Agenda item
INTERNAL AUDIT - UPDATE REPORT
Minutes:
The Head of Audit and Assurance presented the report. He outlined the following points:
· Of the 34 audits planned, 10 had been reported, 8 were work in progress so at the six-month stage approximately 48% of the Audit Plan 2022/23 had been ‘completed’;
· In terms of Audit Reports with a ‘Limited Assurance’ rating. There were two 2022/23 reports and an additional three reports related to 2021/22 planned work which was completed in this financial year (2022/23).
· S106 – Use of Funding
S106 funding is still significant - there was unallocated funds of around £12M;
There was a reliance on Agresso and other service records to monitor use of funding rather than using the Exacom system, this was a big concern;
· Community Equipment Store (Radstock)
This ‘due diligence’ audit was required based on the transfer of the service from Sirona to the Council. Weaknesses included - failure to control access and movement of stock, failure to adopt stock levels (minimum and reorder quantities). Management agreed to recommendations and a scanning stock control system was being introduced.
· Health and Safety Wellbeing (HSWB) – failure to maintain risk registers to record HSWB risks, lack of clarity around roles of those attending the HSWB Steering Committee meetings, lack of high level HSWB risk monitoring for service areas to enable the Committee to focus their attention on areas of potential weakness. Recommendations were accepted.
· IT capacity & availability – review of management practices to ensure ICT systems and services were sufficient to fulfil user needs. There were two high weakness areas – IT focussed on server operations rather than wider network infrastructure, firewalls, power supply; and, no formal process to identify / review implications of changes in business need;
· Cyber Incident Response – a review of the 2018 Council incident response plan against best practice (National Cyber Security Centre guidance). Accepted that the incident response plan not adequate. Funding has been approved and a consultant is reviewing the incident plan and will report and liaise with the Cyber Security Operational Group (which reports to the IT Steering Group).
· In addition to the planned work the team had carried out other work (some unplanned) which included:
1) grant certification - 24 reviews complete;
2) work related to the National Fraud Initiative which involves co-ordinating the data collection and uploading to enable data matching by the Cabinet Office;
3) anti-fraud awareness work including preparation of training videos available through the Councils intranet on the subjects including – Bank Mandate fraud, procurement fraud and social care fraud;
4) Review of income collection procedures and practices in the Council’s One-Stop Shops following a reported loss of £1000;
5) 8 follow up reviews as recorded in Appendix 2. These were RAG rated and 2 were assessed as amber as the agreed actions had revised implementation dates. The remainder were green based on recommendations being fully implemented.
· Based on the 6 month position it is anticipated that 3 planned audits – Revenue Estate Asset Utilisation, GLL Contract Management and an Income Audit would not be carried out as planned in 2022/23. It was highlighted that there had been issues with recruitment and retention of staff and 2 of the 3 Audit Manager posts were currently vacant. This was a factor in reducing the planned audit reviews from 34 to 31.
During questions the following points were made;
· The One-Stop Shop was a financial irregularity. The loss related to the insufficiently controlled movement of cash from the cash kiosk to the point of banking;
· Section 106 related to the Exacom system not being used properly – members were concerned capital had not been spent and there was a need for this to be monitored properly. The Section 151 Officer reported that it was an important audit that was now on management radar. A follow-up of this audit was programmed and could be reported back to the Committee;
· As regards recruitment there would be a re-structure of the whole audit team. The current issue is at the Audit Manager level not across the whole of the team covering B&NES Council and other clients such as North Somerset and WECA;
· Cycle schemes – in terms of this audit review the Head of Audit and Assurance stated that the work had been limited to a financial grant certification review of two grant funded cycle projects. The initial request from the Director had indicated a need to review compliance with technical guidance but this was not carried out as part of the work completed;
· Street works – this considered the ‘licensing’ process and the income generated. The indication was that income received did not match expenditure such as cost of highways inspection.
· IT Cyber Incident Plan - Audit response - recommendations to be monitored by the Cyber Security Operational Group and the consultant reviewing the cyber incident plan was liaising with IT and Information Governance.
On a motion from Councillor Andy Furse, seconded by Councillor Lucy Hodge it was
RESOLVED to note the progress in delivery of the 2022/23 Annual Audit Assurance Plan and approves the proposed amendment to the Audit Plan 2022/23.
Supporting documents: