Agenda item

To present the Internal Audit Annual Report for 2016/17.

The Annual Report of the Internal Audit Service for 2016/17 was presented for the Committee’s consideration. The report provides an analysis of the performance of the services for the period from 1 April, 2016 to 31 March, 2017 and incorporates an assurance statement based on the work of Internal Audit during the year ended March, 2017.

The Internal Audit Manager highlighted the main considerations as follows –

•           A schedule of the Service’s performance against established targets for the year (Appendix A) shows that the Service achieved 73.85% of the Annual Plan against a target of 80% and an all Wales average performance indicator of 85%. There were 3 audits which constitute work in progress at the year end and will demonstrate on completion that 78.46% of the Annual Plan has been achieved. The shortfall was due to the factors described in section 3.2.2 of the report.

•           The Service completed 48 audits during the year, 4 of which were unplanned, against a planned target of 65 audits. 79.17% of audits were completed within the planned timescale against a challenging performance indicator of 90% and compared to an all Wales average figure of 68%. Achievement of this indicator was affected by 7 projects which exceeded planned targets and which accounted for 97.62 days.

•           The performance with regard to recommendations accepted is 98.57%. Out of a total of 279 recommendations issued, there was a failure to agree on 4 which were assessed as being low impact.

•           Draft audit reports were issued within 3.59 days against a performance target of 7 days and an all Wales average of 7.2 days.

•           Slippage of 258 days occurred in the year that resulted in 23 planned audits not being performed for the reasons outlined in paragraph 3.2.2 of the report. Audit assurance cannot be provided in respect of audits removed from the 2016/17 Plan. These areas for review will be prioritised during 2017/18. A schedule of the actual slippage that occurred in the year is shown under Appendix B to the report.

•           All the audits performed during the year have resulted in positive levels of assurance with the exception of the 7 audits listed in paragraph 4.2.2. of the report which were assessed as providing Limited Assurance. These will be followed up during 2017/18.

•           A further review of the Risk Management Framework was undertaken during 2016/17 which demonstrated reasonable progress in embedding risk management in the Authority.

•           The overall results of the Internal Audit work identified that 81.08% of reviews resulted in a positive assurance opinion (Substantial or Reasonable) and 18.92% resulted in a negative assurance opinion (Limited or Minimal). The 18.92% of reports receiving negative assurance opinions is made up of 7 reports (7 Limited, Nil Minimal).

•           A schedule of the 11 follow up audits and their outcome is provided at Appendix E to the report. The table in section 4.4.3 of the report summarises the implementation of High and Medium rated recommendations as at 31 March, 2017.The percentage implementation rate as at 31 March, 2017 was 86% recorded as implemented. All outstanding High and Medium recommendations are documented in Appendix G to the report.

•           The Internal Audit Service has undertaken 11 investigations some of which were brought forward from 2015/16.This has accounted for 224.46 days work compared to an annual target of 153 counter fraud work.

•           In giving an audit opinion, it should be noted that assurance can never be absolute. The most that the Internal Audit Service can provide to the Committee is a reasonable assurance based upon the work undertaken during the year that there are no major weaknesses in other than those identified. Qualifications to the Audit opinion are set out in paragraph 3.5.1 of the report and take account of the considerations listed in paragraph 6.1.2.

•           The Audit Manager is aware of areas where significant weaknesses in control would prevent the Council placing reasonable reliance on systems of internal control in respect of the work of the Internal Audit Service during the year. The current position with regard to those areas is set out in section 6.5 of the report.

The Internal Audit Manager concluded that overall, she was satisfied that the internal audit work undertaken during 2016/17 allowed her to draw a reasonable conclusion as to the adequacy and effectiveness of the Council’s control processes for the areas reviewed. The Officer confirmed that she was satisfied that the work of the external regulators together with the Authority’s service performance reviews allowed her to draw a reasonable conclusion that for the 12 months ended 31 March, 2017, the Isle of Anglesey County Council had in place, satisfactory internal control, risk management and corporate governance processes to manage the achievement of the organisation’s objectives.

The Committee considered the information presented about the work of the Internal Audit for the year to 31 March, 2017 and the level of assurance that the outcome of that work was able to provide. The Committee noted that as at the time of reporting, only 74% of the Annual Plan had been delivered; the Committee noted further that the audits not undertaken could relate to areas where there might be weaknesses in control arrangements which may pose a risk both as regards the immediate areas concerned and as regards the wider Council. The Committee sought clarification therefore whether the conclusion as to the reasonableness of the assurance which the Council’s system of internal control is able to provide can be justified. The Internal Audit Manager said that the Internal Audit approach is risk based. The Council’s Corporate Risk Register is the main reference point in shaping the Audit Plan but service risk registers as well as internal and external audit reports are also consulted. The Audit Plan is informed by an accumulated knowledge of the risk environment which helps identify which areas require audit coverage. Any slippage that has to occur will be in relation to lower risk areas.

It was resolved that having considered the information presented both verbally and within the documentation, the Committee is assured that for the 12 months ended 31 March, 2017, the Isle of Anglesey County Council had satisfactory internal control, risk management and corporate governance processes in place to manage and support the achievement of its objectives.

NO FURTHER ACTION ENSUING