Agenda item

Internal Audit Annual Report 2015/16

To present the annual report of the Internal Audit Service for 2015/16.


The Annual Report of the Internal Audit Service for 2015/16 was presented for the Committee’s consideration and endorsement in accordance with the requirements of the UK Public Sector Internal Audit Standards and the CIPFA UK Standards which came into force on 1 April, 2014 whereby the Head of Internal Audit Service is required to provide this Committee with assurance on the whole system of internal control. The report provided an analysis of the performance of the Internal Audit Service for 2015/16 and was supported by Appendices A to H which detailed the progress against performance targets for the year along with slippage during the year.


The Internal Audit Manager reported on the Service’s performance during the period from 1 April 2015 to 31 March 2016 and the factors which had impacted thereon. The Officer confirmed that the Service achieved 60.32% of the Annual Plan against a target of 80% and an all Wales average performance indicator of 83%. However, there are four audits which constitute work in progress at the year-end and will demonstrate on their completion that 67% of the Annual Plan has been achieved.


All of the audits performed during the year (Appendix C) have resulted in positive levels of assurance with the exception of ICT Disaster Recovery, which was assessed as providing Minimal Assurance, and five other areas as noted in paragraph 4.2.2, which were assessed as providing Limited Assurance. The overall outcome of the Internal Audit work identified that 73% of reviews resulted in positive opinions (Substantial or Reasonable) and 27% resulted in negative assurance opinions. The 27% of reports receiving negative assurance opinions was made up of 6 reports – the one aforementioned minimal and 5 limited assurance audits.


Recommendations are currently ranked as high, medium or low according to the perceived risk as outlined in Appendix F. Those rated as low are not subject to formal follow up by internal audit and are not included in the analysis. As at 31 March 2016, 74% of high and medium recommendations had been recorded as implemented.


The Officer drew attention to areas where significant weaknesses in control had been identified and which will continue to be a concern for Internal Audit until all significant recommendations have been implemented and assurance can be provided that the appropriate frameworks and systems are in place. An update on the position with regard to these particular areas was provided in paragraph 6.5 of the report.


The Officer confirmed that, notwithstanding that the Audit Plan was not completed in full, she was satisfied that the work undertaken during the year allowed her to draw a reasonable conclusion as to the adequacy and effectiveness of the Council’s control processes for those areas reviewed. She was also able to say that she was satisfied that the work of the external regulators together with the Authority’s service performance reviews allowed her to draw a reasonable conclusion that for the 12 months ended 31 March, 2016, Anglesey County Council has satisfactory internal control, risk management and corporate governance processes to manage the achievement of the organisation’s objectives.


The Committee considered the Annual Report and the information provided and, given the concern expressed at its previous meeting regarding the capability of the Internal Audit service to deliver the plan because of issues around resources, it welcomed the eventual out-turn which, when the four audits in progress have been completed, will have resulted in 67% of the Plan being accomplished, as testament to both a commendable performance and to the effort put in by the service. The Committee also noted the following matters:


           That the broad picture is a positive one and that from the areas covered by it during the year, the Internal Audit Service is able to provide a reasonable conclusion as to the general effectiveness of the Council’s system of internal controls and governance and risk management arrangements.

           The Committee noted those areas which were assessed as providing minimal or limited assurance due to the identification of more significant control failings and it requested an update report at its next meeting on the progress of the actions being taken to address the weaknesses in relation to ICT Disaster Recovery, the audit of which had resulted in a minimal assurance opinion. The Internal Audit Manager confirmed that a follow-up audit of this area has since led to the assurance level being re-assessed as reasonable.

           The Committee noted that although an audit of Payroll key controls resulted in a reasonable audit opinion, it was aware of an issue arising with regard to Payroll recently regarding which it sought clarification. The Head of Resources and Section 151 Officer reported on a malfunction that had affected the Payroll system for a short period of time recently, the contingency actions taken to meet immediate needs, the steps taken to resolve the matter and also to ensure that once the system had been successfully updated, there would be safeguards to reduce the risk of the problem reoccurring.

           The Committee noted that resourcing the Internal Audit Service remains an issue which it believed needs to be kept under review and it sought assurance that any shortfall impacting on the service’s ability to discharge its responsibilities would be brought to its attention. The Committee noted that the issue was to have been highlighted with the Strategic Leadership Team and it requested that this be followed up. The Head of Internal Audit said that the critical issue is whether the level of internal audit activity can provide an adequate level of assurance at the year’s end and the annual report testifies to that being the case. The Head of Function (Resources) and Section 151 Officer confirmed that the situation is being monitored and that he was satisfied that the coverage provided is adequate at present and that prioritisation is achieved through the planning process so that the Audit Plan covers the right areas in terms of risk.

           The Committee sought clarification of the role of the Corporate Fraud Officer and the potential for enhancing the function of the post to deliver more extensive benefits than those referred to under paragraph 4.5.2 of the report. The Head of Function (Resources) and Section 151 Officer said that there is scope to review the role as regards delivery as well as the approach taken to fraud prevention work and how that is undertaken. The Internal Audit Manager said that the Officer has also been a contributor as regards the special investigation work set out in Appendix H to the report.

           The Committee noted that it would like to be provided with regular summary updates on the status and progress of actions in relation to specific areas of concern where the assurance level has been limited or minimal on a by whom, by when basis until such point as it can be satisfied that the associated risks have been reduced or eliminated and that the ongoing processes for managing them are appropriate.


It was resolved that the Audit and Governance Committee is assured that for the 12 months ended 31 March, 2016, Anglesey County Council had satisfactory internal control, risk management and corporate governance processes in place to manage and support the achievement of the Authority’s objectives.




           ICT Business Continuity and Support Manager to provide the Committee with an update on progress in respect of addressing issues in relation to ICT Disaster Recovery.

           Head of Function (Resources) and Section 151 Officer to follow up with the Senior Leadership Team the Committee’s concerns regarding the adequate resourcing of the Internal Audit Service.

           Head of Function (Resources) and Section 151 Officer/Internal Audit Manager to incorporate within the quarterly reporting process to Committee a summary update on specific areas of concern to include the status of actions, the responsible officers and the timeline for completion.
