The CAE should continue to develop a proportionate, formal approach to assurance mapping, coordination and where appropriate, reliance, to enhance the function’s risk-based planning, delivery and the effectiveness of assurance provided to key stakeholders.

Agreed – we will develop our approach to assurance mapping and working with other internal and external assurance provision. The approach will be flexible to reflect the different sectors and clients we provide internal audit services to.

Target implementation date
31 March 2024

Audit

Status

Liquidlogic (adult social care system)

Draft Report issued

Information security incident – adult social care system (Liquid Logic and ControCC)

Draft Report issued

Highways performance management

Draft Report issued

Payroll

Draft Report issued

General ledger – various

In progress

Creditors – various

In progress

Sundry debtors and debt recovery

In progress

Income collection and receipting

In progress

Revenues

In progress

Housing benefits

In progress

Budget monitoring

In progress

Governance arrangements

In progress

Health and safety

In progress

Highways Ringway contract demobilisation

In progress

Housing stock conditions surveys

In progress

Housing rents

In progress

Yorwaste performance management

In progress

Schools Themed Audits – Business Continuity

In progress

Childrens direct payments

In progress

Early years payments

In progress

Aftercare services for mental health (s117)

In progress

Court of Protection

In progress

Care home providers

In progress

IT access controls

In progress

Main accounting

June 2023

Substantial Assurance

Developing stronger families

June 2023

No opinion given

Creditors

July 2023

Substantial Assurance

Fairburn CP School

July 2023

No opinion given

Pension fund – investments

August 2023

Substantial Assurance

Schools themed audits - schools ICT

September 2023

Limited Assurance

Pension fund - income

September 2023

Reasonable Assurance

Schools themed audits - related party transactions

October 2023

Reasonable Assurance

Debtors

October 2023

Reasonable Assurance

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

·        Certification of a number of returns, including the LEP Growth Hub Grant Fund, local transport grant, bus subsidy operators grant, education skills funding agency sub-contracting, home upgrade grant and changing places fund

·        Direct support for the NYC finance function

Strategic and Corporate risks

Council plan and performance

ü

ü

Council transformation plans

ü

ü

Budget management, monitoring and reporting

ü

Governance

ü

Information governance

Information security incident reviews

ü

ü

ü

Records management

ü

Council complaints

ü

Risk management

ü

Climate change

ü

Health and safety

ü

Asset management

ü

Procurement

ü

ü

Contract management

ü

ü

ü

Business continuity

ü

Partnerships

ü

Staff registers of interests

ü

Council companies and other commercial operations

ü

Combined authority and devolution

ü

Transparency code

ü

CIPFA financial management code

ü

Technical / Project Risks

Support and advice for council and service transformation

ü

ü

ü

Involvement in specific service areas developments

ü

ü

ü

Project advice / implementation

ü

ü

ü

ICT governance

ü

ICT access controls

ü

ICT change management

ü

ICT disaster recovery

ü

ICT other work

ü

Financial Systems

Main accounting system

ü

ü

ü

Creditor payments

ü

ü

ü

Sundry debtors, including debt recovery

ü

ü

ü

Payroll

ü

Income collection and receipting

ü

Treasury management

ü

Revenues

ü

ü

ü

Benefits

ü

ü

ü

Rents

ü

ü

ü

Service Area Related

Community infrastructure levy and s106 agreements

ü

Other planning areas

ü

Housing stock condition surveys

ü

Homelessness

ü

Economic development

ü

Community Development income controls

ü

Licensing

ü

Waste

ü

Highways performance management

ü

Developing stronger families

ü

ü

Children’s direct payments

ü

Children leaving care

ü

Special educational needs

ü

Early years payments

ü

Maintained schools

ü

ü

ü

Schools themed audits

ü

ü

ü

Schools financial value standard

ü

Adult learning

ü

Visits to care providers

ü

ü

ü

Aftercare services for mental health (s117)

ü

Scheme of delegation

ü

Social care financial assessments

ü

Adults’ direct payments

ü

Court of Protection

ü

Payment to care providers – provider portal

ü

ü

Liberty protection safeguards

ü

Continuing healthcare (adults)

ü

Public health

ü

Pensions Fund

Pensions expenditure

ü

Pensions income

ü

Pensions investments

ü

Attendance at pensions board

ü

ü

ü

Other assurance work

Follow-up of previously agreed management actions

ü

ü

ü

Gaining understanding on the evolving systems and processes at the new council

ü

ü

ü

Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control

ü

ü

ü

Continuous assurance work, including data analytics and data matching projects

ü

ü

ü

Attendance at, and contribution to, governance- and assurance-related working groups

ü

ü

ü

Main Accounting System

Substantial Assurance

The council uses Oracle Financials as its main accounting system. We reviewed the system during 2022/23 to ensure:

·         User access was appropriate for users to prevent unauthorised system changes

·         Accounting journals were appropriately authorised

·         Suspense accounts were monitored and cleared regularly

·         Bank reconciliations were undertaken regularly and appropriately authorised and retained.

June 2023

The system prevents access from anyone who has not used Oracle for 8 weeks. Systems support also perform an annual check by providing managers with details of who has access to systems and whether continued access is required. From our sample review all employees had appropriate user access considering the role they were working in.

All journals sampled were in the required format and were input and posted by the same employee. Council policy is for journals not to be checked or authorised before posting. Officers explained that due to the high volume of journals and limited resources it was not practical, and this has been subject to discussion with external audit. Management was satisfied with the controls in place and rely upon the budget monitoring framework and formal quarterly performance reporting to identify any material issues.

Suspense accounts were monitored and cleared on a regular basis.

From the three reconciliations reviewed, all had been reconciled but only one showed evidence of review and approval.

1 x Priority 3 action was agreed.

Responsible Officer(s):

Senior Accountant Corporate Finance and systems.

Evidence of review and approval retrospectively documented.

Action completed.

Developing stronger families
(June 2023)

No opinion

The Developing Stronger Families return is an established funding requiring regular auditing.

June 2023

The sample tested was found to be accurate and suitable evidence was identified to substantiate the inclusion of each individual case checked.

No management actions.

Creditors

Substantial Assurance

We reviewed the arrangements in place to ensure that:

·         orders are authorised and goods and services received in line with Council policies and procedures

·         invoices are paid in line with defined timescales

·         duplicate payment of invoices is prevented

·         checks are conducted when a supplier requests to change bank details.

July 2023

P2P orders were raised in compliance with the ‘no purchase order, no pay’ policy.

Many manual orders do not go through the centralised ordering process, with services areas raising their own orders, and then sending the invoices and coding blocks to the Accounts Payable (AP) team for payment. Sample testing noted some instances of improvement in the completion of these orders. There were also some cases where the officer coding the expenditure did not have sight of evidence that good receipt checks had been conducted.

Daily duplicate checks are carried out through AP forensics to identify any true duplicates. Our data analysis covering 9 months of 2022/23 payments confirmed no true duplicate payments had occurred.

Procedures are in place to help ensure the appropriate checks are completed when a supplier requests to change bank details. From our sample reviewed, some improvements can be made to the completion of the necessary paperwork.

5 x Priority 3 actions were agreed.

Responsible Officer(s):

Business Support Manager.

Manual purchase order guidance was to be issued to all services using manual orders by 30 September 2023.

The Council will ‘on board’ more services to use the iProc P2P system. This will be restarted following the finance restructuring and is planned to be completed by 31 December 2023.

New supplier checking paperwork was developed as part of the LGR process and was rolled out on 1st April.

Incomplete forms to be returned to service for completion. AP team are not to process any incomplete forms. The payments team within Exchequer to flag if incomplete forms found to have been processed.

Fairburn CP School

No opinion given

The purpose of the work was to provide assurance to NYC management, Governors and the Headteacher that:

·         effective governance arrangements were in place at the school

·         recruitment, payroll and staffing processes were carried out appropriately

·         procurement activities were performed appropriately

·         the budget was reported and reviewed by Governors on a regular basis.

July 2023

Work identified a number of issues and weaknesses. 

The school has been in a deficit position since 2018 and appeared to be making financial decisions to incur additional expenditure that may not be essential without evidence of appropriate challenge from governors.

There was a lack of evidence of approval for the appointment of a school governor to a paid position.

By ordering online, using Barclaycard and Amazon, and reimbursing staff directly, the school was circumventing normal purchasing arrangements, and the approval of purchases occurs retrospectively. These purchasing methods are used frequently and appear to be used on occasions where normal purchasing methods could be used.

The frequency of applications for cash advances suggests the school does not have adequate financial planning in place to mitigate those occasions when additional monthly expenditure is incurred.

1 x Priority 2 and 5 x Priority 3 actions were agreed.

Responsible Officer(s):

Headteacher, Governors and Full Governing Body.

All but one action was completed prior to the final report being issued.

A best value book will be completed for every purchase over £100 and every 10th purchase. The finance committee will monitor, record and report to full governor meetings to ensure best value is being achieved.

The Barclaycard statement will be reviewed, and each finance meeting will challenge any relevant purchases. 

A cash flow system has been implemented.

Skills audit tool has been sent to all governors.

Schools Themed Audits - Schools ICT

Limited Assurance

In recent years there has been a steadily increasing number of high-profile cybersecurity incidents targeting schools.

We reviewed IT security and managed service provider governance arrangements within maintained schools to ensure that:

·         IT security governance, risk management and external assurance arrangements are in place

·         IT assets are managed and appropriate logical access controls are required

·         networks, servers and firewalls are appropriately configured, patched and maintained

·         suitable policies and procedures are in place to enable data recovery and respond to cyber incidents

·         governors, staff and pupils regularly receive appropriate cybersecurity training.

September 2023

Adequate oversight of managed IT service providers is not always being exercised. Governor and senior management responsibilities for overseeing IT outsourcing were often not defined and the risks from outsourcing not regularly assessed. 

IT-specific disaster recovery plans were not always in place. Of the ten schools sampled, seven had no plans in place. Of the three which did, only one had tested the plan.

Whilst all schools sampled confirmed backups were taken, the extent to which these met best practise varied. Only three of the ten schools sampled met best practice rules for backups, and only two had tested the restorability of the data. 

Staff and Governors did not always receive suitable cybersecurity training. Four schools had not offered any cyber security training to staff or governors. Only one school was following recommended Department for Education best practice to provide annual NCSC cyber security training to all staff and governors.  In the event of a claim under the Risk Protection Arrangement (RPA), the school will have to demonstrate evidence of the training being undertaken.

5 x Priority 2 actions was agreed.

Responsible Officer:

Head of Finance - Schools & Early Years & High Needs.

All actions have a deadline of 31 March 2024 for completion.

The findings from the audit and new resources to support schools in managing IT security will be communicated to schools via Headteacher briefings, Governor network meetings and School Admin & Finance Conferences.

The NYES training offer and free audit on cyber-security and IT disaster recovery arrangements will be promoted.

A review of the RPA terms and implications for schools in terms of IT security actions will be undertaken. Schools will be reminded of the actions required to be in place in order to comply with the insurance cover requirements.

Related Party Transactions (Schools Themed Audit)

Reasonable Assurance

The Department for Education requires all maintained schools to submit details of any related party transactions (RPT’s) alongside their annual School Financial Value Standard submissions. North Yorkshire Council has issued its maintained schools with best practice guidance and created a termly return cycle to support and monitor these types of transactions.

We reviewed a sample of 12 schools’ arrangements to ensure that:

·         declarations of interest are managed appropriately and remain up to date

·         best value exercises are undertaken, prior to entering into a RPT

·         appropriate approval is sought from the governing body

·         where competitive tendering cannot be undertaken, best value forms were completed.

·         contracts and agreements, with RPTs, are managed appropriately and insurance obtained where necessary.

October 2023

All 12 schools had disclosed RPTs in the last two years. Most schools sampled generally managed declarations of interest well and these were mostly up to date for governors and staff with key financial responsibility.

However, some schools have not been consistent in identifying related party transactions. Some transactions were identified which should have been categorised as related party transactions.

Best value exercises are not always being undertaken to compare best value between the related party and alternative suppliers. Where direct awards have been made to a related party, the best value form, supplied by the Council, is not always being sufficiently completed to support the decision.

Governing body approval is not always being obtained in accordance with the Council’s guidance. Those with related party connections are often involved in the authorisation of payment.

Public liability insurance is not being sought consistently from related parties undertaking works on school premises.

2 x Priority 2 and 2 x Priority 3 actions were agreed.

Responsible Officer:

Head of Finance – Schools & Early Years & High Needs.

The Council’s Related Party Transactions Best Practice Guidance will be updated to reflect the findings of the audit work.

A briefing note will be provided to schools on the findings from the audit and a reminder of the associated process requirements.

Schools will be reminded at the Autumn 2023 term School Admin & Finance Conference of the requirement to identify and categorise related party transactions.

All actions are planned to be completed by 31 October 2023.

Sundry Debtors

Reasonable Assurance

We reviewed the council’s arrangements in respect of:

·         the raising of invoices

·         reconciliation of income

·         debt management and write-off procedures.

October 2023

The Council has processes in place for raising invoices. Testing found invoices were accurate and were suitably detailed.

A number of manual processes continue to exist including the issuing of payment reminders. Debt reports also have to be compiled manually by pulling information from different systems.

Management information showing the break down debts for service areas and for those tass managing debt needs to be improved.

Management of some debts has been delayed and recovery action is not always being taken promptly.

There is no target in place for the time between service delivery date and an invoice being raised. Invoices do not always provide a date of service delivery and not all invoices were raised in a timely manner.

The impact of Local Government Reorganisation impacted significantly on the ability of relevant officers to progress some of the known weaknesses in the debtors’ system.

1 x Priority 2 and 3 x Priority 3 actions was agreed.

Responsible Officer(s):

Credit Control Manager, AR invoice raising teams, and service departments.

Improved systems reporting is ongoing. A new dashboard has been developed which will allow service departments to review their debt by cost centre. This will be rolled out to the service areas.

Automation of Reminder Letters and AR Reporting will be undertaken.

Work is also ongoing with those service areas generating high volumes of invoicing to develop a more coordinated approach to debt recovery.

All actions are due to be completed by 31 December 2023.

Priorities for actions

Priority 1

A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management

Priority 2

A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.

Priority 3

The system objectives are not exposed to significant risk, but the issue merits attention by management.