Agenda item
Internal Audit Annual Report 2012/13
To note the content of the annual audit report, the summary of audits undertaken which have not been previously reported and also the opinion of the Head of Audit.
Minutes:
The Head of Risk Management and Audit presented the report at agenda item 6.2 which summarised all of the work carried out by Council’s auditors during 2012/13. The Committee was advised that the report contained the following five elements:
A the annual internal audit opinion in accordance with the CIPFA code of practice
B summary of audits not previously reported
C resources used in providing internal audits
D the number of audits completed but not previously presented and
E a guide on how Tower Hamlets compares as part of the CIPFA benchmarking club
Internal Audit Opinion - The Head of Risk Management and Audit summarised the professional opinion provided in the report. He advised that, in his opinion, systems of control were adequate and noted 108 system audits had been undertaken 75% of which achieved full or substantial assurance. And 18% returned limited assurance. The remaining 7% were audits where assurances had yet to be returned or where assurance was not applicable. He advised that these results had been achieved not only by audits procedures but also by offering assistance and support to departments that, having been audited, wished to improve their controls and implemented actions to this end. He noted that two of the planned audits had not been completed within the annual timescale and advised that work on these had now begun.
Audits not previously reported. - The Head of Risk Management and Audit reported on management of audit recommendations, advising the Committee that a 6-month post-audit review of the implementation of all agreed recommendations had returned that, as a whole, 84% of priority one recommendations had been implemented and 82% of priority two recommendations had been implemented. He acknowledged that this could be a concern and agreed to follow up limited and nil assurance reports so that a satisfactory level of assurance can be obtained. .
Concerning the summary of audit assurance published in the table at paragraph 8.3 of the report, Councillor Gibbs enquired why significantly more substantial assurances had been assigned to extensive audits than to non-extensive audits. The Head of Risk Management and Audit advised that this was because the risks around extensive systems were greater therefore the Council needed to ensure that arrangements were robust. He advised that most moderate systems were in fact schools and referred to past issues that had been raised around the number of poor assurances that had been returned from their audits.
Concerning audit performance data given in the table at paragraph 9.1 of the report, Councillor Gibbs noted that percentage of priority one and two recommendations implemented at the six-month post audit review were both 84% and considered this figure to be low. The Head of Risk Management and Audit acknowledged that there was presently no system to monitor whether or not recommendations had been implemented after the six-monthly review. However this was an area that he was looking to develop.
Resources used - The Head of Risk Management and Audit advised that in 2012/13 costs were £174,900, a saving of £4000 against planned costs. He advised that, in the period, Deloitte had undertaken a larger number of audits than had been planned as a member of the internal audit team had been assigned to the anti-fraud project. This work had now been completed and therefore this officer time could now be allocated back to normal audits that were planned for the forthcoming year. Additionally it was intended that, during this time, some further data matching work would be undertaken.
Councillor Eaton noted that the costs of audits carried out by Deloitte and a council auditor were comparable and queried whether the work undertaken by Deloitte should be retained in the forthcoming year to release the council’s auditor to undertake other projects due to HR issues.
Audits completed but not previously presented - The Head of Risk Management and Audit advised that 32 audits had been undertaken and the key findings were presented at appendix 2 of the report. He noted that some limited assurances had been returned and advised that these would be discussed with Members. A number of Service Heads were in attendance to respond to Members questions arising from the audit results and the Head of Risk Management and Audit invited each of them to respond to Members questions.
Safeguarding vulnerable adults systems audit – The Head of Risk Management and Audit advised that the audit revealed the following:
· Not all staff had a current CRB check at the time of audit. This was a key issue at the time however it had been subsequently resolved
· Not all staff had received regular training as frequently as had been expected
· Policies and procedures were dated 2011 but some policies were outdated
· A sample check of procedures showed that 10% of reviews had not been carried out
The Interim Service Head, Adult Social Care, Education Social Care and Wellbeing provided the following responses to Members’ questions:
· Concerning why the delay in updating CRB statuses had occurred, the Committee was advised that the time of the audit had coincided with his appointment and, at this time, he had not been involved in the oversight of this process. However this had now been addressed. He advised that, on an operational level, practice was good but processes to evidence this were poor. Since April new processes had been brought in which delivered a better audit trail.
· Concerning whether applicants were required to have a CRB check before starting work, he advised that in most cases this would be required. However he was empowered, under certain circumstances, to authorise an applicant to start work on the condition that no unauthorised access would be given to vulnerable adults until the CRB process had been completed.
· Concerning who would be accountable for any incident, he advised that any applicant who possessed a criminal record would not necessarily be barred from employment. However he would scrutinise any such applications and decide whether the nature of the conviction / criminal record would cause a risk. Furthermore all such applications would be scrutinised and assessed individually.
Software licensing audit – The Head of Risk Management and Audit noted that the purpose of the audit was to ensure that there were effective systems around software licensing. The audit revealed the following:
· That there was a good system for the purchase of licences however no inventory of licenses purchased was kept
· The current VDI environment was resilient but an auditor had recorded a non-standard download and therefore this resulted in returning a limited assurance
· There was training around software licensing but no inclusion of the implications or consequences of using not licensed software.
The Service Head, Customer Access and ICT provided the following responses to Members’ questions:
· Concerning whether there was a policy on downloading unauthorised software, she advised that there was a policy in place which clearly stated the criteria and sanctions. She advised that since the implementation of VDI it was no longer possible for departments to purchase smaller licences; these were now all centrally held.
· Concerning the risks around duplicate software purchasing, she advised that a corporate standard for software packages had been devised which incorporated a list of every package used and enabled staff to identify where these could be used throughout the organisation.
Planning and building control fees audit - The Head of Risk Management and Audit advised that the audit had revealed:
· That fees and charges payments were mostly made by cheque and that the Council was trying to expand its methods of receiving payments
· A limited assurance had been returned because there was no clear process for the collection and prompt banking of fees and charges
· There was no evidence of robust reconciliation to give assurance that all of the fees and charges due had been banked.
The Service Head Planning and Building Control, Development & Renewal provided the following responses to Members’ questions:
· Concerning cost incurred in terms of interest lost due to late banking of cheques and fees, Members were advised that auditors did not feel this was a great risk because the time delay between receipt and banking was small; additionally interest rates were presently low. He noted that a greater risk was that of cheques lost before banking.
· Concerning progress of staff training on financial payment processes, Members were advised that a proactive training programme was being undertaken and would be completed in the next few weeks.
· Concerning reasons for the delay in delivering the required the financial training, Mr Whalley advised that training had coincided with the reorganisation of the services from three teams into one. While the service had been divided across three areas, each had been focused on its own priorities and therefore training had taken longer to deliver. However, a unified system was now in operation.
· Concerning the methodology for training, Members were advised that there was on-going professional, technical and payment process training. Mr Whalley noted that since the reorganisation there had been a culture change in the way that processes were operated.
· Concerning reasons why cheque payments were preferred over other payment methods, Members were advised that while cash payments could not be accepted, portal payments and cheques were acceptable. Mr Whalley noted that in relation to the different types of payments used, applicants often preferred to make cheque payments, especially in relation to payments for section 106 matters although the Council's systems were able to accept electronic payments. However, where applications were initially refused and then later approved, payments would then often be made by credit card for speed.
· Concerning additional costs in terms of officer time for the additional controls instigated, Mr Jani advised that auditors tried to design controls to deliver higher levels of control for the lowest possible cost. He noted that the value of the extra costs incurred was in the controls and assurances that the new processes created.
· Concerning whether there would be additional costs incurred from operating electronic payments, Mr Jani advised that the costs would be no greater than normal.
· Concerning whether the Council would be able to promote electronic payments, over other forms, Mr Thorogood advised that the Council was presently reviewing the costs of different payment methods.
· Concerning whether the Council could require payments to be made electronically, Members were advised that to refuse certain types of payment methods would run the risk of increasing the Council’s debt.
Water systems audit - The Head of Risk Management and Audit noted:
· That the audit investigated the Council’s arrangements for checking water installations to ensure that there was robust systems to minimise the risk of water-borne infections.
The Director of Investment, Tower Hamlets Homes provided the following responses to Members’ questions:
· The water systems in question comprised of cold water tanks and communal hot water systems throughout the THH housing stock.
· Concerning the key risks that were revealed through the audit, Members were advised that the nature of the risk was a public health one through the potential for waterborne infections. Three tests for each water system were carried out per year and the audit revealed a weakness in the recording of the test outcomes. Since the audit, a more systematic approach to tracking the tests had been taken and an application (Keystone) purchased which would provide at-a-glance management information to track and monitor actions. This system was due to go live in September 2013.
· Concerning why monitoring processes, in terms of reporting and follow-up, had not been agreed at the outset of the water testing contract, the Committee was advised that contractors had met their obligations but recording processes were not sufficient to enable tracking and planning of maintenance.
· Concerning lessons learned in terms of monitoring, Members were advised that THH would be using Keystone application to ensure that information was uploaded earlier and could be tracked more easily. Additionally it would be possible to determine where servicing inspections had not been completed. It was expected that the system would be extended to all planned maintenance activity.
· Concerning why contract review meetings had been omitted and how THH would ensure records would be held properly in future, the Committee was advised that the audit report had identified lapses by members of staff; however the Keystone application would ensure that this did not occur in future. Additionally the results of the audit would be reported to the Tower Hamlets Homes Board. He advised also that since the audit a full backward review of processes had been carried out to ensure that all inspections had been acted upon.
Trading standards storage of goods - The Head of Risk Management and Audit noted:
- That the audit had been undertaken to establish a system for cataloguing storing and tracking confiscated goods.
- A limited assurance had been returned around management of the stores.
The Service Head Safer Communities, Crime Reduction Services, Communities, Localities and Culture provided the following responses to Members’ questions:
- Concerning whether there was evidence of goods lost or of materials contamination that might compromise a court prosecution, the Committee was advised that there were none as service had been restructured and potential risks had been quantified. The audit had enabled systems to be realigned and a robust solution put in place.
- Concerning security of the stores and whether goods could have been stolen before the audit, the Committee was advised that theft was not possible but the audit had revealed that the process for tracking confiscated goods was insufficient and the procedure for exhibit handling was not adequate; these might affect the continuity of evidence used in prosecutions. Despite the limited assurance in these areas, it was found that these factors had not caused any issues.
- Concerning whether the services would implement Crimson software, the Committee was informed that APP was in use which was a corporate system and was adequate for its purpose. Although Crimson application was better, it was not a good use of money to upgrade as APP was sufficient even though the process took longer.
Schools audits - The Head of Risk Management and Audit advised that reports on this matter would be deferred until the Audit Committee in September.
Oyster cards - The Head of Risk Management and Audit noted:
- This was a small system audit but nonetheless it was undertaken to address a reported misuse
- The aim of the audit was to ascertain whether there were weaknesses in the system and were they occurred
- A limited assurance had been returned because methods of authorising and recording Oyster card journeys were inconsistent which raised a risk of abuse of card use
- The financial risk was small but the reputational risk was much higher
- The audit had and revealed that journeys were not being correctly coded in the departmental financial systems
The Head of Risk Management and Audit provided the following responses to Members’ questions:
- Oyster cards were used for small journeys where out of Borough travel was necessary. This authorised method of travel saved operational and time costs involved with formal petty cash applications and journey reimbursements. It was noted however, that the use of Oyster cards for this purpose needed to be regularised.
- Season tickets issued to staff through the Council's season ticket loan scheme could also be used for work journeys where applicable.
Benchmarking club – Concerning the benchmarking club results at appendix 7, it was noted:
· That the costs were higher. Members were advised that this was due to the use of external providers. However it had been found that the provision was a better model and therefore this provision was intended to continue.
· That the audit team presently comprised four officers at PO4 grade and other benchmarking club structures may engage lower graded staff. However it was noted that higher graded staff provided better value as they were able to design systems as well as execute them. Notwithstanding this, to address cost issues, the Head of Risk Management and Audit intended to explore ways of filling the vacancy current vacancy at a lower grade.
RESOVLED:
That:
1. the content of the annual audit report be noted
2. the summary of audits undertaken which have not been previously reported be noted
3. the Head of Audit opinion be noted
Supporting documents: