Agenda item

To consider the Internal Audit Annual Report 2019/20 and the assurance from the work undertaken during the year on the level of internal control within the systems audited during the year.

29.1          The report of the Chief Audit Executive (Head of Corporate Services), circulated at Pages No. 62-68, provided the Committee with a summary of internal audit work undertaken in 2019/20 to support the internal audit opinion. Members were asked to consider the internal audit opinion and the assurance from work undertaken during the year that, overall, the Council’s governance, risk management and control environment was generally effective. Where areas of concern had been identified, there had been a positive management response to recommendations made and the opinion would inform the Council’s Annual Governance Statement.

29.2          In introducing the report, the Head of Corporate Services explained that Paragraph 2.0 summarised the 2019/20 audit work. The audit plan was informed by a number of activities, namely governance related work, corporate risks, financial related systems, service related work, corporate improvement days, follow up work of previous recommendations and general consultancy and advice. That approach resulted in a comprehensive range of audits that were undertaken during the course of the year to support the overall opinion on the control environment. In compliance with the Public Sector Internal Audit Standards, monitoring reports of internal audit activity were presented at each Audit and Governance Committee. Audit work undertaken in the year consisted of: emergency planning; debtors (finance recovery); fraud and corruption; serious and organised crime framework – licensing; procurement cards; disabled facility grants; website project (corporate improvement); health and safety risk assessment (corporate improvement); General Data Protection Regulation; risk management; discretionary housing payments; complaints; debtors (service related debt); digital platform (corporate improvement); and planning scanning project (corporate improvement). There was one audit outstanding which related to a corporate risk around the effectiveness of the growth hub. Work had commenced on the audit in the latter part of 2019/20 but remained outstanding at the time of writing the report as a result of the internal audit team being deployed to the Council’s response to the COVID-19 pandemic.

29.3          Members were advised that a key area of assurance work, and one that was of particular importance to management and Members, was the follow up of internal audit recommendations. Days were allocated within the plan for the work and the status of recommendations followed up during each quarter were reported to Committee; apart from a handful of recommendations, all that were due to be followed up during the year had been followed up and reported on. The outstanding recommendations were those assigned to the Head of Community Services and had been due to be followed up in the final quarter of 2019/20, however, due to the Council’s emergency response to severe flooding it had been agreed to follow those up at a later stage. The internal audit team was also represented on key corporate groups such as the Corporate Governance Group, the Keep Healthy – Stay Safe Group, the Project Programme Board, the Information Board, the Community Infrastructure Levy Working Group and the Pool Car Project. This approach provided the team with the opportunity to offer advice on key governance frameworks, individual projects and to keep abreast of emerging issues. The team was also contacted on a regular basis to provide ad-hoc advice on a range of activities, for example, compliance with Contract Procedure Rules, general policy issues and proposed changes to systems and processes.

29.4          Paragraph 3.0 set out the team structure, provided assurance of its independence, and how that was maintained, and confirmed that it was adequately resourced. Paragraph 4.0 confirmed that all audit work undertaken during 2019/20 was in accordance with the Quality Assurance and Improvement Programme which had been reported to the Audit and Governance Committee on 24 July 2019. An update on the Programme, and associated action plan, would be provided to the Committee in March 2021. Paragraph 5.0 advised that there were days allocated within the 2019/20 internal audit plan to review the integrity of the corporate risk register which would include the testing of mitigating controls to ensure they were actually deployed and that actions to reduce the risk further were progressing. Paragraph 6.2 set out that internal audit could provide a ‘split’ opinion meaning individual opinions could be provided for different parts of a system being audited - that approach enabled internal audit to identify to management the specific areas of control that were operating/not operating as intended. From the activities audited during the year, the majority of opinions were positive; however, there was one limited opinion and one unsatisfactory opinion issued during the year: General Data Protection Regulation (GDPR) – limited opinion – operational compliance with retention periods – updated GDPR action plan had been developed; and Discretionary Housing Payments – unsatisfactory opinion – payments not being paid in accordance with policy – progress reported to Committee on 23 September 2020 – all recommendations would be followed up by internal audit when capacity allowed. Overall, the number of recommendations made during the year were not significant, with only three categorised as ‘high’. In terms of follow up work, the majority of recommendations that were due to be followed up had been. Over 60 recommendations had been followed up during the year and 86% were either implemented or partially implemented. Paragraph 7.0 set out that the team continued to have an excellent working relationship with the Counter Fraud Unit and met on a regular basis, together with the Head of Finance and Asset Management, and during 2019/20, governance related policies, such as the Whistleblowing Policy and the Fraud and Corruption Policy had been reviewed, updated and supported by staff training. In conclusion, overall, based on the work undertaken, the Council’s controls were sound and, where identified for review, there had been a positive management response.

29.5          Looking forward, the Head of Corporate Services explained that the Council’s response to COVID-19 had significantly impacted on the internal audit team and all internal audit work during 2020/21 had been suspended as the team had been deployed to support the administration of business grants. A six-monthly audit plan for October 2020 to March 2021 had been approved at the last Committee meeting albeit with a reduced staff resource. The lack of internal audit activity to date, and the uncertainty moving forward, would make it difficult to give a meaningful audit opinion for 2020/21. As that opinion informed the Annual Governance Statement, management may need to consider other alternative sources of assurance when producing the statement next year.

29.6          During the discussion which ensued, a Member drew attention to the statement that all recommendations would be followed up ‘when capacity allowed’ and questioned whether the Head of Corporate Services had any idea when that would be. In response, he was advised that the team would be involved in the grant work for the COVID-19 pandemic response, but it depended whether the team was required for work on the scheme in the longer term. If one of the team was able to be released they would be able to pick up the internal audit plan and start looking at the recommendations but it was difficult to put a timescale on when that would happen. The Head of Finance and Asset Management confirmed that the new business grant schemes coming out from the government would be very resource intensive over the next few weeks.

29.7          Accordingly, it was

                 RESOLVED           That the internal audit annual report 2019/20 be NOTED.