness of departmental policies and procedures, risk assessments, safe systems of work, and mechanisms for implementation, monitoring and review of controls. The audit reviewed arrangements within: Environmental Services; Property Services; Highways and Asset Management; Building Services.	Arrangements within the service areas were reviewed against the council’s Safety Management System and, in particular, compliance note CN3 which covers the risk assessment process. A number of significant control weaknesses were observed which can be broadly categorised into: · Governance and oversight of health and safety compliance at a management level. · Quality and quality assurance arrangements at the individual risk assessment and safe systems of work (SSOW) level. The specific issues identified during the audit included: · Logs of risk assessments are not maintained in line with the council’s risk assessment compliance note CN3. There is not a clear process for reporting on risk assessments and observational monitoring. · Job descriptions do not always sufficiently reflect the health and safety responsibilities of the officer role. · The council’s corporate health and safety induction training requirements are not consistently implemented across the service areas. · Training records do not record all the information required and do not provide effective oversight of training requirements and completion. · Risk assessments are not completed consistently in line with risk assessment compliance note CN3 guidance. · SSOW are not consistently completed in line with the council’s risk assessment compliance note CN3 which itself does not provide sufficiently clear instruction on when SSOW are required.	Several management actions have been agreed to address the control weaknesses identified. These aim to strengthen oversight from management on the existence, completion, and review of risk registers and SSOW, verify completion of observational monitoring, and ensure updates are recorded on a central log. Job descriptions will be reviewed, and a standard training matrix will be developed for staff and managers to monitor completion. Any gaps in completion of training by current staff will be addressed.
ICT procurement and contract management (September 2024)	Reasonable Assurance	This audit focused on the council’s arrangements for managing its cloud-based systems with its suppliers. The Medigold (HR), Taranto (parking), and Microsoft 365 applications were reviewed.	ICT assess the security of third-party applications through a supplier technical questionnaire. The questionnaire assesses compatibility, performance, security, scalability, data protection, and accessibility. However, not all ICT procurements are appropriately routed through the ICT department. This is despite the procurement checklist guidance (available to all staff via the intranet) requiring consultation where any council data is to be held on a supplier’s system. The Medigold system was one example of an application procured without the supplier technical questionnaire having been completed. At the time of the audit, there was no complete list of cloud-based applications in use by the council. As a result, there is also no formal classification of cloud-based applications to then determine the level and frequency of ongoing due diligence that should be carried out against the council’s ICT, web, and governance requirements (i.e. based on factors such as business criticality and the nature of data being processed). This practice is recommended in ISO 27001 (Information Security in Supplier Relationships).	HR has sought assurance from Medigold and received its certifications relating to information security which have been forwarded to ICT. They will ensure any changes to the system or contract will go through ICT Security in future. Cloud based applications will be formally categorised indicating the level and frequency of due diligence that will be applied. A consolidated and comprehensive record will be produced detailing which applications have been assessed, date of assessment and when assessment is next due.
Wigginton Primary School (September 2024)	Reasonable Assurance	The purpose of the audit was to provide assurance that internal controls within the school and its systems are operating effectively to manage key financial and governance risks.	Several issues were identified during the audit, as follows: · Failure to obtain quotes and comply with wider procurement roles in the purchase of ICT equipment. · The school’s ICT asset register is incomplete, and no inventory checks are performed. · Bank reconciliations are not consistently signed by an authorised signatory to confirm review has taken place. · Annual accounts for the school’s voluntary fund have not been prepared and submitted to the Charity Commission. · Proof of public liability for hirers is not consistently sought when current certificates reach their expiry dates. · School governor details are out of date on the website.	The Full Governing Body will maintain oversight of ICT procurement activity. An inventory check and asset security procedure will be developed. The headteacher will ensure all bank reconciliations are reviewed and signed. An independent person will be found to review the account, which will then be submitted to the Charity Commission. Proof of public liability cover will be obtained on expiry. Governor details will be updated on the website.
Procurement Act: preparedness assessment (September 2024)	Substantial Assurance	The purpose of this audit was to assess the council’s readiness for changes being introduced by the new Procurement Act. At the time of the audit, the Act was to come into effect in October 2024. It is now expected to come into effect in February 2025.	The council’s Commercial Procurement team has developed a comprehensive implementation plan to help prepare for the Act. The action plan was compared against the Crown Commercial Service’s guidance document and was found to align well. It also records clear timescales and responsibilities for completion of actions. The council has taken sufficient action, through its plan, to prepare the council to the extent possible while it awaits further guidance from the Cabinet Office and Government Commercial Function. A Procurement Reform Group coordinates the work of the Commercial Procurement and Legal Services implementation. Progress against the implementation action plan is reported through directorate management structures. In addition, the council’s progress has been discussed at the Council Management Team and continues to be reported to the Scrutiny Management Committee. However, the council's Procurement Act 2023-specific risk register, and reporting of these risks, does not meet the requirements of the council's Risk Management Policy and Guide.	A review will be undertaken of the Procurement Act risk register to ensure it meets all requirements in the council’s Risk Management Policy. A clear separation between risk owner and risk actioner will be completed alongside prioritising the risks. The risk register will continue to be updated and developed to meet the required standards. Following a restructure of the Council’s Leadership Team, a new directorate risk register is currently being created. This will consider risks relating to implementation of the Act.

System/area

(month issued)

Opinion

Area reviewed

Comments / Issues identified

Management actions agreed

Ordering and creditor payments

(November 2024)

Substantial Assurance

The audit reviewed processes for administering ordering and creditor payment functions. This included authorisation and segregation of duties in ordering and invoice payment, the payment run, file interface loading and balancing, and supplier set up and amendment.

No control weaknesses were identified from the audit. Some minor improvements can be made to recordkeeping relating to supplier amendments but, otherwise, processes for controlling the payment run, loading and balancing file interfaces, new supplier set up, and ordering and invoicing were operating effectively.

None.

Highways maintenance scheme development

(November 2024)

Reasonable Assurance

The audit reviewed the system in place to develop the council’s annual highway maintenance programme (AHMP). It focused on processes including condition data availability, design and application of prioritisation criteria, and recordkeeping relating to scheme inclusion / exclusion.

The survey data used as the foundation of the AHMP’s development is no longer a reliable source to measure the condition of the highway network as it dates from 2021. There are some data quality issues relating to footpath condition. A new system will be used for the 2025/26 programme onwards (with new condition data included).

The Highways Infrastructure Asset Management Plan outlines the process of programme development, but it makes no reference to the weighted criteria used. It is not clear how they have been determined and approved. New weightings have now been developed and will be implemented in 2025/26.

Inconsistent record management practices present a business continuity risk and make it challenging to follow decision-making.

New survey data will be analysed to create the 2025/26 AHMP, and surveys will be conducted annually to ensure the development of the AHMP remains objective and current. The service will also engage with another contractor to produce new one-off survey data for footways and 20km of cycle paths, using improved methods enabling access to remote routes.

The service will engage with a similar local authority for a peer-review of the proposed weightings before implementation. The proposed weightings will be included in a revised AHMP presented to members for approval. Weightings will be reviewed annually or when there is a change in relevant council strategies to ensure they remain appropriate.

Centralised files will be set up in the T-drive for each year’s Highways Asset Management Programme and these will be accessible to relevant officers.

Section 106 agreements

(October 2024)

Reasonable Assurance

The purpose of this audit was to provide assurance on controls relating to the preparation of the legal deed (specifically the contributions being sought), collection of income, and fulfilment of both developer and council obligations.

Evidence of how required contributions have been determined / amounts have been calculated for inclusion in the legal deed is not routinely retained by service areas. Nor is evidence of internal review and approval. Where contributions are formula-driven, some of these are based on documents which were developed some time ago and show no evidence of recent review.

Regular monitoring of income and expenditure against Section 106 agreements is carried out by Finance, who do not have access to the Exacom monitoring system. No single system or document currently provides a complete view of amounts due, held and spent across all active Section 106 agreements.

There is often a delay in services returning the notification of spend forms once Section 106 funds have been spent. This can result in a delay in notifying the developer and could result in breaching the terms of the deed.

The Open Space Commuted Sum Document will be updated with new contribution requirements. All other service areas will review their arrangements for formulating contribution requests and the evidence base used. This will include arrangements for consistent storage of contribution requests.

Planning and Finance will investigate how to integrate information and establish how systems can be reconciled to ensure there is a clear single source of information that can be reported on. Finance will be provided with access and training on Exacom as part of this.

Reminders will be sent to service areas of the need to use the notification forms, and how they should be used.

Asset management (TEPHC)

(October 2024)

Reasonable Assurance

The audit involved a review of the arrangements for managing housing repairs, highways, and fleet assets. This included controls relating to their issue, use, and disposal, and to confirm their existence and working order.

While materials are initially allocated to jobs on the Open Housing system by administrative staff in Housing Services, it is also possible for repairs operatives to request additional materials for a job via a system interface. Repair jobs are not subject to random inspections to assess the reasonableness of materials consumption. No other satisfactory compensating controls exist.

Plant items should be presented for annual servicing at the council’s workshop. This is not being done consistently for all highways assets. At the time of the audit, over a quarter of plant items were more than three months overdue on their scheduled annual service.

Disposal dates for vehicles and plant are not consistently being recorded on the asset replacement plan. This was the case for 15% of the council’s vehicle and plant assets. Assets are also held beyond their useful life without documented rationale or evidence of approval.

The third-party vehicle hire spreadsheet used to track all hired vehicles is incomplete and recorded expiry dates different to those of the hire agreements.

Team leaders will inspect 10% of all works post completion. As part of this process, the team leader will compare the actual materials used on the job to the materials that were assigned to this work. The team leader will record this information and resolve any discrepancies.

The service will be challenged in cases where the item is six months late for its annual service to confirm whether the service still has the asset. An explanation will also be obtained from the service as to why the council no longer has the asset.

Replacement dates for all new assets are recorded on Tranman. The Fleet Intelligence Officer will ensure that Tranman is updated for older assets if they are not replaced in 2025.

An expected return date has been added to the vehicle hire sheet. If the vehicle has to stay longer than expected, narrative has to be added and a new expected end date provided.

Adult Safeguarding

(October 2024)

Reasonable Assurance

This audit reviewed the policies, procedures and training in place to govern and support the council’s safeguarding process. It also included review of processes for receiving and responding to concerns and of management information and quality assurance arrangements.

Staff working in adult social care are expected to complete five mandatory safeguarding training modules, with this being refreshed every three years. Completion of both virtual and in-person mandatory training was found to be low across adult social care staff.

The Yorkshire and Humber consortium does not have terms of reference to confirm how revisions to adult safeguarding policies and procedures proposed by Tri.x (an external provider) are to be agreed.

A policy tracker is used to record locally adopted adult safeguarding policies and procedures. This has only been partially effective since policy and procedure documents lack consistent document control to track review requirements.

There are persistent delays in the Safeguarding Adults Board receiving data from partner agencies. This issue is compounded by poor attendance of partner agencies at Quality and Assurance subgroup meetings.

The training programme is currently being rolled out and this will ensure that all staff complete the mandatory modules. In addition, monitoring processes have been introduced to allow staff and managers to track completion, with this being supported by a wider supervision policy and framework designed to ensure continuing professional education requirements are met.

A draft terms of reference document has been circulated to the Tri.x Consortium for agreement. A final version will be approved at the next Consortium meeting scheduled for 10 December 2024.

The Safeguarding Adults Board Business Manager will maintain and update the safeguarding policies tracker.

The Safeguarding Adults Board Quality and Assurance subgroup are to develop a multi-agency Safeguarding Adults Board performance framework.

Health and safety (TEPHC)

(October 2024)

Limited Assurance

The purpose of this audit was to provide assurance on the effectiveness of departmental policies and procedures, risk assessments, safe systems of work, and mechanisms for implementation, monitoring and review of controls.

The audit reviewed arrangements within: Environmental Services; Property Services; Highways and Asset Management; Building Services.

Arrangements within the service areas were reviewed against the council’s Safety Management System and, in particular, compliance note CN3 which covers the risk assessment process. A number of significant control weaknesses were observed which can be broadly categorised into:

· Governance and oversight of health and safety compliance at a management level.

· Quality and quality assurance arrangements at the individual risk assessment and safe systems of work (SSOW) level.

The specific issues identified during the audit included:

· Logs of risk assessments are not maintained in line with the council’s risk assessment compliance note CN3. There is not a clear process for reporting on risk assessments and observational monitoring.

· Job descriptions do not always sufficiently reflect the health and safety responsibilities of the officer role.

· The council’s corporate health and safety induction training requirements are not consistently implemented across the service areas.

· Training records do not record all the information required and do not provide effective oversight of training requirements and completion.

· Risk assessments are not completed consistently in line with risk assessment compliance note CN3 guidance.

· SSOW are not consistently completed in line with the council’s risk assessment compliance note CN3 which itself does not provide sufficiently clear instruction on when SSOW are required.

Several management actions have been agreed to address the control weaknesses identified. These aim to strengthen oversight from management on the existence, completion, and review of risk registers and SSOW, verify completion of observational monitoring, and ensure updates are recorded on a central log. Job descriptions will be reviewed, and a standard training matrix will be developed for staff and managers to monitor completion. Any gaps in completion of training by current staff will be addressed.

ICT procurement and contract management

(September 2024)

Reasonable Assurance

This audit focused on the council’s arrangements for managing its cloud-based systems with its suppliers. The Medigold (HR), Taranto (parking), and Microsoft 365 applications were reviewed.

ICT assess the security of third-party applications through a supplier technical questionnaire. The questionnaire assesses compatibility, performance, security, scalability, data protection, and accessibility. However, not all ICT procurements are appropriately routed through the ICT department. This is despite the procurement checklist guidance (available to all staff via the intranet) requiring consultation where any council data is to be held on a supplier’s system. The Medigold system was one example of an application procured without the supplier technical questionnaire having been completed.

At the time of the audit, there was no complete list of cloud-based applications in use by the council. As a result, there is also no formal classification of cloud-based applications to then determine the level and frequency of ongoing due diligence that should be carried out against the council’s ICT, web, and governance requirements (i.e. based on factors such as business criticality and the nature of data being processed). This practice is recommended in ISO 27001 (Information Security in Supplier Relationships).

HR has sought assurance from Medigold and received its certifications relating to information security which have been forwarded to ICT. They will ensure any changes to the system or contract will go through ICT Security in future.

Cloud based applications will be formally categorised indicating the level and frequency of due diligence that will be applied. A consolidated and comprehensive record will be produced detailing which applications have been assessed, date of assessment and when assessment is next due.

Wigginton Primary School

(September 2024)

Reasonable Assurance

The purpose of the audit was to provide assurance that internal controls within the school and its systems are operating effectively to manage key financial and governance risks.

Several issues were identified during the audit, as follows:

· Failure to obtain quotes and comply with wider procurement roles in the purchase of ICT equipment.

· The school’s ICT asset register is incomplete, and no inventory checks are performed.

· Bank reconciliations are not consistently signed by an authorised signatory to confirm review has taken place.

· Annual accounts for the school’s voluntary fund have not been prepared and submitted to the Charity Commission.

· Proof of public liability for hirers is not consistently sought when current certificates reach their expiry dates.

· School governor details are out of date on the website.

The Full Governing Body will maintain oversight of ICT procurement activity.

An inventory check and asset security procedure will be developed.

The headteacher will ensure all bank reconciliations are reviewed and signed.

An independent person will be found to review the account, which will then be submitted to the Charity Commission.

Proof of public liability cover will be obtained on expiry.

Governor details will be updated on the website.

Procurement Act: preparedness assessment

(September 2024)

Substantial Assurance

The purpose of this audit was to assess the council’s readiness for changes being introduced by the new Procurement Act.

At the time of the audit, the Act was to come into effect in October 2024. It is now expected to come into effect in February 2025.

The council’s Commercial Procurement team has developed a comprehensive implementation plan to help prepare for the Act. The action plan was compared against the Crown Commercial Service’s guidance document and was found to align well. It also records clear timescales and responsibilities for completion of actions. The council has taken sufficient action, through its plan, to prepare the council to the extent possible while it awaits further guidance from the Cabinet Office and Government Commercial Function.

A Procurement Reform Group coordinates the work of the Commercial Procurement and Legal Services implementation. Progress against the implementation action plan is reported through directorate management structures. In addition, the council’s progress has been discussed at the Council Management Team and continues to be reported to the Scrutiny Management Committee.

However, the council's Procurement Act 2023-specific risk register, and reporting of these risks, does not meet the requirements of the council's Risk Management Policy and Guide.

A review will be undertaken of the Procurement Act risk register to ensure it meets all requirements in the council’s Risk Management Policy. A clear separation between risk owner and risk actioner will be completed alongside prioritising the risks. The risk register will continue to be updated and developed to meet the required standards.

Following a restructure of the Council’s Leadership Team, a new directorate risk register is currently being created. This will consider risks relating to implementation of the Act.

APPENDIX D: ASSURANCE AUDIT OPINIONS AND FINDING PRIORITIES

Audit opinions
Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit. Our overall audit opinion is based on four grades of opinion, as set out below.
Opinion	Assessment of internal control
Substantial assurance	Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified.
Reasonable assurance	Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made.
Limited assurance	Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation.
No assurance	Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse.

Finding ratings
Critical	A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management.
Significant	A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.
Moderate	The system objectives are not exposed to significant risk, but the issue merits attention by management.
Opportunity	There is an opportunity for improvement in efficiency or outcomes but the system objectives are not exposed to risk.

APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS

Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee.

To simplify the presentation of follow-up information, all agreed actions previously reported to this committee on the priority 1-3 scale have been converted to reflect their equivalent rating under Veritau’s new rating system of critical, significant, moderate, and opportunity. This is required now that internal audit reports are being presented in the new format.

To remind the committee, Veritau is no longer attaching priorities to agreed actions. Instead, ratings of ‘critical’, ‘significant’, ‘moderate’ and ‘opportunity’ are given to each detailed finding raised in our reports. These ratings reflect the severity of the issue identified. Agreed actions then effectively inherit the rating of the finding to which they are attached.

A total of 104 actions have been followed up so far during 2024/25, up to 31 October 2024. A summary of the priority of these actions and the outcome from the follow up activity is detailed below. Actions are marked as superseded if circumstances have changed sufficiently that the action is no longer required. Revised dates are agreed where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable.

Actions followed up		Results of follow up of agreed actions
Priority of actions[1]	Number of actions followed up	Action implemented	Revised date agreed	Superseded
Critical	0	0	0	0
Significant	62	43	18	1
Moderate	42	35	6	1
Total	104	78	24	2

[1] As ‘Opportunity’ is a new priority rating for actions, there are currently none to follow up.