To present the report of the Head of Audit and Risk.
The report of the Head of Audit and Risk on the status and details of the outstanding risks that Internal Audit has raised was presented for the Committee’s consideration.
The Principal Auditor reported as follows –
· That as at 31 March, 2022, 62 outstanding actions were being tracked in the 4action system 17 of which are rated major (amber) and 45 moderate (yellow in risk priority - Graph 1 of the report). A detailed status update of the 17 outstanding major rated issues/risks is provided at Appendix 1 of the report. No Red issues/risks were raised in the year and no Red issues/risks are currently outstanding.
· Three actions have reached their target date for completion and have now become overdue – these are all of moderate impact and relate to Payroll. Internal Audit is aware of the ongoing staffing and recruitment issues within the Payroll team as well as additional end of year workload pressures that have made the work of addressing these issues/risks challenging. Internal Audit will continue to work with the Service to ensure the issues/ risks are successfully addressed.
· Graph 3 shows the status of all outstanding actions (irrespective of the date management agrees to address them by) and confirms that management has now addressed 56% of which 55% have been verified by Internal Audit. The remaining 1% relates to an audit of ICT Service Continuity (Phishing) which will be formally followed up in May, 2022.The majority of the actions not started relate to two audits recently finalised in relation to Information Governance and Software Licensing Management; the actions identified during these audits have not yet reached their anticipated completion dates.
· Graph 4 shows the status of all actions that have reached their target date and confirms that where due, 96% have been addressed.
· Target dates are extended where the Service can demonstrate a legitimate reason for the extension.
· The 62 outstanding actions are spread between 2017/18 to 2021/22 with the majority relating to the last two financial years. Three issues/risks that management have yet to fully address date back to 2017/18. These relate to general improvements and efficiencies within the Council’s Sundry Debtors processes and are rated as moderate or yellow in risk priority. Work to address these issues forms part of the consultancy project currently underway within the Income Team and the planned restructure of the wider Revenues and Benefits section reported upon in the Internal Audit update report. No major or amber rated risks/issues date back further than 2019/20.
· All outstanding actions are being pursued by Internal Audit to ensure their completion.
In response to a point raised by the Committee whether there is a risk that because the completion dates for actions can be extended, issues/risks that could be of major concern and are in effect overdue are not being captured and might therefore not be given priority attention e.g. the two outstanding major risks/issues in connection with Supplier Maintenance and Payment, and Duplicate Invoices whose completion dates have been pushed back to November, 2022. The Principal Auditor confirmed that where amber rated risks/issues are concerned they are given priority, due regard is paid to how long the completion date is being extended for and updates are pursued expeditiously.
The Head of Audit and Risk clarified that issues/risks are assessed against the Council’s risk appetite so that risk/issues rated yellow in risk priority are not prioritised by virtue of that designation; slippage in that case would not be a cause of significant concern. However, where slippage increases the risk then the risk priority rating would be changed and if necessary uprated to Amber. She confirmed that the outstanding major risks/issues referred to in relation to Supplier Maintenance and Payment, and Duplicate Invoices are included in the data in the report.
It was resolved to note the Council’s progress in addressing the outstanding Internal Audit Issues/Risks.