Agenda item

To provide the Committee with a periodic report on the Internal Audit function for the period March 2023 – May 2023, as required by the professional standards.

 

 

The Committee  was provided with a periodic report on the Internal Audit function for the period March 2023 – May 2023 and the Internal Audit Manager’s Annual Report for 2022/23 as required by the professional standards.

 

This report was split into three sections:

 

1)         Internal Audit Plan Progress 2022/23

 

2)         Annual Report of Internal Audit Manager

 

3)         Internal Audit Plan Progress 2023/24

 

 Members heard how the Public Sector Internal Audit Standards (PSIAS) required the Chief Internal Auditor (Internal Audit Manager) to make arrangements for reporting to senior management (Management Team) and to the board (Audit Committee) during the course of the year, and for producing an annual Internal Audit opinion and report that  could be used to inform the Annual Governance Statement.

 

The Accounts and Audit Regulations 2015 required that: “a relevant authority must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance”.

 

In respect of the Internal Audit Plan the  PSIAS required the Internal Audit Manager to: -

 

• Establish a risk based Internal Audit Plan, at least annually, to determine the priorities of the Internal Audit function, consistent with the Council’s goals.

 

• Had in place a mechanism to review and adjust the plan, as necessary, in response to changes to the Council’s business, risks, operations, programmes, systems and controls.

 

• Produces a plan that takes into account the need to produce an annual Internal Audit opinion.

 

• Considers the input of senior management and the Audit Committee in producing the plan.

 

• Assesses the Internal Audit resource requirements.

 

It was reported to the Committee that all expected audits for the 2022/23 Internal Audit Plan had been completed. A total number of eight audits  had been completed during April 2023 to May 2023. Two audits in that period had received an overall opinion of ‘Improvement Required’ (Housing Repairs and Maintenance and Housing Allocations) with the other six receiving satisfactory assurance opinions with no significant issues being identified. The audits receiving an overall opinion of ‘Adequate’ or ‘Substantial’ in that period were Risk Management, Health and Safety, Recycling and Waste, IT Governance, Freedom of Information / Subject Access Requests and Procurement. Internal Audit continued to provide advice on internal control, risk management and governance arrangements on a consultative basis.

 

All audits completed in the year had been assessed against the following risk:-

 

“The department has not managed or adapted to post Covid-19 working arrangements therefore current processes do not align with service demand potentially leading to process inefficiencies and gaps in internal control”. All procedural changes had been recorded and recommendations would be made throughout the year if procedural changes were needed; however, all departments reviewed to date had adapted well to the challenges brought by the Covid-19 pandemic and no significant issues specifically relating to the above risk  had been identified.

 

The Committee also heard that the  Internal Audit section remained focussed on delivering the message that it was here to support services and by letting the Council know about policy and procedural changes, difficult circumstances or just the unknown due to working on new projects / initiatives,  it could advise and support at an early stage rather than create additional work at a later date if governance or internal control issues were identified during an audit at a later date.

 

Quality Assurance – The Internal Audit function issued satisfaction surveys for each audit completed. In the period under review 100% of the responses received had indicated that the auditee was satisfied with the audit work undertaken.

 

Resourcing

 

Internal Audit had an establishment of 4 fte posts with access to a third-party provider of Internal Audit Services for specialist audit days as and when required. The Council had an Audit Technician post vacant at the time of the meeting. The Audit department had recently advertised and interviewed for an Internal Audit Apprentice with  the successful applicant due to start in early July 2023. Unfortunately, the candidate would now no longer be joining the Council as they had since found alternative employment.  Therefore, there  was a need to advertise and recruit again; however, this would be the third attempt to recruit with not many people previously applying for the vacancy.

 

Outcomes of Internal Audit Work

 

The Standards required the Internal Audit manager to report to the Audit Committee on significant risk exposures and control issues. Since the last report four audits  had been completed and the final report issued. The  PSIAS required the reporting of significant risk exposures and control issues.

 

Assurance	Colour	Number this Period	Total for 2022/23Plan
Substantial		3	9
Adequate		3	12
Improvement Required		2	2
Significant Improvement Required		0	0
No Opinion Required		0	3	Two consultative engagements in 2022/23 to date

 

For the purpose of the colour coding approach, both the substantial and adequate opinions were shown in green as both were within acceptable tolerances. Issues arising from audits completed in the period under review receiving an ‘Improvement Required’ opinion and requiring reporting to Committee were: -

 

Housing Allocations

 

Semi-automation of the Housing Register

 

Finding

 

“Shortlists to determine allocation of tenancies should be automated, recorded and reflect preferences and bandings of applicants.

 

Previously, this was a manual process, and flaws in this were highlighted in previous audit reports.

 

A new system was implemented and while the system is a large improvement on the previous method, the shortlisting still requires some manual input to bypass unsuitable candidates and officer time to sift through these.

 

Reasons for manual bypass could include an unrequested area, only accepting sheltered housing or a property unable to be adapted for a disabled applicant”.

 

Risk

 

“Without fully evidencing why certain applicants were bypassed, it is problematic to evidence why one applicant was awarded the property over another with an apparently higher claim. There is also the risk of an applicant being unfairly awarded accommodation if a higher placed applicant can be bypassed without authorisation or in error manually by an officer”.

 

Agreed Action

 

It was reported to Members that, at the conclusion of the Post Live Update software upgrade, it was expected that the shortlisting process should be fully automated due to including more factors (such as location) in the filtering to determine eligibility and offer. There  should not be any manual input, which should make the process both less prone to manual error and manipulation as well as faster to process.

 

The process should still have a manual check to ensure the system was correct and all documentation was present and correct before any offer was made.

 

Housing Repairs and Maintenance

 

“The issues identified within the Housing Repairs and Maintenance review remain the same as the previous years audit. The reason for the overall ‘Improvement Required’ opinion is because the new management system has not yet been fully implemented which is expected because it is a long term solution to the issues previously identified. However, because temporary processes are still being used until the system is fully implemented we were unable to provide an improved audit opinion from the previous year”.

 

Recycling and Waste

 

“Although the overall opinion for recycling and waste was ‘Adequate Assurance’ there is one finding that needs to be raised with the Audit Committee because it is significant to green waste. In terms of recycling and waste generally, green waste collection is a small part of the service and its financial impact in comparison to the overall contract is low. However, the issue identified has a significant impact on the management of the green waste collection service”.

 

Finding

 

The Committee heard that the Garden Waste service had significantly grown since the introduction of the function. In order to effectively manage and monitor the service, several operational controls should be in place.  Currently, there was no master list to confirm the total number of garden waste customers. This had led to a lack of reconciliations, which essentially, prevented the team from checking income against customer figures.  In line with the above, invoices were unclear which made it challenging to establish charges for individual bin collections. Therefore, the team were uncertain whether the Council  was being correctly charged, per bin.

 

The use of two systems had also made it difficult to provide an accurate database. 

 

Risk

 

“Failure to implement suggested changes, could result in the following;

 

- Customers receiving a service which they have not paid for

- The Council being over charged for garden waste bin collections

- Associated debt through lack of house keeping

- Financial loss and Reputational Damage”

 

Agreed Action

 

It was reported to Members that Garden waste data was to be transferred to Firmsteps, in order to verify total number of customers. Transparency of garden waste invoices was also to be sought, to enable confirmation of charges.

 

Once complete, full monthly reconciliations would be carried out and checks by management would be evidenced.

 

Management Response to Internal Audit Findings – There were processes in place to track the action taken regarding findings raised in Internal Audit reports and sought assurance that appropriate corrective action had been taken. Where appropriate follow up audits had been arranged to revisit significant issues identified after an appropriate time.

 

The number of high severity issues outstanding was as follows: -

 

Status	Number	Comments
Overdue more than 3 months	0
Overdue less than 3 months	1
Not yet due	0

 

 

Update on previous significant issues reported

Depot Operations

 

It was outlined to the Committee that issues had previously been reported to the Audit Committee relating to Housing Repairs and Maintenance and Depot Operations that remained ongoing, however a further update could be provided relating specifically to stock taking.

 

The service had a designated Officer to manage stores who recorded and issued stock upon management approval to keep a better record of all assets and stock. A weekly stock take was undertaken based on categories due to the variety of stock e.g. timber, tools, etc.

 

As this information was held and updated on a spreadsheet it could be prone to error or manipulation and had a big impact on staff time to update the records. However, it was a huge improvement on the fact that there was no process previously. The current process was a temporary fix until a full stock control and barcoding system could be implemented. The IT Department had agreed to create this system, a first version had already been created but some changes needed to be made in order to implement it fully.

 

The Committee  requested that the Portfolio Holder responsible for the Council’s waste function, as well as the appropriate Officer  attend the next meeting of the Committee to discuss these green waste issues.

 

Richard Barrett (Assistant Director, Finance & IT) said that he would update the Committee on the progress of a solution to the Green Waste issue between now and the next meeting of the Committee.

 

Annual Audit Report of the Internal Audit Manager

 

Members were reminded that all local authorities must make proper provision for internal audit in line with the Local Government Act 1972. The Accounts and Audit Regulations 2015 required that the Council undertook an effective Internal Audit to evaluate the effectiveness of its risk management, internal control and governance processes, taking into account the Public Sector Internal Auditing Standards (PSIAS).

 

The PSIAS stated that a professional, independent and objective internal audit service was one of the key elements of good governance, as recognised throughout the UK public sector. The role of the Head of Internal Audit (Internal Audit Manager), in accordance with the PSIAS, was to provide an opinion based upon, and limited to, the work performed on the overall adequacy and effectiveness of the organisation’s governance, risk management, and control processes.

 

As set out in PSIAS there was a requirement under PSIAS 2450 that the Chief Audit Executive must provide an annual report to the Audit Committee, timed to support the Annual Governance Statement. This must include:

 

•    An annual internal audit opinion on the overall adequacy and effectiveness of the organisation’s governance, risk and control framework (i.e. the control environment);

•    A summary of the audit work from which the opinion was derived (including reliance placed on work by other assurance bodies); and

•    A statement on conformance with the PSIAS and the results of the internal audit Quality Assurance and Improvement Programme.

 

It was reported that the Council was accountable collectively for maintaining a sound system of internal control and was responsible for putting in place arrangements for gaining assurance about the effectiveness of that overall system. As a result of this, the Council continued to adopt a ‘Three Lines of Defence’ assurance model, which was taken from the following sources:-

 

1.         Senior Management and Departmental Leadership

 

Under the first line of defence, operational management had ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.

 

2.         Internal Governance

 

The second line of defence consisted of activities covered by several components of internal governance (Statutory Officers, Corporate Oversight Functions, Quality Control, IT Security, Data Protection and other control departments). This line of defence monitored and facilitated the implementation of effective risk management practices by operational management and assisted the risk owners in reporting adequate risk related information up and down the organisation.

 

3.         Internal Audit

 

The requirement for an internal audit function in local government was detailed within the Accounts and Audit Regulations 2015, which stated that a relevant body must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.

 

Internal Audit Approach

 

The Committee was aware that the Internal Audit function undertook a programme of audits each year in order to provide the Council and its Audit Committee with assurance on the adequacy of its system of internal control, governance and risk management arrangements. The audit programme was developed using a risk based approach that incorporated a number of independent reviews of the Council’s activities to be able to give an overall opinion on the areas mentioned above.

 

Over the past few years there had been a rapid shift in the risk landscape leading to changing expectations from stakeholders for more value driven outcomes from Internal Audit work. This could be broken down into the following four categories that the Internal Audit function had tried to adopt in its approach to auditing within Tendring District Council;

 

•    Flexibility – Utilising different options to build engagement that allow varied deliverables;

•    Value creation – Enhancing or improving deliverables whilst considering culture, organisation maturity and stakeholder needs;

•    Innovation – Considering new and different ways of delivering audit efficiency, risk coverage and overall value; and

•    Systematic approach – Considering options and making decisions in an orderly way.

 

The Committee was reminded that the COVID-19 pandemic had been a major contributor to the ever changing risk landscape which had led to the impact of COVID-19 becoming a section of every audit undertaken and it would continue to be going forwards. The Internal Audit Team recorded changes to procedures and effectiveness and efficiency issues due to COVID-19 and reported any significant issues to the Council’s Management Team and Audit Committee as required. Departments had adapted well by making permanent and temporary changes to procedures. Recommendations had been made to a number of service areas throughout the year to reassess what were meant to be temporary process changes. However, none had been significant enough to warrant reporting to the Audit Committee as they were minor operational issues managed by departments without significant resource impacts.

 

Communication between Internal Audit, Leadership and the Audit Committee had been effective and remained consistent which provided reasonable assurance around the effectiveness and transparency of reporting arrangements.

 

Internal Audit had continued to work with services on a consultancy basis to support the implementation of new processes, identify and analyse route cause if necessary and to ensure that all relevant employees had the appropriate training to competently carry out their role. This included advising service areas’ transformation projects, procurement, ad-hoc investigations and any further advice on procedures due to the impact of COVID-19.

 

Independent investigatory work had also been undertaken throughout the year as and when required to support Senior Management when internal control issues had arisen within service areas.

 

In 2022/23, only two audits from a total of 26 reviews undertaken had received an overall audit opinion of “Improvement Required” where high severity issues had been identified. Those audits had been Housing Allocations and Housing Repairs and Maintenance. The issues raised in both areas had related specifically around system implementation and the need to ensure that the IT systems used to manage the records and monitor progress were further developed.

 

Improvement actions were in place for the mentioned audit areas, which had been followed up by the Internal Audit function to assess the progress of implementation. All significant issues were reported to the Audit Committee with required improvement actions throughout the year in order to provide a continuous update on the Council’s control environment, governance arrangements and material issues identified.

 

ANNUAL OPINION 2022/23

 

The Committee was advised that the Head of Internal Audit’s annual assurance opinion was based on the following:

 

•    Internal Audit work completed during the course of the year;

•    observations from consultancy/ advisory support;

•    results of any follow up exercises undertaken in respect of previous years’ internal audit work;

•    a review of assurance from other providers including those from first and second lines of defence, independent regulators and peer reviews;

•    the extent of resources available to deliver the internal audit work; and

•    the quality and performance of the Internal Audit service and the extent of compliance with the Public Sector Internal Audit Standards

 

Limitations to the Annual Opinion

 

It was reported that there were no limitations to report on the ability to deliver the Internal Audit Plan and to provide an annual opinion on the effectiveness of governance, risk management and internal control. There had been changes to the audit plan throughout the year due to emerging risks and changes to service provision. The changes to the audit plan had been made in consultation with the Audit Committee and Management Team to fit with the resources available at the time.

 

The Head of Internal Audit’s Annual Opinion

 

The Committee was informed that the overall direction of travel regarding the internal control environment since 2022/23 had improved. In 2021/22 it had been noted that an unqualified opinion could be difficult due to the wider governance issues raised in that year. However, it was noted that, based on the work completed in 2022/23, there had been evidence of improvements to processes and procedures throughout the Council meaning that a qualified opinion was not necessary for the 2022/23 financial year. A total of 39 moderate issues and 1 major issue had been identified with actions agreed with operational management throughout the year. All major actions had been reported to the Audit Committee and all moderate actions had been managed through the audit follow-up process with the service area.

 

Governance arrangements and internal controls had been evaluated in all audits within the plan, albeit with varying levels of scope. Senior Management continued to review strategic risks on a regular basis within Management Team and the Corporate Risk Register was reviewed bi-annually with any feedback reported to Management Team for its consideration.

 

The Internal Audit Manager had considered assurances obtained through:

 

•    All of the information reported above;

•    Internal Audit outcomes;

•    Annual Risk Management Review;

•    The Council’s assurance framework;

•    Management assurance through the Annual Governance Statement process;

•    External inspections;

•    Ongoing engagement with the business; and

•    Monitoring and reporting the implementation of agreed management actions.

 

The Internal Audit Manager was satisfied that sufficient work had been completed in 2022/23 to draw a reasonable conclusion on the adequacy and effectiveness of the Council’s activities. The internal control environment continued to remain stable with some significant changes in specific service areas, which had been reported to the Audit Committee throughout the year as part of the periodic reporting arrangements. An open dialogue with Senior Management on risk remained in place and a generally sound system of internal control had been assessed across the majority of the Council’s operational areas. Therefore, an overall unqualified opinion of ‘Adequate Assurance’ could be provided.

 

In noting this opinion, it was acknowledged that Internal Audit had not reviewed all risks and assurances and could not provide absolute assurance on the internal control environment.

 

The above report would be included within the Council’s Annual Governance Statement (AGS) as part of its statutory responsibilities.

 

Internal Audit Progress 2023/24

 

It was reported that the Internal Audit Team had yet to finalise an audit within the 2023/24 Internal Audit Plan. A total of six audits were in the ‘fieldwork’ phase.

 

Work had begun in areas such as Corporate Governance, Planning Development, Leisure Estate – Efficiencies and Cost Pressures, Building Control, Treasury Management and Contact Centre - Digitalisation.

 

Appendix B (2023/24 Internal Audit Plan progress) to the report provided an update on the status of each audit to date. There were no significant issues or particular areas of concern to report at this time.

 

After an in-depth discussion, the Committee NOTED the contents of the report and, in particular, in relation to the following:

 

·         The annual opinion statement within this report

·         The completion of audit work against the 2022/23 and 2023/24 Internal Audit Plans

·         Any audit findings provided; and

·         The overall performance and customer satisfaction on audit delivery.