To receive an interim report detailing the performance of the Internal Audit Service for the period April to October 2016.
Contact:D Harwood 388115
Minutes:
By way of a report by the Internal Audit and Risk Manager (a copy of which is appended in the Minute Book) the Committee received details on the work completed by the Internal Audit Service during the period April to October 2016, together with associated performance issues.
The Committee were informed that the Internal Audit and Risk Manager’s opinion on the Council’s internal control environment and systems of internal control as at 31 March 2016 was that it provided adequate assurance over key business processes and financial systems. From work completed since, the opinion remained unchanged.
During the reporting period it was noted that one ‘substantial’, eight ‘adequate’ and eight ‘little’ assurance opinions were issued. Eight of the reports related to the 2015/16 Audit Plan.
It was explained that changes had been required to the Audit Plan, resulting in the removal of seven and addition of two audits. The net removal of five audits was due to a substantial amount of additional time being spent on preparing the Shared Service Business Case, completing audits from the 2015/16 Plan and additional work required on three audit areas being Overtime; Flexi-Time Management and Work-Life Balance; and Management of Ill Health and Sickness.
The Committee were informed that the September quarterly review of the Accounts Receivable (Debtors) system had been completed which identified that key controls were generally effective and, whilst some improvements were required, there had been an improvement in control compliance. The findings corresponded with the statement by the Head of Resources at the September Corporate Governance Committee meeting when he presented a specific report on the management of debt (Minute No. 30 referred).
The 3C Partner Councils had jointly purchased a new Financial Management System (FMS) to replace each Council’s current FMS. Whilst the systems would operate and be managed independently of one another, Internal Audit was working in partnership with Internal Audit colleagues at Cambridge City Council who were the lead Internal Auditors on the project. New key controls and working practices would be required when the FMS went live in April 2017.
No Information Technology (IT) audit contract was in place when the 2016/17 Internal Audit Plan was approved in March 2016. The Committee were informed at their September meeting that following a competitive tendering exercise BDO had been appointed as the IT auditors until March 2019. BDO had issued two IT audit reviews and a one in draft. It was anticipated that they would complete a further five reviews within the financial year.
In response to a question as to whether the amount of unplanned additional time spent by Internal Audit was an issue it was explained that audits considered the most important were completed first, in the event that unplanned time occurred resulting in insufficient time to complete all the audits listed within the Audit Plan by the end of the financial year.
There was a query as to whether the Internal Audit Service had the capacity and flexibility to respond to the rapidly changing environment that the Authority was experiencing. It was explained that the Service was managed within the resources it had and the Audit Plan would be amended to allow it to focus on new or emerging risks.
Having commended the executive summary contained within the report it was noted that further to the September meeting where the Committee resolved to recommend to the Cabinet not to proceed with the Business Case for the establishment of a Shared Audit Service, the Cabinet had approved the recommendation. Subsequently South Cambridgeshire District Council and Cambridge City Council had decided to proceed with a joint Internal Audit Shared Service and there had been no work to proceed with Huntingdonshire District Council joining this Partnership in the near future.
At the invitation of the Chairman the Leader of Council addressed the Committee and explained that the Cabinet had based the decision on savings having not yet materialised from the 3C Shared Service Partnership arrangement. With the forthcoming devolution arrangements it was considered appropriate to not proceed with a Shared Internal Audit Service at the present time.
The Committee further noted that they had been concerned that the Business Case did not propose Huntingdonshire District Council as the lead Authority and given the high standard of service provided by Internal Audit, that the service could be diluted with the requirement to support the other local authorities within the Shared Service Partnership. In addition the Committee had not been convinced by the financial savings. The decision to not proceed demonstrated the respect the Internal Audit Service held within the Authority.
Referring to the Service Delivery Targets, listed in paragraph 5.1 of the Appendix to the report, specifically those not achieved, it was explained that the Committee, then Panel, had previously expressed concern at the declining service delivery target for ‘complete audit fieldwork by date stated on the audit brief’. It was explained that due to the variable hour contracts the Internal Audit Team worked, it was difficult to reschedule meetings cancelled at short notice which had impacted upon the target. Subsequently the Head of Resources had contacted Senior Management Team to remind them of the importance of keeping to pre-agreed meeting dates and the number of cancelled meetings had reduced markedly. Internal Audit now retained a record of those meetings that were cancelled and were content with the current position.
It was confirmed to the Committee that draft audit reports took longer to issue than final audit reports as the final report had already been agreed, queries having been resolved at the draft report stage.
In response to a question, it was explained that although the Internal Audit Plan was unlikely to be fully delivered by the end of the financial year the Internal Audit and Risk Manager’s opinion on the Council’s internal control environment and systems of internal control overall was that it provided adequate assurance over key business processes and financial systems.
As the new FMS would be hosted as a ‘cloud’ based system BDO were due to undertake a review of cloud security, to ensure that information was being hosted in a safe and secure environment. The audit reports would be shared across the 3C Internal Audit Teams so that they could be considered as part of the process for delivering the annual internal audit opinion. In conclusion the Committee,
RESOLVED
i. to note that the Internal Audit and Risk Manager’s unchanged opinion of ‘adequate assurance’ over the internal control environment and system of internal control; and
ii. that the Internal Audit Plan as agreed by the Corporate Governance Committee in March 2016 was unlikely to be fully delivered this year.
Supporting documents: