Agenda Item No. 7 Appendix A

Internal Audit Progress Report

August 2017

West Sussex County Council

Contents:

1. Role of Internal Audit

2. Purpose of report

3. Performance dashboard

4. Follow Up Work

5. Executive summaries ‘Limited’ and ‘No’ assurance opinions

6. Planning and resourcing

7. Rolling work programme

8. Adjustments to the Plan

Appendix 1 – External Quality Assessment – Action Plan

Appendix 2 – Overdue ‘High Priority’ Management actions

Appendix 3 – Cleared ‘High Priority’ Management actions since last report

1. Role of Internal Audit

The requirement for an internal audit function in local government is detailed within the Accounts and Audit (England) Regulations 2015, which states that a relevant body must:

‘Undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.’

The standards for ‘proper practices’ are laid down in the Public Sector Internal Audit Standards [the Standards – updated 2016].

The role of internal audit is best summarised through its definition within the Standards, as an:

‘Independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes’.

The County Council is responsible for establishing and maintaining appropriate risk management processes, control systems, accounting records and governance arrangements. Internal audit plays a vital role in advising the County Council that these arrangements are in place and operating effectively. The County Council’s response to internal audit activity should lead to the strengthening of the control environment and, therefore, contribute to the achievement of the organisation’s objectives.

2. Purpose of report

In accordance with proper internal audit practices (Public Sector Internal Audit Standards), and the Internal Audit Charter, the Chief Internal Auditor is required to provide a written status report to ‘Senior Management’ and ‘the Board’, summarising:

• the status of ‘live’ internal audit reports (outstanding recommendations);

• an update on progress against the annual audit plan;

• a summary of internal audit performance, planning and resourcing issues; and

• a summary of significant issues that impact on the Chief Internal Auditor’s annual opinion.

Internal audit reviews culminate in an opinion on the assurance that can be placed on the effectiveness of the framework of risk management, control and governance designed to support the achievement of management objectives of the service area under review. Assurance opinions are categorised as follows:

Substantial: There is a sound system of control designed to achieve the objectives. Compliance with the control process is considered to be of a high standard and few or no material errors or weaknesses were found.

Satisfactory: While there is a basically sound system, there are weaknesses which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited: Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.

No: Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.

3. Performance dashboard

% Positive Customer Feedback: Target 90%; Actual 92%

Compliance with Public Sector Internal Audit Standards

An ‘External Quality Assessment’ of the Internal Audit Service was undertaken by Mazars in December 2016. The report concluded:

‘It is our view that West Sussex internal audit service ‘generally conforms’ to the Public Sector Internal Audit Standards (PSIAS).’

*An action plan to further enhance service provision generated from the external assessment is detailed at Appendix 1.

% of revised plan delivered (incl. carry fwd): 11% Complete; 35% Work in Progress; 54% Yet to Commence

4. Follow Up Work

High and medium priority recommendations are monitored for each directorate. The latest information on implementation % rate of high & medium priority recommendations accepted and due from 2015/16 onwards is as follows:

Directorate | High %’age | High Number | Medium %’age | Medium Number

Corporate, Finance, Law & Transformation | 91 | 11 | 74 | 162

Children, Adults’, Families, Health & Education | 100 | 5 | 83 | 46

Economy, Infrastructure & Environment | 80 | 10 | 86 | 37

Communities & Public Protection & Chief Fire Officer | N/A | 0 | 22 | 9

Outstanding high recommendations are detailed in Appendix 2. The appendices include comments from officers in respect of status/action taken. Not all completed actions as described by officers have been verified by Internal Audit. Where actions have been verified this has been stated on the table. All key recommendations will be checked by Internal Audit during the year and any outstanding or not satisfactorily completed will continue to be reported to this committee. High priority recommendations that have been actioned since the last meeting of RAAC are shown in Appendix 3.

5. Executive Summaries of reports published concluding a ‘Limited’ or ‘No’ assurance opinion

None to report.

6. Planning & Resourcing

The internal audit plan for 2017-18 was approved by the County Council’s Executive Leadership Team and the Regulation, Audit & Accounts Committee in March 2017.

The audit plan remains fluid to provide a responsive service that reacts to the changing needs of the County Council. Progress against the plan is detailed within section 7.

7. Rolling Work Programme

Audit Review | Audit Sponsor | Scoping | Audit Outline Issued | Fieldwork | Draft Report Issued | Final Report Issued | Assurance Opinion | Comment

No Recourse to Public Funds CAFH&E

Procurement Cards FP&P Aug 17

Cyber Security TC&SS April 17 July 17 Satisfactory

Waste Strategy EIE May 17 June 17 Satisfactory

Payroll FP&P May 17 June 17 Satisfactory

Accounts Payable FP&P May 17

Fire Core Systems C&PP&CFO May 17 June 17 Satisfactory

Pensions – External Bodies FP&P June 17 July 17 Satisfactory

Singleton Primary CAFH&E April 17 April 17 Substantial

Oathall CAFH&E Mar 17 May 17 Satisfactory

Steyning Grammar CAFH&E April 17 May 17 Substantial

Beechfield CAFH&E Oct 16

Capita Services & Contract TC&SS

Service Business Resilience Plans C&PP&CFO

Telecommunications TC&SS

IT Infrastructure TC&SS

E-mail / Exchange Server TC&SS

PC End User Controls TC&SS

GDPR Compliance TC&SS

Access Control TC&SS

Procurement FP&P

Agency Staff TC&SS Aug 17

Health & Safety TC&SS Aug 17

Scheme of Delegation FP&P

Crawley Schools PFI CAFH&E

Safeguarding Children CAFH&E

Unaccompanied Asylum Seeking Children CAFH&E

Direct Payments CAFH&E

Special Education Needs CAFH&E

Serious Case Reviews CAFH&E

Public Health Contracts CAFH&E

Domiciliary Care CAFH&E

Customer Financial Administration CAFH&E

Public Transport Contracts EIE

Fleet Management C&PP&CFO

Accounts Receivable FP&P

Main Accounting System FP&P

Capital Accounting & Monitoring FP&P

Treasury Management FP&P

Payments FP&P

Pension Administration FP&P

Internally Managed Investments FP&P

Externally Managed Investments FP&P

Payroll TC&SS

Social Care Feeder Systems CAFH&E

Grant Claims FP&P N/A N/A N/A

Think Family CAFH&E N/A N/A N/A

IR35 Compliance TC&SS

Coroner C&PP&CFO

Fire Core Systems C&PP&CFO

Horsham Nursery School CAFH&E Jul 17

West Sussex Alternative Provision College CAFH&E

Bersted Green Primary School CAFH&E

London Meed Community Primary School CAFH&E Jul 17

Northchapel Primary School CAFH&E

Amberley C.E. First School CAFH&E

St James' C.E. Primary School CAFH&E

Rogate C.E. Primary School CAFH&E

Shipley C.E. Primary School CAFH&E

Steyning Primary CAFH&E

Yapton C.E. Primary School CAFH&E

Easebourne C.E. Primary School CAFH&E

Lyndhurst Infants CAFH&E

The March C.E. Primary School CAFH&E

Bishop Tufnell C.E. Infant School, Felpham CAFH&E

English Martyrs Catholic Primary School CAFH&E

Oriel High School CAFH&E Jul 17

Millais School, Horsham CAFH&E

Bourne Community College CAFH&E

Ifield Community College, Crawley CAFH&E

Felpham Community College CAFH&E

St Andrews High School CAFH&E

Littlegreen School CAFH&E

Woodlands Meed CAFH&E

Cissbury Lodge CAFH&E May 17 Jul 17 Satisfactory

Orchard House CAFH&E

May House CAFH&E

18, Teasel Close CAFH&E

Beechfield CAFH&E

Hammonds CAFH&E Jun 17

Tozer House CAFH&E

Strawford Centre CAFH&E Jun 17 Jul 17 Satisfactory

New Tyne Resource Centre CAFH&E

Early Years Provider 1 CAFH&E

Early Years Provider 2 CAFH&E

Early Years Provider 3 CAFH&E

Early Years Provider 4 CAFH&E

8. Adjustment to the Internal Audit Plan

Audit reviews removed from the plan

Contract Variations | Removed | Amalgamated into one procurement review.

Contract – Single Tender / Waivers | Removed | Amalgamated into one procurement review.

Fostercare | Removed | PWC review work covered this area, removed to avoid duplication.

Direct Payments – Adults | Removed | Amalgamated into combined DP review with children direct payments.

Highways Asset Management System | Removed | Requirement from CIPFA/LASAAC to move to depreciated replacement cost (DRC) postponed.

Audit reviews added to the plan

Prevent | CAFH&E

Early Years Payments to Providers | CAFH&E

Capital Programme ‘critical friend’ | FP&P

Risk Management | FP&P

Project Management Review | TC&SS

Appendix 1

External Assessment – Action Plan

1. Recommendation: The Internal Audit function should undertake a detailed identification of the key outcomes, corporate and operational risks and map these to the assurance requirements of the Council. The outcomes of the new Chief Executive’s ‘100 day plan of action’ will allow Internal Audit to understand and adapt to the different needs and expectations in place in identifying where it needs to focus its coverage in both providing assurance on the adequacy of the other assurance activities, where these exist, and to focus its core assurance (and advisory) work. There is also a need to ensure that the risks identified during the planning process are followed through when formulating and agreeing audit planning memorandums and delivering the audit work.

Management Action: Ongoing audit needs assessment will incorporate / acknowledge key strategic policies (Chief Executive’s 100 day plan; Future West Sussex Plan etc.) to ensure internal audit are best positioned to add value and assist the organisation in the achievement of their objectives. A process of assurance mapping will be introduced to identify and record the key sources of assurance that inform management and those charged with governance on the effectiveness of the key controls / processes that are relied on to manage risk and achieve the organisation’s objectives. In forming ‘terms of reference’ at an assignment level a ‘golden thread’ will be evidenced between assessed service risks and the objectives reviewed on which the assurance opinion is to be based.

Priority: High

Responsible Officer: Neil Pitman, Head of Audit (Interim); Keith Phillips, Audit Manager; Rob Allen, Audit Manager

Due Date: April 2018

RAG Status: (G) Ongoing

Comments: A new template has been introduced as part of the audit scoping to formally assess and document risks specific to the area under review and align to service objectives to ensure relevant focus.

2. Recommendation: With the support of the Internal Audit function, the Council should continue in its attempts to embed a Risk Management Framework across the Council. This will allow a more transparent linking of Internal Audit plans, the nature and coverage of individual assignments, work performed and reports, against key Council outcomes and risks.

Management Action: Future internal audit planning will include review of risk registers as a primary source of reference in the assessment of audit needs. This in turn will advocate the importance of the risk registers / risk management as part of the governance framework. In forming ‘terms of reference’ at an assignment level a ‘golden thread’ will be evidenced between assessed service risks and the objectives reviewed on which the assurance opinion is to be based.

Priority: High

Responsible Officer: Neil Pitman, Head of Audit (Interim)

Due Date: Jan 2018

RAG Status: (G) Complete

Comments: Risk registers are now established within the organisation and the internal audit team have access to view them to inform audit planning. A new template has been introduced as part of the audit scoping to formally assess and document risks specific to the area under review and align to service objectives to ensure relevant focus.

3. Recommendation: The Audit Charter should be refreshed and communicated consistent with the new PSIAS requirements to clarify:

• Internal Audit’s role as an objective assurance function which is truly independent of management, yet providing robust challenge to management’s response to key business risks; and

• Internal Audit objectives that are fully aligned with the outcomes of the new Chief Executive’s ‘100 day plan of action’ and wider business objectives.

Management Action: Revise, endorse and communicate the internal audit charter to reflect internal audit’s role and responsibilities reflective of the organisational risk. Formulate an internal audit business plan aligned to the organisation’s priorities, objectives and risks.

Priority: Medium

Responsible Officer: Neil Pitman, Head of Audit (Interim)

Due Date: Sep 2017

RAG Status: (G) Complete

Comments: Business plan produced and aligned to directorate and organisational priorities (July 2017). Internal audit charter revised and presented to the Regulation Audit & Accounts Committee (September 2017).

4. Recommendation: Due to the high level of senior management turnover, the HoIA and the Audit Managers should develop closer relationships and improve communications with senior management across all areas within the Council’s remit. Internal Audit should have regular access to senior management (e.g. via meetings of the corporate leadership team, attendance at and providing input to governance and transformation boards, Internal Audit work reflected in the quarterly management reports etc.) to clearly identify and communicate common themes and emerging issues.

Management Action: To introduce quarterly (minimum) liaison meetings with Executive Directors and their Senior Management Teams to discuss ongoing internal audit work, relevant departmental risks, upcoming departmental initiatives, horizon scanning etc. Establish clear and timely reporting protocols to CLT, ELT and RAAC etc.

Priority: Medium

Responsible Officer: Neil Pitman, Head of Audit (Interim); Keith Phillips, Audit Manager; Rob Allen, Audit Manager

Due Date: July 2017

RAG Status: (G) Complete

Comments: Quarterly meetings scheduled with Directorate Management Teams (July 2017). Quarterly progress reports timetabled to follow due governance through Senior Management and the Regulation Audit & Accounts Committee (July 2017).

5. Recommendation: To improve the efficiency and effectiveness; the Internal Audit function should consider the use of techniques such as control risk self-assessment and/or annual testing through a more CAATS-focussed continuous testing approach making use of the data analytics module offered by TeamMate.

Management Action: To compile a ‘Data Analytics Strategy’ to formulate an approach to the effective use of data.

Priority: Medium

Responsible Officer: Neil Pitman, Head of Audit (Interim); Keith Phillips, Audit Manager

Due Date: Dec 2017

RAG Status: (G) Ongoing

Comments: A data analytics strategy is currently being drafted along with an assessment of internal acumen to deliver the strategy. The proposed strategy and approach will be presented to RAAC in December 2017.

6. Recommendation: The audit manual should be updated to clearly define the requirements of a more overtly focused top-down risk-based internal audit approach to be consistently applied across the Internal Audit function.

The approach should clarify the distinct roles of management and internal audit in the design, operation and monitoring of controls; and also make a clear distinction between control design (adequacy of control) and operation (effectiveness of control).

Management Action: Audit protocol(s) to be reviewed to embed a risk based audit approach to auditing. This will include reference to relevant directorate / corporate risk registers and the introduction of a risk assessment template to consider and appropriately align service risks to objectives assessed for review as part of the assurance engagement.

Priority: Medium

Responsible Officer: Neil Pitman, Head of Audit (Interim); Audit Team

Due Date: Aug 2017

RAG Status: (G) Complete

Comments: Risk registers are now established within the organisation and the internal audit team have access to view them to inform audit planning. A new template has been introduced as part of the audit scoping to formally assess and document risks specific to the area under review and align to service objectives to ensure relevant focus.

7. Recommendation: The Council should give consideration to devoting additional resources to enable a proactive response to fraud risk management in:

• Developing a counter-fraud culture to increase resilience to fraud;

• Preventing fraud through appropriate and robust internal controls and security measures;

• Using techniques such as data matching to validate data; and

• Publicising the Council’s anti-fraud and corruption stance and the actions it takes against fraudsters.

Management Action: Develop and maintain a ‘Fraud Risk Plan’ to complement the Internal Audit Plan in allocating resources to support proactive fraud initiatives in the prevention and detection of fraud.

Priority: Medium

Responsible Officer: Neil Pitman, Head of Audit (Interim); Nick Barrett, Principal Auditor

Due Date: Sep 2017

RAG Status: (G) Complete

Comments: A ‘Fraud Risk Plan’ has been developed and presented to the Regulation Audit & Accounts Committee (Sept 2017).

8. Recommendation: To ensure an effective, efficient, focussed and consistent approach across all Internal Audit teams; Internal Audit staff should receive refresh training in the focused top-down risk-based internal audit approach.

Management Action: To revise and implement internal audit protocols to ensure a top-down risk-based audit approach to annual planning processes and at an assignment level. Training to be provided to all internal audit staff with regard to the principles and application of revised protocols.

Priority: Medium

Responsible Officer: Neil Pitman, Head of Audit (Interim)

Due Date: Sept 2017

RAG Status: (G) Ongoing

Comments: Training is being scheduled for September to provide internal audit staff an overview of the risk based audit approach. Additionally internal protocols / templates are being updated to accommodate the risk based approach.

9. Recommendation: Given the changes happening across the Council; the format and content of assignment, progress and Regulation, Audit & Accounts Committee reports should be reviewed to ensure these identify key themes and future or potential risks. Consideration should also be given to introducing some more forward-looking updates, including key themes and current issues once the more rigorous approach to performance and risk management becomes embedded across the Council.

Management Action: To review the format and content of reports at all levels (assignment, CLT, ELT and RAAC). Utilise existing channels through the Southern Internal Audit Partnership and networking groups (CCAN, HCCIAG) to attain insight into good practice evident in other Local Authority partners.

Priority: Medium

Responsible Officer: Neil Pitman, Head of Audit (Interim)

Due Date: Sept 2017

RAG Status: (G) Complete

Comments: Report templates have been enhanced to more effectively communicate internal audit outcomes in accordance with the PSIAS (Sept 2017).

10. Recommendation: The Internal Audit function should explore opportunities to maintain and improve completion rates of customer satisfaction surveys issued via TeamMate.

Management Action: To review existing customer satisfaction surveys and the relative engagement of key stakeholders. Determine the most effective model and media of engagement moving forward.

Priority: Low

Responsible Officer: Neil Pitman, Head of Audit (Interim)

Due Date: Oct 2017

RAG Status: (G) Ongoing

Comments: Currently exploring / benchmarking alternative methods of engaging and receiving feedback from stakeholders.

Appendix 2

Overdue ‘High Priority’ Management Actions

Estates Management – March 2016

Recommendation (Strategic Direction): A clear estate / asset management strategy needs to be formally adopted to clarify the authority’s objectives in terms of the estate.

Management Action(s): The Programme Director has been assigned the preparation, development and writing of the Strategic Asset Management Plan. It is anticipated this will be complete by September 2016. The Corporate Asset Management Group has been established, chaired by the Executive Director Resident Services, to review all assets and identify service requirements, additional requirement (acquisitions) and surplus assets which can be either redeveloped via PropCo or disposed of.

Due Date: Sept 2016; Nov 2016; July 2017; April 2018

Comments: Programme Director. An Asset Strategy is being developed; timescales are for the asset strategy to be in place first quarter 2018/19.

Recommendation (Contract management): Contract management should be commensurate to the risk and value of the associated contract.

Management Action(s): All KPIs to be agreed. Rent arrears report to be provided to Exec Director Resident Services monthly and process for collection of arrears

Due Date: June 2016; Oct 2016; Dec 2016; April 2017; July 2017; Oct 2017

Comments: Director of Economy Planning & Place. Over recent months additional capacity has been brought into the Valuation and Estates Team and business plan(s) and associated KPIs are being developed. Work ongoing with Finance (as biller and collector of rents) to generate better financial management information including arrears.

Audit Summary of outcomes: A clear strategic plan for the management of the estate and improved contract monitoring arrangements that ensure or statutory obligations are met

Ethical Governance – April 2017

Recommendation: The authority needs to determine whether the current part 5 Section 9 within the constitution is acceptable and fit for purpose. If this is not deemed to be the case then a code of conduct should be considered that prescribes fully what the expectations are for maintaining integrity of employees and the processes for raising and recording any areas which may bring this into question.

Management Action(s): A review of this element of the constitution will be undertaken to ensure officers have a clear set of rules in relation to conduct.

Due Date: June 17

Comments: Director of Law, Assurance & Strategy. Actioned - Text and scope of the Code of Conduct reviewed by Director of Law, reviewed by the Standards Committee and subsequently endorsed by full Council.

Recommendation: Once in place this framework should be measured in terms of compliance and should feature as part of the monitoring framework for ELT (as per the key findings in the previous section).

Management Action(s): Action will also be taken to describe and communicate the mechanisms to ensure compliance to the code can be recorded and measured and will identify how compliance will be monitored. Alignment with related disciplinary and HR policies and guidance will be undertaken.

Due Date: June 2017; Jan 2018

Comments: Director of Transformation, Customer and Support Services. There is a review of all HR policies currently underway; this will incorporate alignment with Codes of Conduct.

Audit Summary of outcomes: Employees will have clear guidance around conduct and expectations. This will also include monitoring compliance with the code and ensuring any areas where learning or training is identified as needed are addressed.

Pensions Administration – May 2017

Recommendation (Abatement Monitoring & Recovery): The current NFI Abatement matching exercise should be reviewed and the individual cases assessed and where applicable, appropriate action should be taken in accordance with the WSCC Abatement policy including any abatement provision and recovery of any potential overpayment.

Management Action(s): To undertake a process mapping exercise to assess completeness / adequacy of controls in place. Internal Audit to assist in a ‘critical friend’ role.

Due Date: 31 Aug 2017; 30 Sep 2017

Comments: Pensions Operational Delivery Manager (Capita). A first draft of the abatements process note has been completed.

Recommendation (Abatements & Suspension Policy): An effective formal process should be implemented to identify and assess any potential pension members that would be subject to an abatement check and potential reduction of pension. This includes clarification on when action should be taken to suspend a member's pension payment for non-compliance with WSCC scheme

Management Action(s): To undertake a process mapping exercise to assess completeness / adequacy of controls in place. Internal Audit to assist in a ‘critical friend’ role.

Due Date: 31 Aug 2017; 30 Sep 2017

Comments: Pensions Operational Delivery Manager (Capita). Process mapping has been undertaken to assess the adequacy of controls in place.

Recommendation (Deceased Pensioners Verification): The NFI matching exercise identifying deceased pensioners should be completed and appropriate action taken in accordance with WSCC pension regulations. This includes effective work to confirm evidence of the deceased's date of death so any appropriate overpayment can be recovered from the deceased's estate.

Management Action(s): To undertake a process mapping exercise to assess completeness / adequacy of controls in place. Internal Audit to assist in a ‘critical friend’ role.

Due Date: 31 Aug 2017; 30 Sep 2017

Comments: Pensions Operational Delivery Manager (Capita). The pension fund investment strategist has been in contact with the General Registrar Office (GRO) regarding a bulk request. All outstanding death cases are to be reviewed and certificates obtained.

Audit Summary of outcomes: Only eligible pensioners are admitted to the pension fund with all transfers in and out checked and verified, and all payments made to pensioners are accurate.

Appendix 3

Cleared Recommendations since last report

SAP Starters & Leavers – February 2015

Recommendation (SAP User Access Reviews): The Council should implement a process to carry out periodic reviews of SAP user access to ensure that staff have the correct access permissions and staff that no longer require access to SAP are identified and their access suspended.

Management Action(s): There will be a review of SAP Financials and SAP HR solutions as part of a SAP optimisation project.

Due Date: April 2016; Aug 2016; Oct 2016; July 2017

Comments: Director of Transformation, Customer & Support Services; Director of Finance, Performance & Procurement. ACTIONED. As part of SAP Optimisation work a review of user access was undertaken and obvious anomalies (especially those related to widespread, high level access) were corrected at the time.

The SAP SRM workstream has addressed access related to the procure-to-pay processes. These have been built into a best practice SRM build which is ready to go once business processes have been adjusted to support the new approach. From an IT perspective the SRM piece is complete.

Recommendation (SAP Changes to Staff Roles): SAP access should be defined by the role covering the job a user is in. When a user changes roles they should be provided with SAP access that is specific for that role rather than being provided with additional access rights.

Management Action(s): There will be a review of SAP Financials and SAP HR solutions as part of a SAP optimisation project.

Due Date: April 2016; Aug 2016; Oct 2016; July 2017

Comments: Director of Transformation, Customer & Support Services; Director of Finance, Performance & Procurement. ACTIONED. Appropriate models for handling a shift to role based allocation of access have been developed through the SAP HCM workstream. The proposed closure of the HCM workstream means that these models may not be implemented. However, the shift to roles based authorisation is likely to form part of any future system migration, either as a result of supporting a revised HR operating model or as part of any upgrade/replacement activity associated with the ERP systems. The implementation of roles-based authorisations will be reconsidered at that point.