To seek the approval of the Audit Committee for the 2021/22 Internal Audit Plan.
There was submitted a report by the Council’s Internal Audit Manager (A.1) which sought the Committee’s approval for the Internal Audit Plan for 2021/22. The Draft Internal Audit Plan was before the Committee as an Appendix A to that report.
The Committee was reminded that Public Sector Internal Audit Standards required that the Internal Audit Manager -
It was reported that the 2021/22 Internal Audit Plan had been developed using a risk based approach, taking into account the Council’s Corporate Objectives, Corporate Risks and Emerging Risks. A Risk Assessment process had also been undertaken on all auditable areas (the “Audit Universe”) of the Council in order to enable the Internal Audit Manager to provide an opinion on the effectiveness of governance, risk management and internal control processes within the organisation and provide reasonable assurance to the Audit Committee.
Members were informed that existing knowledge of the auditable areas and historical data on operational processes within each service area had allowed for a practical assessment on whether a full audit, a leaner audit or a more balanced approach was required. Every audit within the Plan would include a section on the impact of COVID-19 on the service area rather than have a separate audit covering the entire organisation. In this way Officers could continually monitor the impact throughout the year and provide a more detailed level of assurance overall.
The Committee was made aware that discussions had been held with Management Team members individually and collectively. The feedback from Management Team had been taken into account and incorporated within the Plan presented to the Committee. The Committee now had the opportunity to input into the draft plan.
Members were reminded that the establishment for the Internal Audit function was currently 3.6 fte, however it had not operated at this level for some time. As reported previously two members of the Internal Audit Team had left the organisation leaving 3 fte currently working within the team. The Internal Audit Team had worked hard to deliver the 2019/20 audit plan whilst holding vacancies. Due to the organisation moving towards digitalisation and the Internal Audit Team already working paperless this had allowed the Team to stream line its processes and work smarter by targeting its resources and undertake 100% sample testing due to the availability of electronic data. It was therefore proposed that the Internal Audit Team remained with 3 fte whilst retaining the current budget to commission support from a third party for specialist audit days when needed.
The Committee was informed that the proposed Annual Audit Plan had been developed based on the current resource establishment and by using the Team’s adaptation to new innovative techniques and leaner ways of working. The number of audit days proposed was 450 which remained unchanged from the 2020/21 Audit Plan. The Plan had been created with the following in mind:-
· A leaner more practical audit plan had been developed using a risk based approach, knowledge of all operational processes within service areas, historical assurance opinions and an understanding of where procedural changes had occurred around the Council;
· A hybrid structure of both internal and external resource would provide additional resilience within the team as well as provide different experience, skills transfer for more junior staff and access to a hub of audit resource; and
· The impact of COVID-19 would be assessed within all auditable areas identified to ensure a consistent level of assurance could be provided.
The Committee was advised that the Plan would be kept under review during the year, in consultation with the Council’s senior management, and taking account of changes to the Council’s priorities, operations and risk. Changes to the Plan would be brought to the attention of the Committee for its approval.
The Committee also received the following update on progress made since the previous meeting of the Committee on the following completed audit:-
GDPR – Data Sharing Agreements
This audit was now completed and had received an overall audit opinion of Adequate Assurance. There had been one significant recommendation raised during the audit meeting the requirements to be reported to the Audit Committee, namely:-
Out of date Data Protection Policy
The current Data Protection Policy could be viewed as ‘Out of Date’ as it had originally been written in May 2018 as a response to GDPR, and it was intended that it be reviewed annually. As well as questions whether the Policy reflected current GDPR regulations and best practice since the implementation of the Act, it was considered to be beneficial to enhance or support the section on Information Sharing Agreements (ISA) or Data Sharing Agreements (DSA)
That the DPO would record all reviews of the Data Protection Policy in the amendment history on page 2 of that policy. A formal review would be undertaken every two years or as required due to a known requirement. A review would also be undertaken of the policy in line with the findings of the audit.
Following discussion, it was moved by Councillor Steady, seconded by Councillor Alexander and:-
RESOLVED that –
(a) subject to the minor textual additions put forward by the Chairman of the Committee at the meeting, the Internal Audit Plan for 2021/22 be approved; and
(b) that the existing arrangements for updating the Plan during the year, where necessary to reflect changing Authority activity and operational needs and to provide flexibility of service delivery, be continued, with significant amendments reported to the Committee as part of the periodic Internal Audit reporting arrangements.