INTERNAL AUDIT PROGRESS REPORT
Date: 23 October 2023
Annex 1
  BACKGROUND

1            Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

2            The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government and the CIPFA Statement on the role of the Head of Internal Audit.

3            In accordance with the PSIAS, the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit Committee, and to identify any emerging issues which need to be brought to the attention of the committee.

4            The internal audit work programme was agreed by this committee in June 2023. The plan is flexible in nature and work is being kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the Council.

5            The purpose of this report is to update the committee on internal audit activity up to 6 October 2023.

    INTERNAL AUDIT PROGRESS

6            This is the first internal audit progress report for North Yorkshire Council. 

7            In the period to 6 October 2023, nine audit reports have been finalised. A further four audits have been reported in draft. Work has also started in a number of areas. Further detail on the work completed and underway is included in appendix A. We are also in the process of planning a number of other audits which we are aiming to start this quarter.

8            We have been meeting regularly with officers to provide support and advice, further understand council arrangements, discuss risks and confirm areas of ongoing and future work. A key priority remains targeted work on the Council’s key financial systems. This work involves understanding and testing the continued operation of key controls, reviewing identified areas of weakness, answering ad-hoc queries, supporting transformation and considering specific data quality, system transfer and other relevant matters. 

9            In determining which audits will actually be undertaken, the priority and relative risk of each area will continue to be considered throughout the remainder of the year, and as part of audit planning for 2024/25 which will commence towards the end of quarter 3. Consideration will also be given to the coverage of each of the 11 key opinion assurance areas when prioritising any remaining work during 2023/24.

10        The work programme showing current priorities for internal audit work is included at appendix B, where we categorise work as ‘do now’, ‘do next’ and ‘do later’. These timescales are subject to change and work priorities may also change during the year depending on the ongoing consideration of risk.

11        Appendix C summarises the key findings from the completed audits and the actions agreed with officers to address the identified control weaknesses[1]. Appendix D lists our current definitions for action priorities and overall assurance levels.

      EXTERNAL QUALITY ASSESSMENT (EQA)

12        To comply with the Public Sector Internal Audit Standards (PSIAS), internal auditors working in local government are required to maintain a quality assurance and improvement programme (QAIP). As part of this programme, providers are required to have an external assessment of their working practices at least once every five years.

13        An external assessment of Veritau’s internal audit working practices was undertaken between June and August 2023, by John Chesshire, an approved reviewer for the Chartered Institute of Internal Auditors.

14        The report concluded that Veritau internal audit activity generally conforms to the PSIAS[2] and, overall, the findings were very positive.

15        The feedback included comments that the internal audit service was highly valued by its member councils. Key stakeholders felt confident in the way Veritau had established effective working relations, both in our approach to planning, and the way we engaged flexibly with our clients throughout the internal audit process, at both strategic and operational levels.

16        The report concluded that Veritau generally conforms to 59 of the 60 applicable principles. A copy of the full EQA report is included at annex 2. One area for improvement was highlighted relating to assurance mapping. The recommendation and our response are included in the table below: 

Recommendation: The CAE should continue to develop a proportionate, formal approach to assurance mapping, coordination and where appropriate, reliance, to enhance the function’s risk-based planning, delivery and the effectiveness of assurance provided to key stakeholders.

Response and Action Date: Agreed – we will develop our approach to assurance mapping and working with other internal and external assurance provision. The approach will be flexible to reflect the different sectors and clients we provide internal audit services to.

Target implementation date: 31 March 2024

   FOLLOW-UP OF AGREED ACTIONS

17        It is important that actions agreed to address previously reported findings and internal control matters are regularly and formally followed up.

18        As part of planning our 2023/24 work we have used our knowledge to focus on known risk areas based on our previous work. We have carried over all key findings which relate to systems and processes which continue to be operated by NYC. All relevant actions agreed with services have been and will be followed up to ensure that underlying control weaknesses are addressed.

19        We currently have no matters to report to the Committee as a result of our follow-up work. We will provide members with a more detailed picture of outstanding actions in our March 2024 progress report.

APPENDIX A: INTERNAL AUDIT WORK IN 2023/24

Audits in progress

Audit | Status
Liquidlogic (adult social care system) | Draft Report issued
Information security incident – adult social care system (Liquidlogic and ContrOCC) | Draft Report issued
Highways performance management | Draft Report issued
Payroll | Draft Report issued
General ledger – various | In progress
Creditors – various | In progress
Sundry debtors and debt recovery | In progress
Income collection and receipting | In progress
Revenues | In progress
Housing benefits | In progress
Budget monitoring | In progress
Governance arrangements | In progress
Health and safety | In progress
Highways Ringway contract demobilisation | In progress
Housing stock conditions surveys | In progress
Housing rents | In progress
Yorwaste performance management | In progress
Schools Themed Audits – Business Continuity | In progress
Children’s direct payments | In progress
Early years payments | In progress
Aftercare services for mental health (s117) | In progress
Court of Protection | In progress
Care home providers | In progress
IT access controls | In progress

Final reports issued

Audit | Issued | Opinion
Main accounting | June 2023 | Substantial Assurance
Developing stronger families | June 2023 | No opinion given
Creditors | July 2023 | Substantial Assurance
Fairburn CP School | July 2023 | No opinion given
Pension fund – investments | August 2023 | Substantial Assurance
Schools themed audits - schools ICT | September 2023 | Limited Assurance
Pension fund - income | September 2023 | Reasonable Assurance
Schools themed audits - related party transactions | October 2023 | Reasonable Assurance
Debtors | October 2023 | Reasonable Assurance

Other work completed in 2023/24

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

·        Certification of a number of returns, including the LEP Growth Hub Grant Fund, local transport grant, bus subsidy operators grant, education skills funding agency sub-contracting, home upgrade grant and changing places fund

·        Direct support for the NYC finance function

 


 

APPENDIX B: CURRENT PRIORITIES FOR INTERNAL AUDIT WORK

Audit | Timing: Do now | Do next | Do later

Strategic and Corporate risks
Council plan and performance | | ✓ | ✓
Council transformation plans | | ✓ | ✓
Budget management, monitoring and reporting | ✓ | |
Governance | ✓ | |
Information governance | | |
Information security incident reviews | ✓ | ✓ | ✓
Records management | | | ✓
Council complaints | | ✓ |
Risk management | | ✓ |
Climate change | | ✓ |
Health and safety | ✓ | |
Asset management | ✓ | |
Procurement | | ✓ | ✓
Contract management | ✓ | ✓ | ✓
Business continuity | ✓ | |
Partnerships | | | ✓
Staff registers of interests | ✓ | |
Council companies and other commercial operations | | ✓ |
Combined authority and devolution | | ✓ |
Transparency code | ✓ | |
CIPFA financial management code | | ✓ |

Technical / Project Risks
Support and advice for council and service transformation | ✓ | ✓ | ✓
Involvement in specific service areas developments | ✓ | ✓ | ✓
Project advice / implementation | ✓ | ✓ | ✓
ICT governance | | ✓ |
ICT access controls | ✓ | |
ICT change management | | ✓ |
ICT disaster recovery | | | ✓
ICT other work | | | ✓

Financial Systems
Main accounting system | ✓ | ✓ | ✓
Creditor payments | ✓ | ✓ | ✓
Sundry debtors, including debt recovery | ✓ | ✓ | ✓
Payroll | | ✓ |
Income collection and receipting | ✓ | |
Treasury management | ✓ | |
Revenues | ✓ | ✓ | ✓
Benefits | ✓ | ✓ | ✓
Rents | ✓ | ✓ | ✓

Service Area Related
Community infrastructure levy and s106 agreements | | | ✓
Other planning areas | ✓ | |
Housing stock condition surveys | ✓ | |
Homelessness | | ✓ |
Economic development | | | ✓
Community Development income controls | ✓ | |
Licensing | | ✓ |
Waste | ✓ | |
Highways performance management | ✓ | |
Developing stronger families | ✓ | | ✓
Children’s direct payments | ✓ | |
Children leaving care | ✓ | |
Special educational needs | ✓ | |
Early years payments | ✓ | |
Maintained schools | ✓ | ✓ | ✓
Schools themed audits | ✓ | ✓ | ✓
Schools financial value standard | | | ✓
Adult learning | | ✓ |
Visits to care providers | ✓ | ✓ | ✓
Aftercare services for mental health (s117) | ✓ | |
Scheme of delegation | | | ✓
Social care financial assessments | | ✓ |
Adults’ direct payments | | | ✓
Court of Protection | ✓ | |
Payment to care providers – provider portal | | ✓ | ✓
Liberty protection safeguards | ✓ | |
Continuing healthcare (adults) | | ✓ |
Public health | | ✓ |

Pensions Fund
Pensions expenditure | | | ✓
Pensions income | | | ✓
Pensions investments | | ✓ |
Attendance at pensions board | ✓ | ✓ | ✓

Other assurance work
Follow-up of previously agreed management actions | ✓ | ✓ | ✓
Gaining understanding on the evolving systems and processes at the new council | ✓ | ✓ | ✓
Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control | ✓ | ✓ | ✓
Continuous assurance work, including data analytics and data matching projects | ✓ | ✓ | ✓
Attendance at, and contribution to, governance- and assurance-related working groups | ✓ | ✓ | ✓


APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

System/area | Opinion | Area reviewed | Date issued | Comments | Management actions agreed

Main Accounting System

Opinion: Substantial Assurance

Area reviewed: The council uses Oracle Financials as its main accounting system. We reviewed the system during 2022/23 to ensure:

·         User access was appropriate for users to prevent unauthorised system changes

·         Accounting journals were appropriately authorised

·         Suspense accounts were monitored and cleared regularly

·         Bank reconciliations were undertaken regularly and appropriately authorised and retained.

Date issued: June 2023

Comments: The system prevents access from anyone who has not used Oracle for 8 weeks. Systems support also perform an annual check by providing managers with details of who has access to systems and whether continued access is required. From our sample review all employees had appropriate user access considering the role they were working in.

All journals sampled were in the required format and were input and posted by the same employee. Council policy is for journals not to be checked or authorised before posting. Officers explained that due to the high volume of journals and limited resources it was not practical, and this has been subject to discussion with external audit. Management was satisfied with the controls in place and rely upon the budget monitoring framework and formal quarterly performance reporting to identify any material issues.

Suspense accounts were monitored and cleared on a regular basis.

From the three reconciliations reviewed, all had been reconciled but only one showed evidence of review and approval.

Management actions agreed: 1 x Priority 3 action was agreed.

Responsible Officer(s): Senior Accountant Corporate Finance and systems.

Evidence of review and approval retrospectively documented.

Action completed.

Developing stronger families (June 2023)

Opinion: No opinion

Area reviewed: The Developing Stronger Families return is an established funding requiring regular auditing.

Date issued: June 2023

Comments: The sample tested was found to be accurate and suitable evidence was identified to substantiate the inclusion of each individual case checked.

Management actions agreed: No management actions.

Creditors

Opinion: Substantial Assurance

Area reviewed: We reviewed the arrangements in place to ensure that:

·         orders are authorised and goods and services received in line with Council policies and procedures

·         invoices are paid in line with defined timescales

·         duplicate payment of invoices is prevented

·         checks are conducted when a supplier requests to change bank details.

Date issued: July 2023

Comments: P2P orders were raised in compliance with the ‘no purchase order, no pay’ policy.

Many manual orders do not go through the centralised ordering process, with service areas raising their own orders, and then sending the invoices and coding blocks to the Accounts Payable (AP) team for payment. Sample testing noted some instances of improvement in the completion of these orders. There were also some cases where the officer coding the expenditure did not have sight of evidence that goods receipt checks had been conducted.

Daily duplicate checks are carried out through AP forensics to identify any true duplicates. Our data analysis covering 9 months of 2022/23 payments confirmed no true duplicate payments had occurred.

Procedures are in place to help ensure the appropriate checks are completed when a supplier requests to change bank details. From our sample reviewed, some improvements can be made to the completion of the necessary paperwork.

Management actions agreed: 5 x Priority 3 actions were agreed.

Responsible Officer(s): Business Support Manager.

Manual purchase order guidance was to be issued to all services using manual orders by 30 September 2023.

The Council will ‘on board’ more services to use the iProc P2P system. This will be restarted following the finance restructuring and is planned to be completed by 31 December 2023.

New supplier checking paperwork was developed as part of the LGR process and was rolled out on 1st April.

Incomplete forms to be returned to service for completion. AP team are not to process any incomplete forms. The payments team within Exchequer to flag if incomplete forms found to have been processed.

Fairburn CP School

Opinion: No opinion given

Area reviewed: The purpose of the work was to provide assurance to NYC management, Governors and the Headteacher that:

·         effective governance arrangements were in place at the school

·         recruitment, payroll and staffing processes were carried out appropriately

·         procurement activities were performed appropriately

·         the budget was reported and reviewed by Governors on a regular basis.

Date issued: July 2023

Comments: Work identified a number of issues and weaknesses.

The school has been in a deficit position since 2018 and appeared to be making financial decisions to incur additional expenditure that may not be essential without evidence of appropriate challenge from governors.

There was a lack of evidence of approval for the appointment of a school governor to a paid position.

By ordering online, using Barclaycard and Amazon, and reimbursing staff directly, the school was circumventing normal purchasing arrangements, and the approval of purchases occurs retrospectively. These purchasing methods are used frequently and appear to be used on occasions where normal purchasing methods could be used.

The frequency of applications for cash advances suggests the school does not have adequate financial planning in place to mitigate those occasions when additional monthly expenditure is incurred.

Management actions agreed: 1 x Priority 2 and 5 x Priority 3 actions were agreed.

Responsible Officer(s): Headteacher, Governors and Full Governing Body.

All but one action was completed prior to the final report being issued.

A best value book will be completed for every purchase over £100 and every 10th purchase. The finance committee will monitor, record and report to full governor meetings to ensure best value is being achieved.

The Barclaycard statement will be reviewed, and each finance meeting will challenge any relevant purchases.

A cash flow system has been implemented.

Skills audit tool has been sent to all governors.

Schools Themed Audits - Schools ICT

Opinion: Limited Assurance

Area reviewed: In recent years there has been a steadily increasing number of high-profile cybersecurity incidents targeting schools.

We reviewed IT security and managed service provider governance arrangements within maintained schools to ensure that:

·         IT security governance, risk management and external assurance arrangements are in place

·         IT assets are managed and appropriate logical access controls are required

·         networks, servers and firewalls are appropriately configured, patched and maintained

·         suitable policies and procedures are in place to enable data recovery and respond to cyber incidents

·         governors, staff and pupils regularly receive appropriate cybersecurity training.

Date issued: September 2023

Comments: Adequate oversight of managed IT service providers is not always being exercised. Governor and senior management responsibilities for overseeing IT outsourcing were often not defined and the risks from outsourcing not regularly assessed.

IT-specific disaster recovery plans were not always in place. Of the ten schools sampled, seven had no plans in place. Of the three which did, only one had tested the plan.

Whilst all schools sampled confirmed backups were taken, the extent to which these met best practice varied. Only three of the ten schools sampled met best practice rules for backups, and only two had tested the restorability of the data.

Staff and Governors did not always receive suitable cybersecurity training. Four schools had not offered any cyber security training to staff or governors. Only one school was following recommended Department for Education best practice to provide annual NCSC cyber security training to all staff and governors. In the event of a claim under the Risk Protection Arrangement (RPA), the school will have to demonstrate evidence of the training being undertaken.

Management actions agreed: 5 x Priority 2 actions were agreed.

Responsible Officer: Head of Finance - Schools & Early Years & High Needs.

All actions have a deadline of 31 March 2024 for completion.

The findings from the audit and new resources to support schools in managing IT security will be communicated to schools via Headteacher briefings, Governor network meetings and School Admin & Finance Conferences.

The NYES training offer and free audit on cyber-security and IT disaster recovery arrangements will be promoted.

A review of the RPA terms and implications for schools in terms of IT security actions will be undertaken. Schools will be reminded of the actions required to be in place in order to comply with the insurance cover requirements.

Related Party Transactions (Schools Themed Audit)

Opinion: Reasonable Assurance

Area reviewed: The Department for Education requires all maintained schools to submit details of any related party transactions (RPTs) alongside their annual School Financial Value Standard submissions. North Yorkshire Council has issued its maintained schools with best practice guidance and created a termly return cycle to support and monitor these types of transactions.

We reviewed a sample of 12 schools’ arrangements to ensure that:

·         declarations of interest are managed appropriately and remain up to date

·         best value exercises are undertaken, prior to entering into an RPT

·         appropriate approval is sought from the governing body

·         where competitive tendering cannot be undertaken, best value forms were completed

·         contracts and agreements, with RPTs, are managed appropriately and insurance obtained where necessary.

Date issued: October 2023

Comments: All 12 schools had disclosed RPTs in the last two years. Most schools sampled generally managed declarations of interest well and these were mostly up to date for governors and staff with key financial responsibility.

However, some schools have not been consistent in identifying related party transactions. Some transactions were identified which should have been categorised as related party transactions.

Best value exercises are not always being undertaken to compare best value between the related party and alternative suppliers. Where direct awards have been made to a related party, the best value form, supplied by the Council, is not always being sufficiently completed to support the decision.

Governing body approval is not always being obtained in accordance with the Council’s guidance. Those with related party connections are often involved in the authorisation of payment.

Public liability insurance is not being sought consistently from related parties undertaking works on school premises.

Management actions agreed: 2 x Priority 2 and 2 x Priority 3 actions were agreed.

Responsible Officer: Head of Finance – Schools & Early Years & High Needs.

The Council’s Related Party Transactions Best Practice Guidance will be updated to reflect the findings of the audit work.

A briefing note will be provided to schools on the findings from the audit and a reminder of the associated process requirements.

Schools will be reminded at the Autumn 2023 term School Admin & Finance Conference of the requirement to identify and categorise related party transactions.

All actions are planned to be completed by 31 October 2023.

Sundry Debtors

Opinion: Reasonable Assurance

Area reviewed: We reviewed the council’s arrangements in respect of:

·         the raising of invoices

·         reconciliation of income

·         debt management and write-off procedures.

Date issued: October 2023

Comments: The Council has processes in place for raising invoices. Testing found invoices were accurate and were suitably detailed.

A number of manual processes continue to exist including the issuing of payment reminders. Debt reports also have to be compiled manually by pulling information from different systems.

Management information showing the breakdown of debts for service areas and for those tasked with managing debt needs to be improved.

Management of some debts has been delayed and recovery action is not always being taken promptly.

There is no target in place for the time between service delivery date and an invoice being raised. Invoices do not always provide a date of service delivery and not all invoices were raised in a timely manner.

Local Government Reorganisation impacted significantly on the ability of relevant officers to progress some of the known weaknesses in the debtors’ system.

Management actions agreed: 1 x Priority 2 and 3 x Priority 3 actions were agreed.

Responsible Officer(s): Credit Control Manager, AR invoice raising teams, and service departments.

Improved systems reporting is ongoing. A new dashboard has been developed which will allow service departments to review their debt by cost centre. This will be rolled out to the service areas.

Automation of Reminder Letters and AR Reporting will be undertaken.

Work is also ongoing with those service areas generating high volumes of invoicing to develop a more coordinated approach to debt recovery.

All actions are due to be completed by 31 December 2023.


APPENDIX D: AUDIT OPINIONS AND PRIORITIES FOR ACTIONS

Audit opinions

Our work is based on using a variety of audit techniques to test the operation of systems. This may include sampling and data analysis of wider populations. It cannot guarantee the elimination of fraud or error. Our opinion relates only to the objectives set out in the audit scope and is based on risks related to those objectives that we identify at the time of the audit.
 

Opinion | Assessment of internal control
Substantial assurance | A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.
Reasonable assurance | There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.
Limited assurance | Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.
No assurance | Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.

Priorities for actions

Priority 1 | A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management.
Priority 2 | A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.
Priority 3 | The system objectives are not exposed to significant risk, but the issue merits attention by management.

 



[1] The two completed Pension Fund audits are reported separately to the Pension Board and are not summarised in Appendix C.

[2] PSIAS guidance suggests a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ is the top rating.