To present the report of the Head of Audit and Risk.
Minutes:
The report of the Head of Audit and Risk incorporating the Internal Audit Strategy for 2023/24 was presented for the Committee’s consideration and endorsement.
The Head of Audit and Risk provided some contextual information to the strategy stating that global events and upheavals over the past two years have shaped the risk environment for the Council meaning that a state of crisis has become the new normality. With regard to the audit approach she highlighted that Internal Audit would be taking a risk based approach in accordance with Standard 2010 of the Public Sector Internal Audit Standards aligning internal audit activity with the Council’s strategic risk register with a focus on the inherent risks rated as red and where the residual risk is rated as red or amber (a list of proposed audits was provided under Appendix A to the report). An agile audit methodology has also been adopted allowing Internal Audit to respond to change as new risks emerge or as priorities change. Given that cybersecurity and data security continue to be perceived as the top threats in a survey of chief audit executives, Internal Audit proposes that during 2023/24 a programme of work covering the specific IT elements noted in the report be undertaken with the support of the IT Auditors of Salford City Council to provide the Council with assurance that its IT vulnerabilities are being effectively managed. As another high risk area, the Council’s approach to counter fraud will be kept under review and the Fraud Response Plan will be updated accordingly. Other audit work planned for 2023/24 includes providing assurance with regard to managing partnership risks and assessing the Council’s
preparedness for the new Procurement Act.
The Head of Audit and Risk referred to the Service’s capacity confirming that a recent successful recruitment exercise has provided a new member of the team meaning the service is now only carrying a vacancy (1.0 FTE) at Senior Auditor level due to secondment which is being used to commission external audit expertise. The appointment will also enable work on some of the lower priority areas outstanding from 2022/23 to resume as outlined in the report. With a productivity level of 72% approximately 700 days of audit resource are available to provide the annual assurance opinion. The service will continue to invest significantly in training and development with 115 days being earmarked to that end in 2023/24.
To ensure continuous improvement of the Internal Audit Service, a quality assurance and improvement programme has been put in place and a streamlined suite of performance measures and targets has been adopted as reflected in the table at page 16 of the report.
The Committee discussion which followed focused on the following –
· The responsibility for internally auditing partnerships. The Head of Audit and Risk advised that the internal audit responsibility in relation to local authority partnerships would be discharged by the host authority; where partnerships involve other organisations and/or separate entities in the absence of an annual report from the Partnership and Regeneration Scrutiny Committee she could not confirm who undertook the internal audit function in those cases, hence the proposed piece of work by Internal Audit on the assurance and governance arrangements of significant partnerships or collaborations in which the Council has an involvement.
· With regard to the new procurement legislation whether the programme/project management of large contracts comes within the scope of Internal Audit. The Head of Audit and Risk in confirming that they do, advised that no audit of internal programme and project management processes is planned for this year, although a related area that will be examined involves organisational resilience being the ability of the Council to respond to external changes and the arrangements it has in place to help it do so.
· Whether the absence of an annual report from the Partnerships and Regeneration Scrutiny Committee means that partnerships are not being scrutinised. The Head of Audit and Risk advised that the unavailability of an annual report is attributable to a vacancy at scrutiny officer level meaning that it has not been possible to produce the annual report for the past two years but is not reflective of a lack of scrutiny of partnerships within the committee’s programme. Councillor Dafydd Roberts as a former member of the Partnership and Regeneration Scrutiny Committee referred to the availability of the minutes of the Committee’s meetings which provide a record of the matters covered during the period and are published on the Council’s website.
· Whether with regard to the strategic risk that the Council cannot adapt to become a carbon neutral authority by 2030, the Governance and Audit Committee should be receiving more detailed information about the processes/ arrangements that will enable the achievement of this objective. The Head of Audit and Risk advised that a Climate Change Health Check by Zurich Municipal along with Audit Wales’ report on public sector readiness for net zero carbon by 2030 was presented to this Committee in December, 2022; an update on the Council’s progress in working towards the 2030 target will be presented to the Governance and Audit Committee in June, 2023.
It was resolved to endorse the approach and priorities outlined in the Internal Audit Strategy for 2023-24 as fulfilling the Council’s assurance needs.
Supporting documents: