Cabinet_Report

Joint Audit and Governance Committee

Report of Internal Audit and Risk Manager Author: Victoria Dorman-Smith Telephone: 01235 422430 E-mail: victoria.dorman-smith@southandvale.gov.uk South cabinet member responsible: Councillor Pieter-Paul Barker Tel: 01844 212438 E-mail: pieter-paul.barker@southoxon.gov.uk Vale cabinet member responsible: Councillor Andy Crawford Telephone: 01235 772134 E-mail: andy.crawford@whitehorsedc.gov.uk To: Joint Audit and Governance Committee DATE: 28 March 2023	AGENDA ITEM

Internal audit update report Q1 2023/24

Recommendation(s)

(a) That members note the content of the report.

Purpose of report

1. The purpose of this report is to summarise the outcomes of recent internal audit activity at both councils for the committee to consider.

2. The committee is asked to seek assurance that the agreed actions within internal audit reports have been implemented correctly in the timescales originally offered by management, and that controls are managing risk more effectively.

3. The contact officer for this report is Victoria Dorman-Smith, Internal Audit and Risk Manager for South Oxfordshire District Council (South) and Vale of White Horse District Council (Vale), telephone 07766 780835, email victoria.dorman-smith@southandvale.gov.uk.

Strategic objectives

4. Delivery of an effective internal audit function will support the councils in meeting their strategic objectives.

Background

5. Internal audit is an independent assurance function that primarily provides an objective opinion on the degree to which the internal control environment supports and promotes the achievements of council objectives. It assists the councils by evaluating the adequacy of governance, risk management, and controls. After each audit, internal audit has a duty to report to management its findings on the control environment and risk exposure and recommend changes for improvements where applicable. Managers are responsible for considering audit reports and taking the appropriate action to address control weaknesses.

6. The Public Sector Internal Audit Standards (PSIAS) state that the head of internal audit should prepare a risk-based audit plan, which should outline the assignments to be carried out and the resource requirements to deliver the plan, for audit committee approval. The Joint Audit and Governance Committee (JAGC) approved the 2023/24 internal audit plan on 28 March 2023. The PSIAS also states that the head of internal audit must periodically report on performance relative to the plan.

7. Overall assurance given by internal audit indicate the following:

Overall assurance definitions
Substantial	A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.
Reasonable	There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.
Limited	Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.
No Assurance	Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.

8. In addition to providing overall assurance, it is important that management know how important the required action is to their service. Each action has been given a priority rating at service level with the following definitions:

Categorisation of actions
Priority 1	Findings that are fundamental to the integrity of the service’s business processes and require the immediate attention of management.
Priority 2	Important findings that need to be resolved by management.
Priority 3	Finding that requires attention.

Progress against the internal audit plan

9. Progress against the 2022/23 internal audit plan is summarised in appendix 1 and audits completed since the last JAGC meeting are summarised in the below table. The quarter one completed audits have not adopted our new terminology and still refer to high/medium/low risk recommended actions. However, the table still shows the overall assurance ratings:

10. Progress against the 2023/24 internal audit plan is summarised in appendix 2. The 2023/24 audits have adopted a new approach with updated terminology (e.g., overall assurance and categorisation of actions).

Other audit work

11. In addition to the planned internal audit work, the team have provided support in several other areas including review and/or signoff of government returns (COMF, Biodiversity Net Gain, UKSPF), review and analysis of South and Vale contracts register, and analysis of account codes in the financial system (Unit 4). The internal audit team is engaging in emerging projects and service offerings (e.g., transformation, housing).

Follow up of recommended actions

12. In line with the PSIAS, the chief audit executive (in these councils the internal audit and risk manager) must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. Responsibility to resolve issues and manage agreed actions lies with management.

13. Analysis of quarter one 2023/24 follow up activity is summarised below: