ANNEXE A
INTERNAL AUDIT
ANNUAL REPORT & OPINION
2020/2021
1. Internal Control and the Role of Internal Audit
1.1 All local authorities must make proper provision for internal audit in line with the 1972 Local Government Act (S151) and the Accounts and Audit Regulations 2015. The full role and scope of the Council’s Internal Audit Service is set out within our Internal Audit Charter.
1.2 It is a management responsibility to establish and maintain internal control systems and to ensure that resources are properly applied, risks appropriately managed and outcomes achieved.
1.3 Annually, the Chief Internal Auditor is required to provide an overall opinion on the Council’s internal control environment, risk management arrangements and governance framework to support the Annual Governance Statement.
2. Delivery of the Internal Audit Plan
2.1 The Council’s Internal Audit Strategy and Plan is updated each year based on a combination of management’s assessment of risk (including that set out within the departmental and strategic risk registers) and our own risk assessment of the Council’s major systems and other auditable areas. The process of producing the plan involves extensive consultation with a range of stakeholders to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered.
2.2 The impact of Covid 19 has made 2020/21 a unique year for Internal Audit, as was the case for the services we have audited. This has meant that we have had to adapt our working practices, reschedule audits and make a much great number of amendments to the year’s audit plan than would normally be the case.
2.3 The significant changes to our workplan meant that it was necessary to produce a revised audit plan part way through the year. This was agreed by Audit Committee in November 2020 and replaced the Internal Audit Plan that had been approved in May 2020.
2.4 In addition, Orbis Internal Audit redeployed some of its resources during the year to support the Covid 19 response and recovery workstreams across the Council. This work has been detailed in our quarterly update reports but is also summarised below.
2.5 During 2020/21, we have seen a substantial increase in the number of government grants that need to be certified by Internal Audit, all of which are specific to supporting the County Council through the pandemic. In addition, significant resources have been directed to providing advice and support on system changes (to support remote working) and data analytics to identify any issues arising from new ways of working.
2.6 Notwithstanding the above, we have still been able to deliver sufficient audit and assurance activity within the year to enable us to form an overall annual audit opinion for the Council in the normal away. This includes delivery of the revised programme of audits and investigating any allegations of fraud and other irregularities.
2.7 All adjustments to the audit plan were agreed with the relevant departments and reported throughout the year to Audit Committee as part of our periodic internal audit progress reports. It should be noted that whilst there were some audit reports still in draft at the year-end, the outcomes from this work have been taken into account in forming our annual opinion. Full details of these audits will be reported to Audit Committee once each of the reports have been finalised with management.
3. Audit Opinion
3.1 No assurance can ever be absolute; however, based on the internal audit work completed, the Chief Internal Auditor can provide reasonable[1]assurance that the Councilhas in place an adequate and effective framework of governance, risk management and internal control for the period 1 April 2020 to 31 March 2021.
3.2 Further information on the basis of this opinion is provided below. Overall, whilst the majority of audit opinions issued in the year were generally positive, internal audit activities have identified some areas where the operation of internal controls has not been fully effective, as reflected by one minimal assurance opinion and the small number of partial assurance opinions issued in the year.
3.3 Where improvements in controls are required as a result of any of our work, we have agreed appropriate remedial action with management.
4. Basis of Opinion
4.1 The opinion and the level of assurance given takes into account:
· All audit work completed during 2020/21, planned and unplanned;
· Follow up of actions from previous audits;
· Management’s response to the findings and recommendations;
· Ongoing advice and liaison with management, including regular attendance by the Chief Internal Auditor and Audit Managers at organisational meetings relating to risk, governance and internal control matters;
· Effects of significant changes in the Council’s systems;
· The extent of resources available to deliver the audit plan; and
· Quality of the internal audit service’s performance.
4.2 No limitations have been placed on the scope of Internal Audit during 2020/21, however, as explained above, Covid 19 and remote working have impacted on how our work was delivered, with a number of specific audits having to be rescheduled or in some cases, replaced with other activities.
5. Key Internal Audit Issues for 2020/21
5.1 The overall audit opinion should be read in conjunction with the key issues set out in the following paragraphs. These issues, and the overall opinion, have been taken into account when preparing and approving the Council’s Annual Governance Statement.
5.2 The internal audit plan is delivered each year through a combination of formal reviews with standard audit opinions, direct support for projects and new system initiatives, investigations, grant audits and ad hoc advice. The following graphs provide a summary of the outcomes from all audits finalised during 2020/21:
Audit Opinions
*Not applicable: Includes grant certifications and audit reports where we did not give a specific audit opinion. Typically, this tends to be proactive advice and support activity where, due to the advisory nature of the audit work, provision of formal assurance-based opinions is not appropriate.
5.3 A full listing of all completed audits and opinions for the year is included at Appendix B, along with an explanation of each of the assurance levels. During 2020/21, there was one audit, relating to the Commissioning and Delivery of Property Projects, where we concluded an audit opinion of minimal assurance. In completing this work, we identified areas that required significant improvement, including ensuring roles and responsibilities over project management are clearly defined, a robust project management framework is followed, key project documentation is used to support delivery, and engagement, communication and collaboration between departments is enhanced. Further detail on the findings of this review can be found in Annexe B.
5.4 In addition to the above, a total of 4 audits received partial assurance opinions within the year as follows:
· Direct Payments;
· Libraries Asset Management;
· Contract Management Group Cultural Compliance; and
· MBOS Programme Governance and Risk Management Arrangements – Phase 2.
5.5 Whilst actions arising from these reviews will be followed up by Internal Audit, either through specific reviews or via established action tracking arrangements, it is important that management take prompt action to secure the necessary improvements in internal control.
Key Financial Systems
5.6 Given the substantial values involved, each year a significant proportion of our time is spent reviewing the Council’s key financial systems, both corporate and departmental. Of those audits completed during 2020/21, all, apart from the audit of Direct Payments (see Appendix B) resulted in either substantial or reasonable assurance being provided over the control environment.
Other Internal Audit Activity
5.7 During 2020/21, Internal Audit has continued to provide advice, support and independent challenge to the organisation on risk, governance and internal control matters across a range of areas. These include:
· Property Asset Management System replacement;
· Managing Back Office Systems (MBOS) programme;
· Adult Social Care transformation;
· Digital postal hub; and
· Highways maintenance contract reprocurement.
And attendance at:
· Statutory Officers’ Group;
· Orbis Leadership Team;
· Business Services (BS) Departmental Management Team;
· BSD Covid Response Group;
· BSD Business Partners Group;
· Finance Management Team; and
· Pension Board and Pension Committee.
5.8 As well as actively contributing to, and advising these groups, we utilise the intelligence gained from the discussions to inform our own current and future work programmes to help ensure our work continues to focus on the most important risk areas.
5.9 In addition, for 2020/21, we have provided significant advice and support on risk and control issues, especially where services looked to modify their ways of working in response to the pandemic. Many of these related to back-office, administrative functions, with some of these historically having a heavy reliance on paper-based processes. Our work has included:
· The redeployment of some of our team to support other services, particularly in relation to the sourcing and distribution of personal protective equipment (PPE);
· Reviewing and advising on controls in relation to the Department for Education laptop scheme;
· The provision of advice on risk and control issues associated with the implementation of an online claims process for staff to submit claims for mileage and travel;
· Advice on the Council’s provision of support to its key providers in line with central government guidance;
· A review of the proposed system for delivering ICT equipment to new members of staff during lockdown;
· Reviewing alternative arrangements for the receipt and processing of cheque payments, the electronic receipt and subsequent processing of invoices from suppliers, and the approval of treasury management transactions by electronic means;
· Waivers to Procurement and Contract Standing Orders – consideration of alternative arrangements to help ensure the continued delivery of key services where contracts with providers were due to come to an end during Covid-19;
· Use of electronic signatures – reviewing arrangements for the increased and expanded use of electronic signatures for Council contracts;
· Data analytics on creditors data to help provide assurance that selected key controls within Procure to Pay processes across the Council were continuing to work effectively during the pandemic; and
· In light of the increased information governance risks associated with the significant numbers of staff working remotely, working with the Information Governance team to provide further guidance and advice for staff in this area.
5.10 During 2020/21, the Internal Audit Counter Fraud Team continued to deliver both reactive and proactive fraud services across the Orbis Partnership.
5.11 The team logged 18 allegations under the Council’s Anti-Fraud and Corruption Strategy, with cases being identified through the Council’s confidential reporting hotline or referrals from other departments. As a result of the allegations, 18 cases were taken forward to investigation by Internal Audit or support was provided to a management investigation.
5.12 The following provides a summary of the investigation activity undertaken by the Internal Audit Counter Fraud Team in the last 12 months:
· Following a referral from Adult Social Care, we provided the service with advice in relation to a potential salary overpayment for an employee. The employee had submitted pay claims for hours that were already included in their annual salary. The employee accepted a formal warning and the overpayment has been recovered;
· Following a whistleblowing, we investigated an allegation that an Adult Social Care provider continued to receive payment but did not deliver a service during the pandemic due to making staff redundant. The investigation found that there was no case to answer;
· Internal Audit investigated an allegation that an employee had breached access rules relating to the Department of Work and Pensions (DWP) system ‘Searchlight’. Following the investigation, a formal warning was issued;
· Following receipt of a whistleblowing report alleging overcharging by a Highways subcontractor, we undertook a review of a sample of works to confirm that these complied with job specifications and cost schedules. The investigation found no case to answer;
· Advice was provided to a Sports Centre following a member of a sports club making a payment due to be paid to the Council to a fraudulent bank account. The matter was reported to Action Fraud;
· An investigated was carried out in relation to an anonymous allegation of misuse of a Council vehicle. The investigation reviewed the use of the vehicle and associated record keeping. The review did not identify any misconduct but did identify some control improvements to strengthen record keeping and compliance with corporate policy;
· Enquiries were made into an allegation of a potential contract breach in relation to Home to School Transport. The case was subsequently closed with no evidence of fraud found;
· Following initial enquiries into an allegation that an employee was abusing their position by accessing a colleague’s email account, we concluded that there was insufficient evidence to progress to a full investigation;
· We have continued to provide advice and support to Adult Social Care on individual cases where concerns have been expressed over the potential deprivation of capital and misuse of personal budgets; and
· Nine investigations remain open at the time of writing this report.
5.13 Any internal control weaknesses identified during our investigation work are reported to management and actions for improvement are agreed. This work is also used to inform future internal audit activity.
5.14 As well as the investigation work referred to above, we continue to be proactive in the identification and prevention of potential fraud and corruption activity across the authority and in raising awareness amongst staff.
Priority |
Progress to Date |
Reactive Investigations |
The Counter Fraud Team is responsible for assessing and evaluating fraud referrals received by each sovereign partner, and then leading on subsequent investigations. The team have implemented a coordinated approach to assessing and logging referrals and adopted consistent procedures for recording investigations. The team continue to work with sovereign audit teams to investigate allegations across the partnership. |
NFI Exercise |
|
Counter Fraud Policies |
We have reviewed the Counter Fraud Strategy to align with best practice and to ensure a robust and consistent approach to tackling fraud. This was approved by Audit Committee on 10 July 2020 and is available on the Council’s intranet.
|
Fraud Risk Assessments |
Fraud risk assessments are regularly reviewed to ensure that the current fraud threat for the Council has been considered and appropriate mitigating actions identified. We have updated the risk assessment to include new and emerging threats as a result of the Covid 19 pandemic. This includes potential threats to payroll, staff frauds relating to home working and cyber frauds |
Fraud Response Plans |
The Fraud Response Plans take into consideration the results of the fraud risk assessments and emerging trends across the public sector in order to provide a proactive counter fraud programme. The Fraud Response Plan for 2020/21 included a pilot data analytics programme for key financial systems. The pilot is currently paused and will be reviewed. The Fraud Response Plans are being refreshed for 2021/22 and will set out the proactive work plan for Internal Audit. |
Fraud Awareness |
The team have published fraud bulletins raising awareness to emerging threats, in particular risks from the Covid 19 pandemic. These have been published on the intranet and shared with high risk service areas. In addition, the team continue to monitor intelligence alerts and work closely with neighbouring councils to share intelligence and best practice. |
Amendments to the Audit Plan
5.15 In accordance with proper professional practice, the Internal Audit plan for the year was kept under regular review to ensure that the service continued to focus its resources in the highest priority areas based on an assessment of risk. As already noted, Covid 19 meant that for the first time, we found it necessary to revise and re-issue the audit plan part way through the year. This update was presented to, and approved at, the November 2020 Audit Committee. However, since then, a number of further additions and amendments have taken place, principally as a result of the most recent national lockdown. This includes the following additional audit activities:
· Pension Fund – Altair Implementation Data Governance;
· Robertsbridge SEN Capital Project;
· Building Security;
· MBOS Programme Governance and Risk Management Arrangements (Phase 2);
· Covid-19 Emergency Active Travel Grant;
· Travel Demand Management Grant; and
· Department for Transport – Local Transport Authority Covid-19 Bus Service Support Grant Restart (Revenue).
5.16 In order to allow this additional audit work to take place, the following audits have been removed or deferred from the audit plan and, where appropriate, were considered for inclusion in the 2021/22 audit plan, as part of the overall risk assessment completed during the annual audit planning process. These changes were made on the basis of risk prioritisation and/or as a result of developments within the service areas concerned requiring a rescheduling of audits:
· Adoption South East;
· Health and Safety;
· Children’s Safeguarding Data Handling;
· LCS/Controcc;
· Buzz Active Follow Up;
· Libraries Asset Management Follow Up;
· Contract Management Group Cultural Compliance Follow Up;
· Building Condition Asset Management Follow Up;
· Social Value in Procurement Follow Up; and
· Atrium Follow Up.
6. Internal Audit Performance
6.1 Public Sector Internal Audit Standards (PSIAS) require the internal audit service to be reviewed annually against the Standards, supplemented with a full and independent external assessment at least every five years. The following paragraphs provide a summary of our performance during 2020/21, including the results of our first independent PSIAS assessment, an update on our Quality Assurance and Improvement Programme and the year end results against our agreed targets.
PSIAS
6.2 The Standards cover the following aspects of internal audit, all of which were independently assessed during 2018 by the South West Audit Partnership (SWAP) and subject to a refreshed self-assessment in 2020/21:
· Purpose, authority and responsibility;
· Independence and objectivity;
· Proficiency and due professional care;
· Quality assurance and improvement programme;
· Managing the internal audit activity;
· Nature of work;
· Engagement planning;
· Performing the engagement;
· Communicating results;
· Monitoring progress; and
· Communicating the acceptance of risks.
6.3 The results of the SWAP review and our latest self-assessment found a high level of conformance with the Standards with only a small number of minor areas for improvement. Work has taken place to address these issues, none of which were considered significant, and these are subject to ongoing monitoring as part of our quality assurance and improvement plan.
Key Service Targets
6.4 Performance against our previously agreed service targets is set out in Appendix A. Overall, client satisfaction levels remain high, demonstrated through the results of our post audit questionnaires, discussions with key stakeholders throughout the year and annual consultation meetings with Chief Officers.
6.5 Internal Audit will continue to liaise with the Council’s external auditors (Grant Thornton) to ensure that the Council obtains maximum value from the combined audit resources available.
6.6 In addition to this annual summary, CMT and the Audit Committee will continue to receive performance information on Internal Audit throughout the year as part of our quarterly progress reports and corporate performance monitoring arrangements.
Appendix A
Internal Audit Performance Indicators 2020/21
Aspect of Service |
Orbis IA Performance Indicator |
Target |
RAG Score |
Actual Performance |
Quality
|
Annual Audit Plan agreed by Audit Committee |
By end April |
G |
Approved by Audit Committee in May 2020 (March Audit Committee meeting was cancelled because of Covid-19) |
Annual Audit Report and Opinion
|
By end July |
G |
Approved by Audit Committee on 10 July 2020. |
|
Customer Satisfaction Levels |
90% satisfied
|
G |
100% |
|
Productivity and Process Efficiency |
Audit Plan – completion to draft report stage |
90% |
Not Applicable |
During the COVID-19 pandemic, the audit plan was suspended to allow the Internal Audit Service to support the organisation’s response. In addition, the audit plan was revised (approved by Audit Committee in November 2020). Given the continual changes during the year, this performance indicator has not been monitored. |
Compliance with Professional Standards |
Public Sector Internal Audit Standards |
Conforms |
G
|
January 2018 – External assessment by the South West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings.
June 2020 – Internal self-assessment and internal quality review completed – no major areas of non-compliance. |
|
Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act |
Conforms |
G
|
No evidence of non-compliance identified. |
Outcome and degree of influence |
Implementation of management actions agreed in response to audit findings |
97% for high priority agreed actions |
G |
100% |
Our staff |
Professionally Qualified/Accredited
|
80% |
G |
94% |
Appendix B
Summary of Opinions for Internal Audit Reports Issued During 2020/21
Substantial Assurance:
(Explanation of assurance levels provided at the bottom of this document)
Audit Title |
Department |
Annual Governance Statement |
GS |
Property Asset Management System (PAMS) Replacement – Programme Governance and Risk Management |
BSD |
Business Operations Cultural Compliance Follow Up |
BSD |
Pension Fund Compliance with Regulatory Requirements |
BSD |
Accounts Receivable |
BSD |
Reasonable Assurance:
Audit Title |
Department |
Procure to Pay |
BSD |
Declarations of Interests, Gifts, Hospitality and Secondary Employment |
Corporate |
Powers of Entry Follow-Up |
CET |
Pension Fund Strategy and Investments |
BSD |
Payroll |
BSD |
Pension Fund Governance |
BSD |
Education, Health and Care Plans |
CSD |
Network Security |
BSD |
MBOS Programme Governance and Risk Management Arrangements – Phase 1 |
Corporate |
Patch Management |
BSD |
Cloud Computing |
BSD |
Mobile Device Management |
BSD |
Cyber Security during Covid |
BSD |
PAMS Data Governance and Migration |
BSD |
Partial Assurance:
Audit Title |
Department |
Library Asset Management |
CET |
Cultural Compliance – Contracts Management Group |
CET |
Direct Payments |
ASC |
MBOS Programme Governance and Risk Management Arrangements – Phase 2 |
Corporate |
Minimal Assurance:
Audit Title |
Department |
Commissioning and Delivery of Property Projects |
BSD |
Other Audit Activity Undertaken During 2020/21
Department |
|
MBOS Requirements Catalogue |
Corporate |
Digital Postal Hub Control Environment Review |
BSD |
Troubled Families Grant Funding (quarterly) |
CSD |
Covid Response Work |
Corporate |
Data Analytics – Creditors |
Corporate |
Department for Transport Capital Grants |
CET |
Bus Services Operators Grant |
CET |
Covid 19 Bus Service Support Grant |
CET |
Blue Badge Grant |
ASC |
Pension Fund Altair Data Governance |
BSD |
Robertsbridge SEN Project |
BSD |
MBOS Advice and Support |
BSD |
PAMS Advice and Support |
BSD |
Department for Transport Local Transport Authority Covid 19 Restart Buse Service Support Restart Grant |
CET |
Highways Maintenance Contract Reprocurement |
CET |
Adult Social Care Transformation Programme |
ASC |
Audit Opinions and Definitions
Opinion |
Definition |
Substantial Assurance |
Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
Reasonable Assurance |
Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
Partial Assurance |
There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
Minimal Assurance |
Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |
[1] This opinion is based on the activities set out in the paragraphs below. It is therefore important to emphasise that it is not possible or practicable to audit all activities of the Council within a single year.