To consider the Internal Audit work undertaken and the assurance given on the adequacy of internal controls operating in the systems audited.  

38.1          The report of the Head of Corporate Services, circulated at Pages No. 53-77, summarised the work undertaken by the Internal Audit Team since the last Committee.  Members were asked to consider the audit work completed and the assurance given on the adequacy of internal controls operating in the systems audited.

38.2          The Head of Corporate Services advised that the full details of the audits undertaken were attached at Appendix 1 to the report.  A list of audit recommendations that were due to be followed-up could be found at Appendix 2 to the report; of the 20 recommendations, 12 had been implemented, five partially implemented and three were yet to be implemented.

38.3          Members were advised that an audit of procurement cards had been requested by the Head of Finance and Asset Management to give assurance that the framework was working as it should be. During 2018/19, a total of £86,485 had been spent using procurement cards across all services within the Council; there were around 40 Officers with procurement cards which were used for low-level online purchases etc. so there was potential for abuse without careful monitoring.  The audit had found a satisfactory level of control with all card expenditure published on the Council’s website in accordance with the Local Government Transparency Code 2015.  Each cardholder had verified receipt of their cards and signed a declaration to agree to adhere to the guidelines for use and audit testing had concluded that purchases made using procurement cards were genuine with costs incurred in the course of official Council business.  All expenditure was made within the cardholder’s authorised spending limit and all statements had been appropriately authorised with the exception of one which had been authorised by the cardholder.  Procurement card statements were received on a monthly basis and adequate supporting documentation was provided in the majority of cases, although sometimes the appropriate invoice was not received which meant that VAT could not be reclaimed.  The Finance Team had already taken steps to address this issue and corporate business accounts had been set-up with a number of suppliers to ensure that VAT could be reclaimed on all future purchases.  The main recommendation arising from the audit was in relation to a reminder being sent to cardholders alerting them of their responsibility to retain invoices.  A Member questioned whether there was a set limit on the cards and was advised that the average was around £1,000.

38.4           Members were advised that an additional £55m funding had been allocated to local authorities in England for the provision of Disabled Facilities Grants (DFGs) or social care projects, of which £141,363 was allocated to Tewkesbury Borough Council to be spent by the end of the current financial year.  The grant required the Chief Audit Executive to confirm by December 2019 that monies had been spent in accordance with the conditions of the grant and an audit had subsequently been carried out to provide that assurance.  The audit confirmed that money had been spent on the insulation of 15 park homes which met condition 2 of the additional grant funding criteria allowing monies to be allocated to a social care project.  The expenditure had totalled £101,344 but verbal assurance had been given by the Environmental Health Manager that the remaining balance would be spent before the end of the financial year and a future follow-up audit would confirm that was the case.  In terms of internal controls, the Council had an obligation to ensure that monies had been allocated to eligible residents and that works were completed to a satisfactory standard to properties within the borough.  It was noted that the Severn Wye Energy Agency facilitated the park homes scheme and there was an expectation it would be monitored to ensure it met these conditions; whilst, such checks were not necessarily in place, information about how the money had been spent was passed on and there was an expectation that the service area would do checks around customer satisfaction.  As such, it was recommended that a formal process be established and documented in relation to the type of checks that should be carried out by the Council in relation to additional DFG funding.  A Member recalled that not all of the DFG money had been spent during the previous year and the Head of Finance and Asset Management confirmed that the total funding allocation was in the region of £1.1m, of which around £400,000 had been spent - this was in line with the usual spend for the last 10-15 years and was the original level of the government grant.  He explained that the government grant went to Gloucestershire County Council and the balance could be used for social service needs on capital projects so no money was lost.  The Member understood that part of the reason for the underspend was the prescriptive nature of the grant criteria, for instance, the need for referral by an Occupational Therapist, and he questioned whether the core criteria could be changed for important projects.  The Head of Finance and Asset Management confirmed that had been the case to an extent as the money could be spent on related capital expenditure across the county.  He provided reassurance that the money was not going back to central government and was being spent locally at district or county level.  A Member expressed the view that, if the criteria was less prescriptive, the money could be helping more disabled people in the borough and the Head of Finance and Asset Management undertook to discuss the criteria with the relevant Officers following the meeting.

38.5           The Head of Corporate Services advised that an audit of debtors had been completed as part of the 2019/20 Internal Audit Plan and looked at how well debt was managed within the Finance Team and how it was dealt with when passed to service areas.  There were service-specific areas where improvements could be made, particularly in relation to the timely raising of invoices and appropriate documentation to support the integrity of the invoice, especially with regard to grounds maintenance where there were no supporting documents to verify the amount raised and a charging schedule had not been available at the time of the audit.  There was also a need to ensure that outstanding debt was allocated to the right Officer when this was monitored within service areas.  The main recommendation arsing from the audit was that a corporate collection procedure should be developed to cover standardised recovery procedures for issuing chasing letters and the number of contacts attempted; a requirement for services to retain ample supporting evidence to confirm that the invoice information was adequate and the retention period for that information e.g. six years plus the current year or until the debt had been paid in full; and for responsibility and procedures of managers in relation to debt monitoring, including identification of debts incorrectly allocated and the procedure for handling those instances.

38.6           Attention was drawn to Pages No. 63 and 64 of the report which contained a plethora of information in relation to the General Data Protection Regulation (GDPR) audit which had been undertaken on behalf of the Data Protection Officer to give assurance on the arrangements in place.  The Head of Corporate Services explained that the Council had come a long way since the introduction of GDPR but it was now time to take stock, review and develop a new action plan for implementation, for instance, data processing activities should be reviewed to ensure all activities were being captured – prior to GDPR, each service had undertaken a data audit and, whilst the range of activities covered was immense, some areas had not been captured at that time e.g. homelessness, animal boarding licences.  A recommendation from the project management audit was that all key projects should be supported with a privacy impact statement and that would be in place for all new projects going forward.  In terms of data sharing, there were currently seven data sharing agreements in place which needed to be reviewed to ensure there was full coverage of all sharing in the Council.  The asset owners were originally the Operational Managers but there were other Officers who dealt with data management, such as the Community Infrastructure Levy Manager and Garden Towns Director, so this needed to be widened.  There was a Single Point of Contact for GDPR which had been helpful in ensuring the Council was broadly compliant; however, that post had been vacant for the past few months and responsibility for the role would now be undertaken by the Internal Audit Team by increasing the hours of one Officer to allow time to take forward recommendations.   Members were informed that a limited audit opinion had been issued in respect of data retention; a lot of work had gone into producing a corporate retention schedule setting out the retention period for each activity and that needed to be challenged to ensure all services were adhering to it operationally and only keeping data for as long as necessary.  The limited opinion was due to there being no reasonable assurance that arrangements were in place, especially in terms of main processing systems, such as Uniform, and shared data drives.  This would form part of the work of the new Single Point of Contact.  A Member queried how many complaints were received in relation to GDPR and pointed out that, personally, he had not received any.  The Borough Solicitor explained that it was right and proper that the Council took care with personal data and the consequences of getting this wrong were significant.  Whilst the current arrangements were satisfactory, there was always room for improvement and all Officers needed to take responsibility for ensuring data was not collected unnecessarily or retained for any longer than absolutely necessary.  She did not have exact figures to hand but Members would be surprised by the amount of queries and searches from people wanting to know what personal data the Council held about them.  The Head of Corporate Services pointed out that a data breach would have significant consequences for the authority, both reputationally and financially.  A Member recognised the importance of the issue and noted that the implementation date was April 2021 so she queried whether this was due to the amount of work involved.  The Head of Corporate Services confirmed there was a lot of work to do with individual services; work had already commenced and would continue until April 2021.

38.7           Members were reminded that days were allocated in the Internal Audit Plan for corporate improvement work and Page No. 65 detailed work that had been undertaken in relation to the procurement of a new digital platform and a planning files project.  Appendix 2 to the report detailed the recommendations that had been followed-up using a RAG status (red, amber, green).  In terms of the three actions yet to be implemented, Members were advised that the recommendation in relation to Community Infrastructure Levy governance across the three charging authorities was well-known and the target date had been changed to September 2020; the recommendation around financials e-ordering related to bank account details being redacted and deleted and a revised implementation date of February 2020 had been agreed; and, the recommendation around pre-employment checks, which had been identified through the Serious and Organised Crime Framework audit, had a new implementation date of March 2020 and the new HR Manager had been tasked with giving this priority - currently, pre-employment checks were standardised across all jobs.  In response to a query regarding the CIL audit, confirmation was provided that it covered monitoring, the identification of triggers, raising of invoices and collection of monies.  A Member questioned whether there were any implications of this being delayed and the Borough Solicitor explained that CIL was shared between the three charging authorities, it had to be an agreed spend in a particular area and must be used for particular projects.  She clarified that CIL monies had started to be collected and this recommendation was about the identification of projects which would be recipients of CIL.

38.8           Having considered the information provided, it was

RESOLVED          That the Internal Audit Monitoring Report be NOTED.