Please Contact: Lydia Hall
Please email: lydia.hall@north-norfolk.gov.uk
Please Direct Dial on: 01263 516047
7 March 2016
A meeting of the Audit Committee of North Norfolk District Council will be held in the
Committee Room at the Council Offices, Holt Road, Cromer on Tuesday 15 March 2016 at
2.00 pm
Members of the public who wish to ask a question or speak on an agenda item are
requested to arrive at least 15 minutes before the start of the meeting. It will not always be
possible to accommodate requests after that time. This is to allow time for the Committee
Chair to rearrange the order of items on the agenda for the convenience of members of the
public. Further information on the procedure for public speaking can be obtained from
Democratic Services, Tel: 01263 516047, Email: democraticservices@north-norfolk.gov.uk
Anyone attending this meeting may take photographs, film or audio-record the proceedings
and report on the meeting. Anyone wishing to do so must inform the Chairman. If you are a
member of the public and you wish to speak on an item on the agenda, please be aware that
you may be filmed or photographed.
Sheila Oxtoby
Chief Executive
To: Mr V FitzPatrick, Mr S Hester, Mr B Jarvis, Mr M Knowles, Mrs A Moore
and Mr D Young
All other Members of the Council for information.
Members of the Management Team, appropriate Officers, Press and Public
If you have any special requirements in order to attend this meeting, please let us
know in advance
If you would like any document in large print, audio, Braille, alternative format or in a
different language please contact us
Chief Executive: Sheila Oxtoby
Strategic Directors: Nick Baker and Steve Blatch
Tel 01263 513811 Fax 01263 515042 Minicom 01263 516005
Email districtcouncil@north-norfolk.gov.uk Web site northnorfolk.org
AGENDA
1. TO RECEIVE APOLOGIES FOR ABSENCE
2. PUBLIC QUESTIONS
To receive public questions, if any.
3. ITEMS OF URGENT BUSINESS
To determine any items of business which the Chairman decides should be
considered as a matter of urgency pursuant to Section 100B(4)(b) of the Local
Government Act 1972.
4. DECLARATIONS OF INTEREST
Members are asked at this stage to declare any interests that they may have in any
of the following items on the agenda. The Code of Conduct for Members requires
that declarations include the nature of the interest and whether it is a disclosable
pecuniary interest.
5. MINUTES
To approve as a correct record, the minutes of the meeting of the Audit Committee
held on 8 December 2015.
6. AUDIT UPDATE AND ACTION LIST
To monitor progress on items requiring action from the meeting of 8 December 2015
including progress on implementation of audit recommendations.
7. AUDIT COMMITTEE WORK PROGRAMME
To review the Audit Committee Work Programme.
8. ERNST & YOUNG AUDIT PLAN
To receive the Audit Plan from the External Auditors.
9. INTERNAL AUDIT PROGRESS REPORT
(Appendix 1, Appendix 2, Appendix 3, Appendix 4)
To receive a follow up report on the recommendations made by Internal Audit.
10. INTERNAL AUDIT STRATEGIC AND ANNUAL AUDIT PLANS
(Appendix 1, Appendix 2, Appendix 3, Appendix 4, Appendix 5)
To receive a report on the Audit Strategy and annual audit plans by Internal Audit.
11. INTERNAL AUDIT SELF-ASSESSMENT
(Appendix 1)
To undertake the annual self-assessment of Audit Committee.
12. CORPORATE RISK REGISTER – DRAFT VERSION
To receive a report on the Corporate Risk Register.
13. RISK MANAGEMENT FRAMEWORK – DRAFT VERSION
(Appendix 1, Appendix 2)
To receive a report on the Risk Management Framework.
14. EXCLUSION OF THE PRESS AND PUBLIC
To pass the following resolution, if necessary:
“That under Section 100A(4) of the Local Government Act 1972 the press and public
be excluded from the meeting for the following items of business on the grounds that
they involve the likely disclosure of exempt information as defined in
of Part I
of Schedule 12A (as amended) to the Act.”
Agenda item 5
AUDIT COMMITTEE
Minutes of a meeting of the Audit Committee held on Tuesday 8 September 2015 in
the Committee Room, Council Offices, Holt Road, Cromer at 2.00 pm.
Members Present:
Committee: Mr V FitzPatrick (Chairman), Mr M Knowles, Mrs A Moore, Mr D Young
Other Members: Mr T FitzPatrick
Officers in Attendance: The Head of Finance, the Internal Audit Consortium Manager, the Head of
Environmental Health and the Democratic Services officer
25. APOLOGIES
Mr S Hester
26. PUBLIC QUESTIONS
None received.
27. ITEMS OF URGENT BUSINESS
None
28. DECLARATIONS OF INTEREST
None
29. MINUTES
The Minutes of the meeting of the Audit Committee held on 15 September 2015 were
approved as a correct record and signed by the Chairman.
30. AUDIT UPDATE AND ACTION LIST
The Audit Update and Action List update requested is covered in item 34. The Head of
Finance said that she would circulate the statistics for the Monitoring Officer’s Annual
Report.
Audit Committee
4
08 December 2015
Mr D Young asked whether the Openwide contract had been amended following the
Committee’s concerns at the September meeting.
The Internal Audit Consortium Manager said that there had been a miscommunication
in the audit and explained that when the figure for the contract was set in 2003 it was
due to increase with inflation from the baseline. She explained that when the extension
was agreed the original figure as quoted in 2003 was the only figure in writing, this was
reset and then inflation applied to the extension thus reflecting the new payment
amount. The Internal Audit Consortium Manager assured Members that the correct
figures were referred to.
31. AUDIT COMMITTEE WORK PROGRAMME
The Chairman requested that the 2016/2017 work programme was available at the
March meeting and the Internal Audit Consortium Manager said that a version would
be drafted for approval.
The Internal Audit Consortium Manager advised Members that the self-assessment
was on the work programme for March and that she would send the self-assessment
checklist in January 2016 with the Committee’s terms of reference. She explained that
it was an important exercise that covered the reports received, support from officers
and that it covered the whole agenda of the Audit Committee and was from CIPFA best
practice.
The Committee requested that the Internal Audit Consortium Manager added factual
information and leave the opinions blank for Members to complete.
Mr D Young asked why the Corporate Risk Register had been deferred until March.
The Head of Finance said that the Performance and Risk Management Board were
meeting in January and that she would have more information therefore for the March
meeting.
32. ANNUAL AUDIT LETTER
Members considered the Annual Audit Letter.
Mrs A Moore, referring to page 15 of the letter, asked why the grant income was no
longer shown as such in the accounts, against the external auditors’ recommendation.
The Head of Finance said that Norfolk Community Foundation had been tasked with
administering the grant but that when it was returned it was treated as a capital receipt
and not as a material entry in the unadjusted statements. She assured Members that
the funds were the same amount and would still be used for the correct purpose – as
grants for businesses and in keeping with the original intentions.
The Chairman, referring to page 14 of the letter, asked about the Final Report for 30th
September and asked whether it should go on the website in the interest of
transparency.
The Head of Finance said that it had been circulated by the external auditors to the
Audit Committee and that it could go on the website.
The Chairman asked about an issue on page 14 of the letter regarding related parties
and relatives of councillors.
The Head of Finance explained that the external auditors had asked officers to check
all relatives and related parties. NNDC had said that the declaration of interests signed
at the beginning of office covered this and that the guidance notes explained that it was
for the councillor and all related parties. She said that they were reliant on the
councillor to ensure that this was correct.
Mr D Young commented that the guidance notes explain all related parties but that the
paperwork did not.
The Head of Finance said that the form would be amended for 2015/16 declarations.
The Chairman agreed that they should be confident in the declarations made by
councillors.
The Internal Audit Consortium Manager suggested getting the opinion of the newly
contracted external auditors to which Members agreed.
Mr M Knowles asked about the certification of claims and returns on page 16.
The Head of Finance explained that this was in relation to the benefits subsidy which
was in the region of £30m and that it was not unusual due to the nature of the claim for
the qualification. She informed Members that the 2013/14 claims had been finalised
but that the 2014/15 claims were outstanding. The Head of Finance said that external
audit extrapolated a sample of the claim form to test and analyse to produce a claw
back figure and that in the sample for the 2014/15 claim they had found one error. The
external auditor uses the test and compounds it as a representation of the claim and
this resulted in them believing that NNDC needed to pay back in the region of
£100,000 despite NNDC’s reassurance that the error was unique having carried out
their own testing.
The Head of Finance reassured Members that the error was an isolated one and that
they were liaising with the external auditors and the DWP to rectify but that it was a
long process. She said that the Council maintained an earmarked reserve in relation to
benefits of £400,000 to mitigate losses of this nature.
The Chairman said that further testing was sensible considering the amount it
concerned.
The Committee AGREED to RECEIVE the Annual Audit Letter.
33. INTERNAL AUDIT PROGRESS REPORT
The Internal Audit Consortium Manager introduced the report and said that 72% of the
annual internal audit plan was complete and that there were 3 audits left for quarter 4
and that there were no concerns at this time in relation to completing the plan. She
said that they had issued five final reports at the time of writing the report and that 18
recommendations had been raised with 10 of priority 2 status and 8 of priority 3.
The Internal Audit Consortium Manager gave a brief summary of the final reports that
had been issued:
• Corporate Governance and Risk Management – need to ensure that the risk
management framework was reviewed in line with requirements as it was last
looked at in 2010 and to have the contracts register reviewed against purchase
ledger spend
• Housing Strategy – reasonable assurance was concluded with one of the
recommendations relating to the extension of a key officer post, which has since
been extended
• Homelessness and Housing Options
• Parks, Open Spaces and Woodland Management
• Register of Electors – this was an IT audit and recommendations related to
recognising the system admin role and ensuring that access levels are
appropriate.
The Internal Audit Consortium Manager said that all five reports had concluded in a
positive assurance.
Mrs A Moore said that there were accounting issues in 2007 at Holt Country Park and
commented that the issue had been raised countless times.
The Internal Audit Consortium Manager said that the issue had been raised through
audit recommendations and that it was really about reminding staff how to work and
that these officers did work remotely. She confirmed that the issue had been raised
before, but that it had been closed before but that a change in staff meant that it had
become a vulnerable area once more. The Internal Audit Consortium Manager
assured Members that the managers in the team affected had taken the issue
seriously and that there had recently been a department restructure.
The Chairman said that proper controls and procedures were needed to protect both
the Council and officers. He asked whether there would be regular monitoring.
The Internal Audit Consortium Manager said that regular monitoring was part of the
recommendations and managers and officers were aware of the new procedures and
would ensure a clear audit trail.
Mr D Young asked whether the issues raised were being addressed; whether they
were being challenged or accepted by officers.
The Internal Audit Consortium Manager said that all of the recommendations made
within the reports had been agreed with managers, where recommendations are
disagreed then these are brought to the Committee’s attention. Internal Audit were
keen to work with the officers to ensure that the recommendations are feasible /
reasonable and time scales agreed. She said that the guidelines for each priority
recommendation were just that and that discussions were held between audit and
officers to ensure that if the guideline date cannot be met (for appropriate reasons)
then an achievable deadline is agreed. All deadlines that go over the guidelines are
reviewed and agreed by the Internal Audit Consortium Manager.
The Chairman raised concerns pertaining to pages 29 and 30 of the report, in
particular resilience for risk management.
The Internal Audit Consortium Manager explained that each manager managed their
team’s risks and that the reporting of all of these goes through to one officer and then
on to the Performance and Risk Management Board. She said that it wasn’t a big risk
and was assessed as a priority 3. She said that the risk management framework was
dealt with by one person and that this recommendation was to cover unforeseen
circumstances.
Mr Young asked whether they expected the issue to be actioned in the 6 month
timeframe and the Internal Audit Consortium Manager said that the deadline was 31st
March 2016 as it was an issue that could be easily addressed.
The Chairman asked who was dealing with the contracts register compared to the
purchase ledger and the Head of Finance confirmed that it was a Finance
responsibility.
Mr Young, referring to page 32, on the acquisition of affordable housing said that he
was not aware of this and asked whether it had been approved. It was confirmed that it
had been approved through the correct channels.
The Chairman said of the electoral access that the tools that people needed should be
able to be accessed but no more.
The Internal Audit Consortium Manager said that the manager of the team was
currently away and so the unrestricted access had been beneficial for officers but that
on return the access levels would be assessed by the manager and proper restrictions
would be put in place for each staff role.
The Chairman thanked the Internal Audit Consortium Manager for her report and
congratulated all those involved.
The Internal Audit Consortium Manager said that the new contract was working
well and that there was good communication with officers during the audits, however
feedback at the end of audits from officers needs improving.
The Committee AGREED to RECEIVE the Progress Report.
34. INTERNAL AUDIT RECOMMENDATIONS FOLLOW UP REPORT
The Internal Audit Consortium Manager explained that the report was the position as at
31st October and said that there were 12 outstanding recommendations with an overall
summary provided.
The Internal Audit Consortium Manager said that there were three reported previously
as outstanding:
• Section 106 monitoring – to be completed by the end of the year
• Waste Management contract – which was near completion
• Reconciliation between planning and building control – an extension had been
requested
The Internal Audit Consortium Manager said that there were a further 19
recommendations raised within the year, and that the current position was
encouraging.
The Chairman asked about the three outstanding recommendations in relation to the
Leisure and Pier Pavilion audit on page 49.
The Internal Audit Consortium Manager said that this was following a recent audit and
that a longer time frame than originally thought was required.
Mr M Knowles said that there were concerns in the planning team and that the
department was having issues.
The Internal Audit Consortium Manager said that there were difficulties with
recruitment for planners, and that this was a widespread problem for other councils as
well. She said that she was due to have a discussion with the service head in January
to explore how to make the recommendations achievable.
The Chairman commented that the planning work was increasing but that the
recommendations needed to be completed. He asked whether there was a log of
recommendations that had not been accepted.
The Internal Audit Consortium Manager said that any recommendations not agreed
with would continue to be brought to the Committee’s attention, as was the disagreed
recommendation in relation to the Openwide contract issue, which was dealt with by
the Committee due to the original disagreement at the previous meeting.
The Chairman asked about the priority 2 recommendation regarding compliance with
HMRC requirements for self-employed, contractors and consultants detailed on page
50 of the report and whether the 30th November deadline date had been achieved.
The Head of Finance confirmed that the recommendation had been implemented and
records would be updated to reflect this.
Mr D Young, also referring to page 50 of the report, asked about the 18th December
deadline for the Waste Management contract and whether this deadline would be
achieved.
The Internal Audit Consortium Manager said that the recommendation was in relation
to finalising the last lease for bowling greens and that management were working
towards achieving this date.
The Committee AGREED to RECEIVE the Follow Up Report.
35. BUSINESS CONTINUITY
The Head of Environmental Health introduced the report and said that there had been
no major incidents. He informed Members that they had undertaken exercises in
flooding at Bacton which was contingency based. He explained that trained staff took
part so they could test capacity and that they had also recently run a rest centre event
at Tattersett. The Head of Environmental Health said that they rehearsed activity for an
emergency and that the skills used were transferable to many situations.
The Head of Environmental Health said that business continuity plans were in place
and that this was done through the Council teams so that there was a team knowledge
and responsibility and that the contingencies team ensured that there was a consistent
approach to the plans. He said that agile working would assist with contingencies and
that the work recovery site at Fakenham Connect had been equipped with 10
additional work stations for agile working and as a contingency.
The Internal Audit Consortium Manager added that the Fakenham Disaster Recovery
site had recently been audited and that the results of this would be explored at the
March meeting but that there were no major concerns.
The Head of Environmental Health said that the server room backup at Fakenham
Connect also housed similar for the DWP and West Norfolk and King’s Lynn Borough
Council.
The Chairman asked whether there would be any testing of the additional work stations
at Fakenham.
The Head of Environmental Health said that IT would do some testing but that the
stations would be used by officers for agile working and that they would be operational
and ready to use in an emergency situation.
The Chairman asked if there were plans to hold similar exercises in other coastal areas
of the district.
The Head of Environmental Health said that they had previously done similar exercises
in Wells, Cley and Salthouse and that they organised one flooding exercise a year. He
added that it was quite challenging as many people involved had experienced a real
flooding situation and so the focus was on community resilience.
Mr D Young asked about the issue of mobile phone signal during an emergency and
said that he understood that there had been no signal between Salthouse and Wells.
The Head of Environmental Health said that it was variable and that local people
tended to use the provider with the best signal locally. He said that there were local
point to point radios for emergencies and that the police and other organisations
provided support to ensure effective communication.
The Head of Finance asked Members whether they wanted to keep Business
Continuity on the work programme as a regular item or whether they wanted to change
it to an annual report.
The Members agreed to continue to receive six monthly updates on business
continuity.
The Committee AGREED to RECEIVE the Business Continuity Report.
The meeting closed at 3.29pm
______________________
Chairman
Agenda Item 6
AUDIT COMMITTEE 08 December 2015 – ACTIONS ARISING FROM THE MINUTES
32. Annual Audit Letter: Agreed that the final report from 30th September should be added to the NNDC website in the interests of transparency. (Karen Sly)
32. Annual Audit Letter: Amend financial declaration to include guidance regarding related parties. (Karen Sly)
Agenda Item 7
AUDIT COMMITTEE WORK PROGRAMME 2016
DECEMBER 2015
External Audit
PWC Annual Audit Letter
Internal Audit
Progress Report on Internal Audit Activity
MARCH 2016
JUNE 2016
E&Y Audit Plan (with overview)
Annual Grant Certification Report from PWC
Progress Report on Internal Audit Activity
Follow Up Report on Internal Audit Recommendations
Strategic and Annual Audit Plans
SEPTEMBER 2016
E&Y 201/16 Annual Governance report (ISA260)
Annual Report and Opinion and Review of the Effectiveness of Internal Audit
Progress Report on Internal Audit Activity
Progress report on Internal Audit Activity
Undertake self-assessment
Follow up on Internal Audit Recommendations
Corporate Risk Register (deferred from December)
Risk Management Framework
Corporate Risk Register/ risk management framework
Business Continuity Plan Review
Statement of Accounts
Business Continuity training update
Monitoring Officer’s Report
NNDC
Business Continuity
Local Code of Corporate Governance and Action Plan
Internal Audit report: External Quality Assessment of Internal Audit – date TBC
Agenda Item 8
North Norfolk District Council
Year ending 31 March 2016
Audit Plan
10 February 2016
Ernst & Young LLP
Ernst & Young LLP
One Cambridge Business Park
Cambridge
CB4 0WZ
Tel: + 44 1223 394 400
Fax: + 44 1223 394 401
ey.com
10 February 2016
Audit Committee
North Norfolk District Council
Council Offices
Holt Road
Cromer
Norfolk
NR27 9EN
Dear Committee Members
Audit Plan
We are pleased to attach our Audit Plan which sets out how we intend to carry out our responsibilities as
auditor. Its purpose is to provide the Audit Committee with a basis to review our proposed audit approach
and scope for the 2015/16 audit in accordance with the requirements of the Local Audit and
Accountability Act 2014, the National Audit Office’s 2015 Code of Audit Practice, the Statement of
Responsibilities issued by Public Sector Audit Appointments (PSAA) Ltd, auditing standards and other
professional requirements. It is also to ensure that our audit is aligned with the Committee’s service
expectations.
This plan summarises our initial assessment of the key risks driving the development of an effective
audit for the Council, and outlines our planned audit strategy in response to those risks.
2015/16 will be our first year as your external auditor. We are currently working through the transitional
arrangements with our predecessors, PWC, including a review of their files. This Plan therefore
summarises our preliminary assessment of the key issues which drive the development of an effective
audit for the Council, and outlines our planned audit strategy in response to those risks. We will present
you with an update of our Audit Plan at a subsequent meeting if our view on audit risks changes as a
result of completing all transitional arrangements and our interim planning work.
We welcome the opportunity to discuss this Audit Plan with you on 08 March 2016 and to understand
whether there are other matters which you consider may influence our audit.
Yours faithfully
Rob Murray
Executive Director
For and on behalf of Ernst & Young LLP
Enc
The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global
Limited.
A list of members’ names is available for inspection at 1 More London Place, London
SE1 2AF, the firm’s principal place of business and registered office.
Contents
1. Overview
2. Financial statement risks
3. Value for money risks
4. Our audit process and strategy
5. Independence
Appendix A Fees
Appendix B UK required communications with those charged with governance
In April 2015 Public Sector Audit Appointments Ltd (PSAA) issued ‘Statement of responsibilities of auditors and
audited bodies 2015-16’. It is available from the Chief Executive of each audited body and via the PSAA website
(www.psaa.co.uk)
The Statement of responsibilities serves as the formal terms of engagement between appointed auditors and audited
bodies. It summarises where the different responsibilities of auditors and audited bodies begin and end, and what is
to be expected of the audited body in certain areas.
The ‘Terms of Appointment from 1 April 2015’ issued by PSAA sets out additional requirements that auditors must
comply with, over and above those set out in the National Audit Office Code of Audit Practice (the Code) and statute,
and covers matters of practice and procedure which are of a recurring nature.
This Audit Plan is prepared in the context of the Statement of responsibilities. It is addressed to the Audit Committee,
and is prepared for the sole use of the audited body. We, as appointed auditor, take no responsibility to any third
party.
Our Complaints Procedure – If at any time you would like to discuss with us how our service to you could be
improved, or if you are dissatisfied with the service you are receiving, you may take the issue up with your usual
partner or director contact. If you prefer an alternative route, please contact Steve Varley, our Managing Partner, 1
More London Place, London SE1 2AF. We undertake to look into any complaint carefully and promptly and to do all
we can to explain the position to you. Should you remain dissatisfied with any aspect of our service, you may of
course take matters up with our professional institute. We can provide further information on how you may contact
our professional institute.
1. Overview
This Audit Plan covers the work that we plan to perform to provide you with:
► Our audit opinion on whether the financial statements of North Norfolk District Council,
the Council, give a true and fair view of the financial position as at 31 March 2016 and of
the income and expenditure for the year then ended;
► Our conclusion on the Council arrangements to secure economy, efficiency and
effectiveness;
We will also review and report to the National Audit Office (NAO), to the extent and in the
form required by them, on the Council’s Whole of Government Accounts return.
Our audit will also include the mandatory procedures that we are required to perform in
accordance with applicable laws and auditing standards.
When planning the audit we take into account several key inputs:
► Strategic, operational and financial risks relevant to the financial statements;
► Developments in financial reporting and auditing standards;
► The quality of systems and processes;
► Changes in the business and regulatory environment; and,
► Management’s views on all of the above.
By considering these inputs, our audit is focused on the areas that matter and our feedback is
more likely to be relevant to the Council.
Changes in our audit scope
We will provide an update to the Audit Committee on the results of our work in these areas in
our report to those charged with governance scheduled for delivery in September 2016.
2. Financial statement risks
We outline below our current assessment of the financial statement risks facing the Council,
identified through our knowledge of the Council’s operations and discussion with those
charged with governance and officers.
At our meeting, we will seek to validate these with you.
Significant risks (including fraud risks)
Our audit approach
Property, Plant and Equipment
Property, Plant and Equipment (PPE) represent the
largest value on the Council’s balance sheet. PPE are
initially measured at cost and then revalued to fair value
(determined by the amount that would be paid for the
asset in its existing use) on a 5 year rolling basis. This is
carried out by an expert valuer and is based on a
number of complex assumptions. Annually assets are
assessed to identify whether there is any indication of
impairment.
Our approach will focus on:
►
Consideration of any revaluations in year, the basis
of valuation of significant assets and any significant
changes in use to ensure they remain appropriate if
circumstances change.
►
The valuation expertise used by the Council
►
The reasonableness of the estimations and
judgements used.
►
Testing capitalisation of expenditure to ensure that it
meets accounting standard requirements
ISAs (UK and Ireland) 500 and 540 require us to
undertake procedures on the use of experts and
assumptions underlying fair value estimates.
Due to the nature, size and complexity of PPE
accounting we consider this a significant risk.
Risk of fraud in revenue recognition
Under ISA (UK and Ireland) 240 there is a presumed risk
that revenue may be misstated due to improper
recognition of revenue.
In the public sector, this requirement is modified by
Practice Note 10, issued by the Financial Reporting
Council, which states that auditors should also consider
the risk that material misstatements may occur by the
manipulation of expenditure recognition.
We will
►
Review and test revenue and expenditure
recognition policies
►
Review and discuss with management any
accounting estimates on revenue or expenditure
recognition for evidence of bias
►
Develop a testing strategy to test material revenue
and expenditure streams
►
Review and test revenue cut-off at the period end
date
Risk of management override
As identified in ISA (UK and Ireland) 240, management
is in a unique position to perpetrate fraud because of its
ability to manipulate accounting records directly or
indirectly and prepare fraudulent financial statements by
overriding controls that otherwise appear to be operating
effectively. We identify and respond to this fraud risk on
every audit engagement.
Our approach will focus on:
►
Testing the appropriateness of journal entries
recorded in the general ledger and other
adjustments made in the preparation of the financial
statements
►
Reviewing accounting estimates for evidence of
management bias, and
►
Evaluating the business rationale for significant
unusual transactions
Other financial statement risks
Pensions
The Council operates a defined benefits pension
scheme. Accounting for this scheme involves significant
estimation and judgement. The Pension liability is the
largest value liability on the balance sheet. Due to the
nature, volume and size of the transactions we consider
this to be a risk.
Our approach will focus on:
► The actuarial expertise used by the Council
► The reasonableness of the estimations and judgements used.
2.1 Responsibilities in respect of fraud and error
We would like to take this opportunity to remind you that management has the primary
responsibility to prevent and detect fraud. It is important that management, with the oversight
of those charged with governance, has a culture of ethical behaviour and a strong control
environment that both deters and prevents fraud.
Our responsibility is to plan and perform audits to obtain reasonable assurance about
whether the financial statements as a whole are free of material misstatements whether
caused by error or fraud. As auditors, we approach each engagement with a questioning
mind that accepts the possibility that a material misstatement due to fraud could occur, and
design the appropriate procedures to consider such risk.
Based on the requirements of auditing standards our approach will focus on:
► Identifying fraud risks during the planning stages;
► Enquiry of management about risks of fraud and the controls to address those risks;
► Understanding the oversight given by those charged with governance of management’s processes over fraud;
► Consideration of the effectiveness of management’s controls designed to address the risk of fraud;
► Determining an appropriate strategy to address any identified risks of fraud, and,
► Performing mandatory procedures regardless of specifically identified risks.
3. Value for money risks
We are required to consider whether the Council has put in place ‘proper arrangements’ to
secure economy, efficiency and effectiveness on its use of resources.
For 2015-16 this is based on the overall evaluation criterion:
“In all significant respects, the audited body had proper arrangements to ensure it took
properly informed decisions and deployed resources to achieve planned and sustainable
outcomes for taxpayers and local people”
Proper arrangements are defined by statutory guidance issued by the National Audit Office.
They comprise your arrangements to:
· Take informed decisions;
· Deploy resources in a sustainable manner; and
· Work with partners and other third parties.
In considering your proper arrangements, we will draw on the requirements of the
CIPFA/SOLACE framework for local government to ensure that our assessment is made
against a framework that you are already required to have in place and to report on through
documents such as your annual governance statement.
We are only required to determine whether there are any risks that we consider significant,
which the Code of Audit Practice defines as:
“A matter is significant if, in the auditor’s professional view, it is reasonable to conclude that
the matter would be of interest to the audited body or the wider public”
Our risk assessment supports the planning of sufficient work to enable us to deliver a safe
conclusion on arrangements to secure value for money and enables us to determine the
nature and extent of further work that may be required. If we do not identify any significant
risks there is no requirement to carry out further work.
Our risk assessment has therefore considered both the potential financial impact of the
issues we have identified, and also the likelihood that the issue will be of interest to local
taxpayers, the Government and other stakeholders. This has not identified any risks which
we view as relevant to our value for money conclusion.
4. Our audit process and strategy
4.1 Objective and scope of our audit
Under the Code of Audit Practice our principal objectives are to review and report on the
Council’s:
► Financial statements
► Arrangements for securing economy, efficiency and effectiveness in its use of resources to the extent required by the relevant legislation and the requirements of the Code.
We issue an audit report that covers:
1. Financial statement audit
Our objective is to form an opinion on the financial statements under International Standards
on Auditing (UK and Ireland).
Alongside our audit report, we also:
► Review and report to the NAO on the Whole of Government Accounts return to the extent and in the form they require;
2. Arrangements for securing economy, efficiency and effectiveness (value for money)
We are required to consider whether the Council has put in place ‘proper arrangements’ to
secure economy, efficiency and effectiveness on its use of resources.
4.2 Audit process overview
Our Audit involves:
► Assessing the key internal controls in place and, where we consider it appropriate to do so, testing the operation of these controls
► Review and re-performance of the work of Internal Audit where appropriate
► Reliance on the work of experts in relation to areas such as pensions and property valuations
► Substantive tests of detail of transactions and amounts
Analytics
We will use our computer-based analytics tools [tailor as appropriate] to enable us to capture
whole populations of your financial data, in particular journal entries. These tools:
► Help identify specific exceptions and anomalies which can then be subject to more traditional substantive audit tests
► Give greater likelihood of identifying errors than random sampling techniques.
We will report the findings from our process and analytics work, including any significant
weaknesses or inefficiencies identified and recommendations for improvement, to
management and the Audit Committee.
Internal audit
We will review internal audit plans and the results of their work. We will reflect the findings
from these reports, together with reports from any other work completed in the year, in our
detailed audit plan, where we raise issues that could have an impact on the year-end
financial statements.
Use of specialists
When auditing key judgements, we are often required to rely on the input and advice
provided by specialists who have qualifications and expertise not possessed by the core audit
team. The areas where either EY or third party specialists provide input for the current year
audit are:
Area | Specialists
Pensions | Actuary/EY Pensions team
Property, plant and equipment | Expert Valuer/EY Valuations team
In accordance with Auditing Standards, we will evaluate each specialist’s professional
competence and objectivity, considering their qualifications, experience and available
resources, together with the independence of the individuals performing the work.
We also consider the work performed by the specialist in light of our knowledge of the
Council’s environment and processes and our assessment of audit risk in the particular area.
For example, we would typically perform the following procedures:
► Analyse source data and make inquiries as to the procedures used by the expert to establish whether the source data is relevant and reliable;
► Assess the reasonableness of the assumptions and methods used;
► Consider the appropriateness of the timing of when the specialist carried out the work; and
► Assess whether the substance of the specialist’s findings is properly reflected in the financial statements.
4.3 Mandatory audit procedures required by auditing standards and the Code
As well as the financial statement risks (section two) and value for money risks (section
three), we must perform other procedures as required by auditing, ethical and independence
standards, the Code and other regulations. We outline below the procedures we will
undertake during the course of our audit.
Procedures required by standards
► Addressing the risk of fraud and error;
► Significant disclosures included in the financial statements;
► Entity-wide controls;
► Reading other information contained in the financial statements and reporting whether it is inconsistent with our understanding and the financial statements;
► Auditor independence.
Procedures required by the Code
► Reviewing, and reporting on as appropriate, other information published with the financial statements, including the Annual Governance Statement.
► Reviewing and reporting on the Whole of Government Accounts return, in line with the instructions issued by the NAO
Finally, we are also required to discharge our statutory duties and responsibilities as
established by the Local Audit and Accountability Act 2014.
4.4 Materiality
For the purposes of determining whether the financial statements are free from material error,
we define materiality as the magnitude of an omission or misstatement that, individually or in
aggregate, could reasonably be expected to influence the users of the financial statements.
Our evaluation requires professional judgement and so takes into account qualitative as well
as quantitative considerations implied in the definition.
We have determined that overall materiality for the financial statements of the Council is £1m
based on 2% of gross expenditure on deficit on provision of services. We will communicate
uncorrected audit misstatements greater than £50,000 to you.
The amount we consider material at the end of the audit may differ from our initial
determination. At this stage, however, it is not feasible to anticipate all the circumstances that
might ultimately influence our judgement. At the end of the audit we will form our final opinion
by reference to all matters that could be significant to users of the financial statements,
including the total effect of any audit misstatements, and our evaluation of materiality at that
date.
4.5 Fees
The duty to prescribe fees is a statutory function delegated to Public Sector Audit
Appointments Ltd (PSAA) by the Secretary of State for Communities and Local Government.
PSAA has published a scale fee for all relevant bodies. This is defined as the fee required by
auditors to meet statutory responsibilities under the Local Audit and Accountability Act 2014 in
accordance with the NAO Code. The indicative fee scale for the audit of North Norfolk District
Council is £54,113.
4.6 Your audit team
The engagement team is led by Rob Murray, who has significant experience on Local
Government audits. Rob is supported by Sappho Powell who is responsible for the day-to-day
direction of audit work and is the key point of contact for the Head of Finance.
4.7 Timetable of communication, deliverables and insights
We have set out below a timetable showing the key stages of the audit, including the value
for money work and the Whole of Government Accounts. The timetable includes the
deliverables we have agreed to provide to the Council through the Audit Committee’s cycle in
2015/16. These dates are determined to ensure our alignment with PSAA’s rolling calendar of
deadlines.
From time to time matters may arise that require immediate communication with the Audit
Committee and we will discuss them with the Chair as appropriate.
Following the conclusion of our audit we will prepare an Annual Audit Letter to communicate
the key issues arising from our work to the Council and external stakeholders, including
members of the public.
Audit phase
Timetable
High level planning
December
Risk assessment and
setting of scopes,
Testing routine
processes and
controls
Year-end audit
January
Completion of audit
July
Audit
Committee
timetable
Deliverables
March 2016
Audit Plan
Audit Fee Letter
Progress Report
June/July
TBC
Report to those charged with governance via the
Audit Results Report
Audit report (including our opinion on the
financial statements; and overall value for money
conclusion).
Audit completion certificate
Reporting to the NAO on the Whole of
Government Accounts return.
Conclusion of
reporting
September
TBC
Annual Audit Letter
In addition to the above formal reporting and deliverables we will seek to provide practical
business insights and updates on regulatory matters.
5. Independence
5.1 Introduction
The APB Ethical Standards and ISA (UK and Ireland) 260 ‘Communication of audit matters
with those charged with governance’ require us to communicate with you on a timely basis
on all significant facts and matters that bear on our independence and objectivity. The Ethical
Standards, as revised in December 2010, require that we do this formally both at the planning
stage and at the conclusion of the audit, as well as during the audit if appropriate. The aim of
these communications is to ensure full and fair disclosure by us to those charged with your
governance on matters in which you have an interest.
Required communications
Planning stage
► The principal threats, if any, to objectivity and independence identified by EY including consideration of all relationships between you, your affiliates and directors and us;
► The safeguards adopted and the reasons why they are considered to be effective, including any Engagement Quality Review;
► The overall assessment of threats and safeguards;
► Information about the general policies and process within EY to maintain objectivity and independence.
Final stage
► A written disclosure of relationships (including the provision of non-audit services) that bear on our objectivity and independence, the threats to our independence that these create, any safeguards that we have put in place and why they address such threats, together with any other information necessary to enable our objectivity and independence to be assessed;
► Details of non-audit services provided and the fees charged in relation thereto;
► Written confirmation that we are independent;
► Details of any inconsistencies between APB Ethical Standards, the PSAA Terms of Appointment and your policy for the supply of non-audit services by EY and any apparent breach of that policy; and
► An opportunity to discuss auditor independence issues.
During the course of the audit we must also communicate with you whenever any significant
judgements are made about threats to objectivity and independence and the appropriateness
of our safeguards, for example when accepting an engagement to provide non-audit services.
We also provide information on any contingent fee arrangements, the amounts of any future
contracted services, and details of any written proposal to provide non-audit services.
We ensure that the total amount of fees that EY and our network firms have charged to you
and your affiliates for the provision of services during the reporting period are disclosed,
analysed in appropriate categories.
5.2 Relationships, services and related threats and safeguards
We highlight the following significant facts and matters that may be reasonably considered to
bear upon our objectivity and independence, including any principal threats. However we
have adopted the safeguards below to mitigate these threats along with the reasons why they
are considered to be effective.
Self-interest threats
A self-interest threat arises when EY has financial or other interests in your entity. Examples
include where we have an investment in your entity; where we receive significant fees in
respect of non-audit services; where we need to recover long outstanding fees; or where we
enter into a business relationship with the Council.
At the time of writing, there are no long outstanding fees.
A self-interest threat may also arise if members of our audit engagement team have
objectives or are rewarded in relation to sales of non-audit services to the Council. We
confirm that no member of our audit engagement team, including those from other service
lines, is in this position, in compliance with Ethical Standard 4.
There are no other self-interest threats at the date of this report.
Self-review threats
Self-review threats arise when the results of a non-audit service performed by EY or others
within the EY network are reflected in the amounts included or disclosed in the financial
statements.
There are no other self-review threats at the date of this report.
Management threats
Partners and employees of EY are prohibited from taking decisions on behalf of management
of your entity. Management threats may also arise during the provision of a non-audit service
where management is required to make judgements or decisions based on that work.
There are no management threats at the date of this report.
Other threats
Other threats, such as advocacy, familiarity or intimidation, may arise.
There are no other threats at the date of this report.
Overall Assessment
Overall we consider that the adopted safeguards appropriately mitigate the principal threats
identified, and we therefore confirm that EY is independent and the objectivity and
independence of Rob Murray, the audit engagement Executive Director and the audit
engagement team have not been compromised.
5.3 Other required communications
EY has policies and procedures that instil professional values as part of firm culture and
ensure that the highest standards of objectivity, independence and integrity are maintained.
Details of the key policies and processes within EY for maintaining objectivity and
independence can be found in our annual Transparency Report, which the firm is required to
publish by law. The most recent version of this report is for the year ended June 2015 and
can be found here:
http://www.ey.com/UK/en/About-us/EY-UK-Transparency-Report-2015
Appendix A
Fees
A breakdown of our agreed fee is shown below.
Fee | Planned Fee 2015/16 (£) | Scale fee 2015/16 (£) | Outturn fee 2014/15 (£) | Explanation
Opinion Audit and VFM Conclusion | 54,113 | 54,113 | 72,150 | Deduction due to 25% decrease in fees from PSAA
Total Audit Fee – Code work | 54,113 | 54,113 | 72,150 |
Certification of claims and returns (note 1) | 26,390 | 26,390 | 35,480 | Deduction due to 25% decrease in fees from PSAA
All fees exclude VAT.
The agreed fee presented above is based on the following assumptions:
► Officers meeting the agreed timetable of deliverables;
► Our accounts opinion and value for money conclusion being unqualified;
► Appropriate quality of documentation is provided by the Council; and
► The Council has an effective control environment.
If any of the above assumptions prove to be unfounded, we will seek a variation to the agreed
fee. This will be discussed with the Council in advance.
Fees for the auditor’s consideration of correspondence from the public and formal objections
will be charged in addition to the scale fee.
1 Our fee for the certification of grant claims is based on the indicative scale fee set by the PSAA.
Appendix B
UK required communications with those charged with governance
There are certain communications that we must provide to the Audit Committee. These are
detailed here:
Required communication and reference
Planning and audit approach
Communication of the planned scope and timing of the audit including any limitations.
Reference: Audit Plan
Significant findings from the audit
► Our view about the significant qualitative aspects of accounting practices including accounting policies, accounting estimates and financial statement disclosures
► Significant difficulties, if any, encountered during the audit
► Significant matters, if any, arising from the audit that were discussed with management
► Written representations that we are seeking
► Expected modifications to the audit report
► Other matters if any, significant to the oversight of the financial reporting process
Reference: Report to those charged with governance
Misstatements
► Uncorrected misstatements and their effect on our audit opinion
► The effect of uncorrected misstatements related to prior periods
► A request that any uncorrected misstatement be corrected
► In writing, corrected misstatements that are significant
Reference: Report to those charged with governance
Fraud
► Enquiries of the Audit Committee to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity
► Any fraud that we have identified or information we have obtained that indicates that a fraud may exist
► A discussion of any other matters related to fraud
Reference: Report to those charged with governance
Related parties
Significant matters arising during the audit in connection with the entity’s related parties including, when applicable:
► Non-disclosure by management
► Inappropriate authorisation and approval of transactions
► Disagreement over disclosures
► Non-compliance with laws and regulations
► Difficulty in identifying the party that ultimately controls the entity
Reference: Report to those charged with governance
External confirmations
► Management’s refusal for us to request confirmations
► Inability to obtain relevant and reliable audit evidence from other procedures
Reference: Report to those charged with governance
Consideration of laws and regulations
► Audit findings regarding non-compliance where the non-compliance is material and believed to be intentional. This communication is subject to compliance with legislation on tipping off
► Enquiry of the Audit Committee into possible instances of non-compliance with laws and regulations that may have a material effect on the financial statements and that the Audit Committee may be aware of
Reference: Report to those charged with governance
Independence
Communication of all significant facts and matters that bear on EY’s objectivity and independence
Communication of key elements of the audit engagement director’s consideration of independence and objectivity such as:
► The principal threats
► Safeguards adopted and their effectiveness
► An overall assessment of threats and safeguards
► Information about the general policies and process within the firm to maintain objectivity and independence
Reference: Audit Plan; Report to those charged with governance
Going concern
Events or conditions identified that may cast significant doubt on the entity’s ability to continue as a going concern, including:
► Whether the events or conditions constitute a material uncertainty
► Whether the use of the going concern assumption is appropriate in the preparation and presentation of the financial statements
► The adequacy of related disclosures in the financial statements
Reference: Report to those charged with governance
Significant deficiencies in internal controls identified during the audit
Reference: Report to those charged with governance
Fee Information
► Breakdown of fee information at the agreement of the initial audit plan
► Breakdown of fee information at the completion of the audit
Reference: Audit Plan; Report to those charged with governance; Annual Audit Letter if considered necessary
Opening Balances (initial audits)
► Findings and issues regarding the opening balance of initial audits
Reference: Report to those charged with governance
Certification work
► Summary of certification work undertaken
Reference: Annual Report to those charged with governance summarising grant certification, and Annual Audit Letter if considered necessary
EY | Assurance | Tax | Transactions | Advisory
Ernst & Young LLP
© Ernst & Young LLP. Published in the UK.
All Rights Reserved.
The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales
with registered number OC300001 and is a member firm of Ernst & Young Global Limited.
Ernst & Young LLP, 1 More London Place, London, SE1 2AF.
ey.com
Audit Committee
15 March 2016
Agenda Item No 9
Progress Report on Internal Audit Activity: 25 November 2015 to 2 March 2016
Summary:
This report examines the progress made between 25 November
2015 and 2 March 2016 in relation to delivery of the Annual
Internal Audit Plan for 2015/16.
Conclusions:
Progress in relation to delivery of the Internal Audit Plan is in line
with expectations with the audit plan now being 90% complete;
and positive assurances have been awarded in the six audit
reviews finalised in this period.
Recommendations:
It is recommended that the Committee notes the outcome of the
audits completed between 25 November 2015 and 2 March
2016 where assurance levels have been given.
Cabinet member(s): All
Ward(s) affected: All
Contact Officer, telephone number, and e-mail: Emma Hodds, Internal Audit Consortium Manager, 01508 533791, ehodds@s-norfolk.gov.uk
1. Background
1.1. This report reflects progress made with regard to assignments featuring in the approved Annual Internal Audit Plan for 2015/16 which was endorsed by the Audit Committee on 17 March 2015.
2. Overall Position
2.1. The overall position in relation to the progress made against the Internal Audit Plan is within the attached report.
3. Conclusion
3.1 Progress in relation to delivery of the Internal Audit Plan is in line with expectations and positive assurances have been awarded in the six audit reviews finalised in this period.
4. Recommendation
4.1 It is recommended that the Committee notes the outcome of the audits completed between 25 November 2015 and 2 March 2016 where assurance levels have been given.
Appendices attached to this report:
Progress Report on Internal Audit Activity
Eastern Internal Audit Services
NORTH NORFOLK DISTRICT COUNCIL
Progress Report on Internal Audit Activity
Period Covered: 25 November 2015 to 2 March 2016
Responsible Officer: Emma Hodds – Internal Audit Consortium Manager (IACM)
CONTENTS
1. INTRODUCTION
2. SIGNIFICANT CHANGES TO THE APPROVED INTERNAL AUDIT PLAN
3. PROGRESS MADE IN DELIVERING THE AGREED AUDIT WORK
4. THE OUTCOMES ARISING FROM OUR WORK
5. PERFORMANCE MEASURES
APPENDIX 1 – PROGRESS IN COMPLETING THE AGREED AUDIT WORK
APPENDIX 2 – AUDIT REPORT EXECUTIVE SUMMARIES
APPENDIX 3 – PERFORMANCE MEASURES
APPENDIX 4 – SUMMARY OF RESULTS FROM CROSS AUTHORITY REVIEW
1. INTRODUCTION
1.1 This report is issued to assist the Authority in discharging its responsibilities in relation to the internal audit activity.
1.2 The Public Sector Internal Audit Standards also require the Chief Audit Executive (known in this context as the Internal Audit Consortium Manager) to report to the Audit Committee on the performance of internal audit relative to its plan, including any significant risk exposures and control issues. The frequency of reporting and the specific content are for the Authority to determine.
1.3 To comply with the above this report includes:
• Any significant changes to the approved Audit Plan;
• Progress made in delivering the agreed audits for the year;
• Any significant outcomes arising from those audits; and
• Performance Indicator outcomes to date.
2. SIGNIFICANT CHANGES TO THE APPROVED INTERNAL AUDIT PLAN
2.1 At the meeting on 15 March 2015, the Annual Internal Audit Plan for the year was approved, identifying the specific audits to be delivered, with the IT audits confirmed at the previous Committee meeting in September. Since then there have been no further changes to the plan.
3. PROGRESS MADE IN DELIVERING THE AGREED AUDIT WORK
3.1 The current position in completing audits to date within the financial year is shown in Appendix 1 and progress to date is in line with expectations.
3.2 In summary 153 days of programmed work has been completed, equating to 90% of the (revised) Audit Plan for 2015/16. The only audit remaining is the Key Controls and Assurance audit which commenced on 7 March 2016; all other audits are now complete.
4. THE OUTCOMES ARISING FROM OUR WORK
4.1 On completion of each individual audit an assurance level is awarded using the definitions shown in the table below.
Substantial Assurance | Based upon the issues identified there is a robust series of suitably designed internal controls in place upon which the organisation relies to manage the risks to the continuous and effective achievement of the objectives of the process, and which at the time of our review were being consistently applied.
Reasonable Assurance | Based upon the issues identified there is a series of internal controls in place, however these could be strengthened to facilitate the organisation’s management of risks to the continuous and effective achievement of the objectives of the process. Improvements are required to enhance the controls to mitigate these risks.
Limited Assurance | Based upon the issues identified the controls in place are insufficient to ensure that the organisation can rely upon them to manage the risks to the continuous and effective achievement of the objectives of the process. Significant improvements are required to improve the adequacy and effectiveness of the controls to mitigate these risks.
No Assurance | Based upon the issues identified there is a fundamental breakdown or absence of core internal controls such that the organisation cannot rely upon them to manage risk to the continuous and effective achievement of the objectives of the process. Immediate action is required to improve the controls required to mitigate these risks.
4.2 Recommendations made on completion of audit work are prioritised using the definitions shown in the table below.
Urgent | Fundamental control issue on which action to implement should be taken within 1 month.
Important | Control issue on which action to implement should be taken within 3 months.
Needs Attention | Control issue on which action to implement should be taken within 6 months.
4.3 In addition, on completion of audit work “Operational Effectiveness Matters” are proposed. These set out matters identified during the assignment where there may be opportunities for service enhancements to be made to both increase operational efficiency and enhance the delivery of value for money services. These are for management to consider and are not part of the follow up process.
4.4 During the period covered by the report Internal Audit Services have issued six final reports. The Executive Summaries of these reports are attached at Appendix 2; full copies of these reports can be requested by Members from the Internal Audit Consortium Manager.
4.5 As a result of these audits 23 recommendations have been raised: no priority one (urgent) recommendations, seven priority two (important) recommendations and 16 priority three (needs attention) recommendations, all of which have been agreed by management. In addition 10 Operational Effectiveness Matters have been proposed to management for consideration.
4.6 In summary the final reports issued conclude the following:
Remittances / Income
The scope of this audit covered: policies & procedures, receipting, posting & reconciling of
income; and physical security. The audit concluded with a substantial assurance, and three
needs attention recommendations agreed with management, all of which have already been
actioned by management.
Car Parks
The audit covered the service level agreement with Kings Lynn and West Norfolk Borough
Council (KLWNBC); enforcement; cash collection; appeals; season tickets; and fees &
charges. On conclusion a reasonable assurance was awarded, with four important and one
needs attention recommendations agreed with management.
The four important recommendations relate to; ensuring that any future variations to the
service level agreement are formally documented & retained; investigating differences as a
result of the income reconciliations; undertaking a monthly reconciliation of cash collection
records to ticket machine cash collection, in support of the existing reconciliation of car park
income records; and to discuss with KLWNBC the information in relation to penalty charge
notices (PCN) to enable the Council to more accurately monitor the PCN income received.
Accountancy Services
The scope of the audit covered: treasury management; control accounts; banking; bank
reconciliations; asset register; journal entries - general ledger maintenance; and budgetary
control. On conclusion a reasonable assurance was awarded, with one important and five
needs attention recommendations agreed with management.
The important recommendation relates to ensuring that the current Barclays mandate
reflects the correct signatories on the correct bank accounts as per the Council’s list of
authorised bank signatories.
Accounts Receivable
This audit covered: policies, procedures & security of the system; raising of sundry debtors,
refunds & transfers; direct debits; suspense account; and recovery & write off of outstanding
debts. A substantial assurance opinion was concluded with only one needs attention
recommendation agreed with management.
Disaster Recovery
The objective of the IT audit was to ensure that the controls in place to manage Disaster
Recovery (DR) and Physical Access at the Fakenham DR site are operating securely and
effectively. The audit concluded with a reasonable assurance, and five needs attention
recommendations were agreed with management. The audit also recognised that the
Fakenham DR site is a purpose built facility within a recently-refurbished Council-owned
building and is an appropriate distance from the Cromer Head Office, thus ensuring a safe
site at which to recover systems.
Cash Receipting Application
The objective of the IT audit was to review the systems and controls in place within the Cash
Receipting Application to ensure that these are operating adequately, effectively and
efficiently. The audit concluded with a reasonable assurance, and two important and one
needs attention recommendations were agreed with management.
The two important recommendations relate to: clarifying system ownership of the Paye.net,
AIM and ACR systems; and to initiate a process whereby the application's contract is
reviewed with a view to renewing it or tendering for a replacement by the expiry date of
August 2016.
4.7
It is pleasing to note that all audits concluded in a positive opinion being awarded, indicating
a strong and stable control environment to date, with no issues that would need to be
considered at year end and included in the Annual Governance Statement.
4.8
In addition, as part of the new contract with TIAA, a Cross Authority review has been
undertaken of the Accounts Payable services. The Councils involved in this review were
Breckland, North Norfolk & South Norfolk District Councils and Gt Yarmouth Borough
Council.
The overall objective of the review was to identify where there are opportunities to generate
savings in processing of transactions within the Accounts Payable function.
The review evaluates the arrangements at the Council in respect to Creditor Payments and
those at three other Councils in the region to identify and share opportunities for good
practice.
Key Points
o None of the Councils were significant outliers
o Opportunities identified for efficiencies in procurement
o All Councils made creditor payments within their target
o Variances existed in the analysis of payments made without a purchase order
6 points were raised on conclusion of the review:
1. The Council may wish to establish whether it has an appropriate process in place to
minimize the risk of overpayments being made through Direct Debits.
2. The Council may wish to revisit its position regarding prompt payment discounts.
3. The Council may wish to communicate these performance indicators to demonstrate
their commitment to the local community.
4. Whilst prompt payment of suppliers is required this should not be achieved at the
expense of establishing why a purchase order was not raised.
5. The Councils may wish to consider putting in place a joint procurement process
initially for stationery, printing and recruitment.
6. The Councils may wish to consider a joint analysis exercise on capital expenditure to
identify any common suppliers, and potentially enter in to joint contracts.
Appendix 4 provides a summary of the results.
5.
PERFORMANCE MEASURES
5.1
The new Internal Audit Services contract includes a suite of key performance measures
against which the new contractor will be reviewed on a quarterly basis. There are a total of
13 indicators, over 4 areas. From the first year of the contract records will be maintained for
all 13, however performance can only be recorded on 11 of these as base line data is
required for the final 2. The performance measures can be seen at Appendix 3.
5.2
There are individual requirements for performance in relation to each measure; however
performance will be assessed on an overall basis as follows (for the first year):
• 9-11 KPIs have met target = Green Status.
• 5-8 KPIs have met target = Amber Status.
• 4 or below have met target = Red Status.
Where performance is amber or red a Performance Improvement Plan will be developed by
the contractor and agreed with the Internal Audit Consortium Manager to ensure that
appropriate action is taken.
5.3
The first three quarters’ work has been completed and a report on the performance
measures provided to the Internal Audit Consortium Manager shows that performance is
currently at green status with targets having been satisfactorily met for all quarters.
5.4
In addition to these quarterly reports from the Contractor’s Audit Director, ongoing weekly
updates are provided to ensure that delivery of the audit plan for the current financial year is
on track. A review of the most recent update indicates that the work is on track for
completion by the end of the financial year.
APPENDIX 1 – PROGRESS IN COMPLETING THE AGREED AUDIT WORK
| Audit Area | Audit Ref | No. of days | Revised Days | Days Delivered | Status | Assurance Level | Urgent | Important | Needs Attention | Op | Date to Committee |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Quarter 1 | | | | | | | | | | | |
| Leisure, Arts and Pier Pavilion | NN1601 | 10 | 10 | 10 | Final Report issued 17 July 2015 | Reasonable | 0 | 5 | 3 | 1 | 15 September 2015 |
| Waste Management | NN1602 | 17 | 17 | 17 | Final Report issued 9 July 2015 | Reasonable | 0 | 2 | 1 | 1 | 15 September 2015 |
| TOTAL | | 27 | 27 | 27 | | | | | | | |
| Quarter 2 | | | | | | | | | | | |
| Corporate Governance and Risk Management | NN1603 | 8 | 8 | 8 | Final Report issued 25 November 2015 | Reasonable | 0 | 2 | 2 | 0 | 8 December 2015 |
| Housing Strategy & Affordable Housing, including Housing Enabling & Empty Properties | NN1604 | 10 | 10 | 10 | Final Report issued 30 October 2015 | Reasonable | 0 | 2 | 0 | 1 | 8 December 2015 |
| Homelessness and Housing Options | NN1605 | 10 | 10 | 10 | Final Report issued 3 November 2015 | Reasonable | 0 | 1 | 3 | 1 | 8 December 2015 |
| Parks and Open Spaces & Woodland Management | NN1606 | 10 | 10 | 10 | Final Report issued 28 October 2015 | Reasonable | 0 | 3 | 1 | 2 | 8 December 2015 |
| TOTAL | | 38 | 38 | 38 | | | | | | | |
| Quarter 3 | | | | | | | | | | | |
| Remittances | NN1607 | 12 | 12 | 12 | Final Report issued 2 December 2015 | Substantial | 0 | 0 | 3 | 1 | 15 March 2016 |
| Car Parking | NN1608 | 10 | 10 | 10 | Final Report issued 27 November 2015 | Reasonable | 0 | 4 | 1 | 2 | 15 March 2016 |
| TOTAL | | 22 | 22 | 22 | | | | | | | |
| Quarter 4 | | | | | | | | | | | |
| Key Controls and Assurance | NN1609 | 15 | 15 | 1 | Audit due to start 7 March 2016 | | | | | | |
| Accountancy Services | NN1610 | 16 | 16 | 16 | Final Report issued 2 March 2016 | Reasonable | 0 | 1 | 5 | 1 | 15 March 2016 |
| Accounts Receivables | NN1611 | 10 | 10 | 10 | Final Report issued 2 March 2016 | Substantial | 0 | 0 | 1 | 2 | 15 March 2016 |
| TOTAL | | 41 | 41 | 27 | | | | | | | |
| IT Audits | | | | | | | | | | | |
| Disaster Recovery | NN1612 | 0 | 8 | 8 | Final Report issued 10 December 2015 | Reasonable | 0 | 0 | 5 | 2 | 15 March 2016 |
| Software Licensing | NN1613 | 0 | 6 | 6 | Final Report issued 7 August 2015 | Reasonable | 0 | 3 | 2 | 1 | 15 September 2015 |
| Register of Electors | NN1614 | 0 | 8 | 8 | Final Report issued 6 November 2015 | Reasonable | 0 | 2 | 2 | 0 | 8 December 2015 |
| Cash Receipting Application | NN1615 | 0 | 8 | 8 | Final Report issued 7 December 2015 | Reasonable | 0 | 2 | 1 | 2 | 15 March 2016 |
| IT audits to be confirmed | NN TBC | 30 | 0 | 0 | | | | | | | |
| TOTAL | | 30 | 30 | 30 | | | | | | | |
| Follow Up | | | | | | | | | | | |
| Follow Up | NN NA | 12 | 12 | 9 | | | | | | | |
| TOTAL | | 12 | 12 | 9 | | | | | | | |
| TOTAL | | 170 | 170 | 153 | | | 0 | 27 | 30 | 17 | |

Percentage of plan completed: 90%
APPENDIX 2 – AUDIT REPORT EXECUTIVE SUMMARIES
Assurance Review of Remittances
Executive Summary
OVERALL ASSURANCE ASSESSMENT
ACTION POINTS
| Control Area | Urgent | Important | Needs Attention | Operational |
|---|---|---|---|---|
| Physical security surrounding the making of payments | 0 | 0 | 1 | 0 |
| Receipting of monies | 0 | 0 | 1 | *1 |
| Reconciling income | 0 | 0 | 1 | *0 |
| Total | 0 | 0 | 3 | 1 |
Control Areas where no recommendations raised: Policies and Procedures and
Posting of Income.
*Relates to procedures for both areas.
SCOPE
The objective of the audit was to review the systems and controls in place within Remittances, to help confirm that these are operating adequately, effectively and efficiently.
RATIONALE
• The systems and processes of internal control are, overall, deemed ‘Substantial’ in managing the risks associated with the Remittances Audit. The
assurance opinion has been derived as a result of three ‘needs attention’ recommendations being raised upon the conclusion of our work.
• The audit has also raised one Operational Effectiveness Matter, which sets out matters identified during the assignment where there may be opportunities
for service enhancements to be made to increase both the operational efficiency and the delivery of value for money services.
KEY FINDINGS
Positive findings
It is acknowledged there are areas where sound controls are in place and operating consistently:
• Documented procedures are in place and regularly reviewed to govern the receipt and banking of income at the Tourist Information Centres (TIC),
and to manage cash and bank functions undertaken by Cashiers at the Council.
• Income is received by the Council through secure methods and processes are in place for the cashing up and daily banking of income at the TICs,
and within the Cashiers Office at the Council.
• Weekly TIC returns are processed and checked against bank statements regularly, with discrepancies identified and resolved as per procedure.
• A daily download is posted accurately to the Axis income system.
• Exception reports for the direct credits account are run daily to highlight any errors or omissions, which are then promptly investigated.
• A monthly reconciliation is undertaken between the cash and deposits book and the bank statements, with discrepancies identified and resolved in
line with procedure.
Issues to be addressed
The audit has also highlighted the following areas where three ‘needs attention’ recommendations have been made.
Physical security surrounding the making of payments
• A record is not retained of those Council staff, working at the TICs, who have been given access to the TIC till system. Without a process for
documenting access provided to the till system, there is a risk that unauthorised use of the till system may occur.
Receipting of monies
• As a recent stock take had been undertaken it was possible to walk through the process and obtain assurance that the correct process was followed,
however evidence of this is not retained. Without the retention of documentation for stock takes undertaken, there is a risk that investigations cannot
be undertaken if stock were misappropriated.
Reconciling income
• Not all reconciliations of TIC returns to bank statements were subject to independent review. Without an independent review in place, there is a risk
that financial loss could occur through unidentified fraud or error.
Operational Effectiveness Matters
The operational effectiveness matter for management to consider relates to a structured three yearly review of the procedures produced by the Exchequer
Services Team for the handling of the functions in relation to income, banking, exceptions and reconciliations.
In addition, there is a backlog in relation to the completion of bank reconciliations; this is due to the responsible member of staff being on leave during the
summer period. The risk of non-completion within a timely manner is mitigated due to the ability to identify differences through the Cash and Deposits
reconciliations, and due to resilience procedures for the completion of these reconciliations being in place, whereby the Finance Team Leader can undertake
these reconciliations. Furthermore, prior to August 2015, a segregation of duties had not always been in place between the completion and checking of the
daily reconciliations of bank statements and income accounts. The Finance Team Leader stated that, since August 2015, a segregation of duties has been in
place and this has been verified through testing during the fieldwork for this audit. As such, no further recommendations are raised in this report relating to
these points.
Assurance Review of Car Parks
Executive Summary
OVERALL ASSURANCE ASSESSMENT
ACTION POINTS
| Control Area | Urgent | Important | Needs Attention | Operational |
|---|---|---|---|---|
| Service Level Agreements | 0 | 1 | 1 | 1 |
| Enforcement | 0 | 1 | 0 | 0 |
| Cash Collection | 0 | 2 | 0 | 1 |
| Total | 0 | 4 | 1 | 2 |
Control Areas where no recommendations raised: Appeals, Season Tickets and Fees
& Charges.
SCOPE
The objective of the audit was to review the systems and controls in place within Car Parks, as detailed in the action points section above, to help confirm that these are
operating adequately, effectively and efficiently.
RATIONALE
• The systems and processes of internal control are, overall, deemed ‘Reasonable’ in managing the risks associated with the Car Parks Audit. The
assurance opinion has been derived as a result of four ‘important’ recommendations and one ‘needs attention’ recommendation being raised upon the
conclusion of our work.
• The audit has also raised two ‘operational effectiveness matters’, which set out matters identified during the assignment where there may be opportunities
for service enhancements to be made to increase both the operational efficiency and enhance the delivery of value for money services.
KEY FINDINGS
Positive Findings
It is acknowledged there are areas where sound controls are in place and operating consistently:
• A service level agreement is in place with Kings Lynn & West Norfolk Borough Council (KL&WNBC) which confirms the arrangements, expectations
and liabilities regarding service provision.
• Contingency plans exist for the continuity of the service in the absence of the Leisure and Locality Services Manager.
• Procedures are in place for the review and approval of car park fees and charges.
• A full breakdown of income levels is produced on a regular basis to allow for the analysis of variances and trends.
• Season tickets are held securely, can be accounted for and correct payment for those issued is received.
Issues to be addressed
The audit has highlighted the following areas where four ‘important’ recommendations have been made.
Service Level Agreements
• Formal and documented variation agreements have not been completed and retained to reflect changes to the SLA between the Council and
KL&WNBC. Where formal and documented variation agreements are not in place, there is a risk that disputes may arise over changes to contractual
arrangements, leading to reputational loss for the Council.
Cash Collection
• Instances were identified where differences resulting from the reconciliation between income recorded on the Parkeon system and KL&WNBC
collection records were not investigated. Where differences resulting from income reconciliations are not identified and investigated in a timely
manner, there is an increased risk that cash may be misappropriated and not accounted for, leading to financial loss for the Council.
• Cash collection income figures reported by KL&WNBC are not checked against ticket machine income records prior to the reconciliation of car park
income records to the Council’s bank statements at the end of each month. Where cash collection records are not checked to ticket machine income
records prior to this monthly reconciliation, there is a risk that financial loss could occur through unidentified fraud or error at the point of collection.
Enforcement
• Monthly reports received by the Council from KL&WNBC in relation to the numbers of PCNs issued and the amount of income received from PCNs
do not provide sufficient information to undertake a reconciliation between the numbers of PCNs issued each month and the amount of income
received for those PCNs issued within the month. Where a full breakdown in relation to the amount of income received for PCNs issued within the
month is not provided, there is an increased risk that discrepancies through fraud or error will not be identified leading to financial loss for the Council.
The audit has highlighted the following areas where one ‘needs attention’ recommendation has been made.
Service Level Agreements
• One instance was identified where the Council had not retained a Field Service Report for repair work undertaken on a car park ticket machine by
Parkeon. Where supporting documentation is not retained for repair work undertaken, there is a risk that payments made for repair work will not be
accounted for, and correct, leading to financial loss for the Council.
Operational Effectiveness Matters
The operational effectiveness matters for management to consider relate to periodic analysis undertaken between the maintenance schedule and the
incidences of fault reported on ticket machines through the Parkeon system to allow monitoring of Parkeon’s activity in relation to general maintenance work
undertaken and further investigation undertaken in order to resolve the issues of timeliness for the receipt of invoices and the Annual Summary Report.
Assurance Review of Accountancy Services
Executive Summary
OVERALL ASSURANCE ASSESSMENT
ACTION POINTS
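| Control Area | Urgent | Important | Needs Attention | Operational |
|---|---|---|---|---|
| Policies and Procedures | 0 | 0 | 0 | 1 |
| Treasury Management | 0 | 0 | 1 | 0 |
| Control Accounts | 0 | 0 | 1 | 0 |
| Banking | 0 | 1 | 0 | 0 |
| Asset Register | 0 | 0 | 3* | 0 |
| Total | 0 | 1 | 5 | 1 |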
No Recommendations or Operational Effectiveness Matters were raised in the areas
of Journal Entries - General Ledger Maintenance and Budgetary Control.
Bank Reconciliations were reviewed as part of the NN/16/07 Remittances audit and
will be subject to top-up testing during the Key Controls and Assurance (NN/16/09)
review scheduled in March 2016.
* Relates to one previous recommendation remaining outstanding.
SCOPE
The objective of the audit was to review the systems and controls in place within Accountancy Services, as detailed in the action points above, to help confirm that these are
operating adequately, effectively and efficiently.
RATIONALE
• The systems and processes of internal control are, overall, deemed ‘Reasonable’ in managing the risks associated with Accountancy Services. The
assurance opinion has been derived as a result of one ‘important’ recommendation and five ‘needs attention’ recommendations being raised upon the
conclusion of our work.
• The audit has also raised one ‘operational effectiveness matter’, which sets out matters identified during the assignment where there may be opportunities
for service enhancements to be made to increase both the operational efficiency and enhance the delivery of value for money services.
KEY FINDINGS
Positive Findings
It is acknowledged there are areas where sound controls are in place and operating consistently:
Treasury Management
• Investment activity, including the investigation and approval of new investments and the monitoring and reporting of current investments, is in line
with policy.
Asset Register
• The asset register is promptly updated as and when acquisitions and disposals arise with the appropriate valuation, depreciation and capital charge
parameters applied.
• Council acquisitions are authorised and processed in line with policy.
Journal Entries - General Ledger Maintenance
• Manual journal entries are undertaken accurately and authorised in line with policy.
Budgetary Control
• Capital and revenue budgets are approved prior to the start of the financial year, based upon realistic, appropriate and reasonable assumptions and
are entered on the general ledger and profiled accurately.
• Capital and revenue budgets are monitored regularly throughout the year with designated budget holders and in-year budget virements authorised in
line with policy.
• All service heads are actively involved in setting the budgets for their own service areas and a process is in place for the Corporate Leadership Team
to challenge the budgets put forward by service areas.
Issues to be addressed
The audit has highlighted the following areas where one ‘important’ recommendation has been made.
Banking
• Amend the current Barclays mandate to reflect the correct signatories for the correct bank accounts as per the Council’s list of authorised bank
signatories to prevent the risk of unauthorised access to the Council’s bank accounts.
The audit has also highlighted the following areas where five ‘needs attention’ recommendations have been made.
Treasury Management
• Review the procedure for undertaking the treasury management reconciliations to the general ledger to ensure independent review is obtained on a
regular basis to prevent the risk that investment income is incorrectly accounted for within the Council’s bank accounts and the general ledger.
Control Accounts
• Reconciliation of the creditor control account to the general ledger be reviewed in a timely manner i.e. within a month of period end, to prevent the
risk of errors or fraudulent activities remaining undetected for longer than necessary and therefore harder to resolve.
Asset Register
• The Assets Team notifies the Group Accountant in relation to all reviews on assets due for revaluation to prevent the risk that the assets register
displays misleading or inaccurate information.
• Contingency arrangements be introduced in relation to the maintenance of the Assets Register for periods of staff member absence thereby
preventing the risk of assets not being accurately accounted for in the Asset Register or assets not being recorded.
• Reconciliation of the Asset Register to the general ledger be fully documented and independently reviewed to prevent the risk that Council assets will
be incorrectly accounted for within the Council’s accounts.
Operational Effectiveness Matters
The operational effectiveness matter for management to consider relates to a structured three yearly review of the procedures produced by the Sundry
Income, Exchequer and Accountancy Teams for the handling of the functions in relation to Accountancy services.
Previous audit recommendations
The audit reviewed the previous internal audit recommendations, of which one remains outstanding, in relation to a review of the Council's Disposal,
Investment and Acquisition Policy. This was discussed with management and a revised implementation date of 31st May 2016 was agreed. Progress with
implementing this recommendation will continue to be monitored through internal audit’s cyclical follow up checks. The fact that the recommendation remains
outstanding has been taken in to account in assessing the overall assurance opinion.
In addition, the review identified that manual journals under £100,000 in value are not subject to authorisation when processed. This is seen as a control
weakness and has been raised previously, including in the report for NN/15/13 – Work to Support the Annual Governance Statement (AGS) – issued 30th
March 2015, with management accepting the associated risks in not having this level of control in place. As such, no recommendation is made.
Assurance Review of Accounts Receivable
Executive Summary
OVERALL ASSURANCE ASSESSMENT
ACTION POINTS
| Control Area | Urgent | Important | Needs Attention | Operational |
|---|---|---|---|---|
| Policies, Procedures and Security of the system | 0 | 0 | 0 | 1 |
| Raising of sundry debtors, refunds and transfers | 0 | 0 | 1 | 1 |
| Suspense account | 0 | 0 | 0* | 0 |
| Total | 0 | 0 | 1 | 2 |
No recommendations or Operational Effectiveness Matters were raised in the
areas of Direct Debits and Recovery & Write off of outstanding debts.
*Relates to procedures for both areas.
SCOPE
The objective of the audit was to review the systems and controls in place within Accounts Receivable, as detailed in the action points above, to help confirm
that these are operating adequately, effectively and efficiently.
RATIONALE
• The systems and processes of internal control are, overall, deemed ‘Substantial’ in managing the risks associated with Accounts Receivable. The
assurance opinion has been derived as a result of one ‘needs attention’ recommendation being raised upon the conclusion of our work.
• The audit has also raised two ‘operational effectiveness matter(s)’, which set out matters identified during the assignment where there may be
opportunities for service enhancements to be made to increase both the operational efficiency and enhance the delivery of value for money services.
KEY FINDINGS
Positive Findings
It is acknowledged there are areas where sound controls are in place and operating consistently:
• Documented procedures are in place to govern the functions within accounts receivable.
• Invoices, credit notes and refunds are raised promptly and authorised as per Council procedures.
• Direct debit instructions are set up accurately and in a timely manner. Where errors are identified by the system these are recognised and corrected
prior to being collected.
• The system is set up for the automatic posting of unallocated items to the bucket customer (suspense) account. This account is regularly reviewed
and unallocated items are investigated and appropriately allocated.
• Arrears action in relation to outstanding debt is carried out promptly in accordance with the recovery strategy and timetable.
• Irrecoverable debts are appropriately authorised prior to being written off in accordance with the Corporate Debt and Write off policies.
Issues to be addressed
The audit has also highlighted the following areas where one ‘needs attention’ recommendation has been made:
Raising of sundry debtors, refunds and transfers
• Arrangements be made to ensure that the vacant post within the Sundry Income Team is filled. Where this post is not filled, there is a risk that
essential processes are not undertaken leading to financial and reputational loss to the Council.
Operational Effectiveness Matters
The operational effectiveness matters for management to consider relate to a structured three yearly review of the procedures produced by the Sundry
Income Team for the handling of the functions in relation to income, banking, exceptions and reconciliations and progressing arrangements on the financial
system (EFinancials) to enable reviews to be undertaken to identify duplicate invoices raised and customer accounts held.
Assurance Review of Disaster Recovery (DR) & Fakenham Physical Controls
Executive Summary
ACTION POINTS
OVERALL ASSURANCE ASSESSMENT
| Control Area | Urgent | Important | Needs Attention | Operational |
|---|---|---|---|---|
| Adequacy of DR Provision | 0 | 0 | 1 | 1 |
| DR Testing | 0 | 0 | 1 | 0 |
| Continuous Improvement | 0 | 0 | 1 | 0 |
| Physical Controls at the Fakenham DR site | 0 | 0 | 2 | 1 |
| Total | 0 | 0 | 5 | 2 |
No recommendations were made in the areas of; Backup & Recovery Capabilities,
Alignment with Business Continuity Plan, DR Development for new systems and Third
Party Management.
SCOPE
The objective of the audit was to review the systems and controls in place for DR & Fakenham Physical Controls, as detailed in the action points above, to help confirm that
these are operating adequately, effectively and efficiently.
RATIONALE
• The systems and processes of internal control are, overall, deemed ‘Reasonable’ in managing the risks associated with DR & Fakenham Physical
Controls. The assurance opinion has been derived as a result of five ‘needs attention’ recommendations being raised upon the conclusion of our work.
• The audit has also raised two ‘operational effectiveness matters’, which set out matters identified during the assignment where there may be
opportunities for service enhancements to be made to increase both the operational efficiency and enhance the delivery of value for money services.
KEY FINDINGS
Positive Findings
We found that the Council has demonstrated the following points of good practice as identified in this review and we will be sharing details of these
operational provisions with other member authorities in the Consortium:
• The Fakenham DR site is a purpose built facility within a recently-refurbished Council-owned building and is an appropriate distance from the Cromer
Head Office, thus ensuring a safe site at which to recover systems.
It is acknowledged there are areas where sound controls are in place and operating consistently:
• IT DR Plans have undergone review within the last 12 months.
• There is adequate backup and recovery infrastructure in place that replicates from Cromer to Fakenham each night.
• There is adequate communication between IT DR and Business Continuity management.
• Historic IT DR testing is evident.
• Training on Business Continuity Management is in place and is being rolled out over the coming months.
• The IT DR Plan is aligned with the Business Continuity plan where priority “Must Continue” functions are listed.
• The Council’s Lync and Skype telecommunications platforms are recent upgrades, which have been replicated to Fakenham.
• The Fakenham DR suite is adequately secured when not being visited and incorporates adequate external and internal CCTV within the shared office
spaces used by the Department for Work and Pensions.
Issues to be addressed
The audit has highlighted the following areas whereby controls would benefit from being strengthened, and as a result of these findings five ‘needs attention’
recommendations have been made.
Adequacy of DR Provision
• As part of the review of the DR plan, which is due in December 2015, the improved IT infrastructure should be taken into account. There are
additional ‘good practice’ processes that should also be considered. DR Plans that are not aligned to accepted good practice in this area increase
the risk of an inability to support the recovery of priority business area functions.
DR testing
• The historic DR test planning processes to be reinstated. Where DR plans are not tested regularly, there is an increased risk of unforeseen events
inadvertently hindering the ability to recover priority functions.
Continuous Improvement
• IT DR Plan documentation is not routinely distributed outside of the IT department. Whilst it is recognised that the content of the documentation may
be technical in nature, the lack of such distribution increases the risk of a lack of knowledge of the general IT plans.
Fakenham Physical Controls
• The Fakenham DR suite has no internal CCTV monitoring in place, although it is acknowledged that such systems are present elsewhere at the site.
The lack of monitoring of the DR suite itself increases the risk of undetected unauthorised access.
• There is no built-in fire suppression installed in the DR suite itself. As this is a shared facility with King’s Lynn & West Norfolk Borough Council and
the Department for Work and Pensions, the lack of built-in fire suppression increases the risk of loss of IT infrastructure for these organisations as
well as North Norfolk District Council.
Operational Effectiveness Matters
The operational effectiveness matters for management to consider relate to the need to keep hard copies of relevant DR documentation at relevant locations
such as Cromer and Fakenham and the need to consider the implementation of a visitor log at the Fakenham DR suite.
Assurance Review of the Cash Receipting Application
Executive Summary
OVERALL ASSURANCE ASSESSMENT
ACTION POINTS
Control Area                          Urgent   Important   Needs Attention   Operational
Application Management & Governance   0        1           1                 0
System Security                       0        0           0                 1
Interface & Processing Controls       0        0           0                 1
Support Arrangements                  0        1           0                 0
Total                                 0        2           1                 2
No recommendations were raised in the areas of change controls, management trails
and system resilience & recovery.
SCOPE
The objective of the audit was to review the systems and controls in place within the Cash Receipting Application, as detailed in the action points above, to help confirm that
these are operating adequately, effectively and efficiently.
RATIONALE
• The systems and processes of internal control are, overall, deemed Reasonable in managing the risks associated with the Cash Receipting Application.
The assurance opinion has been derived as a result of two ‘important’ recommendations and one ‘needs attention’ recommendation being raised upon the
conclusion of our work.
• The audit has also raised two ‘Operational Effectiveness Matters’, which set out matters identified during the assignment where there may be
opportunities for service enhancements to be made to increase both the operational efficiency and enhance the delivery of value for money services.
KEY FINDINGS
Positive Findings
It is acknowledged there are areas where sound controls are in place and operating consistently:
• The data processed by the application has been adequately documented in the Council’s Data Protection Register entry logged at the Information
Commissioner’s Office.
• User passwords are encrypted within the application.
• User account activity is regularly reviewed with accounts no longer required being disabled in a timely manner.
• Interface processes have been formally documented.
• Daily bank statement and automated payment data is imported and reconciled on a daily basis.
• Relevant application processing jobs are scheduled and monitored for completion.
• Change control processes are in place and operating effectively.
• Nightly backups are performed and replicated to the Fakenham Offsite location as part of the corporate backup process.
Issues to be addressed
The audit has highlighted the following areas whereby controls would benefit from being strengthened, and as a result of these findings two important
recommendations have been made.
Application Management and Governance
• Ownership and administration of the cash receipting application requires review following recent organisational changes, thus ensuring formal
Information Governance accountability for the data processed within the systems and reducing the risk of weak information governance.
Support Arrangements
• The vendor contract expires in August 2016 and there is currently no project to manage the strategy for the application going forward. Weak transition
management can increase the risk of service disruption if there is a lack of support from the current vendor.
The audit has also highlighted the following areas where one ‘needs attention’ recommendation has been made.
Application Management and Governance
• Customer Services procedures require review to ensure their continued alignment to changing processes and provide the necessary support to new
users and for absence. Inadequate procedure documentation can increase the risk of service disruption.
Operational Effectiveness Matters
The operational effectiveness matters for management to consider relate to enhancing the application’s password configuration to include at least one
special character (for example, *, %, $, £) and amending the email address to send scheduled job failure notifications to a shared, rather than an individual,
mailbox.
APPENDIX 3 – PERFORMANCE MEASURES
Area / Indicator, with Target
Audit Committee / Senior Management
1. Audit Committee Satisfaction – measured annually. Target: Adequate
2. Chief Finance Officer Satisfaction – measured quarterly. Target: Good
Internal Audit Process
3. Each quarter's audits completed to draft report within 10 working days of the end of the quarter. Target: 100%
4. Quarterly assurance reports to the Contract Manager within 15 working days of the end of each quarter. Target: 100%
5. An audit file supporting each review and showing clear evidence of quality control review shall be completed prior to the issue of the draft report (a sample of these will be subject to quality review by the Contract Manager). Target: 100%
6. Compliance with Public Sector Internal Audit Standards. Target: Full
7. Respond to the Contract Manager within 3 working days where unsatisfactory feedback has been received. Target: 100%
Clients
8. Average feedback score received from key clients (auditees). Target: Adequate
9. Percentage of recommendations accepted by management. Target: 90%
Innovations and Capabilities
10. Percentage of qualified (including experienced) staff working on the contract each quarter. Target: 60%
11. Number of training hours per member of staff completed per quarter. Target: 1 day
12. Number of high and medium priority recommendations made per quarter. Target: To decrease over the life of the contract (from year 2)
13. Number of audits which are considered to add value. Target: To increase over the life of the contract (from year 2)
APPENDIX 4 SUMMARY OF RESULTS FROM CROSS AUTHORITY REVIEW

Analysis of the number of payments made by banding
Number of payments made   Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
0-9                       3%         4%              3%              3%               3%
10 - 999                  73%        77%             74%             76%              65%
1000 - 9999               21%        16%             21%             19%              28%
10000 +                   3%         2%              3%              2%               4%
*Data does not include payments to Councils/Gov't/HMRC/refunds

Analysis of the number of payments made by type
Type of payments made     Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
BACS                      89%        87%             91%             84%              92%
Cheques                   7%         12%             0.31%           10%              7%
DD                        5%         -               8%              6%               1%
Bank Transfer             0.1%       0%              0.0%            0.0%             0.3%
Other                     0.2%       1%              0%              0%               0%

Analysis of the number of payments made for utility bills
Number of payments made   Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
Utilities Total           521        858             265             550              410
Percentage                8%         12%             3%              6%               10%

Average payment time from date of receipt of invoice
Average Time:             Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
Average Number of Days    24         22              27              22               24

Number of payments made to East Anglia postcodes
Number of payments made   Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
Number                    3466       3615            3856            4467             1926
Percentage                48%        45%             48%             53%              47%

Analysis of the value of payments made by banding
Value of payments made    Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
0-9                       0.01%      0.02%           0.01%           0.01%            0.01%
10 - 999                  13%        14%             13%             13%              10%
1000 - 9999               46%        41%             48%             42%              52%
10000 +                   41%        45%             38%             44%              38%
*Data does not include payments to Councils/Gov't/HMRC/refunds

Analysis of the value of payments made by type
Type of payments made     Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
BACS                      92%        91%             91%             88%              96%
Cheques                   4%         8%              0.15%           5%               3%
DD                        5%         -               9%              7%               0.1%
Bank Transfer             0.1%       0%              0%              0%               0.6%
Other                     0.2%       1%              0%              0%               0%

Analysis of the value of payments made for utility bills
Value of payments made    Mean (%)          North Norfolk     South Norfolk     Great Yarmouth    Breckland
Utilities Total           £ 393,787.94      £ 256,575.24      £ 342,047.67      £ 761,285.01      £ 215,243.85
Percentage                4%                3%                3%                7%                3%

Analysis of the value of payments made by transaction cards
Type of payments
made
Mean (%)
North Norfolk
Transaction Cards*
2%
* Transaction card data not listed elsewhere
South Norfolk
Great Yarmouth
1%
Breckland
1%
3%

Value of payments made to East Anglia postcodes
Value of payments made    Mean (%)          North Norfolk     South Norfolk     Great Yarmouth    Breckland
Value                     £ 4,374,443.61    £ 4,678,478.16    £ 4,804,735.30    £ 4,612,630.26    £ 3,401,930.73
Percentage                47%               54%               45%               45%               45%

Number of payments processed without a purchase order
Number of payments made   Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
Number                    2764       2553            2519            5252             731
Percentage                37%        35%             31%             62%              18%

Value of payments processed without a purchase order
Value of payments made    Mean (%)          North Norfolk     South Norfolk     Great Yarmouth    Breckland
Value                     £ 3,547,525.81    £ 2,770,157.21    £ 3,439,090.57    £ 7,166,912.92    £ 813,942.52
Percentage                32%               12%               33%               70%               11%

Number of local suppliers used
Number of local suppliers used   Mean (%)   North Norfolk   South Norfolk   Great Yarmouth   Breckland
East Anglian                     61%        60%             61%             58%              64%
Within Councils' Boundaries      33%        31%             -               -                34%
Audit Committee
15 March 2016
10
Agenda Item No_____________
Strategic and Annual Internal Audit Plans 2016/17
Summary:
This report provides an overview of the stages followed prior to the
formulation of the Strategic Internal Audit Plan for 2016/17 to 2018/19
and the Annual Internal Audit Plan for 2016/17. The Annual Internal
Audit Plan will then serve as the work programme for the Council’s
Internal Audit Services Contractor; TIAA Ltd. It will also provide the
basis for the Annual Audit Opinion on the overall adequacy and
effectiveness of North Norfolk District Council’s framework of
governance, risk management and control.
Conclusions:
The attached report provides the Council with Internal Audit Plans that
will ensure key business risks will be addressed by Internal Audit, thus
ensuring that appropriate controls are in place to mitigate such risks
and also ensure that the appropriate and proportionate level of action
is taken.
Recommendations:
It is recommended that the Committee notes and approves:
a) the Internal Audit Charter for 2016/17;
b) the Internal Audit Strategy for 2016/17;
c) the Strategic Internal Audit Plans 2016/17 to 2018/19; and
d) the Annual Internal Audit Plan 2016/17.
Cabinet member(s): All
Ward(s) affected: All
Contact Officer, telephone number, and e-mail: Emma Hodds, Internal Audit Consortium Manager,
01508 533791, ehodds@s-norfolk.gov.uk
1.
Background
1.1
The Accounts and Audit Regulations 2015 require that “a relevant authority must
undertake an effective internal audit to evaluate the effectiveness of its risk
management, control and governance processes, taking into account public sector
internal auditing standards or guidance”.
1.2
Those standards are set out in the Public Sector Internal Audit Standards (PSIAS) which
came into effect in April 2013.
2.
Overall Position
2.1
The attached report contains;
o the Internal Audit Charter which formally defines the internal audit’s purpose,
authority and responsibility, and is a mandatory document. The charter also
displays formal commitment to the definition of internal auditing, the code of
ethics and the Public Sector Internal Audit Standards;
o the Internal Audit Strategy, which is a strategic high level statement on how the
internal audit service will be delivered and developed in accordance with the
charter and how it links to the organisational objectives and priorities;
o the Strategic Internal Audit Plan, which details the plan of work for the next 3
financial years;
o the Annual Internal Audit Plan, which details the timing and the purpose of each
audit agreed for inclusion in 2016/17; and
o provides the Committee with the performance measures against which the new
contractor will be monitored.
3.
Conclusion
3.1
The attached report provides the Council with Internal Audit Plans that will ensure key
business risks will be addressed by Internal Audit, thus ensuring that appropriate
controls are in place to mitigate such risks and also ensure that the appropriate and
proportionate level of action is taken.
4.
Recommendation
4.1
It is recommended that the Committee notes and approves:
a) the Internal Audit Charter for 2016/17;
b) the Internal Audit Strategy for 2016/17;
c) the Strategic Internal Audit Plans 2016/17 to 2018/19; and
d) the Annual Internal Audit Plan 2016/17.
Appendices attached to this report:
Strategic and Annual Internal Audit Plans 2016/17
Eastern Internal Audit Services
NORTH NORFOLK DISTRICT COUNCIL
Strategic and Annual Internal Audit Plans 2016/17
Responsible Officer: Emma Hodds – Internal Audit Consortium Manager
CONTENTS
1. INTRODUCTION
2. AUDIT CHARTER
3. INTERNAL AUDIT STRATEGY
4. STRATEGIC INTERNAL AUDIT PLAN
5. ANNUAL INTERNAL AUDIT PLAN
6. PERFORMANCE MANAGEMENT
APPENDIX 1 – INTERNAL AUDIT CHARTER
APPENDIX 2 – INTERNAL AUDIT STRATEGY
APPENDIX 3 – STRATEGIC INTERNAL AUDIT PLAN
APPENDIX 4 – ANNUAL INTERNAL AUDIT PLAN
APPENDIX 5 – PERFORMANCE MEASURES
1. INTRODUCTION
1.1
The Accounts and Audit Regulations 2015 require that “a relevant authority must undertake
an effective internal audit to evaluate the effectiveness of its risk management, control and
governance processes, taking into account public sector internal auditing standards or
guidance”.
1.2
The PSIAS mandate a periodic preparation of a risk-based plan, which must incorporate or
be linked to a strategic high level statement on how the internal audit service will be
delivered and developed in accordance with the charter and how it links to the organisational
objectives and priorities, this is set out in the Internal Audit Strategy.
1.3
Risk is defined as 'the possibility of an event occurring that will have an impact on the
achievement of objectives’. Risk can be a positive and negative aspect, so as well as
managing things that could have an adverse impact (downside risk) it is also important to
look at potential benefits (upside risk).
1.4
The development of a risk-based plan takes into account the organisation's risk
management framework. The process identifies the assurance (and consulting) assignments
for a specific period, by identifying and prioritising all those areas on which objective
assurance is required. This is then also applied when carrying out individual risk based
assignments to provide assurance on part of the risk management framework, including the
mitigation of individual or groups of risks.
1.5
The following factors are also taken into account when developing the internal audit plan:
• Any declarations of interest so as to avoid conflicts of interest;
• The requirements of the use of specialists e.g. IT auditors;
• Striking the right balance over the range of reviews needing to be delivered, for
example systems and risk based reviews, specific key controls testing, value for
money and added value reviews;
• The relative risk maturity of the Council;
• Allowing contingency time to undertake ad-hoc reviews or fraud investigations as
necessary;
• The time required to carry out the audit planning process effectively as well as
regular reporting to and attendance at Audit Committee, the development of the
annual report and opinion and the Quality Assurance and Improvement Programme.
1.6
In accordance with best practice the Audit Committee should ‘review and assess the annual
internal audit work plan’.
2. AUDIT CHARTER
2.1
The Audit Charter was developed as part of the planning process in 2014/15 and
incorporated the requirements of the PSIAS. There is an obligation under the PSIAS for the
Charter to be periodically reviewed and presented. This Charter is therefore reviewed
annually by the Internal Audit Consortium Manager to confirm its ongoing validity and
completeness. In addition the Charter will be presented to the Section 151 Officer, senior
management and the Audit Committee every 2 years for review.
2.2
The Audit Charter has been reviewed by the Internal Audit Consortium Manager for the
2016/17 financial year and amendments have been made to reflect the operation of the
internal audit team, under the new contract with TIAA Ltd, which commenced on 1 April
2015, and to take on board improvements made to the service during the 2015/16 financial
year. This updated Charter is attached at Appendix 1, for review and approval by the Audit
Committee.
2.3
As part of the review of the Audit Charter the Code of Ethics is also reviewed by the
Internal Audit Consortium Manager, and it is ensured that the Internal Audit Services
contractor staff, as well as the Internal Audit Consortium Manager, adhere to it,
specifically with regard to integrity, objectivity, confidentiality and competency. Formal sign
off to acceptance of the Code of Ethics is retained by the Internal Audit Consortium
Manager.
3. INTERNAL AUDIT STRATEGY
3.1
The purpose of the Internal Audit Strategy (see Appendix 2) is to confirm:
• How internal audit services will be delivered;
• How internal audit services will be developed in accordance with the internal audit
charter;
• How internal audit services link to organisational objectives and priorities; and
• How the internal audit resource requirements have been assessed.
4. STRATEGIC INTERNAL AUDIT PLAN
4.1
The overarching objective of the Strategic Audit Plan (see Appendix 3) is to provide a
comprehensive programme of review work over the next three years, with each year
providing sufficient audit coverage to give annual opinions, which can be used to inform the
organisation’s Annual Governance Statement.
4.2
In February 2016 a report was taken to Cabinet with regards to seeking approval to establish
a wholly owned property company in the form of a company limited by shares to undertake
the development of and investment in property in order to generate a revenue and capital
return to the Council. It was resolved that the Chief Executive would prepare a business
case for the establishment of a property company for consideration by Full Council and if
approved by Full Council, to take steps to establish a wholly owned property company.
This area has therefore been recognised for future review, however the year within which
this will be looked at is yet to be determined as this is dependent on the pace of progress
with regard to the business case and the actual set up of the company.
5. ANNUAL INTERNAL AUDIT PLAN
5.1
Having developed the Strategic Audit Plan, the Annual Audit Plan is an extract of this for the
forthcoming financial year (see Appendix 4). This details the areas being reviewed by
Internal Audit, the number of days for each review, the quarter during which the audit will
take place and a brief summary / purpose of the review.
5.2
The Annual Internal Audit Plan for 2016/17 totals 189 days, encompassing:
• 11 assignments which will conclude in an audit opinion;
• a cross authority review which will compare four Councils’ operation of accounts
receivable and share best practice items on conclusion; and
• four IT audit assignments which will conclude in an audit opinion.
5.3
Audit verification work concerning audit recommendations implemented to improve the
Council’s internal control environment will also be undertaken throughout the financial year.
6. PERFORMANCE MANAGEMENT
6.1
The new Internal Audit Services contract includes a suite of key performance indicators (see
Appendix 5) against which the new contractor will be reviewed on a quarterly basis. There
are a total of 13 indicators, over 4 areas. From the first year of the contract records will be
maintained for all 13, however performance can only be recorded on 11 of these as base
line data is required for the final 2. Monitoring of these will commence in 2016/17.
6.2
There are individual requirements for performance in relation to each indicator; however
performance will be assessed on an overall basis as follows (for the first year):
• 9-11 KPIs have met target = Green Status.
• 5-8 KPIs have met target = Amber Status.
• 4 or below have met target = Red Status.
Where performance is amber or red a Performance Improvement Plan will be developed and
agreed with the contractor to ensure that appropriate action is taken.
6.3
Performance in relation to these indicators will be reported to the Committee as part of the
Progress Reports and the Annual Report and Opinion, ensuring that Members are kept up to
date on a regular basis.
APPENDIX 1 – INTERNAL AUDIT CHARTER
EASTERN INTERNAL AUDIT SERVICES
NORTH NORFOLK DISTRICT COUNCIL
INTERNAL AUDIT CHARTER FOR 2016/17
1. Introduction
1.1
The Public Sector Internal Audit Standards (PSIAS) came into effect from 1 April 2013; these
provide a consolidated approach across the public sector thus ensuring continuity, sound
corporate governance and transparency.
1.2
The Standards require all internal audit services to implement, monitor and review an
internal audit charter; this formally defines the internal audit’s purpose, authority and
responsibility, and is a mandatory document. The charter also displays formal commitment
to the definition of internal auditing, the code of ethics and the PSIAS.
1.3
The charter also:
• Establishes the position and reporting lines of internal audit;
• Provides unrestricted access;
• Sets the tone for internal audit activities;
• Defines the nature and scope of internal audit services, in particular assurance and
consultancy services; and
• Sets out the nature and scope of assurance provided to other parties.
1.4
The charter is to be periodically reviewed and presented to Senior Management and the
Board (Audit Committee) for approval. For Eastern Internal Audit Services, the charter will be
reviewed annually by the Internal Audit Consortium Manager (Chief Audit Executive) to
confirm its ongoing completeness and validity, and presented to Senior Management and
the Board every 2 years for review.
1.5
This Charter applies to all Authorities which are part of Eastern Internal Audit Services,
currently Breckland, Broadland, North Norfolk and South Norfolk District Councils, Gt
Yarmouth Borough Council and the Broads Authority. From April 2016 this will also include
South Holland District Council.
2. Purpose, Authority and Responsibility
2.1
Purpose
2.1.1
Internal auditing is defined as; “an independent, objective assurance and consulting activity
designed to add value and improve an organisation’s operations. It helps an organisation
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control and governance processes”.
2.1.2
Internal audit will provide reasonable assurance to all organisations that are part of Eastern
Internal Audit Services that necessary arrangements are in place and operating effectively,
and to identify risk exposures and areas where improvements can be made.
2.2
Authority
2.2.1
The Accounts and Audit Regulations (England) 2015 state that the relevant body must
“undertake an effective internal audit to evaluate the effectiveness of its risk management,
control and governance processes, taking into account public sector internal auditing
standards or guidance”. The statutory requirement for internal audit is recognised in the
Constitution of each Authority and the internal auditing standards in this regard are the
Public Sector Internal Audit Standards.
2.2.2
The Chartered Institute of Public Finance and Accountancy (CIPFA) Statement on the Role
of the Head of Internal Audit confirms that this person is responsible for the organisation’s
internal audit service, including drawing up the internal audit strategy and annual plan and
giving the annual audit opinion. The requirements of this statement are fully adhered to by
the Internal Audit Consortium Manager.
2.3
Responsibility
2.3.1
The responsibility for maintaining an effective internal audit to evaluate risk management,
control and governance processes lies with each Authority’s Chief Finance Officer (Section
151 Officer).
2.3.2
The Authority and its Members must be satisfied about the adequacy of the advice and
support it receives from internal audit.
2.3.3
Internal audit is provided by Eastern Internal Audit Services, with the Internal Audit
Consortium Manager responsible for ensuring the internal audit activity is undertaken in
accordance with the definition of internal auditing, the code of ethics and the standards.
2.3.4
Senior management are responsible for ensuring that internal control, risk management and
governance arrangements are sufficient to address the risks facing the Authority.
Accountability for responding to internal audit rests with senior management who either
accept and implement the recommendations, or formally reject them. Any advice that is rejected
will be formally reported.
3. Key Relationships and Position in the Organisation
3.1
The PSIAS require the terms ‘Chief Audit Executive’, ‘Board’ and ‘Senior Management’ to be
defined in the context of the governance arrangements in each public sector organisation in
order to safeguard the independence and objectivity of internal audit. The following
interpretations are applied within Eastern Internal Audit Services.
3.2
Chief Audit Executive
3.2.1
The Chief Audit Executive is the Internal Audit Consortium Manager who provides the role of
the Head of Internal Audit to all organisations part of the Eastern Internal Audit Services. The
delivery of the annual internal audit plan, and any ad-hoc assignments is provided by an
external contractor; TIAA Ltd since 1 April 2015.
3.2.2
The Internal Audit Consortium Manager reports functionally to the Board and administratively
to the Director of Business Development at South Norfolk Council. In addition the Internal
Audit Consortium Manager also reports administratively to the Section 151 Officer at each
organisation.
3.2.3
The Internal Audit Consortium Manager also has a direct line of reporting and unfettered
access to the Chief Executive, the Senior Management Team at each Authority and the
Chair of the Audit Committee.
3.3
Board
3.3.1
The ‘Board’ is the governance group charged with independent assurance on the adequacy
of the risk management framework, the internal control environment and the integrity of the
financial reporting. At North Norfolk District Council this is the Audit Committee, whose
responsibilities are discharged through the Constitution and explicitly referred to in the terms
of reference.
3.3.2
This functional reporting includes:
• Approving the audit charter, audit strategy and annual plans;
• Receiving regular reports on the outcomes of internal audit activity and performance;
• Receiving regular reports on management action in relation to agreed internal audit
recommendations;
• Receiving the Annual Report and Opinion of the Internal Audit Consortium Manager,
alongside a conclusion as to the effectiveness of internal audit;
3.3.3
In addition the Audit Committee also; assesses its own effectiveness on an annual basis to
ensure it meets best practice, receives reports in relation to relevant Policy / Strategy
updates i.e. Fraud and will, in the future, receive and oversee the results of external
assessments of internal audit.
3.4
Senior Management
3.4.1
‘Senior Management’ is those responsible for the leadership and direction of the
organisation, and are responsible for specific aspects of internal control, risk management
and governance arrangements. There is effective liaison between internal audit and senior
management to ensure that independence remains, and provides for a critical challenge.
3.4.2
The Internal Audit Consortium Manager meets regularly with the Section 151 Officer, both
formally and informally, to ensure organisational awareness is maintained and that good
working relationships are in place. The formal arrangements facilitate discussion in relation
to the delivery of the current internal audit plan to ensure it remains on track and is
responsive to changes and emerging risks. The meeting also highlights any areas which
require immediate attention, that are not in the current annual plan, and also areas for future
consideration.
3.4.3
In addition the Internal Audit Consortium Manager meets with officers of the senior
management team through the annual audit planning process to enable a risk based internal
audit plan. These relationships are maintained throughout the year to ensure awareness of
developments within service areas, to keep up to date, and to ensure internal audit
involvement where necessary. These are key relationships to the effective delivery of
internal audit and to ensure a value-added service is provided.
3.5
Other key relationships
3.5.1
There are other key relationships that are maintained which are important to the effective
and efficient delivery of internal audit.
3.5.2
Regular liaison is maintained with External Audit to consult on audit plans, and to discuss
matters of mutual interest. The external auditors have the opportunity to take account of the
work of internal audit where appropriate.
3.5.3
Where appropriate internal audit will liaise with other internal audit providers, where shared
arrangements exist. In such cases, a dialogue will be opened with the Chief Audit Executive
to agree a way forward regarding the auditing of such shared services. This is to ensure an
efficient and effective approach, and enable reliance on each other’s outcomes. Where
formal arrangements are entered into a protocol will be determined and agreed by both Chief
Audit Executives.
3.5.4
Internal audit will also co-operate with all external review and inspection bodies that are
authorised to access and evaluate the activities of the Authority, to determine compliance
with regulations and standards. Assurances arising from this work will be taken into account
where applicable.
4. Rights of Access
4.1
Internal audit, with strict accountability for confidentiality and safeguarding records and
information, is authorised to have the right of access to all records, assets, personnel and
premises and has authority to obtain such information and explanations as it considers
necessary to fulfil its responsibilities. This access is full, free and unrestricted and is set out
in each Authority’s Constitution.
4.2
Such access shall be granted on demand and shall not be subject to prior notice, although in
principle, the provision of prior notice will be given wherever possible and appropriate,
unless circumstances dictate otherwise.
5. Objective and Scope
5.1
Assurance services is the primary role of internal audit services, which primarily feeds into
the annual audit opinion on the adequacy and effectiveness of the Authority’s framework of
governance, risk management and control, together with reasons if the opinion is
unfavourable. This opinion covers the entire control environment of the Authority and not just
the financial controls.
5.2
Internal audit also provides consultancy services, where required, which is advisory in nature
and generally performed to facilitate improved governance, risk management and control.
5.3
It is management’s responsibility to manage the risk of fraud and corruption; however
internal audit will be alert to such risks in all the work that is undertaken. In addition the
Internal Audit Consortium is consulted on related policy / strategy, for example the
Whistleblowing Policy.
5.4
Through the contract in place with TIAA Ltd there are other services that can be provided,
these include: fraud investigations, grant certification and digital forensics.
5.5
Whichever role / remit is carried out by internal audit, the scope is to be determined by
internal audit through discussion with senior management; however, this scope will not be
unduly biased nor shall it be restricted.
6. Independence, Objectivity and Due Professional Care
6.1
Internal audit must be sufficiently independent of the activities that are audited to enable an
impartial, unbiased and effective professional judgement. Internal auditors must maintain an
unbiased attitude that allows work to be performed in such a manner that no quality
compromises are made. To this end all internal auditors working within Eastern Internal
Audit Services annually review and sign up to the Code of Ethics, which sets out the
minimum standards for performance and conduct. The four core principles are integrity,
objectivity, confidentiality and competency.
6.2
Internal auditors have no operational responsibility or authority over any of the activities
which they are required to review. In addition, internal auditors will not review operations for
which they were previously responsible in the preceding 12 months. Internal auditors may
provide consulting services relating to such operations.
6.3
If independence or objectivity is impaired, or appears to be, the details of the impairment will
be disclosed to the Internal Audit Consortium Manager and / or senior management. The
nature of the disclosure will depend upon the impairment.
6.4
Internal auditors will perform work with due professional care, competence and diligence.
Internal auditors cannot be expected to identify every control weakness or irregularity but
their work is designed to enable them to provide reasonable assurance regarding the
controls examined.
7. Resourcing
7.1
The Internal Audit Consortium Manager will be professionally qualified (CMIIA, CCAB or
equivalent) and have a wide range of internal audit management experience to enable them
to deliver the responsibilities that arise from the need to liaise internally and externally with
councillors, senior management, officers and other professionals.
7.2
The Internal Audit Consortium Manager, through the contract with the external provider, shall
ensure access to a team of staff who have the appropriate range of knowledge, skills,
qualification and experience to deliver the audit service. The types of reviews are referred to
in section 5 of the charter.
8. Audit Planning
8.1
The Internal Audit Consortium Manager develops a strategy, alongside a strategic and
annual internal audit plan, using a risk based approach.
8.2
The Internal Audit Strategy is a high level statement of; how the internal audit service will be
delivered; how internal audit services will be developed in accordance with the internal audit
charter; how internal audit services links to the organisational objectives and priorities; and
how the internal audit resource requirements have been assessed. The purpose of the
strategy is to provide a clear direction for internal audit services and to create a link between
the Charter, the strategic plan and the annual plan.
8.3
On an annual basis the internal audit plan of work, developed as per the Internal Audit
Strategy, is submitted to senior management and the Audit Committee for approval. The
Internal Audit Consortium Manager is responsible for the delivery of the internal audit plan,
which will be kept under regular review and reported through to the Committee.
9. Audit Reporting
9.1
As mentioned at section 8 the resultant internal audit plans will be received on an annual
basis for approval by both senior management and the Audit Committee.
9.2
On conclusion of each assurance review a draft audit report will be provided to management
that:
• Provides an assurance opinion on the systems and controls in place as to whether
these are operating adequately, effectively and efficiently. These reports contribute to
the annual report and opinion on the overall adequacy and effectiveness of the
Authority’s framework of governance, risk management and control.
• Provides a formal report of points arising from the review and management
responses to the issues raised, this includes; acceptance (or not) of the
recommendation, with responsibility and timescales for implementation.
• Provides Operational Efficiency Matters (as appropriate) which sets out matters
identified during the assignment where there may be opportunities for service
enhancements to be made to increase both the operational efficiency and enhance
the delivery of value for money services.
On receipt of responses from management the report can then be finalised, post review by
the Internal Audit Consortium Manager.
9.3
As mentioned in 9.2, management can choose not to accept / implement the
recommendations raised by internal audit. In all such instances this will be reported through
to the Audit Committee, especially in instances whereby there are no compensating controls
justifying the course of action.
9.4
The Executive Summary of all final reports is reported through periodically to the Audit
Committee as part of the progress reports. The PSIAS require this to report on the
performance of internal audit relative to its plan, including any significant risk exposures and
control issues. To comply, this report includes: any significant changes to the approved Audit
Plan; progress made in delivering the agreed audits for the year; any significant outcomes
arising from those audits; and performance indicator outcomes to date.
9.5
Where management agree to recommendations resulting in an action plan, these are
regularly followed up to assess progress on implementation. The internal audit contractor
undertakes verification work on closed recommendations, and also receives responses from
management in relation to progress made, the results of which are reported periodically to
the Audit Committee as part of the follow up reports.
9.6
On conclusion of the annual internal audit plan for the financial year the Internal Audit
Consortium Manager provides an annual report and opinion to senior management and the
Audit Committee.
9.7
The annual report and opinion provides:
• The opinion on the overall adequacy and effectiveness of the Authority’s framework
of governance, risk management and control during the financial year, together with
reasons if the opinion is unfavourable;
• A summary of the internal audit work carried out, from which the opinion is derived, the
follow up of management action taken to ensure implementation of agreed action as
at financial year end and any reliance placed upon third party assurances;
• Any issues that are deemed particularly relevant to the Annual Governance
Statement (AGS); and
• The Annual Review of the Effectiveness of Internal Audit, which includes; the level of
compliance with the PSIAS and the results of any quality assurance and
improvement programme, the outcomes of the performance indicators and the
degree of compliance with CIPFA’s Statement on the Role of the Head of Internal
Audit.
10. Quality Assurance and Improvement Programme
10.1
The PSIAS require a quality assurance and improvement programme to be developed that
covers all aspects of internal audit; including both internal and external assessments.
10.2
If an improvement plan is required as a result of the internal and / or the external
assessment, in order to further develop the existing service provisions, the Internal Audit
Consortium Manager will coordinate appropriate action and report against this.
10.3
On an annual basis the quality assurance and improvement programme, and any resulting
improvement plan will be reported to senior management and the Audit Committee, as part
of the annual report and opinion.
10.4
Internal Assessment
10.4.1 Internal assessment includes the ongoing monitoring of the performance of the contractor
through the performance measures which form a key part of the contract and through the
quality review of all completed audits, both of which are undertaken by the Internal Audit
Consortium Manager.
10.4.2 On conclusion of audit reviews a feedback form is provided to the key client on the audit
process; the outcomes of which are reviewed to look to improve the service and any criticism
received is investigated immediately and action taken with the contractor to resolve the issue.
10.4.3 The PSIAS also require periodic self-assessment in relation to the effectiveness of internal
audit, the detail and outcomes of which are then forwarded to the Section 151 Officer for
their independent scrutiny, before the summary of which is provided to the Audit Committee
as part of the annual report and opinion. This information enables the Audit Committee to be
assured that the internal audit service is operating in accordance with best practice.
10.5
External Assessment
10.5.1 External assessments must be conducted at least once every five years by a qualified,
independent assessor or assessment team from outside the Authority. This can be in the
form of a full external quality assessment that involves interviews with relevant stakeholders,
supported by examination of the internal audit approach and methodology leading to the
completion of an independent report, or a validated self-assessment, which the Internal Audit
Consortium Manager compiles against the PSIAS assessment tool, which is then validated
by an external assessor / team.
10.5.2 An external assessment will:
• Provide an assessment on the internal audit function’s conformance to the PSIAS;
• Assess the performance of the internal audit activity in light of its charters, the
expectations of the various boards and executive management;
• Identify opportunities and offer ideas and counsel for improving the performance of
the internal audit activity, raising the value that internal audit provides to the
organisation; and
• Benchmark the activities of the internal audit function against best practice.
10.5.3 The Internal Audit Consortium Manager will agree with the Section 151 Officer and the Audit
Committee the approach to be taken and the qualifications and independence of the external
assessor / team, including any potential conflict of interest.
APPENDIX 2 – INTERNAL AUDIT STRATEGY
EASTERN INTERNAL AUDIT SERVICES
NORTH NORFOLK DISTRICT COUNCIL
INTERNAL AUDIT STRATEGY FOR 2016/17
1.
Introduction
1.1
The Internal Audit Strategy is a high level statement of:
• how the internal audit service will be delivered;
• how internal audit services will be developed in accordance with the internal audit
charter;
• how internal audit services links to the organisational objectives and priorities; and
• how the internal audit resource requirements have been assessed.
The provision of such a strategy is set out in the Public Sector Internal Audit Standards
(PSIAS).
1.2
The purpose of the strategy is to provide a clear direction for internal audit services and
to create a link between the Charter, the strategic plan and the annual plan.
2.
How the internal audit service will be delivered
2.1
The Role of the Head of Internal Audit and contract management is provided by South
Norfolk Council (the Internal Audit Consortium Manager) to Breckland, Broadland, North
Norfolk, and South Norfolk District Councils, Great Yarmouth Borough Council and The
Broads Authority, and from 1 April 2016 South Holland District Council. All Authorities are
bound by a Partnership Agreement.
2.2
The delivery of the internal audit plans for each Authority is provided by an external audit
contractor, who reports directly to the Internal Audit Consortium Manager. The current
contract is with TIAA Ltd, and commenced on 1 April 2015, for an initial period of 5 years.
3.
How internal audit services will be developed in accordance with the internal audit
charter
3.1
Internal Audit objective and outcomes
3.1.1
Internal audit is an independent, objective assurance and consulting activity designed to add
value and improve the Authority’s operations. It helps the Authority accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control and governance processes.
3.1.2
The outcomes of the internal audit service are detailed in the Internal Audit Charter and can
be summarised as; delivering a risk based audit plan in a professional, independent manner,
to provide the Authority with an opinion on the level of assurance it can place upon the
internal control environment, systems of risk management and corporate governance
arrangements, and to make recommendations to improve these provisions, where further
development would be beneficial.
3.1.3
The reporting of the outcomes from internal audit is through direct reports to senior
management in respect of the areas reviewed under their remit, in the form of an audit
report. The Audit Committee and the Section 151 Officer also receive:
• The Audit Plans Report, which is risk based and forms the next financial year’s plan
of work;
• The Progress Reports which provide summaries of the work achieved throughout the
year and the individual opinions awarded on conclusion of reviews;
• The Follow Up Reports which detail the level of management action taken in respect
of agreed internal audit recommendations; and
• The Annual Report and Opinion on the overall adequacy and effectiveness of the
Authority’s framework of governance, risk management and control.
3.2
Internal Audit Planning
3.2.1
A risk-based internal audit plan (RBIA) is established in consultation with senior
management that identifies where assurance and consultancy is required.
3.2.2
The audit plan establishes a link between the proposed audit areas and the priorities and
risks of the Authority taking into account:
• Stakeholder expectations, and feedback from senior and operational managers;
• Objectives set in the strategic plan and business plans;
• Risk maturity in the organisation to provide an indication of the reliability of risk
registers;
• Management’s identification and response to risk, including risk mitigation strategies
and levels of residual risk;
• Legal and regulatory requirements;
• The audit universe – all the audits that could be performed; and
• Previous IA plans and the results of audit engagements.
3.2.3
In order to ensure that the internal audit service adds value to the Authority, assurance
should be provided that major business risks are being managed appropriately, along with
providing assurance over the system of internal control, risk management and governance
processes.
3.2.4
Risk based internal audit planning starts with the Authority’s Corporate Plan, linking through
to the priority areas and the related high level objectives. The focus is then on the risks, and
opportunities, that may hinder, or help, the achievement of the objectives. The approach also
focuses on the upcoming projects and developments for the Authority.
3.2.5
The approach ensures: better and earlier identification of risks and increased ability to
control them; greater coherence with the Authority’s priorities; an opportunity to engage with
stakeholders; that the Committee and Senior Management better understand how the internal
audit service helps to accomplish its objectives; and that best practice is
followed.
3.2.6
The key distinction with establishing plans derived from a risk based internal audit approach
is that the focus should be to understand and analyse management’s assessment of risk and
to base audit plans and efforts around that process.
3.2.7
Consultation with the Section 151 Officer and senior managers takes place through specific
meetings during which current and future developments, changes, risks and areas of
concerns are discussed and the plan amended accordingly to take these into account.
3.2.8
The outcome of this populates a strategic internal audit plan, and the resulting annual
internal audit plan, which are discussed with and approved by the Corporate Leadership
Team prior to these being brought to the Audit Committee. In addition External Audit is also
provided with early sight of the plans.
3.3
Internal Audit Annual Opinion
3.3.1
The annual opinion provides senior management and the Audit Committee with an
assessment of the overall adequacy and effectiveness of the Authority’s framework of
governance, risk management and control.
3.3.2
The opinion is based upon:
• The summary of the internal audit work carried out;
• The follow up of management action taken to ensure implementation of agreed
action as at financial year end;
• Any reliance placed upon third party assurances;
• Any issues that are deemed particularly relevant to the Annual Governance
Statement (AGS);
• The Annual Review of the Effectiveness of Internal Audit, which includes; the level of
compliance with the PSIAS and the results of any quality assurance and
improvement programme, the outcomes of the performance indicators and the
degree of compliance with CIPFA’s Statement on the Role of the Head of Internal
Audit.
3.3.3
In order to achieve the above, internal audit operates within the PSIAS and uses a risk based
approach to audit planning and to each audit assignment undertaken. The control
environment for each audit area reviewed is assessed for the adequacy and effectiveness of
its controls and an assurance rating is applied.
4.
How internal audit services links to the organisational objectives and priorities
4.1
In addition to the approach taken as outlined in section 3.2 (Internal Audit Planning), which
ensures that the service links to the organisation’s objectives and priorities and thereby
through the risk based approach adds value, internal audit also ensures an awareness is
maintained of local and national issues and risks.
4.2
The annual audit planning process ensures that new or emerging risks are identified and
considered at a local level. This strategy ensures that the planning process is all
encompassing and reviews the records held by the Authority in respect of risks and issue
logs and registers, reports that are taken through the Authority Committee meetings, and
through extensive discussions with senior management.
4.3
Awareness of national issues is maintained through the contract in place with the external
internal audit provider, through regular “horizon scanning” updates and, annually, a particular
focus on issues to be considered during the planning process. Membership and
subscription to professional bodies such as the Institute of Internal Auditors and the CIPFA
on-line query service, liaison with External Audit, and networking with colleagues through the
Norfolk Chief Internal Auditors Group, all help to ensure developments are noted and
incorporated where appropriate.
5.
How internal audit resource requirements have been assessed
5.1
Through utilising an external audit contractor the risk based internal audit plan can be
developed without having to take into account the existing resources, as you would with an
in-house team, thus ensuring that audit coverage for the year is appropriate to the
Authority’s needs and not tied to a particular resource.
5.2
That said a core team of staff is provided to deliver the audit plan, and these staff bring with
them considerable public sector knowledge and experience. These core staff can be
supplemented with additional staff should the audit plan require it, and in addition specialists,
e.g. computer auditors, contract auditors, fraud specialists, can be drafted in to assist in
completing the internal audit plan and focusing on particular areas of specialism.
5.3
All audit professionals are encouraged to continually develop their skills and knowledge
through various training routes; formal courses of study, in-house training, seminars and
webinars. As part of the contract with TIAA Ltd the contractor needs to ensure that each
member of staff completes a day’s training per quarter.
APPENDIX 3 – STRATEGIC INTERNAL AUDIT PLAN
Audit Area
Annual Opinion audits
Corporate Governance (Information Governance 2016/17)
Risk Management
Key Controls and Assurance
Fundamental Financial Systems
Accountancy Services includes control accounts, banking,
bank reconciliation, asset management / capital
expenditure, budgetary control and treasury management
Accounts Payable (insurance)
Accounts Receivable
Remittances
Council Tax and National Non-Domestic Rates
Local Council Tax Support and Housing Benefits
Payroll and Human Resources includes member and officer
expenses
Cross Authority Review - Accounts Receivable
Service audits
Head of Finance
Procurement
Housing Company
Head of Economic and Community Development
Economic Growth
Coastal Management
Housing Strategy and Affordable Housing, including
housing enabling and empty properties
Private Sector Housing includes DFGs and discretionary
grants
Head of Business Transformation and IT
Homelessness and Housing Options
Last review & assurance Associated Risk
2015/16 - Reasonable
2014/15 - Reasonable
High
High
High
2015/16 - review due
High
2014/15 - Reasonable
2015/16 - review due
2015/16 - Substantial
2014/15 - Substantial
2014/15 - Reasonable
2014/15 - Reasonable
High
High
High
High
High
High
Specific review
2016/17
2017/18
8
10
6
6
15
12
12
10
7
20
20
17
20
20
17
6
Medium
TBC
10
2013/14 - Reasonable
2014/15 - Reasonable
2015/16 - Reasonable
Medium
Medium
Medium
10
4
2013/14 - Reasonable
Medium
2015/16 - Reasonable
Medium
10
16
2014/15 - Reasonable
New future area
2018/19
10
10
10
Audit Area
Head of Assets and Leisure
Sports Halls
Leisure and Pier Pavilion
Property Services
Car Parking
Markets
Parks and Open Spaces and Woodland Management
Head of Organisational Development
Elections and Electoral Registration
Performance Management, Corporate Policy and Business
Planning (includes action plans)
Democratic Services
Head of Environmental Health
Waste Management including contract / agreement
monitoring, income collection & monitoring, refuse
collection, street cleansing, recycling, clinical waste,
abandoned vehicles and grounds maintenance
Environmental Health includes emergency planning, food
safety, environmental protection, pest control, dog warden,
licensing and pollution control
Head of Planning
Development Management includes planning applications,
planning enforcement, s106 agreements, CIL, Land
Charges and Building Control
ICT Audits - Head of Business Transformation and IT
Social Media
e-financials application
SharePoint
IT hardware Asset Disposal
Audits to be confirmed
Follow Up of audit recommendations
All agreed internal audit recommendations
Total number of days
Last review & assurance Associated Risk
2014/15 - Reasonable
2014/15 - Reasonable
2012/13 - Reasonable
2015/16 - Substantial
2013/14 - Reasonable
2015/16 - Reasonable
Medium
Medium
Medium
High
Medium
Medium
2014/15 - Substantial
2014/15 - Substantial
Medium
Medium
New audit area
Low
2014/15 - Reasonable
High
2013/14 - Reasonable
Medium
2014/15 - Reasonable
Medium
New area
2008/09 - Reasonable
Management request
Management request
High
Medium
High
Medium
2016/17
2018/19
12
10
12
10
6
10
12
8
8
17
18
22
7
10
10
3
12
189
2017/18
30
30
12
201
12
167
APPENDIX 4 – ANNUAL INTERNAL AUDIT PLAN
Audit Area
No of days
Q1
Q2
Q3
Q4
Annual Opinion audits
Corporate Governance
8
8
Key Controls and Assurance
10
10
Fundamental Financial Systems
Accounts Payable
12
12
Scope will include; Policy, Procedure and Systems, Ordering, Creditors,
and Insurances.
The key areas within this service will be risk assessed and appropriate
attention given to those areas, along with a review of the key controls.
Potential areas include; valuation & billing records, billing, collection of
income, suspense accounts, reconciliations, refunds & transfers, discounts,
exemptions & reliefs, arrears recovery and write offs.
The key areas within this service will be risk assessed and appropriate
attention given to those areas, along with a review of the key controls.
Potential areas include; receipt & assessment of applications, payments,
overpayments, arrears, write offs, backdated claims, discretionary
payments, appeals and reconciliations.
This regular review will focus on legislative requirements, starters & leavers,
changes to payroll records, financial records, payroll processing and
sickness absence. In addition the review will also focus on online expenses,
currently being piloted and being rolled out in 2016/17.
New initiative, trialled in 2015/16 in accounts payable - positive outcomes
achieved and agreed to undertake in this area in 2016/17.
Council Tax and National Non-Domestic Rates
20
10
10
Local Council Tax Support and
Housing Benefits
20
10
10
Payroll and Human Resources
includes member and officer
expenses
17
17
Cross Authority Review - Accounts Receivable
6
TBC
Notes
This area requires a review in relation to the role of the Senior Information
Risk Officer, the administrative role in relation to Data Protection and
Freedom of Information, the risk approach and the operational effectiveness
of the area.
Annual review of key controls that feed into the Statement of Accounts for
those systems not subject to an audit review within the year. This will cover;
general ledger maintenance, control accounts, asset register, treasury
management, budgetary control, accounts receivable, income and the
assurance framework.
6
Service audits
Head of Economic and Community Development
Private Sector Housing includes
10
DFGs and discretionary grants
10
There are a number of potential changes that might impact on the service
and how it is delivered, the service is currently awaiting confirmation of
capital funding for the next financial year for DFG and revenue funding for
the Home Improvement Agency which is a key part of the service. The
service are also moving forward with implementing a Competency
Framework which increases assessment capacity and streamlines the
work of the team. County is looking to implement a prevention assessment
in April which will further streamline the service and reduce the amount of
time spent on assessment and it would be good to evaluate the impact of
this as part of the audit.
Head of Assets and Leisure
Property Services
12
12
The team are currently procuring a Strategic Property Partner with a view to
this being in place from April 2016, this, along with the restructure within the
team will enable projects to be progressed. This audit will review these projects
and also the general management of the Council's property and assets.
Markets
6
6
This audit will review Sheringham and Cromer Markets, with particular focus
on trading terms and licences and income collection.
Head of Organisational Development
Democratic Services
8
Head of Environmental Health
Environmental Health includes
emergency planning, food safety,
environmental protection, pest
control, dog warden, licensing and
pollution control
18
8
The audit will focus on members' expenses (online) & allowances, and also
review the training provided to members to fulfil their role following the
elections in May 2015. In addition the outcomes from the Members
Development Group will also be assessed.
18
The service is currently in the early stages of a procurement exercise for IT
platform utilised by the team. In addition the service have recently gone
paperless and are hoping to undertake a business process re-engineering
exercise. Once this is all complete it would be beneficial to review the
service to ensure enhancements have been realised.
ICT Audits
7
Social Media
7
10
e-financials application
10
10
SharePoint
Social media is becoming an increasingly critical tool for the Council to communicate
with its customers and has not been reviewed to date. As there have not been any
identified operational weaknesses in this area, the audit has been placed within the
16/17 year.
The e-financials application is critical to the smooth operation of the Council's
finances and was last reviewed in 2008/09 having received Adequate Assurance at
that time. As it has been seven years since the last review, it has been placed within
the 16/17 plan.
The Council has implemented SharePoint and has asked for assurance and advice
around the management infrastructure of the implementation. The review will be
conducted in conjunction with a wider Corporate Information Governance audit scope.
10
3
IT hardware Asset Disposal
3
Follow Up of audit recommendations
All agreed internal audit
12
recommendations
Total number of days
189
The Council has asked for assurance over its existing IT Hardware disposal
processes and procedures. The audit will be a focussed review of this area in
isolation.
3
3
3
3
21
24
71
73
Bi-monthly follow up of agreed recommendations and evidence of closure verified.
APPENDIX 5 – PERFORMANCE MEASURES
Area / Indicator, with Target
Audit Committee / Senior Management
1. Audit Committee Satisfaction – measured annually. Target: Adequate
2. Chief Finance Officer Satisfaction – measured quarterly. Target: Good
Internal Audit Process
3. Each quarter's audits completed to draft report within 10 working days of the end
of the quarter. Target: 100%
4. Quarterly assurance reports to the Contract Manager within 15 working days
of the end of each quarter. Target: 100%
5. An audit file supporting each review and showing clear evidence of quality control
review shall be completed prior to the issue of the draft report (a sample of
these will be subject to quality review by the Contract Manager). Target: 100%
6. Compliance with Public Sector Internal Audit Standards. Target: Full
7. Respond to the Contract Manager within 3 working days where unsatisfactory
feedback has been received. Target: 100%
Clients
8. Average feedback score received from key clients (auditees). Target: Adequate
9. Percentage of recommendations accepted by management. Target: 90%
Innovations and Capabilities
10. Percentage of qualified (including experienced) staff working on the
contract each quarter. Target: 60%
11. Number of training hours per member of staff completed per quarter. Target: 1 day
12. Number of high and medium priority recommendations made per quarter.
Target: To decrease over the life of the contract (from year 2)
13. Number of audits which are considered to add value.
Target: To increase over the life of the contract (from year 2)
Audit Committee
15 March 2016
Agenda Item No 11
Audit Committee Self-Assessment
Summary:
The Chartered Institute for Public Finance and Accountancy
(CIPFA) “Toolkit for Local Authority Audit Committees” identifies
that it is good practice for Audit Committees to complete a
regular self-assessment exercise against the checklist of
operational requirements, to be satisfied that the Committee is
performing effectively.
The Audit Committee has been regularly undertaking self-assessments
and the CIPFA Audit Committee Self-Assessment
Checklist is attached to this report for Members to discuss and
finalise.
Conclusions:
Undertaking a review of its performance against best practice
has ensured that the Committee has properly assessed the way
in which it discharges its duties.
Recommendations:
That Members note the attached checklist at Appendix 1 to this
report, complete the areas whereby further Member clarification
is required and either (a) confirm that full compliance has been
recognised in relation to each of the 6 key areas subject to
scrutiny or (b) note action required to ensure full compliance.
Cabinet member(s): All
Ward(s) affected: All
Contact Officer, telephone number, and e-mail:
Emma Hodds, Internal Audit Consortium Manager
01508 533791, ehodds@s-norfolk.gov.uk
1.
Background
1.1.
The Chartered Institute for Public Finance and Accountancy (CIPFA) “Toolkit for
Local Authority Audit Committees” identifies that it is good practice for Audit
Committees to complete a regular self-assessment exercise against the checklist
of operational requirements, to be satisfied that the Committee is performing
effectively.
1.2.
In addition the Public Sector Internal Audit Standards also call for the Audit
Committee to assess their remit and effectiveness, in relation to Purpose,
Authority and Responsibility, in order to facilitate the work of this Committee.
1.3.
The Audit Committee annually carries out the self-assessment exercise and
takes action where necessary to ensure full compliance with best practice, with
the last review undertaken in June 2014.
1.4.
The self-assessment was due to be undertaken in June 2015, however as the
Audit Committee had a number of new members it was agreed to postpone this
to March 2016, to allow a full cycle of meetings to have taken place.
1.5.
The self-assessment was shared with members prior to this meeting and updates
have been provided by some of the members. There are 66 individual aspects of
operations, across the following 6 headings that the Audit Committee is assessed
upon:
• Establishment, Operations and Duties;
• Internal Control;
• Financial Reporting and Regulatory Matters;
• Internal Audit;
• External Audit; and
• Administration.
2.
Issues for discussion
2.1.
Three of the Audit Committee members have completed responses on the self-assessment checklist, attached at Appendix 1 to this report. The factual
responses were confirmed by the Internal Audit Consortium Manager, and the
member responses, i.e. their interpretation, are highlighted in bold in the
appendix.
2.2.
Of the responses received it is apparent there are areas whereby clarification is
sought by members or that requests have been raised for consideration. The
areas for further discussion at the meeting are as follows:
Member Induction and training
Annual “top up” training has been requested, for example in the form of
eLearning (1.12).
Attendance of meetings by members needs to be discussed at the March
meeting, however it is noted that a quorum is always met (1.19).
Internal Control
In this section, four questions were posed that need to be discussed at the
March Committee meeting.
Does the audit committee consider how meaningful the Annual Governance
Statement is (2.3)?
Has the audit committee (with delegated authority) or the full council adopted
“Managing the Risk of Fraud – Action to Counter Fraud and Corruption” (2.6)?
Does the audit committee ensure that the “Actions to Counter Fraud and
Corruption” are being implemented (2.7)?
Does the audit committee monitor how the authority assesses its risk (2.11)?
Financial Reporting and Regulatory Matters
Responses indicate that the committee has a role in reviewing the accounts, but
has requested further discussion in relation to annual review of accounting
policies (3.5).
Clarification has been requested in relation to the audit committee gaining an
understanding of management’s procedures for preparing the annual accounts
(3.6).
Internal Audit and External Audit
Responses have indicated that members wish to discuss further periodic private
discussions with the Head of Internal Audit and the External Auditors (4.5 and
5.2).
Administration
Earlier circulation of agenda papers and minutes has been noted as being
beneficial (6.2 and 6.7).
2.3.
At the meeting in March the above points need to be discussed and if appropriate
a plan of action determined to ensure full compliance with the checklist.
3.
Conclusion
3.1
Undertaking a review of its performance against best practice will ensure that the
Committee has properly assessed the way in which it discharges its duties. This
review has highlighted that the Committee effectively discharges its duties in
relation to best practice.
4.
Recommendation
4.1
That Members note the attached checklist at Appendix 1 to this report, complete
the areas whereby further Member clarification is required and either (a) confirm
that full compliance has been recognised in relation to each of the 6 key areas
subject to scrutiny or (b) note action required to ensure full compliance.
Attachment
Appendix 1 – Self Assessment Checklist
Appendix A
North Norfolk District Council - Audit Committee Self Assessment Checklist
No.
Priority
Issue
1. ESTABLISHMENT, OPERATION AND DUTIES
Yes
No
√
√
N/A
Comments
Role and Remit
1.1
1
Does the audit committee have written terms of reference?
√
Well established terms of reference are in place.
1.2
1
√
Developed in line with best practice.
1.3
1
√
Terms of Reference are revisited when the Constitution is reviewed/updated.
1.4
1
√
The Chair has indicated that the Committee is politically balanced and members can
independently seek support from NNDC officers.
1.5
1
1.6
1
1.7
2
1.8
2
Do the terms of reference cover the core functions of an
audit committee as identified in the CIPFA guidance?
Are the terms of reference approved by the council and
reviewed periodically?
Has the audit committee been provided with sufficient
membership, authority and resources to perform its role
effectively and independently?
Can the audit committee access other committees and full
council as necessary?
Does the authority's Annual Governance Statement include
a description of the audit committee's establishment and
activities?
Does the audit committee periodically assess its own
effectiveness?
Does the audit committee make a formal annual report on
its work and performance during the year to full council?
√
√
This is covered in the Annual Governance Statement included with the Statement of
Accounts.
√
This is done on an annual basis and is part of the work programme for the Committee.
√
The Committee had previously decided not to take a formal report through to Full Council, as
they receive the minutes from each Audit Committee meeting, thus summarising the work
and performance undertaken throughout the year. The process here has slightly changed
whereby Full Council are now made aware that such minutes exist and are asked to note
these, members are then able to review the minutes in full if they wish.
Membership, Induction and training
1.9
1
1.10
1.11
1
1
1.12
1
Has the membership of the audit committee been formally
agreed and a quorum set?
Is the chair independent of the executive function?
Has the audit committee chair either previous knowledge
of, or received appropriate training on, financial and risk
management, accounting concepts and standards, and the
regulatory regime?
Are new audit committee members provided with an
appropriate induction?
√
Quorum set as part of the terms of reference.
√
√
The Chairman has confirmed that he is not a member of Cabinet.
The Chairman has confirmed that he has professional experience of risk, finance and
accounting.
√
An audit training session was provided for both new and existing members.
The Chairman has indicated he would like to see an annual "top up" training on a
regular basis i.e. eLearning.
1.13
1
Have all members' skills and experiences been assessed
and training given for identified gaps?
√
1.14
1
Has each member declared his or her business interests?
√
1.15
2
Are members sufficiently independent of the other key
committees of the council?
√
Some members serve in other Committees e.g. Development Management Committee
but that does not lead to conflicts of interest and no Audit Committee member serves
on Overview and Scrutiny Committee.
Meetings
1.16
1.17
1
1
√
√
Yes meetings are held 4 times a year.
Yes quarterly
1.18
1
√
A work programme of future meetings is a standing agenda item.
1.19
1
1.20
1
√
Responses received indicate that we need to review attendance at the fourth meeting
in 2015/16. However quorate has always been met.
Committee is politically balanced.
1.21
1
√
Yes the Section 151 Officer attends all meetings of the Committee
1.22
1
Does the audit committee meet regularly?
Do the terms of reference set out the frequency of
meetings?
Does the audit committee calendar meet the authority's
business needs, governance needs and the financial
calendar?
Are members attending meetings on a regular basis and if
not, is appropriate action taken?
Are meetings free and open without political influences
being displayed?
Does the authority's S151 officer or deputy attend all
meetings?
Does the audit committee have the benefit of attendance of
appropriate officers at its meetings?
√
Report authors attend Audit Committee to present their reports.
Confirmed as addressed as part of induction training.
Does the audit committee consider the findings of the
annual review of the effectiveness of the system of internal
control (as required by the Accounts and Audit
Regulations) including the review of the effectiveness of
the system of internal audit?
Does the audit committee have responsibility for review
and approval of the Annual Governance Statement and
does it consider it separately from the accounts?
Does the audit committee consider how meaningful the
Annual Governance Statement is?
Does the audit committee satisfy itself that the system of
internal control has operated effectively throughout the
reporting period?
Has the audit committee considered how it integrates with
other committees that may have responsibility for risk
management?
Has the audit committee (with delegated responsibility) or
the full council adopted "Managing the Risk of Fraud - Actions to Counter Fraud and Corruption"?
Does the audit committee ensure that the "Actions to
Counter Fraud and Corruption" are being implemented?
Is the audit committee made aware of the role of risk
management in the preparation of the internal audit plan?
√
This is presented annually to the Committee as part of the Annual Report and Opinion in
June for the Committee to note and consider.
√
This is included within the terms of reference
√
This is included in the Audit Plans report received by the Committee each March.
Does the audit committee review the authority's strategic
risk register at least annually?
Does the audit committee monitor how the authority
assesses its risk?
Do the audit committee's terms of reference include
oversight of the risk management processes?
√
Confirmed that this was last reviewed in June 2015.
INTERNAL CONTROL
2.1
1
2.2
1
2.3
1
2.4
1
2.5
1
2.6
1
2.7
1
2.8
2
2.9
2
2.10
2
2.11
2
Requested to be discussed at the meeting.
Regular reports are provided to the Committee in relation to progress made against the
internal audit plan and in relation to the follow up of internal audit recommendations.
√
√
This Committee has responsibility for risk management.
Requested to be discussed at the meeting.
Requested to be discussed at the meeting.
Requested to be discussed at the meeting.
√
This is included in the terms of reference.
FINANCIAL REPORTING AND REGULATORY MATTERS
3.1
1
3.2
1
3.3
1
3.4
1
3.5
2
3.6
2
3.7
2
Is the audit committee's role in the consideration and/or
approval of the annual accounts clearly defined?
Does the audit committee consider specifically:
- the suitability of accounting policies and treatments;
- major judgements made;
- large write-offs;
- changes in accounting treatment;
- the reasonableness of accounting estimates;
- the narrative aspects of reporting?
Is an audit committee meeting scheduled to receive the
external auditor's report to those charged with governance
including a discussion of proposed adjustments to the
accounts and other issues arising from the audit?
√
This is included in the terms of reference.
√
As part of the review of the annual accounts.
√
This is included as a regular item on the work programme.
Does the audit committee review management's letter of
representation?
Does the audit committee annually review the accounting
policies of the authority?
Does the audit committee gain an understanding of
management's procedures for preparing the authority's
annual accounts?
Does the audit committee have a mechanism to keep it
aware of topical legal and regulatory issues, for example by
receiving circulars and through training?
√
This is included as a regular item on the work programme.
Requested to discuss further, recognises that discussed as part of the review of
accounts but no separate discussion.
Clarification requested.
As mentioned previously top up training / refresher training annually is requested.
Responses also queried whether there is a mechanism as such.
Does the audit committee approve annually and in detail,
the internal audit strategic and annual plans including
consideration of whether the scope of internal audit work
addresses the authority's significant risks?
Does internal audit have an appropriate reporting line to
the audit committee?
Does the audit committee receive periodic reports from the
internal audit service including an annual report from the
Head of Internal Audit?
Are follow-up audits by internal audit monitored by the audit
committee and does the committee consider the adequacy
of implementation of recommendations?
Does the audit committee hold periodic private discussions
with the Head of Internal Audit?
Is there appropriate co-operation between the internal and
external auditors?
Does the audit committee review the adequacy of internal
audit staffing and other resources?
Has the audit committee evaluated whether its internal
audit service complies with CIPFA's Code of Practice for
Internal Audit in Local Government in the United Kingdom?
√
This is included in the Audit Plans report received by the Audit Committee in March.
√
In addition to reporting into the meeting, officers can contact members directly.
√
Regular progress and follow up reports are provided to the Committee throughout the year,
culminating in the Annual Report and Opinion.
√
As part of the follow up reports to the Committee.
Are internal audit performance measures monitored by the
audit committee?
Has the audit committee considered the information it
wishes to receive from internal audit?
√
INTERNAL AUDIT
4.1
1
4.2
1
4.3
1
4.4
1
4.5
1
4.6
1
4.7
1
4.8
1
4.9
2
4.10
2
Requested to be discussed at the meeting.
√
Liaison is undertaken as necessary i.e. in setting the annual internal audit plan.
√
This is included and referred to in the Audit Plans report provided to the Audit Committee in
March.
This has now been replaced by the Public Sector Internal Audit Standards, and the annual
review of the Effectiveness of Internal Audit, which is now part of the Annual Report and
Opinion will comment on compliance with these standards.
√
Performance Measures are included in all the reports received by the Audit Committee from
internal audit.
Do the external auditors present and discuss their audit
plans and strategy with the audit committee (recognizing
the statutory duties of external audit)?
Does the audit committee hold periodic private discussions
with the external auditor?
Does the audit committee review the external auditor's
annual report to those charged with governance?
Does the audit committee ensure that officers are
monitoring action taken to implement external audit
recommendations?
Are reports on the work of external audit and other
inspection agencies presented to the committee, including
the Audit Commission's annual audit and inspection letter?
√
Does the audit committee assess the performance of
external audit?
Does the audit committee consider and approve the
external audit fee?
√
EXTERNAL AUDIT
5.1
1
5.2
1
5.3
1
5.4
1
5.5
1
5.6
1
5.7
1
Received annually by the Audit Committee.
Requested to be discussed at the meeting.
√
Received annually by the Audit Committee.
√
√
Received annually by the Audit Committee.
What would happen if these weren't approved?
ADMINISTRATION
Agenda administration
6.1
1
6.2
1
6.3
2
6.4
2
Does the audit committee have a designated secretary
from Committee/Member Services?
Are agenda papers circulated in advance of meetings to
allow adequate preparation by audit committee members?
√
√
Earlier circulation would be beneficial.
Are outline agendas planned one year ahead to cover
issues on a cyclical basis?
Are inputs for Any Other Business formally requested in
advance from committee members, relevant officers,
internal and external audit?
√
Audit Committee Work Programme is a standard agenda item, continually rolled forward.
Do reports to the audit committee communicate relevant
information at the right frequency, time, and in a format
that is effective?
Does the audit committee issue guidelines and/or a
proforma concerning the format and content of the papers
to be presented?
√
It was recognised that the Audit Committee has a work programme which is clear in
confirming when different reports will be made available.
√
For the most part, Audit Committee reports follow the Council's approved Committee
reporting template. The Committee reserves the right, however, on occasions, to revise
the format when requesting ad-hoc reports.
Are minutes prepared and circulated promptly to the
appropriate people?
Is a report on matters arising made and minuted at the
audit committee's next meeting?
Do action points indicate who is to perform what and by
when?
√
Earlier circulation would be beneficial, and as the Committee only meet quarterly
could these be circulated earlier.
Assume this is included in the minutes.
√
This is not strictly applicable to the Audit Committee.
Papers
6.5
1
6.6
2
Actions arising
6.7
1
6.8
1
6.9
1
√
√
Committee agendas recognise Action Points arising from the minutes of previous meetings.
Specific target dates are not added but the Action Points are revisited each time the
Committee is convened.
Agenda Item 12
PRMB – February 2016
Draft Corporate Risk Register February 2016
Summary Register
Risk | Ref. | Current Score | Target Score | Officer
Medium Term Financial Plan | 015(CR) | 20 | 12 | Karen Sly - Head of Finance
Coastal Erosion - (the effects of) | 002(CR) | 20 | 12 | Rob Goodliffe - Coastal Management Team Leader
Transformation Agenda/Business Transformation Work | 003(CR) | 16 | 8 | Sheila Oxtoby - Chief Executive
Property assets (the condition of)/ Asset Management | 001(CR) | 12 | 9 | Duncan Ellis - Head of Assets & Leisure
Procurement - (lack of value for money) | 009(CR) | 9 | 3 | Karen Sly - Head of Finance
Information - (loss of) | 008(CR) | 8 | 4 | Sean Kelly - Head of Business Transformation and IT
Housing Delivery | 010(CR) | 6 | 6 | Nicola Turner - Strategic Housing Team Leader
Operational disruption - (significant event) | 013(CR) | 6 | 6 | Richard Cook - Civil Contingencies Manager, Steve Hems - Head of Environmental Health
Homeworking - security, staff health and safety | 019(CR) | 6 | 6 | Sean Kelly - Head of Business Transformation and IT
Disclosure and Barring Checks (DBS) for staff | 020(CR) | 6 | 4 | Julie Cooke - Head of Organisational Development
Proposal to remove Individual Electoral Registration causing potential disenfranchisement 021(CR) from the Corporate Risk Register as there is no
longer a risk of IER failing.
Potential New Risks
Risk | Ref. | Current Score | Target Score | Officer
Recruitment (inability) | | | | Julie Cooke - Head of Organisational Development
KEY
Impact Type
Impact (Loss) | Objectives | Financial
Catastrophic - 5 | The key objectives in the Corporate Plan will not be achieved. | Over £1m
Critical - 4 | One or more Key Objectives in the Corporate Plan will not be achieved. | £400K - £1m
Moderate - 3 | Significant impact on the success of the Corporate Plan. | £200K - £400K
Marginal - 2 | Some impact on more than one Service. | £10K - £200K
Negligible - 1 | Insignificant impact on more than one Service. | £0-10K
Likelihood | Probability | Timing
Very High - 5 | Over 90% | Within six months
High - 4 | 60 - 90% | This year
Moderate - 3 | 40 - 60% | Next year
Low - 2 | 10 - 40% | Probably within 15 years
Very Low - 1 | below 10% | Probably over 15 years
Risk
1. Cause of risk
2. Description of Risk or potential
event
3. Consequence of risk happening
Medium Term Financial Plan 015(CR)
1. Uncertainty around the Government's
spending reduction programme and the
impact on the Council’s funding. The
business rates retention system has
shifted the risk of business rates
fluctuations to the local level, meaning
that Local Authority funding will be
impacted directly from decline in
business and also planned reductions to
the revenue support grant and reliance
on New Homes Bonus funding
influenced by delivery of new homes
and reductions in long term empty
properties.
2. Failure to produce a balanced budget
position and funded future projections in
the medium term and to deliver a
freezing of Council Tax increases.
3. The Corporate Plan may not be
delivered to the identified timescales.
The level of service currently provided
could be at risk, unplanned use of
reserves which is unsustainable in the
longer term. Higher level of savings
requirement in future years.
Existing Controls
Controls that have been
implemented since the last review
are shown in green
Policy work
Score
(with
controls)
Impact x Likelihood = Total
5x4=20
Lobbying Central Government
Medium Term Financial Strategy
Corporate Planning / Service
Planning
Budget Process / Budget Monitoring
Regular monitoring system of the
impact of the business rates
retention and the localised council
tax support system
Utilisation of (part of) the New
Homes Bonus grant within the base
budget from 2014/15
Action (to achieve target
score) and progress to date
Growth forecasting models to be
developed for housing and
business rates to inform future
financial forecasts and budget. –
Some Problems - Business rates
forecasting has been informed
by the annual NNDR returns and
also outcome of appeals. Timing
of businesses coming on track to
be reviewed with Planning and
also informed by visiting officers
progress. Housing forecast
updated annually as part of the
Tax Base setting and monitoring
of the collection fund position,
monthly CTB reports for Long
term empties to be reviewed for
new property reporting also.
Target
Score
Impact x
Likelihood
= Total
4x3=12
Corporate
Objective /
Service
Priority
Officer
Delivering the
Vision
Karen Sly - Head of Finance
Early update of the Financial
Strategy to inform the 2017/18
budget process
Annual review of the Council's
reserves
Reporting - New legislation and
consultation
Impact of changes to the NHB
scheme from 2017/18 to be
quantified and considered within
future budgets.
Timely agreement of the annual
Localised Council Tax Support
Scheme
Project Management Plans
Short term budget surplus forecast
(2016/17 and 2017/18)
Risk
1. Cause of risk
2. Description of Risk or potential
event
3. Consequence of risk happening
Existing Controls
Controls that have been
implemented since the last review
are shown in green
Coastal Erosion - (the effects of) 002(CR)
The Pathfinder Project
Score
(with
controls)
Impact x Likelihood = Total
5x4=20
Cromer Sea Defence Works –
On Track - Works are
progressing with programmed
finish date end of March 2016
dependent on external
influences e.g. weather.
Programme risk actively
managed.
Shoreline Management Plan (SMP)
1. Lack of Government funding to
maintain coast defences and / or to
support local compensation claims
2. Coastal erosion and blight of coastal
settlements through loss of public and
private infrastructure and assets. The
Council has devoted significant
resources to pursuing sustainable
answers to coastal management issues.
There is a considerable Health and
Safety context here which serves to
increase the reputational risk for the
Council at the same time.
3. Increased coastal erosion through
loss of defences presents a reputational
risk to the authority in the eyes of local
communities and direct loss of Council
owned assets / infrastructure which are
fundamental to the district's tourism
offer and therefore the economic wellbeing of the district. Loss of confidence
in respect of business investment and
residential property market; blight of
properties in erosion zone; direct loss of
tourism assets and infrastructure
promenades, beach chalets, cafés,
public toilets, car parks etc.; loss of
tourism income / employment.
Action (to achieve target
score) and progress to date
Repairs & Maintenance Programme
Procurement practices
Health & Safety checking and
monitoring
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
4x3=12
Coast,
Countryside
and Built
Heritage
Rob Goodliffe - Coastal Management Team Leader
DEFRA funding of capital schemes
Coast monitoring
Control of coastal management
schemes through procurement and
regular checking
Risk
1. Cause of risk
2. Description of Risk or potential
event
3. Consequence of risk happening
Transformation Agenda/Project 003(CR)
1. It is clear that there is a new urgency
about change in local government
driven by the current financial pressures
and the ambition to ignite community
engagement. Previous incremental
change is being replaced by a more
wholesale restructuring of local
government and its place in local
service delivery.
2. The risk is that in moving to a new
agenda so quickly there is no basic
framework within which the new
arrangements can be undertaken.
3. Vision and action may not be fully
supported by a sound assessment and
a solid understanding of policy
implications at national and local level.
Existing Controls
Controls that have been
implemented since the last review
are shown in green
Training, learning & policy initiatives
Score
(with
controls)
Impact x Likelihood = Total
4x4=16
Strategies
Action (to achieve target
score) and progress to date
IT transformation work that is
currently being undertaken –
Some Problems - Potential
imbalance between resources
and workload remains. Of
particular concern are the
recruitment difficulties relating
to highly technical positions.
Funding was approved by
Cabinet on 30 November
2015 for additional project
and technical resources to
provide access to short term
resource. However the longer
term skilled resource
availability to sustain the
business benefits delivered
by the Digital Transformation
remains to be addressed. The
Planning BPR is currently
being implemented.
Reporting - New legislation and
consultation
Network development
Maintain technical competence
Medium Term Financial Strategy
Approval of the Business
Transformation Programme
Appointment of a Head of Business
Transformation to deliver the
programme
Business Transformation Board
monitoring projects progress
Target
Score
Impact x
Likelihood
= Total
2x4=8
Corporate
Objective /
Service
Priority
Officer
Delivering the
Vision
Sheila Oxtoby - Chief Executive
Managing delivery of
workstreams as included in
the Transformation
programme – On Track –
Overall the programme
remains broadly on track.
However, conflicting priorities
and resource demands will
have to be closely monitored
to ensure planned timelines
remain viable.
Risk
1. Cause of risk
2. Description of Risk or potential
event
3. Consequence of risk happening
Property assets - (the condition of) 001(CR)
1. A lack of investment and sound
decision-making.
2. Deteriorating property assets may
lead to a loss of revenue and possible
legal liability.
3. The Council does not achieve value
for money from its investment and/or
possible legal liabilities either directly or
through its leasing arrangements.
This scenario is detrimental to the local
tourism economy as well as damaging
to local communities contributing to a
lack of community pride and possible
increase in vandalism. The capital tied
up in assets cannot be released to
support wider Council initiatives and
income streams are not maximised.
Existing Controls
Controls that have been
implemented since the last review
are shown in green
Work is on-going in relation to the
R&M schedules and inputting this
detail onto the Concerto system. The
schedules were used to support the
update of the Asset Management
Plan and the capital works
highlighted within the plan were
included as part of the capital budget
for 2015/16 (subject to further
business cases where
appropriate).
Score
(with
controls)
Impact x Likelihood = Total
4x3=12
Action (to achieve target
score) and progress to date
Managed risk
Target
Score
Impact x
Likelihood
= Total
3x3=9
Corporate
Objective /
Service
Priority
Officer
Delivering the
Vision
Duncan Ellis – Head of Assets and Leisure
Rolling asset condition surveys
continue to be undertaken to ensure
that the R&M schedules remain up to
date.
Various policies are in place to help
manage property risks and risk
assessment inspections and review
works continue to be developed and
improved and officers are currently
working on the introduction of a new
compliance contract that will further
support this area which is expected
to be in place from the summer of
2016. Regular routine inspections
take place on all of the Council’s car
parks for example to review, monitor
and help manage a number of risks
and these visits are logged on
Concerto to help provide an audit
trail.
The majority of the new posts are
now in place following the
restructure, part of which includes a
dedicated resource to progress the
Concerto Asset Management
system. While the Asset Strategy
Manager post remains unfilled at the
start of March 2016 interviews are
imminent and these will hopefully
result in an appointment.
The Asset Management Plan has
been updated and agreed by Cabinet
and Full Council, this contains an
improvement plan which is currently
being implemented and forms part of
the Ten performance monitoring
system.
The procurement of a Strategic Asset
Development Partner is almost
complete with the contract due to
start in April 2016. This partner will
help to provide the Property Services
team with additional skills, expertise
and capacity to help take forward
some of the current projects, the
partner will review the current asset
portfolio and help to bring additional
challenge as to why we are holding
certain assets and what we might
consider doing differently, as well as
advising on potential acquisitions.
This partner will provide a contract
for the Property team to access skills
which are not available internally,
such as architectural support,
quantity surveyors, structural
engineers and land agents etc.
Risk
1. Cause of risk
2. Description of Risk or potential
event
3. Consequence of risk happening
Existing Controls
Controls that have been
implemented since the last review
are shown in green
Procurement - (lack of value for
money) - 009(CR)
Procurement Strategy
Score
(with
controls)
Impact x Likelihood = Total
3x3=9
Procurement Framework
1. The current financial climate, recent
resourcing issues causing an absence
of a focus for this work, together with a
reduction in the available accountancy
resources going forward increase the
risk of a lack of continuous improvement
in this area.
2. Failure to adopt new procurement
practices and delivery of efficient and
timely procurement processes could
mean that the Council will not achieve
value for money procuring the goods
and services it uses.
Joint procurement protocol and
opportunities for joint/shared
procurement with other authorities
where possible
Action (to achieve target
score) and progress to date
A procurement evaluation – On
Track - An increased awareness
of the location and use of the
Toolkit (including the Quotation
Value Path) has been
undertaken including
presentations to Management
groups and on one-to-one basis.
Target
Score
Impact x
Likelihood
= Total
3x1=3
Corporate
Objective /
Service
Priority
Officer
Delivering the
Vision
Karen Sly
– Head of
Finance
Analysis of procurement
outcomes and the value for
money achieved has started.
Advice for external suppliers
Procurement responsibility assigned
to the Chief Accountant
Note – Chief Accountant left in
May and post is yet to be filled.
Regular procurement refresh and
review of procedures
Joint procurement support
options to be considered, similar
format to the Internal Audit
Consortium.
3. The Council may not achieve value
for money, financial/procedural
inefficiencies possible challenge to
contracting procedures.
Risk: Information - (loss of) - 008(CR)
1. Cause of risk: Lax security - Information may be lost, mislaid or stolen. Increased use of mobile technology such as iPads etc.
2. Description of Risk or potential event: There exists an inherent potential for the loss of organisational information at any security level. ICT is responsible for ensuring electronic data is secure (in conjunction with system owners who control access to their databases).
3. Consequence of risk happening: Information may be inappropriately used. Fraud or data corruption may occur. Systems may suffer damage. The Council's reputation may be harmed.
Existing Controls:
• Information Management Strategy
• Implement data security protocols on mobile devices
• ICT Security Policy
• IT Monitoring
• Data Protection training
• Code of Connection compliance
• Regular audits of IT security arrangements
• Regular 3rd party data protection and integrity testing
• Information security and data protection training - Implemented
Score (with controls), Impact x Likelihood = Total: 4x2=8
Action (to achieve target score) and progress to date:
• Interim generic information on information security and data protection to be shared with staff through intranet. – On Track - Has been mitigated by the implementation of the e-learning system which has some InfoSec content. All posts with a requirement for increased awareness will be identified and an appropriate learning plan implemented.
Target Score, Impact x Likelihood = Total: 4x1=4
Corporate Objective / Service Priority: Delivering the Vision
Officer: Sean Kelly - Head of Business Transformation and IT
Risk: Housing Delivery - 010(CR)
1. Cause of risk: A combination of lack of developer confidence because of recession / weak financial markets and pressure on public finances meaning reduced availability of grant funding for affordable housing provision.
2. Description of Risk or potential event: Inability to secure planning permission for provision of affordable housing.
3. Consequence of risk happening: A challenge over the Council's ability to deliver sufficient affordable homes
Existing Controls:
• Use of capital
• Partnership work with Registered Providers
• Local Investment Plan
• Local Development Framework (LDF) policies
• Internal planning protocol
• Housing Strategy discussion document (2010)
• Increased Focus
• Enhance Housing Association delivery
Score (with controls), Impact x Likelihood = Total: 3x2=6
Action (to achieve target score) and progress to date:
• All controls are implemented and risk is currently under control, to be reviewed in six months.
Target Score, Impact x Likelihood = Total: 3x2=6
Corporate Objective / Service Priority: Housing and Infrastructure
Officer: Nicola Turner - Housing Team Leader - Strategy
Risk: Operational disruption - (significant event) - 013(CR)
1. Cause of risk: Both the National and Community Risk Registers have more information regarding the risk of specific events (e.g. Pandemic) occurring.
2. Description of Risk or potential event: Any internal or external event that has a significant impact on the ability of the Council to deliver services.
3. Consequence of risk happening:
a) Loss of staff for 'usual' service delivery
b) Loss of premises
c) Loss of key partners/suppliers
d) Loss of infrastructure services
A reduction in the ability of the Council to deliver services, possibly at a time of increased demand from the community.
Existing Controls:
• Response & Recovery Planning
• Continuity Planning
• Corporate Business Continuity key role training
• Critical Services Business Continuity Plans completed.
Score (with controls), Impact x Likelihood = Total: 3x2=6
Action (to achieve target score) and progress to date:
• All controls are implemented and risk is currently under control, to be reviewed in six months.
Target Score, Impact x Likelihood = Total: 3x2=6
Corporate Objective / Service Priority: Delivering the Vision
Officer: Richard Cook - Civil Contingencies Manager, Steve Hems - Head of Environmental Health
Risk: Homeworking - security, staff health and safety - 019(CR)
1. Cause of risk: All aspects of remote working not covered by corporate policies. There are procedures in place for IT risks.
2. Description of Risk or potential event: Security put at risk. Cost of home working not adequately budgeted for. All managers have a responsibility for their staff working from home.
3. Consequence of risk happening: Remote staff unable to access technology needed to do their jobs and for business continuity.
Existing Controls:
• IT Monitoring
• A range of standard technology solutions available to meet the needs of identified patterns of agile working.
• All solutions configured using best practice and tested by third party for security.
Score (with controls), Impact x Likelihood = Total: 2x3=6
Action (to achieve target score) and progress to date:
• Produce and implement staff policies and procedures for homeworking – On Track - Agile Working document drafted and being reviewed by senior managers.
Target Score, Impact x Likelihood = Total: 2x2=4
Corporate Objective / Service Priority: Delivering the Vision
Officer: Sean Kelly - Head of Business Transformation and IT
Risk: Disclosure and Barring Checks (DBS) for staff - 020(CR)
1. Cause of risk: Management and HR not adhering to set internal processes around applying/renewing DBS checks, particularly in a timely manner.
2. Description of Risk or potential event: Specific jobs require pre-employment checks and on-going (minimum every 3 years) checks to comply with the relevant legislation where the post holder works with or has access to children and vulnerable adults.
3. Consequence of risk happening: If checks aren't completed in a timely way there is the risk that someone who may be barred from working with children/vulnerable adults has access to those groups through Council activities.
Existing Controls:
• Pre employment checklist
• Reminder process to the service manager.
• Reporting of lack of compliance with agreed process. The process includes escalation to the relevant Head of Service and to the Head of Organisational Development if the check is not initiated/completed within the relevant timescales.
Score (with controls), Impact x Likelihood = Total: 3x2=6
Action (to achieve target score) and progress to date:
• Update report – managed risk?
Target Score, Impact x Likelihood = Total: 2x2=4
Corporate Objective / Service Priority: Delivering the Vision
Officer: Julie Cooke - Head of Organisational Development
Proposed New Risks
Risk: Recruitment (inability)
1. Cause of risk: Needs discussion
2. Description of Risk or potential event: Difficulty recruiting into key posts, particularly in Planning Services
3. Consequence of risk happening: Not able to recruit skills and knowledge to deliver plans – corporate plan, business transformation, planning performance and delivery etc. Increased stress levels on existing staff, Increased workload in HR of repeated recruitment exercises
Existing Controls:
• Reviewed relocation policy
• Pay Policy has been updated to reflect ‘Golden Hello’s’ and retention payments
Score (with controls), Impact x Likelihood = Total: (not entered)
Action (to achieve target score) and progress to date:
• Further reviews of the outcomes of the amended policies.
Target Score, Impact x Likelihood = Total: (not entered)
Corporate Objective / Service Priority: (not entered)
Officer: Julie Cooke - Head of Organisational Development
Recommendation to remove the following from the register: - Individual Electoral Registration
Agenda Item 13
Risk Management Policy and Framework
February 2016
Version 1.03
(Draft refresh for Audit Committee – March 2016)
Risk Management Framework Version 1.03
Page 1 of 19
10 February 2016
Foreword
The fundamental principles adopted by the Council on Risk Management are
described in the policy statement on Risk Management.
Adopting and implementing the strategy detailed below will achieve compliance with
the policy.
Contents
Foreword
Contents
Policy Statement
2. Strategy Background
3. Leadership and Responsibility
4. Corporate Governance
5. Resourcing Risk Management
6. Role and Composition of the Corporate Performance and Risk Management Board
7. Risk Management Role in the Cabinet and Audit Committee
8. Risk Management Approach
9. Methodology
10. Risk Scoring, Matrix and Risk Tolerance
    Corporate Risks
    Instructions issued with service plans
    Risk Matrix
    Risk Tolerance
11. Risk Identification
12. Risk Registers
13. Involvement of Other Related Groups
14. External Contacts
15. Linked Policies
16. Review Process
Appendix 1: Shared Leadership – Role and Responsibilities
Appendix 2: Performance and Risk Management Board Terms of Reference
Document Information and Version Control
Policy Statement
This policy will take effect from the date of approval (Audit Committee).
It is the policy of the Council to adopt a proactive approach, through its
management processes, to risk management of the services it delivers both for
itself and in partnership with others.
It is recognised that a certain amount of risk is necessary and indeed that it can be
a positive force in the development of the services we provide. However, this needs
to be managed in order to:
• Safeguard our clients or service users, Members and employees and all other persons to whom the Council has a duty of care
• Ensure compliance with statutory obligations
• Preserve and enhance service delivery
• Protect our property, including buildings, equipment, vehicles and all other assets and resources
• Maintain effective control of public funds
• Protect and promote the reputation of the Council
• Support the quality of the environment
• Achieve the objectives in the Corporate Plan and Service Plans
All of these objectives will be achieved by applying the Council’s risk management
strategy, which outlines responsibilities for managing risks and defines how risk
management should be applied across the Council.
The master copy of this document, a record of review and decision making
processes will be held by the Head of Finance. All documentation will be available
for audit as necessary.
This policy will be available to all staff and Members on the corporate document
register on the intranet.
2. Strategy Background
All organisations face a wide variety of risks including physical risks to people or
property, financial loss, failure of service delivery, information management and
damage to the organisation's reputation. Risk for this purpose is defined as "the
chance of an event happening and leading to unintended effects which will impair
the organisation's ability to achieve its objectives".
Risk management is intended to be a planned and systematic approach to the
identification, assessment and management of the risks facing the organisation.
The traditional means of protecting against the more obvious risks has been
through insurance. However, there are many risks which cannot be insured against
and which must be addressed in different ways. Even in the case of those risks
which are insurable, action can be taken to reduce the potential risks with
consequent savings of premiums and disruption of work.
The risk management strategy aims to:
• Clarify responsibilities for identifying and managing risks
• Ensure that an appropriate level of risk management is consistently applied across the Council
• Increase awareness and use of risk management as a normal element of service management and improvement
• Facilitate sharing of experience and good practice across the Council and with other bodies
3. Leadership and Responsibility
Given the diversity of Council services and the wide range of potential risks, it is
essential that responsibility for identifying and taking action to address potential
risks is clear.
Responsibility for effective risk management rests with all Members and Officers of
the Council.
The Chief Executive is the Officer with overall responsibility for securing adherence
to the Council’s policy on Risk Management.
The framework of roles and responsibilities in Appendix One shows how these are
allocated.
4. Corporate Governance
North Norfolk District Council has adopted a Local Code of Corporate Governance
setting out the framework through which it will carry out its responsibilities to deliver
effective services.
Core principle four requires “taking informed and transparent decisions which are
subject to effective scrutiny and managing risk”. This requires that an effective risk
management system is in place.
The Local Code states that the authority should prepare and publish an
annual governance statement. This statement is a key corporate document and will
include an assessment of the authority’s effectiveness of managing risk; it is signed
by the Chief Executive and Leader of the Council.
The assessment of the authority’s effectiveness of managing risk is provided by an
annual report to the Audit Committee.
To enable links to be made to the Corporate Plan, the Corporate Risk Register
identifies the Corporate Objective / Service Priority to which each risk relates.
5. Resourcing Risk Management
Risk management is not a new issue and, as identified in the Leadership and
Responsibility Section, every Member and Officer is responsible for considering risk
implications as they relate to their actions. Since the adoption and implementation
of the Risk Management Framework in 2010 the concept of risk management has
been formalised and is part and parcel of the culture of the Council.
The designated Risk Champion(s) at Management Team Level is the Head of
Finance.
The Corporate Risk Officer will be the link for all aspects of risk management. [1]
Information Technology is used in the form of the Performance and Risk System.
6. Role and Composition of the Corporate
Performance and Risk Management Board
Whilst acknowledging the wide variety of risks that face the Council, and the
differing circumstances that apply in different services, it is essential that there is
some consistency in the way that risks are identified and assessed. This helps to
ensure that all areas of risk are adequately considered and relative priorities for
action can be judged.
The Corporate Performance and Risk Management Board will provide this
consistency of approach. The Board acts as a link between service managers,
specialised groups dealing with particular areas of risk, senior management and
Members.
The Board consists of the Leader and Deputy Leader of the Council and the
Portfolio Holder for Finance, all the Corporate Leadership Team, the Head of
Finance and the Head of Organisational Development.
[1] We do not have an identified Risk Officer. This role and the duties associated with it need discussion.
The Terms of Reference and membership of the Performance and Risk
Management Board are available on the Intranet.
The Corporate Risk Register will be a standing item on the agenda (for any issues
or changes that arise) and a full review of the register will take place every six
months.
7. Risk Management Role in the Cabinet and Audit
Committee
The Cabinet is responsible for ensuring that an adequate risk management
framework and associated control environment exists within the Council.
The Audit Committee was established in 2006. This Committee is responsible for
monitoring the arrangements in place for the identification, monitoring and
management of strategic and operational risk.
To provide the Audit Committee with the necessary information to undertake these
responsibilities, regular progress updates on the Corporate Risk Register are
reported at specific Audit Committee meetings.
8. Risk Management Approach
The development of a consistent, corporate approach to risk management is done
in a methodical and proportionate way in order to avoid the creation of a self-defeating bureaucratic burden.
To ensure that risk management is handled in the most efficient way within the
Council, the risk element has been included in the Service Plans and the work to
implement the risk management strategy has been included in the Performance and
Risk System.
9. Methodology
A methodology for identifying, assessing and managing risk within the Council has
been developed. This methodology has the advantage of being relatively
straightforward to use and can be applied to both the strategic risks of the Council
and as part of the routine service and project planning processes.
Guidance for managers on the application of the risk management methodology has
been produced and is embedded in the Performance and Risk System. Risk review
meetings between the Policy and Performance Management Officer and Service
Managers are held at least every six months to review and update the assessment
of existing risk and their management, to identify new risks and risks that should be
put forward for inclusion in the Corporate Risk Register.
Risk assessments should be produced to support strategic policy decisions and all
major projects. The Guide to Project Management (on the Intranet) includes how to
assess risk and has forms to capture the data. The Council’s risk management
methodology should be followed to produce these risk assessments and a summary
of the findings given in reports to Members.
Risk management training will be provided for managers to assist with implementing
the risk management methodology. Managing Risk is a tutorial in the e-learning
portal.
10. Risk Scoring, Matrix and Risk Tolerance
Corporate Risks
Each corporate risk (a similar matrix is used for service risks) will be assessed
against the following criteria:
Corporate Risk Impact
Impact (score) | Objectives | Financial Impact (Loss)
Catastrophic (5) | The key objectives in the Corporate Plan will not be achieved. | Over £1.5m
Critical (4) | One or more Key Objectives in the Corporate Plan will not be achieved. | £500K - £1.5m
Moderate (3) | Significant impact on the success of the Corporate Plan. | £300K - £500K
Marginal (2) | Some impact on more than one Service. | £0K - £300K
Negligible (1) | Insignificant impact on more than one Service. | £0-20K

Likelihood ratings and dimensions are tabled below
Grade | Likelihood | Probability | Timing
5 | Very High | Over 90% | Within six months
4 | High | 60 - 90% | This year
3 | Moderate | 40 - 60% | Next year
2 | Low | 10 - 40% | Probably within 15 years
1 | Very Low | below 10% | Probably over 15 years
Instructions issued with service plans
Impact ratings and dimensions are tabled below
Corporate Risk Impact
Impact (score) | Objectives | Financial Impact (Loss)
Catastrophic (5) | The key objectives in the Corporate Plan will not be achieved. | Over £1.5m
Critical (4) | One or more Key Objectives in the Corporate Plan will not be achieved. | £500K - £1.5m
Moderate (3) | Significant impact on the success of the Corporate Plan. | £300K - £500K
Marginal (2) | Some impact on more than one Service. | £20K - £300K
Negligible (1) | Insignificant impact on more than one Service. | £0-20K

Service Risk Impact
Impact (score) | Objectives | Financial Impact (Loss)* | Service provision
Catastrophic (5) | The key objectives in the Business Plan will not be achieved | Over £500K | Service suspended long term or statutory duties not delivered.
Critical (4) | One or more Key Objectives in the Business Plan will not be achieved. | £300K - £500K | Service suspended short term.
Moderate (3) | Significant impact on the success of the Service Business Plan. | £75K - £300K | Service reduced significantly
Marginal (2) | Personal or team objectives not met. | £10K - £75K | Slightly reduced
Negligible (1) | Insignificant impact. | £0-10K | No effect

* Note: these are indicative figures; it may be better to use % of budget for some of the
smaller services.

Likelihood ratings and dimensions are tabled below
Grade | Likelihood | Probability | Timing
5 | Very High | Over 90% | Within six months
4 | High | 60 - 90% | This year
3 | Moderate | 40 - 60% | Next year
2 | Low | 10 - 40% | Probably within 15 years
1 | Very Low | below 10% | Probably over 15 years
The probability and timing are guidelines only and should be used with judgement.
For example: an identified risk happened in the last six months but had not occurred
previously for over 10 years. The likelihood of it happening again is probably still Low,
particularly if you feel that any new controls put in place since the risk happened have
made it less likely.
Risk Matrix
Scoring with a 5x5 matrix, which multiplies the two numbers together, gives a
wider range of scores.
Matrix (likelihood of occurrence multiplied by severity of impact / consequences)
Likelihood of occurrence | Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5
5 | 5 | 10 | 15 | 20 | 25
4 | 4 | 8 | 12 | 16 | 20
3 | 3 | 6 | 9 | 12 | 15
2 | 2 | 4 | 6 | 8 | 10
1 | 1 | 2 | 3 | 4 | 5
A very high likelihood with a catastrophic impact would score 25 but something that
was very low likelihood and negligible impact would only score 1.
Risk Tolerance
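Matrix (likelihood of occurrence multiplied by severity of impact / consequences)
Likelihood of occurrence | Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5
5 | 5 | 10 | 15 | 20 | 25
4 | 4 | 8 | 12 | 16 | 20
3 | 3 | 6 | 9 | 12 | 15
2 | 2 | 4 | 6 | 8 | 10
1 | 1 | 2 | 3 | 4 | 5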
A score of 6 or under is deemed marginal and requires no further action
A score of between 7 and 14 is deemed moderate and requires action to reduce the
score.
A score of over 15 is deemed critical and requires immediate action.
11. Risk Identification
To meet the requirements of this framework, risk(s) must be capable of being
identified at any level, and by anybody, within the Authority.
The key people are the service managers who will be actively monitoring their
service plan to identify risks and change management practices and controls to
reduce their impact. Service risks can also be escalated to corporate risks through
the Performance and Risk Management Board.
Members and Senior Officers can also identify corporate or service risks through
the Performance and Risk Board.
12. Risk Registers
The authority has two levels of risk register. The Corporate Risk Register is
maintained by the Corporate Risk Officer and monitored by the Performance and
Risk Management Board. The service risks are monitored through the service plans
and recorded on the TEN system. Reviewing service risks is the responsibility of
the service manager with the support of the Policy and Performance Management
Officer.
There is no “classic” definition of corporate risk as each organisation is different,
however, as a guide a risk that would be described as corporate is one that would
adversely affect the delivery of the corporate plan or mean the failure to deliver a
corporate objective or affects more than one area of operation.
The Corporate Risk Register is in the following format:
Name / No (1. Cause of risk; 2. Description of Risk or potential event; 3. Consequence of risk happening) | Existing Controls | Score (with controls) Impact x Likelihood = Total | Action (to achieve target score) and Date for action to be completed | Target Score Impact x Likelihood = Total | Corporate Objective / Service Priority | Responsible Officer
The method of scoring likelihood and impact is in section 10.
Similarly there is no “classic” definition of service risk and it is the clear intention to
only collect and monitor the main risks that face a service. In a similar way to the
corporate risk, a service risk is one that would adversely affect the delivery of the
service's business plan or mean the failure to deliver a service objective or affects
more than one area within the service.
The service risks are gathered in a similar way:
Ref | Description of risk/opportunity factor (1. Cause of risk; 2. Description of risk; 3. Consequence of risk occurring) | Existing controls in place to reduce the risk. | Risk Score (I, L) | Action to reduce risk score with timescale and responsible officer | Target Score (I, L) | Affected Corporate Objective or Service Activity
All service plans will have the risk element completed and signed off by the relevant
Head of Service
For each risk the category or categories of risk are identified to assist in assessing
the kind of control, mitigation and contingencies that should be put in place.
Categories of risk;
A Financial
B Reputational
C Capacity/ Delivery?
D Statutory Compliance
E Human Resources
F Partnership
G Health and Safety
The TEN Performance system will show risks by service. Risks and controls
must be reviewed on a regular basis; the framework requires a six-monthly update,
which will be facilitated by the Policy and Performance Management Officer.
13. Involvement of Other Related Groups
There are a number of other officer groups in existence which deal with specific
areas of risk management. These include both the Health and Safety Group and the
Corporate Business (Service) Continuity Group. These groups are represented on
the Performance and Risk Management Board by their Corporate Directors so that
their work can be coordinated with the overall management of the risks facing the
Council.
In addition to the groups listed above, the Council’s Internal Audit section also
contributes to the management of risk. The work of Internal Audit is based on a
needs and risk assessment process that identifies and focuses resources on higher
risk areas. Audit findings are reported to the relevant Chief Officer and Service
Manager together with recommendations for improvement and an action plan.
Checks are undertaken by Internal Audit to ensure agreed recommendations are
implemented.
The Corporate Risk Officer [2] will receive copies of all finalised internal and external
audit reports to assess if any change is required for the risk registers.
[2] Responsibility for this to be assigned
14. External Contacts
The potential risks faced by the Council are in many cases similar to those faced by
other authorities and it is practical and cost effective to learn from the experience of
others.
In order to share risk management information and experiences, the Council has
established networks with other authorities and agencies. Specifically, the Council is
a member of the Norfolk Risk Managers’ Group. This Group, whose members
include local authorities, police authority and others from Norfolk, meets on a
regular basis to discuss risk management issues that are common to organisations
and to share examples of best practice.
15. Linked Policies
There are a number of policies that are or will be linked to this framework:
Health and Safety Policy
IT Security Policy
Information Management Strategy
Business Continuity Policy
16. Review Process
This Framework will be reviewed by the Corporate Performance and Risk
Board and any amendments will be agreed by the Audit Committee and
Cabinet.
Appendix 1: Shared Leadership – Role and
Responsibilities
Everyone has a role to play in an integrated risk management framework.
Combining shared leadership with a team approach will help contribute to its
ultimate success. Roles as identified at present are:
1. FULL COUNCIL
Approve the Corporate Risk Management Framework which includes the Policy
Statement and Strategy.
2. CABINET
To provide leadership and direction for the Council. To keep the Council’s policies
and objectives under review, including the Council’s corporate strategic risks, and
agree a programme of risk reduction where appropriate.
Receive progress reports on risk reduction programme and agree revisions to
“corporate risk register”.
Assess risks attached to proposals for new / changed policies and service delivery
arrangements and make recommendations to Full Council.
3. AUDIT COMMITTEE
Monitor to ensure that an adequate risk management framework and associated
control environment is in place.
Monitor arrangements for the identification, monitoring and management of strategic
and operational risk within the Council
Receive progress reports on the corporate risk register at each meeting.
4. CHIEF EXECUTIVE
Overall responsibility for securing adherence to the Council’s Policy on Risk
Management.
5. CORPORATE LEADERSHIP TEAM (CLT)
Appoint a Corporate Director and Member to jointly take responsibility for risk
management.
Agree the Corporate Risk Management Framework including the Policy Statement
and Strategy.
Consider risks attached to proposals for new / changed policies and service delivery
arrangements.
Ensure that this framework is applied.
6. PERFORMANCE AND RISK MANAGEMENT BOARD (PRMB)
See Terms of Reference (page 13) but amongst those is to:
Consider and agree the Council’s corporate strategic risks and identify those
requiring further action.
Allocate responsibility to Corporate Directors to develop action plans for corporate
strategic risks.
Receive progress reports on risk reduction programme and propose revisions to
“corporate risk register”
The Corporate Risk Register will be a standing item on the agenda (for any issues
or changes that arise) and a full review of the register will take place every six
months.
7. CORPORATE HEALTH AND SAFETY GROUP
Reports directly to the Performance and Risk Management Board and is charged
with delivering health and safety policy across the Council.
8. CORPORATE RISK OFFICER [3]
Coordinate risk management activity across the Council
Report on risk management activity to Performance and Risk Management
Board (PRMB), Corporate Leadership Team (CLT) [4] and Members
Maintain a corporate risk register and liaise with Service Managers relating
to service risks. Ensuring that the service risks are updated on the risk system
every six months.
Provide risk management training for officers and Members, appropriate to
their needs and responsibilities.
[3] There is currently not an identified Corporate Risk Officer. Role still required? Assign
responsibilities to other officers? These are currently carried out by the Head of Finance (duties 1 and
2 and part of 4) and the Policy and Performance Management Officer (3 and part of 4)
[4] Should this be Management Team instead of CLT?
9. INDIVIDUAL SERVICE MANAGERS
Develop action plans in relation to corporate strategic risks as they relate to
their area.
Identify risks attached to proposals for new / changed policies and service
delivery arrangements
Ensure that a service risk register is maintained and updated every six
months on the risk system and that action plans are implemented
10. EMPLOYEES
Maintain awareness of risk management principles and take responsibility
for managing risk within their own working environment
Apply risk management to those risks requiring further action, particularly
new developments and "project" work
Maintain a record of risk assessments undertaken relating to them and any
resulting action plans
11. INTERNAL AUDIT
Reporting to Management on the organisation's performance under the Risk
Management Framework.
12. EXTERNAL AUDIT
Reporting to Management via Use of Resources etc on the organisation's
performance on risk management.
Appendix 2: Performance and Risk Management Board Terms of Reference
Members [5]
The Performance & Risk Management Board is composed of the following members:
Leader of the Council
Cabinet Portfolio Holder
Chief Executive
Corporate Director (2)
Head of Organisational Development
Head of Finance
Monitoring Officer
The Board will request the attendance of other officers, Members or contractors to their
meetings where their input will be of assistance to the work of the Board. The Board is
accountable to the Cabinet and has a relationship with the Audit Committee, particularly on
risk-related matters.
Purpose
The purpose of the Board is to embed performance and risk management within the culture
of the Council as a means of:
• driving organisational improvement forward;
• providing evidence of priority achievements; and
• minimising and managing the Council’s on-going risk exposure.
Objectives
1. To maintain a performance management framework that is understood and
implemented by all.
2. To identify and manage the Council’s strategic and operational risks and
strengthen business continuity.
3. To ensure that all staff and Members have a shared understanding of the
council’s priorities and of what is needed to be done to realise those
priorities.
4. To ensure that the commitment given to performance and risk management
is commensurate with the importance placed on embedding a successful
performance and risk management culture.
5. To ensure that services deliver the corporate objectives by challenging the
measures and targets put forward by service heads / managers.
6. To ensure that management and Council decisions are based on valid,
accurate and timely information.
[5] This TOR is very out-of-date but the current one is not complete. Have reviewed with Jeanette
Wilson. Suggest removing these TOR from the policy document and replace with references to
availability on Intranet where mentioned.
Tasks
1. To review performance and risk management information monthly, in accordance
with the Performance Management Framework.
2. To review service business plans to ensure that appropriate performance
measures, indicators and targets have been set and to monitor progress on key
activities within the plans, which contribute to the delivery of the Corporate Plan.
3. To look at and consider value for money in delivery of projects and improvements
plans.
4. To review the risks identified in the service business plans to ensure that
appropriate action is taken to mitigate significant risks.
5. To review and update the strategic risk register on a quarterly basis.
6. To ensure the Council discharges its Health and Safety obligations and delivers an
agreed development programme.
7. To ensure that effective business continuity plans are established and
implemented and that the Council discharges its Civil Contingencies obligations.
8. To raise awareness and understanding of the importance of performance and risk
management amongst staff and Members.
9. To ensure that a corporate approach is taken to developing project management
by maintaining a current project management toolkit and supporting processes to
improve skills and techniques.
10. To establish project groups as required and agree and monitor detailed project
plans for the work of those groups.
11. To take appropriate action in response to external assessment of performance and
risk management, for example through the annual Direction of Travel statement or
audit of statutory performance indicators.
12. To review the Annual Governance Statement.
Document Information and Version Control
Document Name: Risk Management Policy and Framework
Document Description: The framework outlines responsibilities for managing risks and defines how risk management should be applied across the Council.
Document Status: Under Review
Lead Officer: Helen Thomas
Sponsor: Karen Sly
Produced by (service name): Policy and Performance
Relevant to the services listed or all NNDC: All
Approved by:
Approval date:
Type of document: Policy and Framework
Equality Impact Assessment details: Not required
Review interval: Every 2 years
Next review date:
Version history (Version, Originator, Date):
Version 1: Peter Gollop, August 2010
Version 1.01: Helen Thomas, 23 October 2015
Version 1.02: Helen Thomas, 09/11/2015
Version 1.03: Karen Sly, February 2016
Description including reason for changes:
Transferred to policy template
Marked up version showing out-of-date elements and suggested changes
Draft refresh presented to Audit Committee pending further review