Agenda item

To consider the Internal Audit annual opinion and the assurance from the work undertaken during the year on the level of internal control within the systems audited.

14.1           Attention was drawn to the report of the Head of Corporate Services, circulated at Pages No. 173-181, which provided Members with a summary of the internal audit work undertaken in 2018/19, together with an opinion on the overall adequacy and effectiveness of the organisation’s control environment.  Members were asked to consider the report and the assurance that, overall, the Council’s framework of governance, risk management and control was generally effective and, where concerns had been identified, there had been a positive management response.

14.2          Members were advised that the Public Sector Internal Audit Standards (PSIAS) required the Council to produce an annual internal audit opinion and report which could be used by the organisation to inform its Annual Governance Statement.  The audit plan took a risk-based approach and was informed by governance-related work; work on fundamental financial systems; work of a service-based nature; corporate improvement work; follow-up work; and consultancy and advice. Page No. 175, Paragraph 2.2 of the report gave an overview of the audits undertaken during the year and it was noted that one audit was outstanding in relation to ICT disaster recovery which would be completed during the first half of 2019/20.  Paragraph 2.3 of the report set out the corporate improvement work that had been carried out.  A key area of assurance work that was of particular importance to management and Members was the follow-up of internal audit recommendations and a number of days were allocated within the plan for this work.  It was noted that the team was also represented on key corporate groups such as the ‘Keep Safe, Stay Healthy’ Group.

14.3           The structure of the Internal Audit team was outlined at Page No. 176, Paragraph 3.0 of the report, and Members were informed that team comprised two part-time employees and one full-time employee with one undertaking a senior role.  This resource was deemed appropriate, sufficient and was effectively deployed to achieve the plan.  As defined in the Internal Audit Charter, the team had remained organisationally independent during 2018/19 and internal audit sat independently within the Council.  The Head of Corporate Services reported directly to the Chief Executive so had free and unfettered access and, if necessary, could also have access to the Chair of the Audit and Governance Committee.  With regard to the independence of the Head of Corporate Services, it was not uncommon for the internal audit strategic lead to also have operational responsibility for service areas.  The Head of Corporate Services explained that he had a wide managerial remit including ICT, Customer Services, Human Resources and Policy and Communications.  In cases where an audit was undertaken in any of those areas, he could give assurance that all audit opinions were exercised objectively and with integrity so that the opinions issued were open, transparent and accurate.

14.4           Members were advised that an independent assessment of internal audit activity had been undertaken in November 2017, as required by PSIAS, and implementation of recommendations arising from that review had been the focus for improvement during the course of 2018/19.  The majority of these had been delivered and reported to the Committee as set out at Page No. 177, Paragraph 4.2 of the report, and the outcome of the review had been formally reported at the last Audit Committee meeting.  It was noted that a review of the Council’s risk management arrangements had been undertaken during the year which had led to the approval of a new Risk Management Strategy and implementation of a new corporate risk register which would be presented later in the meeting.  This was a positive outcome for internal audit and days had been allocated within the 2019/20 Internal Audit Plan to monitor the risks and give assurance it was being effectively managed.

14.5           The opinion on the overall adequacy of the control environment was based upon, and limited to, activities audited during the year.  A total of 36 opinions had been given, 13 of which were ‘good’, 15 ‘satisfactory’ and eight ‘limited’.  It was not unexpected to conclude a ‘limited’ or ‘unsatisfactory’ level of control given the variety and complexity of systems, procedures and services operated by the Council so it was pleasing to note that no ‘unsatisfactory’ opinions had been issued in 2018/19.  The eight limited opinions were detailed at Page No. 178, Paragraph 6.3 of the report and these would be followed-up during the year; some had already been implemented, for instance, garden waste stock control of sticker licences.  It was noted that two of the risk areas were included within the Annual Governance Statement which would be considered under the next Agenda Item.  A total of 55 recommendations had been made with five categorised as high risk, 31 as medium risk and 18 as low risk.  The team had followed-up 80 recommendations, 44 of which had been implemented, 15 partially implemented and 21 not yet implemented.  New implementation dates had been agreed for all outstanding recommendations and they would be followed-up in accordance with those dates.  Members were advised that no incidents of fraud, theft, corruption or whistleblowing had been reported during the year.

14.6           A summary of audit performance during the year was included at Page No. 180, Paragraph 8.1 of the report which showed that 93.75% of planned audits had been completed; 80% of audits had been completed within time; and client satisfaction, derived from a survey at the end of each audit, was generally positive.  In terms of the overall audit opinion for the year, given the complexities of the Council’s control environment there would always be areas identified by internal audit that required improvement; however, the internal audit opinions issued during the year demonstrated that, overall, the Council’s governance, risk management and control environment was generally sound.  Where areas of concern had been identified there had been a positive management response and all recommendations subject to follow-up by internal audit had been followed-up and reported to the Audit and Governance Committee at the appropriate time.

14.7           It was

RESOLVED          That the internal audit annual report be NOTED.