Report to: |
West Devon Audit Committee |
||||||
Date: |
25 July 2023 |
||||||
Title: |
Annual Internal Audit Report for 2022-23 |
||||||
Portfolio Area: |
Performance & Resources - Cllr C Edmonds |
||||||
Wards Affected: |
All |
||||||
Urgent Decision: |
N |
Approval and clearance obtained: |
Y |
||||
|
|
||||||
Author: |
Paul Middlemass |
Role: |
Audit Manager |
||||
Contact: |
Paul.Middlemass@devon.gov.uk 07736 155687 Tony.d.Rose@devon.gov.uk 01392 383000 |
||||||
RECOMMENDATION: That members note the Internal Audit Report for 2022-23 and consider it when reviewing the Annual Governance Statement. |
1. Executive summary
The purpose of this report is to provide members with the annual report summarising internal audit assurances provided during 2022-23 to inform the Annual Governance Statement.
2. Background
The Audit Committee, under its Terms of Reference contained in West Devon Borough Council’s Constitution, is required to monitor and review the internal audit programme and findings, and the associated progress and performance of Internal Audit.
The Accounts and Audit (Amendment) (England) Regulations 2015 require that all Authorities need to carry out an annual review of the effectiveness of their internal audit system and need to incorporate the results of that review into their Annual Governance Statement (AGS), published with the annual Statement of Accounts.
The purpose and role of Internal Audit, and of the related Council responsibilities is also contained in the Internal Audit Charter and Strategy.
3. Outcomes/outputs
4. Options available and consideration of risk
No alternative operation has been considered as the function of internal audit is a requirement of Corporate Governance.
5. Proposed Way Forward
That Audit Committee notes the Annual Report of Internal Audit (Appendix A).
6. Implications
Implications
|
Relevant |
Details and proposed measures to address |
Legal/Governance
|
Y |
The Accounts and Audit Regulations 2015 issued by the Secretary of State require every local authority to undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards.
The work of the internal audit service assists the Council in maintaining high standards of public accountability and probity in the use of public funds. The service has a role in promoting robust service planning, performance monitoring and review throughout the organisation, together with ensuring compliance with the Council’s statutory obligations. |
Financial
|
Y |
There are no additional or new financial implications arising from this report. The cost of the internal audit team is in line with budget expectations. |
Risk |
Y |
The work of the internal audit service is an intrinsic element of the Council’s overall corporate governance, risk management and internal control framework. |
Supporting Corporate Strategy |
Y |
This Annual Report and the work of Internal; Audit supports all of the Council’s corporate strategy themes. |
Climate Change – Carbon / Biodiversity Impact |
Y |
None directly arising from this report. The Internal Audit function, managed by Devon Audit Partnership is mindful of the need to minimise cost in completing the internal audit plan. Where efficient, desk-top review of documents, and the use of electronic records, is used to support the audit process, although it is inevitable that on-site verification may be required at times. The team use an audit management system (Pentana) which enables managerial review to take place remotely, thus also saving on the need for travel. |
Comprehensive Impact Assessment Implications
|
||
Equality and Diversity |
N |
There are no specific equality and diversity issues arising from this report. |
Safeguarding
|
N |
There are no specific safeguarding issues arising from this report. |
Community Safety, Crime and Disorder |
N |
There are no specific community safety, crime and disorder issues arising from this report. |
Health, Safety and Wellbeing |
N |
There are no specific health, safety and wellbeing issues arising from this report. |
Other implications |
N |
There are no other specific implications arising from this report. |
Supporting Information
Appendices:
Appendix A – Internal Audit Annual Report for 2022-23
Background Papers:
Internal Audit Plan 2022/23 as approved by Audit Committee.
Approval and clearance of report
Process checklist |
Completed |
Portfolio Holder briefed |
Yes |
SLT Rep briefed |
Yes |
Relevant Exec Director sign off (draft) |
Yes |
Data protection issues considered |
Yes |
If exempt information, public (part 1) report also drafted. (Committee/Scrutiny) |
N/A |
|
|
||
Annual Internal Audit Report 2022-23 |
|
||
|
|
||
West Devon Audit Committee |
|
||
|
|
||
25 July 2023 |
|||
Contents |
Page |
Introduction |
1 |
Opinion Statement |
2 |
Summary Assurance Opinions |
3 |
Audit Coverage and Performance against the Plan |
4 |
|
|
Appendices |
|
1 Remaining Audit Reports & Findings |
7 |
2. Professional Standards and Customer Service |
13 |
3 Audit Authority |
14 |
4 AGS Annual Governance Assurance Framework |
15 |
6 Customer Service Excellence |
16 |
6 Basis for Opinion |
17 |
The Audit Committee, under its Terms of Reference contained in the Council’s Constitution, is required to consider the Chief Internal Auditor’s annual report, to review and approve the Internal Audit programme, and to monitor the progress and performance of Internal Audit.
The Accounts and Audit (Amendment) (England) Regulations 2015 introduced the requirement that all Authorities carry out an annual review of the effectiveness of their internal audit system, and to incorporate the results of that review into their Annual Governance Statement (AGS), published with the annual Statement of Accounts.
The Internal Audit plan for 2022-23 was presented and approved by the Audit Committee in March 2022. The following report and appendices set out the background to audit service provision, a review of work undertaken during the year and provides an opinion on the overall adequacy and effectiveness of the Authority’s internal control environment.
The Public Sector Internal Audit Standards require the Head of Internal Audit to provide an annual report providing an opinion that can be used by the organisation to inform its governance statement. This report provides that opinion.
Expectations of the Audit Committee from this annual report
Audit Committee members are requested to consider:
· the assurance statement within this report.
· the basis of our opinion and the completion of audit work against the plan.
· the scope and ability of audit to complete the audit work.
· audit coverage and findings provided.
· the overall performance and customer satisfaction on audit delivery.
In review of the above the Audit Committee are required to consider the assurance provided alongside that of the Hub Committee, Corporate Risk Management and external assurance including that of the External Auditor as part of the Governance Framework (see appendix 5) and satisfy themselves from this assurance to support signing the Annual Governance Statement.
This opinion statement will provide Members with an indication of the direction of travel for their consideration for the Annual Governance Statement see appendix 4.
The Authority’s internal audit plan for the year includes specific assurance, risk, governance, and value-added reviews which, with prior years audit work, provide a framework and background within which we assess the Authority’s control environment. The Head of Internal Audit’s Opinion is informed by the assurance conclusions obtained in the audits undertaken in 2022-23. Significant weaknesses identified should be considered by the Authority in preparing its Annual Governance Statement for 2022-23.
In undertaking our audits, Internal Audit assesses whether controls are operating satisfactorily and provide an overall opinion on the adequacy of controls to management within the audit report. Audit reports include an action plan with responsible officers and target dates to address control issues. While implementation of action plans rests with management, high priority and other recommendations are reviewed during subsequent audits or as part of specific follow-ups.
Underpinning our overall Reasonable Assurance Opinion are the twelve Substantial, twelve Reasonable, and three Limited Assurance Opinions provided. The summary Assurance Opinions chart provides a “Themed” overview.
Internal Control Framework The control environment comprises the policies, procedures and operational systems including processes to establish and monitor the achievement of the Council’s objectives; facilitate policy and decision making; ensure economical, effective, and efficient use of resources, compliance with established policy, procedure, law and regulation; and safeguard the Council’s assets and interests from losses of all kinds. The Council’s overall internal control framework is considered to have operated effectively during the year. This is supported by the high proportion of Substantial Assurances we have provided. Core financial and administrative systems were reviewed by us and found to be largely effective. Where we have highlighted some weaknesses in compliance to key controls, none are considered to have had a material impact on the Authority’s operations. A concern relates to monitoring the implementation of management actions agreed in audit reports. Work is now underway to review management actions to ascertain if they have been completed. |
||
Risk Management Risks were discussed in appropriate forums including members, and there is a Risk Management Group although notes of these meetings should be kept. The formal Risk Management Strategy needs review and refreshing, and risk management embedded in all business areas. |
Governance Arrangements Corporate Strategies have recently been updated and there was good linkage to performance management arrangements. Good partnership arrangements are held with several organisations. There was a good framework of policies, activities, and training supported staff health and wellbeing. |
Performance Management A hierarchy of strategies and delivery plans support reporting to senior management and members. Most service areas had performance measures, but work is needed to ensure coverage in all areas. |
Substantial Assurance |
A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited. |
Limited Assurance |
Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited. |
Reasonable Assurance |
There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited. |
No Assurance |
Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited. |
We have grouped our audit assurance opinions during 2022-23 under the responsible Service area in the diagram below. The ratings are relevant at the time of the audit review and assurance may have improved since that time.
We completed 92% of the plan agreed for 2022/23 (to draft /final report stage) by May 2023. This was despite re-allocation of the internal audit team resource to support grant checking (85 days on C-19 Business Grants) and other work during the year. DAP provided audit resource and delivered several audits to compensate for these days. Some audits were cancelled or deferred at management request. There is allocation of days in the 2023-24 audit plan to complete the audits carried forward into 2023/24.
The Chart opposite shows the mix of assurance opinions provided over the year.
Our assurances include three Limited Assurance opinions, which relate to the following reviews:
Building Maintenance - Follow Up: Significant weaknesses remain as previously reported, including the absence of a strategy to guide asset maintenance and a large part of the work undertaken is reactive, rather than planned. We are confident management has prioritised actions to address these weaknesses.
Procurement: Work is needed to take forward the actions in the procurement strategy and create a comprehensive contract register. The limited procurement expertise limits the amount of value-added activity that can be undertaken.
Markets (South Hams only): Existing procedures need improvement to improve current controls and protect the officers managing them and market users.
We also reviewed progress to implement improvements on Council Tax, and Business Rates. Our annual report for 2021-22 reported the Limited Assurance opinions for these audits. We undertook follow up reviews in April 2023 and confirm that work is being progressed to implement the agreed recommendations. Further reviews will be undertaken in 2023-24 to assess if the assurance level has improved.
This year’s mix of opinions compare to the six Substantial, seven Reasonable, and five Limited Assurance audit opinions provided for 2021/22.
Implementation of Internal Audit Recommendations: In our audits we assess if management actions from previous reviews have been implemented. During the year we identified audits where these had not been implemented, meaning that the control weakness and risk remains. The council has now reviewed previous management actions. Of the 219 High / Medium management actions with target dates to the end of 2022, 68 are complete, 12 are superseded (for instance relate to systems no longer in use), 55 are in progress but overdue, and 12 are overdue and not started. Management is continuing to progress the remaining management actions.
At Appendix 1 we include a summary of the audits delivered since the Audit Committee of March 2023. Summaries of the other audits delivered prior to that meeting were included in reports to the Committee during the year.
· Providing objective and relevant assurance.
· Contributing to the effectiveness and efficiency of the governance, risk management and internal control processes.
This current year, we have sought to add value by increasing the number of similar audits undertaken in different partners to support compare and contrast activity, and to identify best practice. We also actively worked with management to progress actions to reduce their risk in areas such as Building Maintenance and Procurement and focused on high-risk areas such as Cyber Security.
We also issued relevant information bulletins on:
· Good practice and reflections on District Councils’ progress to meet Climate Change objectives.
· Comparison of agenda items presented to Devon District Audit and Governance Committee.
Finally, we have provided advice and guidance on good practice related to Governance, Risk Management and Fraud. Appendix 5 provides details of the specific feedback for the council and all our clients.
Overall, the risk of fraud at the Council is considered low. We continue work with managers to discuss their fraud risks and assess whether controls are sufficient / effective. We have recently helped the council to update the following counter fraud documents:
· Anti-Fraud Bribery and Corruption Policy.
· Anti-Fraud Bribery and Corruption Strategy and Response Plan.
· Whistleblowing Policy.
· Fraud risk register – we produced an initial draft setting out what we consider were the most significant risks.
These policies will be presented to the September Audit and Governance Committee meeting.
As part of the review, we competed an assessment of the council’s arrangements against the CIPFA best practice framework. Our benchmarking review concluded that the result of the councils “benchmarking against best practice is encouraging and supports the opinion that the Council is committed to reducing fraud losses to the minimum level possible”. We provide a summary of the report in Appendix 1.
All our internal audit assignments include considering the potential for fraud and how the council prevents such fraud occurring. Our audits on the key financial systems (Payroll, Creditors, Council Tax etc) consider the suitability and robustness of the control framework to prevent, detect and address fraud. The national data matching exercise (National Fraud Initiative - NFI) is supported by the Council. There were no significant investigations required during the year.
At management request we undertook extensive work to confirm that controls over grants were effective:
· Covid Business Grant: we provided evidence to Business Energy and Industrial Strategy that grants awarded were in line with scheme requirements, identified a minimal number of instances where grants were incorrectly issued and supported their recovery, and ensured grant records were retained. We provided a Substantial Assurance opinion that payments were accurately made, and scheme administration conformed with the guidance.
· South Devon Local Action Group / Greater Dartmoor Local Enterprise Action Fund (LAG / LEAF): we completed work to confirm the reasonableness of work undertaken by Diverse Regeneration Company, and the accuracy of their management and administration costs. Grant claims were compiled on behalf of SH&DC and evidence collated for submitted to the RDPE in accordance with strict rules. The Programme concluded in 2023 with submission of the final claim for management and administration costs.
|
|
|
||||||||||||||||
|
|
Devon Audit Partnership conforms to the requirements of the PSIAS for its internal audit activity. The purpose, authority and responsibility of the internal audit activity is defined in our internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards. Our internal audit charter was approved by senior management and the Audit Committee in 2022. This is supported through DAP self-assessment of conformance with Public Sector Internal Audit Standards & Local Government Application note.
Quality Assessment –The Head of Devon Audit Partnership maintains a quality assessment process which includes review by audit managers of all audit work. The quality assessment process and improvement is supported by a development programme.
External Assessment - The PSIAS states that a quality assurance and improvement programme must be developed; the programme should be informed by both internal and external assessments.
An external assessment must be conducted at least once every five years by a suitably qualified, independent assessor. For DAP this was recently conducted at the end of 2021 by the Head of Southwest London Audit Partnership, and the Chief Internal Auditor of Orbis (a partnership organisation covering Brighton and Hove, East Sussex, and Surrey County Council).
The assessment result was that “Based on the work carried out, it is our overall opinion that DAP generally conforms* with the Standards and the Code of Ethics”. The report noted that “As a result of our work, a small number of areas where partial conformance was identified. These were minor observations, none of which were significant enough to affect the overall opinion”. DAP is actively addressing these improvement areas.
*Generally Conforms – This is the top rating and means that the internal audit service has a charter, policies and processes that are judged to be in conformance to the Standards
Improvement Programme –DAP maintains a rolling development plan of improvements to the service and customers. All recommendations of the external assessment of PSIAS and quality assurance were included in this development plan and have been completed. This will be further embedded with revision of our internal quality process through peer review. Our development plan is regularly updated, and a status report reported to the DAP Management Board.
DAP was successful in re-accreditation by G4S Assessment Services of the CSE standard during January 2023. This accreditation is a UK-wide quality mark which recognises organisations the prioritise customer service and are committed to continuous improvement.
During the year we have issued client survey forms for some of our reports, and the results of the surveys returned were very good / positive. The overall result is very pleasing, with near 97% being "satisfied” or better across our services (see Appendix 4). It is very pleasing to report that our clients continue to rate the overall usefulness of the audit and the helpfulness of our auditors highly.
The conclusions of this report provide the internal audit assurance on the internal control framework necessary for the Committee to consider when reviewing the Annual Governance Statement.
The Annual Governance Statement provides assurance that
o the Authority’s policies have been complied with in practice.
o high quality services are delivered efficiently and effectively.
o ethical standards are met.
o laws and regulations are complied with.
o processes are adhered to.
o performance statements are accurate.
The statement relates to the governance system as it is applied during the year for the accounts that it accompanies. It should:
· be prepared by senior management and signed by the Chief Executive and Chair of the Audit Committee.
· highlight significant events or developments in the year.
· acknowledge the responsibility on management to ensure good governance.
· indicate the level of assurance that systems and processes can provide.
· provide a narrative on the process that has been followed to ensure that the governance arrangements remain effective. This will include comment upon;
o The Authority.
o Audit Committee.
o Risk Management.
o Internal Audit.
o Other reviews / assurance.
Provide confirmation that the Authority complies with CIPFA
/ SOLACE Framework Delivering Good Governance in Local
Government. If not, a statement is required stating how other
arrangements provide the same level of assurance
For each audit we issue a customer feedback form. The results we receive help us shape our service; it helps to identify possible training needs for staff and helps us understand the areas of our process that are more challenging for the auditee. The diagram below shows the feedback results for the whole of DAP.
The Chief Internal Auditor is required to provide the Council with an opinion on the adequacy and effectiveness of its accounting records and its system of internal control in the Council. In giving our opinion, it should be noted that this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance, formed from risk-based reviews and sample testing, of the framework of governance, risk management and control.
This report compares the work carried out with the work that was planned through risk assessment; presents a summary of the audit work undertaken; includes an opinion on the adequacy and effectiveness of the Authority’s internal control environment; and summarises the performance of the Internal Audit function against its performance measures and other criteria. The report outlines the level of assurance that we are able to provide, based on the internal audit work completed during the year. It gives:
· a statement on the effectiveness of the system of internal control in meeting the Council’s objectives:
· a comparison of internal audit activity during the year with that planned;
· a summary of the results of audit activity and;
· a summary of significant fraud and irregularity investigations carried out during the year and anti-fraud arrangements.
The Devon Audit Partnership has been formed under a joint committee arrangement. We aim to be recognised as a high quality internal audit service in the public sector. We work with our partners by providing a professional internal audit service that will assist them in meeting their challenges, managing their risks and achieving their goals. In carrying out our work we are required to comply with the Public Sector Internal Audit Standards along with other best practice and professional standards.
The Partnership is committed to providing high quality, professional customer services to all; if you have any comments or suggestions on our service, processes or standards, the Head of Partnership would be pleased to receive them at Tony.D.Rose@Devon.gov.uk.
This report is protectively marked in accordance with the National Protective Marking Scheme. It is accepted that issues raised may well need to be discussed with other officers within the Council, the report itself should only be copied/circulated/disclosed to anyone outside of the organisation in line with the organisation’s disclosure policies.
This report is prepared for the organisation’s use. We can take no responsibility to any third party for any reliance they might place upon it.