Agenda item

Internal Audit Update

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk, which updated the Committee on the work of the Internal Audit section since the last update as at 1 December, 2021, was presented for consideration. The report set out the audits completed in the period, the current workload of Internal Audit and its priorities for the short to medium term.

The Head of Audit and Risk highlighted the two audit reports finalised in the period. The first, Information Governance, resulted in a Reasonable Assurance opinion and raised 2 major and 5 moderate issues/risks, details of which are provided in paragraphs 3 to 11 of the report. The second, Software Licence Management, which is one of three pieces of work which Salford City Council’s specialist IT Audit team was commissioned to undertake, resulted in a Limited Assurance opinion and raised one major and 9 moderate issues/risks; further details are provided in paragraphs 12 to 16 of the report. An action plan to address the issues/risks identified has been agreed and has been made available to the Committee’s members; assurance is taken from the Council’s proposed migration to “Cloud” based applications for some of its mission critical applications, which will mitigate some of the risks identified.

The six audits noted in the table at paragraph 17 of the report are currently in progress, and work continues on investigating the first tranche of the National Fraud Initiative 2020/21 matches released in January, 2021. As at 1 February, 2022 there were 18 overdue actions (8 major and 10 moderate) which all fall within the Resources Services and relate to issues/risks raised in the four audits listed at paragraph 27 of the report. Internal Audit is working with the service to provide support with implementing the actions. Internal Audit’s short to medium term priorities are set out in paragraphs 30 to 32 of the report and focus on reviewing the red and amber residual risks not yet reviewed or not reviewed in the last two years from the now re-designated Strategic Risk Register. The Annual Internal Audit Strategy for 2022/23 is also in development. For the longer term, Internal Audit will be looking to deliver the Counter Fraud, Bribery and Corruption Strategy for 2021-24, working with colleagues in the Performance Team to improve assurance mapping across the Council and contributing to the development of the Performance Review, and preparing for the External Quality Assessment due in June, 2022. In addition, following its issuing of the final report on the Management of School Unofficial Funds, Internal Audit has been working on refreshing the guidance document, providing training for head teachers and governors and undertaking quality assurance checks of the certificate submitted by schools.

Officers responded to the Committee’s questions as follows –

· With regard to the Limited Assurance review of Software Licensing, the IT Team Manager advised that the cost of all the software licences for the Council for 2021 was in the region of £580k and included all individual licences, software licences and the maintenance of those licences. With regard to reducing the cost, he confirmed that while some of the actions detailed in the report address the need to manage the risk that unlicensed or unauthorised software is in use, other actions come from the perspective of cost reduction and securing value for money. Suggested controls include introducing a register of software assets to provide an integrated way of identifying where those individual assets are aligned. As well as providing a way of keeping track of who has what, a comprehensive register would also help identify whether unnecessary software licences are being held, thereby avoiding the duplication and/or re-purchasing of licences.

· Although the IT Unit monitors the licence position for the Council’s software in the main, the IT Team Manager advised that the risk that unauthorised software could be used could apply in instances where the Council works in partnership with third parties/companies whose licensing arrangements are not known, or where software is purchased via channels that are not captured by the standard IT processes which would verify whether or not there is already a licence for that software. Whilst the audit review report notes the controls that are already in place to limit such occurrences, the implementation of additional controls is recommended to strengthen existing processes and provide further assurance.

· With regard to overdue actions, it was clarified that Covid-related absences have contributed to the overdue actions in the four audits pertaining to the Resources function. The Director of Function (Resources)/Section 15 Officer advised that capacity issues have affected the timely implementation of the recommended actions in the four audits, as managers’ time in the income and debtors teams is taken up by day-to-day responsibilities, leaving little or no time for addressing the effectiveness of business processes. An external resource has since been commissioned to review processes and to respond to the audit recommendations, and as part of the 2022/23 budget approval process the Resource function has submitted a bid for funding for a Business Manager post to review systems, processes and practice across the function and to implement any improvements identified.

It was resolved to note Internal Audit’s assurance provision and priorities going forward.