Agenda item

Update on the Internal Audit Strategy and Priorities 2020/21

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk providing an update as at 18 August on the work of Internal Audit  since the last report to Committee on Internal Audit activity in February, 2020 together with  the priorities for the short to medium term was presented.

 

The Head of Internal Audit –

 

           Updated the Committee on the assurance work completed for 2019/20 comprising of 3 audits the results of which were presented to the Committee’s July meeting as part of the Internal Audit Annual Report for 2019/20. Due to services being heavily involved in responding to the emergency, work on four audits were suspended (paragraph 9 refers). Once staff return from their redeployment, work on those audits will resume

           Reported that early on in the Covid-19 emergency, the Deputy Chief Executive on behalf of the Emergency Management Response Team (EMRT) commissioned Internal Audit to provide assurance that the Council’s emergency response arrangements were safe, robust, effective and fit for purpose. The outcome of this work was reported in two parts and provided Reasonable Assurance for each. Six Issues/Risk were raised and these were reviewed a month later and all were found to have been addressed. (Copies of the reports were issued separately to the Committee’s members).The work which the review of the emergency response entailed is ground-breaking in so far as no other local authority Internal Audit service has conducted such a review and consequently Anglesey’s Internal Audit Service has been asked by CIPFA to produce a case study.

           Explained that due to services being heavily involved in responding to the emergency, work on following up actions to address the Issues/Risks raised previously in audit reports was suspended with the result that a number of actions have become overdue. The 4action dashboard at Appendix 1 shows that as at 18 August 5 Major and 6 Moderate actions were overdue. The Committee was further advised that as at present only 1 Major action remains overdue and is within the Learning Service and relates to the absence of central compliance monitoring to ensure policies and guidance are followed with regard to Primary School income collection. Also, the Major outstanding actions have reduced from 19 to 15 with Moderate outstanding actions remaining at 34.

           Referred to the Corporate Risk Register priorities confirming that in 2019/20 50% of the risks in the corporate risk register with a red or amber residual risk rating were reviewed (83% over a 17 month rolling period).The remaining 3 risks that need to be reviewed to complete red and amber risk coverage over a 12 month rolling period will have to be parked until capacity is restored, as in the current circumstances they are considered a low priority. The EMRT has developed a separate risk register to capture the risks associated with the pandemic – it contains 35 risks and these are a priority which Internal Audit will be focusing on to provide assurance that they are being effectively managed.

           Outlined the priorities for Internal Audit over the coming months divided into high, medium and low priority taking into account the availability of staff within other services as well as the resources available to Internal Audit. The High priority items include post-event assurance to assess the risks associated with the relaxing of policies and processes during the emergency response; NDR Fiscal Stimulus – Business Grants post payment assurance to provide assurance that payments have been made to the correct organisations and that its use was as intended; Managing the Risk of Fraud – Payments (Supplier Maintenance and Payments) in light of the increased risk of fraud posed by the current climate and collaborating with the National Fraud Initiative biennial exercise.

           Updated the Committee on the resourcing of Internal Audit and Risk Management with regard to recruitment, redeployment, and secondments.

 

The Committee considered the report and thanked the Internal Audit Service for its work during the period. The Head of Audit and Risk provided the following further clarifications in response to questions by the Committee on the matters noted –

 

           That with regard to the overdue action in the Learning Service in respect of central compliance monitoring of policies and procedures in relation to primary school income collection, the Learning Service’s performance staff have been heavily involved with the community hubs over the past few months. The Service is now working on the outstanding recommendations and Internal Audit is assured that it will not be long before the issues/risks remaining to be addressed are implemented.

           That with regard to the Limited Assurance audit of IT resilience and whether in light of the proliferation of cyber security incidents and an increase in attempted fraud against local authority systems, the follow up audit should be brought forward from April, 2021, the audit was focused on the resilience of IT infrastructure rather than cyber-security arrangements. A previously conducted internal audit of the latter did provide a Reasonable assurance opinion. The resilience of the IT provision was also examined as part of the audit of the Council’s Covid-19 emergency response and the rapid shift to large scale digital working which that entailed, and was found to be robust and effective.

 

The Chief Executive confirmed that the IT Service is now reviewing cyber security arrangements in terms of staff and expertise in order to further improve protection for the future.

 

           That with regard to the adequacy of resources to support remote working/ meetings, the Head of Democratic Services confirmed that arrangements are being reviewed and that a questionnaire is to be circulated to Members to establish IT hardware and software needs to facilitate/improve the conduct of remote meetings. 

           That Salford City Council has been commissioned by Internal Audit to undertake a piece of work to health check the Council’s IT function with a view to providing assurance about the effectiveness and robustness of the Council’s IT arrangements at the same time as providing the service with the benefit of their knowledge and expertise in this area.

 

It was resolved to note Internal Audit’s assurance provision and priorities going forward.

 

NO ADDITIONAL ACTION WAS PROPOSED

Supporting documents: