Annex A
INTERNAL AUDIT
ANNUAL REPORT & OPINION
2023/2024
1. Internal Control and the Role of Internal Audit
1.1 All local authorities must make proper provision for internal audit in line with the 1972 Local Government Act (S151) and the Accounts and Audit Regulations 2015. The full role and scope of the Council’s Internal Audit Service is set out within our Internal Audit Charter.
1.2 It is a management responsibility to establish and maintain internal control systems and to ensure that resources are properly applied, risks appropriately managed and outcomes achieved.
1.3 Annually, the Chief Internal Auditor is required to provide an overall opinion on the Council’s internal control environment, risk management arrangements and governance framework to support the Annual Governance Statement.
2. Delivery of the Internal Audit Plan
2.1 The Council’s Internal Audit Strategy and Plan is updated each year based on a combination of management’s assessment of risk (including that set out within the departmental and strategic risk registers) and our own risk assessment of the Council’s major systems and other auditable areas. The process of producing the plan involves extensive consultation with a range of stakeholders to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered.
2.2 In accordance with the audit plan for 2023/24, a programme of audits was carried out covering all Council departments and, in accordance with best practice, this programme was reviewed during the year and revised to reflect changes in risk and priority. All adjustments to the audit plan were agreed with the relevant departments and reported throughout the year to CMT and the Audit Committee as part of our periodic internal audit progress reports. Full details of the adjustments to the plan can be found in Appendix D.
2.3 It should be noted that whilst there were some audit reports in progress or at draft report stage at year-end, outcomes from this work have been taken into account in forming our annual opinion. Full details of these audits will be reported to CMT and the Audit Committee once each of the reports has been finalised with management.
3. Audit Opinion
3.1 No assurance can ever be absolute; however, based on the internal audit work completed, the Chief Internal Auditor can provide reasonable[1] assurance that the Council has in place an adequate and effective framework of governance, risk management and internal control for the period 1 April 2023 to 31 March 2024.
3.2 Further information on the basis of this opinion is provided below. Overall, the majority of audit opinions issued in the year were generally positive, with only a small number of instances where internal audit activities have identified that the operation of internal controls has not been fully effective. We are pleased to report that no minimal assurance opinions were issued in the year. There were, however, eight partial assurance opinions reported (see 5.4 below), all of which will be subject to follow-up reviews in 2024/25.
3.3 Where improvements in controls are required as a result of our work, we have agreed appropriate remedial action with management.
4. Basis of Opinion
4.1 The opinion and the level of assurance given take into account:
· All audit work completed during 2023/24, planned and unplanned;
· Follow up of actions from previous audits;
· Management’s response to the findings and recommendations;
· Ongoing advice and liaison with management, including regular attendance by the Chief Internal Auditor and Audit Managers at organisational meetings relating to risk, governance and internal control matters;
· Effects of significant changes in the Council’s systems;
· The extent of resources available to deliver the audit plan; and
· Quality of the internal audit service’s performance.
4.2 No limitations have been placed on the scope of Internal Audit during 2023/24.
5. Key Internal Audit Issues for 2023/24
5.1 The overall audit opinion should be read in conjunction with the key issues set out in the following paragraphs. These issues, and the overall opinion, will be taken into account when preparing and approving the Council’s Annual Governance Statement.
5.2 The internal audit plan is delivered each year through a combination of formal reviews with standard audit opinions, direct support for projects and new system initiatives, investigations, grant audits and ad hoc advice. The following graph provides a summary of the outcomes from all audits finalised over the past three years:
[Graph: Audit Opinions]
*Not Applicable: Includes grant certifications and audit reports where we did not give a specific audit opinion. Typically, this tends to be proactive advice and support activity where, due to the advisory nature of the audit work, provision of formal assurance-based opinions is not appropriate.
5.3 A full listing of all 2023/24 completed audits and opinions for the year is included at Appendix B. The status of all planned audits in progress but not completed to final report by year-end is shown in Appendix C.
5.4 As stated above, we are pleased to report that there were no minimal assurance audit opinions issued. Eight audits received partial assurance (all of which have been reported on in our quarterly progress reports) as follows:
· Appointeeship and Deputyship Process
· External Funding
· Contract Management
· Supplier Failure
· Ukraine Funding
· Mental Health Services – Compliance with Corporate and Local Procedures
· Techforge IT Application Controls
· St Richard’s Catholic College
5.5 Whilst actions arising from these reviews will be followed up by Internal Audit, either through specific reviews or via established action tracking arrangements, it is important that management take prompt action to secure the necessary improvements in internal control.
Key Financial Systems
5.6 Given the substantial values involved, each year a significant proportion of our time is spent reviewing the Council’s key financial systems, both corporate and departmental. In 2023/24, in view of the then impending go-live of the Council’s new Enterprise Resource Planning (ERP) system, Oracle, and the recent completion of the 2022/23 audits in these areas, we completed only interim reviews of Accounts Payable, Accounts Receivable and Payroll, whereby we undertook limited sample testing of key controls in order to provide assurance that these continued to operate as expected. For each area, we found that the systems continued to be well controlled and remained fundamentally unchanged since the previous audits. We will complete full reviews of these early in 2024/25, prior to any implementation of the new ERP. In addition, we completed full audits of the General Ledger and Treasury Management, with both of these receiving substantial assurance.
Other Internal Audit Activity
5.7 During 2023/24, Internal Audit has continued to provide advice, support and independent challenge to the organisation on risk, governance and internal control matters across a range of areas. These include:
· Managing Back Office Systems (MBOS) programme;
· The Department for Levelling Up, Housing and Communities deep-dive into the South-East Local Enterprise Partnership; and
· Sea Change Sussex
And attendance at, and support to:
· Statutory Officers’ Group
· Finance Management Team
· Departmental Management Teams
· BSD Business Partners Group
· Pension Board and Pension Committee
5.8 As well as actively contributing to, and advising, these groups, we utilise the intelligence gained from the discussions to inform our own current and future work programmes to help ensure our work continues to focus on the most important risk areas.
5.9 During 2023/24, the Internal Audit Counter Fraud Team continued to deliver both reactive and proactive fraud services across the organisation. Details of all counter fraud and investigatory activity for the year, both proactive and reactive, have been summarised within our quarterly progress reports and also in a separate Counter Fraud Annual Report due to be presented alongside this Internal Audit annual report. Where relevant, the outcomes from this work have also been used to inform our annual internal audit opinion and future audit plans.
Amendments to the Audit Plan
5.10 In accordance with proper professional practice, the Internal Audit plan for the year was kept under regular review to ensure that the service continued to focus its resources in the highest priority areas based on an assessment of risk. All audits added to and removed from the plan during the year are provided in Appendix D.
6. Internal Audit Performance
6.1 Public Sector Internal Audit Standards (PSIAS) require the internal audit service to be reviewed annually against the Standards, supplemented with a full and independent external assessment at least every five years. The following paragraphs provide a summary of our performance during 2023/24, including the results of our most recent independent PSIAS assessment (2022), our latest self-assessment (2023) and the year end results against our agreed targets.
PSIAS
6.2 The Standards cover the following aspects of internal audit, all of which were independently assessed during late 2022 by the Chartered Institute of Internal Auditors:
· Purpose, authority and responsibility;
· Independence and objectivity;
· Proficiency and due professional care;
· Quality assurance and improvement programme;
· Managing the internal audit activity;
· Nature of work;
· Engagement planning;
· Performing the engagement;
· Communicating results;
· Monitoring progress; and
· Communicating the acceptance of risks.
6.3 As reported to Audit Committee in March 2023, Orbis Internal Audit was assessed as achieving the highest level of conformance available against professional standards, with no areas of non-compliance identified. Our most recent self-assessment against the standards in 2023 found that this continued, with only minor areas for improvement identified.
Key Service Targets
6.4 Performance against our previously agreed service targets is set out in Appendix A. Overall, client satisfaction levels remain high, demonstrated through the results of our post audit questionnaires, discussions with key stakeholders throughout the year through service liaison and annual consultation meetings with Chief Officers.
6.5 Over the course of the year, we have received positive feedback on a range of completed audit assignments from management within services. The following ‘word cloud’ identifies some of the key, positive phrases used to describe our service and that contributed to a 100% satisfaction rate being recorded in the year:
6.6 Internal Audit will continue to liaise with the Council’s external auditors (Grant Thornton) to ensure that the Council obtains maximum value from the combined audit resources available.
6.7 In addition to this annual summary, CMT and the Audit Committee will continue to receive performance information on Internal Audit throughout the year as part of our quarterly progress reports and corporate performance monitoring arrangements.
Appendix A
Internal Audit Performance Indicators 2023/24
| Aspect of Service | Orbis IA Performance Indicator | Target | RAG Score | Actual Performance |
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | G | 2023/24 Internal Audit Strategy and Plan formally approved by Audit Committee 31 March 2024 |
|  | Annual Audit Report and Opinion | By end July | G | 2022/23 Annual Report and Opinion presented to Audit Committee 7 July 2023 |
|  | Customer Satisfaction Levels | 90% satisfied | G | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | G | 91.2% |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | G | Dec 2022 - External Quality Assurance completed by the Institute of Internal Auditors (IIA). Orbis Internal Audit assessed as achieving the highest level of conformance available against professional standards with no areas of non-compliance identified, and therefore no formal recommendations for improvement arising. In summary the service was assessed as: |
|  | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | G | No evidence of non-compliance identified. |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 97% for high priority agreed actions | G | 100% |
| Our staff | Professionally Qualified/Accredited | 80% | G | 94%[2] |
Appendix B
Summary of opinions for Internal Audit final reports issued during 2023/24
Substantial Assurance:
(Explanation of assurance levels provided at the bottom of this document)
| Audit Title | Department |
| Pension Fund Investments and Accounting | BSD |
| Pension Fund Cyber Security | BSD |
| Annual Governance Statement – Directorate Assurance Statements and Policy Review | Corporate |
| General Ledger | BSD |
| Treasury Management | BSD |
| Home to School Transport Follow-Up | CET |
| Children’s Services – Quality Assurance Framework | CSD |
Reasonable Assurance:
| Audit Title | Department |
| Accounts Payable (Procure to Pay) 22/23 | BSD |
| Pension Fund Cash Management | BSD |
| Pension Fund Administration of Pension Benefits | BSD |
| Health and Safety Framework | Corporate |
| Subject Access Requests and Freedom of Information Reporting Arrangements | Corporate |
| Cyber Security | BSD |
| Adults Safeguarding | ASC |
| Risk Management | Corporate |
| Milton Grange Nursing Home Establishment Review | ASC |
| Adult Services Data Handling | ASC |
| Firle Church of England Primary School | CSD |
| Pevensey and Westham Church of England Primary School | CSD |
| Pension Fund Collection of Contributions | BSD |
| Procurement of IT Systems | BSD |
| Children’s Services Data Handling Follow-Up | CSD |
| Children’s Disability Service Direct Payments | CSD |
| St. Mary’s Catholic Primary School | CSD |
| Mobile Device Management | BSD |
| Business Continuity Planning | Corporate |
| Integrated Waste Management Services – Contract Management | CET |
| Robotic Process Automation Governance Arrangements | BSD |
| Forest Row Church of England Primary School Follow-Up | CSD |
| Beckley Church of England Primary School | CSD |
Partial Assurance:
| Audit Title | Department |
| Appointeeship and Deputyship Process | ASC |
| External Funding | CET / Corporate |
| St Richard’s Catholic College | CSD |
| Contract Management | Corporate |
| Techforge IT Application Controls | BSD |
| Supplier Failure | Corporate |
| Ukraine Funding | ASC |
| Mental Health Services – Compliance with Corporate and Local Procedures | ASC |
Minimal Assurance:
| Audit Title | Department |
| None |  |
Non-Opinion:
| Audit Title | Department |
| Accounts Receivable (Interim Review) | BSD |
| Accounts Payable (Interim Review) | BSD |
| Payroll (Interim Review) | BSD |
| Sea Change Sussex | CET |
| MBOS – Programme Assurance and Ad-Hoc Advice | Corporate |
| MBOS – Cutover Arrangements | Corporate |
| MBOS – Key Control Testing | Corporate |
| MBOS - Security, Roles and Permissions | Corporate |
| MBOS - Business Continuity | Corporate |
| Supporting Families Programme Grant Certification (Quarterly) | CSD |
| Broadband Grant Certification | CET |
| Local Authority Bus Subsidy (Revenue) Grant / Bus Services Operators Grant | CET |
| Transport Grant Capital Block Funding (Integrated Transport and Highway Maintenance Blocks) Grant | CET |
| Bus Recovery Grant Certification | CET |
| Migration of SAP to Azure | BSD |
| SAP Support Pack – Key Control Testing | BSD |
| New Declaration of Interest System | Corporate |
Appendix C
2023/24 Audit Plan - Audits in Progress at Year-End
| Audit Title | Planned/Unplanned | Department | Status |
| ASC Debt Management and Recovery | Planned | ASC | Draft Report |
| Parking – Procurement and Monitoring of External Service Providers | Planned | CET | Draft Report |
| Vehicle Use Follow-Up | Unplanned | CET | Draft Report |
| Contract Management Group Cultural Compliance Follow-Up | Planned | CET | Draft Report |
| Climate Change Follow-Up | Planned | Corporate | Draft Report |
| LAS/Controcc | Planned | ASC | Draft Report |
| Pension Fund Cash Management | Planned | BSD | Draft Report |
| Sea Change Sussex | Unplanned | CET | Draft Reports |
| Health Visiting Contract – Contract Management | Unplanned | ASC | Fieldwork |
| Domestic Violence and Abuse Refuge Contract – Contract Management | Unplanned | ASC | Fieldwork |
| Health and Safety Compliance | Planned | Corporate | Fieldwork |
| Highways Contract Management | Planned | CET | Fieldwork |
| Workforce Capacity and Working Arrangements | Planned | Corporate | Fieldwork |
| Pension Fund Investments and Accounting | Planned | BSD | Fieldwork |
| Pension Fund Administration of Pension Benefits | Planned | BSD | Fieldwork |
| System Change Control and Release Management | Planned | BSD | Fieldwork |
| IT Asset Records Management | Unplanned | BSD | Fieldwork |
| Cyber Security – Response and Resilience | Planned | BSD | Fieldwork |
| Greenwood Residential Care Home Establishment Review | Unplanned | ASC | Fieldwork |
| Grangemead Residential Care Home Establishment Review | Unplanned | ASC | Fieldwork |
Appendix D
Audits added to and removed from the plan during 2023/24
Audits Added:
· Greenwood Residential Care Home Establishment Review
· Grangemead Residential Care Home Establishment Review
· Sea Change Sussex
· Bus Recovery Grant Certification
· Migration of SAP to Azure
· SAP Support Pack Key Control Testing
· Health Visiting Contract – Contract Management
· IT Asset Records Management
· Broadband Grant Certification
· Domestic Violence and Abuse Refuge Contract Management
· New Declarations of Interest System
· Procurement Cards (Proactive Counter Fraud Work)
Audits Removed/Deferred:
| Audit Title |  |
| Managing Service Demand | The focus of this review was to be in Children’s Services due to the significant pressures that the Department is facing. However, during the year, the Council engaged a consultant, IMPOWER, to look at ways to mitigate spend pressures and improve outcomes for children. Given this work, the planned audit was not considered necessary. We will undertake work as part of the 24/25 audit plan to assess whether the recommendations arising from this have been implemented. |
| Procurement Regulatory Changes | The Procurement Act 2023 received Royal Assent on 26 October 2023, but the new regime will not come into force until October 2024. As a result, Internal Audit support for the updating of Procurement and Contract Standing Orders (PCSO) has not yet been required. |
|  | Regulatory changes were expected in 2024 in relation to Social Care Reform. These were postponed but remain in consideration for audit work in 2024/25. |
|  | System not fully implemented this year. Included in 24/25 audit plan. |
| Property Asset Management System (PAMS) Replacement | No requirement for additional support for the implementation project as originally expected. |
| Procurement Data Analytics Follow-Up | Included in 24/25 audit plan. |
| External Funding Follow-Up | Included in 24/25 audit plan. |
| Contain Outbreak Management Fund – Grant Certification | No requirement for certification this year. |
| Schools Basic Needs Allocation – Grant Certification | No requirement for certification this year. |
| Property Services Programme Management | The focus of this review was to look at the arrangements for the effective management of the programme of work in Property Services. Prior to starting this work, Property engaged a consultant to support them with making improvements in this area. Therefore, the planned audit was not considered necessary. |
Appendix E
Audit Opinions and Definitions
| Opinion | Definition |
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |