Agenda item

To consider the Internal Audit work undertaken and the assurance given on the adequacy of internal controls operating in the systems audited.

11.1           The report of the Head of Corporate Services, circulated at Pages No. 44-65, was the final monitoring report of the financial year and detailed the findings of Internal Audit for the remaining audits within the Audit Plan 2016/17.  Members were asked to consider the audit work completed and the assurance given on the adequacy of internal controls operating in the systems audited.

11.2           Members were advised that full details of the work undertaken were attached at Appendix 1 to the report and a list of audits within the 2016/17 Audit Plan, and their progress to date, could be found at Appendix 2 to the report.  With regard to the debtors audit, the Head of Corporate Services advised that this was a key financial system and income stream for the Council.  As it was an established system there was an expectation that it would be well-managed and this had been confirmed by the audit and the ‘good’ level of assurance identified.  In respect of the safeguarding audit, the Council had an up-to-date policy which had been approved by the Executive Committee in November 2016.  The policy was available to staff and Members through the intranet; however, there were some recommendations around making sure that the information was embedded in the heart of the organisation.  In terms of awareness, whilst staff were required to undertake compulsory online training, it was suggested that it should be relevant to job role, for example, auditors may not need the same level of training as someone working in housing, and this was being considered by the management team.  It was noted that the importance of safeguarding was recognised through its inclusion within the Community Portfolio and a designated safeguarding officer reported to the Lead Member on a regular basis.  Further consideration needed to be given to the level of training volunteers should receive, for instance, volunteer litter pickers who were frequently out and about in the community.  A decision had been taken in October 2016 to make safeguarding training mandatory for all licenced taxi drivers and some recommendations had been made around updating the website and application form to reflect this. 

11.3           A ‘limited’ opinion had been given in relation to the audit on information governance as it was considered that the overarching Information Governance Policy should be supported by a number of more detailed policies and codes of practice that related to particular risk areas.  At the time of the audit, 11 policies were due for review and a number required updating; this would need to be done to ensure compliance with the General Data Protection Regulations (GDPR) coming into force in May 2018 and it was noted that a dedicated officer had been appointed, and an action plan drawn up, to support that.  Furthermore, recommendations had been made around the documentation and handling of Environmental Information Regulations (EIR).  The Head of Corporate Services explained that there had been no corporate plan of action for the GDPR at the time the recommendations for the information governance audit had been agreed and they would need to be amended to reflect that plan.  In response to a query, confirmation was provided that any audits with a limited or unsatisfactory opinion would be brought back to the Committee.  A ‘limited’ opinion had also been issued in respect of business continuity.  It was noted that five of the 15 service specific business continuity plans were yet to be fully completed or updated to the most recent template.  The Corporate Business Continuity Plan was also out of date and this had been identified in the Annual Governance Statement 2016/17 which was due to be considered later on the Agenda.  Good progress had been made since the audit - all services now had a plan in place and the Head of Corporate Services was currently in the process of drafting the Corporate Business Continuity Plan which would be tested through a desktop exercise and would then be brought to a future meeting of the Audit Committee. 

11.4           In terms of the client monitoring for Tewkesbury Leisure Centre, the Internal Audit team had observed that the positive relationship between Tewkesbury Borough Council and Places for People helped considerably in resolving any issues.  The Leisure Centre had only been in operation for a year so a lot of information was based on comparisons with baseline data; going forward arrangements would need to be put in place to receive surplus/deficit data on a yearly basis in order to maintain oversight of the potential additional shared surplus sums due from the end of year three of the contract.  A review of the insurance arrangements in place showed that, whilst the insurance was adequate, the policy did have conditions attached in relation to fire extinguishing appliances and security and, therefore, consideration needed to be given as to how compliance could be demonstrated.  The Places for People service delivery proposals within the contract provided for the implementation of a strategic partnership board and the Executive Committee had approved the establishment of this board in November 2016.  Recommendations had been made to enhance the standards in respect of catering and the environment which had previously been reported on an exception basis but should be a standard item.  Several days had been set aside within the Audit Plan 2017/18 for the performance team to help to set up the template.  A Member felt it was important that the relationship between the Council and Places for People did not become too comfortable and that a proper monitoring and reporting system was maintained.  The Head of Finance and Asset Management provided assurance that it was a working relationship and there was sufficient challenge when there needed to be.  In terms of the recommendations to enhance the reporting framework, there was already a significant amount of reporting; all recommendations had been agreed with Places for People and were included in the quarterly monitoring reports received by the Leisure Centre Strategic Partnership Board which was attended by the Lead Members for Health and Wellbeing and Finance and Asset Management.  Consideration was currently being given as to which Committee would be most appropriate to receive an annual report on the contract.  The Member welcomed this proposal as it was in the interest of accountability for a report to be considered in the public arena.

11.5           It was noted that there was a ‘good’ level of assurance in relation to treasury management with investments placed in accordance with the Council’s Treasury Management Strategy and the investment register reconciled to the main accounting system on a monthly basis, as such, there were no recommendations arising from this audit.

11.6           Appendix 3 to the report set out the audit recommendations due to be followed-up and confirmation was provided that all had been done, although they were at various stages of implementation and this was reflected by their RAG (Red, Amber, Green) status.  Where the recommendations had not been implemented, revised dates had been agreed.  A Member noted that the revised dates had been agreed by Officers, rather than the Committee, and whilst he accepted that there may be plausible reasons for targets not being met, he felt that more effort should be made to achieve those initial deadlines.  The Head of Corporate Services agreed that it was important to manage the process and indicated that he was trying to raise the profile of outstanding audit recommendations through the management team.  Clearly implementation of the recommendations was dependent on workload; however, he suggested that, if the responsible officer was unable to achieve a revised implementation date agreed by officers, it might be reasonable to require them to appear before the Audit Committee.  The Member expressed concern that it could be nine months before Members had the opportunity to question what was happening which was a significant slippage.  The Deputy Chief Executive reiterated the importance of taking corporate ownership of audit recommendations and he felt the management team had a role to play in terms of ensuring that officers were aware of what the Committee wanted and adhered to the deadlines. If it appeared that a target would not be met, he felt a better approach might be for the Internal Audit team to put a plan together for getting the work completed, and to set a timescale for the responsible officers to appear before the Committee if the work had not been done.

11.7           A brief debate ensued in respect of safeguarding which had been flagged as an important issue for some time and several Members raised concern that the link to the online safeguarding training had not worked meaning many had been unable to complete it.  The Head of Corporate Services provided assurance that there were recommendations around raising awareness for volunteers and Members and implementation dates had been agreed with the safeguarding officer.  When the audit was reviewed, any outstanding recommendations would appear in Appendix 3 to the report.  A Member went on to draw attention to the different opinions issued for the audits, and their definitions, set out at Page No. 55 of the report.  He expressed the view that the Council should be working to ensure that all audit opinions were ‘good’ as opposed to just ‘satisfactory’, particularly for such important issues as safeguarding.  Another Member felt that the Committee should ask for this to be made a priority because of what had happened in other public bodies across the country.  The Head of Corporate Services clarified that, once the audit recommendations had been implemented, the audit opinion would be ‘good’ rather than ‘satisfactory’.  A Member asked for Officers to put a plan in place for this to be done as soon as possible and the Deputy Chief Executive undertook to discuss with the management team what needed to be done and bring something back to the Committee to show how this would be achieved. The Head of Corporate Services pointed out that the Audit Committee Agenda for the meeting on 13 December included a report on compliance with safeguarding activities which would give Officers time to address the issues identified.  He provided assurance that the audit process was constantly being reviewed and consideration was being given to introducing another level of audit opinion which would sit above ‘good’ e.g. ‘very good’.

11.8           Having considered the information provided, it was

RESOLVED                                  That the Internal Audit Plan Monitoring Report be NOTED.