internal audit annual report 2015-16 - east ayrshiredocs.east-ayrshire.gov.uk/crpadmmin/2012...
TRANSCRIPT
1
EAST AYRSHIRE COUNCIL
GOVERNANCE & SCRUTINY COMMITTEE 19 May 2016
INTERNAL AUDIT ANNUAL REPORT 2015/16
Report by the Chief Auditor
1. PURPOSE OF REPORT
2. This Annual Report shows performance against the revised 2015/16
Internal Audit Plan which was approved by Governance & Scrutiny on 19
November 2015 and demonstrates compliance with PSIAS.
3. COMPLIANCE WITH THE PUBLIC SECTOR INTERNAL AUDIT
STANDARDS (PSIAS)
4. In order to demonstrate compliance with the Public Sector Internal Audit
Standards (PSIAS) the Chief Auditor is required to:
Report periodically to senior management and Committee on the Internal
Audit activity and performance relative to its plan. Reporting must include
progress achieved against plan and a summary of the significant audit
findings for that year (Standard 2060). Refer to Appendices 1 and 1(a).
Submit an annual confirmation with regard to the organisational
independence of the internal audit activity (Standard 1110). Refer to
paragraph 5.
Submit the results of the quality assurance and improvement programme
(Standard 1320). Refer to Appendix 2 for the annual self-assessment.
Deliver an annual internal audit opinion and report that can be used by the
organisation to inform its governance statement. The annual internal audit
opinion must conclude on the overall adequacy and effectiveness of the
organisation’s framework of governance, risk management and control.
The annual opinion is the primary output of the internal audit team and
sufficient work must be carried out to support that opinion; however the
plan does not necessarily require to be fully completed. The annual report
must incorporate the opinion; a summary of the work that supports the
opinion; and a statement on conformance with the Public Sector Internal
Audit Standards and the results of the quality assurance and improvement
programme (Standard 2450). This is demonstrated at Appendices 1, 1(a),
2 and 3.
5. PSIAS Standard 1110 requires that the Chief Auditor reports to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. The Chief Auditor must confirm to Committee, at least annually, the organisational independence of the internal audit activity. This requirement is further defined in the PSIAS as being met when the
2
Chief Auditor reports functionally to Committee – this continues to be the case in East Ayrshire. In addition the Chief Auditor continues to report directly to the Chief Executive. The Chief Auditor recently confirmed these arrangements in the 2016/17 Audit Plan which was considered by Committee on 21 April 2016 and confirms here that these arrangements were in place during 2015/16.
6. As Members are aware Audit Scotland recently issued their annual review of Internal Audit confirming that we continue to operate in accordance with the PSIAS. That review was considered by Committee on 24 March 2016.
7. In 2010 CIPFA published The Role of the Head of Internal Audit in Public Service Organisations setting out a principles based framework which applies across the UK public sector. The role of the Chief Auditor in East Ayrshire Council also follows the principles set out in that statement.
8. The PSIAS is supported by the Chartered Institute of Public Finance and Accountancy (CIPFA) Local Government Application Note for the United Kingdom Public Sector Internal Audit Standards (April 2013), referred to here as the “CIPFA Application Note”.
9. PSIAS REQUIREMENT FOR COMMITTEE
10. Appendix 2 the PSIAS Action Plan reflects updates following our third internal self-assessment. As part of that assessment we have identified one additional action (Action Point 14) with regard to evidencing one of the obligations of Committee under Standard 1110 requiring Committee to seek reassurance from management and the Chief Auditor as to whether there are any inappropriate scope or resource limitations.
11. Committee obtains reassurance in this regard through the various reports submitted by the Chief Auditor namely the Audit Plan, Mid-Year Review, External Audit Review of Internal Audit and the Internal Audit Annual Report as well as one to one updates with the Chair. For avoidance of doubt there are no scope limitations in the work of Internal Audit with the Chief Auditor also given delegated powers by Committee to change the Audit Plan as required in line with PSIAS requirements and that established arrangements are in place to ensure adequate resources are allocated to deliver a programme of work sufficient to provide an annual opinion and that these arrangements are subject to annual scrutiny by External Audit. This position was considered and agreed with the Executive Management Team in their consideration of this report on 25 April 2016.
12. To further formalise this process we have included a recommendation in this report for Committee to confirm that they have sought and obtained reassurance in this regard. We will continue to include this recommendation in future annual reports and in Annual Audit Plans.
13. INTERNAL CONTROL
14. In order to ensure the proper conduct of its business, the Council has a
responsibility to develop, implement and maintain systems of internal
3
control. The framework of internal controls, financial and otherwise,
includes governance and risk management arrangements established by
management in order to carry out the business of the authority in an
orderly and efficient manner. A sound control system will help safeguard
assets, ensure records are reliable, promote operational efficiency and
ensure adherence to policy and procedures.
15. It is primarily the responsibility of management to establish an appropriate
and sound system of internal controls, and to monitor the continuing
effectiveness of that system. The Council’s control framework includes
regular management information, Financial Regulations, Accounting Policy
Bulletins (APBs), Fraud Awareness Bulletins, Risk Registers, standing
orders, administrative procedures, management supervision and a system
of delegation and accountability.
16. AUDIT APPROACH
17. Internal Audit has an important role to play in assisting the Council to
discharge its governance responsibilities. The responsibilities and duties of
Internal Audit and those charged with governance are set out in the
Financial Regulations of the Council.
18. Audit reports are presented to senior management and include
recommendations that, when implemented, will further improve the control
environment. Since August 2008, audit assignment reports have been
available to Elected Members through the Elected Member Portal on the
Council’s intranet. This development is designed to further strengthen the
Council’s scrutiny function.
19. East Ayrshire Council, in common with all other councils, faces significant
budgetary pressures, leading to refocusing of resources and redesign of
existing service models which is addressed through a well-established
Transformation Strategy. Internal Audit contributes to this agenda, by
helping services implement effective internal controls; identify opportunities
for greater efficiency and generally by providing an advisory role working
with management.
20. The Internal Audit section works closely with the Council’s External
Auditors to ensure optimum use of audit resources, and with the other
Ayrshire Council audit sections and the wider internal audit community, to
further strengthen the quality, efficiency and effectiveness of the audit
service.
21. A number of whistleblowing allegations have been investigated by Internal
Audit during 2015/16 with some work ongoing. Where we received
sufficient information to carry out an investigation, action was taken in all
cases in close liaison with management and in line with the Council’s
Whistleblowing policy; work will be reported in accordance with Council
policy.
4
22. RESOURCES
23. When the 2015/16 Internal Audit plan was approved by Committee on 23
April 2015 it was anticipated that 950 days would be available. This was
revised to 870 days at Mid-Year.
24. As Members are aware plan days are days spent delivering assignments
estimated after deducting “non-chargeable” hours such as team
management, plan development and reporting to and attending
Committee.
25. Actual days against planned days is a key indicator reported through the
CIPFA Directors of Finance Annual Performance Indicators exercise.
Thanks to efficiencies and additional hours worked actual audit days
delivered in 2015/16 were 1,015 an increase of 17% over the planned
days. This includes 80 outsourced computer audit days against a
projection of 77 days.
PLAN ACHIEVEMENT
26. We have carried out planned work on all but four of the audit plan
assignments for 2015/16 and also carried out additional unplanned work.
Two planned assignments (SAFFRON and Social Work Stores) are being
carried forward into 2016/17 along with two follow up assignments (Music
Tuition Fees and Vehicle Tracking). This does not impact on our ability to
produce an annual opinion.
27. A total of 93 audit outputs have been produced in the year including
planned assignments, follow-up reviews, investigations and advisory work.
For advisory work even where activity involves a number of actions such
as attending monthly Project Board meetings this activity has been
counted as one output for the entire assignment.
28. Audit work during 2015/16, including reports currently being finalised, has
resulted in 180 audit recommendations covering a range of work across all
services, and these, when implemented, will help to further strengthen the
control environment and assist best value objectives in all of the areas
examined.
29. Work has been carried out across the wide range of planned audit activity,
in key priority areas, including coverage of core financial systems, anti-
fraud and regularity, self-evaluation, procurement and contract audit,
external funding, efficiency and performance, investigations, stores and
inventories, advisory work, follow-up audits and computer audit.
30. In summary, the work carried out allows the Chief Auditor to present an annual opinion and for Audit Scotland to place reliance on our work as planned.
5
31. KEY OUTCOMES
32. The primary outcomes of Internal Audit link with Community Planning
objectives in a number of key areas, including sound corporate
governance, performance improvements and best value.
33. Details of work carried out in year are presented in Appendix 1 and
Appendix 1(a).
34. Internal Audit has continued to be involved with Transformation Strategy
work streams including the East Ayrshire Leisure Trust for which we act as
Internal Audit; Social Work Self Directed Services and the Integration Joint
Board for which we also act as Internal Audit.
35. PSIAS QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME
AND STATEMENT OF CONFORMANCE WITH PSIAS
36. The PSIAS (Standard 1300) requires that internal assessments and
external assessments of Internal Audit are carried out. Internal
assessments include ongoing monitoring of the performance of the internal
audit activity - ongoing monitoring is an integral part of the day-to-day
supervision, review and measurement of the internal audit activity - and
periodic self-assessments or assessments by other persons within the
organisation with sufficient knowledge of internal audit practices.
37. As noted in the Internal Audit Charter it was agreed that we use the CIPFA
Application Note to carry out our annual self-assessments. The PSIAS
requires an external assessment to be conducted at least once every five
years by a qualified, independent assessor or assessment team from
outside the organisation. Year five is 2017/18; the details on how this will
be addressed will be finalised and agreed closer to that time.
38. The PSIAS requires the Chief Auditor to submit the results of the quality
assurance and improvement programme to Committee (Standard 1320). In
2013/14 a comprehensive self-assessment was carried out using the
CIPFA Application Note which contains 345 questions in a checklist format.
The self-assessment reflects our work for all clients including the East
Ayrshire Leisure Trust and the IJB. The first Action Plan was presented to
Committee with the 2013/14 Annual Report with no significant issues
raised. In 2014/15 we carried out a follow-up review of those action points
with an update presented to Committee. There were no issues arising from
that update.
39. In 2015/16 we completed a second comprehensive self-assessment using the CIPFA Application Note carried out by two different members of the team from the 2013/14 exercise. Some housekeeping issues were noted and one key action was added to the Action Plan in respect of Committee’s obligation under the PSIAS to seek reassurance from management and the Chief Auditor as to whether there are any inappropriate scope or resource limitations. This is dealt with above in sections 9 to 12 and is subject to a specific recommendation.
6
40. These exercises demonstrate that overall we conform to the requirements
of the PSIAS, which is consistent with the conclusion by Audit Scotland in
their Annual Review of Internal Audit considered by Committee each year
and most recently for 2015/16 on 24 March 2016.
41. ANNUAL REPORT AND OPINION
42. In line with PSIAS Standard 2450, Appendices 1 and 1(a) provide more
information on the audit work carried out in 2015/16 which supports the
annual opinion presented at Appendix 3.
43. Due to the earlier timetable for preparation of the Council’s unaudited
financial statements a summary of the Chief Auditor’s opinion has already
been considered by Committee in the Annual Governance Statement of
Assurance on 21 April 2016. That summary opinion is consistent with the
statements made in this report.
44. On the basis of Internal Audit work carried out East Ayrshire Council’s
established internal control procedures were generally found to operate as
intended to meet management’s requirements for the individual systems
reviewed by Internal Audit. Internal Audit opinions for individual
assignments ranged from limited to reasonable through to sound
assurance with a small number of reports currently being finalised and this
is detailed in Appendix 1. Overall on the basis of selective testing of key
controls, it can be concluded that controls were generally operating as
expected during the period under review. A number of recommendations
have been made by Internal Audit to further improve controls through
action plans developed with management to address improvements.
45. The Internal Audit Annual Statement on the Adequacy of Internal Control is
contained within Appendix 3 of this report. Our overall opinion, based on
the work carried out, continues to be that reasonable assurance can be
placed upon the adequacy and effectiveness of the Council’s internal
control systems in the year to 31 March 2016. This is consistent with the
opinion given in previous years.
46. The assurance is based on a rolling programme of work comprised of year
on year sampling of internal controls. The programme of work is laid out in
annual risk-based audit plans. As such it should be noted that the
assurance expressed in the Internal Audit Annual Statement can never be
absolute. The most that Internal Audit can provide in the Annual Statement
is reasonable assurance based on the work performed. Individual jobs can
result in findings of “sound assurance” or “sound assurance in most areas”
but not the wider Annual Statement. This is similar to the scope of external
7
audit work in the context of the Council’s financial statements which aims
to give reasonable assurance on the statements.
47. Audit reports are available to Elected Members via the Elected Member
portal on the intranet and are posted following receipt of client responses
to each recommendation. Occasionally, as Members will be aware, there
may be circumstances, relating to other processes, where access to
reports will be delayed until outstanding issues have been resolved. From
time to time work is carried out which contributes to a larger piece of work
led by management. That work will be reported in Mid-Year and Annual
Progress Reports as appropriate but will not result in a separate audit
report.
48. FINANCIAL/RISK IMPLICATIONS
49. The Council’s Financial Regulations and Standing Orders set out
responsibilities for governance. The Council has adopted a Local Code of
Corporate Governance modelled on the CIPFA/SOLACE framework for
Corporate Governance in Local Government. The Code is reviewed
annually.
50. RECOMMENDATIONS
51. Governance and Scrutiny is asked to:
(i) note the contents of the Internal Audit Annual Report for 2015/16
including the summary of work carried out at Appendices 1 and
1(a), the improvement action plan at Appendix 2 produced as a
result of our annual self-assessment and the Internal Audit
Annual Statement on the Adequacy of the Internal Control
Environment at Appendix 3.
(ii) Confirm that Committee has sought and obtained reassurance
from management and the Chief Auditor that there is no
inappropriate scope or resource limitations as laid out in sections
9 to 12.
Eilidh Mackay
Chief Auditor
May 2016
LIST OF BACKGROUND PAPERS
1. CIPFA The Role of the Head of Internal Audit In Public Service Organisations
(2010)
2. Public Sector Internal Audit Standards (PSIAS) 2012
8
3. Chartered Institute of Public Finance and Accountancy (CIPFA) Local
Government Application Note for the United Kingdom Public Sector Internal
Audit Standards (PSIAS) (April 2013)
4. East Ayrshire Community Plan
5. East Ayrshire Council Financial Regulations
6. Governance and Scrutiny Committee, 7 November 2013, Public Sector Internal Audit standards (PSIAS) and Revised Internal Audit Charter
7. Governance and Scrutiny Committee, 29 May 2014, Internal Audit Annual Report 2013/14
8. Governance and Scrutiny Committee, 23 April 2015, Internal Audit Plan 2015/16
9. Governance and Scrutiny Committee, 21 May 2015, Internal Audit Annual Report 2014/15
10. Governance and Scrutiny Committee, 19 November 2015, Internal Audit Mid-Year Progress Report and Revised Internal Audit Plan 2015/16
11. Governance and Scrutiny Committee, 24 March 2016, Audit Scotland Local Scrutiny Plan 2016/17
12. Governance and Scrutiny Committee, 24 March 2016, Audit Scotland Annual Audit Plan 2015/16
13. Governance and Scrutiny Committee, 24 March 2016, Audit Scotland Review of Internal Audit 2015/16
14. Governance and Scrutiny Committee, 24 March 2016, Corporate Procurement Strategy 2014-2019 Action Plan Update
15. Governance and Scrutiny Committee, 21 April 2016, Local Code of Corporate
Governance
16. Governance and Scrutiny Committee, 21 April 2016, Internal Audit Plan 2016/17
Any person wishing further information should contact Eilidh Mackay, Chief Auditor,
Telephone: (01563) 57 8111
Implementation Officer: Eilidh Mackay, Chief Auditor
9
Appendix 1
EAST AYRSHIRE COUNCIL
INTERNAL AUDIT ANNUAL REPORT 2015/16
SUMMARY OF PERFORMANCE AND AUDIT FINDINGS
1. PLAN ACHIEVEMENT
2. In line with PSIAS requirements this Appendix provides a summary of the
work that supports the Chief Auditor’s annual opinion. Appendix 1(a)
further summaries progress against each item in the plan.
3. Appendix 1(a) adopts a traffic light type approach:
Green items are completed, this means that all fieldwork is complete
and findings have been discussed with senior officers with reports
either finalised or in the process of being finalised.
Amber items are work-in-progress. In most cases this reflects multi-
annual exercises.
Blue items are the two items deferred at the time of the Mid-Year
Review.
4. A Service Grouping analysis of actual days delivered is laid out in Table 1.
Actual days by type of audit activity are presented in Table 2.
Table 1: Analysis by Service Grouping Actual Days
Council Wide
(including Strategic Anti-Fraud work, ICSA,
CorVu Development, Performance Indicators,
Small Advisory assignments)
132
Economy and Skills 249
Safer Communities 395
Chief Governance Officer 88
Health and Social Care (EAC Activities) 83
East Ayrshire Integration Joint Board (IJB) 25
East Ayrshire Leisure Trust (EALT) 25
Internal Audit Development 18
Total days 1,015
10
Table 2: Type of Audit Activity Actual
Days
Comments
Investigations: Defalcations and
financial irregularities.
185 Unplanned work higher than
anticipated.
Systems Review Audits including
Core Financial Systems: Assessment
of effectiveness of the systems of
internal control.
244 All planned work achieved with
the exception of SAFFRON
which is carried forward to
2016/17.
Procurement & Contract Audit:
Compliance with best practice in
procurement including the Council’s
Standing Orders Relating to Contracts.
92 All planned work achieved.
Efficiency and Performance Audit:
Audit support for efficient government,
cost reduction, best value and improved
outcomes. Review of performance
management and performance
indicators.
45 All planned work achieved.
Anti-Fraud including Regularity Audit 96 All planned work achieved with
the exception of Social Work
stores. Includes Continuous
Auditing and HAS Stores.
Advisory Services: Client requests for
internal controls advice
51 All planned work achieved.
Internal Control Self-Assessment
(ICSA)
16 All planned work achieved.
Computer Audit: Compliance with best
practice in information and
communications technology.
93 All planned work achieved.
Includes 80 days of outsourced
resource.
External Funding Audit: Compliance
with Following the Public Pound
Guidance (FTPP).
Cross-
Cutting
Cross-cutting work includes the
Leisure Trust and Community
Councils.
Follow Up Audits: Review of
implementation of previous
recommendations
87 17 assignments carried out
covering 104 recommendations.
Two assignments carried
forward to 2016/17.
Internal Audit Development:
PSIAS self-assessment and team
development
18 All planned work achieved.
East Ayrshire Leisure Trust 25 As agreed with EALT
East Ayrshire Integration Joint Board 25 As agreed with IJB
Plan Completion Contingency 38
TOTAL DAYS 1,015
11
5. As well as having good client relationships with management where issues
are discussed on a regular basis, Internal Audit also regularly carries out
client satisfaction surveys using Post Audit Appraisal (PAA)
questionnaires. In 2013/14, as part of our continuous improvement, we
improved the format of the questionnaires which have now been in use for
three years.
6. We use two different PAA questionnaires, one covering audits such as
systems reviews, stores, inventories, regularity and anti-fraud (i.e. “non-
investigations”). The other PAA questionnaire relates to investigations.
Both questionnaires include a number of positive statements and the
clients score each statement as follows: strongly agree, agree, disagree
and strongly disagree.
7. The questionnaire relating to the “non-investigation” type audits includes a
total of 10 positive statements, five relating to the auditors that have
undertaken the job and five relating to the output of the audit.
8. For PAA’s received in the last two years for non-investigation type work
clients have “strongly agreed” to the positive statements in 120 instances
and “agreed” in 49 instances with no disagrees.
9. The PAA’s relating to investigations include a total of seven positive
statements, two relating to timeliness of audit response and actions, two
relating to the staff who undertook the audit and three relating to the report.
10. As investigations are few and can be prolonged we have two PAAs in the
last two years. Clients have “strongly agreed” to the positive statements in
one instance and “agreed” in 13 with no disagrees.
11. OUTPUTS
12. Background
13. The findings arising from audit assignments have been discussed with
appropriate officers of the Council and action plans have either been put in
place or are being put in place.
14. As Members are aware Internal Audit assignments conclude with an
overall assessment of the controls under review drawn from a list
summarised below:
sound assurance / sound assurance in most areas – objectives of
internal control have been met in all/almost all areas within the scope
of the audit; non-compliance has only been identified in low risk or
medium risk areas;
12
reasonable assurance - objectives of internal control have been met in
the majority of areas; some weaknesses have been identified in
medium risk areas;
limited assurance – the control objectives have not been fully achieved;
control weaknesses have been identified in some high risk areas.
no assurance – the control objectives have not been met; significant
non-compliance and/or control weaknesses have been identified.
In some cases where we have a number of distinct areas under review
within the one assignment we may conclude in different levels of
assurance for each distinct area as appropriate to give a more
balanced view of findings.
15. Appendix 1(a) provides a summary of the outcomes against the revised
Internal Audit Plan approved by Committee on 19 November 2015.
16. As Members are aware the Internal Audit Plan is risk based and therefore
work is carried out in areas at the higher end of the risk spectrum.
17. Specific Assignments – Audit Findings 18. Core Financial Systems 19. Our work on core financial system has generally resulted in very positive
outcomes. 20. As Members are aware Audit Scotland will rely on our work on both the
General Ledger and Payroll for their audit of the statutory accounts for 2015/16.
21. The scope of the General Ledger assignment (assignment 1) was as
follows:
Verify processing and application controls adopted in the system and
verify that these are operating effectively to satisfy Audit Scotland
expected controls;
With particular emphasis on testing of coding structures and feeders to
ensure accuracy of the core data within the system for financial reporting
purposes.
22. Our overall assessment is that Sound Assurance can be taken from the
controls operating in most areas within the scope of the assignment.
23. The scope of the Payroll assignment (assignment 2) covered the three
smaller payrolls – Members, Fortnightly and Weekly with specific
objectives as follows:
13
Verify processing and application controls adopted in the system and
verify that these are operating effectively to satisfy the key Audit Scotland
expected controls;
Test standing data (for weekly paid, fortnightly paid and Members),
including creation of new start records, removal of leaver records, and
processing of transfers.
24. Since the introduction of the new CHRIS21 payroll system in 2012 we have
audited the payrolls for four-weekly employees and teachers’ who are paid monthly which represent approximately 99% of payroll value and concluded in reasonable assurance for both.
25. The three smaller payrolls examined by this audit feature separate and
distinct processes and our conclusions are correspondingly varied. Compared with teachers’ monthly payroll and four-weekly employees’ payroll, the scope of this audit is relatively small; the number of payees, in total, is only around 90 at any given time and represents approximately 1% of total payroll value. This provides context for the issues raised by this audit.
26. Our overall assessment for this recent audit is that:
Sound assurance can be taken from the Members’ payroll;
Reasonable assurance can be taken from the fortnightly payroll; this is
a relatively new payroll created to accommodate employees transferred
from South Ayrshire Council to the Ayrshire Roads Alliance (ARA) with
only 31 employees at the time of the audit;
Weekly payroll is a relatively new and very small payroll. At the time of
the audit the weekly payroll consisted of 30 trainees receiving £75 each
per week. We concluded in limited assurance for the weekly payroll as
key procedures and controls implemented by an operational Service
still required to be reviewed by the Head of HR; HR had relatively
recently taken on responsibility for this payroll with trainees previously
paid through Creditors. The Depute Chief Executive (Safer
Communities) has advised that this action is underway and we will
follow up by testing in the usual way.
27. Our payroll work is complemented by our advisory work this year on
Continuous Auditing (assignment 11).We have completed our assignment
to provide advice to Payroll on the introduction of Continuous Auditing to
assist in deterring and detecting fraud and error. We assisted with the
development of appropriate reports to capture exceptions for investigation
by the service, the development of robust audit trails to demonstrate action
taken to investigate these exceptions by the service and to develop skills
within the service in sampling and evidencing.
28. Follow up work was also carried out this year on recommendations made
last year for two additional core financial systems – Creditors and Non-Domestic Rates.
14
29. The original Creditors report in 2014/15 resulted in sound assurance with
three recommendations made. Follow up testing during 2015/16 indicated that all three had been fully implemented.
30. The original Non-Domestic Rates report in 2014/15 resulted in reasonable
assurance with nine recommendations made. Follow up testing during 2015/16 indicated that eight had been fully implemented and one partially implemented representing a high level of implementation. A Client Assurance Statement was received to confirm the implementation timetable for the one partially implemented recommendation.
31. It should also be noted that the East Ayrshire Leisure Trust which utilises
support services from the Council benefits from relevant recommendations made with regard to the core financial systems where the same internal controls are applied.
32. Efficiency and Performance 33. Work was carried out to review four 2014/15 Performance Indicators
(assignment 3).
CORPASSET1: Proportion of operational buildings that are suitable for their current use;
CORP3b: Equal Opportunities;
CORP4: Cost per dwelling of collecting Council Tax; and
CORP7: Percentage of income due from Council Tax received by the end of the year.
34. Four recommendations were made and will be followed up at the beginning
of 2016/17 to support the 2015/16 indicators exercise. In summary during
the audit an adjustment was proposed to one indicator (CORP3b) and
another indicator was re-calculated (CORPASSET1). At the conclusion of
the audit all four indicators were considered reliable.
35. We are pleased to note that we were recently advised by our colleagues in
the PPP Unit that our work on Performance Indicators in 2015/16 was used
to inform revised guidance recently issued by the Improvement Service.
36. Procurement Commercial Improvement Programme
37. Preparatory work was carried out on the Procurement Commercial
Improvement Programme (PCIP) previously known as the Procurement
Capability Assessment (PCA) (assignment 4). Internal Audit is scored as
part of the wider assessment. The PCIP is subject to national scheduling
and has been rescheduled into 2016/17. Audit Scotland would have placed
reliance on this area; however the rescheduling does not have a significant
impact on their annual plan. The Chief Governance Officer updated
Committee in this area on 24 March 2016.
15
38. Investigations
39. Time spent on investigative work (assignment 5) was 185 days compared
to the contingency of 150 days. Work was carried out on 12 investigations
in year including some from prior years.
40. Investigations tend to be complex and of a sensitive nature and are dealt
with in the main by senior members of the team with 107 days from the
Chief Auditor.
41. Controls issues have been identified but are not deemed to significantly
impact on the overall annual assurance for the Council at this time.
42. As Members will be aware while investigations are with the Police, or
where disciplinary action or other appropriate action is pending, relevant
audit reports are not placed on the Member’s portal.
43. Follow-up Review Audits
44. Internal Audit has undertaken follow-up work (assignments 6 and 41) on
17 previous audit assignments during 2015/16 covering 104
recommendations. Two additional assignments were carried out for the
East Ayrshire Leisure Trust with no significant issues arising.
45. The 17 assignments covered a wide range of Council activity including
Creditors, Non-Domestic Rates, Debt Recovery, National Fraud Initiative,
Performance Indicators, Waste Management, Commercial Uplifts,
Monitoring arrangements in respect of the Leisure Trust, Inventory
Inspections, Ross Court, Social Work Mileage Claims, Education
Establishment Funds, Mobile Phones Contract, External Funding –
Community Councils, Supply of Major Housing Components, Loudoun
Academy and the PPP Schools Project.
46. This work involves testing by Internal Audit of the implementation of
recommendations. For the 17 assignments 77% of recommendations had
been fully or sufficiently implemented by the time of follow-up with 13%
partially implemented.
47. In 2014/15 we tested 13 previous audit assignments covering 92
recommendations. For the 13 assignments 90% of recommendations had
been fully or sufficiently implemented by the time of follow-up; with 10%
partially implemented which was consistent with the three year average at
that time.
48. In 2015/16 one assignment with 11 recommendations for which the follow
up report is currently being finalised with the Head of Service shows a low
level of implementation which has reduced the overall implementation
score in year. The Service has indicated they are taking immediate action
to resolve the position.
16
49. Overall our findings from follow up work continue to show that generally
there is management commitment to act where control improvement
opportunities are identified, and that staff understand and accept the need
for systems to be robust and reliable.
50. We had also planned to carry out follow up on Music Tuition Fees and
Vehicle Tracking in year. Due to timing and prioritisation issues both
assignments have been carried forward to 2016/17. It should be noted that
although the Vehicle Tracking follow up was not carried out we supported
Transport in the specification of a tender for a new tracking system. We
also supported the Education service in implementing recommendations
with regard to Music Tuition Fees.
51. As Members are aware where agreed audit recommendations have not
been fully implemented by the time of the audit follow-up, management is
asked to sign a Client Assurance Statement (CAS) confirming that any
outstanding actions will be implemented, and confirm the timescales
involved. At the end of each financial year internal audit contact the
relevant Chief Officer requesting an update on progress with regard to the
CAS.
52. Anti-fraud Contingency
53. The Council’s Corporate Risk Register, regularly reported to Committee as
part of East Ayrshire Performs continues to reflect the risk of fraud and
misappropriation of council resources with new attacks still noted as
increasingly likely. The audit plan continues to be informed by this risk and
includes a programme of regularity audits (assignments 32-36 below)
and is a cross-cutting theme across all work.
54. Strategic anti-fraud work has been carried out by the Chief Auditor
(assignment 7) including support to the Corporate Information
Governance Group (CIGG); this has included a review of a large sample of
the new Information Governance policies and procedures supported by our
outsourced Computer Audit partner with 77 continuous improvement
suggestions raised through a number of Internal Audit briefing papers and
adopted by the group. No significant issues were identified.
55. The Chief Auditor is a permanent member of the Strategic Anti-Fraud
Steering Group along with the Head of Finance and ICT and the Chief
Governance Officer. The inclusion of Internal Audit in these groups
facilitates ongoing risk assessment and enhances client relationships.
Internal Audit is the keeper of the corporate Fraud Log in line with the Anti-
Fraud Policy.
56. The Chief Auditor continues to work closely with the Head of Finance and
ICT and the Chief Governance Officer to consider continuous improvement
in respect of counter fraud arrangements including consideration of the
17
most recent CIPFA Code of Practice on Managing the Risk of Fraud and
Corruption and the associated CIPFA Counter Fraud Assessment Tool.
57. During the year the Strategic Anti-Fraud Steering Group hosted a meeting
with a representative of the National Anti-Fraud Network (NAFN). As
Members may be aware NAFN is hosted by Tameside Metropolitan
Borough Council and Brighton and Hove City Council. It is the largest
shared service in the country managed by, and for the benefit of its
members. Membership is open to any organisation which has responsibility
for managing public funds/assets. Currently 87% of UK local authorities are
members.
58. The Council is a longstanding member of NAFN benefitting from services
for a number of years. The establishment of the national Single Fraud
Investigation Service (SIFS) within the DWP has led to NAFN reviewing its
services to local authorities and in turn to us ensuring we continue to make
best use of these services.
59. We also continue to work with colleagues in Finance to deter attacks on
our Creditors system. This has included participation since June 2014 in a
scheme hosted by NAFN working as a contact point to the banking sector
with the objective of closing down recipient bank accounts used by
potential or actual fraudsters. The scheme was promoted through the
Chief Auditors’ network.
60. In previous years we have sampled changes to Creditor bank accounts
with no significant issues found in East Ayrshire. To ensure ongoing
assurance we will resume this work in 2016/17.
61. We also continue to work as appropriate with the Council’s Local Authority
Liaison Officer (LALO) from Police Scotland and with the Police Public
Sector Counter Corruption Unit. The Audit Manager attended the first
cohort of a Public Sector Investigators’ Course held at the Police College
with the Chief Auditor attending the second cohort in November 2014.
62. This year we participated, with Finance and ICT colleagues, in social
media investigation and research training being offered through the Chief
Auditors’ network and delivered by CIPFA. Open source information
available through social media is a source used during investigations. We
can also access additional consented data through NAFN.
63. The Scottish Local Authority Investigators Group (SLAIG) has recently
become a sub-group of the Scottish Local Authority Chief Internal Auditors’
Group (SLACIAG). SLAIG traditionally focussed on housing benefit fraud
and following the national changes in this area has embraced wider
18
counter fraud areas. Information from SLAIG was used to inform the
2016/17 Internal Audit plan.
64. Internal Control Self-Assessment
65. Internal Audit continues to develop and support the Internal Controls Self-
Assessment (ICSA) toolkits (assignment 8) to support management in
promoting compliance with internal controls. The toolkit covers all relevant
locations totalling over 200 agreed with the Corporate Management Team
in October 2011. The programme of work was completed by the agreed
deadline of March 2014. Internal Audit continues to provide ongoing
support and provides annual reports to senior management. The ICSA
tools continue to be used by the East Ayrshire Leisure Trust with ongoing
development support from Internal Audit to ensure relevance for EALT.
66. Small Advisory
67. Internal Audit has contributed to the improvement of controls within
services by co-operating with staff on a number of issues resourced
through the Small Advisory contingency (assignment 9).
68. A total of 35 small advisory assignments were delivered with time spent
ranging from minutes to a number of days with topics ranging from
community councils honoraria, community councils accounts, stocktaking,
unit costing, community asset transfer, national consultation exercises,
revision of policies and procedures and the new Education on-line
payments facility ParentPay.
69. Performance Management System
70. We have finalised an exercise (assignment 10) to create new functionality
to include internal audit recommendations from 2015/16 within the CorVu
electronic performance system which will provide both internal audit and
management with enhanced monitoring of implementation of
recommendations. The position will continue to be monitored to ensure
effectiveness.
71. Continuous Auditing
72. Details of work carried out with payroll in 2015/16 (assignment 11) are laid
out in Section 27.
73. Internal Audit Continuous Development
74. Continuous development (assignment 12) embraces a number of actions
including team development days, development of working practices,
training and PSIAS internal self-assessment.
19
75. During 2014/15 we considered our data analysis tools and as a result
upgraded our IDEA software. Subsequently in 2014/15 and 2015/16 pan-
Ayrshire IDEA training was arranged and hosted by South Ayrshire Council
with initial and intermediate training attended by our Senior Auditor and
Audit Manager. This approach has resulted in cheaper training costs, an
enhanced pan-Ayrshire support network and improved data analysis which
has already been utilised for a number of assignments including the
Scottish Housing Quality Standard, Performance Indicators, General
Ledger and Continuous Auditing in Payroll.
76. Current Tenant Arrears
77. The scope of this audit (assignment 13) was as follows:
Assessing the effectiveness of the systems of internal control in
respect of current rent arrears;
Ascertaining the system controls in place and documenting the
process within Orchard for managing rent arrears;
Considering the controls in place within the system to separate
arrears caused by the under-occupancy charge.
78. Consideration was also given to the impact of Universal Credit which was
introduced in East Ayrshire during the conclusion of the audit.
79. The report is currently being finalised and a clearance meeting has been
held to discuss findings with the Head of Service. Our assessment is that
reasonable assurance can be taken from the controls operating in most
areas within the scope of the assignment.
80. Scottish Housing Quality Standard
81. Internal Audit has concluded work on the Scottish Housing Quality
Standard (SHQS). This assignment (assignment 14) began in 2014/15
and was concluded in early 2015/16. The objective of the assignment was
to assess the adequacy and effectiveness of the Council’s arrangements
for reporting the level of compliance with the SHQS by confirming that:
all relevant data has been correctly captured; and
the Council’s database accurately reports compliance with the
standard.
82. Sound assurance can be taken from the controls operating in most areas
within the scope of this assignment.
20
83. Housing Asset Services – recovery from owners
84. The scope of this assignment (assignment 15) included:
Review of arrangements for planned common repairs and ensure
these are adequate and in line with both the Council’s obligations
and Housing Revenue Account (HRA) eligibility;
Review of arrangements for factoring fees, to ensure systems are in
place to issue all bills and maximise income;
85. We concluded that reasonable assurance can be taken from the controls
operating in respect of the areas of factoring included within the scope of
this assignment; however only limited assurance can be taken from the
controls operating in some of the areas examined in relation to the process
of income recovery from owners for common repairs undertaken. The
service responded immediately to implement corrective actions and
Internal Audit is supporting that process.
86. SAFFRON System
87. Initial work was undertaken in 2015/16 to collect background information
on SAFFRON (assignment 16) used by Onsite to manage procurement,
invoicing, stock control and income control of meals money. We initially
considered SAFFRON as part of income control during the Schools Meals
Income assignment in 2014/15. Due to the pressures of higher priority
work completion of this assignment, with the agreement of the Head of
Service, was postponed until 2016/17. Other time critical work was carried
out in this area during 2015/16 with particular regard to advising on the
new online ParentPay system which includes a facility for parents to pay
for school meals. That advisory work continues into 2016/17 as well as the
finalisation of the SAFFRON assignment.
88. Children and Young People (Scotland) Act 2014 – Named Persons
89. Advisory work was started during 2015/16 and will continue into 2016/17 at
least until the “go live” in August 2016.
90. The fieldwork is being supported by our outsourced delivery partner and
includes an element of computer audit. During March 2016 a short life
group was set up following Internal Audit advice to co-ordinate not only
audit advice but also additional input from the Information Governance
Officer, ICT Security Manager and Legal.
91. Ayrshire Roads Alliance – TRIPS
92. We are advising the Ayrshire Roads Alliance (ARA) on the development of
a bespoke procurement software package – Transparent Road
Infrastructure Procurement Software (TRIPS) (assignment 18) which is
21
being developed from the current procurement package used by the three
Ayrshire authorities to be expanded to include West Lothian and Falkirk
Councils. This exercise considers internal audit recommendations
previously made for the Roads Minor Works contract and this work
continues into 2016/17.
93. Transport
94. We are also advising Transport on the further development of the system
for spare parts (assignment 19). Again this work considers previous
internal audit recommendations and continues into 2016/17.
95. Assignment 20 with regard to a compliance audit of vehicles and drivers
was deferred at Mid-Year in 2015/16 after management confirmed that
scrutiny would be carried out by the Freight Transport Association (FTA).
This assignment was reconsidered for the 2016/17 plan and was still
deemed to be at the lower end of the risk spectrum due to management
action.
96. Computer Audit
97. Work was carried out on six computer audit assignments by our
outsourced delivery partner under the supervision of the Chief Auditor.
Work on new Information Governance policies and on Named Persons is
referred to above.
98. The schools management system SEEMiS (assignments 21 and 22) was
subject to testing in year with colleagues from Education and ICT. The
scope assessed:
Best practice requirements for management and control of an IT
application;
Issues identified by another Council and reported to the Scottish Local
Authority Chief Internal Auditors Group (SLACIAG) in 2014 including
System Administration, User Access, Password Security, Audit Trails
and Contractual Arrangements;
Any relevant issues raised by South Lanarkshire Council Internal Audit
in their capacity as internal auditors for the SEEMIS Group LLP.
99. It was concluded that reasonable assurance can be placed on the controls
operating in the areas around user account management in SEEMiS
although there is scope for improvement in these. However, there was
limited assurance regarding the security of user access with regard to
password control. Education advised that they immediately took action to
improve password control in line with the audit recommendation. It should
be noted that no breaches of user access were identified.
22
100. Advisory work was also carried out on the Use of Mobile Devices in
Schools (assignments 23 and 24). A briefing paper has been produced
concluding that the Council has followed a robust process in relation to the
introduction of iPads within schools and that there has been a clear focus
on ensuring that all relevant risks have been identified, assessed and
responded to. It is also recognised that the very nature of this initiative
cannot be free of risks. However it was noted that risks have been or are
being mitigated as far as possible in a mature approach with the Council
recognising that there is a need to ensure the devices support learning and
education whilst providing appropriate security protection for pupils.
101. The briefing paper includes three recommendations. Advisory work
tends to be time critical with quick briefing papers issued during the
assignment for immediate impact. In this case the three recommendations
lend themselves to follow up work in 2016/17 and that is our proposed
action.
102. Testing was also carried of arrangements for Software Licensing
(assignments 25 and 26). The scope of that work included assessment of
the following:
Controls to prevent installation of unauthorised software on all Council
ICT assets;
Controls in place in relation to the procurement, management and
recording of licences;
Records of purchased software and processes to review the renewal of
licence maintenance agreements;
Arrangements to ensure that appropriate licences are held for all installed
software.
The findings have been discussed with the Head of Service and the report
is being finalised indicating that reasonable assurance can be placed on
the controls operating in areas around procurement as well as restrictions
on the ability to install software. Testing indicates that limited assurance
can be placed over the reconciliation of software licences; it should
however be noted that prior to the audit the Service identified the need for
continuous improvement in this area and was already piloting tools to
improve processes.
103. Work was also carried out to test application controls for the Open
Revenues system used by Revenue and Benefits (assignments 27 and
28). The system is used for administration of council tax, non-domestic
rates and housing benefits.
104. The scope of the Open Revenues assignment included:
23
Best Practice requirements for logical access to the system, and
confirmation that logical access security is compliant with Council
policy.
The adequacy of system access controls including their ability to
ensure segregation of duties
105. The assignment concluded that there is reasonable assurance
regarding logical access controls for the Open Revenues application.
106. Contract Audit
107. As Members are aware our planned work on Asbestos Contracts
(assignment 30) was deferred at Mid-Year during 2015/16 and was not
deemed to be at the higher end of the risk spectrum for the 2016/17 plan
due to management action.
108. Also as reported at Mid-Year we allocated the Contract Audit
Contingency (assignment 31) to a review of the contract relating to Multi-
Functional Devices which provide a number of facilities including printing.
109. This has been an unexpectedly complex audit partly due to the fact that
one of the main employees involved in administering the contract had left
the Council. The report is finalised indicating that limited assurance can be
taken from the current operation of internal controls; the control objectives
have not been fully met.
110. The audit confirmed that the project started well in terms of set up,
initial strategic management of the contract, and prices agreed with Canon;
and compared with 2012, the Council is now in a much stronger position,
having obtained a relative wealth of information on its print requirements,
established inter-Service arrangements, and changed printing practices
across the Council.
111. Internal Audit acknowledges and welcomes the efforts made by the
Service since the audit to improve control and secure improved value from
the contract.
112. Regularity Assignments
113. Regularity work (assignments 32-36) allows us to carry out a number of
smaller assignments to test compliance with policies and procedures
across the Council and plays an important part in the Council’s anti-fraud
strategy. This work includes unannounced visits.
24
114. As Members are aware one regularity assignment (Grants Committee)
was deferred at Mid-Year and has now been included in the 2016/17 audit
plan.
115. Internal Audit has undertaken four regularity reviews in areas across
the Council:
Payments in Customer Service Centres - sound assurance in most
areas examined.
Risk Management (Insurance Claims) - sound assurance can be taken
from the controls implemented in most areas under review.
Housing Asset Services (HAS) – Stores – unannounced visit – report
being finalised indicating reasonable assurance.
Schools – Education Establishment Funds (“School Funds”) –
unannounced visits to 14 Primary Schools – the report is being finalised
and a clearance meeting has been held with the Head of Education.
The report indicates limited assurance. Prior to finalisation of the report
action was immediately taken by the Depute Chief Executive and Chief
Financial Officer (Economy and Skills) to address the issues arising.
116. Health and Social Care (EAC)
117. Significant work has been carried out within Health and Social Care
(assignments 37-41). This is an increasingly complex area and involves
work on a multi-annual basis in many areas.
118. Work continues on Homecare Advisory with the Audit Manager
supporting the delivery of training as well as generally assisting with the
implementation of previous Internal Audit Recommendations.
119. The Audit Manager also continues to support Self-Directed Services in
an advisory capacity including the design and development of internal
controls as well as testing control arrangements. That control testing
continues into 2016/17 when we anticipate concluding a report.
120. Due to the impact of unplanned work the Social Work Stores
assignment has been carried forward into 2016/17.
121. Social Work follow up assignments are referred to in Section 44.
122. Following the Public Pound (FTPP)
123. For 2015/16 FTPP activity reflects a cross-cutting theme including work
carried out for the Leisure Trust and IJB as well as follow up work for
Community Councils and small advisory work relating to community asset
transfer and other community council related topics. Scheduled work on
Grants Committee procedures has been deferred to 2016/17.
25
124. Integration Joint Board (IJB)
125. As Committee is aware the Council’s Chief Auditor was appointed as
the IJB Chief Internal Auditor during 2015/16.
126. The Chief Auditor and Audit Manager continue to support the IJB Audit
and Performance Committee. This also involves working with colleagues in
the other Ayrshire Councils and NHS Ayrshire and Arran to ensure
exchange of experience and benchmarking.
127. During 2015/16 governance arrangements for the IJB were reviewed
with no significant issues arising.
128. The Financial Regulations for the IJB state that the IJB Chief Internal
Auditor will submit an annual audit report to the IJB in respect of IJB
activity and as a minimum that annual audit report and related IJB Chief
Internal Auditor’s opinion will be reported to the audit committees of
NHSAAA and the Governance and Scrutiny Committee of the Council.
That report is currently scheduled for the IJB Audit and Performance
Committee on 2 August 2016 and a verbal update of work carried out to
date will be made to Governance and Scrutiny Committee on 19 May 2016
with a copy of the report to follow in due course.
129. All IJB work was carried out within the 25 days allocation.
130. East Ayrshire Leisure Trust (EALT)
131. We also continue to work as the Internal Auditors of the EALT. No
significant issues have arisen from our work to date in 2015/16 with one
larger assignment ongoing. Our EALT work provides additional value and
assurance for the Council.
132. As Members are aware the Council’s funding agreement with the EALT
allows for where issues arise that are deemed to be of interest to the
Council, these will be reported to the Chief Executive and where
appropriate to elected Members.
26
SUMMARY OF PERFORMANCE
133. We continue to show an excellent level of performance against a
challenging plan in challenging circumstances against a backdrop of
significant changes including the introduction of Health and Social Care
Integration and a number of complex assignments including investigations.
Staff have worked hard to achieve this level of performance.
134. We have carried out work on all planned audit assignments for 2015/16
with the exception of SAFFRON and Social Work Stores and two follow up
assignments all of which have been carried forward to 2016/17. Additional
work was required in priority areas including investigations with 1,015 days
delivered against a plan of 870 days.
135. A total of 180 recommendations have been made in 2015/16, which
when implemented will support the continuous improvement of the control
environment.
136. Internal Audit has also undertaken follow-up work on a number of
previous audit assignments, with a view to establishing progress on the
implementation of audit control recommendations. This work revealed that
generally an established pattern continues with agreed actions
substantially implemented by the time of the audit follow up. In total 104
recommendations were covered through this follow-up work.
137. Performance against the 2015/16 Internal Audit Plan is summarised in
Appendix 1(a); the updated performance action plan, arising from our self-
assessment against the PSIAS, is presented in Appendix 2 and the Annual
Opinion at Appendix 3.
END
27
Appendix 1(a)
INTERNAL AUDIT PLAN 2015/16 – PROGRESS REPORT
Progress against plan and summary of audit findings
IA Job Ref A. East Ayrshire Council Type of Activity Comments
Ongoing Commitments :
1 Core Financial System – General Ledger Systems Review Completed.
Sound Assurance.
2 Core Financial System - Payroll
(Members/Fortnightly/Weekly)
Systems Review Completed.
Members – sound assurance. Fortnightly – reasonable assurance.
Weekly – limited assurance (no material impact).
3 2014/15 Performance Indicators Efficiency & Performance Completed.
At completion of audit all four indicators under review were
found to be reliable.
4 Procurement Commercial Improvement
Programme (PCIP)
Procurement & Contract
Audit
Timetable out-with IA control. Preparation carried out. Work
rescheduled into 2016/17.
5 Investigations Contingency Investigations / Anti-Fraud See Appendix 1
6 Follow Up Assignment excluding Social
Work and EALT
Follow Up See Appendix 1
7 Anti-Fraud Contingency Anti-Fraud See Appendix 1
8 Internal Control Self-Assessment (ICSA) Regularity/ Anti-Fraud See Appendix 1
9 Small advisory Advisory See Appendix 1
10 Performance Management System -
integration of Internal Audit
Recommendations into CorVu.
Efficiency & Performance Arrangements established in 2015/16 to upload Internal Audit
recommendations.
11 Continuous Auditing - ongoing support
and development
Advisory / Regularity / Anti-
Fraud
Completed. Work carried out to support the establishment of
Continuous Auditing within Payroll.
12 Internal Audit continuous development IA development Completed. Included PSIAS self-assessment and staff
development sessions with Organisational Development.
28
IA Job Ref A. East Ayrshire Council Type of Activity Comments
Items Deferred from 2014/15 plan:
13 Current Tenant Arrears Systems Review Completed. Reasonable Assurance.
14 Scottish Housing Quality Standard
(finalisation of work begun in 2014/15)
Systems Review Completed. Sound assurance.
Items from 2015/16 Risk Assessment:
15 Housing Asset Services - recovery from
owners
Systems Review Completed. Reasonable assurance in respect of factoring.
Limited assurance with regard to recovery in respect of common
repairs.
16 SAFFRON system Systems Review Carried over to 2016/17 plan.
17 Children and Young People (Scotland)
Act 2014 - Named Person Service -
establishment of new processes
Advisory Work ongoing into 2016/17. Planned work completed in
2015/16.
18 Ayrshire Roads Alliance - TRIPS Advisory Work ongoing into 2016/17. Planned work completed in
2015/16.
19 Transport - implementation of new
computerised system for spare parts
Advisory Work ongoing into 2016/17. Planned work completed in
2015/16.
20 Transport - compliance audit - vehicles
and drivers
Systems Review / Regularity Deferred and re-considered for 2016/17 plan. Management
action including utilising the FTA resulted in this area being at the
lower end of the risk spectrum.
Computer Audit:
21 SEEMIS - IT security (OUTSOURCED) Computer Audit Completed. Reasonable assurance in areas around user account
management. Limited assurance in respect of password control
although no breaches were identified.
22 SEEMIS - IT security (EAC RESOURCE) Computer Audit See above
23 Use of Mobile Devices in Schools
(OUTSOURCED)
Computer Audit Advisory Completed. Work concluded that the Council has followed a
robust process with risks identified, assessed and responded to
in a mature approach.
24 Use of Mobile Devices in Schools
(EAC RESOURCE)
Computer Audit Advisory See above
29
IA Job Ref A. East Ayrshire Council Type of Activity Comments
25 Software Licensing (OUTSOURCED) Computer Audit Completed. Reasonable assurance in respect of controls
operating in areas around procurement as well as restrictions on
the ability to install software. Limited assurance over the
reconciliation of software licenses.
26 Software Licensing (EAC RESOURCE) Computer Audit See above
27 OpenRevenues - application controls
(OUTSOURCED)
Computer Audit Completed. Reasonable assurance.
28 OpenRevenues - application controls
(EAC RESOURCE)
Computer Audit See above
29 Computer Audit Contingency – used to
support finalisation of review of
Information Governance policies and
procedures
Computer Audit Completed. No significant issues identified.
Contract Audit:
30 Asbestos contract Procurement & Contract
Audit
Deferred and re-considered for 2016/17 plan. Management
action indicated that this area is at the lower end of the risk
spectrum.
31 Contract Audit Contingency – utilised for
Multi-Functional Devices contract
Procurement & Contract
Audit
Completed. Limited assurance.
32-36 Regularity assignments (various) Regularity Four assignments completed.
a. Payments in Customer Contact Centres – Sound
assurance
b. Risk Management (Insurance Claims) – Sound assurance
c. HAS Stores – Reasonable assurance
d. Schools Education Establishment Funds – Limited
assurance
30
IA Job Ref A. East Ayrshire Council Type of Activity Comments
Health and Social Care (EAC activities):
37 Homecare Advisory and Testing of
Recommendations
Advisory / Follow Up Completed planned work in 2015/16. Work ongoing into
2016/17.
38 Self-Directed Services Advisory Advisory Completed planned work in 2015/16. Work ongoing into
2016/17.
39 Self-Directed Services Testing Regularity / Anti-Fraud Completed planned work in 2015/16. Work ongoing into
2016/17.
40 Social Work Stores Regularity / Anti-Fraud Work ongoing into 2016/17.
41 Social Work Follow Up Assignment Follow Up Completed. See Follow Ups in Appendix 1.
42 General Contingency (EAC) Contingency Utilised to complete 2014/15 assignments
IA Job Ref B. East Ayrshire Integration Joint Board
(IJB)
Type of Activity Comments
43-44 INTEGRATION JOINT BOARD Risk based Audit Plan agreed
with IJB Audit and
Performance Committee.
Completed. Internal Audit carried out a review of governance
arrangements, reasonable assurance.
IA Job Ref C. East Ayrshire Leisure Trust (EALT) Type of Activity Comments
45-48 EAST AYRSHIRE LEISURE TRUST Risk based Audit Plan agreed
with EALT Performance and
Audit Committee.
Completed. Various assignments. No significant issues arising to
date, one larger assignment being completed.
31
Appendix 2
PSIAS Self-Assessment Update
Action Point Key Actions
Original Deadline Work Done - Annual Update Assessment
Further Action
Required? Revised Deadline
Update On Items From Prior Years
1 Results of annual self-assessment to be
reported to Committee in the Annual Report
May-14 Fully Implemented from Year 1 Fully
implemented
No further action
required N/A
2 WP 120 (Audit Brief) template to be
reviewed and revised to better highlight areas included in the audit.
Jun-14 Template revised and issued to
all staff in July 2014. Fully
implemented
No further action
required N/A
3
Continuous improvement of working practices - process to be fully adopted whereby the audit brief is approved by all clients via email system. Approval
emails to be retained on file to evidence agreement.
Jun-14
Process changes notified to all staff in July 2014. A small
number of clients prefer to print and sign and this will be
respected.
Sufficiently implemented
No further action
required N/A
4
Continuous improvement of working practices - Auditor Date Sheet to be used where appropriate to monitor
performance against target and ensure communications are made in a timely
fashion. Delays to be notified to review auditor asap to ensure client can be
notified of any delays in a timely fashion. Where target has not been met, this
should be justifiable by the lead auditor.
Jun-14
Auditor Date Sheets are now being more widely used and have been used to monitor
progress against plan.
Fully implemented
No further action
required N/A
32
Action Point Key Actions
Original Deadline Work Done - Annual Update Assessment
Further Action
Required? Revised Deadline
5
Aim to appoint temporary computer auditor to cover secondment of
substantive computer auditor to Energy Team (now made permanent)
Sep-14 Computer Audit resources successfully tendered in
2014/15; 2015/16 and 2016/17
Fully implemented
No further action
required N/A
6
Audit planning process to be reviewed to ensure consideration of national and local issues and risks continues to be
robust.
Jan-15 This has been considered
during annual planning round by the Chief Auditor
Fully implemented
No further action
required N/A
7 Consider at next planning round the
contribution that IA can make to EAC's ethics-related objectives.
Jan-15
This has been considered by the Chief Auditor during the
planning process with the Chief Governance Officer
Fully implemented
No further action
required N/A
8
Consider at next planning round follow up results during the year to identify if
we can target specific areas where recommendations have not been fully or
sufficiently implemented.
Jan-15 This was considered annually during the planning round by
the Audit Manager
Fully implemented
No further action
required N/A
9
Audit manual to be reviewed and updated for PSIAS requirements.
Thereafter, audit manual to be reviewed and updated on a regular basis.
Mar-15 Audit manual has been updated
for PSIAS. Sufficiently
implemented
Under continuous
review N/A
10 Review Council's risk management
arrangements, including risk registers Mar-15
Risk management arrangements and risk registers
considered during annual planning round and mid-year review with advice offered on
continuous improvement of risk registers during the 2016/17
planning round.
Sufficiently implemented
No further action
required Ongoing
33
Action Point Key Actions
Original Deadline Work Done - Annual Update Assessment
Further Action
Required? Revised Deadline
11
Internal Audit Charter references to parties external to the organisation to be reviewed as part of the annual review to
ensure still "fit for purpose".
Apr-15
Charter reviewed by Chief Auditor and identified as being fit for purpose as reflected in IA Annual Report in May 2015 and
May 2016
Fully implemented
No further action
required Ongoing
12
Consideration of additional performance targets for Annual Report (also refer to Scottish Local Authority Chief Internal
Auditors' Group SLACIAG consideration of this topic).
May-15
Internal Audit continues to report against the established CIPFA Directors of Finance
Performance Indicators (% of planned days delivered and
cost of Internal Audit). SLACIAG has not issued any further direction on additional
indicators.
Sufficiently implemented
No further action
required
As and when
SLACIAG
issue further
direction.
13 Consider the resourcing of the external assessment of PSIAS compliance (i.e.
the five year external assessment). TBC
Year 5 is 2017/18 and a recommendation will be brought
to Committee in due course.
Not implemented
Under review
TBC
Key Item Identified During 2015/16 Self-Assessment
14
Committee to formally seek reassurance from management and the Chief Auditor
as to whether there are any inappropriate scope or resource
limitations (standard 1110)
May-16
Incorporated in IA Annual Report 19 May 2016. To be stated in future Audit Plans,
Mid-Year Reviews and Annual Reports.
Fully implemented
No further action
required ongoing
34
Appendix 3
INTERNAL AUDIT ANNUAL STATEMENT
ON THE ADEQUACY OF THE INTERNAL CONTROL ENVIRONMENT
As Chief Auditor of East Ayrshire Council, and in line with the Public Sector Internal
Audit Standards (PSIAS), I present my annual statement on the overall adequacy
and effectiveness of the Council’s framework of governance, risk management and
control for the year ended 31 March 2016.
Responsibilities of management and Internal Audit in relation to the internal
control environment
It is the responsibility of the Council’s senior management to establish an appropriate
and sound system of internal controls; including governance and risk management
arrangements; and to monitor the continuing effectiveness of that system. It is the
responsibility of the Chief Auditor to provide an annual assessment of the robustness
of the internal control environment based on the work of the Internal Audit section.
Internal controls
The main objectives of the Council’s internal control systems are to:
ensure adherence to management policies in order to achieve objectives;
safeguard assets;
ensure the relevance, reliability and integrity of information, so ensuring as far as
possible the completeness and accuracy of records; and
ensure compliance with statutory requirements.
The system of internal controls cannot provide absolute assurance that control
weaknesses or irregularities do not exist or that there is no risk of material errors,
losses, fraud or breach of laws or regulations. Accordingly, the Council is continually
seeking to improve the effectiveness of its systems of internal control.
Internal Audit
Internal Audit is an independent appraisal function established by the Council for the
review of the internal control environment as a service to the organisation. It
objectively examines, evaluates and reports on the adequacy of internal control as a
contribution to the proper, economic, efficient and effective use of the Council’s
resources. During 2015/16 the Internal Audit section operated in accordance with the
Public Sector Internal Audit Standards (PSIAS), supported by the Chartered Institute
of Public Finance and Accountancy (CIPFA) Local Government Application Note for
the United Kingdom Public Sector Internal Audit Standards. This is evidenced
through Audit Scotland’s annual review of Internal Audit and no significant findings
arising from our quality assurance and improvement programme demonstrated
through the results of our internal self-assessment.
35
Internal Audit activity during the year was based on the planned work programme
contained in the Annual Audit Plan approved by the Governance and Scrutiny
Committee on 23 April 2015, and revised following a scheduled mid-year review on
19 November 2015. Audit plans are prepared following full consultation with the Chief
Executive, the Proper Officers, the Chair of the Governance and Scrutiny Committee
and External Audit and approved by Committee in line with PSIAS requirements.
Internal Audit reports are presented to the relevant senior officers and include
appropriate recommendations and agreed actions which, when implemented, will
improve the overall control environment. As part of Internal Audit monitoring
procedures, copies of audit assignment reports, including follow-ups, are presented
to the Chief Executive, the Proper Finance Officer, the Chief Governance Officer and
the Council’s External Auditor. Copies of audit reports are also made available to
Elected Members via the Council’s intranet.
Internal Audit routinely undertakes follow-up work on all major audit assignments in
order to assess progress on the implementation of audit recommendations. Where
agreed audit recommendations have not been fully implemented by the time of the
audit follow-up, the appropriate senior officer is asked to sign a Client Assurance
Statement (CAS) confirming that any outstanding actions will be implemented, and
the timescales involved with Internal Audit thereafter checking the status of each
CAS with the relevant Chief Officer.
Basis of Opinion
The assurance is based on a rolling programme of work comprised of year on year
sampling of internal controls. The programme of work is laid out in annual risk-based
audit plans. As such it should be noted that the assurance expressed in the Internal
Audit Annual Statement can never be absolute. The most that Internal Audit can
provide in the Annual Statement is reasonable assurance based on the work
performed. Individual jobs can result in findings of “sound assurance” or “sound
assurance in most areas” but not the wider Annual Statement.
Our evaluation of the control environment in 2015/16 is informed by a number of
sources:
the audit work undertaken by Internal Audit during the year to 31 March 2016;
the audit work undertaken by Internal Audit in previous years;
audit follow up work to assess implementation of agreed actions;
findings/conclusions arising from work carried out by the Council’s External Auditors; and
knowledge of the Council’s governance, risk management and performance framework.
36
Opinion
We have carried out work on the overwhelming majority of planned audit
assignments for 2015/16 with four exceptions and carried out additional unplanned
work.
Core financial systems reviews have been completed year on year with continuing
good results.
The General Ledger review was completed in year and found sound assurance.
Since the introduction of a new payroll system in 2012 we have in 2012/13 and
2013/14 audited the payrolls for four-weekly and teachers’ which represent
approximately 99% of payroll value and concluded in reasonable assurance for both.
The three smaller Payrolls (Members’/ Fortnightly/ Weekly) which represent
approximately 1% of payroll value were examined in year finding sound, reasonable
and limited assurance respectively with no material errors found. At the time of the
audit the weekly payroll consisted of only 30 trainees each receiving £75 per week.
We concluded in limited assurance for this weekly payroll as key procedures and
controls implemented by an operational Service still required to be reviewed by the
Head of HR; HR had relatively recently taken on responsibility for this payroll with
trainees previously paid through Creditors. The Depute Chief Executive (Safer
Communities) has advised that this action is underway and we will follow up by
testing in the usual way.
Our payroll audit this year concludes audit review of all five payrolls in the new
payroll system over the last four years, including follow-up reviews of four-weekly and
teachers’, and generally our audits have concluded that reasonable assurance can
be taken from the controls in place at the time of the audits.
In addition two follow up review audits were carried out across Creditors with 100%
of recommendations fully implemented and Non-Domestic Rates with eight
recommendations fully implemented and one partially implemented.
Other planned assignments drawn from the risk based audit plan have also been
completed on systems reviews, anti-fraud and regularity, self-evaluation,
procurement and contract audit, efficiency and performance audit and computer audit
with work resulting in opinions ranging from sound to reasonable through to limited
assurance. Advisory work has also been carried out across a number of areas. The
agreed actions arising from all of this work, when implemented, will further strengthen
the framework of controls.
We have also undertaken a number of investigations resulting in improvement
actions being agreed with management.
Internal Audit has undertaken follow up work on a number of previous audit
assignments, with a view to establishing progress on the implementation of audit
37
control recommendations. This work revealed that agreed actions had been
substantially implemented by the time of the audit visit. This is consistent with
findings in previous years. Where audit recommendations have not been fully
implemented the further action required is agreed with the service. Internal Audit is
satisfied that generally there is management commitment to act where control
improvement opportunities are identified, and that staff understand and accept the
need for systems to be robust and reliable.
We have also considered the current view of the Local Area Network (LAN) with
regard to risk. The Professor Lorne Crerar 2007 review of systems of regulation,
audit and inspection in Scotland delivered shared risk assessments, lighter touch
external regulation and more reliance on self-evaluation. The scrutiny bodies
operating in East Ayrshire Council have collaborated to put in place a Local Scrutiny
Plan 2016/17 issued by Audit Scotland and considered by the Governance and
Scrutiny Committee on 24 March 2016. The Local Scrutiny Plan is based on a shared
risk assessment undertaken by the Local Area Network (LAN) comprising
representatives of all the scrutiny bodies who engage with the Council in addition to
Audit Scotland and including the Scottish Housing Regulator (SHR), the Care
Inspectorate and Healthcare Improvement Scotland and Education Scotland. The
Local Scrutiny Plan concluded that there are no scrutiny risks at East Ayrshire
Council which warrant any specific additional scrutiny work in 2016/17.
On the basis of Internal Audit work completed in 2015/16, East Ayrshire Council’s
established internal control procedures were generally found to operate as intended
to meet management’s requirements for the individual systems reviewed by Internal
Audit. On the basis of selective testing of key controls, it can be concluded that, in
the main, controls were generally operating as expected during the period under
review. A number of recommendations have been made by Internal Audit to further
improve controls through action plans developed with management to address
improvements.
Our overall opinion, based on the work carried out, and in line with PSIAS
requirements is that reasonable assurance can be placed upon the adequacy and
effectiveness of the Council’s framework of governance, risk management and
control in the year to 31 March 2016. The objectives of internal control have been
substantiality met. This is consistent with our opinion in previous years.
Eilidh Mackay
Chief Auditor
May 2016