Annex A
INTERNAL AUDIT
ANNUAL REPORT & OPINION
2021/2022
1. Internal Control and the Role of Internal Audit
1.1 All local authorities must make proper provision for internal audit in line with the 1972 Local Government Act (S151) and the Accounts and Audit Regulations 2015. The full role and scope of the Council’s Internal Audit Service is set out within our Internal Audit Charter.
1.2 It is a management responsibility to establish and maintain internal control systems and to ensure that resources are properly applied, risks appropriately managed and outcomes achieved.
1.3 Annually, the Chief Internal Auditor is required to provide an overall opinion on the Council’s internal control environment, risk management arrangements and governance framework to support the Annual Governance Statement.
2. Delivery of the Internal Audit Plan
2.1 The Council’s Internal Audit Strategy and Plan is updated each year based on a combination of management’s assessment of risk (including that set out within the departmental and strategic risk registers) and our own risk assessment of the Council’s major systems and other auditable areas. The process of producing the plan involves extensive consultation with a range of stakeholders to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered.
2.2 Covid-19 has continued to have an impact on the Council in 2021/22. This has meant that we have had to continue to adopt flexible working practices, including auditing remotely, and have been required to certify a higher-than-normal number of government grants, most of which are specific to supporting the Council through the pandemic.
2.3 In accordance with the audit plan for 2021/22, a programme of audits was carried out covering all Council departments and, in accordance with best practice, this programme was reviewed during the year and revised to reflect changes in risk and priority. This has included responding to and investigating allegations of fraud and other irregularities.
2.4 All adjustments to the audit plan were agreed with the relevant departments and reported throughout the year to CMT and the Audit Committee as part of our periodic internal audit progress reports. It should be noted that whilst there were a small number of audit reports in progress or at draft report stage at year-end, outcomes from this work have been taken into account in forming our annual opinion. Full details of these audits will be reported to CMT and the Audit Committee once each of the reports has been finalised with management.
3. Audit Opinion
3.1 No assurance can ever be absolute; however, based on the internal audit work completed, the Chief Internal Auditor can provide substantial[1] assurance that the Council has in place an adequate and effective framework of governance, risk management and internal control for the period 1 April 2021 to 31 March 2022.
3.2 Further information on the basis of this opinion is provided below. Overall, the majority of audit opinions issued in the year were generally positive, with only a small number of instances where internal audit activities have identified that the operation of internal controls has not been fully effective. We are pleased to report that no minimal assurance opinions were issued in the year and only five partial assurance opinions reported, three of which related to schools.
3.3 Where improvements in controls are required as a result of our work, we have agreed appropriate remedial action with management.
4. Basis of Opinion
4.1 The opinion and the level of assurance given take into account:
· All audit work completed during 2021/22, planned and unplanned;
· Follow up of actions from previous audits;
· Management’s response to the findings and recommendations;
· Ongoing advice and liaison with management, including regular attendance by the Chief Internal Auditor and Audit Managers at organisational meetings relating to risk, governance and internal control matters;
· Effects of significant changes in the Council’s systems;
· The extent of resources available to deliver the audit plan; and
· Quality of the internal audit service’s performance.
4.2 No limitations have been placed on the scope of Internal Audit during 2021/22.
5. Key Internal Audit Issues for 2021/22
5.1 The overall audit opinion should be read in conjunction with the key issues set out in the following paragraphs. These issues, and the overall opinion, will be taken into account when preparing and approving the Council’s Annual Governance Statement.
5.2 The internal audit plan is delivered each year through a combination of formal reviews with standard audit opinions, direct support for projects and new system initiatives, investigations, grant audits and ad hoc advice. The following graph provides a summary of the outcomes from all audits finalised over the past four years:
[Graph: Audit Opinions]
*Not Applicable: Includes grant certifications and audit reports where we did not give a specific audit opinion. Typically, this tends to be proactive advice and support activity where, due to the advisory nature of the audit work, provision of formal assurance-based opinions is not appropriate.
5.3 A full listing of all completed audits and opinions for the year is included at Appendix B, along with an explanation of each of the assurance levels. During 2021/22, and as stated above, we are pleased to report that there were no minimal assurance audit opinions issued and only five audits which received partial assurance (all of which have been reported on in our quarterly progress reports) as follows:
· Building Security
· Vehicle Use
· Alfriston Primary School
· Forest Row Church of England Primary School
· West Rise Junior School
5.4 Whilst actions arising from these reviews will be followed up by Internal Audit, either through specific reviews or via established action tracking arrangements, it is important that management take prompt action to secure the necessary improvements in internal control.
Key Financial Systems
5.5 Given the substantial values involved, each year a significant proportion of our time is spent reviewing the Council’s key financial systems, both corporate and departmental. Of those audits completed during 2021/22, all resulted in either substantial or reasonable assurance being provided over the control environment.
5.6 As of 31 March 2022, the audits of Accounts Receivable, Accounts Payable and LCS/Controcc were still being carried out and are due to be reported on in the first quarter of 2022/23.
Other Internal Audit Activity
5.7 During 2021/22, Internal Audit has continued to provide advice, support and independent challenge to the organisation on risk, governance and internal control matters across a range of areas. These include:
· Managing Back Office Systems (MBOS) programme
· Adult Social Care Transformation
· Highways Maintenance Contract Reprocurement
· UK Community Renewal Fund
And attendance at, and support to:
· Statutory Officers’ Group
· Business Services (BS) Departmental Management Team
· Finance Management Team
· BSD Business Partners Group
· Pension Board and Pension Committee
5.8 As well as actively contributing to, and advising, these groups, we utilise the intelligence gained from the discussions to inform our own current and future work programmes to help ensure our work continues to focus on the most important risk areas.
5.9 During 2021/22, the Internal Audit Counter Fraud Team continued to deliver both reactive and proactive fraud services across the organisation. Details of all counter fraud and investigatory activity for the year, both proactive and reactive, have been summarised within a separate Counter Fraud Annual Report due to be presented alongside this Internal Audit annual report. Where relevant, the outcomes from this work have also been used to inform our annual internal audit opinion and future audit plans.
Amendments to the Audit Plan
5.10 In accordance with proper professional practice, the Internal Audit plan for the year was kept under regular review to ensure that the service continued to focus its resources in the highest priority areas based on an assessment of risk. The following additional audit activities were undertaken during the year:
· UK Community Renewal Fund
· Building Security
· Heathfield Community College Follow Up
· DWP Searchlight System Security Compliance
· Robotic Process Automation (to archive electronic HR files)
· Adoption South East
· Vehicle Usage
· Procurement Data Analytics
· Broadband Grant Certification
· Implementation of Altair
5.11 In order to allow this additional audit work to take place, in addition to utilising contingency and emerging risk time, the following audits were removed or deferred from the audit plan. These changes were made on the basis of risk prioritisation and/or as a result of developments within the service areas concerned requiring a rescheduling of audits. All of these are included in the 2022/23 audit plan:
· Health and Safety
· Contract Management Group Cultural Compliance Follow-Up
· Building Condition Asset Management Follow-Up
6. Internal Audit Performance
6.1 Public Sector Internal Audit Standards (PSIAS) require the internal audit service to be reviewed annually against the Standards, supplemented with a full and independent external assessment at least every five years. The following paragraphs provide a summary of our performance during 2021/22, including the results of our first independent PSIAS assessment, an update on our Quality Assurance and Improvement Programme and the year-end results against our agreed targets.
PSIAS
6.2 The Standards cover the following aspects of internal audit, all of which were independently assessed during 2018 by the South West Audit Partnership (SWAP) and subject to a refreshed self-assessment in 2021/22:
· Purpose, authority and responsibility;
· Independence and objectivity;
· Proficiency and due professional care;
· Quality assurance and improvement programme;
· Managing the internal audit activity;
· Nature of work;
· Engagement planning;
· Performing the engagement;
· Communicating results;
· Monitoring progress; and
· Communicating the acceptance of risks.
6.3 The results of the SWAP review and our latest self-assessment found a high level of conformance with the Standards with only a small number of minor areas for improvement. Work has taken place to address these issues, none of which were considered significant, and these are subject to ongoing monitoring as part of our quality assurance and improvement plan.
Key Service Targets
6.4 Performance against our previously agreed service targets is set out in Appendix A. Overall, client satisfaction levels remain high, demonstrated through the results of our post-audit questionnaires, discussions with key stakeholders throughout the year and annual consultation meetings with Chief Officers.
6.5 Internal Audit will continue to liaise with the Council’s external auditors (Grant Thornton) to ensure that the Council obtains maximum value from the combined audit resources available.
6.6 In addition to this annual summary, CMT and the Audit Committee will continue to receive performance information on Internal Audit throughout the year as part of our quarterly progress reports and corporate performance monitoring arrangements.
Appendix A
Internal Audit Performance Indicators 2021/22
| Aspect of Service | Orbis IA Performance Indicator | Target | RAG Score | Actual Performance |
|---|---|---|---|---|
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | G | Approved by Audit Committee in March 2022. |
| | Annual Audit Report and Opinion | By end July | G | Approved by Audit Committee in July 2021. |
| | Customer Satisfaction Levels | 90% satisfied | G | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | G | 94.2% |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | G | January 2018 – External assessment by the South West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings. July 2021 – Internal Self-Assessment completed, no major areas of non-compliance with PSIAS identified. January 2022 – Internal Quality Review completed, no major areas of non-compliance with our own processes identified. April 2022 – Updated self-assessment against the standards within the PSIAS underway and preparations for the full independent external assessment in progress. |
| | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | G | No evidence of non-compliance identified. |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 97% for high priority agreed actions | G | 100% |
| Our staff | Professionally Qualified/Accredited | 80% | G | 91% |
Appendix B
Summary of Opinions for Internal Audit Reports Issued During 2021/22
Substantial Assurance:
(Explanation of assurance levels provided at the bottom of this document)
| Audit Title | Department |
|---|---|
| Pension Fund Investments and External Control Assurance | BSD |
| Information Governance Remote Working | Corporate |
| Treasury Management | BSD |
| Pension Fund Compliance with Regulatory Requirements | BSD |
| Adoption South-East | CSD |
| Robotic Process Automation (RPA) – Archive Electronic HR Files | BSD |
| Management of Social Value Requirements in Procurement Follow Up | BSD |
| Pension Fund Investments | BSD |
| LAS/Controcc | ASC |
Reasonable Assurance:
| Audit Title | Department |
|---|---|
| Procure to Pay | BSD |
| Pension Administration Information Governance | BSD |
| Property Asset Management System Business Processes | BSD |
| IT Asset Management during Covid | Corporate |
| Pension Administration – People, Processes and Systems | BSD |
| Risk Management | Corporate |
| Covid-19 Procurement Risk | Corporate |
| DWP/Searchlight System Security Compliance | Corporate |
| Libraries Asset Management Follow Up | CET |
| Etchingham County Primary School | CSD |
| Heathfield Community College Follow Up | CSD |
| Five Ashes C of E Primary School | CSD |
| Pension Fund Governance | BSD |
| Revenue Budget Management | Corporate |
| Contract Management | Corporate |
| Public Sector Bodies (Website and Mobile Applications) Accessibility Regulations | BSD |
| Email Communication (Personal and Sensitive Encryption) | BSD |
| HR/Payroll | BSD |
| MBOS Programme Governance and Risk Management Follow Up | Corporate |
| Buzz Active Follow Up | CSD |
| Altair Application Audit | BSD |
Partial Assurance:
| Audit Title | Department |
|---|---|
| Building Security | BSD |
| Vehicle Use | CET |
| Alfriston Primary School | CSD |
| Forest Row Church of England Primary School | CSD |
| West Rise Junior School | CSD |
Minimal Assurance:
| Audit Title | Department |
|---|---|
| None | |
Other Audit Activity Undertaken During 2021/22
Department |
|
| Modernising Back Office Systems (MBOS) Programme Support | Corporate |
| Adult Social Care Transformation | ASC |
| UK Community Renewal Fund (UK CRF) | CET |
| Broadband UK Grant Return | CET |
| Troubled Families Grant Certification | CSD |
| Covid-19 Emergency Active Travel Grant Certification | CET |
| Additional Dedicated Home to School and College Transport Grant Certification | CET |
| Bus Service Operators Grant Certification | CET |
| Pension Fund Implementation of Altair | BSD |
| Property Asset Management Phase 2 Business Processes | BSD |
| Digital Postal Hub Application Review | BSD |
| Pension Fund Strategy | BSD |
| European Social Fund Transform Project | CSD |
| Home to School Transport Grant Certification | CET |
| Transport Capital Grant Certification | CET |
| Highways Maintenance Contract Reprocurement | CET |
| Council Owned Companies | Corporate |
Audit Opinions and Definitions
| Opinion | Definition |
|---|---|
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |
[1] This opinion is based on the activities set out in the paragraphs below. It is therefore important to emphasise that it is not possible or practicable to audit all activities of the Council within a single year.