internal audit progress report – november 2017 · internal audit progress report – november...

Agenda Item No. 7 Appendix 1

Internal Audit Progress Report

November 2017

West Sussex County Council

Internal Audit Progress Report – November 2017

2

Contents:

1. Role of Internal Audit 3

2. Purpose of report 4

3. Performance dashboard 5

4. Follow Up Work 6

5. Executive summaries ‘Limited’ and ‘No’ assurance opinions 7-11

6. Planning and resourcing 12

7. Rolling work programme 12 – 18

8. Adjustments to the Plan 18 - 19

Annexe 1 – External Quality Assessment – Action Plan 20 – 25

Annexe 2 – Overdue ‘High Priority’ Management actions 26


3

1. Role of Internal Audit

The requirement for an internal audit function in local government is detailed within the Accounts and Audit (England) Regulations 2015, which states that a relevant body must:

‘Undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.’ The standards for ‘proper practices’ are laid down in the Public Sector Internal Audit Standards [the Standards – updated 2017]. The role of internal audit is best summarised through its definition within the Standards, as an: The County Council is responsible for establishing and maintaining appropriate risk management processes, control systems, accounting records and governance arrangements. Internal audit plays a vital role in advising the County Council that these arrangements are in place and operating effectively. The County Council’s response to internal audit activity should lead to the strengthening of the control environment and, therefore, contribute to the achievement of the organisations objectives.

‘Independent, objective assurance and consulting activity designed to add value and improve an organisations operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes’.


4

2. Purpose of report

In accordance with proper internal audit practices (Public Sector Internal Audit Standards), and the Internal Audit Charter the Chief Internal Auditor is required to provide a written status report to ‘Senior Management’ and ‘the Board’, summarising:

The status of ‘live’ internal audit reports;

an update on progress against the annual audit plan;

a summary of internal audit performance, planning and resourcing issues; and

a summary of significant issues that impact on the Chief Internal Auditor’s annual opinion. Internal audit reviews culminate in an opinion on the assurance that can be placed on the effectiveness of the framework of risk management, control and governance designed to support the achievement of management objectives of the service area under review. Assurance opinions are categorised as follows:

Substantial There is a sound system of control designed to achieve the objectives. Compliance with the control process is considered to be of a high standard and few or no material errors or weaknesses were found.

Satisfactory While there is a basically sound system, there are weaknesses which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.

No Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.


5

3. Performance dashboard

% Positive Customer Feedback

Compliance with Public Sector Internal Audit Standards

An ‘External Quality Assessment’ of the Internal Audit Service was undertaken by Mazars in December 2016. The report concluded:

‘It is our view that West Sussex internal audit service ‘generally conforms’ to the Public Sector Internal Audit Standards (PSIAS). *an action plan to further enhance service provision generated from the external assessment is detailed at Annexe 1

% of revised plan delivered

(incl carry fwd)

28% Complete

40% Yet to

Commence

32% Work in Progress

Target 90%

Actual 95 %


6

4. Follow Up Work High and medium priority recommendations are monitored for each directorate. The latest information on implementation % rate of high & medium priority recommendations accepted and due from 2015/16 onwards is as follows:

Directorate High Medium Number

Made Number Cleared

%’age Cleared

Number Made

Number Cleared

%’age Cleared

Corporate, Finance, Law & Transformation 14 13 93 176 142 81 Children, Adults’, Families, Health & Education 8 8 100 61 58 95 Economy, Infrastructure & Environment 10 9 90 40 34 85 Communities & Public Protection & Chief Fire Officer 0 0 N/A 11 5 45

Outstanding high recommendations are detailed in Appendix 2. The appendices include comments from officers in respect of status/action taken.

Not all completed actions as described by officers have been verified by Internal Audit. Where actions have been verified this has been stated on the table. All key recommendations will be checked by Internal Audit during the year and any outstanding or not satisfactorily completed will continue to be reported to this committee.


7

5. Executive Summaries of reports published concluding a ‘Limited’ or ‘No’ assurance opinion

Procurement Cards Directorate Sponsor: Finance, Performance & Procurement

Final Report Issued: September 2017

Assurance opinion:

Limited

Substantial Satisfactory No

Management Actions:

Summary of key observations: This review was carried out at the request of the Director of Finance, Performance & Procurement as a result of concerns over the compliant use of PCards. At the time of review there were 1,264 PCards in use across the organisation, a significant majority of which appeared to be operating in accordance with corporate guidance; however, there were instances of non-compliance. Such areas of non-compliance and poor behaviours are summarised below:

• Transactions not approved, and hence not subject to line manager scrutiny; • Missing receipts; • The General Ledger code used did not accord with the description or merchant or both; • The description of spend provided was insufficient; and • Spend of a type, or with a merchant, not permitted by the rules of the PCard scheme

The Compliance Team have focused enhanced resource on monitoring adherence to the scheme, and report monthly through a range of Key Performance Indicators, this had led to a marked increase in overall compliance in the review and approval of transactions.

There has also been a demonstrable improvement in behaviours and compliance over the last 12 months (in such areas as those highlighted above) during a period of enhanced senior management focus; however, there has been some regression in recent months coinciding with the high profile corporate push for compliance easing.

Recommendations from this review include a revision of existing guidance to include a strengthening of sanctions in response to continued poor behaviours and non-compliance. Management Response / Update: We have commenced implementing the management actions identified in the report. The issue continues to receive senior management focus and alternative procurement routes are being identified to reduce Procurement Cards expenditure.

0 High

18 Medium

0 Low


8

Business Resilience Directorate Sponsor: Communities & Public Protection & Chief Fire Officer

Final Report Issued: October 2017

Assurance opinion:

Limited


Management Actions:

Summary of key observations: The Business Continuity and Resilience Policy outlines a commitment to ensure required plans are in place in the event of an emergency or disruptive event and identifies responsibilities and accountabilities in delivery, testing and reviewing the plans. To support the policy the Authority has adopted a Corporate Response Recovery Plan and 18 Specific Incident plans. Analysis of the status of these plans on the Point identified a number as overdue for review, however, RET officers indicated that a majority of the plans had been reviewed and retained locally but had not been updated to the Point.

Each service is required to complete a Business Impact Analysis (BIA) document. This document identifies the key activities, critical recovery times, dependencies and the impact of disruption on services. Of the 80 BIA’s 10 were found to be incomplete and 62 had not been designated as approved. It was explained that organisational changes has presented challenge in coordinating the BIA assessments.

Following the production of the BIA the RET adviser will review the document and subject to approval by the Directorate it will be developed into a business resilience plan for the service function. From the 80 service business resilience plans available, 29 had been partially developed and 15 had not been completed. Further analysis highlighted that 17 of the 36 completed plans had exceeded their review date.

The WSCC Business Continuity and Resilience Policy states that all Business Continuity and Resilience plans should be exercised at least once every 2 years. A review of completed Service Continuity and Response plans indicated that only 16 of the plans had been exercised none of which were within the last two years. A full corporate multi agency exercise to test the corporate response to a disaster has not taken place but is being planned.

The Resilience & Emergency Team (RET) oversees the business continuity management tool and a database of documentation is available on the Resilience and Emergencies SharePoint page. It was acknowledged that the tool requires significant improvement and at the time of the audit is limited in functionality as a management tool and requires upgrading to a standard that will accommodate a satisfactory user experience and provide effective management information.

2 High

5 Medium

0 Low


9

Management Response / Update: Of the 7 recommendations made in the audit report October 2017 all of them were being worked on prior to the audit and 1 is now complete. The new WSCC Corporate Response & Recovery Plan (CR&RP) was published on 30 Oct 17 and work is now under way to review Supporting Plans. Once reviews are complete these will be distributed to Directors and Heads of Service for consultation prior to publication. A Training Needs Analysis is currently being conducted and this work will support the review of induction training for WSCC employees. Directorates and Services Business Continuity and Recovery (BCR) representatives have received training on the new Service Continuity Planning (SCP) Tool and in line with the Corporate BCR Policy have been asked to complete Business Impact Analysis (BIA) supported by their RET Advisors. Completed BIAs are to be signed off by Directors to enable the development of Business Continuity Plans (BCPs). Directors and Services have been further encouraged to identify and plan time to validate and exercise their plans, ideally before the Corporate Exercise from 05-08 March 2018 which has been approved and supported by the Corporate Leadership Team (CLT). Training for CLT and the Corporate Management Team (CMT) continues, with Directors attending a briefing day at Sussex Police HQ and further training planned for November 2017 and February 2018. The Resilience and Emergencies Team has the ability to design, deliver and facilitate a wide range of exercises which will enable directorates to exercise and verify their BCPs are fit for purpose, experience has shown that there are secondary benefits such as team building and leadership development from undertaking these exercises. The RET are undertaking analysis with partners in the Sussex Resilience Forum to ensure robust mutual support arrangements are in place supporting learning from the Major Incident at Grenfell in the summer of 2017. Joint training for WSCC CLT and Directors from Districts and Boroughs will take place in February 2018 to validate joint arrangements for response to Major Incidents in West Sussex. The focus remains on ensuring that WSCC is compliant with statutory regulations (Civil Contingencies Act 2004). This can only be achieved by Directors and BCR Coordinators ensuring that Business Impact Analysis and Plans are completed and Exercises conducted in line with the Corporate BCR Policy. As part of this compliance work RET will be presenting to the Corporate Management Team on Thursday 16th November 2017 to ensure that all 100 plus managers are reminded of the need to ensure the work is undertaken and delivered on time. Overall projected completion for all recommendations in the October 2017 audit will be Apr 2018.


10

Beechfield Secure Children’s Home Directorate Sponsor: Children’s, Adults, Families, Health & Education

Final Report Issued: October 2017

Assurance opinion:

Limited


Management Actions:

Summary of key observations: Beechfield Secure Children’s Home accommodates up to seven young people (10 - 17 years) under section 25 of the Children Act 1989. The home caters for a mix of children from West Sussex and out of county placements. This review was carried out at the request of the Director of Family Operations requiring a focus on financial controls and management at the home. Internal audit review found there to be a general culture of poor financial management involving insufficient scrutiny and challenge, key issues related to: • Purchasing Arrangements - concerns were noted with the manner in which general spending occurs, predominantly with the way P Cards were used. • Pocket Money - weaknesses were noted in the operation and recording of the accounts. • Residents’ Valuables - custody of residents' belongings was weak. Items were not appropriately recorded or held securely. Additionally items were

held for individuals no longer resident. • Staffing - due to the inaccessibility of records it was not possible to form an opinion of the effectiveness of staffing arrangements or the correctness of

claims. There was however found to be significant use of agency staff and levels of overtime claimed. • Security of Equipment - security of high value assets and equipment was poor, with no inventory in place. • Imprest Account/ Pre Paid cards – a pre-paid card was held in the name of the manager. This was used to withdraw cash which then functioned as a

petty cash account. Issues were highlighted with regard security of the card and PIN details in addition to the appropriateness of spend in some instances.

• Adequacy of Financial Records - there were concerns over the adequacy of a full audit trail to identify which young person a purchase was made for. This has an impact when recharging other authorities who have placed young people at the home.

During the course of the review additional observations were made and reported to management that were not directly related to financial management including the expiry of staff DBS checks and working arrangements in place that did not appear to benefit the operation of the home or optimise efficiency and effectiveness

4 High

26 Medium

8 Low


11

During the course of the audit, Beechfield was closed as a residential home and residents were moved elsewhere. Much work has been undertaken to improve the site and align systems and practices with WSCC policies and procedures. Beechfield is anticipated to re-open late October/ early November 2017. Our recommendations have been used to inform improved operations once Beechfield re-opens.

Management Response / Update: Robust action has been taken in relation to the requirements as noted above: The number of P-cards has been significantly reduced to 3. This will ensure good practice in relation to P-card spend. A range of new Policies have been devised including one covering issues such as the recording of what pocket money is spent on – these policies have been through our internal QA procedure and will be inspected by OFSTED in terms of meeting the requirements of the Children’s Homes Regulations. All resident’s valuables will be recorded upon admission. There is now lockable storage available for each young person’s valuable possessions. All items that belonged to young people who had left have now all been returned to them or their Social Worker. The staffing establishment has been increased and new staff have been recruited to fill vacancies. The sessional staff ‘bank’ has also been increased thereby enabling minimum reliance on agency staff going forward. Any additional pay claims can only be authorised by the Registered Manager or Assistant Team Manager. An inventory has been started to record assets and equipment. The Pre-paid card is now managed by the Interim Service Manager – it is locked away and the PIN code is only known to the Service Manager. There is a requirement for all petty cash spend to be approved and recorded by one of the management team. A spreadsheet to record spend against individual young people has been developed which will include e.g. pocket money spend. All DBS checks are in place, and in date. Working arrangements have been changed to ensure business requirements are fully met. In addition the Beechfield Unit has been a standing item at Cabinet where updates are provided on a weekly or fortnightly basis. We anticipate that Beechfield will re-open early December 2017 subject to the approval of OFSTED.


12

6. Planning & Resourcing The internal audit plan for 2017-18 was approved by the County Council’s Executive Leadership Team and the Regulation, Audit & Accounts Committee in March 2017. The audit plan remains fluid to provide a responsive service that reacts to the changing needs of the County Council. Progress against the plan is detailed within section 7 7. Rolling Work Programme

Audit Review Audit

Sponsor Scoping Audit

Outline Issued

Fieldwork Draft Report Issued

Final Report Issued

Assurance Opinion

Comment

Procurement Cards FP&P Aug 17 Sept 17 Limited

Cyber Security FP&P April 17 July 17 Satisfactory

Beechfield CAFH&E Oct 16 Sept 17 Limited

Capita Services & Contract FP&P Q4

Service Business Resilience Plans C&PP Oct 17 Oct 17 Limited

GDPR Compliance FP&P

Procurement FP&P

Safeguarding Children CAFH&E Q4

Direct Payments CAFH&E


13

Audit Review Audit Sponsor

Scoping Audit Outline Issued


Final Report Issued

Assurance Opinion

Comment

IT Needs Assessment FP&P

Telecommunications FP&P

On-going audit needs assessment and

assurance mapping to inform the audit plan

Q4

IT Infrastructure FP&P

E-mail / Exchange Server FP&P

PC End User Controls FP&P

Access Control FP&P

Risk Management FP&P Q4

Project Management EIE Q4

Payroll FP&P May 17 June 17 Satisfactory

Accounts Payable FP&P May 17 Oct 17 Satisfactory

Fire Core Systems C&PP May 17 June 17 Satisfactory

Accounts Receivable FP&P

Main Accounting System FP&P

Capital Accounting & Monitoring FP&P


14




Final Report Issued

Assurance Opinion

Comment

Treasury Management FP&P

Payments FP&P

Pension Administration FP&P

Internally Managed Investments FP&P

Externally Managed Investments FP&P Sept 17

Payroll FP&P

Fire Core Systems C&PP Q4

Social Care Feeder Systems CAFH&E Q4

Pensions – External Bodies FP&P June 17 July 17 Satisfactory

Waste Strategy EIE May 17 June 17 Satisfactory

No Recourse to Public Funds CAFH&E

Agency Staff HR&OD Aug 17

Health & Safety L&A Aug 17

Crawley Schools PFI CAFH&E Q4


15




Final Report Issued

Assurance Opinion

Comment

Special Education Needs CAFH&E Q4

Public Health Contracts CAFH&E Q3

Domiciliary Care CAFH&E Q4

Customer Financial Administration CAFH&E Q4

Public Transport Contracts EIE

Fleet Management C&PP

Early Years Payments to Providers CAFH&E

Prevent CAFH&E Oct 17

IR35 Compliance TC&SS Q4

Scheme of Delegation L&A Q4

Coroner C&PP - - - - - - Advisory

Grant Claims FP&P N/A N/A N/A

Think Family CAFH&E N/A N/A N/A

Singleton Primary CAFH&E April 17 April 17 Substantial

Oathall CAFH&E Mar 17 May 17 Satisfactory

Steyning Grammar CAFH&E April 17 May 17 Substantial

Horsham Nursery School CAFH&E Jul 17 Sep 17 Substantial

West Sussex Alternative Provision College CAFH&E Q4

Bersted Green Primary School CAFH&E Q4


16




Final Report Issued

Assurance Opinion

Comment

London Meed Community Primary School CAFH&E Jul 17 Sep 17 Satisfactory

Northchapel Primary School CAFH&E Aug 17 Oct 17 Satisfactory

Amberley C.E. First School CAFH&E Oct 17

St James' C.E. Primary School CAFH&E Oct 17

Rogate C.E. Primary School CAFH&E

Shipley C.E. Primary School CAFH&E

Steyning Primary CAFH&E Q3

Yapton C.E. Primary School CAFH&E Q4

Easebourne C.E. Primary School CAFH&E Q4

Lyndhurst Infants CAFH&E Q4

The March C.E. Primary School, CAFH&E Q4

Bishop Tufnell C.E. Infant School, Felpham CAFH&E Q4

English Martyrs Catholic Primary School CAFH&E Q4

Oriel High School CAFH&E Jul 17 Aug 17 Satisfactory

Millais School, Horsham CAFH&E Oct 17

Bourne Community College CAFH&E

Ifield Community College, Crawley CAFH&E

Felpham Community College CAFH&E

St Andrews High School CAFH&E Aug 17

Littlegreen School CAFH&E Q3


17




Final Report Issued

Assurance Opinion

Comment

Woodlands Meed CAFH&E Q4

Cissbury Lodge CAFH&E May 17 Jul 17 Satisfactory

Orchard House CAFH&E Sep 17 Sep 17 Satisfactory

May House CAFH&E Sep 17 Oct 17 Substantial

18, Teasel Close CAFH&E Q4

Beechfield (Follow up) CAFH&E Q4

Hammonds CAFH&E Jun 17 Aug 17 Satisfactory

Tozer House CAFH&E Aug 17 Aug 17 Satisfactory

Strawford Centre CAFH&E Jun 17 Jul 17 Satisfactory

New Tyne Resource Centre CAFH&E Aug 17 Aug 17 Substantial

Cash Handling – Thematic FP&P

Audit Sponsor

Director of Finance, Performance & Procurement (s151) FP&P Director of Human Resources & Organisational Development (Interim) HR&OD Director of Law & Assurance L&A Executive Director of Communities & Public Protection C&PP Executive Director of Economy, Infrastructure & Environment EIE Executive Director of Children’s, Adults, Families, Health & Education CAFH&E


18

8. Adjustment to the Internal Audit Plan

Audit reviews removed from the plan

Contract Variations Removed Amalgamated into one procurement review.

Contract – Single Tender / Waivers Removed Amalgamated into one procurement review.

Fostercare Removed Ongoing service review. Removed to avoid duplication.

Direct Payments – Adults Removed Amalgamated into combined DP review with children direct payments

Highways Asset Management System Removed Requirement from CIPFA/LASAAC to move to depreciated replacement cost (DRC) postponed.

Unaccompanied Asylum Seeking Children Removed Originally in the plan due to the risk of increasing number. This trend has since plateaued and the risk reduced.

Serious Case Reviews Removed A consultant has been commissioned by the department to review how the organisation learns from SCRs and how such learning is disseminated. Our assurance will be taken from this piece of work.

Audit reviews added to the plan

Prevent CAFH&E Addition Request from Executive Director of CAH & E for assurances over Council’s responsibilities / accountabilities in relation to the Prevent Strategy.

Early Years Payments to Providers CAFH&E Addition Request from the Director of FP&P to review the control environment for the payment to early years providers.


19

Risk Management FP&P Addition Assurances over the embeddedness of risk management arrangements due to relative infancy of strategy and framework.

Project Management Review TC&SS Addition Assurance over the project management framework incl. governance to support the effectively delivery of the Council’s significant change agenda.

IT Needs Assessment FP&P Addition To ensure the appropriate focus of internal audit resource across the IT environment.

Safes & Cash Handling FP&P Addition Request from the Director of FP&P to review the control environment for cash handling across the Councils various establishments.


20

Annexe 1

External Assessment – Action Plan

Recommendation Management Action Priority Responsible Officer

(Due Date)

Comments

1. The Internal Audit function should undertake a detailed identification of the key outcomes, corporate and operational risks and map these to the assurance requirements of the Council. The outcomes of the new Chief Executive’s ‘100 day plan of action’ will allow Internal Audit to understand and adapt to the different needs and expectations in place in identifying where it needs to focus its coverage in both providing assurance on the adequacy of the other assurance activities, where these exist, and to focus its core assurance (and advisory) work. There is also a need to ensure that the risks identified during the planning process are followed through when formulating and agreeing audit planning memorandums and delivering the audit work.

Ongoing audit needs assessment will incorporate / acknowledge key strategic policies (Chief Executive’s 100 day plan; Future West Sussex Plan etc.) to ensure internal audit are best positioned to add value and assist the organisation in the achievement of their objectives. A process of assurance mapping will be introduced to identify and record the key sources of assurance that inform management and those charged with governance on the effectiveness of the key controls / processes that are relied on to manage risk and achieve the organisations objectives. In forming ‘terms of reference’ at an assignment level a ‘golden thread’ will be evidenced between assessed service risks and the objectives reviewed on which the assurance opinion is to be based.

High Neil Pitman, Head of Audit (Interim)

Keith Phillips, Audit Manager

Rob Allen, Audit Manager

(April 2018)

Complete

A new template has been introduced as part of the audit scoping to formally

assess and document risks specific to the area

under review and align to service objectives to

ensure relevant focus.


21


(Due Date)

Comments

2. With the support of the Internal Audit function, the Council should continue in its attempts to embed a Risk Management Framework across the Council. This will allow a more transparent linking of Internal Audit plans, the nature and coverage of individual assignments, work performed and reports, against key Council outcomes and risks.

Future internal audit planning will include review of risk registers as a primary source of reference in the assessment of audit needs. This in turn will advocate the importance of the risk registers / risk management as part of the governance framework. In forming ‘terms of reference’ at an assignment level a ‘golden thread’ will be evidenced between assessed service risks and the objectives reviewed on which the assurance opinion is to be based.

High Neil Pitman, Head of Audit (Interim)

(Jan 2018)

Complete

Risk registers are now established within the organisation and the

internal audit team have access to view them to inform audit planning.





3. The Audit Charter should be refreshed and communicated consistent with the new PSIAS requirements to clarify:

• Internal Audit’s role as an objective assurance function which is truly independent of management, yet providing robust challenge to management’s response to key business risks; and

Revise, endorse and communicate the internal audit charter to reflect internal audit’s role and responsibilities reflective of the organisational risk. Formulate an internal audit business plan aligned to the organisations priorities, objectives and risks.

Medium Neil Pitman, Head of Audit (Interim)

(Sep 2017)

Complete

Business plan produced and aligned to directorate

and organisational priorities (July 2017)


22


(Due Date)

Comments

• Internal Audit objectives that are fully aligned with the outcomes of the new Chief Executive’s ‘100 day plan of action’ and wider business objectives

Internal audit charter revised and presented to the Regulation Audit & Accounts Committee

(September 2017)

4. Due to the high level of senior management turnover, the HoIA and the Audit Managers should develop closer relationships and improve communications with senior management across all areas within the Council’s remit. Internal Audit should have regular access to senior management (e.g. via meetings of the corporate leadership team, attendance at and providing input to governance and transformation boards, Internal Audit work reflected in the quarterly management reports etc.) to clearly identify and communicate common themes and emerging issues.

To introduce quarterly (minimum) liaison meetings with Executive Directors and their Senior Management Teams to discuss ongoing internal audit work, relevant departmental risks, upcoming departmental initiatives, horizon scanning etc. Establish clear and timely reporting protocols to CLT, ELT and RAAC etc.

Medium Neil Pitman, Head of Audit (Interim);

Keith Phillips,

Audit Manager;

Rob Allen, Audit Manager

(July 2017)

Complete

Quarterly meetings scheduled with

Directorate Management Teams

(July 2017)

Quarterly progress reports timetabled to

follow due governance through Senior

Management and the Regulation Audit &

Accounts Committee

(July 2017)


23


(Due Date)

Comments

5. To improve the efficiency and effectiveness; the Internal Audit function should consider the use of techniques such as control risk self-assessment and/or annual testing through a more CAATS-focussed continuous testing approach making use of the data analytics module offered by TeamMate

The compile a ‘Data Analytics Strategy’ to formulate an approach to the effective use of data.

Medium Neil Pitman, Head of Audit (Interim);

Keith Phillips, Audit Manager

(Dec 2017)

Complete

A data analytics strategy presented to the

Regulation Audit & Accounts Committee

27 November 2017.

(Appendix 2)

6. The audit manual should be updated to clearly define the requirements of a more overtly focused top-down risk-based internal audit approach to be consistently applied across the Internal Audit function.

The approach should clarify the distinct roles of management and internal audit in the design, operation and monitoring of controls; and also make a clear distinction between control design (adequacy of control) and operation (effectiveness of control).

Audit protocol(s) to be reviewed to embed a risk based audit approach to auditing. This will include reference to relevant directorate / corporate risk registers and the introduction of a risk assessment template to consider and appropriately align service risks to objectives assessed for review as part of the assurance engagement.


Audit Team

(Aug 2017)

Complete

Risk registers are now established within the organisation and the

internal audit team have access to view them to inform audit planning.






24


(Due Date)

Comments

7. The Council should give consideration to devoting additional resources to enable a proactive response to fraud risk management in: • Developing a counter-fraud culture to

increase resilience to fraud; • Preventing fraud through appropriate

and robust internal controls and security measures;

• Using techniques such as data matching to validate data; and

• Publicising the Council’s anti-fraud and corruption stance and the actions it takes against fraudsters

Develop and maintain a ‘Fraud Risk Plan’ to compliment the Internal Audit Plan in allocating resources to support proactive fraud initiatives in the prevention and detection of fraud.

Medium Neil Pitman, Head of Audit (interim),

Nick Barrett,

Principal Auditor

(Sep 2017)

Complete

A ‘Fraud Risk Plan’ has been developed and

presented to the Regulation Audit &

Accounts Committee (Sept 2017)

8. To ensure an effective, efficient, focussed and consistent approach across all Internal Audit teams; Internal Audit staff should receive refresh training in the focused top-down risk-based internal audit approach

To revise and implement internal audit protocols to ensure a top-down risk-based audit approach to annual planning processes and at an assignment level. Training to be provided to all internal audit staff with regard the principles and application of revised protocols


(Sept 2017)

Ongoing

Training is being scheduled for to provide

internal audit staff an overview of the risk

based audit approach. Additionally internal

protocols / templates are being updated to

accommodate the risk based approach.


25


(Due Date)

Comments

9. Given the changes happening across the Council; the format and content of assignment, progress and Regulation, Audit & Accounts Committee reports should be reviewed to ensure these identify key themes and future or potential risks. Consideration should also be given to introducing some more forward-looking updates, including key themes and current issues once the more rigorous approach to performance and risk management becomes embedded across the Council

To review the format and content of reports at all levels (assignment, CLT, ELT and RAAC). Utilise existing channels through the Southern Internal Audit Partnership and networking groups (CCAN, HCCIAG) to attain insight into good practice evident in other Local Authority partners

Medium Neil Pitman Head of Audit (Interim)

(Sept 2017)

Complete

Report templates have been enhanced to more effectively communicate internal audit outcomes

in accordance with the PSAIS

(Sept 2017)

10. The Internal Audit function should explore opportunities to maintain and improve completion rates of customer satisfaction surveys issued via TeamMate

To review existing customer satisfaction surveys and the relative engagement of key stakeholders. Determine the most effective model and media of engagement moving forward.

Low Neil Pitman, Head of Audit (Interim)

(Oct 2017)

Ongoing

Currently exploring / benchmarking alternative methods of engaging and receiving feedback from

stakeholders


26

Annexe 2

Overdue ‘High Priority’ Management Actions

Recommendation Management Action(s) Due Date Comments Ethical Governance –April 2017 The authority needs to determine whether the current part 5 Section 9 within the constitution is acceptable and fit for purpose. If this is not deemed to be the case then a code of conduct should be considered that prescribes fully what the expectations are for maintaining integrity of employees and the processes for raising and recording any areas which may bring this into question.

A review of this element of the constitution will be undertaken to ensure officers have a clear set of rules in relation to conduct.

June 17

Director of Law, Assurance & Strategy Actioned - Text and scope of the Code of Conduct reviewed by Director of Law, reviewed by the Standards Committee and subsequently endorsed by full Council.

Once in place this framework should be measured in terms of compliance and should feature as part of the monitoring framework for ELT (as per the key findings in the previous section)

Action will also be taken to describe and communicate the mechanisms to ensure compliance to the code can be recorded and measured and will identify how compliance will be monitored. Alignment with related disciplinary and HR policies and guidance will be undertaken.

June 2017 Jan 2018

Director of Human Resources & Organisational Development (Interim) There is a review of all HR policies currently underway, this will incorporate alignment with Codes of Conduct, disciplinary & other policies relevant to compliance.

Audit Summary of outcomes: Employees will have clear guidance around conduct and expectations. This will also include monitoring compliance with the code and ensuring any areas where learning or training is identified as needed are addresses.

internal audit progress report – november 2017 · internal audit progress report – november...

Documents