Joint Audit and Governance Committee

Vale of White Horse District small

Report of Internal Audit and Risk Manager

Author: Victoria Dorman-Smith

Telephone: 01235 422430

E-mail: victoria.dorman-smith@southandvale.gov.uk

South cabinet member responsible: Councillor Pieter-Paul Barker

Tel: 01844 212438

E-mail: pieter-paul.barker@southoxon.gov.uk

Vale cabinet member responsible: Councillor Andy Crawford

Telephone: 01235 772134

E-mail: andy.crawford@whitehorsedc.gov.uk

 

To: Joint Audit and Governance Committee

DATE: 3 October 2023

AGENDA ITEM

 

Internal audit update report Q2 2023/24

Recommendation(s)

 

(a)  That members review the results of recent internal audit work and monitor progress of management actions.

 

 

Purpose of report

1.            The purpose of this report is to summarise the outcomes of recent internal audit activity at both councils for the committee to review. 

2.            The committee is asked to monitor progress of management actions to ensure actions are completed correctly in the timescales originally offered by management, and that controls are managing risk more effectively.

3.            The contact officer for this report is Victoria Dorman-Smith, Internal Audit and Risk Manager for South Oxfordshire District Council (South) and Vale of White Horse District Council (Vale), telephone 07766 780835, email victoria.dorman-smith@southandvale.gov.uk.

 

 

 

Strategic objectives

4.            Delivery of an effective internal audit function will support the councils in meeting their strategic objectives.

 

Background

5.            Internal audit is an independent assurance function that primarily provides an objective opinion on the degree to which the internal control environment supports and promotes the achievements of council objectives.  It assists the councils by evaluating the adequacy of governance, risk management, and controls.  After each audit, internal audit has a duty to report to management its findings on the control environment and risk exposure and recommend changes for improvements where applicable.  Managers are responsible for considering audit reports and taking the appropriate action to address control weaknesses.

 

6.            The Public Sector Internal Audit Standards (PSIAS) state that the head of internal audit should prepare a risk-based audit plan, which should outline the assignments to be carried out and the resource requirements to deliver the plan, for audit committee approval. The Joint Audit and Governance Committee (JAGC) approved the 2023/24 internal audit plan on 28 March 2023.  The PSIAS also states that the head of internal audit must periodically report on performance relative to the plan. 

 

7.            Overall assurance given by internal audit indicate the following:

Overall assurance definitions

Substantial

A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited.

Reasonable

There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited.

Limited

Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited.

No Assurance

Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited.

 

8.            In addition to providing overall assurance, it is important that management know how important the required action is to their service. Each action has been given a priority rating at service level with the following definitions:

Categorisation of actions

Priority 1

Findings that are fundamental to the integrity of the service’s business processes and require the immediate attention of management.

Priority 2

Important findings that need to be resolved by management.

Priority 3

Finding that requires attention.

 

 

 

 

Progress against the internal audit plan

9.            Overview: Progress against the 2022/23 and 2023/24 internal audit plans is summarised in appendix 1 and appendix 2 respectively. Good progress has been made against the 2022/23 plan, with the last remaining audit of Grounds and Parks Maintenance due to be finalised in October. From the 2023/24 plan, two audits have been completed, with seven audits underway. Two quarter two audits (Central Government Support Schemes and IT Asset Management) may need to be delayed to prioritise key financial audits and availability of auditees.

 

10.         Audits on hold: Six audits (one 2022/23 and five 2023/24) are on hold due to auditor sickness absence since August. A plan to pick up these reviews will be formed as part of the mid-year IA plan review, where we will undertake a holistic review of the plan and identify priorities for the second half of the year.

 

11.         Completed audits: In quarter two, we adopted a new approach with updated terminology (e.g., overall assurance and categorisation of actions). Some of the quarter two completed audits were issued prior to the new terminology and still refer to high/medium/low risk recommended actions. However, the table still shows the overall assurance ratings:

*See appendix 3 and 4 for Limited assurance reports

 

Other audit work

12.         In addition to the planned internal audit work, the team have provided support in several other areas:

a.    Annual Governance Statement: work is progressing on the AGS 2022/23 template and development of an assurance map.

b.    Government returns: no UKSPF reporting in Q2, next reporting due in October 2023. We audited the South and Vale Biodiveristy Net Gain evidence of spend forms (1 April to 31 August 2023) with no issues.

c.    Account codes: we undertook analysis of four of the six areas identified by Finance to support in their review of account codes in Unit 4.

d.    Critical friend support: we sit on the South and Vale housing response programme board and have been recently invited to the waste depot project. Once initiated, we will form part of the transformation programme board.

e.    Ad-hoc advice: We responded to one FOI in relation to audit days and recommendations and provided advice to HR and planning teams on confidential matters.

f.     Internal procedures: the internal audit team are making improvements to our feedback form and process, creating Unit4 workspaces for use in our key financial audits, and reports are now distributed to all JAGC members.

 

Management actions follow up

13.         In line with the PSIAS, the chief audit executive (in these councils the internal audit and risk manager) must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.  Responsibility to resolve issues and manage agreed actions lies with management.

14.         Overall, we received a 100% response rate from action owners, an improvement on previous quarters. 38 actions were implemented and 86 actions remain open and past due, with 3 high risk actions in relation to the information security and health and safety audits (both from 2022/23).

15.         Analysis of quarter two 2023/24 follow up activity is summarised below:

*See appendix 5 for details of the 4 actions that are awaiting evidence to close.

16.         Analysis of open actions by year and status is summarised below:

*See appendix 5 for details of the 41 high/medium actions that are not implemented and past due.

 

 

Climate and ecological impact implications

17.         There are no direct climate or ecological implications arising from this report.

 

Financial implications

18.         There are no financial implications attached to this report.

 

Legal implications

19.         None.

 

Risk implications

20.         Identification of risk is an integral part of all audits.

 

Attached:

Appendix 1 – Progress against the internal audit plan 2022/23

Appendix 2 – Progress against the internal audit plan 2023/24

Appendix 3 – Report Lifecycle Process 2022/23 report (Limited assurance)

Appendix 4 – Health & Safety 2022/23 report (Limited assurance)

Appendix 5 – Open actions (past due, high/medium risk) and actions awaiting evidence

 

 

VICTORIA DORMAN-SMITH

INTERNAL AUDIT AND RISK MANAGER