NORTH AYRSHIRE COUNCIL
1 June 2021
Audit and Scrutiny Committee
Title: Internal Audit Annual Report 2020-21
Purpose: To provide the Committee with an annual report on the work of
Internal Audit during 2020-21 and provide an opinion on the
governance, risk management and internal control environment
of the Council.
Recommendation: The Committee is asked to note the content of the annual report
and the opinion of the Senior Manager on the Council's
governance, risk management and internal control environment.
The Internal Audit Annual Report attached at Appendix 1 provides information on the
work carried out during the period of the 2020-21 audit plan.
It is the opinion of the Senior Manager (Audit, Fraud, Safety and Insurance) that
reasonable assurance can continue to be placed on the adeguacy and effectiveness of
the Council's systems of governance, risk management and internal control.
The Public Sector Internal Audit Standards (PSIAS) require that the Chief Internal
Auditor prepares an annual report on the activities of Internal Audit to demonstrate
performance and that the report should contain a view on the soundness of the Council's
governance, risk management and internal control frameworks. The Annual Report for
2020-21 is attached at Appendix 1 and outlines the role of Internal Audit, the
performance of the section during the year and the key audit findings. It also contains
the annual audit assurance statement.
The report gives information on the actual performance against the agreed plan. Overall,
652 days of audit work took place, which was 63 days less than budgeted. Section 2 of
the annual report provides more information on the reasons for the shortfall and the
corrective action which was taken to amend the audit plan.
Section 3 of the Annual Report provides information on the assurance level given for
each audit and some of the most significant findings. All audit reports published were
reported to the Audit and Scrutiny Committee.
All audit findings during the year support and inform the opinion by the Senior Manager
(Audit, Fraud, Safety and Insurance) on the adequacy of the Council’s governance, risk
management and internal control environment. The assurance category given to each
individual audit informs the overall level of assurance. The Public Sector Internal Audit
Standards require this opinion to be given each year through an annual assurance
statement. This is included within the annual report at section 6.
2.5 The opinion in the annual assurance statement also contributes to the Annual
Governance Statement which is published as part of the Council’s annual accounts and
is elsewhere on the Audit and Scrutiny Committee agenda for approval.
2.6 Based on the audit work carried out, the opinion of the Senior Manager (Audit, Fraud,
Safety and Insurance) is that reasonable assurance can continue to be placed on the
adequacy and effectiveness of the Council’s systems of governance, risk management
and internal control.
3.1 Itis proposed that the Committee notes the content of the annual report and the opinion
of the Senior Manager on the Councils governance, risk management and internal
4. Implications/Socio-economic Duty
Environmental and Sustainability
The work of Internal Audit helps to support the efficient delivery of the strategic priorities
within the Council Plan 2019-2024.
Community Wealth Building
5.1 Council Services are consulted on the findings of Internal Audit throughout the year. No
specific consultations have taken place in relation to this annual report.
Head of Service (Finance)
For further information please contact Paul Doak, Senior Manager (Audit, Fraud, Safety
and Insurance), on 01294-324561.
North Ayrshire Council
Comhairle Siorrachd Air a Tuath
INTERNAL AUDIT ANNUAL REPORT
The Council's Section 95 Officer has overall responsibility for Internal Audit in North
Ayrshire Council. The Senior Manager (Audit, Fraud, Safety and Insurance) reports to
the Section 95 Officer, with the right of access to the Chief Executive and the Chair of
the Audit and Scrutiny Committee on any audit matter. These rights of access help
ensure the organisational independence of Internal Audit.
During 2020-21, the section operated in conformance with the ‘Public Sector Internal
Audit Standards (PSIAS)’. The Standards define the way in which the Internal Audit
section should be established and undertake its functions. The section complied with
the PSIAS requirement for an external assessment during every five-year cycle; this
was last undertaken by Falkirk Council in 2017 through the peer-to-peer review
network of the Scottish Local Authorities Chief Internal Auditors Group (SLACIAG).
The Internal Audit section also operated under an ‘Internal Audit Charter’ which was
most recently approved by the Audit and Scrutiny Committee in September 2020.
One of the requirements of the PSIAS is the publication of an annual report. The aim
of this annual report is to give an overview of the work carried out during 2020-21.
Some information is provided on the resources available to Internal Audit and the
performance of the section.
Finally, the report provides an assurance statement on the overall adequacy and
effectiveness of the Council’s governance, risk management and internal control
Planned and Actual Activity during 2020-21
Due to the pandemic and the cancellation of the Audit and Scrutiny Committee
scheduled for March 2020, the Internal Audit plan for the period 1st April 2020 to 31%
March 2021 was approved by the Chief Executive under delegated powers.
From the total of 715 planned days, 621 days (87%) were budgeted as ‘productive’ and
allocated for carrying out audit work. A further 94 days (13%) were budgeted for ‘non-
productive’ time: management and strategy, attendance at meetings, administration
and staff training and development. Time is determined as ‘productive’ or ‘non-
productive’ in line with definitions produced by CIPFA.
During 2020-21, 652 workdays took place; this was 63 days below target. There are
two main reasons for this reduction:
1. In the early months of the pandemic, particularly from April to June 2020,
auditors did not carry out any new work and time was lost; some of this time was
spent working on other non-audit duties to support front-line services in
responding to the pandemic. The nature of these duties did not impact on the
ability of auditors to offer independent assurance.
2. The Senior Manager spent less time on audit duties and considerably more than
planned on risk management and business continuity matters during the same
period. From June 2020, a change in the Council structure meant that additional
time was spent on directly line managing the Insurance team.
There were 537 actual ‘productive’ days during 2020-21 and 115 ‘non-productive’ days.
At 82% of total actual days, this meant productive days were around 5% below the
In order to compensate for the impact of the pandemic and the factors outlined at 2.3
above, the following changes were made to the approved plan:
Museums and Heritage — delayed to 21/22 plan
State Aid - withdrawn
Transformation Programme - withdrawn
Community Alarms — delayed to 21/22 plan
CCTV in Council buildings — delayed to 21/22 plan
HRA planned maintenance and repairs — delayed to 21/22 plan
Cyber resilience — delayed to 21/22 plan
Performance Indicators - withdrawn
Social Care establishments — delayed to 21/22 plan
As noted at 2.5, most of the audits which were not carried out were carried forward into
the 2021/22 plan which was approved by Audit and Scrutiny Committee in January
2021 and commenced from 1st February 2021. This provides additional flexibility in the
timing of this audit work through to March 2022.
In line with the Council’s defalcation procedures, all instances of suspected fraud and
irregularity should be reported to Internal Audit. These are investigated by the specialist
Corporate Fraud team and are not included within this annual report.
All audit reports which were finalised during 2020-21 were reported to meetings of the
Audit and Scrutiny Committee in September and November 2020, and January, March
and June 2021.
A number of the audits which were reported to Committee in September would have
been reported to meetings which were cancelled due to the pandemic in March and
May 2020; the findings from these were reflected in the assurance statement for 2019-
20 and so have not been included here.
The assurance levels from each of the audits were as follows:
September 2020 Committee
Audit Title Assurance Level
Library and Information Service
Bereavement and Burial Service
November 2020 Committee
Audit Title Assurance Level
Accounts Payable Transaction testin
Community Investment Fund
Financial Intervention Orders
Payroll Transaction testing
Fostering, Adoption and Kinship Carer payments
Planning Application and Building Warrant income
January 2021 Committee
Remote Access controls in the Education network
March 2021 Committee
Audit Title Assurance Level
Building Services systems
June 2021 Committee
Audit Title Assurance Level
Parent Pay system
Internet and email controls
Information Governance and Data Protection
Accounts Payable Transaction Testing Q4
Payroll Transaction Testing Q3
Allowances and Pay adjustments
HRA Planned Maintenance and Reactive Repairs [Substantial =|
The definitions of the assurance levels used by Internal Audit are as follows:
The framework of governance, risk management and control is
adequate and effective.
Some improvements are required to enhance the adequacy and
effectiveness of the framework of governance, risk management
There are significant weaknesses in the framework of governance,
risk management and control such that it could be or could become
inadequate and ineffective.
There are fundamental weaknesses in the framework of
governance, risk management and control such that it is
inadequate and ineffective or is likely to fail.
Detailed below are the most significant findings from the audit work finalised during
There were particular concerns around:
e An absence of budget holder approval for new purchases requested through the
ICT service desk, with all orders being approved by ICT
e A lack of monitoring of IT devices which had not been connected to the network
for over 90 days
e Inadequate access controls to the Council’s back-up data centre
Remote Access Controls around the Education Network
Audit concerns related to:
e A lack of standard ICT processes and procedures across the Council's schools
e A significant number of iPad devices which were not being managed through the
mobile device management system
e Weak password controls for network logons
e The ongoing use of ‘cloning’ when setting up access to the network for a new
employee, despite this having been stopped on the corporate network
e The lack of a robust process to properly remove ICT access when an employee
Education Services within the Communities Directorate have set up a working group to
address all of these issues, with input from Internal Audit, and the Audit and Scrutiny
Committee requested that the Service provide a full update report at the meeting in
These findings, together with those from other audits carried out and the individual
assurance levels detailed above, contribute to the assurance statement in section 6 of
The Internal Audit section is directly managed by the Team Manager (Internal Audit),
who reports to the Senior Manager (Audit, Fraud, Safety and Insurance). The Senior
Manager is responsible for Internal Audit, as well as the Corporate Fraud team, the
Insurance team and the Corporate Health and Safety team.
As well as the Team Manager, the Internal Audit team consisted of two part-time
Internal Auditors as well as a part-time Computer Auditor.
All staff within the section hold a relevant qualification, either through an institute which
is part of the CCAB (Consultative Committee of Accountancy Bodies) or the IIA
(Institute of Internal Auditors).
In April 2021, the Senior Manager was appointed as Head of Service (Finance and
Transformation) and Section 95 Officer of the North Ayrshire Integration Joint Board,
although not taking up post until June 2021. During the period of notice, an additional
review of any audit report concerning the IJB and Health and Social Care Partnership
was carried out by the Council's Section 95 Officer prior to issue. This was to mitigate
against any potential conflict of interest on the part of the Senior Manager.
During 2020-21, Internal Audit provided regular updates on work carried out to the
Council's Audit and Scrutiny Committee. Elected Members had the opportunity to discuss
all Internal Audit reports and question either the Senior Manager or relevant officers from
The Councils performance management system, Pentana, is utilised to follow-up on
audit recommendations. Officers with responsibility for implementing recommendations
are required to update the Pentana system and updates are provided to the Audit and
Scrutiny Committee on a quarterly basis. Where actions are overdue, officers may be
required to attend the Committee to update Elected Members on plans to ensure that
actions are implemented.
A range of performance indicators are used to monitor performance within the section,
and these are detailed in the table below, along with the two previous years’ actual
figures. These are tracked by the Team Manager on a quarterly basis and are discussed
with audit staff to review performance and identify opportunities for development.
2018/19 | 2019/20 2020/21 | 2020/21
Actual Actual Target Actual
% of auditor time spent 87% 87% 87% 82%
Training days per auditor 3.7 days | 3.5 days 3.6 days | 4.2 days
Final reports issued 27 27 n/a 22
Audits completed within 41% 46% 75% 24%
Draft reports issued within 21 81% 85% 100% 83%
days of fieldwork completion
Final reports issued within 14 96% 100% 100% 95%
days of return of action plan
Actions implemented on time by 83% 80% 80% 68%
Ad-hoc requests for advice from 60 47 n/a 63
Council services requests | requests requests
Actual performance against the ‘audits complete in budgeted days” indicator is
significantly below target. This reflects the completion of individual audit assignments
rather than the audit plan as a whole. Most audits which were over budget only exceeded
the target by one or two days; only audits of Roads Procurement (5 days) and Accounts
Receivable (7 days) were considerably over their target.
68% of audit actions were implemented on time by Council Services, against a target of
80%. This is the first time in a number of years that this target has been missed and
reflects the fact that Council Services had other priorities during the pandemic.
The Internal Audit section also calculates 2 annual performance indicators which are
required by the CIPFA Directors of Finance group. These are as follows:
2018-19 2019-20 2020-21
Productive days achieved per 94.71% 96.72% 86.47%
Cost of Internal Audit per £1m £466.97 £510.97 £tbc
of net expenditure
The ‘productive days achieved per the audit plan’ were considerably lower than the two
previous years; the reasons for this are outlined at 2.3 above.
The ‘cost of Internal Audit per £1m of Council net expenditure’ was £510.97 in 2019-20,
a slight increase from £466.97 in 2018-19. The 2020-21 figure cannot be calculated until
the closure of the Council’s draft annual accounts and will be reported at a later date.
This statement on the adequacy and effectiveness of the frameworks of governance, risk
management and internal control is based on the audit work performed during 2020-21
as reported above. It also draws on the experience of audit work carried out in earlier
years as well as assurances received from management and external audit findings.
Internal Audit staff have carried out work, both on a corporate basis and within each of the
Service groups and, subject to the comments in section 3 above, the conclusion drawn
from that work was that most of the anticipated governance, risk management and internal
control frameworks were in place and operating effectively.
Where Internal Audit identified opportunities for improvement, the responses received
from managers continued to be positive and there was commitment to implementing
Internal Audit's recommendations.
On this basis, it is my opinion that reasonable assurance can be placed on the adequacy
and effectiveness of the Council's systems of governance, risk management and internal
Senior Manager (Audit, Fraud, Safety and Insurance)
1 June 2021