Agenda item

To provide the Committee with a periodic report on the Internal Audit function for the period March 2024 – May 2024, as required by the professional standards and the Internal Audit Managers Annual Report for 2023/24 as required by the professional standards.

 

 

The Committee had before it a periodic report on the Internal Audit function for the period March 2024 – May 2024, and the Internal Audit Manager’s Annual Report for 2023/24 was delivered as required by the professional standards.

 

The report was split into three sections:

 

1.    Internal Audit Progress 2024/25

2.    Annual Report of Internal Audit Manager

3.    Internal Audit Plan Progress

 

The report outlined how the Council had a statutory responsibility to maintain adequate and effective internal audit. The Accounts and Audit Regulations 2015 made it a statutory requirement that the Council must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal audit standards and guidance.

 

The Members heard how the  Public Sector Internal Audit Standards required the Chief Internal Auditor (Internal Audit Manager) to make arrangements for reporting to senior management (Management Team) and to the board (Audit Committee) during the course of the year, and for producing an annual Internal Audit opinion and report that could be used to inform the Annual Governance Statement.

 

The Accounts and Audit Regulations 2015 required that “a relevant authority undertook an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance”.

 

In respect of the Internal Audit Plan, the Public Sector Internal Audit Standards required the Internal Audit Manager to: -

 

• Establish a risk-based Internal Audit Plan, at least annually, to determine the priorities   of the Internal Audit function, consistent with the Council’s goals.

• Have in place a mechanism to review and adjust the plan, as necessary, in response to changes to the Council’s business, risks, operations, programmes, systems and controls.

• Produce a plan that took into account the need to produce an annual Internal Audit opinion.

• Consider the input of senior management and the Audit Committee in producing the plan.

• Assess the Internal Audit resource requirements.

 

The Committee heard that all expected audits for the 2023/24 Internal Audit Plan had been completed. That a total number of six audits were completed during April 2024 to June 2024. One audit in this period received an overall opinion of ‘Improvement Required’ (Project Management) with the other five receiving satisfactory assurance opinions with no significant issues being identified. Internal Audit continued to provide advice on internal control, risk management and governance arrangements on a consultative basis.

 

The Committee also heard how the Council remained focused on delivering the message that Internal Audit supported services and by letting Internal Audit know about policy and procedural changes, difficult circumstances or just the unknown due to working on new projects/initiatives, Internal Audit could advise and support at an early stage rather than create additional work at a later date if governance or internal control issues were identified during an audit.

 

The Internal Audit Manager continued to oversee Fraud and Compliance service as well as the Internal Audit team while the Assurance and Resilience Manager remained on secondment.

 

Quality Assurance

The Internal Audit function issued satisfaction surveys for each audit completed. No unsatisfactory responses were received in this period.

 

Resourcing

Internal Audit had an establishment of 4 fte posts with access to a third-party provider of Internal Audit Services for specialist audit days as and when required. We had an Audit Technician post vacant.

 

Internal Audit was yet to advertise for another apprentice to support both the Internal Audit Team and the Fraud and Compliance Team.

 

Outcomes of Internal Audit Work

The standards required the Internal Audit manager to report to the Audit Committee on significant risk exposures and control issues. Since the last report, four audits had been completed and the final report issued. The Public Sector Internal Audit Standards required the reporting of significant risk exposures and control issues.

 

Assurance	Colour	Number this Period	Total for 2023/24 Plan
Substantial		0	7
Adequate		5	12
Improvement Required		1	1
Significant Improvement Required		0	0
No Opinion Required		0	4	Four consultative engagements in 2023/24

 

For the purpose of the colour coding approach, both the substantial and adequate opinions were shown in green as both were within acceptable tolerances.

 

Members heard that issues arising from audits completed in the period under review received an ‘Improvement Required’ opinion and required reporting to Committee were: -

 

Project Management

 

Lack of periodic project updates

 

Finding

 

Major projects should report progress against time, budget and potential upcoming issues.

 

While it was expected that there was communication between the project manager and line manager, not all information was received by senior management.

 

The use of exception-based reporting was not suggested, mainly as there was no firm parameters of what constitutes an exception and whether project managers would report them if they thought (rightly or wrongly) they could recover the situation in future.

 

At present there was no regularised reporting arrangements which covers all projects performance

 

Risk

 

Without a strong monitoring process and involvement of senior officers, there is an increased risk of not recognising and mitigating delays and overspends with a consequential pressure on council funds and resources.

 

Agreed Action

 

Updates and progress reporting requirements of projects to be reviewed and specified by the new Project Board.

 

The review would take account of regularity of reporting, information required from project leads and format of reporting.

 

Reporting to be proactive in nature, and also consider use of system reports as applicable.

 

Failure to complete projects on time and budget.

 

Finding

 

The Council completed multiple projects across many departments each year. While some were successful and successfully complete against time, budget and purpose, there were multiple examples of those which have failed to do so.

 

Given the scale of upcoming Levelling Up works (as well as need to achieve budgets generally), the ability to deliver against targets must be of high importance.

There was no one element which united the less successful projects, there were repeat factors which give an indication. These included lack of sufficient preparation, incorrect specifications, variations, inadequate contingency and inaccurate estimates. It was acknowledged that each project was unique and some instances these additional costs could not be accounted for initially.

 

Risk

 

Without projects being completed on time and within budget consistently, this risked adding to financial pressures on the Council which, in turn, impacted spend in other areas adversely. In addition, specifically, the Levelling Up projects were very high value and even a small percentage variance would have an outsize impact on Council finances.

 

Agreed Action

 

Officers to be reminded to follow the requirements of the Constitution and ensure all steps were followed, including post-project review and adoption of lessons learnt.

It was agreed that large scale changes to the Constitution were not required, but officers needed to be aware and follow them.

 

Management Response to Internal Audit Findings – There were processes in place to track the action taken regarding findings raised in Internal Audit reports and to seek assurance that appropriate corrective action had been taken. Where appropriate follow up audits had been arranged to revisit significant issues identified after an appropriate time.

 

The number of high severity issues outstanding was as follows: -

 

Status	Number	Comments
Overdue more than 3 months	4	Long term actions reported to the Audit Committee periodically (Appendix B)
Overdue less than 3 months	0
Not yet due	2	Project Management – Reported above

 

 

Update on previous significant issues reported

 

All previous significant issues were now provided within the report before the Committee.

 

ANNUAL AUDIT REPORT OF INTERNAL AUDIT MANAGER

 

The Committee heard that the Council was required by the Accounts and Audit Regulations 2015 to undertake an effective Internal Audit to evaluate the effectiveness of its risk management, internal control and governance processes, taking into account the Public Sector Internal Auditing Standards (PSIAS).

 

It was explained that the Public Sector Internal Audit Standards (PSIAS) stated that a professional, independent and objective internal audit service was one of the key elements of good governance, as recognised throughout the UK public sector. The role of the Head of Internal Audit (Internal Audit Manager), in accordance with the PSIAS, was to provide an opinion based upon, and limited to, the work performed on the overall adequacy and effectiveness of the organisation’s governance, risk management, and control processes.

 

All guidance from the Chartered Institute of Public Finance and Accountancy was also considered in line with the Accounts and Audit Regulations and the PSIAS when delivering a Head of Internal Audit annual opinion.

 

As set out in the Public Sector Internal Audit Standards (PSIAS) there was a requirement under PSIAS 2450 that the Chief Audit Executive had to provide an annual report to the Audit Committee, timed to support the Annual Governance Statement. This had to include:

 

·         An annual internal audit opinion on the overall adequacy and effectiveness of the organisation’s governance, risk and control framework (i.e. the control environment);

 

·         A summary of the audit work from which the opinion was derived (including reliance placed on work by other assurance bodies); and

·         A statement on conformance with the PSIAS and the results of the internal audit Quality Assurance and Improvement Programme.

 

It was reported that the Council was responsible for ensuring its business was conducted in accordance with the law and proper standards, and that public money was safeguarded and properly accounted for, and used economically, efficiently and effectively. The Council also had a duty under the Local Government Act 1999 to make arrangements to secure continuous improvement in the way in which its functions were exercised, having regard to a combination of economy, efficiency and effectiveness.

 

In discharging this overall responsibility, the Council had to ensure that there was a sound system of internal control which facilitated the effective exercise of the Council’s functions, and which included arrangements for the management of risk. The system of internal control was designed to manage risk to a reasonable level rather than to eliminate risk of failure to achieve policies, aims and objectives; it could therefore only provide reasonable and not absolute assurance of effectiveness.

 

Therefore, the Council continued to adopt a ‘Three Lines of Defence’ assurance model which was taken from the following sources;

 

1.    Senior Management and Departmental Leadership

Under the first line of defence, operational management had ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.

 

2.    Internal Governance

The second line of defence consisted of activities covered by several components of internal governance (Statutory Officers, Corporate Oversight Functions, Quality Control, IT Security, Data Protection and other control departments). This line of defence monitored and facilitated the implementation of effective risk management practices by operational management and assisted the risk owners in reporting adequate risk related information up and down the organisation.

 

3.    Internal Audit

The requirement for an internal audit function in local government was detailed within the Accounts and Audit Regulations 2015, which stated that a relevant body had to:

 

·         Undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.

 

Internal Audit Approach

 

It was reported to the Committee that Internal Audit function undertook a programme of audits each year which provided the Council and its Audit Committee with assurance on the adequacy of its system of internal control, governance and risk management arrangements. The audit programme was developed using a risk-based approach that incorporated a number of independent reviews of the Council’s activities to be able to give an overall opinion on the areas mentioned above.

 

The internal audit team maintained an agile approach to auditing, seeking to maximise efficiencies and effectiveness in balancing time and resource commitments with the necessity to provide comprehensive, compliant and value adding assurance.

Aspects considered when developing an audit plan and delivering an effective internal audit service were broken down into the graphic below.

 

 

 

The Members heard that as well as incorporating all of the above areas into the Internal Audit service, the Council endeavoured to ensure that the service was agile and included the following aspects into its planning and implementation processes;

 

• Flexibility – Utilising different options to build engagement that allow varied deliverables
• Value creation – Enhancing or improving deliverables while considering culture, organisation maturity and stakeholder needs
• Innovation – Considering new and different ways of delivering audit efficiency, risk coverage and overall value
• Systematic approach – Considering options and making decisions in an orderly way

 

Communication between Internal Audit, Leadership and the Audit Committee had been effective and remained consistent which provided reasonable assurance around the effectiveness and transparency of reporting arrangements.

 

The Members also heard that Internal Audit had continued to work with services on a consultancy basis to support the implementation of new processes, identify and analyse route cause if necessary and ensure that all relevant employees had the appropriate training to competently carry out their role. This included advising service areas transformation projects, procurement, ad-hoc investigations and any further advice on procedural changes.

 

Independent investigatory work had also been undertaken throughout the year as and when required to support Senior Management when internal control issues arose within service areas.

 

In 2023/24, only one audit from a total of 24 reviews undertaken received an overall audit opinion of “Improvement Required” where high severity issues were identified. The audit was Project Management.

 

The Committee heard how the Monitoring Officer had also issued a Section 5a report relating to the Spendells Temporary Housing project due to unauthorised spend, that resulted in a substantial overspend against the contract. The S151 Officer had also raised concerns via an addendum report which set out a number of actions that needed to take place at the request of the Chief Executive to ensure that a formal review of the Spendells project was undertaken and effective governance arrangements were in place for all projects going forwards. This corresponded with the significant governance issues identified within the project management audit and supported the need for a corporate review of project management going forward. Improvement actions were recommended for the mentioned audit areas which were followed up by the Internal Audit function to assess the progress of implementation. All significant issues were reported to the Audit Committee with required improvement actions throughout the year to provide a continuous update on the Councils control environment, governance arrangements and material issues identified.

 

Annual Opinion 2023/24

 

The Head of Internal Audit annual assurance opinion was based on the following:

 

• Internal Audit work completed during the course of the year;
• observations from consultancy/ advisory support;
• results of any follow up exercises undertaken in respect of previous years’ internal audit work;
• a review of assurance from other providers including those from first and second lines of defence, independent regulators and peer reviews;
• the extent of resources available to deliver the internal audit work; and
• the quality and performance of the Internal Audit service and the extent of compliance with the Public Sector Internal Audit Standards

 

Limitations to the Annual Opinion

 

It was reported that there were no limitations to report on the ability to deliver the Internal Audit Plan and provide an annual opinion on the effectiveness of governance, risk management and internal control. There were changes to the audit plan throughout the year due to emerging risks and changes to service provision. Any changes to the audit plan were in consultation with the Audit Committee and Management Team to fit with the resources available at the time.

 

The Head of Internal Audit Annual Opinion

 

It was also reported that the majority of audits in the 2023/24 Internal Audit plan received a satisfactory level of assurance. There was a total of 26 moderate issues raised throughout the year which was less than the 39 raised in 2022/23. This represented some improvement with regards to the internal control and governance framework across the organisation. However, this must be caveated by the fact that the majority of ‘non-financial’ audits were in different service areas from the 2022/23 financial year.

 

The Members heard that there were two major issues raised in 2023/24, both of which related to project management. In a different year, this alone may not have had a material impact on the Head of Internal Audit opinion. However, when combined with the Section 5a report raised by the Monitoring Officer, the S151 Officers addendum report and the Chief Executives formal review instructions; it did raise serious governance concerns.

 

The Council had committed to major Levelling Up projects in the realm of £60m in total which could result in financial difficulties and significant reputational damage if not managed in a structured and effective way. The Council did have good governance frameworks in place, they had not been followed in the most effective and disciplined way for a number of projects completed to date. With this in mind, it does conclude that issues raised relating to the Councils current project management arrangements need to be addressed before moving too far ahead with the Levelling Up projects.

 

Governance arrangements and internal controls had been evaluated in all audits within the plan, albeit with varying levels of scope. Senior Management continue to review strategic risks on a regular basis within Management Team and the Corporate Risk Register was reviewed bi-annually with any feedback reported to Management Team for consideration.

 

The Internal Audit Manager had considered assurances obtained through:

 

• All of the information reported above

• Internal Audit outcomes
• Annual Risk Management Review
• The Council’s assurance framework
• Management assurance through the Annual Governance Statement process
• External inspections
• Ongoing engagement with the business
• Monitoring and reporting the implementation of agreed management actions

 

All major actions due, had been reported to the Audit Committee and all moderate actions were managed through the audit follow-up process with the service area.

 

The Internal Audit Manager was satisfied that sufficient work was completed in 2023/24 to draw a reasonable conclusion on the adequacy and effectiveness of the Council’s activities. The internal control environment continued to remain stable with some significant changes in specific service areas which had been reported to the Audit Committee throughout the year as part of the periodic reporting arrangements. An open dialogue with Senior Management on risk remained in place and a generally sound system of internal control had been assessed across the majority of the Councils operational areas.

 

The governance issues related to project management had made the overall decision more difficult due to the challenges that the Council face in the next few years to deliver significant benefits to Tendring residents via levelling up funding. If the current issues were not addressed and the same issues arose with future projects, it would be very difficult to provide an unqualified opinion in future years.

 

After considering all of the above, an overall unqualified opinion of ‘Adequate Assurance’ could be provided for the 2023/24 financial year with a commitment from Management Team that all significant issues raised by the Councils statutory officers are addressed as soon as possible.

 

In noting this opinion, it should be acknowledged that Internal Audit had not reviewed all risks and assurances and cannot provide absolute assurance on the internal control environment.

INTERNAL AUDIT PROGRESS 2024/25

 

The Committee heard that the Internal Audit Team were yet to finalise an audit within the 2024/25 Internal Audit Plan. A total of 6 audits were in fieldwork phase.

 

The Internal Audit Team had monitored outstanding actions and worked hard to ensure that services work with them to confirm that agreed actions were completed in a timely manner.

 

Work had begun in areas such as Parking Services, Private Sector Housing, Environmental Health, Cremations and Burials, Disabled Facilities Grants and Identity and Access Management.

 

Appendix B – 2024/25 Internal Audit Plan progress report; provided an update on the status of each audit to date.

 

There were no significant issues or particular areas of concern to report at this time.

 

The Corporate Director (Operations and Delivery) gave a brief summery on the Spendells project but explained that as there was an internal review underway, he was limited in what he could say about that matter.

 

After a short discussion it was moved by Councillor Fairley, seconded by Councillro Steady and unanimously RESOLVED to note:

 

a.    the annual opinion statement within this report,

b.    the completion of audit work against the 2023/24 and 2024/25 Internal Audit Plans; and

c.     any significant audit findings provided.

 

The Committee further RESOLVED;

 

d.    that in respect of the Spendells House issue, the Committee looks forward to reviewing the outcome from the work being undertaken by the Chief Executive; and

 

e.    notes and endorses the proposed joint working with the Resources and Services Overview and Scrutiny Committee and will seek to identify the associated opportunities for a combined exercise with that Committee going forward.