Agenda item

Internal Audit Annual Report 2020/21

To present the report of the Head of Audit and Risk.


The Annual Report of the Internal Audit Service for 2020/21 was presented for the Committee’s consideration. The report outlined the Internal Audit work carried out during the year ended 31 March, 2021 based on which the Head of Audit and Risk gave her overall opinion on the adequacy and effectiveness of the Council’s framework of governance, risk management and control during the year which also informs the Council’s Annual Governance Statement.


Ahead of presenting the report, the Head of Audit and Risk advised the Committee that she had been alerted by a member to the possibility that in raising questions on the two Limited Assurance reports that accompany the Annual Report, the one in relation to ICT Service Continuity (Phishing) and the other in relation to the Identification of Duplicate Invoices and Recovery of Duplicate Payments, information may be disclosed that could lead to the identity of an individual(s) being revealed; discussion of the reports could also disclose sensitive information with regard to the business affairs of the Council. Having sought the advice of the Monitoring Officer and having discussed the matter with the Chair beforehand it was proposed that discussion of those two reports be therefore deferred to the end of the meeting when the Committee will be asked to consider going into private session and to exclude the press and public from the meeting. The Committee agreed to the arrangement proposed for dealing with the two Limited Assurance reports.


The Head of Audit and Risk reported that the Annual Report is presented under the Public Sector Internal Audit Standards (PSIAS) which require the “chief audit executive” i.e. the Head of Audit and Risk in the Council’s case to deliver an annual internal audit opinion that the organisation can use to inform its Annual Governance Statement. The annual opinion must include an opinion on the overall adequacy and effectiveness of the organisation’s risk management, control and governance processes; any qualifications to that opinion and the reasons for the qualification; a summary of the audit work from which the opinion is derived including reliance placed on other assurance bodies; any issues which the chief audit executive judges relevant to the preparation of the Annual Governance Statement; a summary of the performance of the internal audit function against its performance measures and a comment on compliance with the PSIAS and the results of the Internal Audit quality assurance programme.


The Head of Audit and Risk confirmed that it was her opinion as the “Chief Audit Executive” for the Isle of Anglesey County Council that for the 12 months ended 31 March, 2021, the organisation had an adequate and effective framework for risk management, governance and internal control. While the Head of Audit and Risk does not consider there to be any areas of significant concern, some areas require the introduction or improvement of internal controls to ensure the achievement of objectives, and these are the subject of monitoring. There are no qualifications to this opinion.


The opinion above was reached based on the work and activities carried out by Internal Audit during the year as outlined in the report and is substantially derived from the setting of a risk based plan of work which management has agreed and the Governance and Audit Committee has approved. It should provide a reasonable level of assurance, subject to the inherent limitations noted in the report and subject also to the report submitted to the Committee’s February, 2021 meeting which referred to the revision of Internal Audit’s priorities to cover the new risks and changes from the impact of Covid-19 and the consequent provisions that would be made to obtain sufficient assurance to support the annual opinion.


Key to being able to obtain sufficient assurance to inform the opinion was to take into account both internal audit work and other sources of opinion encompassing Corporate Risk Register Audits; Review of Covid-19 Emergency Response arrangements; other audit work in key areas of the Council’s activities carried out as a result of concerns raised by the Director of Function (Resources)/ Section 151 Officer and/or the Senior Leadership Team; Grant Certification work and Emergency Management assurance. The latter involved management completing two questionnaires, one strategic-level and one at operational level the objective being to gain direct first line assurance from senior and middle managers about how the Council had coped with the challenges brought by Covid-19 and whether key governance, risk management and internal control arrangements had deteriorated or had been maintained. Overall the results were positive with the Council able to take reasonable first line assurance that the governance, risk management and control frameworks have been adequately maintained while it has responded to the Covid-19 pandemic.


Whilst the Annual Report provides the substantive detail regarding the year’s work, points to note include the following -


·                Internal Audit was able to provide Reasonable assurance that the Council was effectively managing all but two of the corporate risk register risks reviewed. Although the IT Resilience and IT Service Continuity (Phishing) audits resulted in a Limited assurance rating, when IT Resilience issues/risks were revisited later in the year the assurance rating was increased to Reasonable.

·                The outcome of Internal Audit’s review of the Council’s Covid-19 emergency response arrangements was reported in two parts, both of which were given a Reasonable assurance rating, and the six issues/risks raised for the attention of the Emergency Management Response Team were found to have been all addressed when reviewed one month later.

·                Of the nine audits of other key areas of the Council’s activities finalised in 2020/21, five were given Reasonable assurance for the arrangements for governance, risk management and internal control and four, Limited assurance. (Appendix C refers)

·                Of the nine grant certification audits finalised during 2020/21, seven were given Substantial assurance for the arrangements for governance, risk management and internal control and no significant or material risks/issues were identified.

·                Overall 78% of the audits undertaken during 2020/21 were given a Reasonable assurance rating. Five audits received Limited assurance, four of which were revisited in accordance with Internal Audit protocol, as were two audits which had a Reasonable assurance, the one because it was recognised as a risk in the corporate risk register (Emergency Response) and the other because it had a number of issues/risks outstanding (Sundry Debtors). The assurance rating for all the reports revisited was raised to Reasonable.

·                No audits received No assurance and no Critical (red) issues/risks were raised during the year. Where issues/risks were identified, management accepted them all. During 2020/21, senior management at the Council has been supportive and responsive to the issues raised by Internal Audit.


In referring to the section of the Annual Report covering outstanding issues/risks, the Head of Audit and Risk advised that the Committee was provided with a detailed analysis of the same at its previous meeting in April, 2021 which showed that good progress has been made to address all the risks/issues identified during 2020/21.  She confirmed that there are no issues which are of a significantly high risk or impact that warrant inclusion in the Annual Governance Statement. With regard to Internal Audit’s performance, the Head of Audit and Risk supported by the SLT has made every effort to make best use of available audit resources during the pandemic and the service has striven to add value wherever possible. Internal Audit has in place a quality assurance and improvement programme to ensure continuous improvement. The Service has performed well during the year against the targets agreed with the Governance and Audit Committee as part of the Strategy for 2020/21 (Appendix E) with 3 out of 5 indicators meeting their targets. The service has performed less well in terms of the percentage of the red and amber residual risks reviewed due mainly to the reduction in the service’s staffing complement through promotion, secondment, long-term absence and also the Covid-19 emergency.  All current members of the Internal Audit team are professionally qualified and the service has invested significantly to ensure they continue their professional development. A total of 139 days was invested in training and development during 2020/21. Under the Public Sector Internal Audit Standards internal audit services are required to have an external quality assessment every 5 years - the Council’s Internal Audit Service last underwent an external assessment in June, 2017 which confirmed that the Service “generally conforms” with the PSIAS which is the top assessment available to the assessor - and it is next due for assessment in 2022.


The Head of Audit and Risk responded to questions raised by the Committee as follows –


·                That with regard to buying in expertise from an external provider, she confirmed that the engagement with Salford City Council on an IT audit is progressing well with Internal Audit staff benefiting from the expertise of Salford’s IT auditors who are specialists in the field. The work has not been hampered by the pandemic with all parties having by now become accustomed to remote working which has its own advantages in significant time and cost savings on what would have been the auditors’ commute from Manchester to Anglesey.

·                That with regard to training and development and specifically bringing young people forward, Internal Audit has in the past benefited from the Denu Talent placement scheme which provides young people aged 16 and over with work experience opportunities in various services across the Council through a 12-week placement programme. The Head of Profession (HR) and Transformation advised further on this point that in order to provide the best support and experiences the Denu Talent scheme requires its participants to be physically present at the Council Offices and as that has not been possible over the past year because of the pandemic with Welsh Government requiring people to work from home where practically possible, the scheme was paused in 2020/21. However, the Council will be re-introducing a Professional Trainee programme in the coming September which as well as providing opportunities for individuals to start a career in local government will also help address future skills shortages at the Council.

·                That with regard to the pressures on Internal Audit in 2020/21 both as a result of a reduction in staff and the extra demands created by the pandemic and adjusting to it, the Head of Audit and Risk confirmed that some degree of normalcy has been restored with Internal Audit having adapted to the new ways of working and to making the best use of the resources it has at its disposal. She was optimistic that with the enthusiastic and dedicated team that it has and the expectation that the team will be back to full capacity by September, Internal Audit will be able to deliver on its priorities and meet the Council’s assurance needs.


In noting the report and the Head of Audit and Risk’s annual opinion the Committee acknowledged the hard work of Internal  Audit in 2020/21 recognising the efforts of its staff in delivering on the internal audit work programme in challenging circumstances, and also their contributions in supporting the wider organisation in its response to the Covid-19 emergency.


Internal Audit Limited Assurance reports - ICT Service Continuity (Phishing) and Identification of Duplicate Invoices and Recovery of Duplicate Payments (These reports were taken at the end of the meeting in closed session following a resolution by the Committee under Section (100) (A) (4) of the Local Government Act 1972 to exclude the press and public from the discussion on those reports on the grounds that it involved the disclosure of exempt information as defined in paragraphs 13 and 14 of Schedule 12A of the Act).


The Head of Audit and Risk presented the Internal Audit review report in connection with ICT Service Continuity (Phishing) (conducted by an external IT audit specialist) which had resulted in a Limited Assurance opinion and the identification of 4 issues/risks that require management attention. She reported on the scope of the review and elaborated on its findings. All the risks/issues that were identified are included in the accompanying management action plan.


In considering the report the Committee recognised the importance of providing training for staff at all levels with regard to cyber security specifically to recognise cyber-attacks in all their forms and to report malicious activity; for training to be regularly updated to take account of new/emerging threats, and for training to be supplemented by regular reminders to staff of the need for vigilance. Elected Members should also be included in those communications. The Committee discussed the action plan timescales and emphasised the need for timely action where cyber security is concerned.


The Committee was advised by the IT Team Manager that cyber threats are increasing in frequency and sophistication; a Cyber Security and ICO recommendations working group has been formed which as well as actioning ICO recommendations is also developing an action plan to address cyber and data security issues. Whilst it is accepted that cyber security awareness is a process that needs regular reinforcement, reminders that are overly repetitive run the risk of disengaging staff so the right balance has to be struck in delivering cyber security awareness reminders to staff. The majority of the actions in the action plan being developed by the working group are likely to be implemented within a shorter than stipulated timeframe - technical solutions are quick fixes, process change can take longer as can building a strong culture of cyber security awareness. Successful completion of the relevant parts of the working group’s action plan will address most of the issues identified by the Internal Audit review.


The Head of Audit and Risk presented the Internal Audit review report in connection with the Identification of Duplicate Invoices and Recovery of Duplicate Payments which had also resulted in a Limited Assurance opinion and the identification of 6 risks/issues which require management attention. She reported on the scope of the review and elaborated on its findings, highlighting the issues identified by Internal Audit’s data analytics exercise which looked at the payments made over the period from April, 2017 to November, 2020. All the risks/issues that were identified are included in the accompanying management action plan.


In response to questions by Members, she updated the Committee on the latest position with regard to the recovery of duplicate payments  and advised that supplier details have been passed on to the Payments team to expedite further enquiries where necessary.  As part of improving system control arrangements Internal Audit will undertake a continuous monitoring exercise using software to identify potential duplicate payments and will provide a report quarterly for the Payments Team to investigate. Internal Audit will revisit the Issues/Risks raised in September, 2021 and will subsequently update the Committee on the progress of implementation.


The Director of Function (Resources)/Section 151 Officer in responding to the audit review highlighted that the duplicate payments identified equate to 0.04% of the value of the payments made over the 3½ years in question, and that they were identified not on the basis of a random sample but following a data analytics exercise involving digging deep down into payments information meaning that most of the duplicate payments made will likely have been captured. He outlined the context and the types of payment errors that can occur and advised that there are specific procedures governing the purchase to payments process which if followed faithfully would minimise the risk of duplicate payments; procedural non-compliance is therefore a factor and applies to all service staff, as is increased automation of invoice processing which can mean that invoice details are sometimes misread. He accepted the report and the need to further improve housekeeping measures and to educate staff on the importance of keeping to payments policies and procedures; he assured the Committee that the Authority seeks to recover duplicate payments where made and confirmed that the situation in this regard has moved on since the audit report was written. Additionally, a restructure of the Payroll and Payments sections has seen additional resources focused on the Payments team.


The Head of Audit and Risk provided further assurance that the duplicate payments which the audit had identified are not unusual and are attributable to error and not malpractice; duplicate payments are not uncommon in public sector organisations where the volume of invoices dealt with is significant.


It was resolved –


·                To accept the Internal Audit Annual Report for 2020/21 and to note that for the 12 months ended 31 March, 2021, the Head of Audit and Risk is satisfied with the adequacy and effectiveness of the Council’s overall arrangements for risk management, governance and internal control subject to introducing and/or improving internal controls in some areas.

·                To accept and to note the two accompanying Limited Assurance reports - ICT Service Continuity (Phishing) and Identification of Duplicate Invoices and Recovery of Duplicate Payments.

