Agenda item

To provide the Committee with a periodic report on the Internal Audit function for the period September to December 2019.

 

Minutes:

There was a report submitted by the Council’s Internal Audit Manager (Craig Clawson) (report A.1) which provided a periodic update on the Internal Audit function for the period September to December 2019. The report was split into two sections as follows:-

 

(1) Internal Audit Plan Progress 2019/20; and

(2) Quality Assurance Improvement Programme.

 

(1)    INTERNAL AUDIT PLAN PROGRESS 2019/20

 

It was reported that a total of eleven audits had been completed since the previous update given to Members in September 2019. A further ten audits were at the fieldwork stage and another four audits had been allocated to be completed.

 

Nine of the eleven audits had received a satisfactory level of assurance; however, two audits, Planning Enforcement and Housing Repairs and Maintenance, had received an overall audit opinion of ‘Improvement Required’.

 

As there were a number of audits that were continuous or consultative, the Internal Audit Manager had provided the following summary of progress:-

 

Office Transformation Programme

 

The transformation board continued to meet on a regular basis to review progress with the Office Transformation Programme. No significant issues had been raised regarding operational processes or internal controls.

 

Digital Transformation Programme

 

At the last digital transformation meeting attended by Internal Audit, no operational or internal control concerns had been raised within the meeting. Cloud migration was the current priority within the programme.

 

The next phases of the programme had been discussed. As there was a lot of work being carried out within the Council depot as part of the Northbourne Security Review (which Internal Audit were supporting), it had been raised at the meeting that new field management software was due to be implemented which would improve the efficiency of day-to-day operations and provide an electronic solution for job and workflow management, scheduling and resource management, and parts and stock management. It had been agreed that the IT Team would be involved in the process and determine how the new system would work with the Council’s self-service objectives.

 

Project Management

 

As reported at the previous meeting of the Committee, the Project Management Board was now in place, with projects being assessed under the previously reported headings and criteria in order to ensure that adequate assessments of projects were undertaken and that all relevant information was available prior to the progression of a project.

 

No significant issues had been identified to date and the feedback from Officers had been positive as it had allowed constructive challenge to take place and further development of business cases prior to approval and progression.

 

Northbourne Security Review

 

As reported above, Internal Audit had been supporting the Head of Building and Engineering Services in improving the security arrangements of Northbourne Depot. An electronic gate was shortly due to be installed whereby only authorised personnel would have access. Improved CCTV was also being installed covering all areas of the Depot. A new field management system was also to be implemented in order to improve stock control, job and workflow management and scheduling efficient, logistical workloads.

 

Quality Assurance

 

The Internal Audit function, as a matter of course, issued satisfaction surveys for each audit completed. In the period under review 100% of the responses received indicated that the auditee was satisfied with the audit work undertaken.

 

Resourcing

 

At the previous meeting of the Committee it had been reported that a member of the audit team was on long term absence and another member of the team was on maternity leave. Both Officers had subsequently left the Council’s employment.

 

An assessment of resourcing would be undertaken and an update would be submitted to the Audit Committee at its next meeting in March 2020. In the short term, if any material resourcing issues arose, third party suppliers would be sought in order to cover any potential delays in the delivery of the Audit Plan.

 

Outcomes of Internal Audit Work

 

The Public Sector Internal Audit Standards required the Internal Audit Manager to report to the Committee on significant risk exposures and control issues. Since the last such report eleven audits had been completed and the final reports issued. Two audits had received a ‘Substantial Assurance’ audit opinion and seven had received an ‘Adequate Assurance’ audit opinion. The remaining two audits had received an ‘Improvement Required’ audit opinion. Those audits were in relation to Planning Enforcement and Housing Repairs and Maintenance. The significant issues arising and required actions were:-

 

(i)         Planning Enforcement

 

The following significant issues and associated actions had been identified within the audit:

 

1.   The current planning enforcement policy was dated November 2010. As well as questions as to whether the policy reflected current regulations, working practices and political thinking, it was noted that it also contained references to former council officers and former Government Departments.

 

·           An up to date Enforcement Policy is to be reviewed and adopted, following correct authorisation.

 

2.   Once it had been established that a planning breach had occurred, a scored HARM assessment should be carried out and checked to evaluate whether further action and resource was justified. Throughout the audit, there were cases where no assessment could be located or had not been checked by the Planning Enforcement Manager, in line with guidance notes which provided evidence of an independent check.

 

·           The format of HARM assessments is to be reviewed and adopted. Use of the form is to be incorporated within Officer Guidance and used and recorded appropriately on the Enforcement System.

 

3.   Planning Enforcement had use of the Enterprise module of the Planning Software. This was real time monitoring software, which showed what stage each case was at, and whether it had reached its milestone. Due to the number of technically overdue cases, this was not used to manage cases effectively. In addition, it was advised that some of the target timings on the software were wrong.

 

·           Use of the Enterprise software and pre-set milestones to be reviewed and amended, in liaison with IT. Use of global or diverted Uniform diaries also to be investigated and a solution sought to enable other officers’ access to overdue case diaries, as appropriate.

 

4.   To provide an effective and timely enforcement service, potential breaches needed to be managed and a process followed. There had been cases where there had been large gaps between any actions being taken, which could give the impression of allowing breaches to progress or complaints being ignored. Due to a lack of consistent procedures and notes, it was problematic to know the exact status at a glance, especially if an officer had left the Council’s employment.

 

·         All cases should have all activity, diary dates and next steps clearly recorded on the enforcement system, and officers reminded to this effect.

 

(ii)        Housing Repairs and Maintenance

 

1.   Variation orders were not written down when changing the value of a job with a third party contractor, therefore no record was available to determine the nature of why the change had been required.

 

·         Written Variation orders to be enforced and retained. A linked process to be created to ensure these are managed and matched with invoices.

 

2.   The software used for Housing Repairs - Northgate - continued to lack full capability, with several sub-routines defective. Examples included reporting issues, adjusting Schedule of Rates items, and communication issues with third party e-mail recipients.

 

·                A workflow system will be installed and used as the default software for recording Building Repairs jobs. Also to be used for other functionality such as stock control and electronic ordering.

 

(iii)      Information Governance – GDPR Review

 

No significant issues had been identified during the review; however, an issue of non-compliance with the Data Protection Act 2018 had been identified for consideration along with proposed actions by this Committee.

 

1.         There had been occasions in the past where personal and special category TDC data had been forwarded to personal emails by both Officers and Members. It was recognised that this was for ease of use rather than anything malicious. However, Data Protection Act 2018 legislation, particularly Article 5, Paragraph 1(f), required personal data to be “processed in a manner that ensures appropriate security of the personal data”. The Council was unable to demonstrate compliance in this regard as personal devices and their cyber-security remained outside of the sphere of Council knowledge, control and management.

 

·                It is therefore recommended that Officers be reminded of the need to ensure that TDC data be retained within TDC encrypted, secure ‘official’ emails and not forwarded to personal emails. In respect of Members, the recommended control is that only Council issued equipment and email addresses should be used, to prevent the need to forward data to personal emails and to avoid increasing the risk of non-compliance and the wider financial and reputational consequences if personal data is not secure.

 

The IT & Resilience Team are reviewing this issue and exploring the most appropriate option in terms of providing the necessary equipment to Members.

 

Update on significant issues previously reported to the Audit Committee

 

Housing Allocations

 

(1)       Allocations System

 

Agreed Action Update: A business case was currently being written to adopt a new allocations system via Housing Partners.

 

(2)       Validation of Declarations

 

Agreed Action Update: The Housing Allocations Manager had been liaising with the Safer Communities Manager to determine the best way of getting relevant information quickly. TDC had adopted the Essex Wide Prisoner Release Protocol which had also been adopted by all other Essex Authorities. By being part of this group information relevant to a new applicant should be available.

 

(3)       Scanned Documentation

 

Agreed Action Update: The Team had begun scanning documentation on to the Council’s Corporate EDRMS System. They were currently working their way through the backlog of older hard copy files.

 

(2)        QUALITY ASSURANCE IMPROVEMENT PROGRAMME UPDATE

 

The Internal Audit function was required to be assessed externally every five years on compliance with the Public Sector Internal Audit Standards (PSIAS). This had last been undertaken two years ago and actions from that assessment had been implemented as previously reported to the Committee. Within the five year assessment period, Internal Audit were required to undertake a periodic self-assessment against the PSIAS in order to develop a Quality Assurance Improvement Programme (QAIP). The QAIP had now been completed identifying areas where further development and partial compliance had been recognised.

 

The QAIP was before the Committee as Appendix B to the report. Actions and target dates had been attached against the standards where further development was required.

 

The Council’s Head of Building and Engineering Services (Damian Williams) attended the meeting and answered Members’ questions in relation to improving the security arrangements of Northbourne Depot and the implementation of a new field management system in order to improve stock control, job and workflow management and scheduling efficient, logistical workloads.

 

Mr Williams also gave an update on the Council’s business continuity response following the liquidation of ROALCO, the Council’s former external contractor for repairs and refurbishment of the Council’s housing stock, and answered Members’ questions thereon.

 

The Council’s Corporate Director (Planning and Regeneration) also attended the meeting and answered Members’ questions in relation to the significant issues and associated actions that had been identified within the audit of Planning Enforcement.

 

Having considered and discussed the contents of the Internal Audit Manager’s report and its appendices it was:-

 

RESOLVED that –

 

(a)       the contents of the periodic report be noted;

 

(b)       the Quality Assurance Improvement Programme be approved and periodically assessed in order to ensure the actions within it are implemented;

 

(c)       the Committee supports the implementation, as soon as possible, of the proposal set out within the report for providing the necessary IT equipment and training to Members to ensure that only Council equipment is used when conducting Council business in order to reduce the financial and reputational risk associated with processing personal data; and

 

(d)       the Corporate Director (Planning and Regeneration) be invited to attend to give updates to the Committee, when sufficient material information is available, on the implementation of the action plan arising from the recent audit of Planning Enforcement.
