Agenda item

To present the report of the Head of Internal Audit and Risk.

The report of the Head of Audit and Risk setting out the work of Internal Audit in the period since the last committee meeting was presented for the Committee’s consideration.

The Head of Audit and Risk summarised the main considerations as follows –

•           That one report has been finalised during the period which was in relation to Project and Programme Management Arrangements and specifically the governance of programme and project management. The high level audit review undertaken resulted in a Reasonable Assurance rating having found that much work has been undertaken to ensure that the Council’s projects and programmes are governed appropriately with the establishment of two Corporate Programme Boards, the assistance provided by the corporate project managers and the project management methodology used and promoted corporately. Two moderate risks were raised for management attention, with the review having found that insufficient attention is being given to impact assessment and risk registers with no mention of these being made in minutes of meetings. Impact assessments should be used to ensure decisions are made with full awareness of how they may affect different sections of the community.

•           That one follow-up review was finalised in the period relating to School Transport. The review confirmed that significant progress has been made towards improving School Transport arrangements and addressing the issues/risks raised in the Internal Audit review report. Eleven of the risks identified from the audit report have been fully addressed; three risks have been partially implemented or are in the progress of being implemented; these are subject to the issuing of identification badges to all school bus drivers in September 2018, the Capita ONE system to be in operation and the review of the school taxis’ eligibility criteria together with the review of the school taxis’ budget. Two risks remain outstanding which are centred around the next procurement process when the Transport Section will be reviewing its current contractors’ terms and conditions. It is deemed that the Council has demonstrated good progress in addressing the issues and risks raised and as a result the assurance rating has increased to Reasonable Assurance.

•           The withdrawal of the facility enabling managers to extend target implementation dates for risk/issues/recommendations without reference to Internal Audit has resulted in the anticipated dip in performance over the short-term. Notwithstanding, this is a more robust process for ensuring that risks are addressed and reduces the risk of “drift.” Additionally, overall the Council has steadily improved its performance in implementing actions over the last 15 months with a significant year on year improvement as testified to by the graph at section 18 of the report. A more detailed report on all outstanding recommendations and issues/risks is presented to the Committee twice a year with the next report due in September, 2018.

•           Due to a significant slippage of work from 2016/17 and the loss of two officers through retirement and resignation, the resource available to complete the Internal Audit Operational Plan for 2017/18 has reduced. Consequently, the Head of Audit and Risk has undertaken a risk assessment with Heads of Service and the Head of Function (Resources)/Section151 Officer. Audit reviews have been prioritised to ensure resources are targeted to the areas of highest risk. The revised Annual Plan is attached to the report at Appendix A. To date, 79% of the revised plan has been completed with a further 21% currently work in progress – a combined total of 100%.Ninety-two percent of audits have been completed in time against a target of 90%. Eighty-one percent of Internal Audit’s reports have been submitted to the targeted Audit and Governance Committee.

•           That with regard to the Committee’s planned review of its terms of reference, CIPFA has once again postponed publication of its updated guidance. The Committee is therefore asked to agree deferring its review to the following meeting.

The Committee noted the information presented and raised the following points –

•           The Committee noted that the audit review of Project and Programme Management Arrangements found that little significance is given to impact assessments and to risk registers with no evidence to show that decisions are being made with full awareness of the content of the assessments. The Committee further noted that the risks raised by the review were assessed as moderate. The Committee sought clarification of whether in light of the audit review finding that not enough regard is had of the impact of projects when making decisions – which it deemed to be a not insignificant shortcoming - the risk rating should be elevated.

The Head of Audit and Risk said that the Council’s risk management matrix is used to evaluate risks in terms of what the effect would be on the Council if a risk came to pass. The risks raised as a result of the review of  Project and Programme Management were assessed as being firmly in the Yellow or Moderate category meaning  they are not a major consideration. This is on the basis that the impact assessments and risk registers were being done but were not given the significance they should be given.

•           The Committee sought clarification of whether the Council’s Programme Management arrangements include measuring the outputs of various projects and assessing whether projects deliver the benefits originally envisaged of them.

The Head of Audit and Risk confirmed that post-implementation reviews are conducted at the end of every project. However, the focus of the audit review was on the governance of the Council’s projects and programme management arrangements and although the review did include sampling a few projects to confirm that all elements were in place, it did not entail any compliance testing in terms of verifying actual outputs.

•           The Committee noted with regard to the Follow-up review of School Transport that out of the outstanding actions including actions that have been partially implemented all target dates have been revised and extended based on updates received. The Committee sought assurance that this is acceptable to Internal Audit .The Head of Audit and Risk confirmed that Internal Audit is satisfied that the grounds for extending the timescales are reasonable. The Head of Function (Resources) and Section 151 Officer said that the Capita ONE system uses pupils’ addresses via the GIS system to plot the optimum routes for school taxis and minibuses. Much work has been done in the past few months to verify addresses on the database. Given that it is expected there will be movement on the pupil database in September as pupils change schools the Authority is delaying work on the route plotting process until that time so as to avoid the revisions that would have to be done as a result of changes in the database. By gearing this work to September the Authority can start from a fresh base and plot the routes for the full the school year.

•           The Committee noted that Identification Badges will be issued to all school bus drivers in September. The Committee sought clarification of the arrangements in place in the intervening period from April to September and whether the delay creates a risk that the Authority finds tolerable.  The Head of Function (Resources) and Section 151 Officer confirmed that a vetting process is and has been in place which involves checks other than ID badges. The audit review identified that that process was capable of being improved and strengthened with the issuing of ID badges being one of the improvements to be introduced.

•           With regard to the implementation of Management actions, the Committee sought assurance that any uncompleted red risks/issues are closely monitored. The Head of Audit and Risk confirmed that Red risks/issues tend to be raised in Limited Assurance reports; these reports are regularly followed up so that when the actions are due for implementation, Internal Audit will revisit the review. The Committee further noted that there could therefore be a three month period wherein red risks remain unactioned. The Head of Audit and Risk said that although technically this is possible, it is unlikely for Red risks to have as long an implementation date as three months unless it is a corporate issue which do have longer implementation dates than service specific actions/ recommendations. The Officer said that the Committee is provided with a report on all outstanding issues and risks twice a year and will be next updated on this matter in September.

•           The Committee noted that 79% of the revised Annual Internal Audit Plan for 2017/18 has been completed which it acknowledged as an achievement given that staff resources have reduced in the period. The Committee further noted however that this means that 21% or a fifth of the Plan remains to be completed some of which will likely roll forward into 2018/19 thereby adding to the service workload and potentially placing pressure on staff. The Committee sought assurance therefore that the Internal Audit Service is sufficiently resourced to be able to meet expectations both now and in the coming year.  The Head of Audit and Risk said that the 21% described as work in progress was at the beginning of April; since then some of this work has had to be postponed due to the unavailability of Council staff. The Operational Plan includes a contingency provision to enable the service to complete work from the previous year’s plan; it is also the aim to compete unfinished work from the 2017/18 Plan by the end of April.

•           The Committee sought clarification of whether the 2018/19 Operational Plan reflects the current staff level (there having been a reduction of 2 in the Internal Audit establishment one being an efficiency saving following a retirement and the other a vacancy following a resignation). The Committee also sought clarification of whether the priorities within the Plan will change while the service has a vacancy. The Head of Audit confirmed that with regard to the vacancy and depending on the speed of recruitment the 2018/19 Plan does include that Officer’s time in full. She also confirmed that the Plan will change to reflect circumstances and said that the Internal Audit Annual Operational Plan is in any case a dynamic document; it is not a one-time only document but is regularly updated as the level and nature of risks change with some risks coming off and others coming onto the Corporate Risk Register. The Officer said that the approach to risk is changing with continuous assessment and prioritisation of risks replacing longer term plans, the thinking being that as risks are constantly changing, any plans that cover a period longer than a year are likely to become out of date very quickly. The Internal Audit Service will seek to allocate time to areas it is expected and needs to cover which are not risk based but on which External Audit places reliance e.g. key Financial Systems audits whilst the remainder of the plan will be risk focused. In the event that the Chief Audit Executive assesses that the service does not have the necessary resources to cover priority areas and/or current risks then a report would be brought to the Section 151 Officer and to the Committee.

It was resolved –

•           To note the Internal Audit Service’s latest progress in relation to service delivery, assurance provision, reviews completed, performance and effectiveness in driving improvement, and to note also that the Audit and Governance Committee is satisfied with the assurance provided.

•           To approve the postponement of the review of the Committee’s terms of reference until the Chartered Institute of Public Finance and Accountancy (CIPFA) issues its new guidance document.

NO ADDITIONAL ACTION WAS PROPOSED