Agenda item

(To receive a report from Lucy Pledge, Audit and Risk Manager, which provides the Committee with details of the audit work during the period 1 September to 31 December 2017 and advises on progress with the 2017/18 plan)

Consideration was given to a report which provided details of the audit work undertaken during the period 1 September and 31 December 2017, as well as advising on the progress with the 2017/18 audit plan.

Members were advised that 20 final audit reports had been issued, with 16 being given high or substantial assurance.  Three audits were issued with limited assurance and the full executive summaries were available in Appendix 2 of the report.  It was reported that representatives from the service areas would be in attendance to give members updates on what actions had been taken to address the concerns highlighted in the audits.

It was also noted that one consultancy assignment had been completed, and a further 9 audits had been completed to draft stage. 

Officers reported that performance against targets was showing significant improvements.  It was also noted that there had been some changes to the Plan since its approval at the start of the year, with some audits being added, and others being moved back.

Members were provided with the opportunity to ask questions to the officers present in relation to the information contained within the report and some of the points raised during discussion included the following:

·         In Appendix 3 to the report, outstanding actions as of 30^th November 2017, were listed, and it was noted that some dated back to March 2015 and it was queried why they had not been completed.  Members were advised that these recommendations related to the integration of IT systems, however, they were still being followed up with the Information Governance team.

·         In relation to the Agresso upgrade, it was noted that this would not be going live until March 2018, and it was queried why this had been delayed an extra month.  Members were advised that the final testing phase had revealed one or two problems, but nothing major, but they required intervention from the supplier.  It was noted that user acceptance testing needed to be completed, as well as penetration testing, where external people would try and get into the system.  It was envisaged that the upgrade would be live four weeks from the date of this meeting.

·         It was noted that the audit on Cyber Security had not started and it was queried what the reason for this was.  Officers advised that this audit had been postponed due to staffing changes with the Chief Digital Officer role.  Whilst there was someone acting up in this role audit would continue to work with them until they were in a position for an audit to be carried out.  It was confirmed that the main issue in delaying this audit was the change of personnel.

·         The significance of these areas was recognised, but it was also recognised that the interim Chief Digital Officer needed time to get to know the systems.  The IMT assurance map was due to come to the Committee in March 2018.  It was also acknowledged that cyber security was still recognised as a strategic risk.

·         It was requested whether the Committee could see a copy of the Cap Gemini report, and it was noted that it was a very technical report.

·         In relation to the Agresso upgrade, it was queried whether the testing had been done with live data sets, and it was noted that three payroll runs had been carried out.

·         In terms of the outstanding recommendations, it was queried how significant it was that they were still outstanding.  It was noted that there would be more impact on the control and risk environment if the assurance given was limited and the recommendations were high priority.

·         It was queried whether a comment could be included with the list of outstanding recommendations so the Committee could understand the impact of these recommendations being outstanding.  It was noted that alongside the recommendations was an agreed action plan and the implementation of the recommendations would be tracked, why some had not been implemented would also be looked at.

·         The time frame for implementation of recommendations needed to be agreed with management, but, this was generally about three months for high priority recommendations.  It was requested whether the manager could be asked to come to the Committee if recommendations had not been implemented six months after the audit, and it was agreed that this would be added into the work plan.

·         It was noted that the majority of the outstanding recommendations were related to payroll functions and members were advised that this was on officers' radars.

·         It was commented that at the time that reports were completed, managers accepted that the recommendations were high priority, and so it was clear that timescales needed to be realistic.  If the recommendations could not be implemented in three months there was a need to set a realistic timescale.

Officers were in attendance to update members on actions taken in relation to the audits carried out for the Wellbeing Service, Adult Social Care Client Contributions and Housing Related Support which were all issued with limited assurance.

In relation to the Housing Support and Wellbeing Service, the following was reported to the Committee:

·         All contracts were transferred to the Commercial Team in October 2016 and it was identified very quickly that there were some key risks and so assistance was sought from the Audit Team.

·         At the point when the audit was being undertaken, many things had started to be addressed by the Team.  Existing contract arrangements were due to come to an end, and these contracts were not always meeting what people required.

·         It was an opportunity to demonstrate what governance was put in place, and the audit was able to see that lessons had been learnt.

·         All procurement was reviewed in line with the new framework.

·         All areas of concerns had been addressed, and through management feedback, the team was keen for Audit to come back to see where processes had been improved.

·         Following the transfer of the procurement and contracting, it was noted that from a commissioner perspective, there was reassurance on how contracts would now be delivered.  Previously the approach had been very provider led, but was now commissioner led, which was very positive.

In relation to the Client Contributions Policy, the following was reported to the Committee:

·         There had been issues around the time lines of assessments.  The target was for 75% of assessments to be conducted within 14 days.

·         Performance had started to improve, particularly in relation to system issues and timeliness.  75% were now completed within the required timeframe.

·         However, there were still concerns about the other 25%, and steps were being taken to make sure that the impacts were mitigated.

·         Issues were being dealt with on a case by case basis.

·         It was noted that what other authorities did had been looked at, and it was found that all were doing something slightly different in terms of deadlines.  It was up to the authority to look at what was realistic in terms of timelines.

·         Serco were supportive of the help being provided by the Council.

·         There would be a need to look openly at the policy and the KPI's.

RESOLVED

1.    That the outcomes of Internal Audit's work be noted.

2.    That relevant managers be asked to attend a meeting of the Audit Committee if recommendations of audits were not implemented within six months.