Agenda item

(To receive a report from Lucy Pledge, Audit and Risk Manager, which gives the Head of Internal Audit opinion on the adequacy of the Council's Governance, Risk and Control environment and delivery of the Internal Audit Plan for 2016/17)

Consideration was given to a report which provided the Committee with the Head of Internal Audit opinion on the adequacy of the Council's Governance, Risk and Control environment and delivery of the Internal Audit Plan 2016/17.

Members were advised that the purpose of the Annual Internal Audit Report was to meet the Head of Internal Audit annual reporting requirements as set out in the Public Sector Internal Audit Standards (PSIAS) and the Accounts and Audit Regulations 2015.  In particular to include an opinion on the overall adequacy of and effectiveness of the Council's governance, risk and control framework and therefore the extent to which the Council could rely on it; inform how the plan was discharged and the overall outcomes of the work undertaken which supports that opinion; provides a statement on conformance with the PSIAS and the results of the Internal Audit Quality Assurance and Improvement Programme (QAIP); and draws attention to any issues particularly relevant to the Annual Governance Statement.

It was reported that the Head of Internal Audit Opinion was spilt into four areas – governance, risk, internal control and financial control.  It was noted that financial control had moved from red to amber as there had been some improvements within budget management.  It was reported that during the year the Council's risk management arrangements had been independently reviewed by Kerberos Risk and the report concluded that risk management was embedded and integrated within the Council.  It was highlighted that the review found many examples of very good risk management practice.

It was reported that some of the days which had been lost from the audit plan were due to the restructure in 2015, however, recruitment had since taken place and all staff were now embedded in their roles. 

Members were guided through the Annual Report and provided with the opportunity to ask questions to the officers present in relation to the information contained within the report and some of the points raised during discussion included the following:

·         It was queried whether there was any indication of what the Head of Internal Audit Opinion would be for the 2017/18 report.  However, members were advised that the information was not available for an opinion to be given, and a judgement could not be made until all evidence had been received.  But it was noted that there were still some problems in some areas.  Progress had been seen in all areas but was not enough in IMT and payroll to move the opinion.

·         It was queried how the Council could get from where it was to where it wanted to be, but it was reported that there were still many risks facing the Council around the delivery of IMT and the financial control environment.  A meeting with the Audit and Risk Manager, Executive Director for Finance and Public Protection, and the Chairman and Vice-Chairman of the Audit Committee would be taking place in the coming weeks and the Chairman advised that she would circulate a briefing note to the Committee after this meeting.

·         It was noted that the opinion for governance and internal control was likely to remain green/amber given the operating environment.

·         It was queried what would be necessary get to green on all aspects of the opinion, and it was stated that it would be very difficult to put a cash value on it, it was about having assurance intelligence and stability as well as being about resources, staff and processes to implement an effective control environment.  Risk and cost of control needed to be considered and there was no absolute formula.  The level of risk the Council was prepared to accept also needed to be taken into account.

·         A concern was raised regarding the split between the internal audit work and work that was carried out for management as consultancy and whether the work which was carried out for management should be scaled back in light of the reduction of days in the plan. It was queried whether the Committee should be concerned about the reduction in days of 1330 to 966 days in the audit plan, and whether this had been agreed by the Committee.  Members were advised that the consultancy work was not working outside of the role of internal audit, the work involved independent and proactive advice on governance risk and control for new systems, emerging risk, the only difference was that for consultancy work an assurance opinion would not be given.  The role of internal audit in these situations was to look at things in the early or developmental stages.  It was made clear to management that recommendations and agreed action would be given but auditors would not give an audit opinion.  This work was about adding value, insight and strengthening the control environment.  There were controls in place to ensure that this work remained independent.

·         Internal audit was seen as a challenge to management in the early stages of development of processes and policies, and managers would rather have issues picked up as the system was being developed instead of when it was operational.  It was the responsibility of management to determine, agree and implement the recommendations and controls.

·         If there were any areas of the Council where internal audit felt their access was being restricted this would be raised with the Chairman of the Audit Committee and the Executive Director Finance and Public Protection.

·         Members thanked the Audit and Risk Manager for her professional approach and being proactive in process design.

·         It was queried what steps were being taken now to ensure that management made time for the audits.  Members were informed that the Audit and Risk Manager had met with the Executive Director and was working with senior management on this.  Principal Auditors were starting to engage earlier with the senior managers so they knew what would be expected during the process.

·         There was confidence that when the Committee saw this report the following year there would be an improvement as principal auditors would escalate issues much quicker.  Work already taken around senior management engagement had been very positive.

·         In relation to the £1.6m of duplicate payments identified during data analytics work, it was noted that a lot of these payments had been made in the first 6 months of the year and the controls which had been put in place to detect the duplicate payments were now working. 

·         It was queried what proportion of the duplicate payments had been due to deliberate fraud and what proportion were error.  It was acknowledged that this had not yet been identified but the Counter Fraud team would be doing more work on this.  However, the majority were thought to be through error.  Members were advised that many of the duplicate payments had arisen due to urgent payments being made to suppliers and then the original invoice being paid again. The vast majority of these duplicate payments were being offset against future payments to suppliers' accounts to recover these funds. 

RESOLVED

            That the content of the Internal Audit Annual Report be noted.