Date: 23 September 2024
Annex 1
Internal Audit Progress Report 2024/25

CONTENTS

Background

Internal audit progress

Follow up of agreed actions

Appendix A: Internal audit work in 2024/25

Appendix B: Summary of key issues from audits finalised since the last report to the Committee

Appendix C: Current priorities for internal audit work

Appendix D: Audit opinions and priorities for actions


Background

1            Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

2            The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Public Sector Internal Audit Standards (PSIAS), CIPFA guidance on the application of those standards in Local Government and the CIPFA Statement on the role of the Head of Internal Audit.

3            In accordance with the PSIAS, the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit Committee, and to identify any emerging issues which need to be brought to the attention of the committee. 

4            The internal audit work programme was agreed by this committee in June 2024. The plan is flexible in nature and work is kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.

5            The purpose of this report is to update the committee on internal audit activity up to 31 August 2024.


Internal audit progress

6            A summary of specific internal audit reviews currently underway, as well as work finalised in the year to date, is included in appendix A. Appendix A also shows the range of other work completed by internal audit during the year.

7            Five audits have been finalised since the last report to this committee in June. Further information on these audits is included in appendix B. The appendix summarises the key findings from these audits, and includes actions agreed with officers to address identified control weaknesses.  A further three audits are currently at the draft report stage.

8            Twelve audits are currently in progress. Approximately half of these audits are nearing the final stages of fieldwork. We are currently planning a further sixteen assignments.  

9            The work programme showing current priorities for internal audit work is included in appendix C, where we categorise audits as ‘do now’, ‘do next’ and ‘do later’. These timescales are subject to change and work priorities may also change during the year depending on the ongoing consideration of risk.

10        Appendix D lists our current definitions for action priorities and overall assurance levels.


Follow up of agreed actions

11        All actions agreed with services as a result of internal audit work are followed up after the agreed implementation deadline to ensure that the identified issues have been addressed.

12        The dates for completion of agreed actions are included, where appropriate, as part of Appendix C reporting. In some instances, ongoing internal audit work in the same area will pick up the progress being made.

13        We currently have no matters to report to the committee as a result of our follow up work.


Professional standards

14        The PSIAS are based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF). New IIA professional standards were published in January 2024 and will apply from 9 January 2025. The UK Public Sector Internal Audit Standards Advisory Board (IASAB) is currently reviewing the implications for the PSIAS. Any subsequent changes to the UK’s PSIAS will be subject to consultation and will apply from 1 April 2025.

15        In July 2024, CIPFA announced that they plan to introduce a code of practice for the governance of internal audit. The code will apply to all principal authorities in UK local government and is complementary to CIPFA’s ongoing work to update the current Public Sector Internal Audit Standards.

16        Subject to consultation, it is proposed that both the new standards and the code will be effective from 1 April 2025.


 

APPENDIX A: Internal audit work in 2024/25

Audits in progress

| Audit | Status |
|---|---|
| ICT governance | Draft report issued |
| Early years payments | Draft report issued |
| Scarborough waterpark | Draft report issued |
| ICT access controls | Draft report issued |
| Claro Road depot | Fieldwork close to completion |
| Children leaving care | Fieldwork close to completion |
| Governance arrangements (constitution, schemes of delegation, decision making and call-in arrangements) | Fieldwork close to completion |
| HAS personal bank accounts | Fieldwork close to completion |
| Schools themed audit – purchasing | Fieldwork in progress |
| Schools themed audit – ring fenced funding | Fieldwork in progress |
| Transformation governance | Fieldwork in progress |
| Power of Attorney and Court of Protection | Fieldwork in progress |
| Climate change | Fieldwork in progress |
| Purchasing Cards | Fieldwork in progress |
| Procurement Act – preparedness assessment | Fieldwork in progress |
| ICT asset management | Planning |
| HAS financial assessments | Planning |
| Liberty Protection Safeguards | Planning |
| Adult safeguarding | Planning |
| Adult direct payments | Planning |
| Business continuity | Planning |
| Project management | Planning |
| Performance management | Planning |
| Customer complaints | Planning |
| Harbours | Planning |
| Contract management - Unaccompanied asylum-seeking children | Planning |
| Payroll | Planning |
| Bank reconciliations and bank accounts | Planning |
| Creditors | Planning |
| Cash handling | Planning |
| Housing rents | Planning |

 

Final reports issued

| Audit | Reported to Committee | Opinion |
|---|---|---|
| Schools themed audit – Business Continuity | September 2024 | Limited Assurance |
| CCTV office review | September 2024 | Reasonable Assurance |
| Revenue budget monitoring | September 2024 | Reasonable Assurance |
| Housing rents | September 2024 | Reasonable Assurance |
| Contract management - waivers | September 2024 | Reasonable Assurance |
| ICT governance | September 2024 | Reasonable Assurance |

 

Other work completed in 2024/25

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

·         Follow up of agreed actions

·         Grant certification work:

*      Local Enterprise Partnership (LEP) growth hub

*      Bus subsidy operators grant

*      Heritage Action Zone - Selby

*      Supporting Families Programme

·         Consultative engagements:

*      Data cleansing of feeder information to support the new general ledger project

*      Grant schemes including UK shared prosperity fund,

·         Completing financial appraisals

·         Certifying Scarborough and Harrogate Charter Trustee annual returns

·         Completion of specific maintained schools review and follow up of previously agreed actions.

·         Additional assurance gathering to inform our opinion

*      Updating our knowledge on the control and risk management arrangements of the council within the 11 key areas for our annual opinion. This includes targeted reviews covering areas such as performance and property asset management.

 


APPENDIX B: Summary of key issues from audits finalised since the previous committee

Schools Themed Audit – Business Continuity

Opinion: Limited Assurance

Area reviewed:

We reviewed the arrangements in place at 12 maintained schools to ensure:

·         a clear and up to date business continuity and ICT disaster recovery plan was in place to minimise potential service disruption

·         business impact assessments were complete and up to date, with critical functions identified and prioritised

Date issued: June 2024

Comments:

Half of the schools sampled either did not have a business continuity plan, or plans were out of date/contained out of date information. Some schools referenced informal arrangements with a local town hall or school, but these were not formalised or documented.

Over half of the schools did not have an ICT disaster recovery plan. Many schools were unclear as to the incident response arrangements in place with their managed service provider.

The majority of schools had not completed a business impact assessment and were not able to evidence that they were testing business continuity and ICT disaster recovery plans.

Only half of the schools were able to confirm back-ups were taken by their nominated ICT back up service provider, and could provide evidence of this, including a back-up schedule. For the remaining schools, back-up arrangements were not confirmed.

Management actions agreed:

5 x Priority 2 actions and 1 x Priority 3 action were agreed.

Responsible Officer: Assistant Director, Education and Skills

It is the responsibility of schools to ensure plans are in place and tested. Maintained schools provide annual assurance on plans to the council through the Health and Safety Process. Officers will review the uptake of schools providing assurance they have completed their plan.

Resilience and Emergencies have offered briefing events to Head Teachers and School Business Managers to support with testing plans.

Date for completion of all actions is 31 March 2025.

Closed Circuit Television (CCTV)

Opinion: Reasonable Assurance

Area reviewed:

The council operates public space surveillance systems in North Yorkshire. We visited one of the operations hubs to assess compliance and support improvement.

We reviewed whether:

·         effective mechanisms were in place to ensure key legal and regulatory requirements were being followed

·         staff were aware of their responsibilities and appropriate training had been delivered

·         effective operational and security arrangements were in place for staff, buildings and assets

Date issued: July 2024

Comments:

Some documentation and key procedures contained out of date information and were due for review.

Release, retention and deletion of footage was not always in line with UK GDPR requirements.

Improvements could be made to ensure the accurate recording of incidents in the electronic management log/shift report.

Records and observation totals were not accurately or consistently recorded in the electronic management log, meaning that statistical data was not accurate and could not be relied upon for performance monitoring.

Staff training and licence records were incomplete.

Entry to the control room was controlled by electronic access and keys. However, arrangements for non-staff entry into the control room were not always being complied with.

Management actions agreed:

3 x Priority 2 actions and 5 x Priority 3 actions were agreed.

Responsible Officer: Head of Community Safety and CCTV

Procedures will be reinforced regarding retention and collection of footage. The retention and deletion of emails will be discussed with the Data Governance team.

Procedures for non-staff entry into the control room will be followed.

All priority 2 actions will be completed by 30 September 2024. All other actions will be completed by 31 December 2024.

Revenue Budget Monitoring

Opinion: Reasonable Assurance

Area reviewed:

We reviewed the arrangements in place to ensure that:

·         budget managers are receiving appropriate, timely and useful budget monitoring information and support from the finance team

·         budget managers understand the monitoring reports and suitable training is provided. Responsibilities are defined and understood

·         significant variances are identified, examined, and challenged throughout the organisation, with appropriate remedial action taken to minimise over- or underspend

Date issued: July 2024

Comments:

Budget managers were receiving appropriate, timely and useful budget monitoring information. Arrangements in the first year involved mainly accessing and using Oracle Financials and Oracle Planning and Budgeting Cloud Services. As arrangements in the Community Development were not set up within Oracle, they instead used monthly monitoring spreadsheets provided by Strategic Finance.

Our testing of budget monitoring information for three directorates confirmed the logic and calculations were working as intended, thereby providing the correct information to the relevant budget managers.

Some cost centres had not been mapped correctly to those with operational responsibility for budgets.

Budget managers' roles and responsibilities are defined in the Council’s constitution, and this is supplemented by detailed guidance available on the Council intranet. In addition to the support provided by finance officers, training is also provided to budget managers on budget forecasting and using Oracle.

Management actions agreed:

1x Priority 2 & 1x Priority 3 action were agreed.

Responsible officer(s): Assistant Director Resources

Work to consolidate budgets alongside organisational restructures was ongoing throughout the year and the majority of budgets had been consolidated by the completion of the audit. Progress is being tracked as part of the wider transformation programme.

Actions to address the two findings have been completed.

Housing Rents

Opinion: Reasonable Assurance

Area reviewed:

The council has three areas (Harrogate, Richmondshire and Selby) with housing stock and these are using the legacy rents systems transferred as part of LGR. We reviewed the arrangements in place to ensure that:

·         rents are appropriately calculated and correctly recorded and accounted for

·         tenants are correctly billed for rent due

·         rent arrears are subject to appropriate recovery action

Two of the three areas were reviewed as part of this audit. The remaining area will be included in planned 2024/25 work.

Date issued: August 2024

Comments:

The annual rent review is calculated for each property type by the respective finance teams. Processes in place in the two areas reviewed were found to be well controlled and the 2024/25 uplift calculations appropriately applied.

Robust systems are in place to ensure that expected rent is calculated and reconciled frequently to rent due in the two areas we tested. Likewise in the two areas tested, we found signed tenancy agreements that set out the agreed rent level were retained.

A review of the reconciliations undertaken for rent payments received and recorded on the finance management system compared to the housing rents system found these to be effective. Any variances which are identified are quickly resolved in the two areas we tested.

Established procedures are in place for monitoring and chasing overdue rent payments.

Management actions agreed:

No management actions.

Contract management - waivers

Opinion: Reasonable Assurance

Area reviewed:

Procurement and Contract Procedure Rules (PCPRs) are set out in the council’s Constitution. Where a service is unable to comply in full with the PCPRs, an exemption (‘waiver’) may be permitted where certain criteria are met.

We reviewed the arrangements in place that ensure:

·         exemptions are monitored and appropriate records are maintained

·         waiver and exemption requests are completed and authorised in line with relevant rules

·         best value forms are completed and authorised appropriately.

The audit included testing of new council exemptions and a sample of pre-1 April 2023 former council exemptions.

Date issued: August 2024

Comments:

Registers of contract waivers, director recommendations, and best value forms are kept by the Procurement and Contract Management service (PCMS). Compliance with PCPRs is monitored and reviewed by the PCMS to confirm forms have been completed and the correct authorisation obtained.

Sample testing of waivers and director recommendations confirmed applications were appropriately completed.

We found that there were inconsistencies in the completion of fields including contract dates and supplier names.

A register is maintained for all contracts with an aggregate value of £25k or more, and director recommendations and waivers awarded for contracts over £30k must be published on Contracts Finder. We found a number of omissions from both the register and Contracts Finder.

Information relating to two legacy council pre LGR exemptions could not be provided.

Management actions agreed:

2x Priority 2 & 1x Priority 3 actions were agreed.

Responsible officer(s): Head of Procurement and Contract Management.

Senior Commercial Managers (who oversee the processes covered by the audit) will have all audit findings shared and discussed with them.

Missing entries will be added to Contracts Finder.

Quarterly performance on compliance with publication will be monitored as part of PCMS management meetings.

ICT governance

Opinion: Reasonable Assurance

Area reviewed:

ICT governance is a key element of the wider council’s corporate governance framework.

We reviewed whether:

·         the Technology directorate had appropriate structures in place that included clear lines of reporting and role responsibility

·         the Technology directorate monitor and report the performance of their functions

·         risks are identified, monitored and actions implemented to ensure risks are kept within the council’s risk tolerance

·         the Technology directorate had up-to-date policies in place to direct working practices

Comments:

Individual officers had clear roles and responsibilities. Processes are also in place to ensure work was monitored and reviewed to meet the needs of stakeholders.

A suite of policies is in place that covered all the areas of required best practice (ISO 20000 and 27001).

However, there is currently no overall IT strategy and not all teams within the directorate have a strategy/service plan in place.

There is no formal process for determining the priority of projects within the Technology directorate.

The technology directorate had clear KPIs for front-line IT services. However, KPIs were not in place for all teams.

Risks were clearly documented; however, some risks were not reviewed within the required timescales.

Management actions agreed:

2x Priority 2 & 2x Priority 3 actions proposed. No management response received.

Responsible officer(s): N/A



APPENDIX C: Current priorities for Internal Audit work

| Audit | Timing: Do now | Timing: Do next | Timing: Do later |
|---|---|---|---|
| Strategic and Corporate risks | | | |
| Council transformation plans and savings programme | ✓ | ✓ | ✓ |
| Revenue budget setting, monitoring and management | | ✓ | |
| Capital budget management | ✓ | | |
| Governance | ✓ | | ✓ |
| Information security incident reviews and support | | | ✓ |
| Records management | | ✓ | |
| Risk management | | ✓ | |
| Property asset management | | ✓ | |
| Procurement Act – preparedness assessment | ✓ | | |
| Procurement – specific reviews | | ✓ | ✓ |
| Contract management – specific reviews | ✓ | ✓ | ✓ |
| Business continuity | ✓ | | |
| Climate change | ✓ | | |
| Health and safety | | ✓ | |
| Partnership working and governance | | ✓ | |
| Performance management framework | ✓ | | ✓ |
| Project management arrangements | ✓ | | |
| Management of external funding | | ✓ | |
| Council companies and other commercial operations | | ✓ | |
| Agency staff and consultants | | | ✓ |
| Complaints | ✓ | | |
| Technical / Project Risks | | | |
| Support and advice for council and service transformation | ✓ | ✓ | ✓ |
| Involvement in specific service areas developments | ✓ | ✓ | ✓ |
| Project advice / implementation and support | ✓ | ✓ | ✓ |
| ICT disaster recovery and incident management | ✓ | | |
| ICT cyber security | ✓ | ✓ | |
| ICT asset management | ✓ | | |
| IT information security operations centres | | ✓ | |
| ICT applications – including Highways Aurora System | | | ✓ |
| Financial Systems | | | |
| Main accounting system | ✓ | ✓ | ✓ |
| Creditor payments | ✓ | ✓ | ✓ |
| Purchase cards | ✓ | | |
| Sundry debtors, including debt recovery | | ✓ | |
| Payroll | ✓ | | |
| Income collection and management | | ✓ | |
| Revenues | ✓ | | ✓ |
| Benefits | ✓ | | ✓ |
| Housing rents | ✓ | | ✓ |
| Service Area Related | | | |
| Locality working | | | ✓ |
| Community infrastructure levy and s106 agreements | | ✓ | |
| Planning systems | | ✓ | |
| Housing regulation | | ✓ | |
| Council house stock and repairs | | ✓ | |
| Homelessness | | | ✓ |
| Leisure – cash handling procedures | ✓ | | |
| Economic development | | | ✓ |
| Harbours | ✓ | | |
| Licensing | | | ✓ |
| Car Parking | | ✓ | |
| Highways | | ✓ | |
| CCTV | ✓ | | |
| Developing stronger families | ✓ | | ✓ |
| Special educational needs – transition planning | ✓ | ✓ | |
| Early years funding expansion | | ✓ | ✓ |
| Maintained school’s visits | ✓ | ✓ | ✓ |
| Schools themed audits | ✓ | ✓ | ✓ |
| Schools financial value standard | | | ✓ |
| Home to school transport | ✓ | | |
| Social care provider visits | | ✓ | |
| Social care financial assessments | ✓ | | |
| Safeguarding | ✓ | | |
| Power of Attorney and Court of Protection | ✓ | | |
| Payment to care providers (Provider Portal) | | ✓ | |
| Liberty protection safeguards | ✓ | | |
| Continuing Healthcare | | ✓ | |
| Public health | | ✓ | |
| Pensions Fund | | | |
| Pensions expenditure | ✓ | | |
| Pensions income | | ✓ | |
| Pensions investments | | ✓ | |
| Attendance at pensions board | ✓ | ✓ | ✓ |
| Other assurance work | | | |
| Follow-up of previously agreed management actions | ✓ | ✓ | ✓ |
| Gaining understanding on the evolving systems and processes at the new council | ✓ | ✓ | ✓ |
| Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control | ✓ | ✓ | ✓ |
| Continuous assurance work, including data analytics and data matching projects | ✓ | ✓ | ✓ |
| Attendance at, and contribution to, governance- and assurance-related working groups | ✓ | ✓ | ✓ |

 


 


APPENDIX D: Audit opinions and priorities for actions

Audit opinions

Our work is based on using audit techniques to test the operation of systems. This may include sampling and data analysis of wider populations. It cannot guarantee the elimination of fraud or error. Our opinion relates only to the objectives set out in the audit scope and is based on risks related to those objectives that we identify at the time of the audit.

| Opinion | Assessment of internal control |
|---|---|
| Substantial assurance | A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited. |
| Reasonable assurance | There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited. |
| Limited assurance | Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited. |
| No assurance | Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited. |

Priorities for actions

Priority 1: A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management.

Priority 2: A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.

Priority 3: The system objectives are not exposed to significant risk, but the issue merits attention by management.