Skip to main content

Full text of "Audit and Scrutiny Committee - 01/06/2021"

See other formats


NORTH AYRSHIRE COUNCIL 


1 June 2021 
Audit and Scrutiny Committee 
Title: Internal Audit Annual Report 2020-21 
Purpose: To provide the Committee with an annual report on the work of 


Internal Audit during 2020-21 and provide an opinion on the 
governance, risk management and internal control environment 
of the Council. 


Recommendation: The Committee is asked to note the content of the annual report 


1.1 


1.2 


2.1 


2.2 


2.3 


and the opinion of the Senior Manager on the Council's 
governance, risk management and internal control environment. 


Executive Summary 


The Internal Audit Annual Report attached at Appendix 1 provides information on the 
work carried out during the period of the 2020-21 audit plan. 


It is the opinion of the Senior Manager (Audit, Fraud, Safety and Insurance) that 
reasonable assurance can continue to be placed on the adeguacy and effectiveness of 
the Council's systems of governance, risk management and internal control. 


Background 


The Public Sector Internal Audit Standards (PSIAS) require that the Chief Internal 
Auditor prepares an annual report on the activities of Internal Audit to demonstrate 
performance and that the report should contain a view on the soundness of the Council's 
governance, risk management and internal control frameworks. The Annual Report for 
2020-21 is attached at Appendix 1 and outlines the role of Internal Audit, the 
performance of the section during the year and the key audit findings. It also contains 
the annual audit assurance statement. 


The report gives information on the actual performance against the agreed plan. Overall, 
652 days of audit work took place, which was 63 days less than budgeted. Section 2 of 
the annual report provides more information on the reasons for the shortfall and the 
corrective action which was taken to amend the audit plan. 


Section 3 of the Annual Report provides information on the assurance level given for 
each audit and some of the most significant findings. All audit reports published were 
reported to the Audit and Scrutiny Committee. 


2.4 


All audit findings during the year support and inform the opinion by the Senior Manager 
(Audit, Fraud, Safety and Insurance) on the adequacy of the Council’s governance, risk 
management and internal control environment. The assurance category given to each 
individual audit informs the overall level of assurance. The Public Sector Internal Audit 
Standards require this opinion to be given each year through an annual assurance 
statement. This is included within the annual report at section 6. 


2.5 The opinion in the annual assurance statement also contributes to the Annual 
Governance Statement which is published as part of the Council’s annual accounts and 
is elsewhere on the Audit and Scrutiny Committee agenda for approval. 

2.6 Based on the audit work carried out, the opinion of the Senior Manager (Audit, Fraud, 
Safety and Insurance) is that reasonable assurance can continue to be placed on the 
adequacy and effectiveness of the Council’s systems of governance, risk management 
and internal control. 

3. Proposals 

3.1 Itis proposed that the Committee notes the content of the annual report and the opinion 
of the Senior Manager on the Councils governance, risk management and internal 
control environment. 

4. Implications/Socio-economic Duty 

Financial 

4.1 None. 


Human Resources 


4.2 


None. 


Legal 


4.3 


None. 


Equality/Socio-economic 


4.4 


None. 


Environmental and Sustainability 


4.5 


None. 


Key Priorities 


4.6 


The work of Internal Audit helps to support the efficient delivery of the strategic priorities 
within the Council Plan 2019-2024. 


Community Wealth Building 


4.7 None. 


5. Consultation 


5.1 Council Services are consulted on the findings of Internal Audit throughout the year. No 
specific consultations have taken place in relation to this annual report. 


Mark Boyd 
Head of Service (Finance) 


For further information please contact Paul Doak, Senior Manager (Audit, Fraud, Safety 
and Insurance), on 01294-324561. 


Background Papers 
None. 


INTERNAL AUDIT 
ANNUAL REPORT 


2020-21 





A 


North Ayrshire Council 


Comhairle Siorrachd Air a Tuath 


1.1 


1.2 


1.3 


1.4 


1.5 


2.1 


2.2 


2.3 


INTERNAL AUDIT ANNUAL REPORT 
2020-21 


Introduction 


The Council's Section 95 Officer has overall responsibility for Internal Audit in North 
Ayrshire Council. The Senior Manager (Audit, Fraud, Safety and Insurance) reports to 
the Section 95 Officer, with the right of access to the Chief Executive and the Chair of 
the Audit and Scrutiny Committee on any audit matter. These rights of access help 
ensure the organisational independence of Internal Audit. 


During 2020-21, the section operated in conformance with the ‘Public Sector Internal 
Audit Standards (PSIAS)’. The Standards define the way in which the Internal Audit 
section should be established and undertake its functions. The section complied with 
the PSIAS requirement for an external assessment during every five-year cycle; this 
was last undertaken by Falkirk Council in 2017 through the peer-to-peer review 
network of the Scottish Local Authorities Chief Internal Auditors Group (SLACIAG). 


The Internal Audit section also operated under an ‘Internal Audit Charter’ which was 
most recently approved by the Audit and Scrutiny Committee in September 2020. 


One of the requirements of the PSIAS is the publication of an annual report. The aim 
of this annual report is to give an overview of the work carried out during 2020-21. 
Some information is provided on the resources available to Internal Audit and the 
performance of the section. 


Finally, the report provides an assurance statement on the overall adequacy and 
effectiveness of the Council’s governance, risk management and internal control 
frameworks. 


Planned and Actual Activity during 2020-21 


Due to the pandemic and the cancellation of the Audit and Scrutiny Committee 
scheduled for March 2020, the Internal Audit plan for the period 1st April 2020 to 31% 
March 2021 was approved by the Chief Executive under delegated powers. 


From the total of 715 planned days, 621 days (87%) were budgeted as ‘productive’ and 
allocated for carrying out audit work. A further 94 days (13%) were budgeted for ‘non- 
productive’ time: management and strategy, attendance at meetings, administration 
and staff training and development. Time is determined as ‘productive’ or ‘non- 
productive’ in line with definitions produced by CIPFA. 


During 2020-21, 652 workdays took place; this was 63 days below target. There are 
two main reasons for this reduction: 

1. In the early months of the pandemic, particularly from April to June 2020, 
auditors did not carry out any new work and time was lost; some of this time was 
spent working on other non-audit duties to support front-line services in 
responding to the pandemic. The nature of these duties did not impact on the 
ability of auditors to offer independent assurance. 

2. The Senior Manager spent less time on audit duties and considerably more than 
planned on risk management and business continuity matters during the same 


2.4 


2.5 


2.6 


2.7 


3.1 


3.2 


3.3 


period. From June 2020, a change in the Council structure meant that additional 
time was spent on directly line managing the Insurance team. 


There were 537 actual ‘productive’ days during 2020-21 and 115 ‘non-productive’ days. 
At 82% of total actual days, this meant productive days were around 5% below the 
percentage target. 


In order to compensate for the impact of the pandemic and the factors outlined at 2.3 
above, the following changes were made to the approved plan: 


Museums and Heritage — delayed to 21/22 plan 

State Aid - withdrawn 

Transformation Programme - withdrawn 

Community Alarms — delayed to 21/22 plan 

CCTV in Council buildings — delayed to 21/22 plan 

HRA planned maintenance and repairs — delayed to 21/22 plan 
Cyber resilience — delayed to 21/22 plan 

Performance Indicators - withdrawn 

Social Care establishments — delayed to 21/22 plan 


As noted at 2.5, most of the audits which were not carried out were carried forward into 
the 2021/22 plan which was approved by Audit and Scrutiny Committee in January 
2021 and commenced from 1st February 2021. This provides additional flexibility in the 
timing of this audit work through to March 2022. 


In line with the Council’s defalcation procedures, all instances of suspected fraud and 
irregularity should be reported to Internal Audit. These are investigated by the specialist 
Corporate Fraud team and are not included within this annual report. 


Audit Findings 


All audit reports which were finalised during 2020-21 were reported to meetings of the 
Audit and Scrutiny Committee in September and November 2020, and January, March 
and June 2021. 


A number of the audits which were reported to Committee in September would have 
been reported to meetings which were cancelled due to the pandemic in March and 
May 2020; the findings from these were reflected in the assurance statement for 2019- 
20 and so have not been included here. 


The assurance levels from each of the audits were as follows: 


September 2020 Committee 
Audit Title Assurance Level 
ICT Assets 
Library and Information Service 
Bereavement and Burial Service 
Commercial Refuse 
Licensing 


























Carefirst 





3.4 


3.5 


November 2020 Committee 
Audit Title Assurance Level 
Fuel Controls 











Accounts Payable Transaction testin 

Community Investment Fund 

Financial Intervention Orders 

Roads Procurement 

Payroll Transaction testing 

Fostering, Adoption and Kinship Carer payments 
Planning Application and Building Warrant income 























January 2021 Committee 
Audit Title 
Remote Access controls in the Education network 





Assurance Level 








March 2021 Committee 


Audit Title Assurance Level 
Building Services systems 
Fire Safety 


June 2021 Committee 
Audit Title Assurance Level 
Parent Pay system 

Internet and email controls 

Information Governance and Data Protection 
Accounts Receivable 

Accounts Payable Transaction Testing Q4 
Payroll Transaction Testing Q3 

Allowances and Pay adjustments 


HRA Planned Maintenance and Reactive Repairs [Substantial =| 


The definitions of the assurance levels used by Internal Audit are as follows: 















































The framework of governance, risk management and control is 
adequate and effective. 


Some improvements are required to enhance the adequacy and 
effectiveness of the framework of governance, risk management 
and control. 


There are significant weaknesses in the framework of governance, 
risk management and control such that it could be or could become 
inadequate and ineffective. 


There are fundamental weaknesses in the framework of 
governance, risk management and control such that it is 
inadequate and ineffective or is likely to fail. 





Detailed below are the most significant findings from the audit work finalised during 
2020-21. 


3.6 


3.7 


3.8 


4.1 


4.2 


4.3 


4.4 


ICT Assets 
There were particular concerns around: 
e An absence of budget holder approval for new purchases requested through the 
ICT service desk, with all orders being approved by ICT 
e A lack of monitoring of IT devices which had not been connected to the network 
for over 90 days 
e Inadequate access controls to the Council’s back-up data centre 


Remote Access Controls around the Education Network 
Audit concerns related to: 
e A lack of standard ICT processes and procedures across the Council's schools 
e A significant number of iPad devices which were not being managed through the 
mobile device management system 
e Weak password controls for network logons 
e The ongoing use of ‘cloning’ when setting up access to the network for a new 
employee, despite this having been stopped on the corporate network 
e The lack of a robust process to properly remove ICT access when an employee 
has left 


Education Services within the Communities Directorate have set up a working group to 
address all of these issues, with input from Internal Audit, and the Audit and Scrutiny 
Committee requested that the Service provide a full update report at the meeting in 
June 2021. 


These findings, together with those from other audits carried out and the individual 
assurance levels detailed above, contribute to the assurance statement in section 6 of 
this report. 


Audit Resources 


The Internal Audit section is directly managed by the Team Manager (Internal Audit), 
who reports to the Senior Manager (Audit, Fraud, Safety and Insurance). The Senior 
Manager is responsible for Internal Audit, as well as the Corporate Fraud team, the 
Insurance team and the Corporate Health and Safety team. 


As well as the Team Manager, the Internal Audit team consisted of two part-time 
Internal Auditors as well as a part-time Computer Auditor. 


All staff within the section hold a relevant qualification, either through an institute which 
is part of the CCAB (Consultative Committee of Accountancy Bodies) or the IIA 
(Institute of Internal Auditors). 


In April 2021, the Senior Manager was appointed as Head of Service (Finance and 
Transformation) and Section 95 Officer of the North Ayrshire Integration Joint Board, 
although not taking up post until June 2021. During the period of notice, an additional 
review of any audit report concerning the IJB and Health and Social Care Partnership 
was carried out by the Council's Section 95 Officer prior to issue. This was to mitigate 
against any potential conflict of interest on the part of the Senior Manager. 


5.1 


5.2 


5.3 


5.4 


5.5 


Performance 


During 2020-21, Internal Audit provided regular updates on work carried out to the 
Council's Audit and Scrutiny Committee. Elected Members had the opportunity to discuss 
all Internal Audit reports and question either the Senior Manager or relevant officers from 
Council services. 


The Councils performance management system, Pentana, is utilised to follow-up on 
audit recommendations. Officers with responsibility for implementing recommendations 
are required to update the Pentana system and updates are provided to the Audit and 
Scrutiny Committee on a quarterly basis. Where actions are overdue, officers may be 
required to attend the Committee to update Elected Members on plans to ensure that 
actions are implemented. 


A range of performance indicators are used to monitor performance within the section, 
and these are detailed in the table below, along with the two previous years’ actual 
figures. These are tracked by the Team Manager on a quarterly basis and are discussed 
with audit staff to review performance and identify opportunities for development. 


















































2018/19 | 2019/20 2020/21 | 2020/21 
Actual Actual Target Actual 

% of auditor time spent 87% 87% 87% 82% 
productively 
Training days per auditor 3.7 days | 3.5 days 3.6 days | 4.2 days 
Final reports issued 27 27 n/a 22 
Audits completed within 41% 46% 75% 24% 
budgeted days 
Draft reports issued within 21 81% 85% 100% 83% 
days of fieldwork completion 
Final reports issued within 14 96% 100% 100% 95% 
days of return of action plan 
Actions implemented on time by 83% 80% 80% 68% 
Council services 
Ad-hoc requests for advice from 60 47 n/a 63 
Council services requests | requests requests 








Actual performance against the ‘audits complete in budgeted days” indicator is 
significantly below target. This reflects the completion of individual audit assignments 
rather than the audit plan as a whole. Most audits which were over budget only exceeded 
the target by one or two days; only audits of Roads Procurement (5 days) and Accounts 
Receivable (7 days) were considerably over their target. 


68% of audit actions were implemented on time by Council Services, against a target of 
80%. This is the first time in a number of years that this target has been missed and 
reflects the fact that Council Services had other priorities during the pandemic. 


5.6 


5.7 


5.8 


6.1 


6.2 


6.3 


6.4 


The Internal Audit section also calculates 2 annual performance indicators which are 
required by the CIPFA Directors of Finance group. These are as follows: 














2018-19 2019-20 2020-21 
Productive days achieved per 94.71% 96.72% 86.47% 
audit plan 
Cost of Internal Audit per £1m £466.97 £510.97 £tbc 
of net expenditure 














The ‘productive days achieved per the audit plan’ were considerably lower than the two 
previous years; the reasons for this are outlined at 2.3 above. 


The ‘cost of Internal Audit per £1m of Council net expenditure’ was £510.97 in 2019-20, 
a slight increase from £466.97 in 2018-19. The 2020-21 figure cannot be calculated until 
the closure of the Council’s draft annual accounts and will be reported at a later date. 


Assurance statement 


This statement on the adequacy and effectiveness of the frameworks of governance, risk 
management and internal control is based on the audit work performed during 2020-21 
as reported above. It also draws on the experience of audit work carried out in earlier 
years as well as assurances received from management and external audit findings. 


Internal Audit staff have carried out work, both on a corporate basis and within each of the 
Service groups and, subject to the comments in section 3 above, the conclusion drawn 
from that work was that most of the anticipated governance, risk management and internal 
control frameworks were in place and operating effectively. 


Where Internal Audit identified opportunities for improvement, the responses received 
from managers continued to be positive and there was commitment to implementing 
Internal Audit's recommendations. 


On this basis, it is my opinion that reasonable assurance can be placed on the adequacy 
and effectiveness of the Council's systems of governance, risk management and internal 
control. 


Paul Doak 
Senior Manager (Audit, Fraud, Safety and Insurance) 
1 June 2021