Agenda item

ANNUAL INTERNAL AUDIT REPORT 2022/23

Minutes:

FSD23031

 

This report was written by the Head of Audit and Assurance to provide her annual opinion for 2022/23 on the Council’s overall system for risk management, governance and control.

 

Internal Audit had requested that three items for audit be deferred to the 23/24 financial year. These were:

 

·  Social Care System—Implementation Review

·  Staff Well Being

·  Parking Income 

 

A Member expressed disappointment that the audit of the Social Care Implementation Review had been delayed. Regarding the Staff Well Being Audit, a Member felt that as recruitment and retention had been flagged on the Risk Register, the review should take place without waiting for accreditation. The Head of Audit and Assurance said that an audit of Recruitment and Retention was planned for the current financial year. A Member expressed disappointment concerning the delayed audit of Assistive Technology. It was explained that this was a consultancy matter and the department concerned had stated that at this time they did not require any consultancy advice from Internal Audit. This meant that this audit had been cancelled rather than delayed. With respect to Parking Income, this audit would be limited purely to income and financial matters and would not be looking at any issues concerning the implementation of RingGo.

 

The timing of the release of the individual audit reports was discussed. A Member said that having to read numerous, and quite often substantial, reports a short time before meetings was difficult for Members. He supported the idea that had been suggested by an Independent Member that reports be ‘drip-fed’ to Members before the publication of the redacted reports on the web. This would give Members more time to prepare. The Chairman asked if this could be looked into.

 

(Post Meeting Note: The issue regarding the publication of Internal Audit Redacted Reports has been looked into. There is no reason why all the reports have to be disseminated in one large bundle just before agenda publication. They could for example be sent out at intervals in smaller bundles). 

 

Members discussed issues concerning policies and procedures that had not been updated for some time and expressed some concern regarding this. It was suggested that consideration be given whereby portfolios/departments would report to Members those policies or procedures that had not been updated for some time. A Member asked if completion rates for data protection training were increasing. He felt that if they were not, this was a developmental issue that should be escalated. The Head of Audit and Assurance responded that the Priority 1 recommendation that had previously existed for cyber security training had now been closed off because, as of the 1st of June, the completion rate was 90%. This seemed to be an issue with mandatory training in general. It was mentioned that issues concerning the completion of mandatory training may be something that could be raised with the Director of HR. It was agreed that this would be one of the issues that could be raised with the Director of HR when he attended the November meeting.

 

An Independent Member highlighted that the Risk Management Framework had not been reviewed since 2018. He felt that this was a priority issue. It was noted that this review was scheduled for 2023/24.

 

The Chairman drew attention to the Independent External Quality Assessment, and Members were pleased to note that the review was positive. A Member drew attention to some of the recommendations of the Assessment. He asked if consideration was being applied to the recommendation concerning the appointment of a Deputy Head of Audit and Assurance and also if consideration was being given to the recommendation that the Internal Audit Plan should be run on a 3/5 year cycle rather than the current cycle. The Head of Audit and Assurance responded that the current structure of the team was flat and everyone reported to her. There was a possibility of some flexibility in the future, as a result of requests for reduced hours. It would also be prudent to see what would be the situation after the impending changes to Internal Audit Standards. The Head of Audit and Assurance clarified that the 3/5 year strategic plan referred to a high level approach only, and that the 6 month detailed planning would continue.

 

A team skills assessment had recently been completed and there were weaknesses identified in the following areas:

 

·  Staff not confident with IT Audits

·  Data Analytics

·  Fraud Risks and Controls

 

Extra training had been provided (and was ongoing) to strengthen staff skill sets in all of these areas. 

 

RESOLVED that:

 

1) Members note the report and the Head of Audit and Assurance’s opinion for 2022/23 on the Council’s overall systems of risk management, governance and control.

 

2) Members approve the amendments to the 2022/23 Internal Audit Plan as set out in paragraph 3.6.2 of the report. 

 

3) The Director of HR be asked to attend the November meeting to answer any questions that Members would like to raise concerning the completion of mandatory training modules.
