Cabinet_Report

Joint Audit and Governance Committee

Report of Internal Audit Manager Author: Victoria Dorman-Smith Telephone: 01235 422430 E-mail: victoria.dorman-smith@southandvale.gov.uk South cabinet member responsible: Councillor Pieter-Paul Barker Tel: 01844 212438 E-mail: pieter-paul.barker@southoxon.gov.uk Vale cabinet member responsible: Councillor Andy Crawford Telephone: 01235 772134 E-mail: andy.crawford@whitehorsedc.gov.uk To: Joint Audit and Governance Committee DATE: 31 January 2023	AGENDA ITEM

Internal audit recommendations follow up quarter three 2022/23

Recommendations

(a) That members note the content of the report

Purpose of report

1. The purpose of this report is to summarise the outcomes of recent follow up of open recommended actions at both councils for the committee to consider. The committee is asked to review the report and seek assurance that the agreed actions within internal audit reports have been implemented correctly in the timescales originally offered by management, and that controls are managing risk more effectively.

2. The contact officer for this report is Victoria Dorman-Smith, Internal Audit Manager for South Oxfordshire District Council (South) and Vale of White Horse District Council (Vale), email victoria.dorman-smith@southandvale.gov.uk.

Strategic objectives

3. Delivery of an effective internal audit function will support the councils in meeting their strategic objectives.

Background

4. In line with the Public Sector Internal Audit Standards (PSIAS), the chief audit executive (in these councils the Internal Audit Manager) must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. Responsibility to resolve issues and manage agreed actions lies with management.

5. Historically, internal audit has undertaken follow-up engagements for all internal audits within six calendar months of the date of issue of the final internal audit report, and annually for key financial audits. However, there is no formal monitoring and reporting of internal audit recommendations which have not been implemented following completion of the six-monthly follow-up engagement. Lack of regular monitoring of recommendations increases the likelihood that actions are not implemented on a timely basis, exposing the councils to risk.

6. In November 2022 the Joint Audit and Governance Committee approved the revised follow up process, which was subsequently launched in December 2022 (i.e., quarter three 2022/23):

Step 1: Quarterly, the internal audit manager emails the open recommendations tracker to action owners and their service managers and/or heads of service requesting an update of progress against agreed actions.

Step 2: Action owners provide their updates, along with supporting information for actions that have been fully implemented.

Step 3: The internal audit manager collates responses and updates the recommendations tracker and internal audit recommendations database, escalating non-responses to the deputy chief executives, section 151 officer, and/or monitoring officer, as appropriate.

Step 4: The status of progress against agreed management actions is reported by to the joint audit and governance committee (JAGC) for their consideration.

7. The roles and responsibilities in the follow-up process are summarised below:

Internal audit manager: track implementation of actions and report progress to the JAGC.

Action owners: implement agreed actions, manage associated risk(s) and provide quarterly status updates to the internal audit manager.

Senior management team: support the internal audit manager in tracking agreed actions and accept the risk of not taking actions.

Deputy chief executives, S151 officer, monitoring officer: support the internal audit manager in responding to non-responses and maintain oversight of open recommendations.

Joint audit and governance committee: monitor progress of agreed actions to ensure that the actions within internal audit reports have been implemented correctly in the timescales originally offered by management, and that controls are managing risk more effectively.

Analysis of quarter three follow up activity:

Audit Year	Total Actions	Open at 1 Dec 22	Q3 Follow Up Activity				Open at 19 Jan 23
Audit Year	Total Actions	Open at 1 Dec 22	Implemented	Not Implemented	No Longer Applicable	Other*	Open at 19 Jan 23
2013/14	72	0	-	-	-	-	0
2014/15	113	0	-	-	-	-	0
2015/16	267	0	-	-	-	-	0
2016/17	160	0	-	-	-	-	0
2017/18	148	0	-	-	-	-	0
2018/19	160	19	8	11	0	0	8
2019/20	210	54	16	24	7	7	31
2020/21	133	4	3	0	1	0	0
2021/22	135	107	27	31	4	45	76
2022/23	60	58	25	33	0	0	33
Totals	1,458	242	79	97	12	52	151

*Progress against these recommended actions will be followed up during 2022/23 planned audits in these areas.

Analysis of open actions by year and status:

		Other	Not Implemented* (Past Due)				Not Implemented (Not Yet Due)
Audit Year	Open at 19 Jan 23	Other	High	Medium	Low	Total	High	Medium	Low	Total
2013/14 to 2017/18	0	No open actions
2018/19	11	0	2	6	3	11	0	0	0	0
2019/20	31	7	0	15	9	24	0	0	0	0
2020/21	0	No open actions
2021/22	76	45	1	8	13	22	0	8	1	9
2022/23	33	0	2	5	2	9	6	3	15	24
Totals	151	52	5	34	27	66	6	11	16	33

*See appendix 1 for a full list of not implemented and past due actions.

Climate and ecological impact implications

8. There are no direct climate or ecological implications arising from this report.

Financial implications

9. There are no financial implications attached to this report.

Legal implications

10. There are no legal implications attached to this report.

Risks

11. Identification of risk is an integral part of all audits.

VICTORIA DORMAN-SMITH

INTERNAL AUDIT MANAGER

Appendix 1 – Not implemented and past due actions, analysed by audit year / audit name

No.	Audit Year	Audit Name	Service Area(s)	Rec ID	Recommended Action	Risk Rating	Original / Revised Due Dates	Action Owner Comments	Expected Implementation Date
1	2018/19	Petty Cash Procedures	Development & Corporate Landlord	889	a) Cornerstone should, with support from accountancy, establish an agreed upon process to regularly reconcile petty cash records against the petty cash float, ensuring any discrepancies are investigated and resolved. b) The Beacon should, with support from accountancy, establish an agreed upon process to regularly reconcile petty cash records against the petty cash float, ensuring any discrepancies are investigated and resolved.	High	30.6.2019	A review of open actions relating to Cornerstone operations is in progress. No other updates at this time.	31.1.2023
2				890	Formal reminder or training, from accountancy, should be provided to ensure that Cornerstone: - purchase all stationary through the councils contracted stationary supplier, Lyreco. - Purchase all tools and materials via the accounts payable system. - Claim back all expenses, i.e. eye tests, taxi fare, train tickets and fuel, via payroll expenses on the MyView system - Only accept petty cash claims if a valid VAT receipt is submitted.	High	30.6.2019
3				891	a) A review of the stock control processes should be undertaken to identify the reason for regular petty cash spend on food/drink. b) Based on the results of a), Cornerstone should establish controls to ensure that regular petty cash is limited in the future.	Medium	31.7.2019
4				892	a) Formal reminder or training, from accountancy, should be provided to Cornerstone staff about the requirement to separate VAT on the accounts payable payment voucher and to ensure it is coded correctly, to enable the councils to reclaim the VAT. b) Formal reminder or training, from accountancy, should be provided to The Beacon staff about the requirement to separate VAT on the accounts payable payment voucher and to ensure it is coded correctly, to enable the councils to reclaim the VAT.	Medium	30.6.2019

No	Audit Year	Audit Name	Service Area(s)	Rec ID	Recommended Action	Risk Rating	Original / Revised Due Dates	Action Owner Comments	Expected Implementation Date
5	2018/19	Insurance	Policy & Programmes	925	Review, update and obtain approval for working procedures to ensure that they are version controlled and formally document all aspects of insurance management activities.	Low	30.7.2020	WIP these procedures have been updated and are due another review 2022/23. When resourcing allows.	30.9.2023
6				926	A management reporting process should be introduced for insurance claims including reports on caseloads and status of claims for review.	Low	30.11.2019 / 30.6.2020	High risk service areas identified. Monthly review with these service teams to anticipate potential claims and agree mitigation routes. There is also a monthly H&S meeting to review incidents and claims which feeds into the meeting above and into the H&S SMT report. There is also a monthly meeting with all interested parties regarding Cyber and data security which again reviews potential risk and identifies mitigations, reported and minuted as well as feeds into the quarterly data and cyber security campaign. There is also a data breach triage forum that meets when required to avert incredulous potential claims of data breach comprising of Capita/legal/Data security and insurance and risk, procedures have been updated to ensure insurance are alerted in the first instance via Capita.	30.9.23
7				929	Consider creating an insurance webpage on the council websites, which includes useful information for the public.	Low	31.3.2020 / 30.4.2020	Assurance team to chase up Communications team as webpage information is not showing on the council websites.	30.4.2023
8	2018/19	Risk Management	Policy & Programmes	978	Incorporate mandatory risk management training into the updated corporate induction to ensure that new starters are aware of their responsibilities.	Medium	31.12.2019 / 30.6.2020	Incorporated into Leah however there has been a requirement since 2020 to review the risk framework, various methods have been shared with HofS. We now have a consultant to review the risk framework, methodology etc and therefore we await his findings before moving this action on in 2023 via the consultant.	TBD
9	2018/19	Risk Management	Policy & Programmes	981	Develop a risk management training plan/ schedule to be delivered to new and existing officers, service managers and senior management (i.e. identifying risks within their area, undertaking risk assessments and establishing controls making the risks manageable).	Medium	31.10.2020	Workshop written await sign off, however there has been a requirement since 2020 to review the risk framework, various methods have been shared with HofS. We now have a consultant to review the risk framework, methodology etc and therefore we await his findings before moving this action on in 2023 via the consultant.	30.6.2023
10	2018/19	Street Naming & Numbering	Corporate Services	826	Agree a method of receiving monthly street naming and numbering payment receipts from Capita's finance team.	Medium	31.1.2019	SNN Team receive weekly receipts list detailing payments made. Wider transformation programme will look to smarten payments to improve this process. Team are reviewing the process for applications for SNN to align with customer and digital transformation. Adjustment to the application process to request electronic payment as part of application process which reduces the potential for non-paid applications being completed. Requires development of the application eform. Wider transformation would see this become part of CRM. This would likely remove this weakness.	31.3.2023
11	2018/19	Street Naming & Numbering	Corporate Services	828	Agree a method of regularly communicating non-payment of applications to the debt recovery team for invoicing and collection.	Medium	31.1.2019	SNN team are reviewing the process for applications for SNN to align with customer and digital transformation. Adjustment to the application process to request electronic payment as part of application process which reduces the potential for non-paid applications being completed. Requires development of the application eform. Wider transformation would see this become part of CRM.	31.3.2023

No.	Audit Year	Audit Name	Service Area(s)	Rec ID	Recommended Action	Risk Rating	Original / Revised Due Dates	Action Owner Comments	Expected Implementation Date
12	2019/20	Budgetary Control	Finance	950	Review and update the accountancy charter to reflect the recent restructuring within Finance.	Low	31.3.2020	Awaiting action owner comments.	TBD
13				953	Review the current process for recording and approving virement and budget transfer requests and investigate the functionality of the automated approval workflow within Agresso to formally document virement requisitions and approvals. In the meantime, remind relevant officers of the requirement for virements to be formally approved by the relevant head of service.	Medium	31.3.2020	Online validation through Unit4 is possible but would require Unit 4 development and implementation this isn’t considered cost effective, manual virements are not considered an onerous problem and can be reversed if not correct	TBD
14				954	Review and update the financial procedure rules to provide guidance on what approval should be sought on the approval of urgent virement requests during pre-election periods when cabinet and full council meetings do not take place.	Medium	31.3.2020	Awaiting action owner comments.	TBD
15	2019/20	Cornerstone	Development & Corporate Landlord	973	Establish a process to regularly review and update Cornerstone policies and procedures.	Low	31.3.2020	A review of open actions relating to Cornerstone operations is in progress. No other updates at this time.	31.1.2023
16				974	A reminder should be given to all staff not to authorise any refunds that they have processed.	Low	30.11.2019		31.1.2023
17				975	A review of credit card transactions should be undertaken to identify regular payments where the standard accounts payable should be followed. Appropriate actions should be taken to ensure that future payments are processed via accounts payable.	Medium	31.3.2020		31.1.2023
18				976	Remind officers of the requirement to only use corporate credit cards for exceptional purchases, especially the need to follow the accounts payable process where suppliers are already setup on Agresso.	Medium	30.11.2019		31.1.2023
19				977	The stocktake record should be signed by both the officer undertaking the stocktake and the officer independently reviewing the stocktake to ensure that an audit trail is in place and to confirm accuracy.	Low	30.11.2019		31.1.2023

No.

Audit Year

Audit Name

Service Area(s)

Rec ID

Recommended Action

Risk Rating

Original / Revised Due Dates

Action Owner Comments

Expected Implementation Date

2019/20

Data Protection / GDPR

Legal & Democratic

1102

Review the roles associated to the councils' DPO and SIRO against GDPR/DPA guidance, taking necessary actions to ensure there is no conflict of interest with the nominated positions and any other tasks/positions held.

Low

31.10.2020 / 31.7.2021

Since the initial audit, responsibility has moved to the Head of Legal and Democratic Services who has the role of both named DPO and SIRO.

The DPO function on a day-to-day basis is managed by the Information Governance and Data Protection Officer with only significant or high-risk issues escalated to the named DPO.

This does still present an issue with one officer holding two roles which are ordinarily independent. Issues to be discussed and decision record as either to accept the risk and add to risk register or to resolve.

31.3.2023

1104

Establish a formal, regular programme of training to ensure officers and councillors receive and maintain the appropriate knowledge to conduct their duties.

Medium

30.11.2020 / 31.10.2021

The corporate delivery method for training, LEAH, is not user friendly and the Information Governance and Data Protection Officer is exploring the use of metcompliance modules to delivery targeted and refresher training.

In the meantime, more information is added to Jarvis as policies and procedures are adopted.

30.6.2023

1106

Review and update the data retention and disposal policy and associated record management guidance documents, as listed on Jarvis.

Medium

30.11.2020 / 30.9.2021

This is included within the information Governance Framework as set out in rec 1d. This specific guidance is not yet updated.

31.3.2023

1107

Communicate and publish the updated guidance for officers in relation to data retention and disposal.

Medium

30.11.2020 / 30.9.2021

This is almost the same as rec 3d above, when updated they will be published on Jarvis, which will be promoted through Info Governance Champions?

31.3.2023

1112

Establish an agreed upon process to regularly review and update the ROPA and to reflect any changes in data processing activities across service areas.

Medium

31.3.2021 / 30.9.2021

As the Information Governance Team becomes aware of any changed or new processes, such as through project documents or DPIA's, teams are asked to update their RoPA and privacy notices.

A RoPA policy and procedure has been approved by the Head of Legal and Democratic services and is to be presented to SMT for review. Once done this will be published on Jarvis and communicated through Information Governance Champions.

31.3.2023

1114

Conduct a review across all service teams to ensure data sharing agreements are in place, where required.

Low

31.3.2021 / 30.9.2021

Work is in progress as a part of the Information Governance self-assessment process.

A large number of sharing agreements are embedded within contract terms and only sharing agreements that sit outside of those contracts will form part of the record of sharing agreements.

30.9.2023

1116

Conduct a review across all service teams to ensure DPIAs are in place for new projects, where required.

Low

31.3.2021 / 30.9.2021

This was partly implemented at the time of follow up. The agreed action was to embed as a process for all new projects - hence to review information about DPIA's to ensure it is embedded within project documents. The Information Governance & Data Protection Officer advises in all GW1 documents if a DPIA is needed. The need for a DPIA is stated on Jarvis in the data protection pages.

An update to the existing DPIA policy and procedure is in progress which will simplify the form and make it less cumbersome for officers to use. This will be published on Jarvis and promoted through the Information Governance Champions. Once this is in place the recommendation will be fully implemented.

31.3.2023

No.

Audit Year

Audit Name

Service Area(s)

Rec ID

Recommended Action

Risk Rating

Original / Revised Due Dates

Action Owner Comments

Expected Implementation Date

2019/20

Moorings

(Vale only)

Development & Corporate Landlord

1076

Review the moorings policy and establish a procedure to ensure the policy is regularly reviewed on an ongoing basis.

Medium

31.10.2020 / 1.6.2021

The Technical Projects team have recently taken over as action owner and are working on reviewing and implementing the Moorings audit actions. A draft mooring policy is under review, along with officer training, digital permits, charging, and a winter permit system.

31.3.2023

1077

Develop procedure notes detailing the tasks which must be completed in relation to moorings and establish a procedure to regularly review and update the notes.

Medium

31.10.2020 / 9.4.2021

1078

Review payment methods for the moorings service and consider other possible methods, such as BACS.

Medium

31.10.2020 / 31.5.2021

1082

Undertake a health and safety risk assessment.

Medium

31.8.2020 / 9.4.2021

1085

Ensure the moorings officer attends health and safety and lone working training.

Medium

30.9.2020 / 30.9.2021

1086

Set up the moorings officer on the LoneAlert system and establish a process to ensure that it is used during patrols.

Medium

30.9.2020 / 1.5.2021

1087

Review the mooring rent on an annual basis. As part of the annual review, consider performing a comparison to other local authorities, e.g. nature and type of fees, additional fees for overstaying permit.

Low

31.10.2020 / 1.6.2021

1088

In order to accommodate residents on the reserve list, and to maximize income to the authority, consider allowing part year moorings when a mooring becomes vacant.

Low

31.10.2020 / 1.6.2021

No.	Audit Year	Audit Name	Service Area(s)		Rec ID	Recommended Action	Risk Rating	Original / Revised Due Dates	Action Owner Comments	Expected Implementation Date
35	2021/22	Car Parking & Enforcement	Development & Corporate Landlord		1297	SABA to continue the recruitment drive to ensure there is adequate resource to conduct car park inspections and patrols in line with the agreed service specification.	Medium	31.5.2022 / 31.8.2022	Saba have now identified a number of different options to advertise posts but are still struggling to recruit staff (this is a national problem). However, they are short of a weekend worker to work Sundays but are covering on a temp bases with employed staff while still looking to appoint a suitable Sunday operative. Saba failed to meet the KPI for last year financial deductions have been implemented	TBD
36			Development & Corporate Landlord		1298	A review of the car park patrol schedule should be considered to ensure there is suitable coverage of all car parks where recent changes in SODC charging periods have been implemented (Sunday charges now apply).	Low	1.2.2022 / 12.9.2022	This implementation of the recommendation has been affected by moving Parking enforcement to CPE (first ticket issued 23 November 2022). Information is now being built up on Chipside (parking software) as to where the inspection is most effective/required and then the patrol schedule will be reviewed. It is considered that 6 months information is required in the system, so the review is planned to take place in June 2023.	1.6.2023
37			Finance		1304	Pay360 system settings to be adjusted to deliver summary level output files for transactions imported to Unit4.	Low	31.3.2022 / 31.12.2022	After agreeing the recommendation, it was discovered that the Pay360 settings appeared correct so further investigation would be required, and it was decided to pick this up as part of the Pay360 upgrade project. It had been expected that the upgrade to Pay360 would take place this calendar year. The upgrade is now due to commence in January 2023 with go-live in May 2023 - this recommendation will be picked up as part of that project	31.5.2023
38	2021/22	Contract Management	Finance		1380	Remind heads of service of their requirement to perform regular contract monitoring activities, including obtaining management information from suppliers as stated in the contract.	Low	31.12.2022	This will be covered as part of the procurement training that will be rolled out during the first half of 2023	30.6.2023
39					1381	Remind heads of service of their requirement to perform regular contract monitoring activities, including formally documenting contract monitoring meetings with suppliers.	Low	31.12.2022		30.6.2023
40					1382	Remind heads of service of their requirement to perform regular contract monitoring activities, including ensuring payments are being made in line with contract terms and conditions.	Low	31.12.2022		30.6.2023
41	2021/22	Covid-19 Grants	Development & Corporate Landlord		1426	A record of file access codes to be retained on the secure drive.	Low	1.9.2022	Relevant data is being stored at U:\Discretionary Covid Grants - Secure Data. This data is only accessible to the EcDev and Audit teams. The data is currently being populated, and a standard simplified password process will be implemented.	1.7.2023
42	2021/22	Garden Waste	Corporate Services		1440	A review of the non-direct debit paying customers should be undertaken to establish whether resident circumstances have changed, which may enable payment via direct debit.	Low	31.12.2022	This is inked to the migration of Garden Waste to the CRM - now scheduled for Q1 2023.	31.3.2023
43	2021/22	Garden Waste	Corporate Services		1441	A review should be undertaken of all customers that have not provided an email address and contact should be made to obtain one, so that paper invoices are no longer issued.	Low	31.12.2022		31.3.2023
No.	Audit Year	Audit Name		Service Area(s)	Rec ID	Recommended Action	Risk Rating	Original / Revised Due Dates	Action Owner Comments	Expected Implementation Date
44	2021/22	Information Governance		Legal & Democratic	1437	The information governance and data protection officer could explore the possibility of purchasing a more efficient system to manage information requests.	Low	31.12.2022	The CRM system being introduced does have a module available for managing information requests but that is not a part of the current project business case. If a business case to include the module were to be approved, the CRM supplier recommends it is left to the end of the project so all teams are familiar with the CRM and this will not be for a couple of years. To be discussed with Head of Service	31.12.2023
45	2021/22	Land Charges		Legal & Democratic	1292	The area of the website showing the incorrect charges is corrected and in future appropriate checks are made to ensure that both areas are correct.	Medium	30.11.2021	The same format spreadsheet is now used by both finance and the service teams for fees and charges currently being set for 2023/24. Therefore, the differences should not be present for the 2023/24 charges currently being finalised.	31.3.2023
46	2021/22	Learning & Development		Corporate Services	1409	Load the approved courses onto LEAH in line with an agreed up3on timescale.	Medium	31.10.2022	All mandatory courses have now been uploaded. The long list of approved catalogue courses is ongoing. No dedicated resource for this work, but low risk now.	30.6.2023
47					1413	Continue to develop the training matrix identifying the health and safety training required for each role within the council.	Medium	31.12.2022	Single resource in H&S currently, so focus often on day-to-day support, responding to incidents etc. Seeking to recruit second person to accelerate actioning recommendations.	30.6.2023
48					1417	Develop a process to monitor progress of the Lets Talk process by service teams.	Medium	31.12.2022	Discussions held with IT to add automated workflow but held up by general IT / 5Cs issues and priorities.	30.6.2023
49					1418	Consider whether it would be beneficial to implement post training delivery evaluation.	Low	31.12.2022	As per management response, induction programme launched in November 2022, so will now review potential to evaluate training.	31.3.2023
50					1420	Establish a process to provide the agreed reports in the agreed timescale.	Low	31.10.2022	As we began sending HR data so SMT in October and induction programme rolled out in November, this deferred to consider how to report on L&D and discuss what would be relevant for SMT and/or committees.	31.3.2023

No.	Audit Year	Audit Name	Service Area(s)	Rec ID	Recommended Action	Risk Rating	Original / Revised Due Dates	Action Owner Comments	Expected Implementation Date
51	2021/22	Property Compliance	Development & Corporate Landlord	1313	A full review of properties where the councils hold responsibility should be undertaken to ensure that there are appropriate service contracts in place to ensure full adherence to regulatory and legislative standards.	High	30.4.2022 / 30.9.2022	Service level agreements (SLA's) reviewed November 2022. Not all SLA's signed off due to gaps in training and resources. Training to completed by 1st Quarter of next financial year (2023-24).	30.6.2023
52				1316	A review of assets to be conducted and where there may be contention of associated responsibilities, appropriate controls to be implemented to ensure there is clear ownership and acknowledgment of compliance management across services.	Medium	30.4.2022 / 30.9.2022	Linked to above item 3(a) (Rec ID 1313). In terms of roles and responsibilities going forward this is linked to the of Corporate Landlord Model project. Expected implementation date to be confirmed on Corporate Landlord Model projects approval for the transformation and implementation phase.	TBD
53				1319	Consider implementing a centralised Compliance Performance Report to distribute to responsible officers and/or service teams that displays the status of compliance performance for individual properties and/or service areas, to raise awareness of scheduled works, due dates and outstanding tasks required to be completed.	Low	30.6.2022 / 1/1/2023	This outcome is aligned to the Concerto upgrade project and the report and dashboard training. Training is scheduled to be delivered on 12 January 2023	12.1.2023
54				1322	A regular programme of building stock condition surveys to be in place to ensure that council assets are suitably managed and maintained.	Medium	30.6.2022 / 30.9.2022	New staff resource due to start January 2023. To then schedule the forward maintenance plans. To be completed by second quarter of the financial year (2023-24)	30.9.2023
55			Corporate Services	1311	In coordination with HR, review that adequate training is available and provided to individuals to conduct operational duties safely in respect of property management compliance.	Medium	30.6.2022 / 31.12.2022	Corporate Landlord not yet implemented. Training matrix in progress and not yet supplied to HR to review and implement.	31.12.2023
56	2022/23	Gifts & Hospitality	Corporate Services	1451	a) Issue a reminder to officers of the requirement to declare any gifts or hospitality received to their service manager, even if the offer was accepted or declined. b) Issue an email to all service managers regarding the process of officers declaring gifts and hospitality and their role in managing it and reporting it to human resources on a regular basis.	Medium	30.11.2022	The action is transferred to HR ownership. Mark Minion is seeking an update from David Fairall and has advised that he is happy for HR to own this recommendation	TBD
57	2022/23	Gifts & Hospitality	Legal & Democratic	1452	Risks identified and control in place regarding officers’ gifts and hospitality should be entered on either the corporate or operational risk registers.	Medium	30.9.2022	This risk will be added to the corporate risk register	31.3.2023
58	2022/23	Grievance Policy	Corporate Services	1430	Review and update the contractual polices page on SODC and VWHDC websites.	Low	31.10.2022	In progress - date extended.	31.1.2023

No.	Audit Year	Audit Name	Service Area(s)	Rec ID	Recommended Action	Risk Rating	Original / Revised Due Dates	Action Owner Comments	Expected Implementation Date
59	2022/23	Information Security	Corporate Services	1476	Review requirements for agency staff, contractors, and members to complete mandatory information/cyber security training to ensure awareness of council IT security practices.	High	31.12.2022	Actively working with IT to develop and upload Leah courses. On track to implement on time.	31.12.2023
60	2022/23	Information Security	Corporate Services	1486	Capita to provide a suitable offline immutable backup solution for servers hosted within the Capita provided platforms (e.g., Nuvem, Azure), currently being pursued by the 5CP security working group.	High	30.11.2022	Completed CCRF received from Capita on 16/12/22. Now sat with 5C for sign-off and into delivery. Expected 31 March 2023 however the migration of Mendip out of 5C might cause delay and will take priority.	31.3.2023
61	2022/23	Payroll	Corporate Services	1459	Develop a checklist of the training required by new starters and record the completion of training.	Low	31.12.2022	This is in progress, but date extended to enable chance to test and review with new members of the team.	31.3.2023
62				1461	Senior managers remind officers that they must submit adequate fuel receipts to support their mileage claim and that if they are not submitted then their mileage will not be authorised.	Medium	31.12.2022	A new draft mileage log has been created, but not yet ready to be rolled out (as seeking feedback from high-mileage users). When ready, will communicate new process as well as reminding everyone of the need to attach a receipt AND the log.	31.1.2023
63				1462	Consider introducing a standardised business mileage log that details full journey details, (including start and end locations), vehicle details (make model/engine size) and a claimant declaration that can be reconciled to route planners as part of a management review.	Medium	31.12.2022		31.1.2023
64				1463	Consider requiring a copy of the authorised log to be attached to the claim submission within the MyView system, ensuring claim documentation is supported, easily accessible and provides a suitable audit trail within the system.	Medium	31.12.2022		31.1.2023

Actions awaiting action owner comments:

No.	Audit Year	Audit Name	Service Area(s)	Rec ID	Recommended Action	Risk Rating	Original / Revised Due Dates	Action Owner Comments	Expected Implementation Date
65	2019/20	Development Management	Planning	969	Update the draft delegation protocol document to include authorisation of delegated reports prepared by team leaders and the protocol for review of pre-application letters.	Medium	31.12.2019 / 31.10.2020	Awaiting action owner comments.	TBD
66	2021/22	Council Fees and Charges	Finance	1284	Consider developing a standard format for each page within the fees and charges schedules.	Low	31.12.2021 / 30.9.2022	Awaiting action owner comments.	TBD