Agenda item

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk setting out the work carried out by Internal Audit to 26 January, 2018 was presented for the Committee’s consideration. The report provided a summary of the internal audit reports issued since 17 November, 2017; the outcome of follow up reviews of previous internal audit inspections; implementation of management actions; progress in delivering the Audit Annual Plan for 2017/18 along with the latest position in relation to the planned review of the Audit Committee’s terms of reference.

The Head of Audit and Risk reported on the main issues as follows and in doing she confirmed that she had sought to strike a balance between providing the full audit reports which involve more information than the Committee practicably needs for challenge and assurance purposes, and increasing the level of detail about each audit –

•           That five Internal Audit review reports were finalised during the period covering the areas noted below. All of the reviews resulted in either a Reasonable or a Substantial assurance rating:

•           General Data Protection Regulations (GDPR) (Reasonable) – 3 moderate level risks raised

•           Capital Expenditure (Substantial) – no risks or issues raised

•           Housing Rents: Readiness for Universal Credit (Reasonable) – 3 major, 7 moderate and 1 minor risk/issues raised

•           Supporting People Programme (Substantial) – no risks or issues raised

•           Referral – Payroll Overpayment – an advisory review

The Head of Audit and Risk elaborated on the findings for those reviews where risks and/or issues had been raised, the nature and degree of the risks identified, current and/or planned corrective actions, and the rationale for the audit conclusion reached. The Officer referred specifically to the audit review of Housing Rents where 3 major risks had been noted. Notwithstanding, the Officer confirmed that due to the preparatory work undertaken by the Housing Service in readiness for the introduction of Universal Credit, Internal Audit was able to provide a Reasonable Assurance rating for this area.

•           That 6 follow up reviews of Limited Assurance reports were finalised during the period with the following outcomes –

•           Logical Access and Segregation of Duties (Second Follow-Up) – it was concluded that due to the length of time the risks/issues identified by the original audit in 2014/15 and subsequently by the first follow-up review in January, 2015 have been outstanding, the Council has demonstrated little progress in implementing actions agreed to address all the audit recommendations. Therefore, and because of the nature of the risks outstanding which relate to staff acceptance of ICT policies and issues around the separation of duties in the Payroll system, the level of assurance remains as Limited. The Head of Function (Resources)/Section 151 Officer explained that arrangements are in hand to update and integrate the Payroll and HR systems which will allow more tasks to be undertaken electronically and will address the issue of segregation of duties. The upgrade will also link the recruitment process to Payroll electronically thereby doing away with the need for payroll staff to manually establish staff payroll records. There has been some delay due to technical issues and a redesign of the business processes is necessary to reflect a new division of duties/responsibilities. Whilst this will take time, the project does have a planned finish date of September, 2018.

•           Affordable Housing, Houses into Homes and Self-Build Loan Schemes (Second Follow-Up) – it was concluded that the Council has demonstrated reasonable progress in addressing the audit risks. Taking account of the issues identified in the remainder of the report, the level of assurance has increased to Reasonable.

•           Extra Care Housing (First Follow-Up) – it was concluded that the Council has demonstrated good progress in addressing the issues/risks and as a result, the assurance rating has increased to Substantial.

•           Payment Card Industry Data Security Standards Compliance (First Follow-Up) – it was concluded that as the Council has demonstrated little progress in addressing the issues/Risks, the assurance rating remains as Limited Assurance. Internal Audit will revisit this area during October, 2018 to monitor progress with addressing the risks. The Head of Function (Resources)/Section 151 Officer explained the requirements with regard to PCI DSS and what it entails for the Council in terms of ensuring the security of the card data it holds. A planned update of the Income Management system which is to be project managed will help address PCI DSS issues; however as meeting the requirements in full involves a number of tasks some of which are complex, it is a project for the longer term.

•           Child Care Court Orders under the Public Law Outline (First Follow-Up) – it was concluded that the Council has demonstrated reasonable progress in implementing actions agreed to address the audit recommendations. However, due to the outstanding “catastrophic” risk, the level of assurance remains as Limited. Internal Audit will undertake a further follow-up review during 2018/19.

•           Corporate Procurement Framework (First Follow Up) – it was concluded that the Council has demonstrated good progress in implementing actions with an agreed target date of December, 2017. However, the assurance level of the report remains as Limited Assurance due to the priority level of the remainder of the issues raised which are yet to reach their target implementation date. A further follow-up review will be undertaken in July, 2018. 

•           School Transport (Follow-Up in process) – this matter was considered by the Corporate Scrutiny Committee at its meeting on 31 January, 2018 following a referral by the Audit and Governance Committee. Following a detailed discussion of the issues raised by the audit review and the assurances given to the meeting by the Highways and Learning Services, the Corporate Scrutiny Committee was satisfied overall by the progress made against the Internal Audit Action Plan and by the commitment shown by both services to complete the plan within timescale. It had noted that the safeguarding issues arising are being monitored by the Corporate Safeguarding Arrangements Board and it had noted also that there are arrangements within Internal Audit to follow-up and monitor management actions in relation to Limited Assurance reports and to report thereon to the Audit and Governance Committee. The Scrutiny Committee had further determined that it be provided with a progress update at its June, 2018 meeting.

•           That the Council’s performance in relation to the implementation of management actions has steadily improved over the last 13 months with a significant increase having taken place over the last six months. However, analysis of the outstanding issues/risks has shown that that the extension to the target implementation dates for addressing the Payment Card Industry Data Security Standards and the Children’s Court Orders under the PLO issues/risks has been the main contributor to the increased performance. This has highlighted that managers assigned with implementing actions are able to extend the target implementation date without reference to Internal Audit. This facility has since been withdrawn from managers, and all requests for the date to be extended must be made to Internal Audit who will consider the circumstances before agreeing to extend. It is expected that this will have a short-term impact on the implementation rate and that performance will worsen in the short-term.

•           Due to a significant slippage of work from 2016/17 and capacity related matters, the resource available to complete the Operational Plan for 2017/18 has reduced. Consequently, the Head of Audit and Risk has undertaken a risk assessment with Heads of Service and the Head of Function (Resources)/Section 151 Officer. Audit reviews have been prioritised to ensure resources are targeted to the areas of highest risk. The revised Annual Plan is included at Appendix A to the report. To date, 64% of the revised plan has been completed with a further 23% currently work in progress making a combined total of 87%. Ninety two percent of audits have been completed in time against a target of 90%.

•           The Committee’s terms of reference which are due for review were to have been presented to the Committee’s September, 2017 meeting. However, the Committee agreed to postpone the review pending the publication of the new CIPFA guidance anticipated originally for November, 2017. A further postponement ensued in December, 2017. The guidance has still not been published, and although complete, CIPFA is awaiting the Home Office which is bringing out a new Financial Management Code of Practice that impacts on Police audit committees. The new guidance is now expected in March, 2018.

The Committee considered the information presented and made the following points -

•           With regard to GDPR, the Committee noted that schools/Head teachers have not been provided with information on GDPR compliance. The Committee noted also that the stated date for GDPR compliance is May, 2018. In light of that fact that penalties can be imposed for non-compliance and that schools may not be in a position of readiness by the due date particularly smaller primary schools, the Committee sought both clarification of the consequent risk to the Council and assurance that the matter is receiving attention. The Head of Audit and Risk said that schools are separate establishments acting as independent bodies under the new regulations and will need to establish their own compliance. However, the Learning Service has recognised this matter as a risk and has made a resource available for GDPR compliance within schools and preparations are underway. This issue will be the subject of a separate internal audit early in 2018/19.

•           The Committee noted the 3 major risks raised with regard to the Housing Rents Readiness for Universal Credit internal audit review. The Committee sought assurance that there is a commitment and a timetable for Management to complete the actions necessary to address all the risks highlighted since none was specified. The Head of Audit and Risk confirmed that an action plan has been agreed with the service. As the assurance rating is Reasonable, the recommendations for actions by Management will be fed through to Internal Audit’s tracking system and the service will be reminded to provide updates on the progress in addressing those actions.

•           The Committee noted that the scheduled completion date for the School Transport Action Plan is September, 2018. The Committee sought clarification whether the actions required are complex and therefore require this length of time to implement. The Committee further inquired whether the Action Plan addresses the issue of over expenditure on school transport. The Head of Audit and Risk said that the timescale is influenced by the timing of school transport contracts; the current contracts will run to the end of the school term. The contract tendering process will commence shortly with the new contracts coming into effect at the start of the new school year in September, 2018. Safeguarding elements are now being followed up whilst data cleansing work needs to be done before the Transport ONE software system can be implemented fully. The latter will enable the optimum school routes to be mapped out electronically thus eliminating any duplication of routes meaning the transport to school service will be more cost-efficient. There is now also a written agreement between the Learning Service and the Highways Service which clarifies their respective responsibilities. Additionally, the Learning Service has appointed a Consultant as the Project’s Manager.  Councillor Robin Williams as a member of the Finance Scrutiny Panel, said that the Panel had been informed by the Highways and Learning services that a 100 new requests for a home to school transport service had been received. The Panel was however reassured that Management is now approaching this matter in a more proactive manner and that the new electronic route mapping process will be more robust for the next school year.

•           The Committee noted in the context of the Logical Access and Segregation of Duties follow up that a systems upgrade is in process which will lead to greater clarity and accountability in the separation of duties. The Committee inquired whether under the current system therefore where staff are recorded in Payroll manually, the Council   has been at risk because the potential for irregularities is greater. The Head of Function (Resources)/Section 151 Officer said that there are other controls in place to verify the accuracy of the Payroll; budget monitoring of staffing would also flag up any anomalies. There are therefore controls during and after the payment process that mitigate against the risk from the lack of a separation of duties facility within the Payroll system at present. An audit of Payroll is planned for 2018/19.

•           The Committee sought clarification of whether Management does or should be required to report to Internal Audit on circumstances which may delay or affect the speed of implementation of actions to address issues raised. The Head of Audit and Risk said that implementation target dates can be extended with the agreement of Internal Audit who will consider the circumstances.

•           The Committee noted with regard to the Corporate Procurement Framework first Follow-Up review that a factor in the non-completion of two of the actions/risks is a lack of response by relevant officers to a request for advice by the Legal Service on issues in relation to the wording of draft terms and conditions. The Committee noted that whilst it recognised the volume of work that the internal audit update reflected as a whole, it was disappointed that progress seemed to have been delayed in this instance by officer inaction although it accepted that there may also be extenuating circumstances of which it was unaware. The Chief Executive said that he noted the Committee’s concern; the Head of Audit and Risk confirmed that she would follow the matter up.

•           The Committee noted with regard to the delivery of the Internal Audit Operational Plan for 2017/18 that some items had been deleted; the Committee took assurance however from that fact that a risk assessment has been undertaken with Heads of Service and that the revised Audit Plan is risk based meaning that it is driven by a recognition of the areas of highest risk to the Council.

It was resolved that the Committee:

•           Notes Internal Audit’s latest progress in terms of service delivery, assurance provision, reviews completed, performance and effectiveness in driving improvement and that overall, it takes assurance from the information presented both in the report and by the officers’ updates at the meeting.

•           Approves the postponement of the review of its terms of reference until the Chartered Institute of Public Finance and Accountancy (CIPFA) issues its new guidance document.

ADDITIONAL ACTION PROPOSED: Head of Audit and Risk to follow-up on the Officer response in connection with the Corporate Procurement Framework first Follow-Up review.