Document 12928168

advertisement
Please Contact: Linda Yarham
Please email: linda.yarham@north-norfolk.gov.uk
Please Direct Dial on: 01263 516019
7 June 2013
A meeting of the Audit Committee of North Norfolk District Council will be held in the
Committee Room at the Council Offices, Holt Road, Cromer on Tuesday 18 June 2013 at
2.00 pm
Members of the public who wish to ask a question or speak on an agenda item are
requested to arrive at least 15 minutes before the start of the meeting. It will not always be
possible to accommodate requests after that time. This is to allow time for the Committee
Chair to rearrange the order of items on the agenda for the convenience of members of the
public. Further information on the procedure for public speaking can be obtained from
Democratic Services, Tel: 01263 516047, Email: democraticservices@north-norfolk.gov.uk
Sheila Oxtoby
Chief Executive
To: Mr N D Dixon, Mr B Jarvis, Mrs A Moore, Miss B Palmer, Mr R Reynolds and Mr D
Young
All other Members of the Council for information.
Members of the Management Team, appropriate Officers, Press and Public
If you have any special requirements in order to attend this meeting, please let us
know in advance
If you would like any document in large print, audio, Braille, alternative format or in a
different language please contact us
Chief Executive: Sheila Oxtoby
Strategic Directors: Nick Baker and Steve Blatch
Tel 01263 513811 Fax 01263 515042 Minicom 01263 516005
Email districtcouncil@north-norfolk.gov.uk Web site northnorfolk.org
AGENDA
1.
TO RECEIVE APOLOGIES FOR ABSENCE
2.
PUBLIC QUESTIONS
To receive public questions, if any
3.
ITEMS OF URGENT BUSINESS
To determine any items of business which the Chairman decides should be
considered as a matter of urgency pursuant to Section 100B(4)(b) of the Local
Government Act 1972.
4.
DECLARATIONS OF INTEREST
Members are asked at this stage to declare any interests that they may have in any
of the following items on the agenda. The Code of Conduct for Members requires
that declarations include the nature of the interest and whether it is a disclosable
pecuniary interest.
5.
(Page 1)
MINUTES
To approve as a correct record, the minutes of the meeting of the Audit Committee
held on 19 March 2013.
6.
AUDIT UPDATE AND ACTION LIST
(Page 6)
To monitor progress on items requiring action from the meeting of 19 March 2013,
including progress on implementation of audit recommendations.
7.
AUDIT COMMITTEE WORK PROGRAMME
(Page 7)
To review the Audit Committee Work Programme
8.
ANNUAL REVIEW OF THE EFFECTIVENESS OF INTERNAL AUDIT
(Appendix A – page 11; Appendix B – page 19)
Summary:
Conclusions:
(Page 8)
This report sets out the results of an annual review of
the effectiveness of Internal Audit, undertaken to
satisfy criteria in the Accounts and Audit Regulations
2011. Internal Audit’s performance and quality
assurance framework has been examined to enable the
Audit Committee to confirm whether Internal Audit
Services are effective, and that the assurances
provided in the Internal Audit Annual Report and
Opinion can be relied upon, and used to inform the
Council’s Annual Governance Statement for 2012/13.
The outcomes of the review are attached at Appendix
A.
The report seeks to demonstrate that due processes have
been followed in relation to conducting an annual review of
the effectiveness of Internal Audit, and on the basis of
information provided, it has been confirmed that reliance
can be placed on the opinions expressed by the Internal
Audit Consortium Manager, which can then be used to
inform the authority’s Annual Governance Statement.
Recommendations:
Cabinet member(s):
All
Contact Officer, telephone
number, and e-mail:
9.
It is recommended that the Committee note the findings of
the review, and the evidence gathered in support of the
effectiveness of the Internal Audit Service, and takes these
into consideration when receiving the Internal Audit
Consortium Manager’s Annual Report and Opinion, and
the Council’s Annual Governance Statement.
Ward(s) affected:
All
Sandra King, Internal Audit Consortium Manager
01508 533863, scking@s-norfolk.gov.uk
INTERNAL AUDIT CONSORTIUM MANAGER’S ANNUAL REPORT AND
OPINION FOR 2012/13 IN RESPECT OF NORTH NORFOLK DISTRICT COUNCIL
(Page 20)
(Appendix C – page 30; Appendix D – page 33; Appendix E – page 35; Appendix F
(exempt) – page 90; Appendix G – page 58; Appendix H – page 59; Appendix I –
page 61)
NB: Appendix F is exempt under Section 100A(4) of the Local Government Act 1972
as it involves the likely disclosure of exempt information as defined in paragraph 1 of
Part I of Schedule 12A (as amended) to the Act.
Summary:
This report has been developed to satisfy the
mandatory requirements of the new Public Sector
Internal Audit Standards (PSIAS), effective from 1 April
2013, and specifically Standard 2450, concerning the
provision of an annual audit opinion on the overall
adequacy and effectiveness of the organisation’s
framework of governance, risk management and
control, which, in turn, should be used to inform the
Council’s Annual Governance Statement.
The report also seeks to confirm compliance with the
Accounts and Audit (England) Regulations 2011,
whereby the Council is required to ‘undertake an
adequate and effective internal audit of its accounting
records and of its system of internal control in
accordance with the proper practices in relation to
internal control’. The standards for ‘proper practices’
for internal audit applying to 2012/13 were detailed in
CIPFA’s Code of Practice for Internal Audit in Local
Government in the United Kingdom (2006), although for
2013/14 onwards, the Code has been superseded by
consolidated Public Sector Internal Audit Standards.
To demonstrate that this authority has met its statutory
requirements, as recognised above, the Internal Audit
Consortium Manager has produced this Annual Report
and Opinion, drawing upon the outcomes of Internal
Audit work performed over the course of the year, to
formulate an opinion concerning the overall internal
control environment which has been operating at the
Council throughout 2012/13.
Conclusions:
Recommendations:
On the basis of Internal Audit work performed during
2012/13, the Internal Audit Consortium Manager is able to
give an adequate opinion to the organisation’s control
framework, an adequate opinion to the Council’s systems of
risk management and a good opinion regarding corporate
governance arrangements currently in place.
It is It ii It is recommended that the Committee:
1. Receive and consider the contents of the Annual
Report of the Internal Audit Consortium Manager.
2. Note that an adequate audit opinion has been given
in relation to the overall adequacy and effectiveness
of the organisation’s governance, risk and control
framework (i.e. control environment) for the year
ended 31 March 2013.
3. Note that good assurance has been awarded to
Corporate Governance provisions for the year
ended 31 March 2013.
4. Note that an adequate audit opinion has been
applied to systems of risk management for the year
ended 31 March 2013.
5. Note that the opinions expressed together with
significant matters arising from internal audit work
and contained within this report should be given due
consideration, when developing and reviewing the
Council’s Annual Governance Statement for
2012/13.
Cabinet member(s)
Wards:
Contact Officer, telephone
number, and e-mail:
10.
All
All
Sandra King, Internal Audit Consortium Manager
01508 533863
scking@s-norfolk.gov.uk
THE STATUS OF AGREED AUDIT RECOMMENDATIONS DUE FOR
IMPLEMENTATION BY 31 MARCH 2013
(Appendix J – page 67)
Summary:
(Page 63)
This report provides an overview of progress made in
implementing the agreed audit recommendations due
for completion by 31 March 2013.
Conclusions:
Good progress has been achieved in relation to the
completion of agreed Internal Audit recommendations.
Recommendations:
It is recommended that the Committee notes management
action taken to date regarding the implementation of audit
recommendations.
Cabinet member(s):
All
Contact Officer, telephone
number, and e-mail:
11.
Ward(s) affected:
All
Sandra King, Internal Audit Consortium Manager
01508 533863, scking@s-norfolk.gov.uk
CORPORATE RISK REGISTER
(Page 68)
To discuss the Corporate Risk Register.
Contact Officer, telephone number and email:
Karen Sly, 01263 516243, Karen.sly@north-norfolk.gov.uk
12.
(Page 82)
BUSINESS CONTINUITY
(Appendix K – page 85)
Summary:
Six monthly update on business continuity planning,
the progress made to date, ability to respond to any
disruptive events that have recently occurred and the
outline of future objectives.
Conclusions:
13.
Recommendations:
That members note the contents of the report.
Cabinet member(s):
All
Contact Officer, telephone
number, and e-mail:
Ward(s) affected:
All
Richard Cook
01263 516269
richard.cook@north-norfolk.gov.uk
IT STRATEGY GROUP MEETING MINUTES 26 MARCH 2013
(Page 88)
To note the minutes of the IT Strategy Group.
14.
EXCLUSION OF THE PRESS AND PUBLIC
To pass the following resolution, if necessary:
“That under Section 100A(4) of the Local Government Act 1972 the press and public
be excluded from the meeting for the following items of business on the grounds that
they involve the likely disclosure of exempt information as defined in
of Part I
of Schedule 12A (as amended) to the Act.”
Agenda item ___5
AUDIT COMMITTEE
Minutes of a meeting of the Audit Committee held on Tuesday 19 March 2013 in the
Committee Room, Council Offices, Holt Road, Cromer at 2.00 pm.
Members Present:
Committee:
Mr N D Dixon (Chairman)
Mrs A Moore
Mr R Reynolds
Mr B Jarvis
Miss B Palmer
Mr D Young
Officers in
Attendance:
The Head of Finance, the Head of Internal Audit, the Revenues and
Benefits Services Manager and the Democratic Services Officer (IV).
Also in
Attendance:
Julian Rickett, Aphrodite Antoniades (PriceWaterhouseCooper)
39. APOLOGIES
None received.
40. PUBLIC QUESTIONS
None received.
41. ITEMS OF URGENT BUSINESS
Although there were no items of urgent business, the Chairman reported upon informal
discussions held before the meeting, to help inform the way that the Committee moved
forward. In recognition of a shortfall identified in training and development, he had
discussed with the External Audit Engagement Leader the provision of a session to
widen the skills required by Audit Committee Members. He asked that Democratic
Services make arrangements for the scheduling of such a session.
42. DECLARATIONS OF INTEREST
None.
43. MINUTES
The Minutes of the meeting of the Audit Committee held on 04 December 2012 were
approved as a correct record.
On Minute 34: Progress on Internal Audit Activity, Mr D Young enquired as to progress
on the recruitment to the Procurement Officer vacancy. The Head of Financial Services
stated that, following an earlier unsuccessful attempt to recruit, the role had now been
incorporated into that of Chief Accountant. Interviews would be taking place in the next
week and Members would be updated at the next meeting.
Following the confirmation of the commitment to reinstate the ICT Strategy Group, as
mentioned under the same Minute, Mr Young asked whether the Group had met. The
Head of Finance said that the Group had not yet been set up. The Democratic Services
Officer undertook to look into this matter.
Audit Committee
1
19 March 2013
In reply to a question from Mr R Reynolds on the absence through sickness of a member
of staff referred to in Minute 36: Business Continuity, the Head of Finance reported that
the officer had now returned to work.
44. AUDIT UPDATE AND ACTION LIST
Members were updated on progress on actions arising from the minutes of the meeting
of 04 December 2012.
A revised version of the Constitution had been completed and recently published,
incorporating all agreed changes and details requiring amendment since the previous
edition. Mrs A Moore was disappointed that it had not been possible to produce this in
the loose-leaf format for which a preference had been expressed.
The Revenues and Benefits Services Manager reported on changes whereby the
Council’s fraud investigation officers would be merged with those of the Department of
Work and Pensions, prior to the introduction of universal credit. It was now understood
that this had been put back to April 2014. The Fraud Policy would need to be amended
to reflect the changes to Council Tax Benefits. A report would go to Cabinet in
September.
The Revenues and Benefits Services Manager gave a detailed progress report on data
merging proposed under the Shared Services Partnership and subsequent events. The
situation had previously been reported to the Overview and Scrutiny Committee. The
new software incorporated the integration of Council Tax, business rates, benefits and
workflow.
The original intention had been a merged database between North Norfolk and the
Borough of King’s Lynn and West Norfolk. Following conversion, there had been
technical difficulties accessing the data held at King’s Lynn. Given these issues,
backlogs at both authorities, coping with legislative changes and poor staff morale, it
had been agreed to delay the data merge until April/May 2013.
The technical problems of accessing the data had continued, impacting on performance
and staff morale problems. It had been agreed by the Steering Group and Partnership
Board that the data would have to be returned to Cromer. Data had been transferred
back in December for testing and then “live” (subject to further testing) in January.
Deadlines had been affected by the approaching annual billing process. The system now
operated in a stable and reliable environment, with the speed of operation,
performance and staff morale improving considerably. Benefits claims were now being
processed in 10-11 days, as opposed to 44 days. The year end had been challenging,
but Council tax bills and benefits statements had all been issued.
In thanking the Revenues and Benefits Services Manager for her report, the Chairman
asked whether she felt any lessons had been learned by the Council. In reply, the officer
stated that assurances had been given that the software would work; this was confirmed
by testing, but not supported when volume was applied. In reply to a question from Mr B
Jarvis, she added that this experience had not been discouraging; the need to be more
challenging had been taken on and had to be put into practice if similar projects were to
be undertaken.
Business Continuity was considered under a separate agenda item (see Minute 48
below).
Other actions had been completed as set out in the report.
Audit Committee
2
19 March 2013
45. CERTIFICATION REPORT (2011/12) – REPORT TO THOSE CHARGED WITH
GOVERNANCE
Julian Rickett, External Audit Engagement Leader, explained that the issue of the Annual
Certification report met an Audit Commission requirement. Certification work was carried
out by external auditors, effectively as agents for the Audit Commission, as a form of
assurance engagement in relation to bodies who made grants to local authorities; it
involved the application of prescribed tests in accordance with certification Instructions,
to give reasonable assurance that claims and returns were fairly stated and in
accordance with specified terms and conditions. He drew attention to claims and returns
certified, with qualifications, in respect of the Housing and Council Tax Benefits Scheme
and the National Non-Domestic Rates, and appendices covering the Management Action
Plan and Certification Fees.
`Mr D Young noted that, in both certified claims, the original and final values remained
constant. Mr Rickett confirmed that this meant that in each case the claim had been
accurate. In reply to a further question from Mr Young, Mr Rickett explained that the
statement on the possibility of a reduction of fees in certain circumstances (Appendix A)
was a standard comment; the areas shown where an authority’s performance could
possibly be improved was not an indication of any weakness on the part of North Norfolk
in these fields.
In reply to Mr R Reynolds, Mr Rickett stated that training for benefits assessors was
ongoing, as agreed in the management response to a recommendation on the Housing
and Council Tax Benefits Subsidy Claim. On the same subject, Mr Rickett confirmed that
the issue of non-compliance with all deadlines for the submission of claim forms had
been addressed.
RESOLVED
That the Certification Report for 2011/12 be accepted.
46. EXTERNAL AUDIT PLAN 2012/13
The External Audit Engagement Partner presented the Audit Plan, which had been
developed with the assistance of Council Members and Officers. He asked the
Committee to consider the proposed scope, whether Members were comfortable with the
audit risks and approach, to consider and respond to the matters relating to fraud and to
agree fees.
The section of the plan relating to Risk Assessment highlighted the two areas of
management override of controls and revenue recognition and the risk of fraud inherent
in both areas. He stressed that the identification of both as “Significant” risks applied to
organisations generally; risks classified as “Elevated” in these areas were also common
among authorities. In reply to a question from Mr Young, he commented that the Plan
contained little in the way of material changes and that the “Significant” and Elevated”
risks were the same as for the previous year.
Members noted that the proposed fees had decreased. Mr Rickett explained that this
was mainly due to changes in the Audit Commission’s billing arrangements.
The Committee expressed its satisfaction with the scope of the plan, the risks and the
general approach taken.
RESOLVED
Audit Committee
3
19 March 2013
1) That the External Audit Plan for 2012/13 be agreed
2) That the proposed audit fees for the year be approved.
47. INTERNAL AUDIT’S TERMS OF REFERENCE, PERFORMANCE INDICATORS,
CODE OF ETHICS, STRATEGY, AUDIT PLANS AND SUMMARY AUDIT
COVERAGE INFORMATION FOR 2013/14
The Head of Internal Audit explained that the report provided an overview of the stages
to be followed towards ensuring that the service met the requirements set out in the
Accounts and Audit Regulations 2011 and appropriate professional standards. The
report also aimed to clarify the links between the various documents presented for
approval to that end.
Current provisions mirrored CIPFA Code of Practice requirements. However, on 1 April
2013, new Public Sector Internal Audit Standards would be introduced. Detailed
guidance on the new standards would not be available before then and, once this had
been published, all aspects of service delivery and documentation would be reviewed
and updated as necessary.
It was known that the proposed Code of Ethics completely reflected the new standards.
The Audit Strategy included a rationalisation exercise which reduced standard times for
many tasks. The resultant savings were identified in the Strategic Audit Plan, which had
been prepared according to current conditions. Detailed consultation had taken place in
the preparation of the Annual Audit Plan, which would serve as the work programme for
the Council’s internal audit services contractor, Deloitte Public Sector Internal Audit Ltd.
The Summary of Internal Audit Coverage documentation provided a good overview and
a framework for the next year’s tasks; it gave service areas a good idea of where Internal
Audit would be concentrating its efforts, whilst at the same time allowing for flexibility.
The Map of Audit Assurances indicated how the controls worked.
Mr Young asked whether another audit was planned on the subject of ”Whistleblowing”
and also when the IT Network infrastructure would be looked at again. In reply, the Head
of Internal Audit said that the “Whistleblowing” problem had been rectified by the
production of a comprehensive policy; the Monitoring Officer had considered that what
had been required was an update of earlier material. The IT Network Infrastructure would
be looked at again in October.
The Chairman emphasised the importance of the documentation in setting the scene for
the coming year, bringing together Internal and External Audit, Management and the
Audit Committee. It was therefore essential that the Committee was satisfied that what
was eventually agreed represented a good approach with adequate coverage. The Head
of Internal Audit explained how Internal and External Audit worked closely together. The
Chairman recognised the benefit of this to the Council, as well as the value of the Head
of Internal Audit’s work with other organisations.
RESOLVED
That the following be approved:
Internal Audit’s Terms of Reference and Performance Indicators for 2013/14
Internal Audit’s Code of Ethics for 2013/14
Internal Audit Audit’s Strategy for 2013/14
Audit Committee
4
19 March 2013
The Strategic Audit Plan for 2013/14 to 2015/16
The Annual Audit Plan for 2013/14
The Summary of Internal Audit Coverage for 2013/14
48. BUSINESS CONTINUITY
The Civil Contingencies Manager had been unable to attend the meeting, but had
submitted a paper providing a six-monthly update on Business Continuity planning.
The Chairman reminded Members that this topic had given rise to concerns for some
time and there was still work to be done towards the production of a plan that would
ensure an agreed standard of continuity for business operations.
Members had some sympathy with the difficulties of co-ordinating the completion of
plans for all service areas. There was general agreement with the observation by Mr B
Jarvis that a third column in the chart attached to the agenda, setting target dates, would
be useful. Not only would this give the Committee forecasts for consideration, but also
assist the Civil Contingencies Manager in securing the necessary action. The Chairman
suggested that the Civil Contingencies Manager be asked to provide this information to
Members in advance of the June meeting, so that the Committee was in a position to
review the matter at that time.
RESOLVED
1) That the contents of the report be noted
2) That the Civil Contingencies Officer be asked to attend the next meeting and, in the
meantime, to provide forecast completion dates for the respective Business
Continuity documents.
49. AUDIT COMMITTEE WORK PROGRAMME
The Chairman referred to the Work Programme for the Committee up to December
2013, as set out in the agenda. He pointed out that the subject of Risk would now be
coming to the June meeting.
RESOLVED
To note the Work Programme.
The meeting ended at 3.30 pm.
______________________
Chairman
Audit Committee
5
19 March 2013
Agenda Item
6
AUDIT COMMITTEE 19 MARCH 2013 – ACTIONS ARISING FROM THE MINUTES
1. ICT Strategy
Group
A query had been raised regarding the reinstatement
of the ICT Strategy Group. This has now met and the
minutes are attached.
Democratic
Services
2. Constitution
A member had asked why the Constitution was not
issued in a loose-leaf format. This had been
considered but there was a cost implication and
there was also a concern that there would be a
reliance on all members to update their version as
soon as an amendment was issued. There was a
risk that potentially there could be several different
versions in circulation. The latest version would also
be on the website at all times so members could
always refer to that if necessary.
Democratic
Services
3. Business
Continuity
To attach an additional column to the chart setting
target dates for completion of service plans
Richard Cook
4. External Audit
training
To arrange a training session on external audit to
widen the skills of the committee.
Democratic Services has contacted Julian Rickett
and this has been set in process. Alison Ridley will
contact Democratic Services to discuss options,
timing and cost.
6
Democratic
Services
Agenda Item 7
AUDIT COMMITTEE WORK PROGRAMME 2013 - 2014
JUNE 2013
SEPTEMBER
2013
DECEMBER
2013
MARCH 2014
PWC
Internal Audit
Annual Review of
the Effectiveness
of Internal Audit
PWC 2012/13
Annual
Governance report
(ISA260)
Protocol for liaison
between internal
and external
auditors
External Audit
training for
Committee
Annual Audit
Letter (PWC)
Audit Plan (PWC)
Annual Grant
Certification Report
Quarterly
Summaries of
completed audits
Half yearly
progress
reports on the
overall
performance of
the audit
contract
Quarterly
Summaries of
completed audits –
not provided this
month as only one
report available.
Report on
follow-up work
Audit Plan
Annual Report
and Opinion
Status of agreed
actions
Undertake selfassessment
NNDC
Corporate Risk
Register/ risk
management
framework
Business
Continuity Plan
Review
Statement of
Accounts (+
informal training)
Business
Continuity
Business
Continuity
Business
Continuity Review
Monitoring
Officer’s Report
(deferred to
September)
Local Code of
Corporate
Governance and
Action Plan –
update
Annual
Governance
Statement 2012/13
– update
7
Corporate Risk
Register / risk
management
framework
Audit Committee
18 June 2013
Agenda Item No____8_______
Annual Review of the Effectiveness of Internal Audit for 2012/13
Summary:
This report sets out the results of an annual review of the
effectiveness of Internal Audit, undertaken to satisfy criteria in
the Accounts and Audit Regulations 2011.
Internal Audit’s
performance and quality assurance framework has been
examined to enable the Audit Committee to confirm whether
Internal Audit Services are effective, and that the assurances
provided in the Internal Audit Annual Report and Opinion can be
relied upon, and used to inform the Council’s Annual
Governance Statement for 2012/13.
The outcomes of the
review are attached at Appendix A.
Conclusions:
The report seeks to demonstrate that due processes have been
followed in relation to conducting an annual review of the
effectiveness of Internal Audit, and on the basis of information
provided, it has been confirmed that reliance can be placed on
the opinions expressed by the Internal Audit Consortium
Manager, which can then be used to inform the authority’s
Annual Governance Statement.
Recommendations:
It is recommended that the Committee note the findings of the
review, and the evidence gathered in support of the
effectiveness of the Internal Audit Service, and takes these into
consideration when receiving the Internal Audit Consortium
Manager’s Annual Report and Opinion, and the Council’s Annual
Governance Statement.
Cabinet member(s):
All
Contact
Officer,
number, and e-mail:
1.
1.1
Ward(s) affected:
All
telephone Sandra King, Internal Audit Consortium Manager
01508 533863, scking@s-norfolk.gov.uk
Background
CIPFA’s Statement on the Role of the Head of Internal Audit in Local
Government states that “the Head of Internal Audit occupies a critical position in
8
Audit Committee
18 June 2013
a local authority, helping it to achieve its objectives by giving assurance on its
internal control arrangements and playing a key role in promoting good
corporate governance”.
1.2
The Accounts and Audit Regulations 2011 further require that a Council the size
of North Norfolk must undertake an annual review of the effectiveness of its
internal audit function, and that this review be undertaken by the same body that
reviews the effectiveness of the system of internal control.
To assist this
process, Internal Audit working practices are required to comply with CIPFA’s
Code of Practice for Internal Audit in Local Government in the United Kingdom
(2006), although these arrangements are set to change from 2013/14 when new
consolidated Public Sector Internal Audit Standards (PSIAS) will replace
CIPFA’s Code of Practice. However, for the purposes of this effectiveness
review, the Code of Practice remains applicable and an assessment has been
undertaken to verify the level of compliance achieved during 2012/13, but it
should also be appreciated that steps are currently under way to migrate to the
new Standards in the new financial year.
1.3
The existing performance and quality assurance framework developed by the
Internal Audit Consortium Manager to ensure adherence to CIPFA’s Code of
Practice predominantly meets much of the newly introduced PSIAS
requirements, although they have also now created an obligation to arrange for
an external assessment of the effectiveness of internal audit at least once every
five years. The way in which external assessments should be conducted is
covered in PSIAS No.1312 and summarised at Appendix B to this report, to
give members early oversight regarding provisions that will need to be
developed in the future.
1.4
With reference to the 2012/13 review of the service’s effectiveness however,
members can be satisfied that the relevant assurances provided are reliable and
based upon a firm foundation, and that the service itself is operating effectively.
1.5
A summary of review outcomes are attached at Appendix A, and essentially
benchmark the service against a range of 8 measures, whilst additional
supporting information generated in the course of the review, has been supplied
to the Council’s Section 151 Officer to afford independent verification of the
detailed processes followed by the Internal Audit Consortium Manager as the
authority’s Head of Internal Audit.
2.
Conclusion
2.1
The outcomes of the Effectiveness Review confirm that Internal Audit:
Is delivering against its aims and objectives.
Is substantially complying with recognised good practice as specified in the
CIPFA Code of Practice for Internal Audit in Local Government and the CIPFA
Statement on the Role of the Head of Internal Audit in Public Service
Organisations.
Is meeting its internal quality standards.
Is supporting management in the monitoring and further development of the
Council’s
internal
control
environment,
making
practical
audit
recommendations and overseeing implementation of agreed actions.
9
Audit Committee
18 June 2013
Is continually looking at ways of improving service delivery, adding value
wherever possible.
Is working closely with its External Audit colleagues to ensure they can place
reliance on its work.
Is supporting the Audit Committee as it strives to be more effective.
These findings therefore indicate that reliance can be placed on the opinions
expressed by the Internal Audit Consortium Manager, which can then be used to
inform the Council’s Annual Governance Statement.
3.
Recommendation
3.1
The Committee is recommended to note the findings of the Annual Effectiveness
Review, and be assured that the opinions given in the Annual Report and
Opinion may be relied upon as a key source of evidence in the Council’s Annual
Governance Statement.
Appendices attached to this report:
Appendix A: Annual Review of the Effectiveness of Internal Audit
Appendix B: Public Sector Internal Audit Standards Requirements concerning External
Assessments of the Effectiveness of Internal Audit
10
Appendix A
Annual Review of the Effectiveness of Internal Audit
The Scope of this Review
This review is primarily about effectiveness, not process. In essence, the
need for the review is to ensure that the opinions expressed by the Internal
Audit Consortium Manager in the Annual Report may be relied upon as key
sources of evidence in the Annual Governance Statement.
In order for North Norfolk District Council to be able to place reliance on the opinions
contained within the Annual Report and Opinion, the Internal Audit Consortium
Manager (as the Council’s Head of Internal Audit) has in place a performance and
quality assurance framework to demonstrate that the Internal Audit Service is:
Meeting its aims and objectives.
Being compliant with the CIPFA Code of Practice for Internal Audit in Local
Government.
Being compliant with the CIPFA Statement on the Role of the Head of Internal
Audit in Public Service Organisations.
Meeting internal quality standards, confirmed through performance indicators and
post audit feedback received.
Putting forward practical audit recommendations that are agreed with senior
management and lead to ongoing improvements to the internal control
environment at the Council, as evidenced by the subsequent implementation of
agreed actions.
Continually seeking to improve service delivery whilst also adding value and
assisting the Council in meeting its objectives.
Producing work which the External Auditor is able to place reliance upon.
Supporting an effective Audit Committee.
Delivering the Aims and Objectives of Internal Audit
The aims and objectives of the Internal Audit Service are established in Internal
Audit’s Terms of Reference, Internal Audit’s Strategy, Annual Audit Needs
Assessment and Strategic and Annual Audit Plans, which are updated each year and
submitted to the Audit Committee for formal approval.
There are essentially three main objectives which drive service delivery:
Objectives
To provide an independent and
objective opinion to the organisation
on
the
control
environment
comprising risk management, control
and governance, by evaluating its
effectiveness
in
achieving
the
organisation’s objectives.
Means of delivery
In June each year, the Head of Internal
Audit provides an annual opinion on the
Council’s system of internal control, and
its
arrangements
for
corporate
governance and risk management.
Internal Audit’s Terms of Reference
(Section
5
–
Internal
Audit’s
Independence and Accountability) and
Code of Ethics explain how the Council’s
Internal Auditors are able to provide
independent and objective opinions in
relation to individual audit assignments
11
and when developing an overarching
annual opinion.
To carry out an examination of the The Internal Audit Strategy and Terms of
accounting, financial and other Reference demonstrate that Internal
operations of the Council.
Audit reviews the full range of operations
at the Council.
All planned audit
coverage is determined with the aid of a
risk
based
annual
audit
needs
assessment.
To assist management with the Through undertaking in-depth reviews of
prevention,
detection
and business operations, the Internal Audit
investigation of fraud and abuse.
Service
supports
management
in
minimising the risk of fraud and abuse.
In the course of 2012/13, the Council has
been additionally proactive in refreshing
its Whistleblowing Policy.
This
document firmly establishes the role of
the Head of Internal Audit in the
whistleblowing process.
It is further appreciated that the Counter
Fraud and Corruption Policy is currently
being
reassessed
for
ongoing
appropriateness by the Revenues and
Benefits Manager.
In the course of the financial year, the Internal Audit Consortium Manager) has had
regular progress meetings with the Head of Finance (Section 151 Officer) to discuss
the status of audit assignments featuring in the Annual Audit Plan and the quality of
service delivery generally, and to debate and agree Draft Audit Plans for the following
year, prior to their submission to Corporate Management Team and Corporate
Leadership Team for their acceptance, and then to the Audit Committee for formal
approval. There was also a need in year for the Internal Audit Consortium Manager
to be present at two Exit Meetings, where the outcomes of audit review work applying
to Council Tax & National Non Domestic Rates and Housing & Council Tax Benefits
were discussed with management.
The Head of Finance has also participated in 2 meetings of the Norfolk Internal Audit
Consortium held in September 2012 and January 2013. These meetings are used
to bring together Consortium members to review progress in relation to Annual Plans,
discuss the performance of the contractor as well as any client officer issues arising,
be appraised of any new developments/changes to working practices designed to
improve service delivery and consider the future arrangements for the Internal Audit
Service, when the contract with Deloitte & Touche Public Sector Internal Audit Ltd
expires at the end of September 2014.
12
Complying with CIPFA’s Code of Practice for Internal Audit in Local
Government
The CIPFA Code of Practice for Internal Audit in Local Government specifies the
standards for Internal Audit. In 2012/13, the Code of Practice self assessment
checklist, completed by the Head of Internal Audit and submitted to the Head of
Finance for independent validation, confirmed substantial compliance had been
achieved in relation to the 11 key criteria stated therein. There were two exceptions
where partial rather than full compliance was recognised.
The first of these items where a deviation was apparent concerned Internal Audit’s
rights of access to all records, assets, personnel and premises. In previous years,
the relevant rights of access have been acknowledged in the Council’s Financial
Regulations but following revisions to the Constitution in April 2011, these
requirements were inadvertently removed. The Internal Audit Consortium Manager
reported the oversight upon completing the 2011/12 review of Internal Audit’s
effectiveness and raised a request to re-instate these rights.
In the course of
conducting the 2012/13 review and examining the latest version of the Constitution, it
has been appreciated that these rights still fail to feature.
The Internal Audit
Consortium Manager has therefore contacted the Monitoring Officer regarding this
matter and has been assured that the appropriate clauses will be incorporated into
Financial Regulations without further delay using delegated powers to update them
accordingly.
The second aspect where partial compliance has been recorded relates to the
Committee’s review of its own remit and effectiveness. In this regard, it has been
appreciated that a self-assessment exercise was not performed during 2012/13,
although previously, there had been annual scrutiny of terms of reference and
operational arrangements. The Chair of the Audit Committee has been made aware
of the situation and upon reviewing the Committee’s work plan has organised for this
important analysis of provisions to take place in September 2013.
Complying with CIPFA’s Statement on the Role of the Head of Internal Audit in
Local Government
This Statement sets out the 5 principles that define the core activities and behaviours
that apply to the role of the Head of Internal Audit, and the organisational
arrangements to support them. The Head of Internal Audit needs to:
Champion best practice in governance, objectively assessing the adequacy of
governance and management of risks, commenting on responses to
emerging risks and proposed developments;
Give an objective and evidence based opinion on all aspects of governance,
risk management and internal control;
Undertake regular and open engagement across the authority, particularly
with the Leadership Team and with the Audit Committee;
Lead and direct an Internal Audit Service that is resourced to be fit for
purpose;
Be professionally qualified and suitably experienced.
Each principle has associated requirements (59 in total) to demonstrate how they
should be employed in practice. The Internal Audit Service has been benchmarked
against these criteria. Two aspects were not applicable based on the current service
delivery model in place, but aside from these, the Internal Audit Consortium Manager
13
was able to satisfy 56 of the 57 remaining elements. The one aspect where there
was a departure from stated requirements applied to unfettered rights of access for
Internal Audit to all papers and people in the organisation. This deviation was also
an issue when examining compliance against CIPFA’s Code of Practice for Internal
Audit. However, the Monitoring Officer is in the process of resolving this matter.
To assist Internal Audit in delivering an appropriately informed service to the Council,
it has been additionally concluded that:
Internal Audit will continue to look to the Section 151 Officer for updates
about third party assurers undertaking work on behalf of the authority (with
a view to Internal Audit placing reliance on this work, wherever possible and
avoiding unnecessary duplication of work).
Internal Audit will maintain close ties with senior management regarding
counter fraud measures in place at the Council, developed to minimise the
risk of fraud and abuse, and will provide support for special investigations
and the further development of the Counter Fraud and Corruption Policy, as
required.
N.B. The detailed assessment of the Internal Audit Consortium Manager’s
compliance with the key governance requirements and core responsibilities as
specified in the CIPFA Statement has been forwarded to the Head of Finance for
independent scrutiny and verification.
Quality Standards applying to the Internal Audit Service
The Internal Audit Service is benchmarked against a number of performance
indicators as agreed by the Audit Committee within the Terms of Reference for
Internal Audit. Actual performance against these targets is outlined within the table
below and overleaf:
Indicator
% of audit
recommendations
accepted
% of high priority
recommendations
implemented
Days between
issue of audit brief
and fieldwork
commencing
Target
2012/13
Performance
95%
2011/12
Performance
96%
100%
Not
applicable
100%
More
than 10
days
(average)
9.63
21.18
100%
38%
82%
90%
14
Comment
This continues to
exceed target.
There were no high
priority
recommendations in
2012/13 requiring
action.
Audit briefs are issued
ahead of audit fieldwork
commencing on-site but
the lead-in time involved
has varied significantly
during 2012/13 from 2 to
17 working days, which
has then averaged out
at 9.63 days. Hence,
there has been a
marked reduction in
performance in this
area, compared with the
previous year.
Indicator
Number of days
between expected
fieldwork
completion and
actual
0 days
2012/13
Performance
5.9
100%
44%
53%
Number of days
between
completion of audit
fieldwork and draft
report issue
10 days
or less
(average)
18.7
11.1
100%
38%
47%
Number of days
between issue of
draft and final
reports
15 days
or less
(average)
19.3
15.3
100%
25 days
or less
(average)
63%
38.0
71%
26.4
100%
44%
59%
Adequate
(4 out of
6)
Adequate
(4.77)
Good
(5.15)
Number of days
between
completion of
fieldwork and final
report issue
Average score
given to audit
feedback
Target
2011/12
Performance
1.3
Comment
This provides another
example where
performance has
noticeably dipped,
whereby finish dates for
concluding fieldwork are
not being met on every
occasion.
After significant efforts
by the contractor in
2011/12 to bring down
timeframes for turning
around draft reports, the
time taken has
increased once again,
and is almost double the
targeted time stipulated.
Performance has also
dropped here in terms of
converting draft to final
audit reports.
This is a further area
where performance has
failed to meet the
targeted timescale set.
The time taken has
lapsed back to the level
of performance being
reported in 2010/11.
Client satisfaction has
detiorated slightly,
although we are still
receiving positive
feedback within targeted
average scores
required.
The table clearly shows that the performance of the Internal Audit Services contractor
has dropped in 2012/13, compared with the preceding 12-month period.
After
considerable efforts during 2011/12 to improve service delivery, performance
standards in a number of areas have detiorated again and in some cases, are now
significantly adrift of targeted requirements, although the percentage of audit
recommendations agreed with management has remained at a consistently high
level, surpassing the target set in this area; there have been no high priority audit
recommendations requiring action in year, and post audit feedback has been positive
albeit the average score now equates to an adequate whereas previously, a good
assessment had been obtained.
The timescales for completing audits is where performance monitoring information
has indicated that there are fundamental issues which will need to be properly
addressed in 2013/14.
With reference to the formal circulation of audit briefs in advance of commencing
fieldwork, there were occasions where the Internal Audit Services contractor was
15
responsible for the short lead-in times, or, it was determined that the Christmas
holidays had delayed progress with the confirmation of audit scopes. Conversely,
there had been a late request from management to broaden the scope of one
particular review, and this, in turn, had led to an amended brief being circulated at
short notice, whilst another brief had been subject to late issue as the Deloitte
auditors had been obliged to wait for input from a client officer who had been
approached to give a steer to the focus of review work.
Once audit assignments were under way, there were then situations where some
audit fieldwork overran, and in the majority of these cases, Deloittes’ internal review
processes to quality assure the work of junior staff were largely responsible for the
delays incurred. Deloittes’ clearance of Audit Management Team review points also
led to instances where fieldwork took longer than first expected. There was one
review where management intervention impacted on timeframes involved, and this
had been due to receipt of a request to expand the scope of the planned review
which additionally led to a corresponding lengthening of the fieldwork to
accommodate the extra work sought. Gaining access to key personnel and records
to inform audit testing also contributed to problems delivering fieldwork on time, and
finally there was one other occasion where an audit could not be progressed as first
envisaged because it relied on two other pieces of work being finalised before linked
audit testing work could be completed.
The late progression of draft audit reports was predominantly due to the delayed
finalisation of audit fieldwork and clearance of further review points raised by either
Deloittes’ Field Manager, Deloittes’ internal review processes or the Audit
Management Team.
As for unsatisfactory timeframes between draft and final audit reports, these were
largely due to the late receipt of management responses; needing to obtain greater
clarity regarding aspects of management responses or having to factor in Exit
Meetings which led to the development of revised draft reports then forwarded to
management for their comment and clearance before final reports could be
produced.
In view of the issues highlighted above adversely affecting the progress of audits, in
the course of the last quarter of the year, the Audit Management Team has worked
closely with both management and Deloittes to ensure that the Annual Audit Plan
was finished in sufficient time to provide an Annual Report and Opinion based on
completed assignments. Moreover, a Workshop between the Audit Management
Team and Deloittes has now been organised in July 2013 (and the Head of Finance
has also been invited to attend), which will be revisiting audit working practices and
exploring how improvements to performance can be secured in 2013/14.
Strengthening the Council’s Systems of Internal Control
Our work has confirmed that assurance levels for individual audits carried out in
2012/13 were resoundingly positive, with 4% receiving a good assurance and 88% an adequate assurance.
The remaining 8% were awarded limited assurances.
The previous financial year, 18.75% of assurances were good, 56.25% were
adequate and 25% were limited, thus the internal control environment is clearly
improving year-on-year.
This year, after giving a succession of adequate audit opinions to Corporate
Governance arrangements, we have been able to award a good assurance.
16
Moreover, where adequate assurances have been prevalent in relation to other areas
audited, it was noted that the systems of internal control in respect of Leisure
Complexes has improved since our last visit, with the opinion progressing from a
limited to an adequate assurance. On the other hand, our scrutiny of Council Tax
and National Non Domestic Rates, and Housing and Council Tax Benefits during
2012/13 resulted in limited audit opinions. The background to these audits and the
contributing factors to the assurance levels subsequently given are explored in more
depth in the Annual Report and Opinion, but in terms of this effectiveness review, it is
noted that previously, these areas had received adequate audit opinions.
The
shared service partnership arrangement for the provision of Revenues and Benefits
Services with the Borough Council of Kings Lynn and West Norfolk and the initial
transfer of data to a new jointly procured Revenues and Benefits system from Civica
have clearly had an impact on and contributed to the change in the internal control
environment.
Our year end review of audit recommendations has also indicated that when
comparing the last 6 months of this financial year with the same period in the
preceding year, the number of recommendations has fractionally increased from 83
to 84, but more significantly, the number of completed and/or superseded
recommendations has improved immensely from 34.9% to 85.7%.
Moreover, as
mentioned previously within the section on Quality Standards applying to the Internal
Audit Service, there were no high priority recommendations requiring implementation
within the year.
All of these findings suggest that Internal Audit work has been supporting the further
development of the Council’s internal control environment and management have
been extremely co-operative in accepting audit recommendations which had been
designed to enhance existing provisions, and then arranging for their subsequent
implementation.
Improving Service Delivery and Adding Value
We constantly strive to improve the Internal Audit Service, with reference to the way
we operate and the quality of our outputs, and in the pursuit of this ethos, during the
year, we have redeveloped our audit brief and reporting templates, to improve the
approach taken to the scoping of projects and communication of audit findings,
together with submitting greater justification for audit opinions given. Furthermore,
we now require Deloittes to provide us with individual opinions on core financial
systems, when carrying out work to support the preparation of the Annual
Governance Statement.
The continuing production of Audit Newsletters over the course of the year and our
ongoing membership of the Norfolk Chief Auditors Group – an excellent forum where
we are able to network with our peers, discuss developments within the sphere of
auditing and share best practice, further represent additional ways in which we seek
to add value for our clients.
Finally, another key marker of our willingness to demonstrate added value has been
the flexibility we have been able to show with regards to the Annual Audit Plan, i.e.
deferring planned work to enable more constructive reviews to be carried out at a
later date within the current year, e.g. Audit Nos. NN/13/07 Council Tax and National
Non Domestic Rates, NN/13/08 Payroll and Human Resources, NN/13/09 Housing
and Council Tax Benefits, NN/13/10 Exchequer Services – Creditors etc, NN/13/15
17
Data Centre, Back Up and Disaster Recovery, and NN/13/16 ABS eFinancials
Application.
External Audit’s Reliance on Internal Audit’s Work
We continue to work closely with the Council’s External Auditors to deliver an
effective and efficient audit function, and as a consequence, have regular meetings
and periodic emails/telephone exchanges with our External Audit colleagues to
discuss progress with the Annual Audit Plan, plus any key findings and issues arising
from our work. Added to this, in September 2012, we agreed and presented to the
Audit Committee a Protocol for Liaison between Internal and External Auditors for
2012/13.
It is further appreciated that when External Audit presented their Audit Plan for
2012/13 to the Audit Committee on 19 March 2013, it was recorded in their audit
approach that ‘we aim to rely on the work done by internal audit wherever this is
appropriate. We will ensure that a continuous dialogue is maintained with internal
audit throughout the year. We receive copies of all relevant internal audit reports,
allowing us to understand the impact of their findings on our planned audit approach’.
Supporting an Effective Audit Committee
The Internal Audit Consortium Manager and Deputy Audit Manager have had
considerable contact with members of the Audit Committee throughout the year,
providing a presence at all scheduled Committee meetings, and have taken part in
private discussions, as well as Pre Agenda meetings convened, whilst also
consistently contributing to Committee agendas with reports on the outcomes of
Internal Audit work carried out at the authority.
In addition to the above, the Audit Committee periodically takes responsibility for
reviewing its own remit and effectiveness. In the past, as mentioned already, the
Committee has followed an annual self assessment programme but there has been a
departure from this cycle of input during 2012/13, although the Action Plan arising
from the 2011/12 exercise and presented to the Audit Committee in March 2012, has
been progressed in year. Following recent discussions with the Chair of the Audit
Committee, it has been agreed that the checklist attaching to the IPF publication: ‘A
Toolkit for Local Authority Audit Committees’ will be revisited by members in
September 2013. In the meantime, however, it is noted that the 4 key actions
arising from the last review have developed thus far:
Member training sessions have been and are continuing to be provided, with
arrangements currently being finalised with the External Auditors for the next
session planned.
Active steps are being taken to enhance the Council’s counter fraud
framework representing the Council’s response to the risk of fraud, in so far
as the Whistleblowing Policy has been refreshed and the Counter Fraud and
Corruption Policy is about to be re-examined.
Private discussions between the Chair of the Audit Committee, the Internal
Audit Consortium Manager and the External Audit Manager now take place
on a regular basis.
A mechanism now exists by which the performance of the External Auditors is
examined, i.e. customer satisfaction surveys are completed.
18
Appendix B
Additional Requirements specified by the Public Sector Internal Audit
Standards (PSIAS) concerning External Assessments of the Effectiveness of
Internal Audit
1. The requirement for an external assessment to be carried out at least once
every 5 years may be satisfied by either arranging for a ‘full’ external
assessment or by undertaking a self-assessment with independent validation.
2. PSIAS 1312 states that the Head of Internal Audit must discuss the format of
the external assessments with the Audit Committee and therefore the Head of
Internal Audit will have to consider the pros and cons for each type of external
assessment before presenting the outcomes of such a deliberation to the
Audit Committee.
3. If a local authority Head of Internal Audit elects to carry out a validated selfassessment, CIPFA’s Local Government Application Note is recommended
for externally validated self-assessments although other available checklists
may be used to inform the process.
4. An independent person or team must be sourced to validate that selfassessment in order to meet the requirements set out in the PSIAS that
arrangements are put in place to avoid conflict of interest and impairment to
objectivity.
5. In ascertaining whether the external assessor or assessment team are
appropriately qualified to carry out the full assessment or independent
external validation of the self-assessment, it is key that the two areas of
competence as set out in the PSIAS are met. This is particularly important
where a system of peer review is set up to provide the external assessment.
6. Although it is possible that a local authority’s external auditor may be
appropriately independent to act as the external assessor or assessment
team, the reviews that may already be carried out by the external auditor for
placing reliance on the work of the internal audit activity, for example, do not
automatically correspond with the requirements laid out in the PSIAS and
CIPFA’s Local Government Application Note.
7. The Head of Internal Audit must also set out, and discuss with senior
management and the Audit Committee, the qualifications and independence
of the external assessor or assessment team in accordance with both the
main standard and the public sector requirement which go into detail on how
an external assessor or assessment team should demonstrate their
competence.
8. The public sector requirement mandates that local authorities must find an
appropriate sponsor and suggests that this could be another officer within the
organisation (for example the Chief Finance Officer or Chief Executive
Officer).
This is intended to further safeguard the independence of the
external assessment process.
19
Audit Committee
18 June 2013
Agenda Item No_____9_______
Internal Audit Consortium Manager’s Annual Report and Opinion for 2012/13 in
respect of North Norfolk District Council
Summary:
This report has been developed to satisfy the mandatory
requirements of the new Public Sector Internal Audit Standards
(PSIAS), effective from 1 April 2013, and specifically Standard
2450, concerning the provision of an annual audit opinion on the
overall adequacy and effectiveness of the organisation’s
framework of governance, risk management and control, which,
in turn, should be used to inform the Council’s Annual
Governance Statement.
The report also seeks to confirm compliance with the Accounts
and Audit (England) Regulations 2011, whereby the Council is
required to ‘undertake an adequate and effective internal audit of
its accounting records and of its system of internal control in
accordance with the proper practices in relation to internal
control’. The standards for ‘proper practices’ for internal audit
applying to 2012/13 were detailed in CIPFA’s Code of Practice
for Internal Audit in Local Government in the United Kingdom
(2006), although for 2013/14 onwards, the Code has been
superseded by consolidated Public Sector Internal Audit
Standards.
To demonstrate that this authority has met its statutory
requirements, as recognised above, the Internal Audit
Consortium Manager has produced this Annual Report and
Opinion, drawing upon the outcomes of Internal Audit work
performed over the course of the year, to formulate an opinion
concerning the overall internal control environment which has
been operating at the Council throughout 2012/13.
Conclusions:
On the basis of Internal Audit work performed during 2012/13,
the Internal Audit Consortium Manager is able to give an
adequate opinion to the organisation’s control framework, an
adequate opinion to the Council’s systems of risk management
and a good opinion regarding corporate governance
arrangements currently in place.
20
Audit Committee
18 June 2013
Recommendations:
It is It ii It is recommended that the Committee:
1. Receive and consider the contents of the Annual Report
of the Internal Audit Consortium Manager.
2. Note that an adequate audit opinion has been given in
relation to the overall adequacy and effectiveness of the
organisation’s governance, risk and control framework
(i.e. control environment) for the year ended 31 March
2013.
3. Note that good assurance has been awarded to
Corporate Governance provisions for the year ended 31
March 2013.
4. Note that an adequate audit opinion has been applied to
systems of risk management for the year ended 31
March 2013.
5. Note that the opinions expressed together with significant
matters arising from internal audit work and contained
within this report should be given due consideration,
when developing and reviewing the Council’s Annual
Governance Statement for 2012/13.
Cabinet member(s)
Wards:
Contact
Officer,
telephone number,
and e-mail:
All
All
Sandra King, Internal Audit Consortium Manager
01508 533863
scking@s-norfolk.gov.uk
1.
Background
1.1
Public Sector Internal Audit Standards, which came into force from 1 April 2013, have
effectively replaced CIPFA’s Code of Practice for Internal Audit in Local Government
in the United Kingdom (2006). The new Standards are very similar to the old Code of
Practice in terms of year end Internal Audit reporting requirements, in so far as:
 An annual opinion should be generated which concludes on the overall adequacy
and effectiveness of the organisation’s framework of governance, risk
management and control;
 A summary of the work that supports the opinion should be submitted;
 Reliance placed on other assurance providers should be recognised;
 Any qualifications to that opinion, together with the reason for qualification must
be provided;
 There should be disclosure of any impairments or restriction to the scope of the
opinion;
 There should be a comparison of actual audit work undertaken with planned work;
 The performance of internal audit against its performance measures and targets
should be summarised; and,
 Any other issues considered relevant to the Annual Governance Statement should
be recorded.
1.2
In addition, a Commentary on compliance with new Standards must now be
prepared in much the same way as the extent of compliance achieved against the
21
Audit Committee
18 June 2013
CIPFA Code of Practice had to be documented (although for the purposes of this
report, when looking back over 2012/13 – delivery of Internal Audit provisions
against the old Code of Practice remains applicable).
1.3
It is further appreciated that a continuing need remains to communicate the results
of the Internal Audit quality assurance and improvement programme (QAIP) and
any progress made against any improvement plans resulting from the QAIP.
1.4
The new Standards also have extra year end reporting obligations, namely the risk
or control framework or other criteria used as a basis for the overall audit opinion
must be identified.
1.5
This report therefore seeks to address the key items specified above, where
appropriate, although recognising that some aspects are covered in additional
reports, e.g. an evaluation of the performance of the Internal Audit Service is subject
to separate reporting, and will feature in a report headed up ‘Annual Review of the
Effectiveness of Internal Audit for 2012/13’, whereas the conclusions of audit follow
up work are covered in a further report entitled ‘Status of Audit Recommendations
due for Implementation by 31 March 2013’.
1.6
When considering this report and its attaching opinions, the statements made
therein should be viewed as key items which need to be used to inform the
organisation’s Annual Governance Statement, but there are also a number of other
important sources to which the Audit Committee and statutory officers of the Council
should be looking to gain assurance.
Moreover, in the course of developing
overarching audit opinions for the authority, it should be noted that the assurances
provided here, can never be absolute and therefore, only reasonable assurance can
be provided that there are no major weaknesses in the processes subject to internal
audit review. The annual opinion is thus subject to inherent limitations (covering
both the control environment and the assurance over controls) and these are
examined more fully at Appendix I.
2.
Internal Audit Service Provisions and Costs
2.1
The Internal Audit Service arrangements at North Norfolk District Council have
remained unchanged in relation to 2012/13, in so far as the Internal Audit
Consortium Manager and Deputy Audit Manager at South Norfolk Council have
continued to be responsible for managing the delivery of the Internal Audit Service
to the organisation and controlling the work of Deloitte and Touche Public Sector
Internal Audit Ltd, which is contracted to deliver the programme of work as detailed
in the Annual Audit Plan.
2.2
All work performed on behalf of North Norfolk District Council has been undertaken
in accordance with Internal Audit’s approved Terms of Reference for 2012/13. The
Internal Audit Service is essentially an assurance function that provides an
independent and objective opinion to the organisation on the control environment
comprising risk management, control and governance, by evaluating its
effectiveness in achieving the organisation’s objectives.
This is achieved by
Internal Audit objectively examining, evaluating and reporting on the adequacy of
the control environment as a contribution to the proper, economic, efficient and
effective use of resources.
22
Audit Committee
2.3
18 June 2013
The work of Internal Audit during 2012/13 has been determined by a risk based
Audit Plan. The priorities of the Annual Audit Plan have been consistent with the
Council’s priorities/corporate objectives, whilst also taking into account the
authority’s risk management framework and the relative risk maturity of the
organisation. Added to this, the Plan has been regularly reviewed throughout the
year to ensure that it has been continually responsive to the changing needs of the
Council. For example, if priorities have altered, organisational restructures have
taken place or existing risks have subsequently escalated, diminished, disappeared
or been overtaken by other emerging risks, the Plan has been revisited and its
constituent audits reassessed, resulting in the rescheduling of work to a later stage
in the financial year, the scope of the audit being redeveloped or review work being
deferred to the following year. The extent of revisions needing to be made to the
2012/13 Plan, and what triggered them, are considered at Section 6 of this report.
3.
Internal Audit Service Provisions and Costs
3.1
To ensure full transparency of the service, this report contains information about the
costs associated with the provision of the Internal Audit function to the Council,
identifying input by the Internal Audit Services contractor to undertake the planned
audit assignments and any ad-hoc work requested, and the level of support
administered by the Audit Management Team to oversee all aspects of the service
provision to officers and members. The cost of the service compared with the
previous year is shown below:
Nature of the work
2011/12
2012/13
Cost of the planned work (Deloitte & Touche
Public Sector Internal Audit Ltd – the Internal
Audit Services contractor)
£62,410
£67,479
Cost of managing the service and supplying
additional investigative support (South Norfolk
Council)
£31,411
£34,377
Cost of additional work by Deloitte & Touche
Public Sector Internal Audit Ltd
£6,336
£1,992
£100,157
£103,848
TOTAL COST
3.2
Internal Audit costs have increased by 3.7% compared with the previous year. This
has been due to an expanded Internal Audit Plan being delivered in 2012/13, i.e.
231.6 days compared with 217 days in 2011/12. All additional days were at the
specific request of management and the adjustments required to the Plan can be
found itemised within Section 6 of this report.
3.3
The 2012/13 Audit Plan was originally approved by the Audit Committee on 6 March
2012 and to date, has been the subject of two Progress Reports covering the period
1 April to 12 November 2012. These reports were considered by members on 18
September and 4 December 2012. The Activity Reports essentially outlined the
then status of audit assignments and provided copies of management summaries
relating to completed reviews. This Annual Report now reflects on the audit work
processed between 13 November 2012 and 22 May 2013, the latter being the date
that the Annual Audit Plan was subsequently completed. This report also takes into
account the assurance levels awarded to those audits finalised prior to 13
23
Audit Committee
18 June 2013
November 2012, given that the annual opinion is required to draw upon the
outcomes of all internal audit review work carried out in the course of the year.
4.
Opinion of the Internal Audit Consortium Manager on the Overall Adequacy
and Effectiveness of the Organisation’s Governance, Risk and Control
Framework
4.1
In order to give the Council an overall opinion on its control environment, the
Internal Audit Consortium Manager as the organisation’s Head of Audit has revisited
the assurance levels given to individual audit assignments throughout the year,
relating to both financial and non financial systems. These are summarised below
for management and member information.
Nature of System
Financial
Non Financial
Assurance Level Awarded
Adequate
Limited
Good
Adequate
Total
Assurance Level Awarded
Good
Adequate
Limited
No. of Areas
evaluated
1
22
2
25
No. of Areas
evaluated
9
2
1
13
25
% Applicable
4%
88%
8%
100%
4.2
All planned work completed is itemised at Appendix C. An analysis of the internal
control environment and how it has been developing over the last 5 years is
attached at Appendix H, whilst definitions of our assurance levels are explained at
Appendix G.
Essentially, good and adequate assurances are positive audit
opinions, with limited and unsatisfactory assurances equating to negative audit
opinions.
4.3
This year, it should also be appreciated that, although a joint audit of Corporate
Governance and Risk Management arrangements was performed, 2 separate audit
opinions were extracted, which are analysed in more detail in paragraphs 4.5 and 5.1
of the report. Further, a change of methodology was applied to work carried out to
support the preparation of the Annual Governance Statement. This coincided with
the unveiling of a new reporting template aimed at generating more meaningful
information on systems of internal control for management and members alike, such
that separate audit opinions are now provided by the Internal Audit Services
contractor in respect of those areas subject to high level key control testing. Hence
the level of assurances available has increased dramatically this year compared with
previously. A total of 16 planned reviews would have been expected to generate 15
audit opinions for the authority, but instead, revised arrangements have led to a more
insightful 25 assurances being produced in relation to those audit assignments
completed in the course of 2012/13.
4.4
On the basis of the audit work undertaken in 2012/13, it is my opinion that an
adequate assurance can be applied to the overall adequacy and effectiveness
of the organisation’s governance, risk and control framework (i.e. control
24
Audit Committee
18 June 2013
environment) for the year ended 31 March 2013. As can be seen in the tables at
paragraph 4.1 above, 92% of audits have received positive assurance levels, with an
adequate opinion expressed in the majority of cases with reference to individual
systems of internal control and key control testing subject to audit scrutiny. On one
occasion, operational provisions have actually mirrored best practice and merited
receipt of good assurance in consequence. The position in respect of 2012/13
represents a noticeable improvement on 2011/12, which boasted 75% of assurances
awarded in year being either good or adequate.
4.5
The good assurance given in 2012/13 was following examination of Corporate
Governance arrangements.
The Management Summary for the Corporate
Governance and Risk Management audit is included at Appendix E (6) and more
focus on this positive assessment is given in Section 5 of the report.
4.6
The table of individual audit opinions at paragraph 4.1 also confirms that there have
been 2 audits where less favourable limited assurances have been issued. These
represent significant issues for noting in the Council’s Annual Governance Statement
and concern Council Tax and National Non-Domestic Rates (Audit No. NN/13/07)
and Housing and Council Tax Benefit (Audit No. NN/13/09).
The respective
management summaries for these audits are included at Appendices E (1) and E
(3). When auditing the Revenues and Benefits systems, we found evidence that the
control environment had been compromised during systems migration to the new
CIVICA application, which had been jointly procured with the Borough Council of
Kings Lynn and West Norfolk.
4.7
A total of 4 fundamental financial systems have been audited in-depth during
2012/13, with a further 6 areas subject to high level key control testing. Eight of
these generated positive assurances. Conversely, as already alluded to above,
review work pertaining to Council Tax and National Non-Domestic Rates and
Housing and Council Tax Benefit resulted in limited/negative assurances being
awarded and 13 audit recommendations being raised, one of which carried a high
priority rating. This related specifically to Housing and Council Tax Benefit and
concerned the processing of new claims and changes of circumstances.
Management have disputed the high priority rating and despite providing us with
additional processing information which we have used to update our findings and
recommendation, we have been unable to revise the original rating given. This
situation is a highly unusual one and although our Terms of Reference ensure that
we present rejected recommendations to members, we feel on this occasion, it is
also appropriate to submit details of the debate with management regarding the
rejected rating.
Thus, the relevant details within the Action Plan for Audit No.
NN/13/09 pertaining to the high priority recommendation have also been incorporated
into Appendix E (3) for members’ noting. Management have confirmed that work is
currently in progress to address the control weakness reported. In view of the high
priority rating assessment attaching to this recommendation, this particular item also
requires separate acknowledgement in the Council’s Annual Governance Statement
for 2012/13.
4.8
As previously discussed, we perform additional key controls testing work in year,
which focuses on those fundamental financial systems that were not otherwise
subject to detailed audit evaluation in the 12-month period. Our work here is
necessary to further inform the Internal Audit Consortium Manager’s annual opinion,
support the preparation of the organisation’s Annual Governance Statement and
assist External Audit in their work. Upon completion of requisite testing this year, we
25
Audit Committee
18 June 2013
have raised 2 audit recommendations with medium priority ratings.
The
Management Summary for this particular piece of work is located at Appendix E (5).
4.9
In respect of the Council’s non-financial systems, upon completion of these audit
assignments we are pleased to report that all 14 areas examined were in receipt of
satisfactory levels of assurance (with one, namely Corporate Governance achieving
good assurance) compared with 76.9% achieved in 2011/12.
4.10
As mentioned already at paragraph 1.5, we provide a separate report to the Audit
Committee on the implementation of audit recommendations. This report effectively
confirms that the Council has made considerable advances in terms of progressing
audit recommendations over the course of the financial year. An impressive 103
agreed recommendations were implemented, and at 31 March 2013, we recorded
just 11 recommendations as outstanding and 1 recommendation where we had not
received management feedback and thus were unable to confirm its current status.
This is a huge improvement on the position we reported as at 31 March 2012 and
demonstrates good commitment and co-operation on the part of management to
improve the organisation’s internal control environment. There were also no high
priority recommendations needing to be actioned in year, which further enforces the
strength of the systems of internal control in operation at the authority.
As
recognised earlier, there is one high priority recommendation arising from a recently
finalised audit of Housing and Council Tax Benefit, which requires management
input, however, we have already been advised that extra resources have been
allocated to deal with this problem which is speedily being resolved.
5.
Corporate Governance and Risk Management
5.1
An internal audit review of Corporate Governance and Risk Management provisions
was undertaken in the final quarter of the financial year. On the basis of findings
made in these two areas, we have applied a good opinion to Corporate Governance,
recognising that these arrangements have been enhanced since our previous visit,
whilst in the case of Risk Management, the assurance level remains adequate. The
Management Summary included at Appendix E (6) elaborates as to the basis for the
opinions given and a flavour of the audit recommendations put forward.
5.2
It should also be noted at this juncture that, in the future, North Norfolk District
Council’s Corporate Governance and Risk Management arrangements will be
reviewed on a 2-yearly cycle, thus moving away from annual scrutiny. This revision
to the frequency of such audits has been directly influenced by the previous track
record of positive assurances awarded in these areas.
6.
Review of Audit Work delivered in 2012/13 compared with the Annual Audit
Plan approved on 6 March 2012
6.1
The table overleaf shows in summary the audit coverage that was originally planned,
where it has proved necessary to revise audit input in year and then compared
amended planned days with those actually delivered, whilst a more detailed overview
can be found at Appendix C, highlighting when audit assignments were completed
and the Management Summaries extracted from the final audit reports were
submitted to the Audit Committee for member noting.
26
Audit Committee
Description
Days originally
planned for
2012/13
Revised
planned
days for
2012/13
Actual
days
delivered
in
2012/13
% of Revised
Planned
Work
Delivered
Systems audit
169
175
175
100%
Computer audit
43
38
38
100%
Extra work –
Systems audit
2.5
2.5
100%
Ad-hoc
Investigative
Work
16.1
16.1
100%
231.6
231.6
100%
Total
6.2
18 June 2013
212
The Annual Audit Plan has been adjusted to accommodate both the rescheduling of
assignments and alterations to audit input/coverage agreed with management. The
two Progress Reports developed earlier in the year explained changes required up
to 12 November 2012. Since that time, there have been two further adjustments
whereby an extra day had to be added to the job budget for Corporate Governance
and Risk Management, and 16.1 days were channelled into 2 reviews linked to a
complaint received by the Council. All amendments are recorded below to afford
an overview of modifications duly actioned, whilst their overall impact on the Plan is
effectively documented at Appendix C:
The job budget for the Property Services review (Audit No. NN/13/01) was
increased from 14 to 19 days to enable additional scrutiny of the Measured
Term Contract for the provision of coastal repairs and other minor coastal
works.
An extra 2.5 days was required to analyse data verification and governance
arrangements pertaining to the Revenues and Benefits Shared Services
Partnership.
The job budgets for 2 computer audits focusing on Cash Receipting (Audit
No. NN/13/13) and Project Management (Audit No. NN/13/14) were
collectively commuted by 5 days at the request of management.
Consequently, the scope of review work had to be redefined given the
reduced number of days then available to carry out evaluations of provisions
in place.
The Corporate Governance and Risk Management job budget was increased
from 9 to 10 days to take on board extra elements sought by management
and the Chair of the Audit Committee, involving an analysis of arrangements
post the recent management restructure and to give attention to the way in
which Committees are operating at the authority.
Upon receipt of a complaint, Internal Audit was called upon to carry out
investigative work which was undertaken in 2 stages and incurred 16.1 days
of input.
27
Audit Committee
18 June 2013
The modifications listed above resulted in a combined 19.6 days being added to the
approved Audit Plan for 2012/13.
6.3
As to the actual outcomes of audit work undertaken over the preceding 12 months,
members will recall that to date, a total of 8 Management Summaries and a
Summary Letter have already been reviewed and debated by Committee following
receipt of 2 previous Internal Audit Activity Reports submitted by the Internal Audit
Consortium Manager. Appendices D (1), E (1)-(7) and F (Exempt) are now
attached, to provide the Management Summaries and Briefing Note in respect of
the remaining 9 pieces of work finalised since early December 2012.
7.
Effectiveness of Internal Audit
7.1
As mentioned previously, elsewhere on this Committee agenda is a report setting
out the results of our end of year review of the effectiveness of the Internal Audit
Service. This includes:
The performance of the Internal Audit Service contractor;
The degree of compliance with the Code of Practice for Internal Audit in
Local Government;
The degree of compliance with CIPFA’s Statement on the Head of Internal
Audit; and,
The level of compliance being achieved in respect of other quality assurance
measures for the service.
8.
Conclusion
8.1
The Internal Audit Consortium Manager’s report should be treated as a key source
of evidence for the Council when preparing its Annual Governance Statement for
2012/13, and primarily provides independent assurance that internal control and risk
management systems are adequate, corporate governance arrangements are good,
and in the event of any significant control weaknesses being identified during audit
work, these matters are brought to management’s attention and action plans
developed to address issues found. As such, the Committee should therefore be
mindful of the contents of this report when subsequently reviewing the Council’s
Annual Governance Statement.
9.
Recommendation
9.1
The Committee is asked to note the Internal Audit Consortium Manager’s Annual
Report and the opinions contained therein, which should be used to inform the
development and subsequent agreement of the Council’s Annual Governance
Statement.
Appendices attached to this report:
Appendix C: Review Work delivered in accordance with the Annual Audit Plan 2012/13 plus AdHoc Work requested by Management
Appendix D: Old Style Management Summary in respect of Completed Audit Assignment
Appendix D (1) NN/13/05 Partnerships
28
Audit Committee
18 June 2013
Appendix E: New Style Management Summaries in respect of Completed Audit
Assignments
Appendix E (1) NN/13/07 Council Tax and National Non-Domestic Rates
Appendix E (2) NN/13/08 Payroll and Human Resources
Appendix E (3) NN/13/09 Housing and Council Tax Benefit
Appendix E (4) NN/13/10 Exchequer Services
Appendix E (5) NN/13/11 Work to Support the Preparation of the Annual Governance Statement
Appendix E (6) NN/13/12 Corporate Governance and Risk Management
Appendix E (7) NN/13/16 ABS eFinancials Application
Appendix F:
Private and Confidential Briefing Note
Appendix G: Norfolk Internal Audit Consortium Definitions / Categories of Audit Opinions relating
to Individual Audit Assignments
Appendix H:
Appendix I:
Levels of Assurance awarded from 2008/09 onwards
Limitations and Responsibilities
29
Appendix C
Review Work delivered in accordance with the Annual Audit Plan for 2012/13 plus Ad-Hoc Work requested by Management
Frequency of
Audit Coverage
Original Days
Planned
Revised
Days
Planned
Days
Delivered
Scheduling
PLANNED SYSTEMS AUDIT WORK
NN/13/01
Property Services
3-yearly
14
19
19
May
NN/13/02
Strategic Housing and Homelessness
2-yearly
15
15
15
July
NN/13/03
3-yearly
10
10
10
July
NN/13/04
Corporate Policy, Planning and
Performance Management
Procurement
3-yearly
12
12
12
August
NN/13/05
Partnerships
3-yearly
7
7
7
NN/13/06
Leisure Complexes, Sports, Arts and
Entertainment, Pier Pavilion
3-yearly
10
10
10
NN/13/07
Council Tax and NNDR
2-yearly
20
20
20
NN/13/08
Payroll and Human Resources
2-yearly
19
19
19
NN/13/09
Housing Benefit CTB
2-yearly
20
20
20
NN/13/10
Exchequer Services - Creditors etc
2-yearly
15
15
15
NN/13/11
Work to support the AGS
Annually
10
10
10
Audit No.
Description of Audit
Fixed Assets
General Ledger
Debtors
Treasury Management - Investments /
Loans
Budgetary Control
Car Parks Income
Assurance Framework
Status
Assurance
Level
applicable
Summary Report
Details presented to
Members
Complete
Final Report issued 10 August 2012
Complete
Final Report issued 10 August 2012
Complete
Final Report issued 23 August 2012
Complete
Final Report issued 9 November 2012
Adequate
Audit Committee
18 September 2012
Audit Committee
18 September 2012
Audit Committee
18 September 2012
Audit Committee
4 December 2012
September
October
September
Complete
Final Report issued 15 January 2013
Complete
Final Report issued 12 November 2012
Adequate
October
November
November
January
November
early
December
Complete
Final Report issued 21 May 2013
Complete
Final Report issued 4 April 2013
Complete
Final Report issued 22 May 2013
December
January
January
Complete
Final Report issued 9 April 2013
Complete
Final Report issued 21 May 2013
Adequate
Adequate
Adequate
Adequate
Limited
Adequate
Limited
Adequate
See below
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
30
Audit Committee
18 June 2013
Audit Committee
4 December 2012
Audit Committee
18 June 2013
Audit Committee
18 June 2013
Audit Committee
18 June 2013
Audit Committee
18 June 2013
Audit Committee
18 June 2013
Audit No.
NN/13/12
Description of Audit
Corporate Governance
Frequency of
Audit Coverage
Original Days
Planned
Annually
9
Revised
Days
Planned
10
Days
Delivered
Scheduling
10
February
Status
Complete
Final Report issued 15 May 2013
Risk Management
Systems Audit Follow Up
TOTAL PLANNED SYSTEMS AUDIT WORK
PLANNED COMPUTER AUDIT WORK
NN/13/13
Cash Receipting Application
Assurance
Level
applicable
Good
Adequate
Annually
Summary Report
Details presented to
Members
Audit Committee
18 June 2013
Audit Committee
18 June 2013
8
169
8
175
8
175
100%
2 x 6-monthly validation
Ad-hoc request
10
8
8
August
Complete
Final Report issued 12 November 2012
Adequate
Audit Committee
4 December 2012
NN/13/14
Project Management
3-yearly
10
7
7
August
Complete
Final report issued 28 September 2012
Adequate
Audit Committee
4 December 2012
NN/13/15
Data Centre, Back Up, Disaster
Recovery
3-yearly
10
10
10
September
July
Complete
Final report issued 12 September 2012
Adequate
Audit Committee
4 December 2012
NN/13/16
Cedar Financial Application
3-yearly
9
9
9
Adequate
Audit Committee
18 June 2013
Annually
4
43
4
38
4
38
100%
212
213
213
100%
Computer Audit Follow Up
TOTAL PLANNED COMPUTER AUDIT WORK
TOTAL PLANNED WORK
31
October
Complete
Late February Final Report issued 26 April 2013
2 x 6-monthly validation
Description of Audit
Audit No.
EXTRA WORK REQUESTED
NN/13/17
Revenue and Benefits Partnership - Data
Transfer, Governance and Risk
Frequency of
Audit Coverage
Original Days
Planned
Revised
Days
Planned
Days
Delivered
Ad-hoc request
0
2.5
2.5
Scheduling
Status
Phase 1 June
Job budget originally 14 days to cover 2
reviews.
Phase 1 - 2.5 days - Letter produced 13
July 2012.
Assurance
Level
applicable
Summary Report
Details presented to
Members
Phase 1 - Not
Applicable
Phase 1 - summary of
Letter contents to Audit
Committee
18 September 2012
Phase 2 - Phase 2 - 11.5 days - It has
September / subsequently been agreed with
October
management to defer this work to
2013/14 due to problems experienced
with the data merging process. The
work has thus been been rescheduled
to April/May 2013.
NN/13/18
Complaint received - First Stage Review
Ad-hoc request
0
3
3
NN/13/19
Complaint received - Second Stage
Review
Ad-hoc request
0
13.1
13.1
0
18.6
18.6
100%
212
231.6
231.6
100%
TOTAL OF EXTRA WORK UNDERTAKEN
GRAND WORK TOTAL
32
AugustSeptember
Briefing note produced and preparatory
work undertaken to investigate further
November to Audit Report and Briefing Note
March
produced by Audit Management Team
N/A
N/A
Briefing Note to Audit
Committee
18 June 2013
Old Style Management Summary in respect of Completed Audit Assignment
Appendix D (1)
Report No. NN/13/05 Final Report issued 15 January 2013
Audit Report on Partnerships
Audit Opinion
Adequate Assurance given
Rationale supporting award of opinion
The audit work carried out by Internal Audit indicated that:
While there is a basically sound system of internal control, there are weaknesses, which
put some of the client’s objectives at risk.
There is evidence that the level of non-compliance with some of the control processes
may put some of the client’s objectives at risk.
This opinion results
recommendations.
from
having
raised
two
medium
and
two
low
priority
The direction of travel shows an improvement in the level of assurance provided from the
previous audit (NN/10/02, issued October 2009) which received ‘limited’ assurance.
Summary of Findings
Policy and Procedure
As part of the audit testing was undertaken in relation to two partnerships; the Museums Service
(made up of the Norfolk Museums and Archaeology Service at a countywide level and the North
Norfolk Museums Forum at a district level) and the North Norfolk Fisheries Local Action Group
(FLAG).
Objectives of partnerships are to link to corporate objectives. Both partnerships were found to
support the objectives of the Corporate Plan.
A Partnership Framework (the framework) has been drafted however has not been completed.
The framework is to be passed to Performance and Risk Management Board for further review.
An estimated date of completion of the framework could not been provided. The framework is to
set down the Council’s approach and procedures over partnership arrangements.
The draft framework sets down the requirement to produce a register of partnerships. We were
advised by the Head of Finance that a register is not in place although there are only three
partnerships with the Council.
Governance
Terms of reference are in place for both of the partnerships reviewed. Service level agreements
had been produced between the Council and the relevant partnering authorities, however the
agreement between the Council and the Norfolk Museums and Archaeology Service had not
been signed or subject to documented agreement by both parties over responsibilities and
services to be provided.
33
Strategies are in place for the two partnerships tested. For the museums partnership, strategic
direction is considered within the meetings of the local partnership group and the Norfolk
Museums and Archaeology service within Norfolk. For the North Norfolk FLAG, strategies had
been defined at the outset of the project. Bodies set up allow for the monitoring of progress
against these strategies.
Governance structures are in place for the two partnerships tested. These allow for monitoring of
progress and performance. The FLAG Project structure, in particular, contains a structure which
allows for a number of levels of monitoring and decision making.
Monitoring, including Risk Management
Bodies have been set up for the monitoring of progress and performance of partnerships with
clear terms of reference set out. Risks are considered within partnership meetings.
Financial controls are in place over the release of funds with authorisation made. An annual fee
of £45,500 is made for the museums partnership, however the service agreement between the
Council and the Norfolk Museums and Archaeology Service states that the fee should be £45,000
and we were advised by the Leisure and Cultural Services Manager that no amendments had
been made. A £50,000 loan was made to the North Norfolk Business Forum for the FLAG
project.
The following number of recommendations has been raised:
Area of Scope
Adequacy
and
Effectiveness
Assessments
Adequacy
of
Controls
Effectiveness
of Controls
Recommendations
Raised
High
Medium
Low
Policy and
Procedure
Amber
Amber
0
1
1
Governance
Amber
Amber
0
1
0
Monitoring,
including Risk
Management
Green
Amber
0
0
1
0
2
2
Total
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit
Management Responses
Management have accepted the recommendations raised.
34
New Style Management Summaries in respect of Completed Audit Assignments
Appendix E (1)
Report No. NN13/07 – Final Report issued 21 May 2013
Audit Report on Council Tax and National Non-Domestic Rates
Assurance Opinion
Unsatisfactory
Assurance
Limited Assurance
Adequate
Assurance
Good Assurance
Rationale supporting the award of the opinion
In order to provide appropriate context to our rationale, it is noted that during 2012/13, North
Norfolk District Council entered into a shared service partnership arrangement for the
provision of Revenues and Benefits Services with the Borough Council of Kings Lynn and
West Norfolk (BCKLWN).
All existing data was transferred to a new, jointly procured
Revenues and Benefits system from CIVICA, with IT services being hosted by BCKLWN.
th
th
Data migration took place on 28 May 2012 but then had to be transferred back on 13 and
th
14 January 2013 following recommendations by the partnership Steering group in response
to significant operational issues arising.
There is evidence that the control environment has been compromised during systems
migration, with controls that had been confirmed to be adequate and effective during the
previous audit (NN/11/07– final report issued April 2011) having lapsed during the 2012/13
financial year.
The opinion results from the fact that six medium and two low priority recommendations have
been raised. This includes one medium priority recommendation over controls for the
treatment of retrospective voids. This area was not included in the original brief but was
subsequently covered due to an issue raised at another Deloitte client, which was considered
as being significant to warrant inclusion of this area in this audit in order to prevent the risk of
potential fraud. Despite this, we did not undertake any specific testing nor were we made
aware of any particular issues by management relating to this Council.
Issues have also been raised over controls relating to credit balances, refunds, discounts,
exemptions and reliefs, suppression of debt recovery and write offs. In addition it was not
possible to carry out full audit testing in relation to credit balances, refunds and write offs due
to the lack of controls in place.
It was noted that controls had lapsed in relation to timeliness of issuing bills in relation to
amended accounts between April 2012 and September 2012. However, testing of the more
recent months of October 2012 and December 2012 have confirmed that the issues have
since been rectified and we therefore do not regard it necessary to incorporate a
recommendation focusing on this matter, within our current audit report.
The consequences of the systems migration have also adversely impacted on auditor input in
terms of access to information being supported by the old (prior to May 2012) and new
th
systems (from 28 May 2012). Furthermore, some issues that we initially noted during the
course of our fieldwork, were subsequently addressed prior to formally reporting our findings,
and this then led to a need to further update the draft audit report, supporting working papers
and test schedules.
st
It is also acknowledged that since receipt of the final information provided to audit on 1
February 2013, that management has taken steps in the areas reported upon in the findings
of this report to improve controls. At the time of reporting, management has indicated that
action has been taken to address issues relating to three of the six medium priority rated
recommendations and one of the two low priority recommendations. We will be verifying
implementation of these recommendations and any further action taken, in the course
of our audit follow up work later in the year.
35
Positive Findings
We found that the Council has demonstrated areas where sound controls are in place and
operating consistently, in particular:
Suspense accounts are subject to regular review and monitored on a regular basis.
Performance information and collection rates are monitored against target rates and
NNDR is currently above targeted percentages.
Returned cheques and rejected direct debits are recorded and are correctly actioned
Control weaknesses to be addressed
No high priority recommendations have been raised as a result of this audit
During our work we have identified the following key areas where we believe that the
processes / arrangements within North Norfolk Council would benefit from being
strengthened, and as a result of these findings medium priority recommendations have been
made.
Reconciliation of refunds to the general ledger was not undertaken between April
2012 and September 2012.
There are no controls in place with regards to the independent checking of discounts,
exemptions and reliefs, including retrospective void reliefs.
Arrears reports regarding monitoring and collection of outstanding debts were not
produced from May 2012 to January 2013. Outstanding amounts were monitored
through „Reminders‟ and „Summons‟ reports instead although these controls do not
fully mitigate the risks of debts being held in abeyance unnecessarily.
Suppression reports for CT were not produced from May 2012 to October 2012 due
to the recent system restructuring.
Write-offs have not been processed for CT since May 2012. Regarding NNDR, 188
cases of greater than £25 are pending Senior Management‟s authorisation.
Summary of the adequacy and effectiveness of controls
Area of Scope
Adequacy
and
Effectiveness
Assessments
Valuation and Billing
Billing
Collection of Income
Suspense Account
Reconciliation to the
General Ledger
Refunds and Transfers
Discounts, Exemptions
and Reliefs
Arrears Recovery
Writs Offs
IT Security
Adequacy
of
Controls
Effectiveness
of Controls
Green
Green
Green
Green
Green
Green
Amber
Green
High
0
0
0
0
Medium
0
0
0
0
Low
0
0
1
0
Green
Amber
0
1
0
Green
Amber
0
1*
0
Amber
Amber
0
3
0
Green
Green
Green
Amber
Amber
Green
0
0
0
0
1
0
1
0
0
0
6
2
Total
Recommendations
Raised
*- The assurance level in this area also takes account of recommendations relating to the
Collection of Income and the Reconciliaiton to the General Ledger.
Management Responses
Management have accepted the recommendations raised and by the time of reporting to
Committee, had given assurances that 4 recommendations (2 medium and 2 low) had been
implemented. We will be verifying this position in the course of our next round of audit follow
up work.
36
Appendix E (2)
Report No. NN13/08 – Final Report issued 4 April 2013
Audit Report on Payroll and Human Resources
Assurance Opinion
Unsatisfactory
Assurance
Limited Assurance
Adequate
Assurance
Good Assurance
Rationale supporting the award of the opinion
The audit work carried out indicated that there is basically a sound system of internal control
within Payroll and HR, however there are weaknesses that can be addressed through the
recommendations raised, which will mitigate risks further.
The opinion results from the fact that two medium and three low priority recommendations
have been raised, which has reduced the assurance level from the previous audit.
Issues have been raised over controls relating to updating policy and procedures, staff
verification checks, performance management, completion of expense claim forms, and
mobile phones issued to staff for business use.
Additionally, it was not possible to carry out audit testing across the financial year in relation
to amendments made to payroll records, due to the lack of system reports available.
At the time of the audit there was also no guidance or agreement in place for staff in relation
to mobile phones. A draft 'Agreement for a Work Funded Mobile Phone or Device' has been
created, and the IT Manager and Head of Organisational Development are currently
consulting other department leads for suggestions and improvements.
Positive Findings
We found that the Council has demonstrated the following points of good practice as
identified in this review and we will be sharing details of these operational provisions with
other member authorities in the Consortium:
A spreadsheet of CRB and DBS checks is in place, which shows when each check
was conducted, and these are re-performed after three years have elapsed in order
to confirm that staff are still eligible.
It is also acknowledged there are areas where sound controls are in place and operating
consistently:
All new starters and leavers documentation sampled was in place, complete and had
been updated on the system in a timely manner.
All sampled amendments made by the Payroll Officer were found to have been
checked by another member of the team through examination of the supporting
documentation against the change as implemented on the Payroll system, and is
signed off and dated by the performing officer.
The access rights of system users sampled on the Resourcelink payroll system were
found to be up to date.
Staff and managers are required to check all expense claims submitted and to
confirm by signature that the details on each claim are correct. Line managers are
also required to confirm that all staff using cars for Council business have the
appropriate licence, insurance, MOT and vehicle excise duty documentation in place.
37
Control weaknesses to be addressed
No high priority recommendations have been raised as a result of this audit.
During our work we have identified the following key areas where we believe that the
processes within the Council could be improved or would benefit from being operated more
effectively, and as a result of these findings one medium priority recommendation has been
made:
A review of mobile phone contract, issuance, billing, and returns management and
controls has not been scheduled. This review is necessary in order to investigate
potential solutions to known issues in this area that have previously been identified by
the IT Manager, including cost management and administration, contractual
obligations and service levels received, lack of central electronic records of mobile
phones issued to staff, and lack of approved corporate guidance and user
agreements for mobile usage.
A further four low priority recommendations have also been made to address minor control
weaknesses.
Summary of the adequacy and effectiveness of controls
Area of Scope
Adequacy and
Effectiveness
Assessments
Policies and
Procedures
Starters and
Leavers
Deductions and
Changes to
Payroll Records
Payments and
Financial
Records
HR and
Organisational
Development
Officers‟
Expenses
Use of Mobile
Phones
Adequacy
of
Controls
Effectiveness
of Controls
Recommendations
Raised
High
Medium
Low
Green
Amber
0
0
1
Green
Green
0
0
0
Green
Green
0
0
0
Green
Green
0
0
0
Green
Amber
0
0
2
Green
Amber
0
0
1
Green
Amber
0
1
0
0
1
4
Total
38
Management Responses
Management have disagreed with one recommendations made – see below for further
details.
Policy and Procedures (Recommendation 1 – Low Priority Rating)
Policies and procedures relating to payroll should be reviewed on a regular basis and updated
as required. The version history record should be updated with the date of review.
Recommendation developed from following Finding
The version history for payroll processing procedures documents that these have not been
subject to review since August 2011. Management advised that the procedures have been
subject to review, but not annotated to provide evidence as such.
Rationale supporting this Recommendation
Reviewing policies and procedures on a regular basis helps to confirm they are up to date,
accurate and contain any new information that has arisen since the documents were last
updated.
Management Response
This recommendation is not accepted as discussed with the auditor on site. Where changes
to procedures take place, the appropriate documents are amended on the system. It was
explained that unless changes take place, we do not periodically check and print off
procedure notes simply to update the version history. When changes need to be made, they
are made otherwise we know the procedure notes are correct. This would not be a good use
of our time and does not add anything to the process.
Audit Comment
We acknowledge management‟s comments although consider version control to be good
practice so as to prevent the stated risks from materialising.
39
Appendix E (3)
Report No. NN13/09 – Final Report issued 22 May 2013
Audit Report on Housing and Council Tax Benefit
Assurance Opinion
Unsatisfactory
Assurance
Limited Assurance
Adequate
Assurance
Good Assurance
Rationale supporting the award of the opinion
In order to provide appropriate context to our rationale, it is noted that during 2012/13, NNDC
entered into a shared service partnership arrangement for the provision of Revenues and
Benefits Services with BCKL&WN.
All existing data was transferred to a new, jointly
procured Revenues and Benefits system from Civica, with IT services being hosted by
th
BCKL&WN. Data migration took place on 28 May 2012 although had to be transferred back
th
th
on 13 and 14 January 2013 following recommendations by the partnership Steering Group
in response to significant operational issues arising.
There is evidence that the control environment has been compromised during systems
migration, with several controls that had been confirmed as adequate and effective during
2010/11 as per the previous audit in this area (NN/11/09 final report issued April 2011) having
subsequently lapsed during 2012/13.
This opinion results from the fact that one high and four medium priority recommendations
have been raised. Weaknesses resulting in a high priority recommendation have been
identified regarding the processing of new claims and amendments to existing claims. At the
time of the audit, scrutiny of management information generated in December 2012 confirmed
that 1,464 cases remained outstanding. We do acknowledge however that previous
management information extracted in October 2012 had identified 5,172 outstanding cases.
This though compares to a weekly average for new claims and changes of 948 for the period
th
th
26 March 2012 to 6 May 2012 when the old Civica system was closed down prior to data
conversion. This is in relation to a local target of 20 days for processing new claims and
seven days for processing changes of circumstances. The outturn figures for the whole of
2012/13 were 30 days for new claims and 18 days for processing changes.
Issues have also been identified regarding the lack of regular review and prompt processing
of items in suspense and identifying and processing cases for write-off, the lack of restricted
access for members of staff who have declared personal interests in existing claims and the
timeliness in the processing of appeals and reconsiderations.
As a consequence of the new partnership working arrangements with BCKL&WN, it was
noted that monitoring of outstanding overpayment reports had not been regularly undertaken
since the end of May 2012 when the new Civica system was introduced. One report was
rd
produced on 23 November 2012, in order to monitor and process all the outstanding
overpayments since April 2012. However, through top up testing completed as part of our
audit on the work to support the preparation of the Annual Governance Statement (AGS) –
(NN/13/11), we established that reports had been produced and details checked thereafter as
confirmed through sight of the reports for January and February 2013. We therefore do not
regard it necessary to incorporate a recommendation focusing on this matter, within our
current audit report.
The consequences of the systems migration have also adversely impacted on auditor input in
terms of access to information being supported by the old (prior to May 2012) and new
th
systems (from 28 May 2012). Furthermore, some issues that we initially noted during the
course of our fieldwork, were subsequently addressed prior to formally reporting our findings,
40
and this then led to a need to further update the draft audit report, supporting working papers
and test schedules.
Positive Findings
We found that the Council has demonstrated areas where sound controls are in place and
operating consistently, in particular:
Up to date procedures for housing and council tax benefit are in place and reflect
current legislative practice and are communicated to staff
Staff training takes into account issues arising from the quality control processes. We
th
nd
also noted that that due to the system migration in May 2012, from 24 May to 2
September 2012 instead of a 4% check the Council performed a 20% check in order
to secure a smooth transition into the new system and minimise any associated risks.
Applications are securely received with documentary evidence present to support the
accuracy and validity of new applications and changes in circumstances. There is
also consistency between the electronic document system and the benefits system.
Backdated applications are processed and paid in line with legislative requirements
and / or where good cause is demonstrated and supported with documentary
evidence.
Discretionary payments are based on applications received with supporting evidence
with segregation of duty between the processing and authorising of payments.
Control weaknesses to be addressed
During our work we have identified the following key areas where we believe that the
processes / arrangements within NNNDC would benefit from being strengthened, and as a
result of these findings one high priority recommendation has been made.
High priority recommendation:
Data from the weekly workflow reports for the period April 2012 to December 2012
showed a significant amount of outstanding cases regarding new claims and
amendments pending to be processed.
Four medium priority recommendations have also been made.
Delays in clearing the suspense account were noted with 42 items dated between
April 2012 and January 2013, totalling £2,991.66, to be resolved at the time of our
review. This included one item dated July 2012 and two further items from October
2012.
Monthly write-off reports were found not to be consistently produced between April
2012 and December 2012 with only one report produced in October 2012.
Declaration forms, for staff declaring a personal interest in specific benefit claims,
have been completed. However, those completed since November 2012 had not
been processed on Civica, in order to restrict the levels of access to those accounts
declared.
Appeals have not been processed in a timely manner as a consequence of the recent
Council restructuring and the development of the partnership arrangement with
BCKL&WN. Furthermore, since April 2012, there had been 35 reconsiderations. We
examined 10 and found that eight took more than a month to resolve.
41
Summary of the adequacy and effectiveness of controls
Area of Scope
Adequacy and
Effectiveness
Assessments
Procedures
and Legislation
Receipt of
Applications
Assessment of
Applications
Payment of
Housing
Benefit
Overpayments,
Arrears and
Write Offs
Fraud and
Interventions
Backdated
Claims
Discretionary
Claims
Appeals
Adequacy
of
Controls
Effectiveness
of Controls
Recommendations
Raised
High
Medium
Low
Green
Green
0
0
0
Green
Green
0
0
0
Green
Red
1
0
0
Green
Amber
0
1
0
Green
Amber
0
1
0
Amber
Amber
0
1
0
Green
Green
0
0
0
Green
Green
0
0
0
Green
Amber
0
1
0
1
4
0
Total
Management Responses
Management have accepted the recommendations raised, but disputed the high priority rating
attaching to our recommendation that new claims and amendments should be dealt with
promptly, requesting that it be changed to a medium rating. Extra information was submitted
by management in support of revising the rating but in our professional judgement, there was
not appropriate grounds for redefining the priority level applied. An extract from the Audit
Report‟s Action Plan is duly attached to provide more information on this matter.
With reference to the delivery of the agreed audit recommendations, management have
specified that the 4 medium priority recommendations have been delivered by the time of
presenting this management summary to Committee and that further work is ongoing
regarding the high priority recommendation. We will be verifying this position in the course of
our next round of audit follow up work.
42
3
Action Plan for NN/13/09 Housing and Council Tax Benefit
Assessment of Applications
Recommendation 1 – New claims and amendments should be dealt with promptly
No.
Finding and Risk
Recommendation and
Rationale
Priority
Management response and action
Deadline and
responsibility
1.
Finding – As a
consequence of the
new
partnership
working arrangements
with
BCKL&WN,
significant increases in
processing new claims
and
changes
to
circumstances
were
noted.
From
the
report produced on 9th
December 2012, the
number of outstanding
cases for both new
claims
and
amendments
was
1,464.
Recommendation – New
claims and amendments
should be processed in a
timely manner, in particular
within set targets wherever
possible. If targets are not
being
achieved
then
management should take
the necessary actions to
address the reasons for not
doing so.
High
Strongly disagree with this rating.
The outstanding cases as at Dec 12 was 1464 however the
report reads as if these cases had been outstanding since
April 12 which was not the position. The introduction
acknowledges that since Oct 12 to Dec 12 there had been a
substantial improvement – during the life of this audit.
However this is not reflected in this rating. Processing times
for the year were new claims 30 days and change of circs
18 days. Below are the processing times for the other LAS
in Norfolk.
Work in progress
– 30/06/13
We acknowledge that
this
figure
had
decreased significantly
from the 5,172 cases
reported as at week
th
ending 7
October
2012.
This compares to a
Rationale – Regular and
timely processing of new
applications
and/or
amendments for Housing
and Council Tax Benefits
will help to confirm that the
Council applies the social
strategy it has set in place,
provides applicants with
appropriate
levels
of
housing benefit in a timely
manner and in so doing,
meets the targets set in
relation to the payment of
LA
New Claims
Changes
Broadland
28
12
Breckland
-
-
GYBC
26
9
Kings Lynn
28
23
NNDC
30
18
Norwich City
40
16
43
No.
Finding and Risk
Recommendation and
Rationale
weekly average of new
claims and changes of
th
948 for the period 26
th
March 2012 to 6 May
2012 when the old
Civica system was
closed down prior to
data conversion.
benefits
and
the
reassessment of benefits
when
claimants‟ personal
circumstances change.
We also established
that the Council has
set a local target of 20
days for processing
new claims and seven
days for processing
changes
of
circumstances.
Having subsequently
obtained the outturn
figures for the whole of
2012/13
we
established that new
claims were processed
in
30
days
and
changes in 18.
We were informed by
the Revenues and
Benefits Manager that
it became apparent
with the problems
following the data
Priority
Management response and action
SNC
10
Deadline and
responsibility
7
Currently new claims 17 days and changes 7.45 days.
The recommendation states we need to action claims in a
timely manner – what is audits recommendation to enable
this to become a smart objective.
It was acknowledged in Cabinet reports that with the data
conversion performance would be compromised. Additional
staff were recruited, however what was not envisaged was
the subsequent un reliability of the Citrix link to Kings Lynn
where NNDC data was held. This severely impacted on
performance and staff morale across the service. It was not
th
addressed until the data was returned to NNDC 13/14
Jan13. Obviously the workloads did increase following year
end March/April 13.
Audit Comment
We acknowledge management‟s comments which have
th
been discussed in detail at an exit meeting on 8 May 2013
and having reviewed additional information. This resulted in
some updates to the actual findings and recommendation
but has not resulted in any change to the high priority rating
due to the associated risks as stated. We have therefore
th
inserted an implementation date of 30 June 2013 in order
to revisit performance with the 2013/14 targets for
processing new claims and changes of circumstances.
44
No.
Finding and Risk
Recommendation and
Rationale
Priority
Management response and action
conversion that the
above targets were not
achievable.
The Revenues and
Benefits Manager also
advised
that
no
monitoring
was
possible between July
- Sept 2012 due to the
problems with the
system
and
understanding
what
the system reported
on.
Reporting of
performance
then
resumed from October
2012 onwards.
Targets of 18 and nine
days respectively have
been set for 2013/14.
From
benchmarking
against
six
other
Norfolk
authorities,
NNDC‟s outturn of 30
days for processing
new claims was the
second longest period;
the longest reported
was 40 days. It was
also
the
second
45
Deadline and
responsibility
No.
Finding and Risk
Recommendation and
Rationale
Priority
Management response and action
longest for processing
changes
of
circumstances with the
longest being 23 days.
Risk
–
Where
outstanding items in
respect of new claims
and amendments are
not processed in a
timely fashion, there is
a risk that housing
benefits are being paid
at an inappropriate
rate, or of greater
concern, not paid at all
to eligible claimants,
potentially
creating
cases of hardship.
46
Deadline and
responsibility
Appendix E (4)
Report No. NN13/10 – Final Report issued 9 April 2013
Audit Report on Exchequer Services
Assurance Opinion
Unsatisfactory
Assurance
Limited Assurance
Adequate
Assurance
Good Assurance
Rationale supporting the award of the opinion
The audit work carried out by Internal Audit indicated that there is a basically sound system of
internal controls within the Council regarding Exchequer Services and Insurances. However
there are weaknesses that can be addressed to give the Council greater assurance that their
objectives are mitigated from risk.
As part of this audit, we have raised one medium priority recommendation and three low
priority recommendations. The medium priority recommendation relates to the utilisation of
the Council‟s electronic purchase ordering system. It had previously been reported that the
use of manual coding slips had been phased out and staff had been trained to ensure the
electronic purchasing order system was utilised. However, it is apparent that the manual
forms are still in use, which increases the risk of committing to expenditure that is not within
budget, nor appropriately approved.
In addition, one medium priority recommendation in relation to strengthening budgetary
controls raised in the previous audit of Exchequer Services (NN/11/08) remains outstanding.
Positive Findings
It is acknowledged there are areas where sound controls are in place and operating
consistently.
Controls are in operation with regards to the following areas of scope, in particular;
policies, procedures and systems; VAT and insurances.
Testing of five months of reconciliations between the Human Resources (HR) list of
leavers and joiners and the system access rights confirmed that access rights were
correctly aligned to the officer‟s responsibilities and are changed when appropriate.
With review of the E-financials system also confirming that there are only four users
of the system who have administrative access.
Segregation of duties exists throughout all types of payment processing, both through
the electronic purchase ordering system; in the absence of an electronic order all
invoices are attached to a code box which demonstrates segregation of duties
between the officer goods receipting the invoice and the officer authorising the
invoice for payment.
Control weaknesses to be addressed
No high priority recommendations have been raised as a result of this audit.
During our work we have identified the following key area where we believe that the
processes / arrangements within Exchequer Services would benefit from being strengthened,
and as a result of these findings, a medium priority recommendation has been raised:
We established that some purchases are being made without using the electronic
purchasing ordering system, but instead, are being processed using the manual
47
coding slips, which are ordinarily applied where no orders are required e.g. precept
payments to town and parish councils, grant payments, utilities. A recommendation
has been raised to address this issue
We also noted that despite no cases appearing in our test sample, the Council is still
using manual orders. In the previous audit report of Exchequer Services (NN/11/08),
a recommendation was raised to phase out manual purchase order pads and to
utilise the electronic purchase ordering system. The recommendation was
subsequently closed as a result of the internal audit follow up process, after being
advised by management that manual purchase order pads had been phased out from
August 2011. However, we have since been advised by the Head of Finance that this
was a misunderstanding and that the Council still requires the use of manual orders,
for example, officers within Property Services when they are out of the office and
need to make a purchase at a supplier where the Council has an account. Therefore,
the recommendation is not restated although a new recommendation has been
developed, advocating the use of the electronic purchase ordering system wherever
possible.
In addition, three low priority recommendations have been raised in respect of; prompt
processing of invoices; signing of pre-payment reports; and providing supporting records for
purchases made through corporate credit cards.
Furthermore, one medium priority recommendation remains outstanding from the previous
audit (NN/11/08) regarding utilising the budgetary controls within the electronic purchase
ordering system.
The Council currently makes available on the website all spend over £500, in line with the
Governments Transparency Agenda. The Department for Communities and Local
Government (DCLG) want to encourage Council‟s to display payments over £250; North
Norfolk may therefore want to consider implementing this enhancement to follow
recommended practice.
Summary of the adequacy and effectiveness of controls
Area of
Scope
Adequacy and
Effectiveness
Assessments
Policy,
Procedure
and Systems
Ordering
Creditors
VAT
Visa Purchase
Cards
Insurances
Adequacy
of
Controls
Effectiveness
of Controls
Recommendations
Raised
High
Medium
Low
Green
Green
0
0
0
Amber*
Amber
Green
Amber
Amber
Green
0
0
0
1
0
0
0
2
0
Green
Amber
0
0
1
Green
Green
0
0
0
0
1
3
Total
* One medium priority recommendation remains outstanding from the previous audit of
Exchequer Services (NN/11/08) which impacts the „adequacy of controls‟ rating for this area.
Management Responses
Management have disagreed with one recommendations made – see overleaf for further
details.
48
Creditors - Pre-Payment Run Reports (Recommendation 3 – Low Priority Rating)
Pre-payment run reports should be signed and dated by the officer checking the accuracy of
input of invoice batches.
Recommendation developed from following Finding
Weekly Pre-payment run reports are checked by the Exchequer Assistants prior to processing
the payment run, to confirm that invoice batches have been entered correctly. Although there
was evidence to suggest checking takes place through tick checks, the Pre-payment run
reports are not signed or dated by the officer to confirm this level of check.
Rationale supporting this Recommendation
Signing Pre-payment run reports helps to confirm that an officer has checked the accuracy of
invoice batches prior to payment and ensures accountability.
Management Response
Not agreed - The detail of each batch is checked back to the original invoice to confirm
correct supplier and amount prior to being submitted to be included on the proposed payment
listing. The fact that the batches are clearly ‟ticked‟ off (line by line) provides sufficient
evidence to be honest this recommendation appears to be somewhat tenuous and
unnecessary.
Audit Comment
We acknowledge management‟s comments, however, still consider the recommendation valid
in so far as a „tick‟ can be applied by any person, whereas initialling or signing the report
provides greater evidence as to who has actually undertaken those checks. This provides
improved audit trail over accountability in terms of who actually applied those checks,
particularly in the event of an issue with a payment coming to light where responsibility for
having applied those checks can be easily identified.
49
Appendix E (5)
Report No. NN/13/11 – Final Report issued 21 May 2013
Audit Report on Work to Support the Preparation of the Annual Governance Statement
Assurance Opinions
Key System
Fixed Assets
Covered in
2012 / 13
No
General Ledger
No
Debtors/Accounts
No
Receivable
Cash
No
Treasury
No
Management –
Date of
Review
N/A
Audit Ref.
Opinion
N/A
Adequate
No. of
recs
0
N/A
N/A
Adequate
0
N/A
N/A
Adequate
0
N/A
N/A
Adequate
1*
N/A
N/A
Adequate
0
Investments/Loans
Budgetary Control
No
N/A
N/A
Adequate
0
Car Parks Income
No
N/A
N/A
Adequate
1*
Payroll
Yes
NN/13/08
Adequate
5
NN/13/10
Adequate
4
NN/13/07
Limited
8
NN/13/09
Limited
5
N/A
Adequate
0
Creditors/Accounts
Payable
Yes
Council Tax and
National-Non
Yes
2013
December
December
Yes
Benefits
Framework
January
2012
Housing Benefits
Assurance
2013
November /
Domestic Rates
and Council Tax
January
2012 /
January
2013
No
N/A
* - Denotes additional recommendations made in this AGS report.
Rationale supporting the award of the opinion
There are a number of key controls within the material systems as agreed with External Audit
and the Head of Internal Audit at North Norfolk District Council that are required to be covered
by Internal Audit each financial year.
Under the agreed Internal Audit Plan for 2012 / 13, a number of these material systems have
been reported on in detail and those key controls have been addressed in each system
reviewed. Recommendations have been raised in these individual audit reports and the
issues identified in this report should be viewed in conjunction with those reports. This report
provides the top up testing for these material systems, thus ensuring the systems are subject
to full year testing. These are identified at Appendix A as “Key Controls subject to full
systems review in 2012 / 13”.
50
We have also reviewed controls in the material systems that were not covered as part of the
agreed Internal Audit Plan for 2012 / 13, these are identified at Appendix A as “Key Controls
not subject to full systems review in 2012 / 13”.
As a result of this work two further recommendations have been made in the areas of Cash,
in particular over bank reconciliations and Car Parks Income with regards reconciling income,
both carrying a medium priority rating.
Positive Findings
Assurance statements are issued to managers to provide assurance over the areas of their
responsibility. Administration of the assurance statement process is undertaken by the Policy
and Performance Management Officer. Testing of the process for the issue and receipt of
assurance statements during 2011/12 highlighted no issues. For 2012/13, statements have
been sent out to the responsible managers with a return deadline on 19/04/2013. Findings of
the assurance review are presented to Cabinet on an annual basis. Please refer to Appendix
F for full details of the assurance statements.
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit
Management Responses
Management have accepted the recommendation raised.
51
Appendix E (6)
Report No. NN13/12 – Final Report issued 15 May 2013
Audit Report on Corporate Governance and Risk Management
Assurance Opinion
We have provided two separate Assurance Opinions; one for Corporate Governance to reflect
an improvement since the previous review and one for Risk Management to reflect no change
since the last time this area was audited by Deloitte.
Corporate Governance
Unsatisfactory
Assurance
Limited Assurance
Adequate
Assurance
Good Assurance
Limited Assurance
Adequate
Assurance
Good Assurance
Risk Management
Unsatisfactory
Assurance
Rationale supporting the award of the opinion
The audit work carried out indicated that there is basically a sound system of internal control
within corporate governance and risk management although with some control weaknesses
where it has been necessary to develop audit recommendations, designed to further
strengthen risk management provisions.
The two opinions result from the fact that one low priority recommendation has been raised
with regards corporate governance compared to the previous review which included one
medium and two low priority recommendations; hence an improved direction of travel.
Whilst risk management was omitted from the previous audit (NN/12/10 – issued February
2012) due to the Council being in the process of reviewing its risk management arrangements
at that time, the previous report (NN/11/11 issued in April 2011) raised one medium and one
low recommendation related to risk management, which similarly compares with one medium
and one low priority recommendations in this report.
Recommendations have been raised in respect of the following corporate governance and
risk management weaknesses:
Corporate Governance
 We found a lack of up to date and approved Terms of Reference (ToR) with respect
to the Performance and Risk Management Board (P&RMB).
Risk Management

The Council's Risk Management Framework was scheduled for review by December
2012 to help confirm it reflected new operational arrangements which have been
subject to development since April 2012, however, the exercise has yet to be
completed.

The presentation of the Corporate Risk Register to the Audit Committee should be
more frequent / formalised since it has not been tabled since June 2012; and
processes to confirm that all risks are subject to regular review needs enhancing and
was not on the work plan to be re-examined until June 2013. The existing Risk
52
Management Framework requires that the Corporate Risk Register is presented to
the Audit Committee twice during the year.
Positive Findings
We found that the Council has demonstrated the following points of good practice as
identified in this review and we will be sharing details of these operational provisions with
other member authorities in the Consortium:
The Council has undertaken a full review of its governance arrangements following
the management restructuring during 2012/13, culminating in the updating of its
Constitution, including the Scheme of Delegation. Outcomes of this review have
been documented, and were subject to levels of scrutiny through an evident
consultation process, with formal approvals granted from both the Constitution
Working Party (CWP) and Full Council.
Up to date ToR have been approved for the revised Management Team (Formerly
Senior Management Team).
It is also acknowledged there are areas where sound controls are in place and operating
consistently:
Mechanisms have been developed to help identify and assess both service and
corporate level risks to the organisation, reviewing the likelihood of their materialising
and their potential impact on the Council‟s achievement of its objectives. This
includes the Policy and Performance Management Officer taking a central role in this
process by meeting with heads of service every six months to work through existing
risks falling within their responsibility and which acts as „on job training‟.
The committee reporting template prompts officers to identify the risk implications of
new initiatives and modified service provisions. This is used as a checklist to help
ensure that reports are produced that meet key requirements and can therefore be
reasonably relied upon for the purposes of decision making.
There is consultation with relevant officers and managers when constructing
committee reports to confirm their accuracy including risk considerations.
The Corporate Leadership Team (CLT) attends both Cabinet meetings and also the
P&RMB meetings as a matter of course. This process therefore allows for a joined
up approach whereby senior officers are aware of, and can escalate any concerns, as
and when required. Both meetings cover key risk elements, with the P&RMB in
particular receiving a full copy of the Corporate Risk Register twice a year.
Testing confirmed ToR had been adhered to for the sample of committee meetings
tested across the following committees: Cabinet, Overview and Scrutiny Committee;
Development Committee; Licensing Committee. This included evidence of
compliance with levels of scrutiny performed by the Overview and Scrutiny
Committee.
Control weaknesses to be addressed
No high priority recommendations have been raised as a result of this audit.
During our work we have identified the following key areas where we believe that the
processes within the Council could be improved or would benefit from being operated more
effectively, and as a result of these findings one medium priority recommendation has been
made:
The Audit Committee should receive a copy of the Corporate Risk Register on a
regular basis throughout the year (this was last tabled in June 2012 from the
evidence available). Subsequent tabling was not expected until June 2013.
53
Summary of the adequacy and effectiveness of controls
Area of Scope
Adequacy and
Effectiveness
Assessments
Corporate
Governance
Risk
Management
Committee
Activities and
Decision
Making
Adequacy
of
Controls
Effectiveness
of Controls
Recommendations
Raised
High
Medium
Low
Green
Amber
0
0
1
Green
Amber
0
1
1
Green
Green
0
0
0
0
1
2
Total
*Excludes one recommendation included in the report on Partnerships (NN/13/05) issued
January 2013 relating to the need for a Partnership Framework.
Management Responses
Management have accepted the recommendations raised.
54
Appendix E (7)
Report No. NN13/16 – Final Report issued 26 April 2013
Audit Report on ABS eFinancials Application
Assurance Opinion
Unsatisfactory
Assurance
Limited Assurance
Adequate
Assurance
Good Assurance
Rationale supporting the award of the opinion
The audit work carried out by Internal Audit indicated that there is a basically sound system of
internal controls within the Council regarding the eFinancials Application. However, there are
weaknesses that can be addressed to give the Council greater assurance that their objectives
are mitigated from risk.
This area was last audited in 2009 and, as detailed above; this audit has confirmed that the
weaknesses previously identified have all been mitigated through the implementation of the
recommendations. Areas where weaknesses were previously identified included Access
Controls, Backup and Recovery and Support Arrangements and Change Control.
As part of this audit, we have raised two low recommendations in relation to Backup and
Recovery and Access Controls, having recognised an issue with a review of the Business
Continuity arrangements and a minor aspect in exploiting some newly available system
functionality.
Positive Findings
We found the Council has a number of areas where sound controls have been developed and
were found to be operating consistently:
The application has adequate password controls;
Role profiles are in place to control access to the application according to need;
Interface reconciliation controls are in place;
Audit trail functionality is active and available on demand; and
Support arrangements were in place and change was being appropriately managed.
Control weaknesses to be addressed
No high priority recommendations have been raised as a result of this audit.
During our work we have identified the following area where we believe that the processes /
arrangement within the ABS eFinancials application would benefit from being strengthened,
however, as a result of this issue having been previously identified by management who are
working to resolve this issue, a formal recommendation has not been raised.
A number of users have the ability to set up their own accounts receivable 'suppliers',
which has resulted in duplications.
In addition, two low priority recommendations have been raised in respect of; reviewing the
business continuity plan, and running and reviewing the newly available „database
connections‟ report on a regular basis to assist in the identification of any unauthorised
connections.
55
Summary of the adequacy and effectiveness of controls
Area of Scope
Adequacy and
Effectiveness
Assessments
Access
Controls
Data
Processing
Interfaces
Management
Trails
Backup and
Recovery
Support
arrangements
and Change
Controls
Adequacy
of
Controls
Effectiveness
of Controls
Recommendations
Raised
High
Medium
Low
1
Amber
Amber
0
0
Amber
Amber
0
0*
0
Green
Green
0
0
0
Green
Green
0
0
0
Amber
Amber
0
0
1
Green
Green
0
0
0
0
0*
Total
1
1
2
*1
A control weakness was identified whereby certain users have the ability to set up
their own accounts receivable 'suppliers', which has resulted in duplications; however, as this
weakness had been identified by management who are working to resolve them, a formal
recommendation has not been made.
Management Responses
Management have disagreed with one recommendations made – see below for further
details.
Access Controls – Database Connections Report (Recommendation 1 – Low Priority Rating)
The Database connections report should be run and reviewed on a periodic basis.
Recommendation developed from following Finding
The audit noted that the application has the ability to report on "database connections" over a
time period that can be specified by the system administrator. This is a new function that has
become available since the application upgrade completed in February 2013. The report has
been reviewed, although there has been no continued review process given its recent
implementation.
Rationale supporting this Recommendation
Reviewing the database connections report will assist in the early identification of potential
sustained and irregular activity.
Management Response
Management do not agree with this recommendation. The reasons for this are as follows:
Database Connections report would monitor failed logons and enable user access to
be monitored. There are satisfactory controls in place already for setting up new
users, limiting access and also removing leavers from the system.
Individual access is limited so that Officers only have access to what is required for
their job role.
56
A recent review of all users access has been conducted and each individuals access
signed off by the manager.
In relation to failed logins, after three unsuccessful attempts the user would need to
contact the administrator to be reset, which also provides a control in itself.
Audit Comment
Whilst we acknowledge management comments about the controls identified above; with the
exception of the automatic lock out of accounts after a pre-set number of failed access
attempts, these are not directly related to the risk we are looking to mitigate against. We
believe that this report, extracted on a weekly or monthly basis, could be used to identify
sustained and irregular activity that is occurring. Examples of this activity could be excessive
attempts to access accounts that would indicate a „brute force‟ type attacks to compromise
passwords, this is even more important where there are accounts that are not subject to the
failed log-in controls for example built in „administrator‟ type accounts. This functionality
would also provide additional information on activity that could be used to identify where other
types of attacks are occurring, for example an attempted Denial of Service (DoS) attack
where the automated lock out control is used to lock out legitimate users out of the system.
57
Appendix G
Norfolk Internal Audit Consortium Definitions / Categories of Audit Opinions
relating to Individual Audit Assignments
Deloitte and Touche Public Sector Internal Audit Ltd have four categories of audit opinion, by which
they classify internal audit assurance over the processes that they have examined, and these are
defined as follows:
Good Assurance
There is a sound system of internal control designed to achieve the client’s
objectives.
The control processes tested are being consistently applied.
Adequate
Assurance
While there is a basically sound system of internal control, there are weaknesses,
which put some of the client’s objectives at risk.
There is evidence that the level of non-compliance with some of the control
processes may put some of the client’s objectives at risk.
Limited
Assurance
Weaknesses in the system of internal controls are such as to put the client’s
objectives at risk.
The level of non-compliance puts the client’s objectives at risk.
Unsatisfactory
Assurance
Control processes are generally weak leaving the processes/systems open to
significant error or abuse.
Significant non-compliance with basic control processes leaves the
processes/systems open to error or abuse.
The assurance gradings provided above are not comparable with the International Standard on
Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board
and as such the grading of ‘Good Assurance’ does not imply that there are no risks to the stated
objectives.
58
Appendix H
North Norfolk District Council
Map of Audit Assurances provided since 2008/09
2008-09
2009-10
2010-11
2011-12
Adequate
Adequate
Adequate
Adequate
2012-13
Annual Opinion Audits
Corporate Governance and
Risk Management
Corporate Governance
Risk Management
Good
Adequate
Ethical Governance
Adequate
One-off audit
AGS - Assurance Framework
Adequate
Key - AGS relates to Work to Support the preparation of the Annual Governance Statement. This work scrutinises key controls
only, rather than providing for an in-depth review of systems in their entirety and because of this, the type of assurance that we are
able to give is restricted to adequate or limited.
Fundamental Financial Systems
Sundry Debtors
AGS - Sundry Debtors
Remittances
AGS - Cash
Accountancy Services
AGS - Fixed Assets
AGS - General Ledger
AGS - Treasury Management
AGS - Budgetary Control
Housing Benefits
Council Tax / NNDR
Exchequer/Creditors
Payroll / HR
Budgetary Control
Revenues and Benefits
Partnership - Data Transfer,
Governance and Risk
Adequate
Limited
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Limited
Limited
Adequate
Adequate
Adequate
Adequate
Adequate
Good
Good
Incorporated into accountancy
Adequate
Head of Economic and Community Development
Tourism and Economic
Development
Foreshore and coastal
management / Coastal
Change and Pathfinder
Management
Adequate
Homelessness and Strategic
Housing
Affordable Housing
Adequate
Private Sector Housing and
Disabled Facilities Grants
Adequate
Communities and Safety
Adequate
Good
Adequate
Adequate
Good
Adequate
Absorbed into future audits concerning
Localism and Communities
Limited
Head of Development Management & Head of Economic and Community Development
Development Management,
Planning, s106 Agreements,
Community Infrastructure
Levy and Land Charges
Adequate
Head of Assets and Leisure & Head of Economic and Community Development
Partnerships
Limited
Head of Environmental Health
Waste Management
Environmental Health
Head of Assets and Leisure
Sports Halls/Centres
Leisure Complexes
Property Services
Car Parking and Markets
AGS - Car Park Income
Limited
Adequate
Adequate
Limited
Limited
Adequate
Adequate
Adequate
Limited
Adequate
Adequate
Adequate
Limited
Adequate
May 2013
59
Appendix H
North Norfolk District Council
Map of Audit Assurances provided since 2008/09
Head of Assets and Leisure & Head of Environmental Health
Parks and Open Spaces
Limited
Head of Organisational Development
Elections / Electoral
Registration
Data Quality
Adequate
Performance Management,
Corporate Policy, Planning
Adequate
Limited
Adequate
Head of Finance
Projects and Procurement
Car Allowances
Adequate
Good
Good
Discontinued as NI's ending
Deferred to 2012/13
Business Manager (Corporate and Democratic Services)
Legal Services, Data
Protection, Freedom of
Information
Head of Legal
Whistleblowing
Concessionary Fares
Adequate
Unsatisfactory
Adequate
Adequate
One-off audit
Function transferred to County Council
Adequate
Adequate
One-off audit
IT Audits
General Ledger/Cedar
Financials Application
Project Management
General IT Controls
Cash Receipting
Document Imaging - Civica Revenues and Benefits
IT Security
IT Security, Procurement and
End User Controls
Software Licensing
Revenues and Benefits
Application
Network Infrastructure
Business Continuity
Data Centre, Back Up,
Disaster Recovery
Data Consistency
Payroll and Personnel
Content Management
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Limited
Limited
Adequate
Adequate
Adequate
Adequate
May 2013
60
Appendix I
Limitations and Responsibilities
Limitations inherent to the Internal Auditor’s work
I have prepared the Internal Audit Annual Report and engaged Deloitte (the Internal
Audit Services contractor) to undertake the agreed programme of work as approved by
management and the Audit Committee, subject to the limitations outlined below.
Opinions
The opinions expressed are based solely on the work undertaken in delivering the
approved 2012/13 Annual Audit Plan, which originally involved 212 days, although this
figure was then revised in year to 231.6 days. The work addressed the risks and control
objectives agreed for each individual planned assignment as set out in the
corresponding audit briefs and reports.
Internal Control
The system of internal control is designed to manage risk to a reasonable level rather
than to eliminate the risk of failure to achieve corporate/service policies, aims and
objectives: it can therefore only provide reasonable and not absolute assurance of
effectiveness.
Internal control systems essentially rely on an ongoing process of
identifying and prioritising the risks to the achievement of the organisation’s policies,
aims and objectives, evaluating the likelihood of those risks being realised and the
impact should they be realised, and to manage them efficiently, effectively and
economically. That said, internal control systems, no matter how well they have been
constructed and operated, are affected by inherent limitations.
These include the
possibility of poor judgement in decision-making, human error, control processes being
deliberately circumvented by employees and others, management overriding controls
and the occurrence of unforeseeable circumstances.
Future Periods
Internal Audit’s assessment of controls relating to North Norfolk District Council is for the
year ended 31 March 2013. Historic evaluation of effectiveness may not be relevant to
future periods due to the risk that:
 The design of controls may become inadequate because of changes in the operating
environment, law, regulation or other matters; or,
 The degree of compliance with policies and procedures may detiorate.
The timings of the individual internal audit reviews carried out in relation to the 2012/13
Audit Plan are recorded in Appendix A to this report.
Responsibilities of Management and Internal Auditors
It is management’s responsibility to develop and maintain sound systems of risk
management, internal control and governance and for the prevention and detection of
irregularities and fraud. Internal Audit work should not be seen as a substitute for
management’s responsibilities for the design and operation of these systems.
61
The Internal Audit Consortium Manager has sought to plan Internal Audit work, so that
there is a reasonable expectation of detecting significant control weaknesses and, if
detected, additional work will then be carried out which is directed towards identification
of consequent fraud or other irregularities. However, internal audit procedures alone,
even when carried out with due professional care, do not guarantee that fraud will be
detected and Deloittes’ examinations as the Council’s internal auditors should not be
relied upon to disclose all fraud, defalcations or other irregularities which may exist.
62
Audit Committee
18 June 2013
Agenda Item No___10______
The Status of Agreed Audit Recommendations due for Implementation by 31
March 2013
Summary:
This report provides an overview of progress made in
implementing the agreed audit recommendations due for
completion by 31 March 2013.
Conclusions:
Good progress has been achieved in relation to the completion
of agreed Internal Audit recommendations.
Recommendations:
It is recommended that the Committee notes management
action taken to date regarding the implementation of audit
recommendations.
Cabinet member(s):
Ward(s) affected:
All
All
Sandra King, Internal Audit Consortium Manager
01508 533863, scking@s-norfolk.gov.uk
Contact Officer, telephone
number, and e-mail:
1.
Background
1.1.
In accordance with agreed internal audit review and reporting cycles, we revisit
the status of audit recommendations on a 6-monthly basis and last presented our
findings in this area to Committee on 4 December 2012, concentrating on the
period April to September 2012. This report therefore provides an update on the
status of audit recommendations following recent verification work in April 2013,
and subsequent updates to this in May 2013, which examined the level of activity
concerning the completion of audit recommendations falling due between 1
October 2012 and 31 March 2013.
1.2.
The process used to monitor the status of recommendations during this period
has remained unchanged from previously noted, i.e. recommendations are input
on the TEN performance system at the time the final audit report is issued, and
managers are then required to provide progress reports as recommendations
approach their agreed implementation date. At the end of the reporting period,
the Deloitte auditors then visit services to confirm there is supporting evidence to
demonstrate the completion of audit recommendations and undertake some
selective review work to verify that appropriate action has been initiated by
management.
63
Audit Committee
18 June 2013
2.
Overall Position
2.1.
The number of outstanding recommendations, listed per audit, is identified at
Appendix J to this report. A summary of the current, and previously reported
positions, is shown in the table below:
Status of Recommendations for the period 1 October 20111 to 31 March 2012
High
Medium
Low
Total
%
Complete
1
15
13
29
34.9
Partly
Implemented
0
11
1
12
14.5
Outstanding
0
26
16
42
50.6
1
52
30
83
Unable to
confirm
status
Total
Status of Recommendation for the period 1 April to 30 September 2012
High
Medium
Low
Total
%
Complete
0
25
6
31
43.0
Partly
Implemented
0
8
2
10
13.9
Outstanding
0
12
6
18
25.0
Unable to
confirm
status
0
7
6
13
18.1
Total
0
52
20
72
Status of Recommendation for the period 1 October 2012 to 31 March 2013
High
Medium
Low
Total
%
0
48
24
72
85.7
Outstanding
0
10
1
11
13.1
Unable to
confirm
status
0
1
0
1
1.2
Total
0
59
25
84
Complete
Partly
Implemented
64
Audit Committee
18 June 2013
Key:
H – High priority: A fundamental weakness in the system that puts the Council at risk.
To be addressed as a matter of urgency, within a 3-month time frame wherever
possible, or, to put in place compensating controls to mitigate the risk identified until
such a time as full implementation of the recommendation can be achieved.
M – Medium priority: A weakness within the system that leaves the system open to risk.
To be resolved within a 4 - 6 month timescale.
L – Low priority: Desirable improvement to the system. To be introduced within a 7 - 9
month period.
2.2.
Members attention is drawn to the following findings made in the course of our
latest audit follow up exercise:
We would usually provide additional details to the Committee in respect of
high priority recommendations. However, on this occasion there were no
agreed actions carrying a high priority rating which warranted implementation
during the second 6 months of the year.
The cumulative position for completed recommendations during 2012/13 is
103 and as acknowledged in the table at paragraph 2.1; there has been a
marked increase in the percentage of completed recommendations over the
financial year. Between April and September 2012, 31 (43%) had been
completed, and in the second half of the year, the number of finalised agreed
actions had risen by a further 72 (85.7%).
There has also been a significant reduction in the number of
recommendations remaining outstanding during the year; in the first 6
months of 2012/13, 18 agreed actions (25%) were reported to Committee as
outstanding, and this position has further improved in the 6-months leading
up to year end, with the figure dropping to 11 (13.1%) which fall into this
outstanding category.
We have established that 10 of the 11
recommendations carry a medium priority rating, whilst the remaining one
has a low priority rating. Appendix J contains more information about the
service areas where these recommendations still need to be progressed.
Committee’s attention is additionally drawn to the fact that there has been a
considerable improvement in responses received from management such
that we only had 1 recommendation, where we were unable to confirm its
status. The item identified here related to a medium priority recommendation
attaching to Waste Management (Audit No.NN/12/03).
It is finally important to note that of the 55 recommendations agreed with
management following completion of 2012/13 audit assignments, 36 of these
are not yet due for implementation, see Appendix J for the audit areas to
which these relate. The recommendations are split between 1 high priority,
22 medium priority and 13 low priority. As mentioned although the dates set
for their completion have not been reached but, until they are actioned, they
represent wide ranging weaknesses in the control environment (one of which
is at a significant level) which leave the authority open to risk.
65
Audit Committee
18 June 2013
3.
Conclusion
3.1
Good progress is being made in relation to the completion of agreed Internal
Audit recommendations.
4.
Recommendation
4.1
It is recommended that the Committee notes management action taken to date
regarding the implementation of audit recommendations.
Appendices attached to this report:
Appendix J: Summary of Agreed Internal Audit Recommendations as at 31 March
2013
66
Summary of Agreed Audit Recommendations at 31 March 2013
Reference
Description
Assurance Level
NN0901
NN0911
NN0912
NN1002
NN1009
NN1016
NN1017
NN1101
NN1102
NN1103
Corporate Governance and Risk Management
Council Tax and NNDR
Housing and Council Tax Benefits
Partnerships
Tourism and Economic Development
Housing and Council Tax Benefits
Sundry Debtors
Environmental Health
Private Sector Housing
Ethical Governance
Adequate
Adequate
Adequate
Limited
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
NN1104
NN1107
NN1108
NN1111
Conveyancing, Data Protection, FOI, and Gifts and Hospitality
Council Tax and NNDR
Exchequer Services
Corporate Governance and Risk Management
Adequate
Adequate
Adequate
Adequate
NN1112
NN1118
NN1202
NN1203
NN1205
NN1206
NN1208
NN1209
NN1210
NN1212
NN1213
NN1218
NN1301
NN1302
NN1303
NN1304
NN1305
NN1306
NN1307
NN1308
NN1309
NN1310
NN1311
Development Management, Building Control and Land Charges
Fraud Investigation
Affordable Housing
Waste Management Contract
Accountancy Services
Car Parking and Markets
Sundry Debtors
Sports Halls/Centres
Corporate Governance
Work to Support the Annual Governance Statement
Parks and Open Spaces
Electoral Registration
Property Services and Coastal Protection
Strategic Housing and Homelessness
Corporate Policy, Planning and Performance Management
Procurement
Partnerships
Leisure Complexes
Council Tax and NNDR
Payroll and HR
Housing and Council Tax Benefits
Exchequer Services
Work to Support the Annual Governance Statement
Corporate Governance and
Risk Management
Adequate
Not applicable
Good
Limited
Adequate
Limited
Limited
Adequate
Adequate
Not applicable
Adequate
Good
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Limited
Adequate
Limited
Adequate
Not applicable
Good
Adequate
NN1312
SYSTEMS AUDIT TOTALS
NN0917
NN1020
NN1021
NN1022
NN1116
NN1117
NN1214
NN1215
NN1216
NN1217
NN1220
NN1313
NN1314
NN1315
NN1316
Cedar eFinancials Application
CIVICA
Document Imaging Application Audit
IT Security, Procurement and End User Controls Audit
CIVICA Revenues and Benefits Application Audit
Network Infrastructure, Security and Telecommunications
Business Continuity
Data Consistency
Content Management
Payroll and HR Application
Remote Access
Cash Receipting
Project Management
DR, Backup and Server Room Controls
ABS eFinancials Application
COMPUTER AUDIT TOTALS
Completed - April - September
2012
H
M
L
Completed October 2012 - March
2013
H
M
L
H
Outstanding
M
Appendix J
L
Unable to confirm status
H
M
L
1
1
1
4
1
1
3
1
1
1
1
2
1
1
1
1
1
1
3
1
1
1
1
4
1
2
1
1
1
4
1
3
1
2
2
1
1
1
2
1
2
2
1
2
3
1
1
2
1
1
3
Total
Outstanding
Not yet due to be implemented
H
M
L
0
0
0
0
0
1
0
0
1
0
0
0
0
0
0
1
0
0
1
0
0
0
0
0
0
0
0
0
1
0
0
4
0
0
0
1
0
0
1
0
0
0
0
0
0
1
0
0
0
0
0
1
0
0
4
0
0
0
1
0
0
1
0
0
0
0
4
2
1
8
4
5
3
2
1
0
0
0
Adequate
Adequate
Adequate
Adequate
Adequate
Limited
Limited
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
13
5
0
1
28
23
0
8
1
0
1
0
1
1
1
3
3
3
2
7
2
1
1
1
1
2
1
4
0
12
1
0
20
1
67
0
2
10
1
0
0
0
0
0
1
0
1
0
0
0
0
0
0
0
1
0
0
0
0
Total Audit
Recommendations to be
actioned
2
2
1
2
1
6
1
4
1
2
2
3
1
2
3
18
12
41
1
0
0
0
0
0
1
0
1
0
0
0
0
0
4
1
1
7
2
4
0
4
Corporate Risk Register June 2013
Audit Committee 18 June 2013
Corporate Risk Register June 2013 (Updated following PRMB May 2013)
(references eg (CC) 077 – refer to TEN system)
No
1. Cause of risk
Existing controls
2. Description of risk or potential
event
Central government funding (uncertainties)
1. Uncertainty about the Council
receiving adequate funding from central
government through the Formula Grant
and/or other targeted funding stream.
2. Uncertainty around funding streams
creates difficulties in financial planning
for the medium to long term. The
freezing of Council Tax has meant a
focus on tax base growth for Council
Tax Income growth. The new Local
Government funding regimes including
localised Council tax and retained
business rates increases a further
uncertainty in terms of year on year
funding.
3. The Corporate Plan may not be
delivered to the identified timescales.
The level of service currently provided
would be at risk especially some of the
discretionary service areas.
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
015(CR)
Score (with
controls)
(CC)077 - Policy work
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
Delivering
the Vision
Karen Sly –
Head of
Finance
(CC)083 - Project
Management Plans
(CC)078 - Lobbying
Central Government
(CC)082 - Budget
Process / Budget
Monitoring
The Localised Council Tax
Support Scheme for 2013/14
was approved in January
2013 and came into
operation in April 2013.
Further discussion/approval
of the scheme for 2014/15
will need to take place
during the second quarter of
2013/14 to enable a scheme
to be recommended and
approved for implementation
in April 2014.
New – Utilisation of
the New Homes
Bonus grant within the
base budget from
2014/15 (reported to
Full Council May
2013)
(CC)088 Regular monitoring
system of the impact of the
business rates retention and
the localised council tax
support system compared to
the government start-up
funding methodology.
(CC)079 - Medium
Term Financial
Strategy/update
(CC)081 - Corporate
Planning / Service
Planning
Target
Score
5x5=25
68
4x3=12
1
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Coastal Erosion - (the effects of)
1. Lack of Government funding to
maintain coast defences and / or to
support local compensation claims
2. Coastal erosion and blight of coastal
settlements through loss of public and
private infrastructure and assets.
The Council has devoted significant
resources to pursuing sustainable
answers to coastal management
issues. There is a considerable Health
and Safety context here which serves
to increase the reputational risk for the
Council at the same time.
3. Increased coastal erosion through
loss of defences presents a reputational
risk to the authority in the eyes of local
communities and direct loss of Council
owned assets / infrastructure which are
fundamental to the district's tourism
offer and therefore the economic wellbeing of the district. Loss of confidence
in respect of business investment and
residential property market; blight of
properties in erosion zone; direct loss of
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
002(CR)
Score (with
controls)
(CC)002 - The
Pathfinder Project
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
Coast,
Countryside
and Built
Heritage
Brian
Farrow Coastal
Engineer
(CC)004 - Shoreline
Management Plan (SMP).
SMP6 adopted and
approved by the
Environment Agency. Post
Adoption procedures are
now nearing completion.
(CC)005 - Repairs &
Maintenance
Programme (revenue
budgets)
(CC) 011 - Cromer Sea
Defence Works
(CC)006 Procurement
practices
Coast monitoring
(CC)012 - Coastal
Monitoring
5x4=20
(CC)008 – Health &
Safety checking and
monitoring –
Implemented
Control of coastal
management schemes
through procurement and
regular checking.
4x3=12
(CC)010 - DEFRA
funding of capital
schemes Implemented
69
2
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Score (with
controls)
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
tourism assets and infrastructure
promenades, beach chalets, cafés,
public toilets, car parks etc.; loss of
tourism income / employment.
003(CR)
Transformation Agenda
(CC)015 - Strategies
1. It is clear that there is urgency about
change in local government driven by
the current financial pressures and the
ambition to ignite community
engagement. Authorities need to
ensure they are positioned to respond
to the changes and challenges facing
them.
(CC)016 - Reporting New legislation and
consultation
2. The risk is that in moving to a new
agenda so quickly there is no basic
framework within which the new
arrangements can be undertaken.
3. Vision and action may not be fully
supported by a sound assessment and
a solid understanding of policy
implications at national and local level.
Further discussions/
consideration of options
around shared services
IT transformation work that
is currently being
undertaken.
(CC)017 - Network
development
(CC)018 - Maintain
technical competence
3x4=12
Financial strategy
workstreams that are
ongoing
2x4=8
Delivering
the Vision
Sheila
Oxtoby Chief
Executive
(CC)014 - Training,
learning & policy
initiatives Implemented
70
3
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Localised Council Tax Support
Scheme (was Council Tax Benefit
replacement)
1. The new localised council tax support
scheme which came into operation in
April 2013, the funding for the scheme
has been reduced and whilst there are
some projections (of individuals) within
the scheme some households will be
required to pay Council Tax when they
have been previously entitled to 100%
benefit.
2. Under the Local Government Finance
Act each Local Authority is required to
implement a localised system of
Council Tax support, this replaced the
previous Council Tax Benefit system.
Fundamentally this has shifted the risk
from national to Local Government.
Each billing authority was required to
develop a scheme for its area.
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
012(CR)
Score (with
controls)
(CC)061 - Software
provider contact
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
Early decision making
required for the 2014/15
scheme including impact on
Parish Councils funding.
(CC)062 - Establish
working groups
(CC)087 - County Wide
working group – to be
reconvened.
CC)063 - Discussions
with County Council
/Police
(CC)064 - Staff
Training
Target
Score
5x4=20
(CC)065 - Networking
(CC)086 - LCTS
Member working
group – Implemented.
5x3=15
Delivering
the Vision
Louise
Wolsey Revenue
and
Benefits
Services
Manager
3. For 2013/14 there is transitional
funding for local schemes that meet
Government prescribed criteria, the
scheme for NNDC for 2013/14 meets
this criteria. As the funding is only
71
4
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Score (with
controls)
Impact x
Likelihood =
Total
3. Consequence of risk happening
Action (to achieve target
score) and Date for action
to be completed
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
transitional there is still a risk
associated with implementing a fully
funded scheme in 2014/15. This will
require further work during 2013/14.
Furthermore collection of council tax
will impact on all authorities (not just
NNDC as the billing authority), whilst
some element of the impact on the
collection fund has been taken into
account in the 2013/14 budget, the full
extent will depend on the actual
performance in the year.
004(CR)
The Localism Act - (ineffective
implementation)
(CC)020 - Establish a
working party
1. Lack of detailed preparation
(CC)019 - The
development of best
practice –
Implemented
2. This new act contains a number of
new initiatives which will be
implemented over the medium term.
The "general power of competence"
provides the Council with certain
freedoms but issues such as charging,
commercial service companies,
standards, annual pay policy, are
combined with Council Tax referenda
requirements. In planning the Act
introduces the "Community Right to
N/A
N/A
Delivering
the Vision
Sheila
Oxtoby Chief
Executive
The Localism agenda
is being embraced
and embedded within
the authority and is
therefore no longer
considered to be one
72
5
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
Build" and the Community Infrastructure
Levy. And for housing services
requirements include the ability to offer
private tenancies to homeless people
and a complaints procedure focused on
the Independent Housing Ombudsman.
The Open Public Services White Paper
(July 2011) puts the Localism Act into a
wider context and longer time frame.
Score (with
controls)
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
of the high risks.
Delivery of Localism
remains a priority
within the Corporate
Plan, examples of this
are the Big Society
Fund.
It is important that the immediate
requirements of the Act are in place by
31/03/2012.
3. The initiatives in this legislation may
be ill considered and piecemeal.
005(CR)
Organisational Restructuring (potential instability)
1. The ineffective management of
change.
2. Following the changes at strategic
level and the emergence of the new
Corporate Leadership and
Management Teams, Heads of Service
will be reviewing their areas to ensure
that structures are aligned to service
(CC)021 - Effective
staff communication –
regular updates,
briefing and CE
update emails.
Implement the outcomes of
the Planning Peer Review
Individual staff support
4x4=16
(CC)022 - Effective
Member engagement
Review by Joint Staff
Consultative Committee
2 x 4 =8
Delivering
the Vision
Sheila
Oxtoby Chief
Executive
Learning and Development
Programme
(CC)024 - Monitor the
73
6
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Score (with
controls)
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
delivery and organisational priorities.
impact
3. A lack of understanding of the
proposals, low staff morale and
resistance to any changes proposed.
(CC)025 - Provide
team building activity
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
(CC)026 - Provide
training/mentoring
(CC)023 - Strengthen
the Communications
Strategy Implemented
Pay & Grading Review - (impact)
006(CR)
1. Now that the pay and grading review
has been completed the authority is
now moving to the normal job
evaluation scheme and the associated
backlog with job evaluation.
2. There is a risk of low staff morale
due to the legacy of pay and grading.
3. Impact on the overall financial
position and on staff morale/ increase in
turnover of staff. There may potentially
(CC)022 - Effective
Member engagement
Individual staff support
(CC)027 - Revisit job
evaluation scores
(CC)029 - Obtain
professional advice
Review by Joint Staff
Consultative Committee
4x4=16
(CC)030 - Pay and
Grading Appeals
process
Learning and Development
Programme
Re-launch of job evaluation
scheme including
programme of panels
3x3=9
Delivering
the Vision
Julie
Cooke Head of
Organisational
Development
(CC)031 - Work with
74
7
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
be a significant impact on staff morale
as a result of this process (which may
lead to staff losses).
Score (with
controls)
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
staff and trades Union
representatives
(CC)028 - Resource
effectively –
Implemented
(CC)055 - Enhance Housing
Association delivery, Local
Investment Strategy
proposes provision of loan to
assist with lack of / cost of
finance.
Housing Delivery
010(CR)
1. A combination of lack of developer
confidence because of recession /
weak financial markets and pressure on
public finances meaning reduced
availability of grant funding for
affordable housing provision. Inability to
secure planning permission for
provision of affordable housing
(CC)048 - Use of
capital
2. A challenge over the Council's ability
to provide a target number of
affordable homes
(CC)050 - Local
Investment Plan
3. Increased housing need and
reputational risk in non-delivery of key
corporate priority.
(CC)051 - Local
Development
Framework (LDF)
policies
(CC)049 - Partnership
work with Registered
Providers
4x4=16
Identified partner to work
with Council and Housing
Associations to bring
forward affordable (and
market) housing schemes in
a way which reduces upfront
costs to Housing
Associations. First phase of
schemes identified.
4x2=8
Housing
and
Infrastructure
Nicola
Turner Housing
Team
Leader Strategy
(CC)056 - Development plan
- affordable housing
provision.
(CC)052 - Internal
planning protocol
Ongoing forward
75
8
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Score (with
controls)
Impact x
Likelihood =
Total
3. Consequence of risk happening
(CC)054 Housing Strategy
discussion document
(2010)
Shared Services plans - (failure to
complete)
(CC)057 - Project
Management Group
1. A combination of the potential for an
incomplete implementation, in addition
for Revenues and Benefits service, this
project is being undertaken against a
back cloth of the Coalition
Government's intention to introduce
Universal Credit from 2014 and the
detailed changes in the shape and
detail of Council Tax support and the
Business rates retention scheme
(CC)058 - Improved
staff communication
(CC)059 - Formulation
of a detailed plan
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
development plan needs
attention to ensure ongoing
pipeline of affordable
housing schemes. New
Housing Development
Officer post (1 year fixed
term contract) recruited to
and post holder starts on 3
June 2013. Post will be
responsible for developing a
new pipeline of affordable
housing schemes.
(CC)053 - Increased
Focus –
Implemented
011(CR)
Action (to achieve target
score) and Date for action
to be completed
Further discussions/
consideration of options
around shared services
(links to Transformation
Agenda risk also.
4x4=16
(CC)060 - Dedicated
risk assessment
completed
Consideration of shared
service proposals and
business cases.
4x2=8
Delivering
the Vision
Steve
Blatch,
Corporate
Director
2. A failure to fully implement shared
76
9
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Score (with
controls)
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
services proposals could occur
3. Reputational damage, reduce staff
morale, financial impact to current and
ongoing budgets.
Property assets - (the condition of)/
Asset Management
(CC)009 - Effective
team resourcing
(CC)001 - Work on repairs
and maintenance schedules
1. A lack of investment and sound
decision-making.
(CC)013 - Asset
Management Plan
2. Deteriorating property assets may
lead to a loss of revenue and possible
legal liability.
(CC)003 - The
introduction of a
property risk
assessment and
inspection regime
Condition surveys continue
to be carried out with full
reports being written and
forward maintenance plan
compiled.
001(CR
3. The Council does not achieve value
for money from its investment and/or
possible legal liabilities either directly or
through its leasing arrangements.
4x3=12
This scenario is detrimental to the local
tourism economy as well as damaging
to local communities contributing to a
lack of community pride and possible
increase in vandalism. The capital tied
up in assets cannot be released to
77
(CC)007 - Implement asset
management software – The
software is now being used
regularly by some of the
team and is gaining
momentum slowly. There
are a few glitches with the
systems speed and interface
with efinancials but this risk
is diminishing as the
cleansing/build up of data
continues.
3x3=9
Delivering
the Vision
Duncan
Ellis –
Head of
Assets and
Leisure
10
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Score (with
controls)
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
Target
Score
Corporate
Objective /
Service
Priority
Officer
2x3=6
Delivering
the Vision
Karen Sly Head of
Finance
3x1=3
Delivering
the Vision
Karen Sly,
Head of
Finance
Impact x
Likelihood
= Total
support wider Council initiatives and
income streams are not maximised.
Partnership/s - (potential failure)
1. Failure to engage appropriately
and/or commit resources
2. The organisation is involved in a
number of key partnerships which may
have the potential to become
ineffective. There is a need to engage
appropriately with and commit
resources (staff, finances, actions)
to key partnership structures.
3. Failure of partnerships to deliver
stated objectives / outcomes
Non-delivery of key outcomes leading
to reputational risk to Council.
(CC)032 - Revise and
improve The
Partnership
Framework
(CC)034 - Complete the
Partnership Register
(CC)036 - Annual review
process of partnership
operations.
(CC)033 - Monitor
(CC)035 - Clarify
Members' roles
3x3=9
(CC) NEW – Regular
review of Outside
bodies and no new
partnerships entered
into unless reported
through Cabinet.
Procurement - (lack of value for
money)
009(CR)
1. The current financial climate, recent
resourcing issues causing an absence
of a focus for this work, together with a
reduction in the available accountancy
3x3=9
78
(CC)047 - A procurement
evaluation. To re-evaluate
the current procurement
arrangements, strengthen
the procurement tool kit and
provide a greater degree of
self-service.
11
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Impact x
Likelihood =
Total
3. Consequence of risk happening
resources going forward increases the
risk of a lack of continuous
improvement in this area.
2. Following the development of the
procurement toolkit and the large scale
exercise for Waste procurement there
has been an absence of focus on
procurement which has led to a risk that
the Council will not achieve value for
money procuring the goods and
services it uses.
3. The Council may not achieve value
for money
Score (with
controls)
Action (to achieve target
score) and Date for action
to be completed
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
(CC)043 Procurement
Strategy,
(CC)044 Procurement
Framework,
(CC)045 - Joint
procurement protocol,
(CC)046 - Advice for
external suppliers.
Information - (loss of)
008(CR)
1. Lax security - Information may be
lost, mislaid or stolen Increased use of
mobile technology such as I Pads etc.
2. There exists an inherent potential for
the loss of organisational information at
any security level. ICT is responsible for
ensuring electronic data is secure (in
conjunction with system owners who
control access to their databases),
(CC)037 - Information
Management
Strategy,
(CC)039 - ICT
Security Policy
4x2=8
4x1=4
Delivering
the Vision
Helen
Mitchell ICT
Manager
(CC)040 - ICT
Monitoring,
(CC)042 - Code of
79
12
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
3. Information may be inappropriately
used. Fraud or data corruption may
occur. Systems may suffer damage.
The Council's reputation may be
harmed.
Score (with
controls)
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
Connection
compliance
(CC)038 - Implement
data security
protocols on mobile
devices
(CC)041 - Data
Protection training Implemented
013(CR)
Operational disruption - (significant
event)
1. Both the National and Community
Risk Registers have more information
regarding the risk of specific events
(e.g. Pandemic) occurring.
(CC)066 - Response
& Recovery Planning
4x2=8
2. Any Internal or external event that
has a significant impact on the ability of
the Council to deliver services.
(CC)067 - Continuity
Planning
3. a) Loss of staff for 'usual' service
delivery
b) Loss of premises
c) Loss of key partners/suppliers
d) Loss of infrastructure services
(CC)085 – Corporate
Business Continuity
key role training -
80
(CC)068 - Complete critical
services' BCPs – On track.
All Critical services now
have carried out Business
Impact analyses except
Revenues and Benefits
which is now at draft stage.
All critical services have
plans except Revenues and
Benefits. The Civil
Contingencies Manager is
continuing to work with the
manager concerned and
work is under way to
complete the
documentation. All plans
are expected to be in place
4x2=8
Delivering
the Vision
Richard
Cook - Civil
Contingenc
ies
Manager,
Steve
Hems Head of
Environme
ntal Health
13
Corporate Risk Register June 2013
No
1. Cause of risk
Audit Committee 18 June 2013
Existing controls
2. Description of risk or potential
event
Score (with
controls)
Action (to achieve target
score) and Date for action
to be completed
Impact x
Likelihood =
Total
3. Consequence of risk happening
Implemented
Target
Score
Impact x
Likelihood
= Total
Corporate
Objective /
Service
Priority
Officer
by June 2013.
A reduction in the ability of the Council
to deliver services, possibly at a time of
increased demand from the community.
Next Review – July 2013, including format of presentation.
81
14
Audit
18 June 2013
Agenda Item No____12_______
Business Continuity
Summary:
Six monthly update on business continuity planning, the
progress made to date, ability to respond to any disruptive
events that have recently occurred and the outline of future
objectives.
Conclusions:
Recommendations:
That members note the contents of the report.
Cabinet member(s):
Ward(s) affected:
All
All
Contact Officer, telephone number, Richard Cook
01263 516269
and e-mail:
richard.cook@north-norfolk.gov.uk
1.
Introduction
Part of the Civil Contingencies team’s (CCT) role is to ensure that the Authority has a
robust and effective business continuity plan (BCP) in place. As reported previously
CCT are working with Service Managers to ensure that all relevant plans are up to date
and appropriate.
2.
Team Business Continuity Plans
All teams should produce a Business Impact Assessment (BIA), this will allow an
analysis of the team to be carried out and give an indication that a team delivers a
critical service or not.
Below is a table that sets out the latest position of team BC plans:
82
Audit
18 June 2013
The Column below shows teams
with BC Plans in place
The Column below
shows teams with no
BC plans
Planned
completion
dates
HR
Benefits (draft)
1st week
June13
Housing (Strategy & Options)
Electoral Services
End May 2013
CLT
Environmental Health (EP,
Comm, Licensing & CCT)
Finance
Payroll
Environmental Services (Waste)
IT
Property Services BIA & Plan
Customer Services
Web & Comms
Non Critical Services
Non Critical Services
Sustainability
Leisure (Draft)
End July 13
Reprographics
Economic Development
1st week June
Policy and Performance
Legal (now in draft)
End of May 13
Building Control
Democratic Service
End of May 13
Planning
A spread sheet is being produced as part of the analysis of all the BC documentation
and this will allow the authority to see what staffing levels, equipment and specific
functions will be required at each period of the disruption. This information will allow for
a more strategic view to be taken with the BC planning in the event of an incident.
3.
Business Continuity Working Group (BCWG)
The BCWG still continues to meet and is ensuring that business continuity is embedded
within the organisation. During these meeting the group continue to refine and to carry
out on-going review of the top level Business Continuity Plan.
83
Audit
4.
18 June 2013
Disruptive Events
On 18th January the Crisis Management Group (CMG) met to plan for the potential
disruptive weather that was predicted. The CMG put into place a strategy that ensured
that we were able to deliver the authorities critical services. This was the first use of the
new business continuity plan.
The CMG meeting was successful as it was attended by the key managers who were
able to make the decisions to control the event. The contingency plan put into place
allowed non-critical staff to travel home within day light hours, whilst ensuring that
critical service could still be maintained.
It should be noted that very good levels of staff flexibility helped with the management
and service delivery during this disrupted event.
After the event the Civil Contingencies Manager conducted a structured reflective debrief exercise with service managers and the lesson identified have been investigated.
Any improvements and will be implemented to allow an enhanced BC response in the
future. The report can be seen at Appendix K to this briefing note.
5.
Corporate BC Plan
The NNDC Corporate BC Plan has been revised and is ready for issue and is just
awaiting sign off by CLT. The plan and the staff action cards have now been simplified
with flow diagrams. The Civil Contingencies Manager has undertaken one to one
training on all the action cards with the relevant Managers and the critical members of
staff. This has served as the initial training requirement for the new plan. In addition a
consultant has been procured to deliver business continuity training in June. This will be
aimed at service managers so they will be able to deliver BC training to all their staff
during their own team briefings.
6.
Disaster Recovery (DR) and Work Action Recovery (WAR) Site
The disaster recovery suite is now in place within the Fakenham Connect building and
work will continue with setting up the Work Action Recovery site once the IT work load
has reduced. It is anticipated that this work will be completed by September 2013
providing the funding has been secured.
84
APPENDIX K
Business Continuity - Snow and Ice Friday 18th Jan 2013
Reflective Debrief Summary
Managers were asked to record three things that did not work well and need to be
reviewed/followed up, these are summarised here.
Messages about the weather were sent from 3 or more sources although helpful it
could have led to mixed messages being sent out.
Home working capabilities was underestimated.
Could have had issues if an emergency HHSRS or fire inspection was required.
Customer services phones were diverted to CEx’s PA.
Was the BCP evoked to late, if earlier this may have helped a more co-ordinated
approach
Enhanced car share scheme
Issues around reception phone, not equipment.
Fakenham DR/WAR could have helped if it was in place.
Not enough staff to cover Customer Services phones.
Kier stood down whilst Customer services at NNDC was still in.
Managers were asked to record three positive things relating to the response that worked
well, these are summarised here.
Team BC plans worked well
Liked travel and weather links that were put onto the intranet pages
Staff understood the importance to get into work
Internal communications was satisfactory
Staff were flexible and worked late if required
Good support from CMG
Senior management checked what staff had got into work
CMG meet and put in place a procedure to reduce the staffing levels to allow staff to
travel during daylight.
The Authority delivered its essential services.
BC plan for waste collection was put into place and the media and public information
worked well.
Members were kept informed.
Team plans worked well.
Managers were asked to record what three things they would change/implement to improve
the response to a flooding emergency in Wells, these are summarised here:
Home working Levels
Better internal staff communications
Work Action Recovery site would have helped
Better use of staff and x training if required
Despite good media coverage in the local media and on NNDC website a lot of
residents seemed unaware of the scale of disruption and how it would affect
85
APPENDIX K
them. I would like to look at technology solutions to enhance communications
abilities e.g Twitter/social networking and Text messaging
Look at ways to improve real time communications with residents
Run a similar de-brief exercise with Kier to look at ways to improve their
processes and response.
Positive Learning
Managers were asked to record what the most significant thing they have learnt from taking
part in the exercise and identify future use of that learning.
The most significant thing I have learnt from this
event is….
I can use this positively in the future
by….
Home working levels
To reduce save staff travelling levels.
Internal messages for all staff
To ensure a co-ordinated message being sent
out to all staff.
How the WAR/DR site could have helped to
improve service and staff safety
Staff living in the west of the district could
have worked out of the Fakenham office and
reduced travelling to the Cromer offices.
Flexibility to move staff to busy areas
During BC events some teams will become
busier and will need their staff levels to be
reinforced form less busy service areas.
Control and understanding of telephone systems
To allow phones to be transferred to staffed
work areas.
General Comments:
Overall the BC plan worked well and the Authority was able to deliver is critical functions.
Staff proved to be flexible and helpfully.
Civil Contingencies Manager Summary
Overall I think that the Authority coped well with the poor weather conditions that were
experienced on the 18th January 2013. The Business Continuity Plan was invoked and the
Crisis Management Group (CMG) met the day before the predicted disruption. CMG put into
place a strategy that ensured that we were able to deliver the authorities critical services.
This was the first use of the new business continuity plan and the correct managers were
available and able to make the decisions for the CMG meeting. The contingency plan also
allowed non-critical staff to travel home within day light hours. It should be noted that very
good levels of staff flexibility helped with the management and service delivery during this
disrupted event.
86
APPENDIX K
Below is a table detailing lessons learnt:
Action point
Ensure a co-ordinated approach
to messages being given to all
staff
Home working levels not at
expected levels
Issued with shortage of
correctly trained staff
Who
CMG/CLT and CCM
Customer Services phones
CCM/IT Manager & Customer
Service Manager
Enhanced car share scheme
All team managers and CCM
DR/WAR site could have helped
in this case
CCM/IT Manager and Property
Services Manager
Contractor staff stood down
without informing customer
services.
Not all members of the public
were aware of the disruption to
the waste collection service
Run structured debrief with
Kier the waste contractor
ES officer and CCM to discuss
CCM/IT Manager
All service managers/CCM
ES officer
Progress / Completed
Staff message will be put on the
intranet, this was implemented
during this disruption
On-going progress with CCm &
IT
Check that team BCP reflect
need for additionally trained
staff i.e. HHSRS ( speak to Hof
EH)
Arrange a meeting to discuss a
way forward. All managers to
be aware to inform CMG of
potential staff shortages.
Managers to look to make this
part of their team BC plan.
Corporately this could be
delivered via the intranet?
This project is underway and is
a priority task for the IT
manager. It will bring major
benefits to the authority with
all types of BC incidents
Will form part of the structured
de-brief with Kier staff
ES officer to discuss this issue
with media team. Possible use
or social Media
Arrange a date for CCM to
facilitate this with Kier and ES
team/ Customer services
ES officer and CCM
Richard Cook
Civil Contingencies Manager
87
Agenda item
13
MINUTES FROM
IT STRATEGY GROUP MEETING
26 MARCH 2013
NICK BAKER’S OFFICE
Present:
Nick Baker (NB)
Estelle Packham (EP)
Helen Mitchell (HM)
Cllr Tom FitzPatrick (TFP)
Steve Hems (SH)
Jeanette Wilson (Minutes)(JW)
Actions
1.
Apologies
None received
2.
Introduction
NB introduced the draft IT Strategy and confirmed that this has been
condensed down. We are now at a point where we need to move
forward with a longer term strategy and identify IT priorities and vision
separately to the more operational work contained in this document.
The strategy contains the main areas that will benefit the Council in
terms of supporting and delivering already planned service and
corporate improvements
3.
Existing Strategy Draft
HM went through the strategy in detail and confirmed that this will need to
be agreed at CLT level but with broad agreement across the Council.
The following priorities were briefly discussed:
Customer Services
Corporate Systems
Exploit and improving existing IT assets and systems –
o HM was asked to change this to read - Maximise the use of
the functionality and capability of the system
Enable flexible/mobile/ working
Maximise efficiencies whilst maintaining the right level of service
Reliable IT Service
IT investment strategy
4.
Current workplan
HM went through the IT workplan both current and future as of February
2013 and highlighted the following tasks:
88
HM
Office moves – only doing essential office moves which are around
telephony and Electoral Registration with Customer Services during
August
Democratic Services system (workflow and documents) – this project
has aggressive timescales. Initial demo and scoping meeting took
place last week with officers. HM was reminded that Members need
to be included in any future demos once a decision has been made
on systems
Mobile telephones –
o 1) make sure we have appropriate guidance and the right
phones etc
o 2) members equipment – ipads for Members has been agreed
and HM to order a further 7 for those members who have yet
to receive one
Twitter – A corporate approach to social media messages is required
for the authority to ensure quality control
New Housing Allocations scheme – Agreement has been reached to
extend the contract with the current supplier. EP to make sure Lisa
Grice reports this back to the Housing Delivery Board
M3 DMS – negotiated as part of the new contract
OPEN Revenues additional modules – Negotiation with Civica needs
to take place, as the contract states we still have to pay even if not
implemented by 31 May
Integrated Payroll, Personnel and Recruitment System Procurement Northgate contract with Payroll runs out in June, and a way forward is
being discussed
5.
Staff Structure
HM/EP will be presenting a plan to CLT shortly for a mini restructure
in the IT team
6.
HM/EP
Longer Term Work
Extra resource is required to facilitate the longer term workplan and to
buy in some help on an “invest to save” basis
7.
Any other business
The workplan has been circulated to Heads of Service for comment
and HM has been liaising with service areas to gain their buy-in
8.
Date of next meeting
JW to schedule a meeting for early May
89
JW
Download