Please Contact: Linda Yarham Please email: linda.yarham@north-norfolk.gov.uk Please Direct Dial on: 01263 516019 7 June 2013 A meeting of the Audit Committee of North Norfolk District Council will be held in the Committee Room at the Council Offices, Holt Road, Cromer on Tuesday 18 June 2013 at 2.00 pm Members of the public who wish to ask a question or speak on an agenda item are requested to arrive at least 15 minutes before the start of the meeting. It will not always be possible to accommodate requests after that time. This is to allow time for the Committee Chair to rearrange the order of items on the agenda for the convenience of members of the public. Further information on the procedure for public speaking can be obtained from Democratic Services, Tel: 01263 516047, Email: democraticservices@north-norfolk.gov.uk Sheila Oxtoby Chief Executive To: Mr N D Dixon, Mr B Jarvis, Mrs A Moore, Miss B Palmer, Mr R Reynolds and Mr D Young All other Members of the Council for information. Members of the Management Team, appropriate Officers, Press and Public If you have any special requirements in order to attend this meeting, please let us know in advance If you would like any document in large print, audio, Braille, alternative format or in a different language please contact us Chief Executive: Sheila Oxtoby Strategic Directors: Nick Baker and Steve Blatch Tel 01263 513811 Fax 01263 515042 Minicom 01263 516005 Email districtcouncil@north-norfolk.gov.uk Web site northnorfolk.org AGENDA 1. TO RECEIVE APOLOGIES FOR ABSENCE 2. PUBLIC QUESTIONS To receive public questions, if any 3. ITEMS OF URGENT BUSINESS To determine any items of business which the Chairman decides should be considered as a matter of urgency pursuant to Section 100B(4)(b) of the Local Government Act 1972. 4. DECLARATIONS OF INTEREST Members are asked at this stage to declare any interests that they may have in any of the following items on the agenda. The Code of Conduct for Members requires that declarations include the nature of the interest and whether it is a disclosable pecuniary interest. 5. (Page 1) MINUTES To approve as a correct record, the minutes of the meeting of the Audit Committee held on 19 March 2013. 6. AUDIT UPDATE AND ACTION LIST (Page 6) To monitor progress on items requiring action from the meeting of 19 March 2013, including progress on implementation of audit recommendations. 7. AUDIT COMMITTEE WORK PROGRAMME (Page 7) To review the Audit Committee Work Programme 8. ANNUAL REVIEW OF THE EFFECTIVENESS OF INTERNAL AUDIT (Appendix A – page 11; Appendix B – page 19) Summary: Conclusions: (Page 8) This report sets out the results of an annual review of the effectiveness of Internal Audit, undertaken to satisfy criteria in the Accounts and Audit Regulations 2011. Internal Audit’s performance and quality assurance framework has been examined to enable the Audit Committee to confirm whether Internal Audit Services are effective, and that the assurances provided in the Internal Audit Annual Report and Opinion can be relied upon, and used to inform the Council’s Annual Governance Statement for 2012/13. The outcomes of the review are attached at Appendix A. The report seeks to demonstrate that due processes have been followed in relation to conducting an annual review of the effectiveness of Internal Audit, and on the basis of information provided, it has been confirmed that reliance can be placed on the opinions expressed by the Internal Audit Consortium Manager, which can then be used to inform the authority’s Annual Governance Statement. Recommendations: Cabinet member(s): All Contact Officer, telephone number, and e-mail: 9. It is recommended that the Committee note the findings of the review, and the evidence gathered in support of the effectiveness of the Internal Audit Service, and takes these into consideration when receiving the Internal Audit Consortium Manager’s Annual Report and Opinion, and the Council’s Annual Governance Statement. Ward(s) affected: All Sandra King, Internal Audit Consortium Manager 01508 533863, scking@s-norfolk.gov.uk INTERNAL AUDIT CONSORTIUM MANAGER’S ANNUAL REPORT AND OPINION FOR 2012/13 IN RESPECT OF NORTH NORFOLK DISTRICT COUNCIL (Page 20) (Appendix C – page 30; Appendix D – page 33; Appendix E – page 35; Appendix F (exempt) – page 90; Appendix G – page 58; Appendix H – page 59; Appendix I – page 61) NB: Appendix F is exempt under Section 100A(4) of the Local Government Act 1972 as it involves the likely disclosure of exempt information as defined in paragraph 1 of Part I of Schedule 12A (as amended) to the Act. Summary: This report has been developed to satisfy the mandatory requirements of the new Public Sector Internal Audit Standards (PSIAS), effective from 1 April 2013, and specifically Standard 2450, concerning the provision of an annual audit opinion on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control, which, in turn, should be used to inform the Council’s Annual Governance Statement. The report also seeks to confirm compliance with the Accounts and Audit (England) Regulations 2011, whereby the Council is required to ‘undertake an adequate and effective internal audit of its accounting records and of its system of internal control in accordance with the proper practices in relation to internal control’. The standards for ‘proper practices’ for internal audit applying to 2012/13 were detailed in CIPFA’s Code of Practice for Internal Audit in Local Government in the United Kingdom (2006), although for 2013/14 onwards, the Code has been superseded by consolidated Public Sector Internal Audit Standards. To demonstrate that this authority has met its statutory requirements, as recognised above, the Internal Audit Consortium Manager has produced this Annual Report and Opinion, drawing upon the outcomes of Internal Audit work performed over the course of the year, to formulate an opinion concerning the overall internal control environment which has been operating at the Council throughout 2012/13. Conclusions: Recommendations: On the basis of Internal Audit work performed during 2012/13, the Internal Audit Consortium Manager is able to give an adequate opinion to the organisation’s control framework, an adequate opinion to the Council’s systems of risk management and a good opinion regarding corporate governance arrangements currently in place. It is It ii It is recommended that the Committee: 1. Receive and consider the contents of the Annual Report of the Internal Audit Consortium Manager. 2. Note that an adequate audit opinion has been given in relation to the overall adequacy and effectiveness of the organisation’s governance, risk and control framework (i.e. control environment) for the year ended 31 March 2013. 3. Note that good assurance has been awarded to Corporate Governance provisions for the year ended 31 March 2013. 4. Note that an adequate audit opinion has been applied to systems of risk management for the year ended 31 March 2013. 5. Note that the opinions expressed together with significant matters arising from internal audit work and contained within this report should be given due consideration, when developing and reviewing the Council’s Annual Governance Statement for 2012/13. Cabinet member(s) Wards: Contact Officer, telephone number, and e-mail: 10. All All Sandra King, Internal Audit Consortium Manager 01508 533863 scking@s-norfolk.gov.uk THE STATUS OF AGREED AUDIT RECOMMENDATIONS DUE FOR IMPLEMENTATION BY 31 MARCH 2013 (Appendix J – page 67) Summary: (Page 63) This report provides an overview of progress made in implementing the agreed audit recommendations due for completion by 31 March 2013. Conclusions: Good progress has been achieved in relation to the completion of agreed Internal Audit recommendations. Recommendations: It is recommended that the Committee notes management action taken to date regarding the implementation of audit recommendations. Cabinet member(s): All Contact Officer, telephone number, and e-mail: 11. Ward(s) affected: All Sandra King, Internal Audit Consortium Manager 01508 533863, scking@s-norfolk.gov.uk CORPORATE RISK REGISTER (Page 68) To discuss the Corporate Risk Register. Contact Officer, telephone number and email: Karen Sly, 01263 516243, Karen.sly@north-norfolk.gov.uk 12. (Page 82) BUSINESS CONTINUITY (Appendix K – page 85) Summary: Six monthly update on business continuity planning, the progress made to date, ability to respond to any disruptive events that have recently occurred and the outline of future objectives. Conclusions: 13. Recommendations: That members note the contents of the report. Cabinet member(s): All Contact Officer, telephone number, and e-mail: Ward(s) affected: All Richard Cook 01263 516269 richard.cook@north-norfolk.gov.uk IT STRATEGY GROUP MEETING MINUTES 26 MARCH 2013 (Page 88) To note the minutes of the IT Strategy Group. 14. EXCLUSION OF THE PRESS AND PUBLIC To pass the following resolution, if necessary: “That under Section 100A(4) of the Local Government Act 1972 the press and public be excluded from the meeting for the following items of business on the grounds that they involve the likely disclosure of exempt information as defined in of Part I of Schedule 12A (as amended) to the Act.” Agenda item ___5 AUDIT COMMITTEE Minutes of a meeting of the Audit Committee held on Tuesday 19 March 2013 in the Committee Room, Council Offices, Holt Road, Cromer at 2.00 pm. Members Present: Committee: Mr N D Dixon (Chairman) Mrs A Moore Mr R Reynolds Mr B Jarvis Miss B Palmer Mr D Young Officers in Attendance: The Head of Finance, the Head of Internal Audit, the Revenues and Benefits Services Manager and the Democratic Services Officer (IV). Also in Attendance: Julian Rickett, Aphrodite Antoniades (PriceWaterhouseCooper) 39. APOLOGIES None received. 40. PUBLIC QUESTIONS None received. 41. ITEMS OF URGENT BUSINESS Although there were no items of urgent business, the Chairman reported upon informal discussions held before the meeting, to help inform the way that the Committee moved forward. In recognition of a shortfall identified in training and development, he had discussed with the External Audit Engagement Leader the provision of a session to widen the skills required by Audit Committee Members. He asked that Democratic Services make arrangements for the scheduling of such a session. 42. DECLARATIONS OF INTEREST None. 43. MINUTES The Minutes of the meeting of the Audit Committee held on 04 December 2012 were approved as a correct record. On Minute 34: Progress on Internal Audit Activity, Mr D Young enquired as to progress on the recruitment to the Procurement Officer vacancy. The Head of Financial Services stated that, following an earlier unsuccessful attempt to recruit, the role had now been incorporated into that of Chief Accountant. Interviews would be taking place in the next week and Members would be updated at the next meeting. Following the confirmation of the commitment to reinstate the ICT Strategy Group, as mentioned under the same Minute, Mr Young asked whether the Group had met. The Head of Finance said that the Group had not yet been set up. The Democratic Services Officer undertook to look into this matter. Audit Committee 1 19 March 2013 In reply to a question from Mr R Reynolds on the absence through sickness of a member of staff referred to in Minute 36: Business Continuity, the Head of Finance reported that the officer had now returned to work. 44. AUDIT UPDATE AND ACTION LIST Members were updated on progress on actions arising from the minutes of the meeting of 04 December 2012. A revised version of the Constitution had been completed and recently published, incorporating all agreed changes and details requiring amendment since the previous edition. Mrs A Moore was disappointed that it had not been possible to produce this in the loose-leaf format for which a preference had been expressed. The Revenues and Benefits Services Manager reported on changes whereby the Council’s fraud investigation officers would be merged with those of the Department of Work and Pensions, prior to the introduction of universal credit. It was now understood that this had been put back to April 2014. The Fraud Policy would need to be amended to reflect the changes to Council Tax Benefits. A report would go to Cabinet in September. The Revenues and Benefits Services Manager gave a detailed progress report on data merging proposed under the Shared Services Partnership and subsequent events. The situation had previously been reported to the Overview and Scrutiny Committee. The new software incorporated the integration of Council Tax, business rates, benefits and workflow. The original intention had been a merged database between North Norfolk and the Borough of King’s Lynn and West Norfolk. Following conversion, there had been technical difficulties accessing the data held at King’s Lynn. Given these issues, backlogs at both authorities, coping with legislative changes and poor staff morale, it had been agreed to delay the data merge until April/May 2013. The technical problems of accessing the data had continued, impacting on performance and staff morale problems. It had been agreed by the Steering Group and Partnership Board that the data would have to be returned to Cromer. Data had been transferred back in December for testing and then “live” (subject to further testing) in January. Deadlines had been affected by the approaching annual billing process. The system now operated in a stable and reliable environment, with the speed of operation, performance and staff morale improving considerably. Benefits claims were now being processed in 10-11 days, as opposed to 44 days. The year end had been challenging, but Council tax bills and benefits statements had all been issued. In thanking the Revenues and Benefits Services Manager for her report, the Chairman asked whether she felt any lessons had been learned by the Council. In reply, the officer stated that assurances had been given that the software would work; this was confirmed by testing, but not supported when volume was applied. In reply to a question from Mr B Jarvis, she added that this experience had not been discouraging; the need to be more challenging had been taken on and had to be put into practice if similar projects were to be undertaken. Business Continuity was considered under a separate agenda item (see Minute 48 below). Other actions had been completed as set out in the report. Audit Committee 2 19 March 2013 45. CERTIFICATION REPORT (2011/12) – REPORT TO THOSE CHARGED WITH GOVERNANCE Julian Rickett, External Audit Engagement Leader, explained that the issue of the Annual Certification report met an Audit Commission requirement. Certification work was carried out by external auditors, effectively as agents for the Audit Commission, as a form of assurance engagement in relation to bodies who made grants to local authorities; it involved the application of prescribed tests in accordance with certification Instructions, to give reasonable assurance that claims and returns were fairly stated and in accordance with specified terms and conditions. He drew attention to claims and returns certified, with qualifications, in respect of the Housing and Council Tax Benefits Scheme and the National Non-Domestic Rates, and appendices covering the Management Action Plan and Certification Fees. `Mr D Young noted that, in both certified claims, the original and final values remained constant. Mr Rickett confirmed that this meant that in each case the claim had been accurate. In reply to a further question from Mr Young, Mr Rickett explained that the statement on the possibility of a reduction of fees in certain circumstances (Appendix A) was a standard comment; the areas shown where an authority’s performance could possibly be improved was not an indication of any weakness on the part of North Norfolk in these fields. In reply to Mr R Reynolds, Mr Rickett stated that training for benefits assessors was ongoing, as agreed in the management response to a recommendation on the Housing and Council Tax Benefits Subsidy Claim. On the same subject, Mr Rickett confirmed that the issue of non-compliance with all deadlines for the submission of claim forms had been addressed. RESOLVED That the Certification Report for 2011/12 be accepted. 46. EXTERNAL AUDIT PLAN 2012/13 The External Audit Engagement Partner presented the Audit Plan, which had been developed with the assistance of Council Members and Officers. He asked the Committee to consider the proposed scope, whether Members were comfortable with the audit risks and approach, to consider and respond to the matters relating to fraud and to agree fees. The section of the plan relating to Risk Assessment highlighted the two areas of management override of controls and revenue recognition and the risk of fraud inherent in both areas. He stressed that the identification of both as “Significant” risks applied to organisations generally; risks classified as “Elevated” in these areas were also common among authorities. In reply to a question from Mr Young, he commented that the Plan contained little in the way of material changes and that the “Significant” and Elevated” risks were the same as for the previous year. Members noted that the proposed fees had decreased. Mr Rickett explained that this was mainly due to changes in the Audit Commission’s billing arrangements. The Committee expressed its satisfaction with the scope of the plan, the risks and the general approach taken. RESOLVED Audit Committee 3 19 March 2013 1) That the External Audit Plan for 2012/13 be agreed 2) That the proposed audit fees for the year be approved. 47. INTERNAL AUDIT’S TERMS OF REFERENCE, PERFORMANCE INDICATORS, CODE OF ETHICS, STRATEGY, AUDIT PLANS AND SUMMARY AUDIT COVERAGE INFORMATION FOR 2013/14 The Head of Internal Audit explained that the report provided an overview of the stages to be followed towards ensuring that the service met the requirements set out in the Accounts and Audit Regulations 2011 and appropriate professional standards. The report also aimed to clarify the links between the various documents presented for approval to that end. Current provisions mirrored CIPFA Code of Practice requirements. However, on 1 April 2013, new Public Sector Internal Audit Standards would be introduced. Detailed guidance on the new standards would not be available before then and, once this had been published, all aspects of service delivery and documentation would be reviewed and updated as necessary. It was known that the proposed Code of Ethics completely reflected the new standards. The Audit Strategy included a rationalisation exercise which reduced standard times for many tasks. The resultant savings were identified in the Strategic Audit Plan, which had been prepared according to current conditions. Detailed consultation had taken place in the preparation of the Annual Audit Plan, which would serve as the work programme for the Council’s internal audit services contractor, Deloitte Public Sector Internal Audit Ltd. The Summary of Internal Audit Coverage documentation provided a good overview and a framework for the next year’s tasks; it gave service areas a good idea of where Internal Audit would be concentrating its efforts, whilst at the same time allowing for flexibility. The Map of Audit Assurances indicated how the controls worked. Mr Young asked whether another audit was planned on the subject of ”Whistleblowing” and also when the IT Network infrastructure would be looked at again. In reply, the Head of Internal Audit said that the “Whistleblowing” problem had been rectified by the production of a comprehensive policy; the Monitoring Officer had considered that what had been required was an update of earlier material. The IT Network Infrastructure would be looked at again in October. The Chairman emphasised the importance of the documentation in setting the scene for the coming year, bringing together Internal and External Audit, Management and the Audit Committee. It was therefore essential that the Committee was satisfied that what was eventually agreed represented a good approach with adequate coverage. The Head of Internal Audit explained how Internal and External Audit worked closely together. The Chairman recognised the benefit of this to the Council, as well as the value of the Head of Internal Audit’s work with other organisations. RESOLVED That the following be approved: Internal Audit’s Terms of Reference and Performance Indicators for 2013/14 Internal Audit’s Code of Ethics for 2013/14 Internal Audit Audit’s Strategy for 2013/14 Audit Committee 4 19 March 2013 The Strategic Audit Plan for 2013/14 to 2015/16 The Annual Audit Plan for 2013/14 The Summary of Internal Audit Coverage for 2013/14 48. BUSINESS CONTINUITY The Civil Contingencies Manager had been unable to attend the meeting, but had submitted a paper providing a six-monthly update on Business Continuity planning. The Chairman reminded Members that this topic had given rise to concerns for some time and there was still work to be done towards the production of a plan that would ensure an agreed standard of continuity for business operations. Members had some sympathy with the difficulties of co-ordinating the completion of plans for all service areas. There was general agreement with the observation by Mr B Jarvis that a third column in the chart attached to the agenda, setting target dates, would be useful. Not only would this give the Committee forecasts for consideration, but also assist the Civil Contingencies Manager in securing the necessary action. The Chairman suggested that the Civil Contingencies Manager be asked to provide this information to Members in advance of the June meeting, so that the Committee was in a position to review the matter at that time. RESOLVED 1) That the contents of the report be noted 2) That the Civil Contingencies Officer be asked to attend the next meeting and, in the meantime, to provide forecast completion dates for the respective Business Continuity documents. 49. AUDIT COMMITTEE WORK PROGRAMME The Chairman referred to the Work Programme for the Committee up to December 2013, as set out in the agenda. He pointed out that the subject of Risk would now be coming to the June meeting. RESOLVED To note the Work Programme. The meeting ended at 3.30 pm. ______________________ Chairman Audit Committee 5 19 March 2013 Agenda Item 6 AUDIT COMMITTEE 19 MARCH 2013 – ACTIONS ARISING FROM THE MINUTES 1. ICT Strategy Group A query had been raised regarding the reinstatement of the ICT Strategy Group. This has now met and the minutes are attached. Democratic Services 2. Constitution A member had asked why the Constitution was not issued in a loose-leaf format. This had been considered but there was a cost implication and there was also a concern that there would be a reliance on all members to update their version as soon as an amendment was issued. There was a risk that potentially there could be several different versions in circulation. The latest version would also be on the website at all times so members could always refer to that if necessary. Democratic Services 3. Business Continuity To attach an additional column to the chart setting target dates for completion of service plans Richard Cook 4. External Audit training To arrange a training session on external audit to widen the skills of the committee. Democratic Services has contacted Julian Rickett and this has been set in process. Alison Ridley will contact Democratic Services to discuss options, timing and cost. 6 Democratic Services Agenda Item 7 AUDIT COMMITTEE WORK PROGRAMME 2013 - 2014 JUNE 2013 SEPTEMBER 2013 DECEMBER 2013 MARCH 2014 PWC Internal Audit Annual Review of the Effectiveness of Internal Audit PWC 2012/13 Annual Governance report (ISA260) Protocol for liaison between internal and external auditors External Audit training for Committee Annual Audit Letter (PWC) Audit Plan (PWC) Annual Grant Certification Report Quarterly Summaries of completed audits Half yearly progress reports on the overall performance of the audit contract Quarterly Summaries of completed audits – not provided this month as only one report available. Report on follow-up work Audit Plan Annual Report and Opinion Status of agreed actions Undertake selfassessment NNDC Corporate Risk Register/ risk management framework Business Continuity Plan Review Statement of Accounts (+ informal training) Business Continuity Business Continuity Business Continuity Review Monitoring Officer’s Report (deferred to September) Local Code of Corporate Governance and Action Plan – update Annual Governance Statement 2012/13 – update 7 Corporate Risk Register / risk management framework Audit Committee 18 June 2013 Agenda Item No____8_______ Annual Review of the Effectiveness of Internal Audit for 2012/13 Summary: This report sets out the results of an annual review of the effectiveness of Internal Audit, undertaken to satisfy criteria in the Accounts and Audit Regulations 2011. Internal Audit’s performance and quality assurance framework has been examined to enable the Audit Committee to confirm whether Internal Audit Services are effective, and that the assurances provided in the Internal Audit Annual Report and Opinion can be relied upon, and used to inform the Council’s Annual Governance Statement for 2012/13. The outcomes of the review are attached at Appendix A. Conclusions: The report seeks to demonstrate that due processes have been followed in relation to conducting an annual review of the effectiveness of Internal Audit, and on the basis of information provided, it has been confirmed that reliance can be placed on the opinions expressed by the Internal Audit Consortium Manager, which can then be used to inform the authority’s Annual Governance Statement. Recommendations: It is recommended that the Committee note the findings of the review, and the evidence gathered in support of the effectiveness of the Internal Audit Service, and takes these into consideration when receiving the Internal Audit Consortium Manager’s Annual Report and Opinion, and the Council’s Annual Governance Statement. Cabinet member(s): All Contact Officer, number, and e-mail: 1. 1.1 Ward(s) affected: All telephone Sandra King, Internal Audit Consortium Manager 01508 533863, scking@s-norfolk.gov.uk Background CIPFA’s Statement on the Role of the Head of Internal Audit in Local Government states that “the Head of Internal Audit occupies a critical position in 8 Audit Committee 18 June 2013 a local authority, helping it to achieve its objectives by giving assurance on its internal control arrangements and playing a key role in promoting good corporate governance”. 1.2 The Accounts and Audit Regulations 2011 further require that a Council the size of North Norfolk must undertake an annual review of the effectiveness of its internal audit function, and that this review be undertaken by the same body that reviews the effectiveness of the system of internal control. To assist this process, Internal Audit working practices are required to comply with CIPFA’s Code of Practice for Internal Audit in Local Government in the United Kingdom (2006), although these arrangements are set to change from 2013/14 when new consolidated Public Sector Internal Audit Standards (PSIAS) will replace CIPFA’s Code of Practice. However, for the purposes of this effectiveness review, the Code of Practice remains applicable and an assessment has been undertaken to verify the level of compliance achieved during 2012/13, but it should also be appreciated that steps are currently under way to migrate to the new Standards in the new financial year. 1.3 The existing performance and quality assurance framework developed by the Internal Audit Consortium Manager to ensure adherence to CIPFA’s Code of Practice predominantly meets much of the newly introduced PSIAS requirements, although they have also now created an obligation to arrange for an external assessment of the effectiveness of internal audit at least once every five years. The way in which external assessments should be conducted is covered in PSIAS No.1312 and summarised at Appendix B to this report, to give members early oversight regarding provisions that will need to be developed in the future. 1.4 With reference to the 2012/13 review of the service’s effectiveness however, members can be satisfied that the relevant assurances provided are reliable and based upon a firm foundation, and that the service itself is operating effectively. 1.5 A summary of review outcomes are attached at Appendix A, and essentially benchmark the service against a range of 8 measures, whilst additional supporting information generated in the course of the review, has been supplied to the Council’s Section 151 Officer to afford independent verification of the detailed processes followed by the Internal Audit Consortium Manager as the authority’s Head of Internal Audit. 2. Conclusion 2.1 The outcomes of the Effectiveness Review confirm that Internal Audit: Is delivering against its aims and objectives. Is substantially complying with recognised good practice as specified in the CIPFA Code of Practice for Internal Audit in Local Government and the CIPFA Statement on the Role of the Head of Internal Audit in Public Service Organisations. Is meeting its internal quality standards. Is supporting management in the monitoring and further development of the Council’s internal control environment, making practical audit recommendations and overseeing implementation of agreed actions. 9 Audit Committee 18 June 2013 Is continually looking at ways of improving service delivery, adding value wherever possible. Is working closely with its External Audit colleagues to ensure they can place reliance on its work. Is supporting the Audit Committee as it strives to be more effective. These findings therefore indicate that reliance can be placed on the opinions expressed by the Internal Audit Consortium Manager, which can then be used to inform the Council’s Annual Governance Statement. 3. Recommendation 3.1 The Committee is recommended to note the findings of the Annual Effectiveness Review, and be assured that the opinions given in the Annual Report and Opinion may be relied upon as a key source of evidence in the Council’s Annual Governance Statement. Appendices attached to this report: Appendix A: Annual Review of the Effectiveness of Internal Audit Appendix B: Public Sector Internal Audit Standards Requirements concerning External Assessments of the Effectiveness of Internal Audit 10 Appendix A Annual Review of the Effectiveness of Internal Audit The Scope of this Review This review is primarily about effectiveness, not process. In essence, the need for the review is to ensure that the opinions expressed by the Internal Audit Consortium Manager in the Annual Report may be relied upon as key sources of evidence in the Annual Governance Statement. In order for North Norfolk District Council to be able to place reliance on the opinions contained within the Annual Report and Opinion, the Internal Audit Consortium Manager (as the Council’s Head of Internal Audit) has in place a performance and quality assurance framework to demonstrate that the Internal Audit Service is: Meeting its aims and objectives. Being compliant with the CIPFA Code of Practice for Internal Audit in Local Government. Being compliant with the CIPFA Statement on the Role of the Head of Internal Audit in Public Service Organisations. Meeting internal quality standards, confirmed through performance indicators and post audit feedback received. Putting forward practical audit recommendations that are agreed with senior management and lead to ongoing improvements to the internal control environment at the Council, as evidenced by the subsequent implementation of agreed actions. Continually seeking to improve service delivery whilst also adding value and assisting the Council in meeting its objectives. Producing work which the External Auditor is able to place reliance upon. Supporting an effective Audit Committee. Delivering the Aims and Objectives of Internal Audit The aims and objectives of the Internal Audit Service are established in Internal Audit’s Terms of Reference, Internal Audit’s Strategy, Annual Audit Needs Assessment and Strategic and Annual Audit Plans, which are updated each year and submitted to the Audit Committee for formal approval. There are essentially three main objectives which drive service delivery: Objectives To provide an independent and objective opinion to the organisation on the control environment comprising risk management, control and governance, by evaluating its effectiveness in achieving the organisation’s objectives. Means of delivery In June each year, the Head of Internal Audit provides an annual opinion on the Council’s system of internal control, and its arrangements for corporate governance and risk management. Internal Audit’s Terms of Reference (Section 5 – Internal Audit’s Independence and Accountability) and Code of Ethics explain how the Council’s Internal Auditors are able to provide independent and objective opinions in relation to individual audit assignments 11 and when developing an overarching annual opinion. To carry out an examination of the The Internal Audit Strategy and Terms of accounting, financial and other Reference demonstrate that Internal operations of the Council. Audit reviews the full range of operations at the Council. All planned audit coverage is determined with the aid of a risk based annual audit needs assessment. To assist management with the Through undertaking in-depth reviews of prevention, detection and business operations, the Internal Audit investigation of fraud and abuse. Service supports management in minimising the risk of fraud and abuse. In the course of 2012/13, the Council has been additionally proactive in refreshing its Whistleblowing Policy. This document firmly establishes the role of the Head of Internal Audit in the whistleblowing process. It is further appreciated that the Counter Fraud and Corruption Policy is currently being reassessed for ongoing appropriateness by the Revenues and Benefits Manager. In the course of the financial year, the Internal Audit Consortium Manager) has had regular progress meetings with the Head of Finance (Section 151 Officer) to discuss the status of audit assignments featuring in the Annual Audit Plan and the quality of service delivery generally, and to debate and agree Draft Audit Plans for the following year, prior to their submission to Corporate Management Team and Corporate Leadership Team for their acceptance, and then to the Audit Committee for formal approval. There was also a need in year for the Internal Audit Consortium Manager to be present at two Exit Meetings, where the outcomes of audit review work applying to Council Tax & National Non Domestic Rates and Housing & Council Tax Benefits were discussed with management. The Head of Finance has also participated in 2 meetings of the Norfolk Internal Audit Consortium held in September 2012 and January 2013. These meetings are used to bring together Consortium members to review progress in relation to Annual Plans, discuss the performance of the contractor as well as any client officer issues arising, be appraised of any new developments/changes to working practices designed to improve service delivery and consider the future arrangements for the Internal Audit Service, when the contract with Deloitte & Touche Public Sector Internal Audit Ltd expires at the end of September 2014. 12 Complying with CIPFA’s Code of Practice for Internal Audit in Local Government The CIPFA Code of Practice for Internal Audit in Local Government specifies the standards for Internal Audit. In 2012/13, the Code of Practice self assessment checklist, completed by the Head of Internal Audit and submitted to the Head of Finance for independent validation, confirmed substantial compliance had been achieved in relation to the 11 key criteria stated therein. There were two exceptions where partial rather than full compliance was recognised. The first of these items where a deviation was apparent concerned Internal Audit’s rights of access to all records, assets, personnel and premises. In previous years, the relevant rights of access have been acknowledged in the Council’s Financial Regulations but following revisions to the Constitution in April 2011, these requirements were inadvertently removed. The Internal Audit Consortium Manager reported the oversight upon completing the 2011/12 review of Internal Audit’s effectiveness and raised a request to re-instate these rights. In the course of conducting the 2012/13 review and examining the latest version of the Constitution, it has been appreciated that these rights still fail to feature. The Internal Audit Consortium Manager has therefore contacted the Monitoring Officer regarding this matter and has been assured that the appropriate clauses will be incorporated into Financial Regulations without further delay using delegated powers to update them accordingly. The second aspect where partial compliance has been recorded relates to the Committee’s review of its own remit and effectiveness. In this regard, it has been appreciated that a self-assessment exercise was not performed during 2012/13, although previously, there had been annual scrutiny of terms of reference and operational arrangements. The Chair of the Audit Committee has been made aware of the situation and upon reviewing the Committee’s work plan has organised for this important analysis of provisions to take place in September 2013. Complying with CIPFA’s Statement on the Role of the Head of Internal Audit in Local Government This Statement sets out the 5 principles that define the core activities and behaviours that apply to the role of the Head of Internal Audit, and the organisational arrangements to support them. The Head of Internal Audit needs to: Champion best practice in governance, objectively assessing the adequacy of governance and management of risks, commenting on responses to emerging risks and proposed developments; Give an objective and evidence based opinion on all aspects of governance, risk management and internal control; Undertake regular and open engagement across the authority, particularly with the Leadership Team and with the Audit Committee; Lead and direct an Internal Audit Service that is resourced to be fit for purpose; Be professionally qualified and suitably experienced. Each principle has associated requirements (59 in total) to demonstrate how they should be employed in practice. The Internal Audit Service has been benchmarked against these criteria. Two aspects were not applicable based on the current service delivery model in place, but aside from these, the Internal Audit Consortium Manager 13 was able to satisfy 56 of the 57 remaining elements. The one aspect where there was a departure from stated requirements applied to unfettered rights of access for Internal Audit to all papers and people in the organisation. This deviation was also an issue when examining compliance against CIPFA’s Code of Practice for Internal Audit. However, the Monitoring Officer is in the process of resolving this matter. To assist Internal Audit in delivering an appropriately informed service to the Council, it has been additionally concluded that: Internal Audit will continue to look to the Section 151 Officer for updates about third party assurers undertaking work on behalf of the authority (with a view to Internal Audit placing reliance on this work, wherever possible and avoiding unnecessary duplication of work). Internal Audit will maintain close ties with senior management regarding counter fraud measures in place at the Council, developed to minimise the risk of fraud and abuse, and will provide support for special investigations and the further development of the Counter Fraud and Corruption Policy, as required. N.B. The detailed assessment of the Internal Audit Consortium Manager’s compliance with the key governance requirements and core responsibilities as specified in the CIPFA Statement has been forwarded to the Head of Finance for independent scrutiny and verification. Quality Standards applying to the Internal Audit Service The Internal Audit Service is benchmarked against a number of performance indicators as agreed by the Audit Committee within the Terms of Reference for Internal Audit. Actual performance against these targets is outlined within the table below and overleaf: Indicator % of audit recommendations accepted % of high priority recommendations implemented Days between issue of audit brief and fieldwork commencing Target 2012/13 Performance 95% 2011/12 Performance 96% 100% Not applicable 100% More than 10 days (average) 9.63 21.18 100% 38% 82% 90% 14 Comment This continues to exceed target. There were no high priority recommendations in 2012/13 requiring action. Audit briefs are issued ahead of audit fieldwork commencing on-site but the lead-in time involved has varied significantly during 2012/13 from 2 to 17 working days, which has then averaged out at 9.63 days. Hence, there has been a marked reduction in performance in this area, compared with the previous year. Indicator Number of days between expected fieldwork completion and actual 0 days 2012/13 Performance 5.9 100% 44% 53% Number of days between completion of audit fieldwork and draft report issue 10 days or less (average) 18.7 11.1 100% 38% 47% Number of days between issue of draft and final reports 15 days or less (average) 19.3 15.3 100% 25 days or less (average) 63% 38.0 71% 26.4 100% 44% 59% Adequate (4 out of 6) Adequate (4.77) Good (5.15) Number of days between completion of fieldwork and final report issue Average score given to audit feedback Target 2011/12 Performance 1.3 Comment This provides another example where performance has noticeably dipped, whereby finish dates for concluding fieldwork are not being met on every occasion. After significant efforts by the contractor in 2011/12 to bring down timeframes for turning around draft reports, the time taken has increased once again, and is almost double the targeted time stipulated. Performance has also dropped here in terms of converting draft to final audit reports. This is a further area where performance has failed to meet the targeted timescale set. The time taken has lapsed back to the level of performance being reported in 2010/11. Client satisfaction has detiorated slightly, although we are still receiving positive feedback within targeted average scores required. The table clearly shows that the performance of the Internal Audit Services contractor has dropped in 2012/13, compared with the preceding 12-month period. After considerable efforts during 2011/12 to improve service delivery, performance standards in a number of areas have detiorated again and in some cases, are now significantly adrift of targeted requirements, although the percentage of audit recommendations agreed with management has remained at a consistently high level, surpassing the target set in this area; there have been no high priority audit recommendations requiring action in year, and post audit feedback has been positive albeit the average score now equates to an adequate whereas previously, a good assessment had been obtained. The timescales for completing audits is where performance monitoring information has indicated that there are fundamental issues which will need to be properly addressed in 2013/14. With reference to the formal circulation of audit briefs in advance of commencing fieldwork, there were occasions where the Internal Audit Services contractor was 15 responsible for the short lead-in times, or, it was determined that the Christmas holidays had delayed progress with the confirmation of audit scopes. Conversely, there had been a late request from management to broaden the scope of one particular review, and this, in turn, had led to an amended brief being circulated at short notice, whilst another brief had been subject to late issue as the Deloitte auditors had been obliged to wait for input from a client officer who had been approached to give a steer to the focus of review work. Once audit assignments were under way, there were then situations where some audit fieldwork overran, and in the majority of these cases, Deloittes’ internal review processes to quality assure the work of junior staff were largely responsible for the delays incurred. Deloittes’ clearance of Audit Management Team review points also led to instances where fieldwork took longer than first expected. There was one review where management intervention impacted on timeframes involved, and this had been due to receipt of a request to expand the scope of the planned review which additionally led to a corresponding lengthening of the fieldwork to accommodate the extra work sought. Gaining access to key personnel and records to inform audit testing also contributed to problems delivering fieldwork on time, and finally there was one other occasion where an audit could not be progressed as first envisaged because it relied on two other pieces of work being finalised before linked audit testing work could be completed. The late progression of draft audit reports was predominantly due to the delayed finalisation of audit fieldwork and clearance of further review points raised by either Deloittes’ Field Manager, Deloittes’ internal review processes or the Audit Management Team. As for unsatisfactory timeframes between draft and final audit reports, these were largely due to the late receipt of management responses; needing to obtain greater clarity regarding aspects of management responses or having to factor in Exit Meetings which led to the development of revised draft reports then forwarded to management for their comment and clearance before final reports could be produced. In view of the issues highlighted above adversely affecting the progress of audits, in the course of the last quarter of the year, the Audit Management Team has worked closely with both management and Deloittes to ensure that the Annual Audit Plan was finished in sufficient time to provide an Annual Report and Opinion based on completed assignments. Moreover, a Workshop between the Audit Management Team and Deloittes has now been organised in July 2013 (and the Head of Finance has also been invited to attend), which will be revisiting audit working practices and exploring how improvements to performance can be secured in 2013/14. Strengthening the Council’s Systems of Internal Control Our work has confirmed that assurance levels for individual audits carried out in 2012/13 were resoundingly positive, with 4% receiving a good assurance and 88% an adequate assurance. The remaining 8% were awarded limited assurances. The previous financial year, 18.75% of assurances were good, 56.25% were adequate and 25% were limited, thus the internal control environment is clearly improving year-on-year. This year, after giving a succession of adequate audit opinions to Corporate Governance arrangements, we have been able to award a good assurance. 16 Moreover, where adequate assurances have been prevalent in relation to other areas audited, it was noted that the systems of internal control in respect of Leisure Complexes has improved since our last visit, with the opinion progressing from a limited to an adequate assurance. On the other hand, our scrutiny of Council Tax and National Non Domestic Rates, and Housing and Council Tax Benefits during 2012/13 resulted in limited audit opinions. The background to these audits and the contributing factors to the assurance levels subsequently given are explored in more depth in the Annual Report and Opinion, but in terms of this effectiveness review, it is noted that previously, these areas had received adequate audit opinions. The shared service partnership arrangement for the provision of Revenues and Benefits Services with the Borough Council of Kings Lynn and West Norfolk and the initial transfer of data to a new jointly procured Revenues and Benefits system from Civica have clearly had an impact on and contributed to the change in the internal control environment. Our year end review of audit recommendations has also indicated that when comparing the last 6 months of this financial year with the same period in the preceding year, the number of recommendations has fractionally increased from 83 to 84, but more significantly, the number of completed and/or superseded recommendations has improved immensely from 34.9% to 85.7%. Moreover, as mentioned previously within the section on Quality Standards applying to the Internal Audit Service, there were no high priority recommendations requiring implementation within the year. All of these findings suggest that Internal Audit work has been supporting the further development of the Council’s internal control environment and management have been extremely co-operative in accepting audit recommendations which had been designed to enhance existing provisions, and then arranging for their subsequent implementation. Improving Service Delivery and Adding Value We constantly strive to improve the Internal Audit Service, with reference to the way we operate and the quality of our outputs, and in the pursuit of this ethos, during the year, we have redeveloped our audit brief and reporting templates, to improve the approach taken to the scoping of projects and communication of audit findings, together with submitting greater justification for audit opinions given. Furthermore, we now require Deloittes to provide us with individual opinions on core financial systems, when carrying out work to support the preparation of the Annual Governance Statement. The continuing production of Audit Newsletters over the course of the year and our ongoing membership of the Norfolk Chief Auditors Group – an excellent forum where we are able to network with our peers, discuss developments within the sphere of auditing and share best practice, further represent additional ways in which we seek to add value for our clients. Finally, another key marker of our willingness to demonstrate added value has been the flexibility we have been able to show with regards to the Annual Audit Plan, i.e. deferring planned work to enable more constructive reviews to be carried out at a later date within the current year, e.g. Audit Nos. NN/13/07 Council Tax and National Non Domestic Rates, NN/13/08 Payroll and Human Resources, NN/13/09 Housing and Council Tax Benefits, NN/13/10 Exchequer Services – Creditors etc, NN/13/15 17 Data Centre, Back Up and Disaster Recovery, and NN/13/16 ABS eFinancials Application. External Audit’s Reliance on Internal Audit’s Work We continue to work closely with the Council’s External Auditors to deliver an effective and efficient audit function, and as a consequence, have regular meetings and periodic emails/telephone exchanges with our External Audit colleagues to discuss progress with the Annual Audit Plan, plus any key findings and issues arising from our work. Added to this, in September 2012, we agreed and presented to the Audit Committee a Protocol for Liaison between Internal and External Auditors for 2012/13. It is further appreciated that when External Audit presented their Audit Plan for 2012/13 to the Audit Committee on 19 March 2013, it was recorded in their audit approach that ‘we aim to rely on the work done by internal audit wherever this is appropriate. We will ensure that a continuous dialogue is maintained with internal audit throughout the year. We receive copies of all relevant internal audit reports, allowing us to understand the impact of their findings on our planned audit approach’. Supporting an Effective Audit Committee The Internal Audit Consortium Manager and Deputy Audit Manager have had considerable contact with members of the Audit Committee throughout the year, providing a presence at all scheduled Committee meetings, and have taken part in private discussions, as well as Pre Agenda meetings convened, whilst also consistently contributing to Committee agendas with reports on the outcomes of Internal Audit work carried out at the authority. In addition to the above, the Audit Committee periodically takes responsibility for reviewing its own remit and effectiveness. In the past, as mentioned already, the Committee has followed an annual self assessment programme but there has been a departure from this cycle of input during 2012/13, although the Action Plan arising from the 2011/12 exercise and presented to the Audit Committee in March 2012, has been progressed in year. Following recent discussions with the Chair of the Audit Committee, it has been agreed that the checklist attaching to the IPF publication: ‘A Toolkit for Local Authority Audit Committees’ will be revisited by members in September 2013. In the meantime, however, it is noted that the 4 key actions arising from the last review have developed thus far: Member training sessions have been and are continuing to be provided, with arrangements currently being finalised with the External Auditors for the next session planned. Active steps are being taken to enhance the Council’s counter fraud framework representing the Council’s response to the risk of fraud, in so far as the Whistleblowing Policy has been refreshed and the Counter Fraud and Corruption Policy is about to be re-examined. Private discussions between the Chair of the Audit Committee, the Internal Audit Consortium Manager and the External Audit Manager now take place on a regular basis. A mechanism now exists by which the performance of the External Auditors is examined, i.e. customer satisfaction surveys are completed. 18 Appendix B Additional Requirements specified by the Public Sector Internal Audit Standards (PSIAS) concerning External Assessments of the Effectiveness of Internal Audit 1. The requirement for an external assessment to be carried out at least once every 5 years may be satisfied by either arranging for a ‘full’ external assessment or by undertaking a self-assessment with independent validation. 2. PSIAS 1312 states that the Head of Internal Audit must discuss the format of the external assessments with the Audit Committee and therefore the Head of Internal Audit will have to consider the pros and cons for each type of external assessment before presenting the outcomes of such a deliberation to the Audit Committee. 3. If a local authority Head of Internal Audit elects to carry out a validated selfassessment, CIPFA’s Local Government Application Note is recommended for externally validated self-assessments although other available checklists may be used to inform the process. 4. An independent person or team must be sourced to validate that selfassessment in order to meet the requirements set out in the PSIAS that arrangements are put in place to avoid conflict of interest and impairment to objectivity. 5. In ascertaining whether the external assessor or assessment team are appropriately qualified to carry out the full assessment or independent external validation of the self-assessment, it is key that the two areas of competence as set out in the PSIAS are met. This is particularly important where a system of peer review is set up to provide the external assessment. 6. Although it is possible that a local authority’s external auditor may be appropriately independent to act as the external assessor or assessment team, the reviews that may already be carried out by the external auditor for placing reliance on the work of the internal audit activity, for example, do not automatically correspond with the requirements laid out in the PSIAS and CIPFA’s Local Government Application Note. 7. The Head of Internal Audit must also set out, and discuss with senior management and the Audit Committee, the qualifications and independence of the external assessor or assessment team in accordance with both the main standard and the public sector requirement which go into detail on how an external assessor or assessment team should demonstrate their competence. 8. The public sector requirement mandates that local authorities must find an appropriate sponsor and suggests that this could be another officer within the organisation (for example the Chief Finance Officer or Chief Executive Officer). This is intended to further safeguard the independence of the external assessment process. 19 Audit Committee 18 June 2013 Agenda Item No_____9_______ Internal Audit Consortium Manager’s Annual Report and Opinion for 2012/13 in respect of North Norfolk District Council Summary: This report has been developed to satisfy the mandatory requirements of the new Public Sector Internal Audit Standards (PSIAS), effective from 1 April 2013, and specifically Standard 2450, concerning the provision of an annual audit opinion on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control, which, in turn, should be used to inform the Council’s Annual Governance Statement. The report also seeks to confirm compliance with the Accounts and Audit (England) Regulations 2011, whereby the Council is required to ‘undertake an adequate and effective internal audit of its accounting records and of its system of internal control in accordance with the proper practices in relation to internal control’. The standards for ‘proper practices’ for internal audit applying to 2012/13 were detailed in CIPFA’s Code of Practice for Internal Audit in Local Government in the United Kingdom (2006), although for 2013/14 onwards, the Code has been superseded by consolidated Public Sector Internal Audit Standards. To demonstrate that this authority has met its statutory requirements, as recognised above, the Internal Audit Consortium Manager has produced this Annual Report and Opinion, drawing upon the outcomes of Internal Audit work performed over the course of the year, to formulate an opinion concerning the overall internal control environment which has been operating at the Council throughout 2012/13. Conclusions: On the basis of Internal Audit work performed during 2012/13, the Internal Audit Consortium Manager is able to give an adequate opinion to the organisation’s control framework, an adequate opinion to the Council’s systems of risk management and a good opinion regarding corporate governance arrangements currently in place. 20 Audit Committee 18 June 2013 Recommendations: It is It ii It is recommended that the Committee: 1. Receive and consider the contents of the Annual Report of the Internal Audit Consortium Manager. 2. Note that an adequate audit opinion has been given in relation to the overall adequacy and effectiveness of the organisation’s governance, risk and control framework (i.e. control environment) for the year ended 31 March 2013. 3. Note that good assurance has been awarded to Corporate Governance provisions for the year ended 31 March 2013. 4. Note that an adequate audit opinion has been applied to systems of risk management for the year ended 31 March 2013. 5. Note that the opinions expressed together with significant matters arising from internal audit work and contained within this report should be given due consideration, when developing and reviewing the Council’s Annual Governance Statement for 2012/13. Cabinet member(s) Wards: Contact Officer, telephone number, and e-mail: All All Sandra King, Internal Audit Consortium Manager 01508 533863 scking@s-norfolk.gov.uk 1. Background 1.1 Public Sector Internal Audit Standards, which came into force from 1 April 2013, have effectively replaced CIPFA’s Code of Practice for Internal Audit in Local Government in the United Kingdom (2006). The new Standards are very similar to the old Code of Practice in terms of year end Internal Audit reporting requirements, in so far as:  An annual opinion should be generated which concludes on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control;  A summary of the work that supports the opinion should be submitted;  Reliance placed on other assurance providers should be recognised;  Any qualifications to that opinion, together with the reason for qualification must be provided;  There should be disclosure of any impairments or restriction to the scope of the opinion;  There should be a comparison of actual audit work undertaken with planned work;  The performance of internal audit against its performance measures and targets should be summarised; and,  Any other issues considered relevant to the Annual Governance Statement should be recorded. 1.2 In addition, a Commentary on compliance with new Standards must now be prepared in much the same way as the extent of compliance achieved against the 21 Audit Committee 18 June 2013 CIPFA Code of Practice had to be documented (although for the purposes of this report, when looking back over 2012/13 – delivery of Internal Audit provisions against the old Code of Practice remains applicable). 1.3 It is further appreciated that a continuing need remains to communicate the results of the Internal Audit quality assurance and improvement programme (QAIP) and any progress made against any improvement plans resulting from the QAIP. 1.4 The new Standards also have extra year end reporting obligations, namely the risk or control framework or other criteria used as a basis for the overall audit opinion must be identified. 1.5 This report therefore seeks to address the key items specified above, where appropriate, although recognising that some aspects are covered in additional reports, e.g. an evaluation of the performance of the Internal Audit Service is subject to separate reporting, and will feature in a report headed up ‘Annual Review of the Effectiveness of Internal Audit for 2012/13’, whereas the conclusions of audit follow up work are covered in a further report entitled ‘Status of Audit Recommendations due for Implementation by 31 March 2013’. 1.6 When considering this report and its attaching opinions, the statements made therein should be viewed as key items which need to be used to inform the organisation’s Annual Governance Statement, but there are also a number of other important sources to which the Audit Committee and statutory officers of the Council should be looking to gain assurance. Moreover, in the course of developing overarching audit opinions for the authority, it should be noted that the assurances provided here, can never be absolute and therefore, only reasonable assurance can be provided that there are no major weaknesses in the processes subject to internal audit review. The annual opinion is thus subject to inherent limitations (covering both the control environment and the assurance over controls) and these are examined more fully at Appendix I. 2. Internal Audit Service Provisions and Costs 2.1 The Internal Audit Service arrangements at North Norfolk District Council have remained unchanged in relation to 2012/13, in so far as the Internal Audit Consortium Manager and Deputy Audit Manager at South Norfolk Council have continued to be responsible for managing the delivery of the Internal Audit Service to the organisation and controlling the work of Deloitte and Touche Public Sector Internal Audit Ltd, which is contracted to deliver the programme of work as detailed in the Annual Audit Plan. 2.2 All work performed on behalf of North Norfolk District Council has been undertaken in accordance with Internal Audit’s approved Terms of Reference for 2012/13. The Internal Audit Service is essentially an assurance function that provides an independent and objective opinion to the organisation on the control environment comprising risk management, control and governance, by evaluating its effectiveness in achieving the organisation’s objectives. This is achieved by Internal Audit objectively examining, evaluating and reporting on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. 22 Audit Committee 2.3 18 June 2013 The work of Internal Audit during 2012/13 has been determined by a risk based Audit Plan. The priorities of the Annual Audit Plan have been consistent with the Council’s priorities/corporate objectives, whilst also taking into account the authority’s risk management framework and the relative risk maturity of the organisation. Added to this, the Plan has been regularly reviewed throughout the year to ensure that it has been continually responsive to the changing needs of the Council. For example, if priorities have altered, organisational restructures have taken place or existing risks have subsequently escalated, diminished, disappeared or been overtaken by other emerging risks, the Plan has been revisited and its constituent audits reassessed, resulting in the rescheduling of work to a later stage in the financial year, the scope of the audit being redeveloped or review work being deferred to the following year. The extent of revisions needing to be made to the 2012/13 Plan, and what triggered them, are considered at Section 6 of this report. 3. Internal Audit Service Provisions and Costs 3.1 To ensure full transparency of the service, this report contains information about the costs associated with the provision of the Internal Audit function to the Council, identifying input by the Internal Audit Services contractor to undertake the planned audit assignments and any ad-hoc work requested, and the level of support administered by the Audit Management Team to oversee all aspects of the service provision to officers and members. The cost of the service compared with the previous year is shown below: Nature of the work 2011/12 2012/13 Cost of the planned work (Deloitte & Touche Public Sector Internal Audit Ltd – the Internal Audit Services contractor) £62,410 £67,479 Cost of managing the service and supplying additional investigative support (South Norfolk Council) £31,411 £34,377 Cost of additional work by Deloitte & Touche Public Sector Internal Audit Ltd £6,336 £1,992 £100,157 £103,848 TOTAL COST 3.2 Internal Audit costs have increased by 3.7% compared with the previous year. This has been due to an expanded Internal Audit Plan being delivered in 2012/13, i.e. 231.6 days compared with 217 days in 2011/12. All additional days were at the specific request of management and the adjustments required to the Plan can be found itemised within Section 6 of this report. 3.3 The 2012/13 Audit Plan was originally approved by the Audit Committee on 6 March 2012 and to date, has been the subject of two Progress Reports covering the period 1 April to 12 November 2012. These reports were considered by members on 18 September and 4 December 2012. The Activity Reports essentially outlined the then status of audit assignments and provided copies of management summaries relating to completed reviews. This Annual Report now reflects on the audit work processed between 13 November 2012 and 22 May 2013, the latter being the date that the Annual Audit Plan was subsequently completed. This report also takes into account the assurance levels awarded to those audits finalised prior to 13 23 Audit Committee 18 June 2013 November 2012, given that the annual opinion is required to draw upon the outcomes of all internal audit review work carried out in the course of the year. 4. Opinion of the Internal Audit Consortium Manager on the Overall Adequacy and Effectiveness of the Organisation’s Governance, Risk and Control Framework 4.1 In order to give the Council an overall opinion on its control environment, the Internal Audit Consortium Manager as the organisation’s Head of Audit has revisited the assurance levels given to individual audit assignments throughout the year, relating to both financial and non financial systems. These are summarised below for management and member information. Nature of System Financial Non Financial Assurance Level Awarded Adequate Limited Good Adequate Total Assurance Level Awarded Good Adequate Limited No. of Areas evaluated 1 22 2 25 No. of Areas evaluated 9 2 1 13 25 % Applicable 4% 88% 8% 100% 4.2 All planned work completed is itemised at Appendix C. An analysis of the internal control environment and how it has been developing over the last 5 years is attached at Appendix H, whilst definitions of our assurance levels are explained at Appendix G. Essentially, good and adequate assurances are positive audit opinions, with limited and unsatisfactory assurances equating to negative audit opinions. 4.3 This year, it should also be appreciated that, although a joint audit of Corporate Governance and Risk Management arrangements was performed, 2 separate audit opinions were extracted, which are analysed in more detail in paragraphs 4.5 and 5.1 of the report. Further, a change of methodology was applied to work carried out to support the preparation of the Annual Governance Statement. This coincided with the unveiling of a new reporting template aimed at generating more meaningful information on systems of internal control for management and members alike, such that separate audit opinions are now provided by the Internal Audit Services contractor in respect of those areas subject to high level key control testing. Hence the level of assurances available has increased dramatically this year compared with previously. A total of 16 planned reviews would have been expected to generate 15 audit opinions for the authority, but instead, revised arrangements have led to a more insightful 25 assurances being produced in relation to those audit assignments completed in the course of 2012/13. 4.4 On the basis of the audit work undertaken in 2012/13, it is my opinion that an adequate assurance can be applied to the overall adequacy and effectiveness of the organisation’s governance, risk and control framework (i.e. control 24 Audit Committee 18 June 2013 environment) for the year ended 31 March 2013. As can be seen in the tables at paragraph 4.1 above, 92% of audits have received positive assurance levels, with an adequate opinion expressed in the majority of cases with reference to individual systems of internal control and key control testing subject to audit scrutiny. On one occasion, operational provisions have actually mirrored best practice and merited receipt of good assurance in consequence. The position in respect of 2012/13 represents a noticeable improvement on 2011/12, which boasted 75% of assurances awarded in year being either good or adequate. 4.5 The good assurance given in 2012/13 was following examination of Corporate Governance arrangements. The Management Summary for the Corporate Governance and Risk Management audit is included at Appendix E (6) and more focus on this positive assessment is given in Section 5 of the report. 4.6 The table of individual audit opinions at paragraph 4.1 also confirms that there have been 2 audits where less favourable limited assurances have been issued. These represent significant issues for noting in the Council’s Annual Governance Statement and concern Council Tax and National Non-Domestic Rates (Audit No. NN/13/07) and Housing and Council Tax Benefit (Audit No. NN/13/09). The respective management summaries for these audits are included at Appendices E (1) and E (3). When auditing the Revenues and Benefits systems, we found evidence that the control environment had been compromised during systems migration to the new CIVICA application, which had been jointly procured with the Borough Council of Kings Lynn and West Norfolk. 4.7 A total of 4 fundamental financial systems have been audited in-depth during 2012/13, with a further 6 areas subject to high level key control testing. Eight of these generated positive assurances. Conversely, as already alluded to above, review work pertaining to Council Tax and National Non-Domestic Rates and Housing and Council Tax Benefit resulted in limited/negative assurances being awarded and 13 audit recommendations being raised, one of which carried a high priority rating. This related specifically to Housing and Council Tax Benefit and concerned the processing of new claims and changes of circumstances. Management have disputed the high priority rating and despite providing us with additional processing information which we have used to update our findings and recommendation, we have been unable to revise the original rating given. This situation is a highly unusual one and although our Terms of Reference ensure that we present rejected recommendations to members, we feel on this occasion, it is also appropriate to submit details of the debate with management regarding the rejected rating. Thus, the relevant details within the Action Plan for Audit No. NN/13/09 pertaining to the high priority recommendation have also been incorporated into Appendix E (3) for members’ noting. Management have confirmed that work is currently in progress to address the control weakness reported. In view of the high priority rating assessment attaching to this recommendation, this particular item also requires separate acknowledgement in the Council’s Annual Governance Statement for 2012/13. 4.8 As previously discussed, we perform additional key controls testing work in year, which focuses on those fundamental financial systems that were not otherwise subject to detailed audit evaluation in the 12-month period. Our work here is necessary to further inform the Internal Audit Consortium Manager’s annual opinion, support the preparation of the organisation’s Annual Governance Statement and assist External Audit in their work. Upon completion of requisite testing this year, we 25 Audit Committee 18 June 2013 have raised 2 audit recommendations with medium priority ratings. The Management Summary for this particular piece of work is located at Appendix E (5). 4.9 In respect of the Council’s non-financial systems, upon completion of these audit assignments we are pleased to report that all 14 areas examined were in receipt of satisfactory levels of assurance (with one, namely Corporate Governance achieving good assurance) compared with 76.9% achieved in 2011/12. 4.10 As mentioned already at paragraph 1.5, we provide a separate report to the Audit Committee on the implementation of audit recommendations. This report effectively confirms that the Council has made considerable advances in terms of progressing audit recommendations over the course of the financial year. An impressive 103 agreed recommendations were implemented, and at 31 March 2013, we recorded just 11 recommendations as outstanding and 1 recommendation where we had not received management feedback and thus were unable to confirm its current status. This is a huge improvement on the position we reported as at 31 March 2012 and demonstrates good commitment and co-operation on the part of management to improve the organisation’s internal control environment. There were also no high priority recommendations needing to be actioned in year, which further enforces the strength of the systems of internal control in operation at the authority. As recognised earlier, there is one high priority recommendation arising from a recently finalised audit of Housing and Council Tax Benefit, which requires management input, however, we have already been advised that extra resources have been allocated to deal with this problem which is speedily being resolved. 5. Corporate Governance and Risk Management 5.1 An internal audit review of Corporate Governance and Risk Management provisions was undertaken in the final quarter of the financial year. On the basis of findings made in these two areas, we have applied a good opinion to Corporate Governance, recognising that these arrangements have been enhanced since our previous visit, whilst in the case of Risk Management, the assurance level remains adequate. The Management Summary included at Appendix E (6) elaborates as to the basis for the opinions given and a flavour of the audit recommendations put forward. 5.2 It should also be noted at this juncture that, in the future, North Norfolk District Council’s Corporate Governance and Risk Management arrangements will be reviewed on a 2-yearly cycle, thus moving away from annual scrutiny. This revision to the frequency of such audits has been directly influenced by the previous track record of positive assurances awarded in these areas. 6. Review of Audit Work delivered in 2012/13 compared with the Annual Audit Plan approved on 6 March 2012 6.1 The table overleaf shows in summary the audit coverage that was originally planned, where it has proved necessary to revise audit input in year and then compared amended planned days with those actually delivered, whilst a more detailed overview can be found at Appendix C, highlighting when audit assignments were completed and the Management Summaries extracted from the final audit reports were submitted to the Audit Committee for member noting. 26 Audit Committee Description Days originally planned for 2012/13 Revised planned days for 2012/13 Actual days delivered in 2012/13 % of Revised Planned Work Delivered Systems audit 169 175 175 100% Computer audit 43 38 38 100% Extra work – Systems audit 2.5 2.5 100% Ad-hoc Investigative Work 16.1 16.1 100% 231.6 231.6 100% Total 6.2 18 June 2013 212 The Annual Audit Plan has been adjusted to accommodate both the rescheduling of assignments and alterations to audit input/coverage agreed with management. The two Progress Reports developed earlier in the year explained changes required up to 12 November 2012. Since that time, there have been two further adjustments whereby an extra day had to be added to the job budget for Corporate Governance and Risk Management, and 16.1 days were channelled into 2 reviews linked to a complaint received by the Council. All amendments are recorded below to afford an overview of modifications duly actioned, whilst their overall impact on the Plan is effectively documented at Appendix C: The job budget for the Property Services review (Audit No. NN/13/01) was increased from 14 to 19 days to enable additional scrutiny of the Measured Term Contract for the provision of coastal repairs and other minor coastal works. An extra 2.5 days was required to analyse data verification and governance arrangements pertaining to the Revenues and Benefits Shared Services Partnership. The job budgets for 2 computer audits focusing on Cash Receipting (Audit No. NN/13/13) and Project Management (Audit No. NN/13/14) were collectively commuted by 5 days at the request of management. Consequently, the scope of review work had to be redefined given the reduced number of days then available to carry out evaluations of provisions in place. The Corporate Governance and Risk Management job budget was increased from 9 to 10 days to take on board extra elements sought by management and the Chair of the Audit Committee, involving an analysis of arrangements post the recent management restructure and to give attention to the way in which Committees are operating at the authority. Upon receipt of a complaint, Internal Audit was called upon to carry out investigative work which was undertaken in 2 stages and incurred 16.1 days of input. 27 Audit Committee 18 June 2013 The modifications listed above resulted in a combined 19.6 days being added to the approved Audit Plan for 2012/13. 6.3 As to the actual outcomes of audit work undertaken over the preceding 12 months, members will recall that to date, a total of 8 Management Summaries and a Summary Letter have already been reviewed and debated by Committee following receipt of 2 previous Internal Audit Activity Reports submitted by the Internal Audit Consortium Manager. Appendices D (1), E (1)-(7) and F (Exempt) are now attached, to provide the Management Summaries and Briefing Note in respect of the remaining 9 pieces of work finalised since early December 2012. 7. Effectiveness of Internal Audit 7.1 As mentioned previously, elsewhere on this Committee agenda is a report setting out the results of our end of year review of the effectiveness of the Internal Audit Service. This includes: The performance of the Internal Audit Service contractor; The degree of compliance with the Code of Practice for Internal Audit in Local Government; The degree of compliance with CIPFA’s Statement on the Head of Internal Audit; and, The level of compliance being achieved in respect of other quality assurance measures for the service. 8. Conclusion 8.1 The Internal Audit Consortium Manager’s report should be treated as a key source of evidence for the Council when preparing its Annual Governance Statement for 2012/13, and primarily provides independent assurance that internal control and risk management systems are adequate, corporate governance arrangements are good, and in the event of any significant control weaknesses being identified during audit work, these matters are brought to management’s attention and action plans developed to address issues found. As such, the Committee should therefore be mindful of the contents of this report when subsequently reviewing the Council’s Annual Governance Statement. 9. Recommendation 9.1 The Committee is asked to note the Internal Audit Consortium Manager’s Annual Report and the opinions contained therein, which should be used to inform the development and subsequent agreement of the Council’s Annual Governance Statement. Appendices attached to this report: Appendix C: Review Work delivered in accordance with the Annual Audit Plan 2012/13 plus AdHoc Work requested by Management Appendix D: Old Style Management Summary in respect of Completed Audit Assignment Appendix D (1) NN/13/05 Partnerships 28 Audit Committee 18 June 2013 Appendix E: New Style Management Summaries in respect of Completed Audit Assignments Appendix E (1) NN/13/07 Council Tax and National Non-Domestic Rates Appendix E (2) NN/13/08 Payroll and Human Resources Appendix E (3) NN/13/09 Housing and Council Tax Benefit Appendix E (4) NN/13/10 Exchequer Services Appendix E (5) NN/13/11 Work to Support the Preparation of the Annual Governance Statement Appendix E (6) NN/13/12 Corporate Governance and Risk Management Appendix E (7) NN/13/16 ABS eFinancials Application Appendix F: Private and Confidential Briefing Note Appendix G: Norfolk Internal Audit Consortium Definitions / Categories of Audit Opinions relating to Individual Audit Assignments Appendix H: Appendix I: Levels of Assurance awarded from 2008/09 onwards Limitations and Responsibilities 29 Appendix C Review Work delivered in accordance with the Annual Audit Plan for 2012/13 plus Ad-Hoc Work requested by Management Frequency of Audit Coverage Original Days Planned Revised Days Planned Days Delivered Scheduling PLANNED SYSTEMS AUDIT WORK NN/13/01 Property Services 3-yearly 14 19 19 May NN/13/02 Strategic Housing and Homelessness 2-yearly 15 15 15 July NN/13/03 3-yearly 10 10 10 July NN/13/04 Corporate Policy, Planning and Performance Management Procurement 3-yearly 12 12 12 August NN/13/05 Partnerships 3-yearly 7 7 7 NN/13/06 Leisure Complexes, Sports, Arts and Entertainment, Pier Pavilion 3-yearly 10 10 10 NN/13/07 Council Tax and NNDR 2-yearly 20 20 20 NN/13/08 Payroll and Human Resources 2-yearly 19 19 19 NN/13/09 Housing Benefit CTB 2-yearly 20 20 20 NN/13/10 Exchequer Services - Creditors etc 2-yearly 15 15 15 NN/13/11 Work to support the AGS Annually 10 10 10 Audit No. Description of Audit Fixed Assets General Ledger Debtors Treasury Management - Investments / Loans Budgetary Control Car Parks Income Assurance Framework Status Assurance Level applicable Summary Report Details presented to Members Complete Final Report issued 10 August 2012 Complete Final Report issued 10 August 2012 Complete Final Report issued 23 August 2012 Complete Final Report issued 9 November 2012 Adequate Audit Committee 18 September 2012 Audit Committee 18 September 2012 Audit Committee 18 September 2012 Audit Committee 4 December 2012 September October September Complete Final Report issued 15 January 2013 Complete Final Report issued 12 November 2012 Adequate October November November January November early December Complete Final Report issued 21 May 2013 Complete Final Report issued 4 April 2013 Complete Final Report issued 22 May 2013 December January January Complete Final Report issued 9 April 2013 Complete Final Report issued 21 May 2013 Adequate Adequate Adequate Adequate Limited Adequate Limited Adequate See below Adequate Adequate Adequate Adequate Adequate Adequate Adequate 30 Audit Committee 18 June 2013 Audit Committee 4 December 2012 Audit Committee 18 June 2013 Audit Committee 18 June 2013 Audit Committee 18 June 2013 Audit Committee 18 June 2013 Audit Committee 18 June 2013 Audit No. NN/13/12 Description of Audit Corporate Governance Frequency of Audit Coverage Original Days Planned Annually 9 Revised Days Planned 10 Days Delivered Scheduling 10 February Status Complete Final Report issued 15 May 2013 Risk Management Systems Audit Follow Up TOTAL PLANNED SYSTEMS AUDIT WORK PLANNED COMPUTER AUDIT WORK NN/13/13 Cash Receipting Application Assurance Level applicable Good Adequate Annually Summary Report Details presented to Members Audit Committee 18 June 2013 Audit Committee 18 June 2013 8 169 8 175 8 175 100% 2 x 6-monthly validation Ad-hoc request 10 8 8 August Complete Final Report issued 12 November 2012 Adequate Audit Committee 4 December 2012 NN/13/14 Project Management 3-yearly 10 7 7 August Complete Final report issued 28 September 2012 Adequate Audit Committee 4 December 2012 NN/13/15 Data Centre, Back Up, Disaster Recovery 3-yearly 10 10 10 September July Complete Final report issued 12 September 2012 Adequate Audit Committee 4 December 2012 NN/13/16 Cedar Financial Application 3-yearly 9 9 9 Adequate Audit Committee 18 June 2013 Annually 4 43 4 38 4 38 100% 212 213 213 100% Computer Audit Follow Up TOTAL PLANNED COMPUTER AUDIT WORK TOTAL PLANNED WORK 31 October Complete Late February Final Report issued 26 April 2013 2 x 6-monthly validation Description of Audit Audit No. EXTRA WORK REQUESTED NN/13/17 Revenue and Benefits Partnership - Data Transfer, Governance and Risk Frequency of Audit Coverage Original Days Planned Revised Days Planned Days Delivered Ad-hoc request 0 2.5 2.5 Scheduling Status Phase 1 June Job budget originally 14 days to cover 2 reviews. Phase 1 - 2.5 days - Letter produced 13 July 2012. Assurance Level applicable Summary Report Details presented to Members Phase 1 - Not Applicable Phase 1 - summary of Letter contents to Audit Committee 18 September 2012 Phase 2 - Phase 2 - 11.5 days - It has September / subsequently been agreed with October management to defer this work to 2013/14 due to problems experienced with the data merging process. The work has thus been been rescheduled to April/May 2013. NN/13/18 Complaint received - First Stage Review Ad-hoc request 0 3 3 NN/13/19 Complaint received - Second Stage Review Ad-hoc request 0 13.1 13.1 0 18.6 18.6 100% 212 231.6 231.6 100% TOTAL OF EXTRA WORK UNDERTAKEN GRAND WORK TOTAL 32 AugustSeptember Briefing note produced and preparatory work undertaken to investigate further November to Audit Report and Briefing Note March produced by Audit Management Team N/A N/A Briefing Note to Audit Committee 18 June 2013 Old Style Management Summary in respect of Completed Audit Assignment Appendix D (1) Report No. NN/13/05 Final Report issued 15 January 2013 Audit Report on Partnerships Audit Opinion Adequate Assurance given Rationale supporting award of opinion The audit work carried out by Internal Audit indicated that: While there is a basically sound system of internal control, there are weaknesses, which put some of the client’s objectives at risk. There is evidence that the level of non-compliance with some of the control processes may put some of the client’s objectives at risk. This opinion results recommendations. from having raised two medium and two low priority The direction of travel shows an improvement in the level of assurance provided from the previous audit (NN/10/02, issued October 2009) which received ‘limited’ assurance. Summary of Findings Policy and Procedure As part of the audit testing was undertaken in relation to two partnerships; the Museums Service (made up of the Norfolk Museums and Archaeology Service at a countywide level and the North Norfolk Museums Forum at a district level) and the North Norfolk Fisheries Local Action Group (FLAG). Objectives of partnerships are to link to corporate objectives. Both partnerships were found to support the objectives of the Corporate Plan. A Partnership Framework (the framework) has been drafted however has not been completed. The framework is to be passed to Performance and Risk Management Board for further review. An estimated date of completion of the framework could not been provided. The framework is to set down the Council’s approach and procedures over partnership arrangements. The draft framework sets down the requirement to produce a register of partnerships. We were advised by the Head of Finance that a register is not in place although there are only three partnerships with the Council. Governance Terms of reference are in place for both of the partnerships reviewed. Service level agreements had been produced between the Council and the relevant partnering authorities, however the agreement between the Council and the Norfolk Museums and Archaeology Service had not been signed or subject to documented agreement by both parties over responsibilities and services to be provided. 33 Strategies are in place for the two partnerships tested. For the museums partnership, strategic direction is considered within the meetings of the local partnership group and the Norfolk Museums and Archaeology service within Norfolk. For the North Norfolk FLAG, strategies had been defined at the outset of the project. Bodies set up allow for the monitoring of progress against these strategies. Governance structures are in place for the two partnerships tested. These allow for monitoring of progress and performance. The FLAG Project structure, in particular, contains a structure which allows for a number of levels of monitoring and decision making. Monitoring, including Risk Management Bodies have been set up for the monitoring of progress and performance of partnerships with clear terms of reference set out. Risks are considered within partnership meetings. Financial controls are in place over the release of funds with authorisation made. An annual fee of £45,500 is made for the museums partnership, however the service agreement between the Council and the Norfolk Museums and Archaeology Service states that the fee should be £45,000 and we were advised by the Leisure and Cultural Services Manager that no amendments had been made. A £50,000 loan was made to the North Norfolk Business Forum for the FLAG project. The following number of recommendations has been raised: Area of Scope Adequacy and Effectiveness Assessments Adequacy of Controls Effectiveness of Controls Recommendations Raised High Medium Low Policy and Procedure Amber Amber 0 1 1 Governance Amber Amber 0 1 0 Monitoring, including Risk Management Green Amber 0 0 1 0 2 2 Total High Priority Recommendations No high priority recommendations have been raised as a result of this audit Management Responses Management have accepted the recommendations raised. 34 New Style Management Summaries in respect of Completed Audit Assignments Appendix E (1) Report No. NN13/07 – Final Report issued 21 May 2013 Audit Report on Council Tax and National Non-Domestic Rates Assurance Opinion Unsatisfactory Assurance Limited Assurance Adequate Assurance Good Assurance Rationale supporting the award of the opinion In order to provide appropriate context to our rationale, it is noted that during 2012/13, North Norfolk District Council entered into a shared service partnership arrangement for the provision of Revenues and Benefits Services with the Borough Council of Kings Lynn and West Norfolk (BCKLWN). All existing data was transferred to a new, jointly procured Revenues and Benefits system from CIVICA, with IT services being hosted by BCKLWN. th th Data migration took place on 28 May 2012 but then had to be transferred back on 13 and th 14 January 2013 following recommendations by the partnership Steering group in response to significant operational issues arising. There is evidence that the control environment has been compromised during systems migration, with controls that had been confirmed to be adequate and effective during the previous audit (NN/11/07– final report issued April 2011) having lapsed during the 2012/13 financial year. The opinion results from the fact that six medium and two low priority recommendations have been raised. This includes one medium priority recommendation over controls for the treatment of retrospective voids. This area was not included in the original brief but was subsequently covered due to an issue raised at another Deloitte client, which was considered as being significant to warrant inclusion of this area in this audit in order to prevent the risk of potential fraud. Despite this, we did not undertake any specific testing nor were we made aware of any particular issues by management relating to this Council. Issues have also been raised over controls relating to credit balances, refunds, discounts, exemptions and reliefs, suppression of debt recovery and write offs. In addition it was not possible to carry out full audit testing in relation to credit balances, refunds and write offs due to the lack of controls in place. It was noted that controls had lapsed in relation to timeliness of issuing bills in relation to amended accounts between April 2012 and September 2012. However, testing of the more recent months of October 2012 and December 2012 have confirmed that the issues have since been rectified and we therefore do not regard it necessary to incorporate a recommendation focusing on this matter, within our current audit report. The consequences of the systems migration have also adversely impacted on auditor input in terms of access to information being supported by the old (prior to May 2012) and new th systems (from 28 May 2012). Furthermore, some issues that we initially noted during the course of our fieldwork, were subsequently addressed prior to formally reporting our findings, and this then led to a need to further update the draft audit report, supporting working papers and test schedules. st It is also acknowledged that since receipt of the final information provided to audit on 1 February 2013, that management has taken steps in the areas reported upon in the findings of this report to improve controls. At the time of reporting, management has indicated that action has been taken to address issues relating to three of the six medium priority rated recommendations and one of the two low priority recommendations. We will be verifying implementation of these recommendations and any further action taken, in the course of our audit follow up work later in the year. 35 Positive Findings We found that the Council has demonstrated areas where sound controls are in place and operating consistently, in particular: Suspense accounts are subject to regular review and monitored on a regular basis. Performance information and collection rates are monitored against target rates and NNDR is currently above targeted percentages. Returned cheques and rejected direct debits are recorded and are correctly actioned Control weaknesses to be addressed No high priority recommendations have been raised as a result of this audit During our work we have identified the following key areas where we believe that the processes / arrangements within North Norfolk Council would benefit from being strengthened, and as a result of these findings medium priority recommendations have been made. Reconciliation of refunds to the general ledger was not undertaken between April 2012 and September 2012. There are no controls in place with regards to the independent checking of discounts, exemptions and reliefs, including retrospective void reliefs. Arrears reports regarding monitoring and collection of outstanding debts were not produced from May 2012 to January 2013. Outstanding amounts were monitored through „Reminders‟ and „Summons‟ reports instead although these controls do not fully mitigate the risks of debts being held in abeyance unnecessarily. Suppression reports for CT were not produced from May 2012 to October 2012 due to the recent system restructuring. Write-offs have not been processed for CT since May 2012. Regarding NNDR, 188 cases of greater than £25 are pending Senior Management‟s authorisation. Summary of the adequacy and effectiveness of controls Area of Scope Adequacy and Effectiveness Assessments Valuation and Billing Billing Collection of Income Suspense Account Reconciliation to the General Ledger Refunds and Transfers Discounts, Exemptions and Reliefs Arrears Recovery Writs Offs IT Security Adequacy of Controls Effectiveness of Controls Green Green Green Green Green Green Amber Green High 0 0 0 0 Medium 0 0 0 0 Low 0 0 1 0 Green Amber 0 1 0 Green Amber 0 1* 0 Amber Amber 0 3 0 Green Green Green Amber Amber Green 0 0 0 0 1 0 1 0 0 0 6 2 Total Recommendations Raised *- The assurance level in this area also takes account of recommendations relating to the Collection of Income and the Reconciliaiton to the General Ledger. Management Responses Management have accepted the recommendations raised and by the time of reporting to Committee, had given assurances that 4 recommendations (2 medium and 2 low) had been implemented. We will be verifying this position in the course of our next round of audit follow up work. 36 Appendix E (2) Report No. NN13/08 – Final Report issued 4 April 2013 Audit Report on Payroll and Human Resources Assurance Opinion Unsatisfactory Assurance Limited Assurance Adequate Assurance Good Assurance Rationale supporting the award of the opinion The audit work carried out indicated that there is basically a sound system of internal control within Payroll and HR, however there are weaknesses that can be addressed through the recommendations raised, which will mitigate risks further. The opinion results from the fact that two medium and three low priority recommendations have been raised, which has reduced the assurance level from the previous audit. Issues have been raised over controls relating to updating policy and procedures, staff verification checks, performance management, completion of expense claim forms, and mobile phones issued to staff for business use. Additionally, it was not possible to carry out audit testing across the financial year in relation to amendments made to payroll records, due to the lack of system reports available. At the time of the audit there was also no guidance or agreement in place for staff in relation to mobile phones. A draft 'Agreement for a Work Funded Mobile Phone or Device' has been created, and the IT Manager and Head of Organisational Development are currently consulting other department leads for suggestions and improvements. Positive Findings We found that the Council has demonstrated the following points of good practice as identified in this review and we will be sharing details of these operational provisions with other member authorities in the Consortium: A spreadsheet of CRB and DBS checks is in place, which shows when each check was conducted, and these are re-performed after three years have elapsed in order to confirm that staff are still eligible. It is also acknowledged there are areas where sound controls are in place and operating consistently: All new starters and leavers documentation sampled was in place, complete and had been updated on the system in a timely manner. All sampled amendments made by the Payroll Officer were found to have been checked by another member of the team through examination of the supporting documentation against the change as implemented on the Payroll system, and is signed off and dated by the performing officer. The access rights of system users sampled on the Resourcelink payroll system were found to be up to date. Staff and managers are required to check all expense claims submitted and to confirm by signature that the details on each claim are correct. Line managers are also required to confirm that all staff using cars for Council business have the appropriate licence, insurance, MOT and vehicle excise duty documentation in place. 37 Control weaknesses to be addressed No high priority recommendations have been raised as a result of this audit. During our work we have identified the following key areas where we believe that the processes within the Council could be improved or would benefit from being operated more effectively, and as a result of these findings one medium priority recommendation has been made: A review of mobile phone contract, issuance, billing, and returns management and controls has not been scheduled. This review is necessary in order to investigate potential solutions to known issues in this area that have previously been identified by the IT Manager, including cost management and administration, contractual obligations and service levels received, lack of central electronic records of mobile phones issued to staff, and lack of approved corporate guidance and user agreements for mobile usage. A further four low priority recommendations have also been made to address minor control weaknesses. Summary of the adequacy and effectiveness of controls Area of Scope Adequacy and Effectiveness Assessments Policies and Procedures Starters and Leavers Deductions and Changes to Payroll Records Payments and Financial Records HR and Organisational Development Officers‟ Expenses Use of Mobile Phones Adequacy of Controls Effectiveness of Controls Recommendations Raised High Medium Low Green Amber 0 0 1 Green Green 0 0 0 Green Green 0 0 0 Green Green 0 0 0 Green Amber 0 0 2 Green Amber 0 0 1 Green Amber 0 1 0 0 1 4 Total 38 Management Responses Management have disagreed with one recommendations made – see below for further details. Policy and Procedures (Recommendation 1 – Low Priority Rating) Policies and procedures relating to payroll should be reviewed on a regular basis and updated as required. The version history record should be updated with the date of review. Recommendation developed from following Finding The version history for payroll processing procedures documents that these have not been subject to review since August 2011. Management advised that the procedures have been subject to review, but not annotated to provide evidence as such. Rationale supporting this Recommendation Reviewing policies and procedures on a regular basis helps to confirm they are up to date, accurate and contain any new information that has arisen since the documents were last updated. Management Response This recommendation is not accepted as discussed with the auditor on site. Where changes to procedures take place, the appropriate documents are amended on the system. It was explained that unless changes take place, we do not periodically check and print off procedure notes simply to update the version history. When changes need to be made, they are made otherwise we know the procedure notes are correct. This would not be a good use of our time and does not add anything to the process. Audit Comment We acknowledge management‟s comments although consider version control to be good practice so as to prevent the stated risks from materialising. 39 Appendix E (3) Report No. NN13/09 – Final Report issued 22 May 2013 Audit Report on Housing and Council Tax Benefit Assurance Opinion Unsatisfactory Assurance Limited Assurance Adequate Assurance Good Assurance Rationale supporting the award of the opinion In order to provide appropriate context to our rationale, it is noted that during 2012/13, NNDC entered into a shared service partnership arrangement for the provision of Revenues and Benefits Services with BCKL&WN. All existing data was transferred to a new, jointly procured Revenues and Benefits system from Civica, with IT services being hosted by th BCKL&WN. Data migration took place on 28 May 2012 although had to be transferred back th th on 13 and 14 January 2013 following recommendations by the partnership Steering Group in response to significant operational issues arising. There is evidence that the control environment has been compromised during systems migration, with several controls that had been confirmed as adequate and effective during 2010/11 as per the previous audit in this area (NN/11/09 final report issued April 2011) having subsequently lapsed during 2012/13. This opinion results from the fact that one high and four medium priority recommendations have been raised. Weaknesses resulting in a high priority recommendation have been identified regarding the processing of new claims and amendments to existing claims. At the time of the audit, scrutiny of management information generated in December 2012 confirmed that 1,464 cases remained outstanding. We do acknowledge however that previous management information extracted in October 2012 had identified 5,172 outstanding cases. This though compares to a weekly average for new claims and changes of 948 for the period th th 26 March 2012 to 6 May 2012 when the old Civica system was closed down prior to data conversion. This is in relation to a local target of 20 days for processing new claims and seven days for processing changes of circumstances. The outturn figures for the whole of 2012/13 were 30 days for new claims and 18 days for processing changes. Issues have also been identified regarding the lack of regular review and prompt processing of items in suspense and identifying and processing cases for write-off, the lack of restricted access for members of staff who have declared personal interests in existing claims and the timeliness in the processing of appeals and reconsiderations. As a consequence of the new partnership working arrangements with BCKL&WN, it was noted that monitoring of outstanding overpayment reports had not been regularly undertaken since the end of May 2012 when the new Civica system was introduced. One report was rd produced on 23 November 2012, in order to monitor and process all the outstanding overpayments since April 2012. However, through top up testing completed as part of our audit on the work to support the preparation of the Annual Governance Statement (AGS) – (NN/13/11), we established that reports had been produced and details checked thereafter as confirmed through sight of the reports for January and February 2013. We therefore do not regard it necessary to incorporate a recommendation focusing on this matter, within our current audit report. The consequences of the systems migration have also adversely impacted on auditor input in terms of access to information being supported by the old (prior to May 2012) and new th systems (from 28 May 2012). Furthermore, some issues that we initially noted during the course of our fieldwork, were subsequently addressed prior to formally reporting our findings, 40 and this then led to a need to further update the draft audit report, supporting working papers and test schedules. Positive Findings We found that the Council has demonstrated areas where sound controls are in place and operating consistently, in particular: Up to date procedures for housing and council tax benefit are in place and reflect current legislative practice and are communicated to staff Staff training takes into account issues arising from the quality control processes. We th nd also noted that that due to the system migration in May 2012, from 24 May to 2 September 2012 instead of a 4% check the Council performed a 20% check in order to secure a smooth transition into the new system and minimise any associated risks. Applications are securely received with documentary evidence present to support the accuracy and validity of new applications and changes in circumstances. There is also consistency between the electronic document system and the benefits system. Backdated applications are processed and paid in line with legislative requirements and / or where good cause is demonstrated and supported with documentary evidence. Discretionary payments are based on applications received with supporting evidence with segregation of duty between the processing and authorising of payments. Control weaknesses to be addressed During our work we have identified the following key areas where we believe that the processes / arrangements within NNNDC would benefit from being strengthened, and as a result of these findings one high priority recommendation has been made. High priority recommendation: Data from the weekly workflow reports for the period April 2012 to December 2012 showed a significant amount of outstanding cases regarding new claims and amendments pending to be processed. Four medium priority recommendations have also been made. Delays in clearing the suspense account were noted with 42 items dated between April 2012 and January 2013, totalling £2,991.66, to be resolved at the time of our review. This included one item dated July 2012 and two further items from October 2012. Monthly write-off reports were found not to be consistently produced between April 2012 and December 2012 with only one report produced in October 2012. Declaration forms, for staff declaring a personal interest in specific benefit claims, have been completed. However, those completed since November 2012 had not been processed on Civica, in order to restrict the levels of access to those accounts declared. Appeals have not been processed in a timely manner as a consequence of the recent Council restructuring and the development of the partnership arrangement with BCKL&WN. Furthermore, since April 2012, there had been 35 reconsiderations. We examined 10 and found that eight took more than a month to resolve. 41 Summary of the adequacy and effectiveness of controls Area of Scope Adequacy and Effectiveness Assessments Procedures and Legislation Receipt of Applications Assessment of Applications Payment of Housing Benefit Overpayments, Arrears and Write Offs Fraud and Interventions Backdated Claims Discretionary Claims Appeals Adequacy of Controls Effectiveness of Controls Recommendations Raised High Medium Low Green Green 0 0 0 Green Green 0 0 0 Green Red 1 0 0 Green Amber 0 1 0 Green Amber 0 1 0 Amber Amber 0 1 0 Green Green 0 0 0 Green Green 0 0 0 Green Amber 0 1 0 1 4 0 Total Management Responses Management have accepted the recommendations raised, but disputed the high priority rating attaching to our recommendation that new claims and amendments should be dealt with promptly, requesting that it be changed to a medium rating. Extra information was submitted by management in support of revising the rating but in our professional judgement, there was not appropriate grounds for redefining the priority level applied. An extract from the Audit Report‟s Action Plan is duly attached to provide more information on this matter. With reference to the delivery of the agreed audit recommendations, management have specified that the 4 medium priority recommendations have been delivered by the time of presenting this management summary to Committee and that further work is ongoing regarding the high priority recommendation. We will be verifying this position in the course of our next round of audit follow up work. 42 3 Action Plan for NN/13/09 Housing and Council Tax Benefit Assessment of Applications Recommendation 1 – New claims and amendments should be dealt with promptly No. Finding and Risk Recommendation and Rationale Priority Management response and action Deadline and responsibility 1. Finding – As a consequence of the new partnership working arrangements with BCKL&WN, significant increases in processing new claims and changes to circumstances were noted. From the report produced on 9th December 2012, the number of outstanding cases for both new claims and amendments was 1,464. Recommendation – New claims and amendments should be processed in a timely manner, in particular within set targets wherever possible. If targets are not being achieved then management should take the necessary actions to address the reasons for not doing so. High Strongly disagree with this rating. The outstanding cases as at Dec 12 was 1464 however the report reads as if these cases had been outstanding since April 12 which was not the position. The introduction acknowledges that since Oct 12 to Dec 12 there had been a substantial improvement – during the life of this audit. However this is not reflected in this rating. Processing times for the year were new claims 30 days and change of circs 18 days. Below are the processing times for the other LAS in Norfolk. Work in progress – 30/06/13 We acknowledge that this figure had decreased significantly from the 5,172 cases reported as at week th ending 7 October 2012. This compares to a Rationale – Regular and timely processing of new applications and/or amendments for Housing and Council Tax Benefits will help to confirm that the Council applies the social strategy it has set in place, provides applicants with appropriate levels of housing benefit in a timely manner and in so doing, meets the targets set in relation to the payment of LA New Claims Changes Broadland 28 12 Breckland - - GYBC 26 9 Kings Lynn 28 23 NNDC 30 18 Norwich City 40 16 43 No. Finding and Risk Recommendation and Rationale weekly average of new claims and changes of th 948 for the period 26 th March 2012 to 6 May 2012 when the old Civica system was closed down prior to data conversion. benefits and the reassessment of benefits when claimants‟ personal circumstances change. We also established that the Council has set a local target of 20 days for processing new claims and seven days for processing changes of circumstances. Having subsequently obtained the outturn figures for the whole of 2012/13 we established that new claims were processed in 30 days and changes in 18. We were informed by the Revenues and Benefits Manager that it became apparent with the problems following the data Priority Management response and action SNC 10 Deadline and responsibility 7 Currently new claims 17 days and changes 7.45 days. The recommendation states we need to action claims in a timely manner – what is audits recommendation to enable this to become a smart objective. It was acknowledged in Cabinet reports that with the data conversion performance would be compromised. Additional staff were recruited, however what was not envisaged was the subsequent un reliability of the Citrix link to Kings Lynn where NNDC data was held. This severely impacted on performance and staff morale across the service. It was not th addressed until the data was returned to NNDC 13/14 Jan13. Obviously the workloads did increase following year end March/April 13. Audit Comment We acknowledge management‟s comments which have th been discussed in detail at an exit meeting on 8 May 2013 and having reviewed additional information. This resulted in some updates to the actual findings and recommendation but has not resulted in any change to the high priority rating due to the associated risks as stated. We have therefore th inserted an implementation date of 30 June 2013 in order to revisit performance with the 2013/14 targets for processing new claims and changes of circumstances. 44 No. Finding and Risk Recommendation and Rationale Priority Management response and action conversion that the above targets were not achievable. The Revenues and Benefits Manager also advised that no monitoring was possible between July - Sept 2012 due to the problems with the system and understanding what the system reported on. Reporting of performance then resumed from October 2012 onwards. Targets of 18 and nine days respectively have been set for 2013/14. From benchmarking against six other Norfolk authorities, NNDC‟s outturn of 30 days for processing new claims was the second longest period; the longest reported was 40 days. It was also the second 45 Deadline and responsibility No. Finding and Risk Recommendation and Rationale Priority Management response and action longest for processing changes of circumstances with the longest being 23 days. Risk – Where outstanding items in respect of new claims and amendments are not processed in a timely fashion, there is a risk that housing benefits are being paid at an inappropriate rate, or of greater concern, not paid at all to eligible claimants, potentially creating cases of hardship. 46 Deadline and responsibility Appendix E (4) Report No. NN13/10 – Final Report issued 9 April 2013 Audit Report on Exchequer Services Assurance Opinion Unsatisfactory Assurance Limited Assurance Adequate Assurance Good Assurance Rationale supporting the award of the opinion The audit work carried out by Internal Audit indicated that there is a basically sound system of internal controls within the Council regarding Exchequer Services and Insurances. However there are weaknesses that can be addressed to give the Council greater assurance that their objectives are mitigated from risk. As part of this audit, we have raised one medium priority recommendation and three low priority recommendations. The medium priority recommendation relates to the utilisation of the Council‟s electronic purchase ordering system. It had previously been reported that the use of manual coding slips had been phased out and staff had been trained to ensure the electronic purchasing order system was utilised. However, it is apparent that the manual forms are still in use, which increases the risk of committing to expenditure that is not within budget, nor appropriately approved. In addition, one medium priority recommendation in relation to strengthening budgetary controls raised in the previous audit of Exchequer Services (NN/11/08) remains outstanding. Positive Findings It is acknowledged there are areas where sound controls are in place and operating consistently. Controls are in operation with regards to the following areas of scope, in particular; policies, procedures and systems; VAT and insurances. Testing of five months of reconciliations between the Human Resources (HR) list of leavers and joiners and the system access rights confirmed that access rights were correctly aligned to the officer‟s responsibilities and are changed when appropriate. With review of the E-financials system also confirming that there are only four users of the system who have administrative access. Segregation of duties exists throughout all types of payment processing, both through the electronic purchase ordering system; in the absence of an electronic order all invoices are attached to a code box which demonstrates segregation of duties between the officer goods receipting the invoice and the officer authorising the invoice for payment. Control weaknesses to be addressed No high priority recommendations have been raised as a result of this audit. During our work we have identified the following key area where we believe that the processes / arrangements within Exchequer Services would benefit from being strengthened, and as a result of these findings, a medium priority recommendation has been raised: We established that some purchases are being made without using the electronic purchasing ordering system, but instead, are being processed using the manual 47 coding slips, which are ordinarily applied where no orders are required e.g. precept payments to town and parish councils, grant payments, utilities. A recommendation has been raised to address this issue We also noted that despite no cases appearing in our test sample, the Council is still using manual orders. In the previous audit report of Exchequer Services (NN/11/08), a recommendation was raised to phase out manual purchase order pads and to utilise the electronic purchase ordering system. The recommendation was subsequently closed as a result of the internal audit follow up process, after being advised by management that manual purchase order pads had been phased out from August 2011. However, we have since been advised by the Head of Finance that this was a misunderstanding and that the Council still requires the use of manual orders, for example, officers within Property Services when they are out of the office and need to make a purchase at a supplier where the Council has an account. Therefore, the recommendation is not restated although a new recommendation has been developed, advocating the use of the electronic purchase ordering system wherever possible. In addition, three low priority recommendations have been raised in respect of; prompt processing of invoices; signing of pre-payment reports; and providing supporting records for purchases made through corporate credit cards. Furthermore, one medium priority recommendation remains outstanding from the previous audit (NN/11/08) regarding utilising the budgetary controls within the electronic purchase ordering system. The Council currently makes available on the website all spend over £500, in line with the Governments Transparency Agenda. The Department for Communities and Local Government (DCLG) want to encourage Council‟s to display payments over £250; North Norfolk may therefore want to consider implementing this enhancement to follow recommended practice. Summary of the adequacy and effectiveness of controls Area of Scope Adequacy and Effectiveness Assessments Policy, Procedure and Systems Ordering Creditors VAT Visa Purchase Cards Insurances Adequacy of Controls Effectiveness of Controls Recommendations Raised High Medium Low Green Green 0 0 0 Amber* Amber Green Amber Amber Green 0 0 0 1 0 0 0 2 0 Green Amber 0 0 1 Green Green 0 0 0 0 1 3 Total * One medium priority recommendation remains outstanding from the previous audit of Exchequer Services (NN/11/08) which impacts the „adequacy of controls‟ rating for this area. Management Responses Management have disagreed with one recommendations made – see overleaf for further details. 48 Creditors - Pre-Payment Run Reports (Recommendation 3 – Low Priority Rating) Pre-payment run reports should be signed and dated by the officer checking the accuracy of input of invoice batches. Recommendation developed from following Finding Weekly Pre-payment run reports are checked by the Exchequer Assistants prior to processing the payment run, to confirm that invoice batches have been entered correctly. Although there was evidence to suggest checking takes place through tick checks, the Pre-payment run reports are not signed or dated by the officer to confirm this level of check. Rationale supporting this Recommendation Signing Pre-payment run reports helps to confirm that an officer has checked the accuracy of invoice batches prior to payment and ensures accountability. Management Response Not agreed - The detail of each batch is checked back to the original invoice to confirm correct supplier and amount prior to being submitted to be included on the proposed payment listing. The fact that the batches are clearly ‟ticked‟ off (line by line) provides sufficient evidence to be honest this recommendation appears to be somewhat tenuous and unnecessary. Audit Comment We acknowledge management‟s comments, however, still consider the recommendation valid in so far as a „tick‟ can be applied by any person, whereas initialling or signing the report provides greater evidence as to who has actually undertaken those checks. This provides improved audit trail over accountability in terms of who actually applied those checks, particularly in the event of an issue with a payment coming to light where responsibility for having applied those checks can be easily identified. 49 Appendix E (5) Report No. NN/13/11 – Final Report issued 21 May 2013 Audit Report on Work to Support the Preparation of the Annual Governance Statement Assurance Opinions Key System Fixed Assets Covered in 2012 / 13 No General Ledger No Debtors/Accounts No Receivable Cash No Treasury No Management – Date of Review N/A Audit Ref. Opinion N/A Adequate No. of recs 0 N/A N/A Adequate 0 N/A N/A Adequate 0 N/A N/A Adequate 1* N/A N/A Adequate 0 Investments/Loans Budgetary Control No N/A N/A Adequate 0 Car Parks Income No N/A N/A Adequate 1* Payroll Yes NN/13/08 Adequate 5 NN/13/10 Adequate 4 NN/13/07 Limited 8 NN/13/09 Limited 5 N/A Adequate 0 Creditors/Accounts Payable Yes Council Tax and National-Non Yes 2013 December December Yes Benefits Framework January 2012 Housing Benefits Assurance 2013 November / Domestic Rates and Council Tax January 2012 / January 2013 No N/A * - Denotes additional recommendations made in this AGS report. Rationale supporting the award of the opinion There are a number of key controls within the material systems as agreed with External Audit and the Head of Internal Audit at North Norfolk District Council that are required to be covered by Internal Audit each financial year. Under the agreed Internal Audit Plan for 2012 / 13, a number of these material systems have been reported on in detail and those key controls have been addressed in each system reviewed. Recommendations have been raised in these individual audit reports and the issues identified in this report should be viewed in conjunction with those reports. This report provides the top up testing for these material systems, thus ensuring the systems are subject to full year testing. These are identified at Appendix A as “Key Controls subject to full systems review in 2012 / 13”. 50 We have also reviewed controls in the material systems that were not covered as part of the agreed Internal Audit Plan for 2012 / 13, these are identified at Appendix A as “Key Controls not subject to full systems review in 2012 / 13”. As a result of this work two further recommendations have been made in the areas of Cash, in particular over bank reconciliations and Car Parks Income with regards reconciling income, both carrying a medium priority rating. Positive Findings Assurance statements are issued to managers to provide assurance over the areas of their responsibility. Administration of the assurance statement process is undertaken by the Policy and Performance Management Officer. Testing of the process for the issue and receipt of assurance statements during 2011/12 highlighted no issues. For 2012/13, statements have been sent out to the responsible managers with a return deadline on 19/04/2013. Findings of the assurance review are presented to Cabinet on an annual basis. Please refer to Appendix F for full details of the assurance statements. High Priority Recommendations No high priority recommendations have been raised as a result of this audit Management Responses Management have accepted the recommendation raised. 51 Appendix E (6) Report No. NN13/12 – Final Report issued 15 May 2013 Audit Report on Corporate Governance and Risk Management Assurance Opinion We have provided two separate Assurance Opinions; one for Corporate Governance to reflect an improvement since the previous review and one for Risk Management to reflect no change since the last time this area was audited by Deloitte. Corporate Governance Unsatisfactory Assurance Limited Assurance Adequate Assurance Good Assurance Limited Assurance Adequate Assurance Good Assurance Risk Management Unsatisfactory Assurance Rationale supporting the award of the opinion The audit work carried out indicated that there is basically a sound system of internal control within corporate governance and risk management although with some control weaknesses where it has been necessary to develop audit recommendations, designed to further strengthen risk management provisions. The two opinions result from the fact that one low priority recommendation has been raised with regards corporate governance compared to the previous review which included one medium and two low priority recommendations; hence an improved direction of travel. Whilst risk management was omitted from the previous audit (NN/12/10 – issued February 2012) due to the Council being in the process of reviewing its risk management arrangements at that time, the previous report (NN/11/11 issued in April 2011) raised one medium and one low recommendation related to risk management, which similarly compares with one medium and one low priority recommendations in this report. Recommendations have been raised in respect of the following corporate governance and risk management weaknesses: Corporate Governance  We found a lack of up to date and approved Terms of Reference (ToR) with respect to the Performance and Risk Management Board (P&RMB). Risk Management  The Council's Risk Management Framework was scheduled for review by December 2012 to help confirm it reflected new operational arrangements which have been subject to development since April 2012, however, the exercise has yet to be completed.  The presentation of the Corporate Risk Register to the Audit Committee should be more frequent / formalised since it has not been tabled since June 2012; and processes to confirm that all risks are subject to regular review needs enhancing and was not on the work plan to be re-examined until June 2013. The existing Risk 52 Management Framework requires that the Corporate Risk Register is presented to the Audit Committee twice during the year. Positive Findings We found that the Council has demonstrated the following points of good practice as identified in this review and we will be sharing details of these operational provisions with other member authorities in the Consortium: The Council has undertaken a full review of its governance arrangements following the management restructuring during 2012/13, culminating in the updating of its Constitution, including the Scheme of Delegation. Outcomes of this review have been documented, and were subject to levels of scrutiny through an evident consultation process, with formal approvals granted from both the Constitution Working Party (CWP) and Full Council. Up to date ToR have been approved for the revised Management Team (Formerly Senior Management Team). It is also acknowledged there are areas where sound controls are in place and operating consistently: Mechanisms have been developed to help identify and assess both service and corporate level risks to the organisation, reviewing the likelihood of their materialising and their potential impact on the Council‟s achievement of its objectives. This includes the Policy and Performance Management Officer taking a central role in this process by meeting with heads of service every six months to work through existing risks falling within their responsibility and which acts as „on job training‟. The committee reporting template prompts officers to identify the risk implications of new initiatives and modified service provisions. This is used as a checklist to help ensure that reports are produced that meet key requirements and can therefore be reasonably relied upon for the purposes of decision making. There is consultation with relevant officers and managers when constructing committee reports to confirm their accuracy including risk considerations. The Corporate Leadership Team (CLT) attends both Cabinet meetings and also the P&RMB meetings as a matter of course. This process therefore allows for a joined up approach whereby senior officers are aware of, and can escalate any concerns, as and when required. Both meetings cover key risk elements, with the P&RMB in particular receiving a full copy of the Corporate Risk Register twice a year. Testing confirmed ToR had been adhered to for the sample of committee meetings tested across the following committees: Cabinet, Overview and Scrutiny Committee; Development Committee; Licensing Committee. This included evidence of compliance with levels of scrutiny performed by the Overview and Scrutiny Committee. Control weaknesses to be addressed No high priority recommendations have been raised as a result of this audit. During our work we have identified the following key areas where we believe that the processes within the Council could be improved or would benefit from being operated more effectively, and as a result of these findings one medium priority recommendation has been made: The Audit Committee should receive a copy of the Corporate Risk Register on a regular basis throughout the year (this was last tabled in June 2012 from the evidence available). Subsequent tabling was not expected until June 2013. 53 Summary of the adequacy and effectiveness of controls Area of Scope Adequacy and Effectiveness Assessments Corporate Governance Risk Management Committee Activities and Decision Making Adequacy of Controls Effectiveness of Controls Recommendations Raised High Medium Low Green Amber 0 0 1 Green Amber 0 1 1 Green Green 0 0 0 0 1 2 Total *Excludes one recommendation included in the report on Partnerships (NN/13/05) issued January 2013 relating to the need for a Partnership Framework. Management Responses Management have accepted the recommendations raised. 54 Appendix E (7) Report No. NN13/16 – Final Report issued 26 April 2013 Audit Report on ABS eFinancials Application Assurance Opinion Unsatisfactory Assurance Limited Assurance Adequate Assurance Good Assurance Rationale supporting the award of the opinion The audit work carried out by Internal Audit indicated that there is a basically sound system of internal controls within the Council regarding the eFinancials Application. However, there are weaknesses that can be addressed to give the Council greater assurance that their objectives are mitigated from risk. This area was last audited in 2009 and, as detailed above; this audit has confirmed that the weaknesses previously identified have all been mitigated through the implementation of the recommendations. Areas where weaknesses were previously identified included Access Controls, Backup and Recovery and Support Arrangements and Change Control. As part of this audit, we have raised two low recommendations in relation to Backup and Recovery and Access Controls, having recognised an issue with a review of the Business Continuity arrangements and a minor aspect in exploiting some newly available system functionality. Positive Findings We found the Council has a number of areas where sound controls have been developed and were found to be operating consistently: The application has adequate password controls; Role profiles are in place to control access to the application according to need; Interface reconciliation controls are in place; Audit trail functionality is active and available on demand; and Support arrangements were in place and change was being appropriately managed. Control weaknesses to be addressed No high priority recommendations have been raised as a result of this audit. During our work we have identified the following area where we believe that the processes / arrangement within the ABS eFinancials application would benefit from being strengthened, however, as a result of this issue having been previously identified by management who are working to resolve this issue, a formal recommendation has not been raised. A number of users have the ability to set up their own accounts receivable 'suppliers', which has resulted in duplications. In addition, two low priority recommendations have been raised in respect of; reviewing the business continuity plan, and running and reviewing the newly available „database connections‟ report on a regular basis to assist in the identification of any unauthorised connections. 55 Summary of the adequacy and effectiveness of controls Area of Scope Adequacy and Effectiveness Assessments Access Controls Data Processing Interfaces Management Trails Backup and Recovery Support arrangements and Change Controls Adequacy of Controls Effectiveness of Controls Recommendations Raised High Medium Low 1 Amber Amber 0 0 Amber Amber 0 0* 0 Green Green 0 0 0 Green Green 0 0 0 Amber Amber 0 0 1 Green Green 0 0 0 0 0* Total 1 1 2 *1 A control weakness was identified whereby certain users have the ability to set up their own accounts receivable 'suppliers', which has resulted in duplications; however, as this weakness had been identified by management who are working to resolve them, a formal recommendation has not been made. Management Responses Management have disagreed with one recommendations made – see below for further details. Access Controls – Database Connections Report (Recommendation 1 – Low Priority Rating) The Database connections report should be run and reviewed on a periodic basis. Recommendation developed from following Finding The audit noted that the application has the ability to report on "database connections" over a time period that can be specified by the system administrator. This is a new function that has become available since the application upgrade completed in February 2013. The report has been reviewed, although there has been no continued review process given its recent implementation. Rationale supporting this Recommendation Reviewing the database connections report will assist in the early identification of potential sustained and irregular activity. Management Response Management do not agree with this recommendation. The reasons for this are as follows: Database Connections report would monitor failed logons and enable user access to be monitored. There are satisfactory controls in place already for setting up new users, limiting access and also removing leavers from the system. Individual access is limited so that Officers only have access to what is required for their job role. 56 A recent review of all users access has been conducted and each individuals access signed off by the manager. In relation to failed logins, after three unsuccessful attempts the user would need to contact the administrator to be reset, which also provides a control in itself. Audit Comment Whilst we acknowledge management comments about the controls identified above; with the exception of the automatic lock out of accounts after a pre-set number of failed access attempts, these are not directly related to the risk we are looking to mitigate against. We believe that this report, extracted on a weekly or monthly basis, could be used to identify sustained and irregular activity that is occurring. Examples of this activity could be excessive attempts to access accounts that would indicate a „brute force‟ type attacks to compromise passwords, this is even more important where there are accounts that are not subject to the failed log-in controls for example built in „administrator‟ type accounts. This functionality would also provide additional information on activity that could be used to identify where other types of attacks are occurring, for example an attempted Denial of Service (DoS) attack where the automated lock out control is used to lock out legitimate users out of the system. 57 Appendix G Norfolk Internal Audit Consortium Definitions / Categories of Audit Opinions relating to Individual Audit Assignments Deloitte and Touche Public Sector Internal Audit Ltd have four categories of audit opinion, by which they classify internal audit assurance over the processes that they have examined, and these are defined as follows: Good Assurance There is a sound system of internal control designed to achieve the client’s objectives. The control processes tested are being consistently applied. Adequate Assurance While there is a basically sound system of internal control, there are weaknesses, which put some of the client’s objectives at risk. There is evidence that the level of non-compliance with some of the control processes may put some of the client’s objectives at risk. Limited Assurance Weaknesses in the system of internal controls are such as to put the client’s objectives at risk. The level of non-compliance puts the client’s objectives at risk. Unsatisfactory Assurance Control processes are generally weak leaving the processes/systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes/systems open to error or abuse. The assurance gradings provided above are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board and as such the grading of ‘Good Assurance’ does not imply that there are no risks to the stated objectives. 58 Appendix H North Norfolk District Council Map of Audit Assurances provided since 2008/09 2008-09 2009-10 2010-11 2011-12 Adequate Adequate Adequate Adequate 2012-13 Annual Opinion Audits Corporate Governance and Risk Management Corporate Governance Risk Management Good Adequate Ethical Governance Adequate One-off audit AGS - Assurance Framework Adequate Key - AGS relates to Work to Support the preparation of the Annual Governance Statement. This work scrutinises key controls only, rather than providing for an in-depth review of systems in their entirety and because of this, the type of assurance that we are able to give is restricted to adequate or limited. Fundamental Financial Systems Sundry Debtors AGS - Sundry Debtors Remittances AGS - Cash Accountancy Services AGS - Fixed Assets AGS - General Ledger AGS - Treasury Management AGS - Budgetary Control Housing Benefits Council Tax / NNDR Exchequer/Creditors Payroll / HR Budgetary Control Revenues and Benefits Partnership - Data Transfer, Governance and Risk Adequate Limited Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Limited Limited Adequate Adequate Adequate Adequate Adequate Good Good Incorporated into accountancy Adequate Head of Economic and Community Development Tourism and Economic Development Foreshore and coastal management / Coastal Change and Pathfinder Management Adequate Homelessness and Strategic Housing Affordable Housing Adequate Private Sector Housing and Disabled Facilities Grants Adequate Communities and Safety Adequate Good Adequate Adequate Good Adequate Absorbed into future audits concerning Localism and Communities Limited Head of Development Management & Head of Economic and Community Development Development Management, Planning, s106 Agreements, Community Infrastructure Levy and Land Charges Adequate Head of Assets and Leisure & Head of Economic and Community Development Partnerships Limited Head of Environmental Health Waste Management Environmental Health Head of Assets and Leisure Sports Halls/Centres Leisure Complexes Property Services Car Parking and Markets AGS - Car Park Income Limited Adequate Adequate Limited Limited Adequate Adequate Adequate Limited Adequate Adequate Adequate Limited Adequate May 2013 59 Appendix H North Norfolk District Council Map of Audit Assurances provided since 2008/09 Head of Assets and Leisure & Head of Environmental Health Parks and Open Spaces Limited Head of Organisational Development Elections / Electoral Registration Data Quality Adequate Performance Management, Corporate Policy, Planning Adequate Limited Adequate Head of Finance Projects and Procurement Car Allowances Adequate Good Good Discontinued as NI's ending Deferred to 2012/13 Business Manager (Corporate and Democratic Services) Legal Services, Data Protection, Freedom of Information Head of Legal Whistleblowing Concessionary Fares Adequate Unsatisfactory Adequate Adequate One-off audit Function transferred to County Council Adequate Adequate One-off audit IT Audits General Ledger/Cedar Financials Application Project Management General IT Controls Cash Receipting Document Imaging - Civica Revenues and Benefits IT Security IT Security, Procurement and End User Controls Software Licensing Revenues and Benefits Application Network Infrastructure Business Continuity Data Centre, Back Up, Disaster Recovery Data Consistency Payroll and Personnel Content Management Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Limited Limited Adequate Adequate Adequate Adequate May 2013 60 Appendix I Limitations and Responsibilities Limitations inherent to the Internal Auditor’s work I have prepared the Internal Audit Annual Report and engaged Deloitte (the Internal Audit Services contractor) to undertake the agreed programme of work as approved by management and the Audit Committee, subject to the limitations outlined below. Opinions The opinions expressed are based solely on the work undertaken in delivering the approved 2012/13 Annual Audit Plan, which originally involved 212 days, although this figure was then revised in year to 231.6 days. The work addressed the risks and control objectives agreed for each individual planned assignment as set out in the corresponding audit briefs and reports. Internal Control The system of internal control is designed to manage risk to a reasonable level rather than to eliminate the risk of failure to achieve corporate/service policies, aims and objectives: it can therefore only provide reasonable and not absolute assurance of effectiveness. Internal control systems essentially rely on an ongoing process of identifying and prioritising the risks to the achievement of the organisation’s policies, aims and objectives, evaluating the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically. That said, internal control systems, no matter how well they have been constructed and operated, are affected by inherent limitations. These include the possibility of poor judgement in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances. Future Periods Internal Audit’s assessment of controls relating to North Norfolk District Council is for the year ended 31 March 2013. Historic evaluation of effectiveness may not be relevant to future periods due to the risk that:  The design of controls may become inadequate because of changes in the operating environment, law, regulation or other matters; or,  The degree of compliance with policies and procedures may detiorate. The timings of the individual internal audit reviews carried out in relation to the 2012/13 Audit Plan are recorded in Appendix A to this report. Responsibilities of Management and Internal Auditors It is management’s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal Audit work should not be seen as a substitute for management’s responsibilities for the design and operation of these systems. 61 The Internal Audit Consortium Manager has sought to plan Internal Audit work, so that there is a reasonable expectation of detecting significant control weaknesses and, if detected, additional work will then be carried out which is directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected and Deloittes’ examinations as the Council’s internal auditors should not be relied upon to disclose all fraud, defalcations or other irregularities which may exist. 62 Audit Committee 18 June 2013 Agenda Item No___10______ The Status of Agreed Audit Recommendations due for Implementation by 31 March 2013 Summary: This report provides an overview of progress made in implementing the agreed audit recommendations due for completion by 31 March 2013. Conclusions: Good progress has been achieved in relation to the completion of agreed Internal Audit recommendations. Recommendations: It is recommended that the Committee notes management action taken to date regarding the implementation of audit recommendations. Cabinet member(s): Ward(s) affected: All All Sandra King, Internal Audit Consortium Manager 01508 533863, scking@s-norfolk.gov.uk Contact Officer, telephone number, and e-mail: 1. Background 1.1. In accordance with agreed internal audit review and reporting cycles, we revisit the status of audit recommendations on a 6-monthly basis and last presented our findings in this area to Committee on 4 December 2012, concentrating on the period April to September 2012. This report therefore provides an update on the status of audit recommendations following recent verification work in April 2013, and subsequent updates to this in May 2013, which examined the level of activity concerning the completion of audit recommendations falling due between 1 October 2012 and 31 March 2013. 1.2. The process used to monitor the status of recommendations during this period has remained unchanged from previously noted, i.e. recommendations are input on the TEN performance system at the time the final audit report is issued, and managers are then required to provide progress reports as recommendations approach their agreed implementation date. At the end of the reporting period, the Deloitte auditors then visit services to confirm there is supporting evidence to demonstrate the completion of audit recommendations and undertake some selective review work to verify that appropriate action has been initiated by management. 63 Audit Committee 18 June 2013 2. Overall Position 2.1. The number of outstanding recommendations, listed per audit, is identified at Appendix J to this report. A summary of the current, and previously reported positions, is shown in the table below: Status of Recommendations for the period 1 October 20111 to 31 March 2012 High Medium Low Total % Complete 1 15 13 29 34.9 Partly Implemented 0 11 1 12 14.5 Outstanding 0 26 16 42 50.6 1 52 30 83 Unable to confirm status Total Status of Recommendation for the period 1 April to 30 September 2012 High Medium Low Total % Complete 0 25 6 31 43.0 Partly Implemented 0 8 2 10 13.9 Outstanding 0 12 6 18 25.0 Unable to confirm status 0 7 6 13 18.1 Total 0 52 20 72 Status of Recommendation for the period 1 October 2012 to 31 March 2013 High Medium Low Total % 0 48 24 72 85.7 Outstanding 0 10 1 11 13.1 Unable to confirm status 0 1 0 1 1.2 Total 0 59 25 84 Complete Partly Implemented 64 Audit Committee 18 June 2013 Key: H – High priority: A fundamental weakness in the system that puts the Council at risk. To be addressed as a matter of urgency, within a 3-month time frame wherever possible, or, to put in place compensating controls to mitigate the risk identified until such a time as full implementation of the recommendation can be achieved. M – Medium priority: A weakness within the system that leaves the system open to risk. To be resolved within a 4 - 6 month timescale. L – Low priority: Desirable improvement to the system. To be introduced within a 7 - 9 month period. 2.2. Members attention is drawn to the following findings made in the course of our latest audit follow up exercise: We would usually provide additional details to the Committee in respect of high priority recommendations. However, on this occasion there were no agreed actions carrying a high priority rating which warranted implementation during the second 6 months of the year. The cumulative position for completed recommendations during 2012/13 is 103 and as acknowledged in the table at paragraph 2.1; there has been a marked increase in the percentage of completed recommendations over the financial year. Between April and September 2012, 31 (43%) had been completed, and in the second half of the year, the number of finalised agreed actions had risen by a further 72 (85.7%). There has also been a significant reduction in the number of recommendations remaining outstanding during the year; in the first 6 months of 2012/13, 18 agreed actions (25%) were reported to Committee as outstanding, and this position has further improved in the 6-months leading up to year end, with the figure dropping to 11 (13.1%) which fall into this outstanding category. We have established that 10 of the 11 recommendations carry a medium priority rating, whilst the remaining one has a low priority rating. Appendix J contains more information about the service areas where these recommendations still need to be progressed. Committee’s attention is additionally drawn to the fact that there has been a considerable improvement in responses received from management such that we only had 1 recommendation, where we were unable to confirm its status. The item identified here related to a medium priority recommendation attaching to Waste Management (Audit No.NN/12/03). It is finally important to note that of the 55 recommendations agreed with management following completion of 2012/13 audit assignments, 36 of these are not yet due for implementation, see Appendix J for the audit areas to which these relate. The recommendations are split between 1 high priority, 22 medium priority and 13 low priority. As mentioned although the dates set for their completion have not been reached but, until they are actioned, they represent wide ranging weaknesses in the control environment (one of which is at a significant level) which leave the authority open to risk. 65 Audit Committee 18 June 2013 3. Conclusion 3.1 Good progress is being made in relation to the completion of agreed Internal Audit recommendations. 4. Recommendation 4.1 It is recommended that the Committee notes management action taken to date regarding the implementation of audit recommendations. Appendices attached to this report: Appendix J: Summary of Agreed Internal Audit Recommendations as at 31 March 2013 66 Summary of Agreed Audit Recommendations at 31 March 2013 Reference Description Assurance Level NN0901 NN0911 NN0912 NN1002 NN1009 NN1016 NN1017 NN1101 NN1102 NN1103 Corporate Governance and Risk Management Council Tax and NNDR Housing and Council Tax Benefits Partnerships Tourism and Economic Development Housing and Council Tax Benefits Sundry Debtors Environmental Health Private Sector Housing Ethical Governance Adequate Adequate Adequate Limited Adequate Adequate Adequate Adequate Adequate Adequate NN1104 NN1107 NN1108 NN1111 Conveyancing, Data Protection, FOI, and Gifts and Hospitality Council Tax and NNDR Exchequer Services Corporate Governance and Risk Management Adequate Adequate Adequate Adequate NN1112 NN1118 NN1202 NN1203 NN1205 NN1206 NN1208 NN1209 NN1210 NN1212 NN1213 NN1218 NN1301 NN1302 NN1303 NN1304 NN1305 NN1306 NN1307 NN1308 NN1309 NN1310 NN1311 Development Management, Building Control and Land Charges Fraud Investigation Affordable Housing Waste Management Contract Accountancy Services Car Parking and Markets Sundry Debtors Sports Halls/Centres Corporate Governance Work to Support the Annual Governance Statement Parks and Open Spaces Electoral Registration Property Services and Coastal Protection Strategic Housing and Homelessness Corporate Policy, Planning and Performance Management Procurement Partnerships Leisure Complexes Council Tax and NNDR Payroll and HR Housing and Council Tax Benefits Exchequer Services Work to Support the Annual Governance Statement Corporate Governance and Risk Management Adequate Not applicable Good Limited Adequate Limited Limited Adequate Adequate Not applicable Adequate Good Adequate Adequate Adequate Adequate Adequate Adequate Limited Adequate Limited Adequate Not applicable Good Adequate NN1312 SYSTEMS AUDIT TOTALS NN0917 NN1020 NN1021 NN1022 NN1116 NN1117 NN1214 NN1215 NN1216 NN1217 NN1220 NN1313 NN1314 NN1315 NN1316 Cedar eFinancials Application CIVICA Document Imaging Application Audit IT Security, Procurement and End User Controls Audit CIVICA Revenues and Benefits Application Audit Network Infrastructure, Security and Telecommunications Business Continuity Data Consistency Content Management Payroll and HR Application Remote Access Cash Receipting Project Management DR, Backup and Server Room Controls ABS eFinancials Application COMPUTER AUDIT TOTALS Completed - April - September 2012 H M L Completed October 2012 - March 2013 H M L H Outstanding M Appendix J L Unable to confirm status H M L 1 1 1 4 1 1 3 1 1 1 1 2 1 1 1 1 1 1 3 1 1 1 1 4 1 2 1 1 1 4 1 3 1 2 2 1 1 1 2 1 2 2 1 2 3 1 1 2 1 1 3 Total Outstanding Not yet due to be implemented H M L 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 4 0 0 0 1 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 4 0 0 0 1 0 0 1 0 0 0 0 4 2 1 8 4 5 3 2 1 0 0 0 Adequate Adequate Adequate Adequate Adequate Limited Limited Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate 13 5 0 1 28 23 0 8 1 0 1 0 1 1 1 3 3 3 2 7 2 1 1 1 1 2 1 4 0 12 1 0 20 1 67 0 2 10 1 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 0 Total Audit Recommendations to be actioned 2 2 1 2 1 6 1 4 1 2 2 3 1 2 3 18 12 41 1 0 0 0 0 0 1 0 1 0 0 0 0 0 4 1 1 7 2 4 0 4 Corporate Risk Register June 2013 Audit Committee 18 June 2013 Corporate Risk Register June 2013 (Updated following PRMB May 2013) (references eg (CC) 077 – refer to TEN system) No 1. Cause of risk Existing controls 2. Description of risk or potential event Central government funding (uncertainties) 1. Uncertainty about the Council receiving adequate funding from central government through the Formula Grant and/or other targeted funding stream. 2. Uncertainty around funding streams creates difficulties in financial planning for the medium to long term. The freezing of Council Tax has meant a focus on tax base growth for Council Tax Income growth. The new Local Government funding regimes including localised Council tax and retained business rates increases a further uncertainty in terms of year on year funding. 3. The Corporate Plan may not be delivered to the identified timescales. The level of service currently provided would be at risk especially some of the discretionary service areas. Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening 015(CR) Score (with controls) (CC)077 - Policy work Impact x Likelihood = Total Corporate Objective / Service Priority Officer Delivering the Vision Karen Sly – Head of Finance (CC)083 - Project Management Plans (CC)078 - Lobbying Central Government (CC)082 - Budget Process / Budget Monitoring The Localised Council Tax Support Scheme for 2013/14 was approved in January 2013 and came into operation in April 2013. Further discussion/approval of the scheme for 2014/15 will need to take place during the second quarter of 2013/14 to enable a scheme to be recommended and approved for implementation in April 2014. New – Utilisation of the New Homes Bonus grant within the base budget from 2014/15 (reported to Full Council May 2013) (CC)088 Regular monitoring system of the impact of the business rates retention and the localised council tax support system compared to the government start-up funding methodology. (CC)079 - Medium Term Financial Strategy/update (CC)081 - Corporate Planning / Service Planning Target Score 5x5=25 68 4x3=12 1 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Coastal Erosion - (the effects of) 1. Lack of Government funding to maintain coast defences and / or to support local compensation claims 2. Coastal erosion and blight of coastal settlements through loss of public and private infrastructure and assets. The Council has devoted significant resources to pursuing sustainable answers to coastal management issues. There is a considerable Health and Safety context here which serves to increase the reputational risk for the Council at the same time. 3. Increased coastal erosion through loss of defences presents a reputational risk to the authority in the eyes of local communities and direct loss of Council owned assets / infrastructure which are fundamental to the district's tourism offer and therefore the economic wellbeing of the district. Loss of confidence in respect of business investment and residential property market; blight of properties in erosion zone; direct loss of Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening 002(CR) Score (with controls) (CC)002 - The Pathfinder Project Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer Coast, Countryside and Built Heritage Brian Farrow Coastal Engineer (CC)004 - Shoreline Management Plan (SMP). SMP6 adopted and approved by the Environment Agency. Post Adoption procedures are now nearing completion. (CC)005 - Repairs & Maintenance Programme (revenue budgets) (CC) 011 - Cromer Sea Defence Works (CC)006 Procurement practices Coast monitoring (CC)012 - Coastal Monitoring 5x4=20 (CC)008 – Health & Safety checking and monitoring – Implemented Control of coastal management schemes through procurement and regular checking. 4x3=12 (CC)010 - DEFRA funding of capital schemes Implemented 69 2 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Score (with controls) Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer tourism assets and infrastructure promenades, beach chalets, cafés, public toilets, car parks etc.; loss of tourism income / employment. 003(CR) Transformation Agenda (CC)015 - Strategies 1. It is clear that there is urgency about change in local government driven by the current financial pressures and the ambition to ignite community engagement. Authorities need to ensure they are positioned to respond to the changes and challenges facing them. (CC)016 - Reporting New legislation and consultation 2. The risk is that in moving to a new agenda so quickly there is no basic framework within which the new arrangements can be undertaken. 3. Vision and action may not be fully supported by a sound assessment and a solid understanding of policy implications at national and local level. Further discussions/ consideration of options around shared services IT transformation work that is currently being undertaken. (CC)017 - Network development (CC)018 - Maintain technical competence 3x4=12 Financial strategy workstreams that are ongoing 2x4=8 Delivering the Vision Sheila Oxtoby Chief Executive (CC)014 - Training, learning & policy initiatives Implemented 70 3 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Localised Council Tax Support Scheme (was Council Tax Benefit replacement) 1. The new localised council tax support scheme which came into operation in April 2013, the funding for the scheme has been reduced and whilst there are some projections (of individuals) within the scheme some households will be required to pay Council Tax when they have been previously entitled to 100% benefit. 2. Under the Local Government Finance Act each Local Authority is required to implement a localised system of Council Tax support, this replaced the previous Council Tax Benefit system. Fundamentally this has shifted the risk from national to Local Government. Each billing authority was required to develop a scheme for its area. Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening 012(CR) Score (with controls) (CC)061 - Software provider contact Impact x Likelihood = Total Corporate Objective / Service Priority Officer Early decision making required for the 2014/15 scheme including impact on Parish Councils funding. (CC)062 - Establish working groups (CC)087 - County Wide working group – to be reconvened. CC)063 - Discussions with County Council /Police (CC)064 - Staff Training Target Score 5x4=20 (CC)065 - Networking (CC)086 - LCTS Member working group – Implemented. 5x3=15 Delivering the Vision Louise Wolsey Revenue and Benefits Services Manager 3. For 2013/14 there is transitional funding for local schemes that meet Government prescribed criteria, the scheme for NNDC for 2013/14 meets this criteria. As the funding is only 71 4 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Score (with controls) Impact x Likelihood = Total 3. Consequence of risk happening Action (to achieve target score) and Date for action to be completed Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer transitional there is still a risk associated with implementing a fully funded scheme in 2014/15. This will require further work during 2013/14. Furthermore collection of council tax will impact on all authorities (not just NNDC as the billing authority), whilst some element of the impact on the collection fund has been taken into account in the 2013/14 budget, the full extent will depend on the actual performance in the year. 004(CR) The Localism Act - (ineffective implementation) (CC)020 - Establish a working party 1. Lack of detailed preparation (CC)019 - The development of best practice – Implemented 2. This new act contains a number of new initiatives which will be implemented over the medium term. The "general power of competence" provides the Council with certain freedoms but issues such as charging, commercial service companies, standards, annual pay policy, are combined with Council Tax referenda requirements. In planning the Act introduces the "Community Right to N/A N/A Delivering the Vision Sheila Oxtoby Chief Executive The Localism agenda is being embraced and embedded within the authority and is therefore no longer considered to be one 72 5 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening Build" and the Community Infrastructure Levy. And for housing services requirements include the ability to offer private tenancies to homeless people and a complaints procedure focused on the Independent Housing Ombudsman. The Open Public Services White Paper (July 2011) puts the Localism Act into a wider context and longer time frame. Score (with controls) Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer of the high risks. Delivery of Localism remains a priority within the Corporate Plan, examples of this are the Big Society Fund. It is important that the immediate requirements of the Act are in place by 31/03/2012. 3. The initiatives in this legislation may be ill considered and piecemeal. 005(CR) Organisational Restructuring (potential instability) 1. The ineffective management of change. 2. Following the changes at strategic level and the emergence of the new Corporate Leadership and Management Teams, Heads of Service will be reviewing their areas to ensure that structures are aligned to service (CC)021 - Effective staff communication – regular updates, briefing and CE update emails. Implement the outcomes of the Planning Peer Review Individual staff support 4x4=16 (CC)022 - Effective Member engagement Review by Joint Staff Consultative Committee 2 x 4 =8 Delivering the Vision Sheila Oxtoby Chief Executive Learning and Development Programme (CC)024 - Monitor the 73 6 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Score (with controls) Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening delivery and organisational priorities. impact 3. A lack of understanding of the proposals, low staff morale and resistance to any changes proposed. (CC)025 - Provide team building activity Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer (CC)026 - Provide training/mentoring (CC)023 - Strengthen the Communications Strategy Implemented Pay & Grading Review - (impact) 006(CR) 1. Now that the pay and grading review has been completed the authority is now moving to the normal job evaluation scheme and the associated backlog with job evaluation. 2. There is a risk of low staff morale due to the legacy of pay and grading. 3. Impact on the overall financial position and on staff morale/ increase in turnover of staff. There may potentially (CC)022 - Effective Member engagement Individual staff support (CC)027 - Revisit job evaluation scores (CC)029 - Obtain professional advice Review by Joint Staff Consultative Committee 4x4=16 (CC)030 - Pay and Grading Appeals process Learning and Development Programme Re-launch of job evaluation scheme including programme of panels 3x3=9 Delivering the Vision Julie Cooke Head of Organisational Development (CC)031 - Work with 74 7 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening be a significant impact on staff morale as a result of this process (which may lead to staff losses). Score (with controls) Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer staff and trades Union representatives (CC)028 - Resource effectively – Implemented (CC)055 - Enhance Housing Association delivery, Local Investment Strategy proposes provision of loan to assist with lack of / cost of finance. Housing Delivery 010(CR) 1. A combination of lack of developer confidence because of recession / weak financial markets and pressure on public finances meaning reduced availability of grant funding for affordable housing provision. Inability to secure planning permission for provision of affordable housing (CC)048 - Use of capital 2. A challenge over the Council's ability to provide a target number of affordable homes (CC)050 - Local Investment Plan 3. Increased housing need and reputational risk in non-delivery of key corporate priority. (CC)051 - Local Development Framework (LDF) policies (CC)049 - Partnership work with Registered Providers 4x4=16 Identified partner to work with Council and Housing Associations to bring forward affordable (and market) housing schemes in a way which reduces upfront costs to Housing Associations. First phase of schemes identified. 4x2=8 Housing and Infrastructure Nicola Turner Housing Team Leader Strategy (CC)056 - Development plan - affordable housing provision. (CC)052 - Internal planning protocol Ongoing forward 75 8 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Score (with controls) Impact x Likelihood = Total 3. Consequence of risk happening (CC)054 Housing Strategy discussion document (2010) Shared Services plans - (failure to complete) (CC)057 - Project Management Group 1. A combination of the potential for an incomplete implementation, in addition for Revenues and Benefits service, this project is being undertaken against a back cloth of the Coalition Government's intention to introduce Universal Credit from 2014 and the detailed changes in the shape and detail of Council Tax support and the Business rates retention scheme (CC)058 - Improved staff communication (CC)059 - Formulation of a detailed plan Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer development plan needs attention to ensure ongoing pipeline of affordable housing schemes. New Housing Development Officer post (1 year fixed term contract) recruited to and post holder starts on 3 June 2013. Post will be responsible for developing a new pipeline of affordable housing schemes. (CC)053 - Increased Focus – Implemented 011(CR) Action (to achieve target score) and Date for action to be completed Further discussions/ consideration of options around shared services (links to Transformation Agenda risk also. 4x4=16 (CC)060 - Dedicated risk assessment completed Consideration of shared service proposals and business cases. 4x2=8 Delivering the Vision Steve Blatch, Corporate Director 2. A failure to fully implement shared 76 9 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Score (with controls) Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer services proposals could occur 3. Reputational damage, reduce staff morale, financial impact to current and ongoing budgets. Property assets - (the condition of)/ Asset Management (CC)009 - Effective team resourcing (CC)001 - Work on repairs and maintenance schedules 1. A lack of investment and sound decision-making. (CC)013 - Asset Management Plan 2. Deteriorating property assets may lead to a loss of revenue and possible legal liability. (CC)003 - The introduction of a property risk assessment and inspection regime Condition surveys continue to be carried out with full reports being written and forward maintenance plan compiled. 001(CR 3. The Council does not achieve value for money from its investment and/or possible legal liabilities either directly or through its leasing arrangements. 4x3=12 This scenario is detrimental to the local tourism economy as well as damaging to local communities contributing to a lack of community pride and possible increase in vandalism. The capital tied up in assets cannot be released to 77 (CC)007 - Implement asset management software – The software is now being used regularly by some of the team and is gaining momentum slowly. There are a few glitches with the systems speed and interface with efinancials but this risk is diminishing as the cleansing/build up of data continues. 3x3=9 Delivering the Vision Duncan Ellis – Head of Assets and Leisure 10 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Score (with controls) Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening Target Score Corporate Objective / Service Priority Officer 2x3=6 Delivering the Vision Karen Sly Head of Finance 3x1=3 Delivering the Vision Karen Sly, Head of Finance Impact x Likelihood = Total support wider Council initiatives and income streams are not maximised. Partnership/s - (potential failure) 1. Failure to engage appropriately and/or commit resources 2. The organisation is involved in a number of key partnerships which may have the potential to become ineffective. There is a need to engage appropriately with and commit resources (staff, finances, actions) to key partnership structures. 3. Failure of partnerships to deliver stated objectives / outcomes Non-delivery of key outcomes leading to reputational risk to Council. (CC)032 - Revise and improve The Partnership Framework (CC)034 - Complete the Partnership Register (CC)036 - Annual review process of partnership operations. (CC)033 - Monitor (CC)035 - Clarify Members' roles 3x3=9 (CC) NEW – Regular review of Outside bodies and no new partnerships entered into unless reported through Cabinet. Procurement - (lack of value for money) 009(CR) 1. The current financial climate, recent resourcing issues causing an absence of a focus for this work, together with a reduction in the available accountancy 3x3=9 78 (CC)047 - A procurement evaluation. To re-evaluate the current procurement arrangements, strengthen the procurement tool kit and provide a greater degree of self-service. 11 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Impact x Likelihood = Total 3. Consequence of risk happening resources going forward increases the risk of a lack of continuous improvement in this area. 2. Following the development of the procurement toolkit and the large scale exercise for Waste procurement there has been an absence of focus on procurement which has led to a risk that the Council will not achieve value for money procuring the goods and services it uses. 3. The Council may not achieve value for money Score (with controls) Action (to achieve target score) and Date for action to be completed Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer (CC)043 Procurement Strategy, (CC)044 Procurement Framework, (CC)045 - Joint procurement protocol, (CC)046 - Advice for external suppliers. Information - (loss of) 008(CR) 1. Lax security - Information may be lost, mislaid or stolen Increased use of mobile technology such as I Pads etc. 2. There exists an inherent potential for the loss of organisational information at any security level. ICT is responsible for ensuring electronic data is secure (in conjunction with system owners who control access to their databases), (CC)037 - Information Management Strategy, (CC)039 - ICT Security Policy 4x2=8 4x1=4 Delivering the Vision Helen Mitchell ICT Manager (CC)040 - ICT Monitoring, (CC)042 - Code of 79 12 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening 3. Information may be inappropriately used. Fraud or data corruption may occur. Systems may suffer damage. The Council's reputation may be harmed. Score (with controls) Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer Connection compliance (CC)038 - Implement data security protocols on mobile devices (CC)041 - Data Protection training Implemented 013(CR) Operational disruption - (significant event) 1. Both the National and Community Risk Registers have more information regarding the risk of specific events (e.g. Pandemic) occurring. (CC)066 - Response & Recovery Planning 4x2=8 2. Any Internal or external event that has a significant impact on the ability of the Council to deliver services. (CC)067 - Continuity Planning 3. a) Loss of staff for 'usual' service delivery b) Loss of premises c) Loss of key partners/suppliers d) Loss of infrastructure services (CC)085 – Corporate Business Continuity key role training - 80 (CC)068 - Complete critical services' BCPs – On track. All Critical services now have carried out Business Impact analyses except Revenues and Benefits which is now at draft stage. All critical services have plans except Revenues and Benefits. The Civil Contingencies Manager is continuing to work with the manager concerned and work is under way to complete the documentation. All plans are expected to be in place 4x2=8 Delivering the Vision Richard Cook - Civil Contingenc ies Manager, Steve Hems Head of Environme ntal Health 13 Corporate Risk Register June 2013 No 1. Cause of risk Audit Committee 18 June 2013 Existing controls 2. Description of risk or potential event Score (with controls) Action (to achieve target score) and Date for action to be completed Impact x Likelihood = Total 3. Consequence of risk happening Implemented Target Score Impact x Likelihood = Total Corporate Objective / Service Priority Officer by June 2013. A reduction in the ability of the Council to deliver services, possibly at a time of increased demand from the community. Next Review – July 2013, including format of presentation. 81 14 Audit 18 June 2013 Agenda Item No____12_______ Business Continuity Summary: Six monthly update on business continuity planning, the progress made to date, ability to respond to any disruptive events that have recently occurred and the outline of future objectives. Conclusions: Recommendations: That members note the contents of the report. Cabinet member(s): Ward(s) affected: All All Contact Officer, telephone number, Richard Cook 01263 516269 and e-mail: richard.cook@north-norfolk.gov.uk 1. Introduction Part of the Civil Contingencies team’s (CCT) role is to ensure that the Authority has a robust and effective business continuity plan (BCP) in place. As reported previously CCT are working with Service Managers to ensure that all relevant plans are up to date and appropriate. 2. Team Business Continuity Plans All teams should produce a Business Impact Assessment (BIA), this will allow an analysis of the team to be carried out and give an indication that a team delivers a critical service or not. Below is a table that sets out the latest position of team BC plans: 82 Audit 18 June 2013 The Column below shows teams with BC Plans in place The Column below shows teams with no BC plans Planned completion dates HR Benefits (draft) 1st week June13 Housing (Strategy & Options) Electoral Services End May 2013 CLT Environmental Health (EP, Comm, Licensing & CCT) Finance Payroll Environmental Services (Waste) IT Property Services BIA & Plan Customer Services Web & Comms Non Critical Services Non Critical Services Sustainability Leisure (Draft) End July 13 Reprographics Economic Development 1st week June Policy and Performance Legal (now in draft) End of May 13 Building Control Democratic Service End of May 13 Planning A spread sheet is being produced as part of the analysis of all the BC documentation and this will allow the authority to see what staffing levels, equipment and specific functions will be required at each period of the disruption. This information will allow for a more strategic view to be taken with the BC planning in the event of an incident. 3. Business Continuity Working Group (BCWG) The BCWG still continues to meet and is ensuring that business continuity is embedded within the organisation. During these meeting the group continue to refine and to carry out on-going review of the top level Business Continuity Plan. 83 Audit 4. 18 June 2013 Disruptive Events On 18th January the Crisis Management Group (CMG) met to plan for the potential disruptive weather that was predicted. The CMG put into place a strategy that ensured that we were able to deliver the authorities critical services. This was the first use of the new business continuity plan. The CMG meeting was successful as it was attended by the key managers who were able to make the decisions to control the event. The contingency plan put into place allowed non-critical staff to travel home within day light hours, whilst ensuring that critical service could still be maintained. It should be noted that very good levels of staff flexibility helped with the management and service delivery during this disrupted event. After the event the Civil Contingencies Manager conducted a structured reflective debrief exercise with service managers and the lesson identified have been investigated. Any improvements and will be implemented to allow an enhanced BC response in the future. The report can be seen at Appendix K to this briefing note. 5. Corporate BC Plan The NNDC Corporate BC Plan has been revised and is ready for issue and is just awaiting sign off by CLT. The plan and the staff action cards have now been simplified with flow diagrams. The Civil Contingencies Manager has undertaken one to one training on all the action cards with the relevant Managers and the critical members of staff. This has served as the initial training requirement for the new plan. In addition a consultant has been procured to deliver business continuity training in June. This will be aimed at service managers so they will be able to deliver BC training to all their staff during their own team briefings. 6. Disaster Recovery (DR) and Work Action Recovery (WAR) Site The disaster recovery suite is now in place within the Fakenham Connect building and work will continue with setting up the Work Action Recovery site once the IT work load has reduced. It is anticipated that this work will be completed by September 2013 providing the funding has been secured. 84 APPENDIX K Business Continuity - Snow and Ice Friday 18th Jan 2013 Reflective Debrief Summary Managers were asked to record three things that did not work well and need to be reviewed/followed up, these are summarised here. Messages about the weather were sent from 3 or more sources although helpful it could have led to mixed messages being sent out. Home working capabilities was underestimated. Could have had issues if an emergency HHSRS or fire inspection was required. Customer services phones were diverted to CEx’s PA. Was the BCP evoked to late, if earlier this may have helped a more co-ordinated approach Enhanced car share scheme Issues around reception phone, not equipment. Fakenham DR/WAR could have helped if it was in place. Not enough staff to cover Customer Services phones. Kier stood down whilst Customer services at NNDC was still in. Managers were asked to record three positive things relating to the response that worked well, these are summarised here. Team BC plans worked well Liked travel and weather links that were put onto the intranet pages Staff understood the importance to get into work Internal communications was satisfactory Staff were flexible and worked late if required Good support from CMG Senior management checked what staff had got into work CMG meet and put in place a procedure to reduce the staffing levels to allow staff to travel during daylight. The Authority delivered its essential services. BC plan for waste collection was put into place and the media and public information worked well. Members were kept informed. Team plans worked well. Managers were asked to record what three things they would change/implement to improve the response to a flooding emergency in Wells, these are summarised here: Home working Levels Better internal staff communications Work Action Recovery site would have helped Better use of staff and x training if required Despite good media coverage in the local media and on NNDC website a lot of residents seemed unaware of the scale of disruption and how it would affect 85 APPENDIX K them. I would like to look at technology solutions to enhance communications abilities e.g Twitter/social networking and Text messaging Look at ways to improve real time communications with residents Run a similar de-brief exercise with Kier to look at ways to improve their processes and response. Positive Learning Managers were asked to record what the most significant thing they have learnt from taking part in the exercise and identify future use of that learning. The most significant thing I have learnt from this event is…. I can use this positively in the future by…. Home working levels To reduce save staff travelling levels. Internal messages for all staff To ensure a co-ordinated message being sent out to all staff. How the WAR/DR site could have helped to improve service and staff safety Staff living in the west of the district could have worked out of the Fakenham office and reduced travelling to the Cromer offices. Flexibility to move staff to busy areas During BC events some teams will become busier and will need their staff levels to be reinforced form less busy service areas. Control and understanding of telephone systems To allow phones to be transferred to staffed work areas. General Comments: Overall the BC plan worked well and the Authority was able to deliver is critical functions. Staff proved to be flexible and helpfully. Civil Contingencies Manager Summary Overall I think that the Authority coped well with the poor weather conditions that were experienced on the 18th January 2013. The Business Continuity Plan was invoked and the Crisis Management Group (CMG) met the day before the predicted disruption. CMG put into place a strategy that ensured that we were able to deliver the authorities critical services. This was the first use of the new business continuity plan and the correct managers were available and able to make the decisions for the CMG meeting. The contingency plan also allowed non-critical staff to travel home within day light hours. It should be noted that very good levels of staff flexibility helped with the management and service delivery during this disrupted event. 86 APPENDIX K Below is a table detailing lessons learnt: Action point Ensure a co-ordinated approach to messages being given to all staff Home working levels not at expected levels Issued with shortage of correctly trained staff Who CMG/CLT and CCM Customer Services phones CCM/IT Manager & Customer Service Manager Enhanced car share scheme All team managers and CCM DR/WAR site could have helped in this case CCM/IT Manager and Property Services Manager Contractor staff stood down without informing customer services. Not all members of the public were aware of the disruption to the waste collection service Run structured debrief with Kier the waste contractor ES officer and CCM to discuss CCM/IT Manager All service managers/CCM ES officer Progress / Completed Staff message will be put on the intranet, this was implemented during this disruption On-going progress with CCm & IT Check that team BCP reflect need for additionally trained staff i.e. HHSRS ( speak to Hof EH) Arrange a meeting to discuss a way forward. All managers to be aware to inform CMG of potential staff shortages. Managers to look to make this part of their team BC plan. Corporately this could be delivered via the intranet? This project is underway and is a priority task for the IT manager. It will bring major benefits to the authority with all types of BC incidents Will form part of the structured de-brief with Kier staff ES officer to discuss this issue with media team. Possible use or social Media Arrange a date for CCM to facilitate this with Kier and ES team/ Customer services ES officer and CCM Richard Cook Civil Contingencies Manager 87 Agenda item 13 MINUTES FROM IT STRATEGY GROUP MEETING 26 MARCH 2013 NICK BAKER’S OFFICE Present: Nick Baker (NB) Estelle Packham (EP) Helen Mitchell (HM) Cllr Tom FitzPatrick (TFP) Steve Hems (SH) Jeanette Wilson (Minutes)(JW) Actions 1. Apologies None received 2. Introduction NB introduced the draft IT Strategy and confirmed that this has been condensed down. We are now at a point where we need to move forward with a longer term strategy and identify IT priorities and vision separately to the more operational work contained in this document. The strategy contains the main areas that will benefit the Council in terms of supporting and delivering already planned service and corporate improvements 3. Existing Strategy Draft HM went through the strategy in detail and confirmed that this will need to be agreed at CLT level but with broad agreement across the Council. The following priorities were briefly discussed: Customer Services Corporate Systems Exploit and improving existing IT assets and systems – o HM was asked to change this to read - Maximise the use of the functionality and capability of the system Enable flexible/mobile/ working Maximise efficiencies whilst maintaining the right level of service Reliable IT Service IT investment strategy 4. Current workplan HM went through the IT workplan both current and future as of February 2013 and highlighted the following tasks: 88 HM Office moves – only doing essential office moves which are around telephony and Electoral Registration with Customer Services during August Democratic Services system (workflow and documents) – this project has aggressive timescales. Initial demo and scoping meeting took place last week with officers. HM was reminded that Members need to be included in any future demos once a decision has been made on systems Mobile telephones – o 1) make sure we have appropriate guidance and the right phones etc o 2) members equipment – ipads for Members has been agreed and HM to order a further 7 for those members who have yet to receive one Twitter – A corporate approach to social media messages is required for the authority to ensure quality control New Housing Allocations scheme – Agreement has been reached to extend the contract with the current supplier. EP to make sure Lisa Grice reports this back to the Housing Delivery Board M3 DMS – negotiated as part of the new contract OPEN Revenues additional modules – Negotiation with Civica needs to take place, as the contract states we still have to pay even if not implemented by 31 May Integrated Payroll, Personnel and Recruitment System Procurement Northgate contract with Payroll runs out in June, and a way forward is being discussed 5. Staff Structure HM/EP will be presenting a plan to CLT shortly for a mini restructure in the IT team 6. HM/EP Longer Term Work Extra resource is required to facilitate the longer term workplan and to buy in some help on an “invest to save” basis 7. Any other business The workplan has been circulated to Heads of Service for comment and HM has been liaising with service areas to gain their buy-in 8. Date of next meeting JW to schedule a meeting for early May 89 JW