Joint Audit and Governance Committee

Vale of White Horse District small

Report of Internal Audit and Risk Manager

Author: Victoria Dorman-Smith

Telephone: 01235 422430

E-mail: victoria.dorman-smith@southandvale.gov.uk

South cabinet member responsible: Councillor Pieter-Paul Barker

Tel: 01844 212438

E-mail: pieter-paul.barker@southoxon.gov.uk

Vale cabinet member responsible: Councillor Andy Crawford

Telephone: 01235 772134

E-mail: andy.crawford@whitehorsedc.gov.uk

 

To: Joint Audit and Governance Committee

DATE: 30 January 2024

AGENDA ITEM

 

Internal audit update report Q3 2023/24

Recommendation(s)

 

(a)  That members review the results of recent internal audit work and monitor progress of management actions.

 

 

Purpose of report

1.            The purpose of this report is to summarise the outcomes of recent internal audit activity at both councils for the committee to review. 

2.            The committee is asked to monitor progress of management actions to ensure actions are completed correctly in the timescales originally offered by management, and that controls are managing risk more effectively.

3.            The contact officer for this report is Victoria Dorman-Smith, Internal Audit and Risk Manager for South Oxfordshire District Council (South) and Vale of White Horse District Council (Vale), email victoria.dorman-smith@southandvale.gov.uk.

 

 

 

Strategic objectives

4.            Delivery of an effective internal audit function will support the councils in meeting their strategic objectives.

 

Background

5.            Internal audit is an independent assurance function that primarily provides an objective opinion on the degree to which the internal control environment supports and promotes the achievements of council objectives.  It assists the councils by evaluating the adequacy of governance, risk management, and controls.  After each audit, internal audit has a duty to report to management its findings on the control environment and risk exposure and recommend changes for improvements where applicable.  Managers are responsible for considering audit reports and taking the appropriate action to address control weaknesses.

 

6.            The Public Sector Internal Audit Standards (PSIAS) state that the head of internal audit should prepare a risk-based audit plan, which should outline the assignments to be carried out and the resource requirements to deliver the plan, for audit committee approval. The Joint Audit and Governance Committee (JAGC) approved the 2023/24 internal audit plan on 28 March 2023.  The PSIAS also states that the head of internal audit must periodically report on performance relative to the plan. 

 

7.            Overall assurance given by internal audit indicate the following:

Overall assurance definitions

Substantial

A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.

Reasonable

There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.

Limited

Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.

No Assurance

Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.

 

8.            In addition to providing overall assurance, it is important that management know how important the required action is to their service. Each action has been given a priority rating at service level with the following definitions:

Categorisation of actions

Priority 1

Findings that are fundamental to the integrity of the service’s business processes and require the immediate attention of management.

Priority 2

Important findings that need to be resolved by management.

Priority 3

Finding that requires attention.

 

 

 

 

Progress against the internal audit plan

9.            Overview: Progress against the 2022/23 and 2023/24 internal audit plans is summarised in appendix 1 and appendix 2 respectively. All audits on the 2022/23 plan have now been completed, with the last remaining audits of Grounds and Parks Maintenance and Mobile Home Parks issued in the quarter. From the 2023/24 plan, three audits have been completed, one audit issued in draft, and 12 audits in progress.

 

10.         Mid-Year Review: In September, we reviewed the 2023/24 plan in consultation with the senior management team (SMT) and the Head of Finance. The purpose of the review is to ensure the plan responds to the changing risks and priorities of the organisation, with a focus on high priority or high risk areas.

 

11.         Completed audits*: since quarter two, we have adopted a new approach with updated terminology (e.g., overall assurance and categorisation of actions). The two 2022/23 completed audits were started prior to the new terminology and still refer to high/medium/low risk recommended actions. However, the table still shows the overall assurance ratings:

*See appendix 3 for completed audit reports

 

Other audit work

12.         In addition to the planned internal audit work, the team have provided support in several other areas:

a.    Government returns: we audited the latest UKSPF reporting for the period 1 April to 30 September 2023 (both internal working papers and government app).

b.    Advisory work: we sit on the South and Vale housing response and waste depot programme boards. Once initiated, we will form part of the transformation programme board.

c.    Ad-hoc advice: we responded to one FOI in relation to internal and external reviews of the audit committee.

d.    Internal procedures: through consultation with the Finance service managers and Head of Finance, we are refreshing the scope of our key financial audits.

 

 

 

Management actions follow up

13.         In line with the PSIAS, the chief audit executive (in these councils the internal audit and risk manager) must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.  Responsibility to resolve issues and manage agreed actions lies with management.

14.         Overall, we received a 93% response rate from action owners, which is lower than quarter two but remains high. We raised 57 new actions from the six audits completed in the quarter. 18 actions were implemented, and 139 actions are open and past due, with 16 high risk actions in relation to the grounds and parks maintenance, information security, and health and safety audits (all from 2022/23).

15.         Analysis of quarter three 2023/24 follow up activity is summarised below:

16.         Analysis of open actions by year and status is summarised below:

*See appendix 4 for details of the 75 medium/high and 10 priority 1/priority 2 actions that are not implemented and past due.

Climate and ecological impact implications

17.         There are no direct climate or ecological implications arising from this report.

 

Financial implications

18.         There are no financial implications attached to this report.

 

Legal implications

19.         None.

 

Risk implications

20.         Identification of risk is an integral part of all audits.

 

Attached:

Appendix 1 – Progress against the internal audit plan 2022/23

Appendix 2 – Progress against the internal audit plan 2023/24

Appendix 3 – Completed audit reports quarter three 2023/24

Appendix 4 – Open actions (past due, priority 1 and 2)

 

 

VICTORIA DORMAN-SMITH

INTERNAL AUDIT AND RISK MANAGER