Agenda item

To present the report of the Head of Audit and Risk.

The Annual Report of the Internal Audit Service for 2019/20 was presented for the Committee’s consideration. The report outlined the Internal Audit work carried out during the year ended 31 March, 2020 based on which the Head of Audit and Risk gave her overall opinion on the adequacy and effectiveness of the Council’s framework of governance, risk management and control during the year which also informs the Council’s Annual Governance Statement.

The Head of Audit and Risk reported that for the 12 months ended 31 March, 2020, the Isle of Anglesey’s Chief Audit Executive i.e. the Head of Audit and Risk is of the opinion that the organisation had an adequate and effective framework for risk management, governance and internal control. While the Head of Audit and Risk does not consider there to be any areas of significant concern, some areas require the introduction or improvement of internal controls to ensure the achievement of objectives, and these are the subject of monitoring. There are no qualifications to this opinion.

The Officer said that the opinion above was reached based on the work and activities undertaken by the Internal Audit Service during the year specifically with reference to the following –

•           During 2019/20, the Internal Audit Service reviewed 50% of the risks in the corporate risk register with a red or amber residual risk rating (83% over a 17 month rolling period) (Appendix A refers) and was able to provide Reasonable assurance that the Council was effectively managing all but one of the risks reviewed. The review of IT Resilience finalised towards the end of 2019/20 concluded in a Limited assurance rating and has received attention from the Senior Leadership Team.

•           Of the total 21 audits finalised during 2019/20, six were awarded Substantial assurance for the arrangements for governance, risk management and internal control with no significant or material risks/issues identified compared to three in 2018/19. Thirteen reviews resulted in a reasonable assurance rating (14 in 2018/19). As in the previous year, two audits received a Limited assurance rating; two reports remain with Limited assurance after follow-up and will continue to be reviewed to monitor the implementation of the risks raised.

•           No audits received “No” assurance and no Critical (red) issues/risk were raised during the year. There are no red issues/risks currently outstanding.

•           Where Internal Audit has identified issues/risks, Management has accepted them all

•           During 2019/20 Internal Audit found senior management at the Council to be supportive and responsive to the issues raised.

•           There were no issues deemed to be of a significantly high risk or impact to warrant inclusion in the Annual Governance Statement

With regard to performance, the Internal Audit Service has in place a quality assurance, and improvement programme to ensure continuous improvement. The Service has performed well during the year against the targets agreed with the Audit and Governance Committee as part of the Strategy for 2019/20 (Appendix D) with 3 out of 5 indicators meeting or surpassing their targets. The service has performed less well in terms of the percentage of the red and amber residual risks reviewed and in respect of its staffing complement with staff lost again in the year to promotion, secondment and long-term absence. The service has also benchmarked its performance against the 22 members of the Welsh Chief  Auditors Group (although only 19 participate) and despite not benefiting in terms of economies of scale with Anglesey being a small authority based on population, the service achieved top quartile performance for completing audits within planned time and for client satisfaction.  An external assessment of the Council’s Internal Audit Service in March 2017 provided assurance that the Service “generally conforms” with the Public Sector Internal Audit Standards which is the top assessment available to the assessor.

Going forwards, the experience from last year as well as that gained during the emergency response to Covid-19 has provided valuable learning and, together with two new members of staff, new risk management software and upgraded action tracking software, will place the Internal Audit team in a good position to ensure the delivery of its plan and to continue to support the Council as a key component of its governance structure.

The Committee considered the report and discussed the following issues –

•           Further clarity on the performance measures set out in Appendix D to the report which compared performance against targets and benchmarked with the Welsh Chief Auditors Group which to the Committee appeared high and not reflective of actual performance within the twelve month period.

The Head of Audit and Risk clarified that the audits completed within planned time are those that have been completed within the timescale allocated to them i.e. 100% in 2019/20. Higher targets – agreed in February, 2020 – have been set for 2020/21 but these are now likely to prove unrealistic and to be of minimal value in light of the changed circumstances which Covid-19 has created. However, although the Service did not achieve its target of auditing 80% of the red and amber residual risks on the corporate risk register within the twelve month period of 2019/20, it did achieve 83% over the longer time timeframe of 18 months from November, 2018 to April, 2020 thereby providing the Committee with assurance that the major risk areas have been covered. The Committee was further advised that the coverage is now up to 86% with only 2 of the red/amber residual risk areas remaining unaudited.

In response to a further question about the adequacy of its staffing levels, the Head of Audit and Risk advised that half of the Internal Audit team has been redeployed to the Covid-19 emergency response meaning that two out of the five members of the team are currently undertaking audit work while the response to the Covid-19 emergency remains live. The two full time posts advertised earlier in the year have each been filled on a part-time basis with one appointee having commenced in post in June and  the other due to commence in August. Notwithstanding the reduction in capacity, the work which the Internal Audit Service has undertaken this year has been significant and has involved carrying out a review of the Council’s response to the Covid-19 emergency including whether the arrangements it had in place for governance, IT provision, evidence gathering and data analysis, and engagement and collaboration were safe, robust, effective and fit for purpose. This work has also shown the Internal Audit Service to be flexible and adaptive in being able to change its plans and focus in response to the changing risk environment. Going forwards the Service will be concentrating on the immediate priority areas as agreed with the Senior Leadership Team which may mean that other aspects of work e.g. the Audit Committee’s self-assessment will be delayed.

•           Whether the new working environment wherein the majority of the Council’s staff are working remotely from home added to reduced capacity, are likely to impact on the Internal Audit Service’s ability to carry out its plans.

The Head of Audit and Risk advised that home working for the Internal Audit team is neither a new experience nor an issue in terms of productivity and does not affect the way team members do their job it not being difficult to conduct an audit in this way in terms of sharing documents. In relation to team working, working remotely has led to effective communications using technology, and more frequent team meetings have been held this way. Internal Audit and Risk Management has thrived especially as a result of the aforementioned work undertaken in relation to the emergency response team with this Authority’s Internal Audit service being the only Internal Audit service nationally to conduct such a review to date. As a result CIPFA has asked the Authority to submit a case study to be shared with other internal audit teams.

•           The audit review of  IT resilience which resulted in Limited assurance being provided and whether the situation has since improved and whether as a connected issue, the new ways of working which the emergency has created can be supported by the Authority’s IT systems going forwards.

The Head of Audit and Risk in confirming that a great deal of work had since been undertaken clarified that the limited assurance applied to the structure of the IT team with some key roles being reliant on one member of staff thereby increasing the service’s vulnerability in the event that the staff occupying those roles depart or are absent. This issue has now been addressed with supporting arrangements having been put in place. A follow-up review will take place in September. In addition, as part of its review of the arrangements which the Authority had in place to respond to the Covid-19 emergency, Internal Audit looked at IT resilience including internet bandwidth and remote access capacity and found that the IT provision was effective in the context of the emergency response.

In response to a question by the Chair about the schedule for reviewing YM32 – the risk of the Council being unable to provide the necessary investment in leisure facilities to maintain the current level of provision, the Head of Audit and Risk clarified that although the risk will remain on the register, there are no immediate plans to review the risk.

•           Whether having issues outstanding from 2014 shows the Authority’s governance arrangements in a bad light and whether these can be dealt with promptly or abandoned.

The Head of Audit and Risk clarified that the three outstanding issues/risk from 2014 relate to System Control and segregation of Duties within Payroll. The ongoing restructure of the payroll team has now been completed with the result that 2 of the 3 outstanding issues have been signed off. The third remains the subject of discussion.

It was resolved to accept the Internal Audit Annual Report for 2019/20 and to note that the Head of Audit and Risk is satisfied with the adequacy and effectiveness of the Council’s overall arrangements for risk management, governance and internal control subject to introducing and/or improving internal controls in some areas.

NO ADDITIONAL ACTION WAS PROPOSED