Agenda item

Internal Audit Update

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk which provided an update on Internal Audit’s latest progress with regard to service delivery, assurance provision and reviews completed was presented for the Committee’s consideration.

 

The Head of Audit and Risk highlighted the main points as follows –

 

           That four audit reports were finalised in the period relating to the Direct Payments Scheme, which resulted in a Limited Assurance opinion; Recruitment and Retention; Gypsies and Travellers (Requirements of the Housing Act 2014) and Leisure Function – Governance and Control, all three of which were considered to provide Reasonable Assurance. For all three reviews, Internal Audit identified scope for improving controls in future in the areas audited which is reflected in action plans agreed with Management. Internal Audit raised 2 Moderate Risks/Issues on the Recruitment and Retention review; 2 Major and 1 Moderate Risks/Issues on the Gypsies and Travellers review and 2 Major and 9 Moderate Risks/Issues on the Leisure Function review.

           That with regard to the Direct Payments Scheme Limited Assurance Review, 5 Moderate Risks/Issues were raised, and whilst the audit review confirmed compliance with legislation in implementing policies and procedures and the accuracy and timeliness of the payments made, it identified shortcomings in relation to reviewing the care plans that support direct payments; obtaining confirmation of Panel approval; risk assessments not undertaken; and evidence of service users’ involvement in care and support plan decisions not consistently obtained. A formal project team is addressing the risks and issues raised; the team meets on a monthly basis and has access to external support. Of the five Risks/Issues raised, two that were due to be implemented by this time have been implemented, and work is in progress on the remaining three. Internal Audit will conduct a follow-up review in September, 2019.

           That although the review of Direct Payments raised 5 Moderate Risks/Issues resulting in a Limited Assurance opinion compared with the 2 Major and 9 Moderate Risks/Issues raised on the Leisure Function review which resulted in a Reasonable Assurance opinion, the latter constituted a much greater area and the issues raised are primarily of a housekeeping nature. The Direct Payments is a much smaller system and whilst the numbers and volume involved mean that the 5 Risk/Issues raised are at a Moderate level in terms of their corporate impact on the Council, Internal Audit was only able to provide Limited Assurance with regard to the Direct Payments system itself.

           That one Follow-up review has been finalised in the period relating to Child Care Court Orders under the Public Law Outline. This has resulted in the original Limited Assurance rating being upgraded to a Reasonable Assurance opinion. A Follow-up review of Payment Card Industry Data Security Standards Compliance is currently in progress and a further four Follow-ups are scheduled to be undertaken in the first six months of the year – these are in relation to Income Collection in Primary Schools (First Follow-up); Sundry Debtors (Second Follow-up); System Control - Logical Access and Segregation of Duties (Fourth Follow-up) and Direct Payments (First Follow-up).

 

The Head of Function (Resources)/Section 151 Officer confirmed that the project which has been focused on Payment Card Industry Data Security Standards Compliance is nearing completion. A great deal has been invested in this project in terms of policy development and staff training across the services that use payment cards and therefore come within the Payment Card Industry Data Security Standards requirements.

 

           That Management performance in addressing Issues/Risks and implementing actions has plateaued over the last year, with a recent slight decline in implementing actions to address High, Red and Amber Risks/Issues. The new upgraded version of the action tracking system will be available shortly and will provide extra functionality whilst reducing the burden of administering the system. Internal Audit will undertake an exercise to cleanse the historical data and review the system configuration.

           That since the appointment of two new Senior Auditors, work on the 2018/19 Operational Plan has progressed well. Work is close to completion in four areas which are included as amber residual risks in the corporate risk register – these are outlined in paragraph 24 of the report. Two investigations have been concluded to which paragraph 25 refers. Work has also begun on the 2019/20 Audit Strategy with four audits currently in progress – Business Continuity Arrangements; Corporate Safeguarding, IT Resilience and Corporate Information Governance Health Check.

           In line with the requirements of the Public Sector Internal Audit Standards and as part of the Service’s continuous improvement of the audit approach, Internal Audit has reviewed the definitions of its Assurance Ratings which are set out in Appendix B to the report. The new definitions better reflect the judgements made by auditors at the conclusion of each audit.

           Internal Audit has also revised the Risk Management Policy Statement in line with the recommendations from the Risk Management Health Check conducted by the Council’s Insurers, Zurich Municipal. In accordance with the Council’s Constitution, the policy statement will be submitted to the Executive for approval and will be presented to the Audit and Governance Committee for review in July, 2019.

 

The Committee considered the report and made points as follows –

 

           The Committee sought clarification of whether the Direct Payments Scheme whereby individuals or their representative can organise and pay for their own care and support needs is a more efficient system than the traditional model whereby care and support services are provided directly or commissioned by the Council and whether this is the direction of travel for care services.

 

The Head of Function (Resources)/Section 151 Officer said that under the Direct Payment System, if the client employs a carer directly then they take on the responsibilities of employer and it is for them as employer to agree terms and conditions with the individual(s) they employ. The Council as employer has obligations to its employees in respect of the National Pay Structure, Local Government Pension Scheme and the Council’s Sickness Policy which all add to the costs. Therefore the cost of the Council providing the care is higher than if the individuals were to organise the care for themselves in which case the costs are significantly lower or are different. It is compulsory for local authorities to offer direct payments to any adult, child or carer eligible for a service under the Social Services Well-being (Wales) Act and the Council’s aim is to increase the take-up of direct payment but only for individuals who have been assessed as capable of managing the payments or have the necessary support to help them do so.

 

           The Committee noted that the Action Plans agreed with Management in relation to the Recruitment and Retention, Gypsies and Travellers and Leisure Function Internal Audit Reviews were not made available to the Committee. It was suggested that being able to see the action plans would be helpful to the Committee and especially so in putting into context the Reasonable Assurance rating given to the Leisure Function review despite the identification of 2 Major and 9 Moderate Risk/Issues as opposed to the Limited Assurance opinion of the Direct Payments review with 5 Moderate Risk/Issues.

 

The Head of Audit and Risk said that the Internal Audit Service in providing the Committee with information to enable it to take assurance that risks are being managed effectively will seek to ensure that the information the Committee receives is both relevant and manageable and is not so extensive that the Committee loses sight of the key issues. Presenting the Committee with action plans for each and every review including those where the assurance rating is Reasonable or above, would mean the Committee having a considerable amount of information to deal with and may mean it not being able to see the wood for the trees. However, where reviews lead to a Limited or Minimal Assurance rating as in the case of the review of the Direct Payment scheme, then the Committee is provided with the full report and action plan to enable it to consider whether appropriate and timely action is being taken to address the issues raised.

 

           The Committee noted that only 4 out of the 10 internal audit review reports on the Operational Plan (as presented to the Committee’s February meeting) with a target date of reporting to the April meeting of the Committee have actually been presented which suggests that the Service is 40% off target.

 

The Head of Audit and Risk said that a further four audits are nearing conclusion but could not be completed in time for submission to this meeting, there also being a process to be followed after an audit has been completed which involves formulating the draft report, an action plan and then finalising the end report. The Officer gave a brief update on the status of the four audits and confirmed that a further audit that was due to be reported in April, 2019 in relation to Recovery and Write-Offs (Car Loans) is now a consultation piece rather than an audit.

 

           The Committee sought clarification of whether the Internal Audit Service has the staffing capacity it needs to deliver the Operational Plan and whether, based on current resources, the Plan is realistic and achievable. The Committee noted that given that the assurance it obtains about the adequacy or otherwise of the Council’s governance, risk management and internal control processes comes from the information it receives from Internal Audit’s monitoring of the performance of those processes, it is important that Internal Audit is able to provide the Committee with the information it requires in a timely way and that it has the necessary resources to do so.

 

The Head of Audit and Risk said that, as has been noted in previous reports, the Internal Audit Service has in the past been disadvantaged by vacancies which have hampered the Service’s ability to deliver in the way it would wish and as intended. However, resource constraints are an issue in most councils and, as a smaller sized authority, the Internal Audit function in Anglesey compares favourably with many other authorities in Wales in having a team of five full time auditors, which in the Head of Audit and Risk’s professional opinion places the Service in a good position to ensure delivery of the Audit Plan (subject to noting that there is currently a sickness absence as well as a maternity absence in the team). Additionally, the Internal Audit Service has again been successful this year in engaging the services of an individual under the Council’s Denu Talent Scheme whereby up to 10 young persons 16 years of age and over have 12 weeks of paid work experience at the Council over the summer months. The Officer said that whilst maternity and sickness absence have been factored into the Audit Plan as contingency, it is difficult to project the amount of time that the Service may have to spend on investigations which can take up a not insignificant number of audit days.

 

The Committee noted the limitations placed on Internal Audit which may adversely impact on the Service.

 

           The Committee sought clarification of whether there is a standard national definition of assurance ratings and if there is not, whether in the interests of benchmarking and consistency, such a definition should be introduced.

 

The Head of Audit and Risk confirmed that whilst there is no one all-Wales definition of assurance ratings, councils’ definitions are not dissimilar, with substantial, reasonable and limited being generic terms common to most councils. However, the Internal Audit Service in Anglesey seeks to align its rating of issues and risks to the Council’s risk appetite, hence the use of the definitions in the Corporate Risk Matrix to define risks and issues raised.

 

It was resolved that having considered the information presented and the clarifications provided by Officers, the Audit and Governance Committee accepts and notes Internal Audit’s latest progress in terms of its service delivery, assurance provision, reviews completed, performance and effectiveness in driving improvement.

 

NO FURTHER ACTION WAS PROPOSED
