Agenda item

Outstanding Internal Audit Issues and Risks

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk which provided an update on the status and detail of the outstanding risks that Internal Audit has raised was presented for the Committee’s consideration.

 

The Principal Auditor reported on the main points as follows –

 

           That this is the first time that a detailed report outlining overall performance in addressing audit actions has been presented to the Committee since the implementation of the new upgraded 4action tracking system. The new system has proved very successful in improving Internal Audit’s follow-up and action tracking processes.

           The 4action dashboard which displays a real-time snapshot of current performance in addressing outstanding actions has been developed and refined. Overdue actions are continuously monitored thereby allowing updates from management on their progress in addressing them to be promptly obtained.

           That a bespoke service dashboard to assist Heads of Service and their management teams in monitoring and providing updates on their actions has also been developed. This is currently being piloted with the Resources Service and if successful will be rolled out further across the Council during 2020/21. The Covid 19 emergency has limited the Internal Audit Service’s ability to roll out the new 4action system to services and provide training thereon so that management are able to fully utilise its functionalities. This work will resume as the pandemic recedes.

           As at 31 March 2021, 60 outstanding actions were being tracked in 4action, of which 20 are rated “major” (amber) and 40 “moderate” (yellow) in risk priority (Graph 1 refers). No Red issues were raised during the year and there are no Red issues/risks currently outstanding. The actions outstanding are spread between 2014/15 and 2020/21, with the majority pertaining to the last two financial years. The oldest, dating back to 2014/15, relates to the need for regular independent checks of payroll reports and is well on the way to being completed. The outstanding action from 2016/17 relates to the requirement for services to provide assurance that their procurement activity is effective in the annual service challenge process. This action is expected to have been completed for the next service challenge process.

           That there are currently two actions that have reached their target date and have become overdue, as shown in Graph 2. The overdue “major” rated action relates to training for IT staff on their responsibilities in the event of an IT incident requiring recovery action. Progress for this action will be determined when the formal follow up of the IT Resilience audit is carried out in April, 2021. The overdue “moderate” rated action relates to the need for regular, independent checks of payroll reports and, as referred to previously, is now mostly complete but will need to become embedded within the service as a routine task.

           That as a result of Internal Audit work in 2020/21, a total of 21 issues/risks were raised requiring management attention (Graph 3). Of these, 7 were classified as “major” and 14 as “moderate” (Graph 4). Of the actions raised which became due for completion in 2020/21, management had addressed 6 of moderate risk priority before 31 March 2021 which represents 100% performance in this area. All six related to the Covid 19 self-assessment audit that Internal Audit carried out in the early stages of the pandemic in April, 2020.

           Graphs 5 and 6 show the current status of all actions, be they in progress, not started, or closed if they have been addressed and verified as such by Internal Audit. Graph 5 shows the status of all actions irrespective of the date management agreed to address them by – 40% have now been addressed, 38% of which have been verified by Internal Audit. The remaining 2% relate to actions from an audit of IT Resilience which will be formally followed up in April, 2021. Around half of the actions shown as not started relate to two audits finalised towards the end of the year in relation to Payments – Supplier Maintenance and Corporate Parenting Panel, for which the due completion date has not yet been reached.

           Graph 6 shows the status of all actions that have reached their target date. Of these, management has addressed over 90% with work in progress for the remainder. Occasionally target dates are extended but only if services are able to demonstrate a legitimate reason for the extension. As a result of the Covid 19 emergency several target deadlines have been extended for services whose priority over the last 12 months has been focused on responding to the pandemic.

 

In discussing the report the Committee raised the following matters –

 

           Although recognising that work is ongoing on outstanding actions that have yet to be fully completed, the Committee was disappointed to learn that among those actions are one that dates back to 2014/15 and another to 2016/17; the Committee sought clarity on management’s explanation for not fully addressing these issues on the basis that the longer issues remain unaddressed, the greater the risk of their escalating into something bigger.

 

The Head of Audit and Risk clarified that the outstanding action from 2014/15 relates to Payroll, which has been the subject of a long restructure. Whilst the outstanding action, in the form of a control that requires regular independent checks of payroll reports to be made, is now in place, Internal Audit needs to be satisfied that this task has become embedded in day to day payroll work over a period of time. The outstanding action from 2016/17 relates to procurement and derives from a procurement audit undertaken some years ago which suggested that the Council does not have any mechanism for measuring the effectiveness of its procurement activity. As a result of looking at how other councils undertook this task, and Welsh Government putting forward but then withdrawing the need to produce a report, it has taken time to determine how best to provide the Council with assurance about the effectiveness of its procurement activity. It was subsequently agreed with the Procurement Manager and the Section 151 Officer that the mechanism for doing so would be via the service challenge process, whereby services during that process would have to provide assurance that their procurement activity is effective. The opportunity to test the mechanism was missed in last year’s service challenge process and, as a once a year process, it has had to be deferred until the next service challenge process this coming autumn.

 

           Whether in instances where an audit review raises issues across the range of major, moderate and minor risk priority levels, the major issues should be given greater prominence and if necessary brought forward for implementation on the basis that if left to drift for a length of time there is a danger that the impetus and motivation to address those issues diminish. In that case, actions need to be refreshed and/or reassessed rather than just revisited.

 

The Head of Audit and Risk advised that Internal Audit takes each risk/issue raised, and the management action proposed to address it, on its own merits and a date for implementation is agreed with management – in some cases management is overly optimistic in its estimation of the time it will take to fully address an issue raised and is advised on an achievable timescale. The democratic process, especially where policy change and consultation are involved, can take time, and in instances where a system redesign or service restructure takes place, as in Payroll, the process can become drawn out. Although Internal Audit does differentiate between major and moderate risks/issues, both are given equal prominence when they are followed up with management. Whilst Internal Audit endeavours to pursue all outstanding actions to ensure their completion, actions in relation to issues/risks deemed major in risk priority would not be allowed to be subject to protracted delay. As is noted in the report, the “old” actions dating back to 2014/15 and 2016/17 are rated “moderate” in risk priority.

 

The Head of Audit and Risk further advised that when the new 4action tracking system was introduced, in the region of 380 historic recommendations were individually assessed and 60 were deemed of sufficient significance to be brought forward for continued monitoring and follow up.

 

The Principal Auditor confirmed that there are no major rated risks/issues that are more than a year old.

 

In considering the frequency with which a detailed report on outstanding issues and risk raised by Internal Audit should be submitted to Committee, Members were guided by the advice of the Head of Audit and Risk who deemed that a biannual report would meet the requirements in terms of the Committee’s governance responsibilities and would also be achievable within the Internal Audit team’s current workload.

 

It was resolved –

 

           To note the Council’s progress in addressing the outstanding Internal Audit Issues/Risks.

           That a detailed report on outstanding Internal Audit Issues/Risk be submitted to the Committee biannually.

 

NO PROPOSAL FOR ADDITIONAL ACTION WAS MADE
