To provide a progress report on the Internal Audit function for the period January 2024 – March 2024 and to seek approval of the Audit Committee for the 2024/25 Internal Audit Plan.
Minutes:
The Committee was reminded that the Accounts and Audit Regulations 2015 required that: “a relevant authority must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance”.
In respect of the Internal Audit Plan the Public Sector Internal Audit Standards required the Internal Audit Manager to: -
· Establish a risk based Internal Audit Plan, at least annually, to determine the priorities of the Internal Audit function, consistent with the Council’s goals.
· Has in place a mechanism to review and adjust the plan, as necessary, in response to changes to the Council’s business, risks, operations, programmes, systems and controls.
· Produces a plan that takes into account the need to produce an annual Internal Audit opinion.
· Considers the input of senior management and the Audit Committee in producing the plan.
· Assesses the Internal Audit resource requirements.
The Committee heard that a total of four audits had been completed since the previous update in January 2024. Six audits were still in fieldwork. A request was made to the Audit Committee to defer four audits from the 2023/24 audit plan. Those audits were the Social Housing Bill Implementation Plan, External Funding, Emerging Risks from Legislative Changes, and Careline Service – Follow Up. All audits equated to a total of 40 audit days.
It was reported that the Internal Audit Manager continually risk assessed the progress of the plan against the level of resources available throughout the year to determine whether a measured annual assurance opinion could be provided based on the level of work completed. A determination was then made as to whether audit days needed to be procured to support the delivery of the plan. Although there were some audits to be deferred, they were not auditable areas that would have a significant impact on the Council’s overall assurance framework.
Throughout the year, the audit team had had a number of long-term absences which were covered through the use of overtime as it was the most practical and cost-effective method to ensure adequate coverage at the time. If there was a need for additional coverage in the future, then the Audit Committee would be updated accordingly through the periodic update arrangements in place. In order to provide the Head of Internal Audit’s Annual Opinion at the June 2024 Audit Committee, it was important that the following audits were completed as they formed part of the Council's key systems. The audits were Procurement, Contract Management, Project Management, and IT Governance. All were currently in fieldwork and close to completion.
Quality Assurance
The Internal Audit function issued satisfaction surveys for each audit completed. All satisfaction surveys were yet to be returned from the four audits completed in this period.
Resourcing
Internal Audit currently had an establishment of 4 FTE posts with access to a third-party provider of Internal Audit Services for specialist audit days as and when required. IA currently had an Audit Technician post vacant. The team would advertise for another apprentice in the next few months to support both the Internal Audit Team and the Fraud and Compliance Team.
Outcomes of Internal Audit Work
The standards required the Internal Audit manager to report to the Audit Committee on significant risk exposures and control issues. Since the last report, four audits had been completed and the final report issued. The Public Sector Internal Audit Standards required the reporting of significant risk exposures and control issues.
Assurance |
Colour |
Number this Period |
Total for 2023/24 Plan |
|
Substantial |
|
3 |
10 |
|
Adequate |
|
1 |
13 |
|
Improvement Required |
|
0 |
0 |
|
Significant Improvement Required |
|
0 |
0 |
|
No Opinion Required |
|
0 |
2 |
Two consultative engagement in 2023/24 to date |
For the purpose of the color-coding approach, both the substantial and adequate opinions were shown in green as both were within acceptable tolerances.
The report outlined the issues arising from audits completed in the period under review. None had received an ‘Improvement Required’ opinion and required reporting to Committee:
There were no significant issues arising from the four audits completed in the period from January to March 2024. However, it was important to inform the Audit Committee that the Council had fallen victim to payroll fraud during this period whereby one month's pay for a TDC employee had been paid into a fraudulent bank account.
The details were tat a fraudulent email had been sent to the Council requesting a change of bank details. In this instance, the normal control of contacting the employee via a verified method of communication had not been carried out prior to making the changes to the account on file. The process followed at the time was weak, which had led to confusion as to who had undertaken each task in the process.
In the short term, a more prescriptive form had been designed to prevent future confusion with the objective of using an electronic authorization process in the future within the new HR / Payroll system currently being implemented. Internal Audit had advised throughout the process.
The Council’s bank had been informed of the fraud, and details recorded on the Essex Police Action Fraud website. It was unlikely that the monies would be recovered.
Management Response to Internal Audit Findings – There were processes in place to track the action taken regarding findings raised in Internal Audit reports and to seek assurance that appropriate corrective action had been taken. Where appropriate, follow-up audits were arranged to revisit significant issues identified after an appropriate time.
The number of high severity issues outstanding was as follows: -
Status |
Number |
Comments |
Overdue more than 3 months |
4 |
Long term actions reported to the Audit Committee periodically (Appendix B) |
Overdue less than 3 months
|
0 |
|
Not yet due |
0 |
|
The Committee heard that the Internal Audit Plan had been produced taking into account the requirements as set out in the Public Sector Internal Audit Standards and the current Internal Audit Charter. The Internal Audit Team continued to aspire to add value by targeting particular areas of the Council that might benefit from an independent review of processes and procedures to determine potential efficiency gains, improved technology/software requirements, or change through new innovative ways of working.
Risk Management was also an aspect that required consideration when developing an audit plan. Although risk registers were considered as part of this process, leadership, managers, and officers considered risk every day in the work they did; therefore, interviews with Officers at all levels were key when reviewing whether risks were considered in decision-making.
Members were informed that risk was defined as: 'the possibility of an event occurring that would have an impact on the achievement of objectives’. Therefore, risk could be a positive and negative aspect, so as well as managing things that could have an adverse impact (downside risk), it was also important to look at potential benefits (upside risk). All audits would look at adverse impacts and potential opportunities, and all significant areas were reported to the Audit Committee periodically.
Discussions were held with Management Team members individually and collectively. The feedback from the Management Team was taken into account and incorporated within the plan presented to the Committee. The Committee then had the opportunity to input into the draft plan provided.
Other factors had also been considered when developing the plan:-
• The risk maturity of the organization;
• The need to use specialists e.g. IT Auditors
• Contingency time to undertake ad-hoc reviews and fraud investigations
• Having the right balance of different reviews e.g. Systems and risk-based vs added value and consultative assessments
The Committee heard how the plan outlined the work proposed to be undertaken during the 2024/25 financial year. In order to continue providing a proactive and flexible approach, the plan was considered indicative of the work intended at that time. The Internal Audit Plan needed to be flexible to ensure that Internal Audit resources were directed where they were most needed and added as much value as possible to the organization. The plan was kept under review during the year, in consultation with the Council’s senior management, and took account of changes to the Council’s priorities, operations, and risk. Changes to the plan were brought to the attention of the Committee for its approval. The plan was considered to be a rolling programme of work, rather than specific to one year, and audits scheduled but incomplete at the end of any financial year rolled forward and were completed in the new financial year.
The Committee’s attention was drawn to the following:-
• The comments section of the plan provided additional detail on the audit techniques used to deliver the reviews, a brief summary of what was included within the audit, and in some instances why it was included in the plan.
• Consultative audits – The Council faced a difficult period with budget constraints, increased demand on services, and involvement with major projects, which could expose the Council to further financial and reputational risk. Therefore, it was felt that Internal Audit could add more value by advising at the start and throughout the projects/initiatives.
• Key Financial Audits – Audits within this section formed the foundation of the Head of Internal Audit's annual opinion as they covered all aspects of the Council's financial procedures. This was important because if there were major failings in the Council’s financial procedures as well as its service delivery audits, then there was an increased risk of error, poor governance, and fraud.
As referred to above, mechanisms existed to allow necessary amendments to the plan and if any issues arose regarding the risks in the current Corporate Risk Register, or new risks emerged including any identified by the Council’s external auditors, then plan adjustments were considered.
The level and range of coverage were considered sufficient for the Internal Audit Manager to provide an annual opinion on the Council’s assurance framework.
After a detailed discussion it was moved by Councillor Sudra, seconded by Councillor Steady and RESOLVED that:
(a) the periodic update and the action tracking report be noted; and
(b) the proposed Internal Audit Plan for the 2024/25 financial year be approved.
Supporting documents: