Agenda item

To submit the Internal Audit Progress Report to 31 October, 2015.

The report of the Internal Audit Section on the work of the  Internal Audit Service during the period from 1 April to 31 October, 2015 was presented for the Committee’s consideration.

The Committee considered the information presented and highlighted the following matters –

•           With reference to performance targets, the Committee noted that progress has been hampered by a higher than expected level of sickness within the service and that the Team has been carrying a vacancy (which it was informed had since been filled).The Committee sought assurance that the Internal Audit Service has adequate staff resources to be able to carry out its duties effectively including the fulfilment of the Audit Plan and whether if needed there might be recourse in the short term to an audit officer at Conwy County Borough Council’s as the provider of the internal audit management function at Anglesey.

The Head of Internal Audit said that sickness absence is unpredictable and therefore difficult to plan for .The arrangement with Conwy County Borough Council was not intended to enable an officer resource to be parachuted in to bridge a gap and that the resources already available within Anglesey’s Internal Audit Service must be managed as effectively as possible. The issue for the Head of Internal Audit and Head of Resources is whether the Internal Audit function in Anglesey is sufficiently equipped to provide adequate coverage of activities on Anglesey to provide the level of assurance required at the year end. The service seeks to meet the requirements of the Audit Plan as mandated but the situation can change for example, because of additional unplanned work; it is the role of the Head of Internal Audit to ensure that the level of audit coverage by the end of the year is adequate to provide a sound basis for the opinion on the level of assurance that Internal Audit provides.

The Head of Resources and Section 151 Officer said that the Section 151 Officer and External Audit need to be satisfied that Internal Audit is able to provide them with the necessary level of assurance otherwise consideration will have to be given to putting in additional resources into Internal Audit. That point has not been reached. The Finance Service has engaged a trainee accountant who is spending periods of work in all the Finance sections and who as part of the training programme, will shortly be moving to Internal Audit thus providing the service with some extra coverage.

•           The Committee sought clarification of the extent and impact on the Audit Plan of unplanned audit work especially that pertaining to grant work as outlined in Appendix B to the report, and queried whether given these grants are known and ongoing and are not  ad-hoc, work on them should be factored into the Audit Plan. The Audit Manager said that the grant work involves work formerly undertaken by External Audit and the administration fee is inbuilt in the grant. The Head of Resources and Section 151 Officer said that the work is unplanned as regards its timing; the Officer suggested, and it was agreed that the Committee be provided with a report setting out the process for auditing grants and how the expectations of the Wales Audit Office are met.

•           The Committee referred to the summary of audit recommendations and assurance levels as at Appendix D and the key messages therefrom and it sought clarification of the situation in relation to recommendations that remain unimplemented. The Head of Resources and Section 151 Officer  said that with regard to recommendations relating to the Finance Service which show as unimplemented, the follow up audits will demonstrate that many of these will have been actioned  either as recommended or in alternative ways that still address the weakness identified. In relation to debtors, a great deal of work has been undertaken to address this issue and to reduce the debtor balance through recovery actions or by writing off unrecoverable debts. Services are now in possession of far more accurate information on the level of debt within their respective services and systems such as direct debit and pre-payment are geared towards facilitating the prompt collection of income.

•           The Committee noted that ICT Disaster Recovery and Business Continuity are still deemed to be areas where the assurance level is limited and it noted both as areas of recurring concern for the Committee. The Committee took the view that it should now be exercising its authority to hold Management to account for the inadequate response to Internal Audit recommendations to improve the system of controls in these two areas and because of the risks involved, they should also be flagged up with the Senior Leadership Team as requiring attention. The Audit Manager said that she would endeavour to complete the follow up audits on ICT Disaster Recovery and Business Continuity in time for the next Audit Committee meeting in February, 2016.

•           The Committee noted that the assurance level for Information Governance is judged to be reasonable whilst the key messages from the Annual Review of Compliance remain largely negative. The Committee was informed that the scope of the reviews undertaken by the ICO’s Office in 2012 and 2013/14 which was concerned with Data Protection Governance and Records Management was different to that undertaken by Internal Audit which looked at compliance with existing policies. The ICO’s enforcement notice was issued after the publication of the draft IA review report. Work on information governance including addressing both the recommendations relating to the enforcement notice and the recommendations of the Internal Audit review is being done under the oversight of a board. It was suggested and agreed that the Committee be provided with an update on Information Governance compliance issues at its next meeting so that it is clear regarding where the Authority is at on this matter.

It was resolved to accept the progress report and to note its contents.

ACTIONS ENSUING:

•           That the follow up audits in relation to ICT Disaster Recovery and Business Continuity be presented to the Audit and Governance Committee’s next meeting.

•           That the ICT Business Transformation Manager be asked to attend the next meeting to brief the Committee on progress to date on the above two areas.

•           That the Senior Leadership Team be made aware of the Committee’s continuing concern with regard to ICT Disaster Recovery and Business Continuity as high risk areas requiring attention.

•           That the Head of Council Business be asked to update the Committee at its next meeting on the position with regard to Information Governance compliance.

•           That the Head of Resources and Section 151 Officer provide the Committee at its next meeting with a report on the process for auditing grants and how the expectations of the Wales Audit Office are met.