Annexe A
Internal Audit and Counter Fraud
Quarter 3 Progress Report 2024/25
CONTENTS
1. Summary of Completed Audits
2. Counter Fraud and Investigation Activities
3. Action Tracking
4. Amendments to the Audit Plan
5. Internal Audit Performance
1. Summary of Completed Audits
1.1 The Accounts Receivable (AR) function is responsible for ensuring that all income due to the Council is collected effectively and efficiently, banked promptly and correctly accounted for.
1.2 This audit aimed to provide assurance over the key controls operating within AR, including those in place for ensuring the accuracy of customer details, the timeliness and accuracy of invoicing, the recording and matching of payments to invoices, and completeness of debt recovery processes.
1.3 In completing this review, we have been able to provide an opinion of reasonable assurance. We found that:
· Proof of debt is provided in order to support the raising of invoices;
· All invoice requests are subject to quality review and reasonableness checks prior to issue, in order to reduce the risk of duplicate records;
· Credit note, write off and refund processes are operating as expected, with approval being obtained at the correct level and documentation being retained; and
· Unallocated income held in the Council’s suspense accounts is regularly reviewed to ensure that monies are allocated to the correct account.
1.4 There were, however, a small number of areas where further improvements could be made, including to ensure that:
· Invoice requests are sent in a timely manner, in line with policy requirements;
· Secondary review of completed reconciliations is undertaken in a timely manner; and
· Cases with associated complaints are moved promptly to the appropriate block, ensuring that recovery action or complaint resolution takes place as appropriate.
1.5 Actions were agreed with management to support areas where further improvement is required.
Procurement Data Analytics Follow-Up
1.6 A previous audit of Procurement Data Analytics resulted in an audit opinion of partial assurance. The purpose of the audit was to use data analytic techniques to assess whether all contracts let by the Council over £25,000 had been captured within the Corporate Contracts Register and let in accordance with the Council’s Procurement and Contract Standing Orders (PCSOs); the rules that must be followed when procuring goods, works or services. We found instances of non-compliance with PCSOs, including where formal contracts had not been publicly advertised via full tender and where formal contracts were not in place where they should have been.
1.7 A follow-up audit was therefore undertaken to assess the extent to which the agreed actions for improvement had been implemented. In doing so, we were conscious that some of the agreed actions were dependent upon the implementation of the Oracle Enterprise Resource Planning (ERP) system, and that the programme delivering this had been delayed. In these instances, we reviewed whether the identified risk has been addressed via an alternative route.
1.8 In completing the follow-up audit, we found that:
· Where actions were reliant upon the delayed implementation of the Oracle ERP system, alternative action has been taken to support the mitigation of risks associated with these;
· Instances of non-compliant spend identified in the previous audit had been investigated, and remedial action taken as appropriate; and
· Reporting now takes place on purchase orders where there is potential non-compliance, with these being logged and investigated. The Procurement Team then work with services to put contracts in place as needed.
1.9 Given the improvements made, we were able to provide an updated opinion of reasonable assurance. Some further actions were, however, agreed with management, including to ensure that the Procurement Team have access to Oracle (once implemented) to help identify areas of non-compliant spend.
Contract Management Follow-Up
1.10 The Contract Management Framework provides a structured approach for the management of contracts, to ensure delivery of value and quality of goods and services purchased from suppliers. In 2022/23, we undertook an audit focussing on the degree to which contract managers were complying with the Framework, concluding an opinion of partial assurance. This audit sought to assess and provide assurance on the progress made in implementing the agreed actions arising from the review.
1.11 In completing the follow-up, we were able to provide an improved opinion of substantial assurance. Based on our work, we found that all agreed actions had been implemented, including the:
· Circulation of contract management guidance, advice and tools to all employees;
· Provision of contract management training sessions to staff;
· Correction of inconsistent language within the Contract Management Framework and other guidance documentation, to reduce the risk of confusion.
1.12 No further areas for improvement were identified.
Oracle Implementation Programme - Programme Governance and Risk Management
1.13 The Oracle Programme, formerly known as the Modernising Back Office Systems Programme (MBOS) was approved by the Corporate Management Team (CMT) in September 2019, when Oracle Fusion was selected as the replacement ERP (Enterprise Resource Planning) system. The Council’s ERP system is the mission critical software system for financial management, income processing, budgeting and reporting functions, as well as payments to employees, suppliers and billing of revenue.
1.14 During 2023, the programme was paused, and subsequently scaled down to allow for independent assessments of its viability and direction to be carried out. Following a review of these, the programme restarted with a view to a phased go-live, which at the time of our audit was likely to be between late 2024 for Finance, and summer 2025 for HR/Payroll (these dates have subsequently been revised, with Finance, Procurement and Recruitment due to go-live in April 2025, and HR/Payroll in 2026).
1.15 The aim of this work was to support and provide advice on the governance and risk management arrangements within the programme. As this was an advisory piece, we did not provide a formal audit opinion. However, in conclusion, we found that the governance arrangements for the programme required improvement to enable it to fully understand and achieve its objectives. We agreed a number of actions to make improvements to the governance arrangements which included:
· Updating key governance documents, including the Governance Terms of Reference, Business Case and Programme Initiation Document, to reflect the current status of the programme;
· Revising the Highlight Report that is presented to the Programme Board to give an indication of overall progress against each of the programme workstreams in the form of a Red, Amber or Green (RAG) status;
· Ensuring the gateway/checkpoint process is followed with clear reporting to the Programme Board before moving between each phase of the programme;
· Ensuring everyone with a role in the programme understands what is expected of them and ensuring sufficient internal and external resources are in place to meet current and future programme demands; and
· Appointing a contract manager to oversee the complex relationships between parties.
1.16 Actions for improvement to address these areas were agreed with programme management.
New Declaration of Interest System
1.17 All employees are required to complete a declaration of interests (DOI) on an annual basis, or more frequently where their circumstances change, whether there is a potential conflict present or not. Given the lack of continued support for the existing Sharepoint DOI system, a project was undertaken to redevelop the DOI system on a new SharePoint platform to allow for current functionality to remain, whilst providing a new look and feel to aid usability. The project also sought to ensure that agreed actions from a previous audit review had been considered and implemented to strengthen control.
1.18 We attended meetings of the working group to provide independent audit advice in respect of the new system. We also completed limited testing to assess the extent to which controls are in place and operating effectively. This included Internal Audit team members assuming different roles with the system and reviewing the processes and controls for both nil and positive declarations. Based on this work, we found that the system worked as expected and there were no significant control issues which would have prevented the system from going live. The system was subsequently implemented in October 2024.
Civica Property Management (CPM) Application Control Follow-up
1.19 Civica Property Management, or CPM, is a web-based property management system provided by Civica. It comprises modules to facilitate a variety of property and asset management functions, including reactive maintenance. The Council uses the system to hold information on building condition and all property ownership details, as well as statutory compliance information, e.g., fire safety reports following site visits.
1.20 In 2022/23, an application control audit of CPM was completed, for which we provided an audit opinion of partial assurance. As part of our planned work for 2024/25, we agreed with management to undertake a follow-up review.
1.21 In completing this work, we were able to provide an improved opinion of reasonable assurance. We found that:
· The number of generic user accounts has been reduced significantly, with these being subject to regular review to ensure that they remain relevant and appropriate;
· A process has been developed to support with system updates and enhance visibility of these;
· An IT risk assessment has been carried out to identify any changes to the risk profile following the change of server locations and system ownership; and
· The process for reconciliation of payments between SAP and CPM has been documented and includes detail of appropriate action should the reconciliation fail.
1.22 A few areas for further improvement were identified, and appropriate action agreed with management, including the need to ensure that overarching responsibilities for the management of the system are clearly defined and documented, and that procedure documents are developed to support the operation of the system.
Civica Property Management (CPM) Payment Controls
1.23 In February 2024, duplicate payments (total £72,396) originating from CPM were identified and blocked before any payment was actually made. As a result, we were asked to review the adequacy of payment, interface and reporting controls within CPM.
1.24 Overall, we were able to provide an opinion of reasonable assurance in this area. It transpired that the potential duplicates arose as a result of unannounced system changes by the CPM software provider which caused some payment runs to time out during the data transfer from CPM to SAP. The failed batches were resubmitted by the Property Team who were unaware that some invoices from the failed batches had already transferred successfully to SAP. At the time, no CPM to SAP reconciliation process was in place, which would have identified the issue when the data transfer took place. A daily reconciliation was implemented immediately to resolve this issue.
1.25 In completing this work, we found that:
· Works are subject to appropriate approval prior to being carried out;
· Payments are checked to ensure that they match the works ordered;
· Daily reconciliations are carried out to confirm that data transfers between CPM and SAP are complete and accurate, with a defined process in place to aid understanding and consistency.
1.26 Some areas for improvement were, however, identified and agreed with management, including the need to ensure that:
· Financial reporting requirements are defined to support effective budget monitoring;
· CPM approval levels are appropriate and in-line with those in SAP; and
· Worksheets from contractors are signed on behalf of the Council to confirm that the works have been completed.
1.27 Actions in respect of the above areas were agreed with management.
Health and Safety Compliance – Property Management
1.28 The Health and Safety at Work Act 1974 (HSaW Act) sets out wide-ranging duties on employers to protect the health, safety and welfare of employees and the general public, insofar as is reasonably practicable. Serious harm to an employee or a service user can result in significant costs to the Council as well as reputational damage. There are also individual responsibilities under the Act. Failure of individuals and organisations to comply can lead to unlimited fines and possible imprisonment. The importance of effective health and safety management and compliance has become even more crucial with the introduction of the offence of corporate manslaughter.
1.29 This review is the second part of a two-phase review of health and safety. The first review was carried out as part of the 2022/23 internal audit plan where we assessed the adequacy of the Council’s health and safety framework, providing an opinion of reasonable assurance over this.
1.30 In this second review, we assessed compliance with health and safety requirements set out in relevant legislation and corporate policies (e.g. asbestos, legionella, fire etc.) at the Council’s operational premises.
1.31 In completing this work, we were able to provide an opinion of reasonable assurance, finding that:
· There is a high statutory compliance rate in respect of safety checks and inspections, for those properties which have been appropriately onboarded into the CPM system; and
· Safety incidents reported to the Property Helpdesk are actioned in a timely manner, including making sites safe whilst awaiting longer-term solutions.
1.32 There were, however, some areas where improvements were required to improve controls, and actions have been agreed with management to resolve these, including ensuring that:
· All lease agreements and servicing and safety inspection details are onboarded onto the CPM to help ensure inspections are carried-out where required;
· There is corporate oversight to ensure that fire risk assessments, and visual inspections where asbestos containing materials are identified, are subject to annual review by controllers of premises; and
· Data relating to equipment and assets which require regular assessment is maintained within the CPM system.
Appointee and Deputyship Process Follow-Up
1.33 Appointee and Deputyships allow the Council to assume responsibility for an individual’s financial affairs where the individual no longer has the mental capacity to do so themselves, and there are no available family, friends or associates who could undertake this role on their behalf. Both roles are discretionary, and the Council is under no statutory obligation to provide this function.
1.34 An audit of the Appointee and Deputyship process was completed in 2022/23, which concluded an opinion of partial assurance. This follow-up audit sought to provide assurance that progress had been made in implementing the agreed actions for improvement.
1.35 In completing this review, we were able to provide an improved opinion of reasonable assurance, with the majority of agreed actions from the previous review having been implemented. We found that:
· Significant numbers of historical transactions have been allocated to client accounts, resulting in corrected balances;
· In-person visits are taking place on a routine basis, with income and expenditure being reviewed annually to ensure the accuracy of client accounts; and
· A process for investing clients’ money, that is in excess of their annual needs, has been established and documented.
1.36 Opportunities for improvement were, however, identified where some of the previously agreed actions had only been partially implemented. These were discussed with management and additional actions were agreed to further strengthen the control environment, including the need to:
· Seek further advice and guidance from the Finance Team in relation to the remaining historical transactions that have not yet been allocated to client accounts;
· Develop Key Performance Indicators (KPIs) to support monitoring and delivery of the function; and
· Ensure that the schedule of guidance is updated to reflect the creation of new guidance, and the refresh of existing guidance.
1.37 PAX is a cloud-based passenger transport scheduling and payment management system which supports the provision of home to school, adult social care, and public transport. The Transport Hub has 22 users of the system, with four additional users within the Safeguarding and Emotional Wellbeing Team with read-only access. The system interfaces with the Council’s financial management software, SAP, to receive and process payments.
1.38 Within this application control audit, we reviewed all major input, processing and output controls, including access controls and interfaces with other systems. We also assessed the adequacy of arrangements for system ownership and responsibilities.
1.39 In completing this review, we were able to provide an opinion of reasonable assurance. We found that:
· A technical risk assessment had been completed and appropriate action taken to improve the security of the system;
· A file export ensures that financial data is transferred from PAX to SAP, with controls in place to maintain appropriate separation of duties and approval processes to help ensure that data is accurate and reliable;
· Controls over system upgrades are robust and well communicated; and
· Audit trails are maintained where client accounts are created or modified.
1.40 There were, however, a small number of areas where further improvement was required, including the need to ensure that:
· Regular user access audits are undertaken, including the review of user permissions;
· Formal approval is given by the System Owner prior to updates going live within the production environment; and
· A Business Impact Assessment and Disaster Recovery Plan are produced to help ensure that functionality is recovered in the event of system outage.
1.41 Actions have been agreed with management in respect of these areas.
Transition of Local Enterprise Partnerships
1.42 In August 2023, the government announced its decision to withdraw central government support (core funding) for Local Enterprise Partnerships from April 2024 and to transfer their functions to upper-tier local authorities. In East Sussex, this meant that most economic growth functions previously delivered by the South-East Local Enterprise Partnership (SELEP) would transfer to the Council. This transition is currently in progress.
1.43 To support this process, we have attended LEP transition meetings in an advisory capacity, providing audit advice and feedback on the draft East Sussex Local Growth Assurance Framework which builds on the existing governance, management and oversight of the local growth capital programme. We will continue to support the transition where required as it progresses.
School Audit Work
1.44 We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The key objectives of our work include seeking assurance that:
· Decision making is transparent, well documented and free from bias;
· The school is able to operate within its budget through effective planning;
· Staff are paid in accordance with the school pay policy;
· Expenditure is controlled and funds are used for an educational purpose. The school ensures value for money on contracts and larger purchases; and
· All voluntary funds are held securely, and funds are used in accordance with the agreed aims.
1.45 We undertake school audits through a range of both remote and on-site working arrangements.
1.46 The table below shows a summary of the one school audit completed in Q3, together with the level of assurance received and areas for improvement.
|
Name of School |
Audit Opinion |
Areas Requiring Improvement |
|
Saint Richard’s Catholic College Follow-Up |
Reasonable Assurance |
Including to ensure that: · The Scheme of Delegation remains relevant and up-to-date, particularly in relation to staff roles; · All staff declarations of interest, where a potential conflict has been declared, are subject to appropriately documented and agreed mitigations; · Mileage claims are only submitted in a single approved format and only paid where there is appropriate evidence to support the claim; and · The Contracts Register is updated and appropriately maintained in order to support appropriate oversight and timely renewal or cancellation of contracts. |
Grant Related Audit Work
Supporting Families Programme 2024/25 Quarter 3
1.47 The Supporting Families (SF) programme has been running in East Sussex since January 2015 and is an extension of the original Troubled Families scheme that began in 2012/13. The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Ministry of Housing, Communities and Local Government (MHCLG), based on the level of engagement and evidence of appropriate progress and improvement.
1.48 Children’s Services submit periodic claims to the MHCLG to claim grant funding under its ‘payment by results’ scheme. MHCLG requires Internal Audit to verify 10% of claims (capped at 20) prior to the Local Authority’s submission of its claim. We therefore reviewed 16 of the 164 families included in the October to December 2024 grant cohort.
1.49 In completing this work, we found that valid ‘payment by results’ (PbR) claims had been made and outcome plans had been achieved and evidenced. All the families in the sample of claims reviewed had, firstly, met the criteria to be eligible for the SF programme, and had achieved significant and sustained progress. We therefore concluded that the conditions attached to the SF grant determination programme had been complied with.
Traffic Signal and Green Light Fund
1.50 The Department for Transport (DfT) has provided funding to local authorities to support the upgrading of traffic signal systems by replacing obsolete equipment and tuning up traffic signals to better reflect current traffic conditions and get traffic moving. This grant was ringfenced for these purposes and required the Authority to comply with certain conditions.
1.51 We were required to undertake testing to ensure that proposed projects were in line with grant conditions and that submissions had been made on time. Based on our testing, we were able to confirm that the Council had complied with the terms of the grant. A signed declaration was returned to the DfT within the required timescales.
Contain Outbreak Management Fund
1.52 The Contain Outbreak Management Fund (COMF) is provided by the Department of Health and Social Care (DHSC) in response to the COVID-19 pandemic. The fund is ringfenced for public health purposes, in order to support the reduction of COVID-19 transmissions.
1.53 We were required to undertake sample testing to ensure that planned and actual expenditure was in line with grant conditions, including ensuring that all funding was committed and that it was to be used for purposes which would support the reduction of COVID-19 transmissions. The samples tested met the purpose and conditions set out in the application and awarding documentation, and we were able to return a signed declaration to the DHSC.
2. Counter Fraud and Investigation Activities
Counter Fraud Activities
2.1 The team continue to monitor intel alerts and share information with relevant services when appropriate.
2.2 In addition, the team are currently reviewing recent matches released as part of the National Fraud Initiative. High risk matches will be prioritised for investigation and support provided to services reviewing the reports.
Summary of Completed Investigations
School Meals
2.3 An allegation was received alleging that a school meals contactor was inflating the number of meals provided. An investigation was undertaken and found no case to answer; robust processes were in place for the recording and reconciliation of meals.
Theft of Travel Warrants
2.4 We were advised of the theft of travel warrants from a safe in a Children’s residential home. Due to the age of the travel warrants and elapsed time, it was not viable to undertake an investigation, however, advice was provided on safe security and a control report issued agreeing actions to improve premises security.
3. Action Tracking
3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking, whereby we seek written confirmation from services that these have been implemented. As at the end of quarter 3, it was confirmed that 14/15 (93.3%) of the high-risk actions due to be implemented on a 12-month rolling basis had been actioned. The one outstanding action, relating to resource planning for the Oracle Implementation Programme, has not been fully implemented. The Programme Sponsor considers that the risk has been mitigated to the fullest extent possible within the available financial envelope. This mitigation means that there is sufficient resource available to go-live though it is acknowledged that there remain vulnerabilities as there are many single points of failure within that resource. Should these resources be heavily depleted for any reason, this would put go-live at risk. This risk features on the programme risk register with compensating controls in place to manage the risk, including ongoing monitoring of resource levels.
4. Amendments to the Audit Plan
4.1 In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk. Through discussions with management, the following reviews have been added to the audit plan so far this year:
|
Review |
Rationale for Addition |
|
Registration Service |
Identified as an area for review after the audit plan had been agreed. Reported in our Q2 progress report. |
|
Declaration of Interest System Upgrade Project |
Advice on risk and control in relation to the upgraded declaration of interest system (as reported above). |
|
SAP Support Costs |
Requested by IT&D management to investigate the implications of removing the SAP security and access role. Reported in our Q1 progress report. |
|
Civica Property Management (CPM) system - Payment Controls |
To review internal controls in the system following the identification of potential duplicate payments (as reported above). |
|
Early Years Childcare Expansion Grant |
New grant requiring certification. Reported in our Q1 report. |
|
Home to School Transport |
Audit requested by the Corporate Management Team due to the continued financial challenge in this area. |
|
Traffic Signal Obsolescence and DfT Green Light Fund |
New grant requiring certification (as reported above). |
|
Oracle Programme Governance and Risk Management Arrangements |
To review programme governance and risk management arrangements (as reported above). |
|
Oracle Implementation Programme Controls Assurance – Enterprise Performance Management (EPM) |
To assess controls within the Enterprise Performance Management module of Oracle (as reported above). |
|
Oracle Procure to Pay |
Assessment of the ‘to-be’ controls prior to the proposed Oracle go-live date of April 2025. |
|
Oracle Accounts Receivable |
As above. |
|
Oracle General Ledger |
As above. |
|
Oracle HR Recruitment |
As above. |
|
Oracle Testing Arrangements |
Assessment of the testing arrangements for Oracle implementation, prior to proposed go-live of April 2025. |
|
Oracle Interfaces and Reconciliation |
Assessment of the interfaces and reconciliation arrangements for Oracle implementation, prior to the proposed go-live of April 2025. |
|
Oracle Data Cleansing and Migration |
Assessment of the data cleansing and migration arrangements for Oracle implementation, prior to the proposed Oracle go-live of April 2025. |
|
Oracle System Security and Administration |
Assessment of the system security and administration arrangements for Oracle implementation, prior to the proposed Oracle go-live of April 2025. |
|
Oracle Business Continuity |
Assessment of the business continuity arrangements for Oracle implementation, prior to the proposed go-live of April 2025. |
4.2 To-date, the following audits have been removed or deferred from the audit plan and, where appropriate, will be considered for inclusion in the 2025/26 plan as part of the overall risk assessment completed during the annual audit planning process. These changes are made on the basis of risk prioritisation and/or as a result of developments within the service areas concerned, requiring a rescheduling of audits. Of particular significance, as referred to in our quarter 2 progress report, is the planned go-live of the next phase (Phase 2) of Oracle implementation (Finance, Procurement and Recruitment) in April 2025, and the need for Internal Audit to provide significant resource to support the assurance arrangements ahead of the eventual implementation, which has resulted in further amendments to the plan.
|
Planned Audit |
Rationale for Removal |
|
Capital Budgetary Control |
In-year reduction in audit plan days to generate required budget savings, as reported in the quarter 2 progress report. |
|
Alternative Education Provision Commissioning for Children |
Cancelled due to delays (external factors) in transferring the Pupil Referral Unit (a key part of alternative education provision) to a new trust. The cancellation of this audit has contributed to the required budget savings above. |
|
Broadband Grant |
Cancelled - no grant certification required this year. The cancellation of this audit has contributed to the required budget savings above. |
|
Financial and Benefit Assessments |
Cancelled due to new process changes being implemented in this area. The cancellation of this audit has contributed to the required budget savings above. |
|
Accounts Payable (Procure to Pay) |
Started, but cancelled once it was proposed that Phase 2 of Oracle would go-live April 2025, where there are significant pressures on staff involved in the implementation of Oracle. Audit resources diverted to Oracle pre-implementation audit work. |
|
Implementation of Impower Recommendations |
Audit resources diverted to Oracle pre-implementation work. |
|
Children’s Liquidlogic (LCS) and Controcc Systems |
Significant pressures on staff involved in the implementation of Oracle. Audit resources diverted to Oracle pre-implementation work. |
|
Organisational Response to Financial Challenges |
Replaced with Home to School Transport - see table in 4.1 above. |
|
Volunteers |
Audit resources diverted to Oracle pre-implementation work. |
|
Accountable Body Status |
Audit resources diverted to Oracle pre-implementation work. |
|
Unaccompanied Asylum-Seeking Children |
Audit resources diverted to Oracle pre-implementation work. |
|
Emergency Planning |
Audit resources diverted to Oracle pre-implementation work. |
|
Artificial Intelligence |
Audit resources diverted to Oracle pre-implementation work. |
|
External Funding Follow-Up |
Audit resources diverted to Oracle pre-implementation work. |
4.3 The following audit work is currently in progress at the time of writing this report (including those at draft report stage, as indicated) or is scheduled for quarter 4:
· Workforce Capacity and Working Arrangements (draft report)
· Home Care Contract Management (draft report)
· IT Asset Records Management (draft report)
· Surveillance Cameras (draft report)
· Oracle Procure to Pay
· Oracle Accounts Receivable (incl. cash management)
· Oracle General Ledger
· Oracle HR Recruitment
· Oracle Testing Arrangements
· Oracle Interfaces and Reconciliation
· Oracle Data Cleansing and Migration
· Oracle System Security and Administration
· Oracle Business Continuity
· IT&D Project Management
· Home to School Transport
· Waivers to Procurement and Contract Standing Orders
· Mobile Phone Application Management
· Direct Payments
· Pension Fund - Financial Controls (presented to Pension Board on 13 February 2025, and Pension Committee on 27 February 2025)
· Pension Fund - The Administration of Benefit Payments
· Pension Fund - Compliance with Regulatory Requirements
· Pension Fund - Investments and Accounting
· Risk Management
· Transition of Young People into Adult Social Care
· Supporting Families Q4
· Microsoft Teams – Governance
· Supply Chain Cyber Security
5. Internal Audit Performance
5.1 Based on our last self-assessment against Public Sector Internal Audit Standards, Internal Audit remain fully compliant with 319 of the standards and partially compliant with the other 2 standards (in both cases proportionate arrangements remain in place).
5.2 In addition, our last Quality Review exercise in November 2023, identified no major areas of non-conformance. The need to ensure consistency in the quality of the evidence contained within a small number of audit working papers was highlighted, and this has been addressed at service development days in 2024/25.
5.3 In addition to our periodic self-assessments of effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:
*Includes part-qualified staff and those undertaking professional training.
Appendix B
Audit Opinions and Definitions
|
Opinion |
Definition |
|
Substantial Assurance |
Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Reasonable Assurance |
Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Partial Assurance |
There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
|
Minimal Assurance |
Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |