To present the report of the Head of Audit and Risk.
Minutes:
The report of the Head of Audit and Risk incorporating the Annual Report of the Internal Audit Service for 2022/23 was presented for the Committee’s consideration. The report provided the Head of Audit and Risk’s overall opinion on the adequacy and effectiveness of the Council’s framework of governance, risk management and control during the year.
The Head of Audit and Risk reported that the Annual Report is presented under the Public Sector Internal Audit Standards (PSIAS) which require the “chief audit executive” i.e. the Head of Audit and Risk in the Council’s case to deliver an annual internal audit opinion that the organisation can use to inform its Annual Governance Statement. The annual opinion must include an opinion on the overall adequacy and effectiveness of the organisation’s risk management, control, and governance processes; any qualifications to that opinion and the reasons for the qualification; a summary of the audit work from which the opinion is derived,
including reliance placed on other assurance bodies; any issues which the chief audit executive judges relevant to the preparation of the Annual Governance Statement; a summary of the performance of the internal audit function against its performance measures, commentary on compliance with the PSIAS and the results of the Internal Audit quality assurance programme along with a Statement of Independence.
The Head of Audit and Risk confirmed that it was her opinion as the “Chief Audit Executive” for the Isle of Anglesey County Council that for the 12 months ended 31 March, 2023, the organisation had an adequate and effective framework for risk management, governance, and internal control. While the Head of Audit and Risk does not consider there to be any areas of significant concern, some areas require the introduction or improvement of internal controls to ensure the achievement of objectives, and these are the subject of monitoring. There are no qualifications to this opinion.
The opinion above was reached based on the work and activities conducted by Internal Audit during the year as outlined in the report and is substantially derived from the setting of a risk-based plan of work which management have fed into and the new Governance and Audit Committee approved in June, 2022. It should provide a reasonable level of assurance, subject to the inherent limitations as set out in the report. Key to being able to obtain sufficient assurance to inform the opinion was to take into account the internal audit reviews of the strategic risks and other audit work and the assurance ratings provided details of which are provided in the report.
There are no issues which are of a significantly high risk or impact that warrant inclusion in the Annual Governance Statement. During 2022/23 Internal Audit found senior management at the Council to be supportive and responsive to the issues raised. When delivering the risk-based audit strategy the Head of Audit and Risk supported by the Leadership Team has made every effort to make best use of available internal audit resources during the year and the service has striven to add value wherever possible. Internal Audit has in place a quality assurance and improvement programme to ensure continuous improvement of the service. The Service has performed well during the year against the targets agreed with the Governance and Audit Committee as part of the Strategy for 2022/23 with 3 out of the 4 indicators meeting their targets. Crucially, the target of reviewing 80% of the red and amber residual risks in the Strategic Risk Register has been comfortably achieved thereby providing sufficient assurance to allow the Head of Audit and Risk to provide the Annual Audit Opinion. The one missed target relates to retaining five full time equivalent members of staff during the year. A senior auditor was appointed and joined the team in April, 2023 and external expertise is being utilised to fill any gaps while a secondment continues. This arrangement has proved so successful that it has been decided to keep the secondment vacancy unfilled to continue to provide the funding for the specialist expertise. All current members of the Internal Audit team are professionally qualified and the service has invested significantly to ensure they continue their professional development and stay up to date with emerging risks and developments within the sector. Under the Public Sector Internal Audit Standards internal audit services are required to have an external quality assessment conducted by a qualified independent assessor or assessment team from outside the organisation once every five years. An external assessment of the Isle of Anglesey Internal Audit Service was conducted by Flintshire County Council in September 2022 and concluded in May 2023. The outcome of the assessment is the subject of a separate report to this meeting.
In response to questions by the Committee about the outstanding action pertaining to the Leisure Service booking system dating back to 2018/19 and about providing assurance about the corporate health of the Council as an entity in terms of trends and direction of travel, the Head of Audit and Risk confirmed that the outstanding action in the Leisure Service is rated moderate (yellow) and is not a cause for particular concern with work to address it forming part of the implementation of the new Leisure Hub system. Technical issues with the software supplier have caused a delay in agreeing a go live date for the system and the IT team is liaising with the supplier to agree a resolution. As for evaluating the Council as an organisation, from an Internal Audit perspective the information contained in Appendix B shows the reviews of red and amber residual risks in the strategic risk register over the course of several audit years and could be expanded upon to show any decline or improvement in performance in managing those risks. Additionally, the corporate self-assessment fulfils this function to a large part in terms of reviewing the Council’s performance and how well it is exercising its functions, using its resources, and implementing governance arrangements that are effective for achieving those two objectives and it provides a systematic review of the Council’s progress in meeting its duties over the year. With regard to financial health specifically, the Internal Audit review of financial resilience presented to the Committee in December 2022 suggested that CIPFA’S five indicators of public sector financial resilience could be applied to facilitate assessment of the Council’s long-term financial resilience and whether that is improving or deteriorating.
It was resolved to note the Internal Audit Annual Report for 2022/23 along with the Head of Audit and Risk’s opinion that for the 12 months ended 31 March, 2023, the Council had an adequate and effective framework for risk management, governance, and internal control subject to introducing and/or improving internal controls in some areas.
Supporting documents: