PAPER B

 

Committee:    AUDIT AND PERFORMANCE COMMITTEE

 

Date:               13 MARCH 2007

 

Title:                INTERNAL AUDIT OUTCOMES REPORT

 

REPORT OF THE CHIEF INTERNAL AUDITOR

 


 


PURPOSE

 

1.                  This report is to provide the Committee with a summary of Internal Audit activity completed since the last outcomes report to the Committee in December 2006.

 

2.                  The Committee is invited to note the contents of the report and to seek clarification of any issues arising from audits undertaken.

 

OUTCOMES

 

3.         Whilst this report is to provide the Committee with information and does not require a decision, the outcome of the report is to demonstrate to all stakeholders that assurances regarding the Council’s system of internal control are considered and challenged at the highest levels within the Council.

 

BACKGROUND 

 

3.                  In keeping with good corporate governance practice, a Committee of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:

 

4.                  The Committee should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;

 

5.                  The Committee should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;

 

6.                  The Committee should consider the results of Internal Audit reviews to ensure that any significant findings are addressed, including control weaknesses and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;

 

7.                  The Committee should recommend, if necessary, that further attention should be given to some of the issues raised;

 

8.                  To facilitate this process, attached as Appendix 1, are reports of significant audit work completed since the December 2006 report to the Audit Committee.

 


STRATEGIC CONTEXT

 

9.                  The work of internal audit services is concerned with providing assurances that the Council’s system of internal control is adequate and effective in supporting the delivery of the Council’s strategic objectives. As such, it makes an important contribution to the Council’s governance arrangements.

 

CONSULTATION

 

10.             The internal audit reports attached as Appendix 1 have been subject to detailed consultation with senior and operational managers within the services audited. Gaining the commitment of management is an important feature of Internal Audit’s work. The Committee’s attention will be drawn, on an exception basis, to those occasions when agreement cannot be reached.

 

FINANCIAL/BUDGET IMPLICATIONS

 

11.             There are no direct financial implications arising from this report but some of the attached audit reports may have identified financial and budgetary issues needing to be addressed by management.

 

LEGAL IMPLICATIONS

 

12.             Some of the attached audit reports may have identified legal issues needing to be addressed by management.

 

13.             The Council has a statutory duty under the Accounts and Audit Regulations (amended) 2006 to have an adequate and effective Internal Audit service in place.

 

RISK MANAGEMENT

 

14.             This entire report is concerned with assessing the adequacy and effectiveness of the Council’s arrangements for controlling risk.

 

15.             The main risk associated with this reporting process is that unless it is performed well, it will weaken the effectiveness of the Committee’s work.

 

BACKGROUND PAPERS

 

16.             Audit project files held by the Chief Internal Auditor

 


APPENDICES

 

17.             Appendix 1 is comprised of Internal Audit Reports on the following areas:

·                     Overall Risk Management Arrangements – Emergency Planning

·                     Overall Risk Management Arrangements – The Fire Service.

·                     Systems review of the payroll system.

·                     Gershon savings review

·                     Review of the electronic money transfer system –“Bankline”

·                     Leisure centres

·                     Review of ICT operations.

 

Contact point: Ged Richardson, Chief Internal Auditor, tel: 01983 823683, email: [email protected]

 

 


APPENDIX 1

 

A: OVERALL RISK MANAGEMENT ARRANGEMENTS – EMERGENCY PLANNING/BUSINESS CONTINUITY 2006/07

 

EXECUTIVE SUMMARY

 

1            INTRODUCTION

 

1.1     The IW Council is committed to embedding Risk Management into its policies and procedures. The recent IW Council CPA report stated that the Council was “underdeveloped” in relation to Risk Management. Over a period of two years Audit Services has carried out an assessment of Risk Management within each Directorate. The intention of this audit is to establish the extent to which Risk Management has been embedded within the Emergency Planning & Business Continuity section and to comment on the quality of Risk Registers produced; the extent to which Risk Management had been cascaded down within the service; and the actions taken in respect of control measures identified for individual risks.

       

2             OBJECTIVE

 

2.1          To establish the extent to which Risk Mitigation Strategies have been adopted, implemented and monitored in respect of risks identified in service risk registers.

 

3                PROCESS

 

3.1          The Risk Register for Emergency Planning & Business Continuity was obtained from the Risk Management section

 

3.2          Interviews were held with the Business Continuity Officer to ascertain the following:

 

·        How the register was created,

·        When and how  the register was or is to be reviewed

·        Who is responsible for monitoring individual risks

·        That control measures identified are being implemented and monitored.

 

4.       OVERALL CONCLUSION – Emergency Planning / Business Continuity

 

Whilst the risks identified by the service appear relevant and complete, there had been no regular review of either emerging risks or the effectiveness of the control measures that have been implemented. Since the draft audit report was issued to management, actions have been taken to update the register for Emergency Planning / Business Continuity.

 

Partial assurance can be given to management that risks are being effectively managed by the section.

 

5.      ACKNOWLEDGEMENTS

 

   I would like to take this opportunity to thank the staff within Emergency Planning and Business Continuity, for their assistance in the completion of this audit.


B: OVERALL RISK MANAGEMENT ARRANGEMENTS – FIRE & RESCUE SERVICE 2006/07

 

EXECUTIVE SUMMARY

 

1    INTRODUCTION

 

1.1     The IW Council is committed to embedding Risk Management into its policies and procedures. The recent IW Council CPA report stated that the Council was “underdeveloped” in relation to Risk Management. Over a period of two years Audit Services has carried out an assessment of Risk Management within each Directorate. The intention of this audit is to establish the extent to which Risk Management has been embedded within the Fire & Rescue Service and to comment on the quality of Risk Registers produced; the extent to which Risk Management had been cascaded down within the service; and the actions taken in respect of control measures identified for individual risks.

       

2     OBJECTIVE

 

2.1       To establish the extent to which Risk Mitigation Strategies have been adopted, implemented and monitored in respect of risks identified in service risk registers.

 

3   PROCESS

 

3.1      The Risk Register for Fire & Rescue was obtained from the Risk Management section

 

3.2      Interviews were held with the acting Risk Champion to ascertain the following:

 

·        How the register was created, what input was obtained from the Senior Management Team.

·        When and how  the register was or is to be reviewed

·        Who is responsible for monitoring individual risks

·        That control measures identified are being implemented and monitored.

 

      Interviews were then held with individual risk owners to:

 

·        identify actions taken in respect of stated control measures;

·        assess the relevance and accuracy of scores given to individual risks and the effectiveness of control measures used; and

·        obtain evidence to confirm that actions were being carried out.

 

4.       OVERALL CONCLUSION – Fire and Rescue

       

     4.1        It is the intention that future audits will review:

·        Whether performance measures are in place to evaluate the effectiveness of identified control measures.

·        The quality of information used in the completion of performance indicators, and whether risk registers are used effectively in the management of the service.

 

4.2       Recommendations have been made in respect of the following:

 

·        The percentage completed figures in respect of control measures have, in the majority of cases, not been completed. This should be reviewed as a matter of urgency to ensure the correct score has been given to each risk and to enable relevant monitoring of the progress and effectiveness of individual control measures.

 

·        That progress made in the implementation of control measures is regularly reported at senior management meetings.

 

As part of the audit, testing was undertaken to confirm the effectiveness of a sample of control measures; two minor recommendations have been made as a result of our findings.

 

Within the Fire and Rescue Service the development of risk registers has been used as an effective management tool and has assisted service planning, ensuring that priority has been given to areas of highest risk. The Fire and Rescue Service has a good understanding of Risk Management at senior level. Individual officers had detailed knowledge of their own risks and understood and agreed with the need for effective Risk Management; however, no evidence could be provided that demonstrated that adequate discussion of risk was made at senior level meetings.

 

Partial assurance can be given that the risks are being effectively managed by the service.

 

5. ACKNOWLEDGEMENTS

 

5.1    I would like to take this opportunity to thank the staff within Fire & Rescue, for their assistance in the completion of this audit.

 


C         PAYROLL SYSTEM

 

EXECUTIVE SUMMARY

 

1                    INTRODUCTION

 

1.1             The current audit of the Council’s Payroll Services was carried out as part of the annual Audit Plan. The Payroll Section carries out the administration of the system and there have been no significant changes to the system since the last audit carried out in 2005.

 

1.2             There are at any one time between six thousand five hundred and seven thousand live employees on the payroll. This figure includes some supply staff that may not work every month and also some outside bodies.  Each month the system pays 6000+ salaries together with the weekly wages, which vary between 150 and 250 depending upon the season.

 

2                    OBJECTIVES

 

2.1             To provide assurance to management that the internal control framework surrounding Payroll Services is performing in an adequate and effective manner.

 

2.2             In accordance with the “system based auditing control matrices” published by CIPFA, standard tests were conducted on:

 

            New employees

            Special deductions from pay

            Basic pay

            Re-grading

            Timesheets (wages)

            Overtime

            Sick pay

            Exception reports

            BACS payments

            Cheque payments

            Inland Revenue returns

            Leavers

 

3                    SIGNIFICANT FINDINGS

 

3.1             We established 24 key control objectives based upon the above system. Where appropriate, officers were interviewed and tests carried out to confirm that policies and procedures exist and also that they are complied with, to enable objectives to be met.

 

3.2             As one would expect with a long standing stable system such as this and with a relatively low turnover of key staff, few problems were found, with 18 of the key control objectives being found satisfactory. Findings related to the other 6 objectives are as follows.

 

3.3             A random selection of ten new employees was chosen and tests carried out to confirm that new employees are bona fide. Nine of them were correctly dealt with; however, one of the ten had been in post for four months and had not produced the required documentation relating to the right to live and work in the UK. The documents had been requested and the request followed up shortly after, but since then had not been chased. It is important that in all cases proof is obtained, as it gives the employer a statutory defence against conviction for employing an illegal worker. There is concern that if documents are not received early on, following up is not as rigorous as it should be.

 

3.4             A sample of wages timesheets, including overtime claims, was selected at random and in the majority of cases these were checked and found to be satisfactory. However, in one area timesheets were being completed on behalf of the employee by the authorised signatory, who then certified the timesheets for payment. This does not comply with the Council’s Financial Procedures as there is no separation of duties. The employee must complete and sign their own timesheet and overtime claim, and the authorised signatory must then verify the hours claimed and certify them for payment.

 

3.5             The vast majority of staff are paid by BACS and one of the current controls is that the BACS transmission is limited each month to £7M. This figure was set in May 2004. The most recent payment checked during the audit was March 2006 which was over £6.5M and consideration should be given to raising this limit to provide more leeway.

 

3.6             A few of the staff are paid by cheque and two issues arose regarding these payments. When ICT have printed the cheques they are passed back to Creditor Payments but are not counted to ensure that they tie up with the cheque control register. A printout is received from Payroll some time later and this is reconciled to the cheque control register. If there was a discrepancy it would be difficult to resolve as by the time the list arrives the cheques would have already been posted. We have therefore recommended that the cheques are counted as soon as they arrive from ICT and reconciled to the cheque control register.

 

3.7             The second issue relating to cheques concerned replacement cheques where the original was lost, damaged etc. The PIPS system records only the original cheque number and there is no audit trail to link the replacement cheque to the original. A course of action has been agreed to provide this link.

 

3.8             The last finding related to the small number of people who are paid through the invoice payroll. If these people are regarded as employees, they may be entitled to contractual statutory rights such as holiday and redundancy pay, and their position regarding this needs to be investigated. Human Resources are aware of the issues involved and are currently evaluating the implications.

 

4                    OVERALL CONCLUSION

 

4.1             Assurance can be given to management that the Council’s Payroll system is operating effectively and that the controls currently in place are sound and operating satisfactorily.

 

5                    ACKNOWLEDGEMENTS

 

5.1             I would like to take this opportunity to thank the staff in Payroll Services, Human Resources and Financial Services for their co-operation and assistance in carrying out this audit review.

           


D.        GERSHON SAVINGS

 

            EXECUTIVE SUMMARY

 

1                    Introduction

 

1.1             Gershon savings are about efficiency, which is not about cuts but is about raising productivity and enhancing value for money. Efficiency gains accrue when projects:

 

·                    Reduce inputs for the same outputs

·                    Reduce prices for the same outputs

·                    Get greater outputs or improved quality for the same inputs; or

·                    Get more outputs or improved quality in return for an increase in resources that is proportionately less than the increase in output or quality.

           

2                    Audit Objectives

 

·                    To give management assurance that adequate documentation supports the Annual Efficiency Statement (AES) to the Department for Communities and Local Government (DCLG).

·                    To give assurance to management that overall management arrangements are satisfactory

·                    To give assurance to management that efficiency gains incorporate accepted definitions.

·                    To give assurance to management that the Isle of Wight Council is set to achieve the required efficiency targets as expressed by the DCLG.

·                    To give assurance to management that procedures are evidenced regarding Governance and Scrutiny arrangements in line with best practice.

 

3                    Significant Findings

 

·                    Best Practice has not been followed in that the Leader, Chief Executive and Finance Director must see and approve the statement, and evidence should be available to prove this prior to sending to the Government Department.

 

4                    Overall Conclusion

 

Assurance can be given to management that procedures and controls in place regarding the audit objectives are satisfactory. The only area of concern relates to those issues raised in the significant findings.

 

5                    Acknowledgements

 

We would like to take this opportunity to thank the programme lead and finance staff for their assistance in this audit.


E.        BANKLINE 2006-07

 

EXECUTIVE SUMMARY

 

1                    INTRODUCTION

 

1.1             A review of the Council’s Bankline system was carried out as part of the 2006‑07 Audit Plan. The purpose of this audit is to seek and give assurance to management that effective controls and procedures are in place to prevent mis-appropriation of Council funds, and that transactions are carried out in strict accordance with Council policy.

 

1.2             The Financial Services Section is responsible for the administration of this system and there have been no changes to the system since the last review was carried out in 2005-06.

 

1.3             Part of Treasury Management’s role is to temporarily invest surplus funds held in the main account to recognised financial institutions such as Banks, Building Societies and Local Authorities to produce the maximum return. The system used for these transactions is Bankline, which allows instantaneous transference of funds between accounts.

 

1.4             Bankline is also used for other specific types of payment such as:


·                     Foreign payments

·                     Precepts, as they have to be paid on specific days

·                     Payments to the Inland Revenue

·                     Payments to Teachers Pensions

·                     Employee pension lump sums

 

2                    SUMMARY OF FINDINGS

 

2.1             The Bankline system is a direct link to the Council’s bankers, NatWest (formerly National Westminster). The system has been in place for a number of years and is well established with a sound control framework in place.

 

2.2             Testing was carried out to confirm that when temporary advances are made the Treasury Management’s policies are adhered to. Checks included officer authorisation, calculation of interest, independent officer checks, reconciliation to bank statements and repayment of advances and interest back to the relevant codes in FIDO.

 

2.3             A random sample of other payments was tested to confirm that all payments had been checked, authorised and allocated to the correct cost centres. Payments were checked back to FIDO.

 

2.4             The selection of the institutions used to invest funds in both the short and long term was examined, including credit rating checks. This confirmed that the Council is investing in appropriately credit rated parties and complying with the Treasury Management Strategy.

 

2.5             Following the testing we can confirm that the existing control framework is sufficiently robust.

           

3                    OVERALL CONCLUSION

 

3.1             The Bankline system for the investment of the Council’s surplus funds is well established with a sound control framework in place. The officers involved in the process have been in position for a number of years and are fully aware of their responsibilities. Written procedures are in place and testing confirmed that these are being followed by staff.

 

3.2             We are able to give assurance that the controls and procedures currently in place are sufficiently robust to acceptably minimise the risk of mis-appropriation of Council funds. 

 

3.3             There are no recommendations made.

 

4                    ACKNOWLEDGEMENTS

 

4.1             I would like to take this opportunity to thank the Loans and Investment Technician for the co-operation and assistance in carrying out this review.


F.  LEISURE CENTRES & THEATRES AUDIT 2006-07

 

EXECUTIVE SUMMARY

 

1                    Introduction

 

1.1             The current audit of Leisure Centres and Theatres was carried out as part of the 2006-07 Audit Plan.

 

1.2             The premises visited during the audit were:

 

Medina Leisure Centre

Medina Theatre

Waterside Pool

Ryde Theatre

Westridge Centre

Shanklin Theatre

 

1.3             Local Authority leisure centres throughout the country are subsidised. The Heights, Medina Leisure Centre and Waterside Pool are compared to other facilities through benchmarking via the Association for Public Service Excellence (APSE). Facilities of a similar size are grouped together and performance indicators such as ‘subsidy per head’, ‘staff costs’ etc. are compared. The facilities on the Isle of Wight compare favourably with others in their group, often being in the top quartile.

 

1.4              Theatres are also subsidised but to a lesser degree

 

2                    Summary of Findings

 

2.1             There is no separation of duties in the cashing up and banking procedure at Ryde Theatre. This has been recognised and steps are being taken to ensure a proper separation of duties is in place in accordance with the council’s financial procedures.

 

2.2             All the establishments have a certain amount of stock such as drinks and confectionery and the leisure centres also have sports equipment. It is common practice for the establishments to count stock for re-ordering purposes only, with no reconciliation between actual stocks and stocks sold.

 

2.3             There were discrepancies noted between the year end cash certificates and actual monies held on site in two of the establishments.  The year end certificates in both had not been signed by the on-site managers.

 

2.4             Eleven recommendations have been made, four of which are common to more than one establishment. The majority of the recommendations are of a minor administrative nature.

 

3                    Overall Conclusion

 

3.1             The Leisure Centres and Theatres are generally operating effectively and offer an extensive and varied programme to provide interest and opportunities for all groups and individuals within the community. There is a sound framework of controls in most areas and the recommendations set out in the attached action plans will further strengthen this framework.

 

4                    Acknowledgements

 

4.1              I would like to take this opportunity to thank all staff involved in the Leisure Facilities and Theatres for their co-operation and assistance in carrying out this audit.

 


G.        ICT AUDIT- MANAGE OPERATIONS DS13

 

EXECUTIVE SUMMARY

 

1                    Introduction

 

1.1             This audit was carried out as part of the 2006-07 Audit Plan. The purpose of the audit is to provide assurance to Management that there are adequate controls and procedures in place to ensure the effective running of the Isle of Wight Council’s IT Operations function according to best practice as defined by COBIT Version 4.

 

1.2             The Isle of Wight Council runs an Active Directory based network with four domains and 3347 users. To provide the services which these users require, over 120 distinct systems are deployed.

 

1.3             The IT Infrastructure Team was established in July 2006 as part of the IT Department’s ongoing ITIL/ITSM* implementation.

 

1.4             The team is made up of seven full time staff, one part time and a manager. The Infrastructure Team are responsible for:

 

·                     Day to day management of telephony systems.

·                     Day to day management of network and servers.

 

1.5             The Infrastructure Supervisor is responsible for leading the implementation of ITIL within the Infrastructure Team.

 

1.6             While telecoms are also covered by the Infrastructure Team, there is a dedicated Telecoms Project Manager, currently reporting to the Business Transformation Manager, running a Strategic Telecoms Project. The key objective of the Strategic Telecoms Project is to realise cost efficiencies, provide business continuity, identify spend-to-save initiatives and identify and lead the roll-out of new technology across the organisation. The Telecoms Manager works closely with the Infrastructure Supervisor on a day to day basis. Three members of the Infrastructure Team have an extensive telecoms background.

 

1.7             The audit was carried out by interviewing relevant officers, reference to relevant documentation and checking for compliance against industry best practice as defined by version 4 of COBIT, the de facto standard for IT Governance worldwide.

 

2                    Summary of Significant Findings

 

2.1             The new Infrastructure Supervisor has inherited a large remit spanning the work previously covered by three distinct teams. Although significant work is underway to improve the level of compliance in this area, progress is being hampered by a large backlog of planned work.

 

2.2             The situation is exacerbated by an over-reliance on the skills of specific individuals, lack of training for key network technologies, lack of test environments/infrastructure, lack of redundancy for key servers/systems and a general lack of existing formal procedures and comprehensive inventories on which to build.

 

2.3             It is also unfortunate that the formation of this new team has coincided with a number of key items of network infrastructure either reaching or nearing capacity, leading to frequent performance lag and unscheduled outages. This forces the Infrastructure Team to spend much of their time reacting to issues as and when they occur, rather than carrying out tasks in a planned and structured manner in order to support operations.

 

2.4             Key areas which need to be addressed as a matter of urgency:

 

·                    Clearing of backlog to realise benefits of new technologies already purchased but not yet rolled out.

·                    Replacement of network infrastructure at or nearing capacity at a level to allow for reasonable future growth in demand.

·                    Identification of single points of failure in both data and voice infrastructure. Redundancy to be added where possible or alternative mitigation strategies to be implemented.

·                    Training to be provided for at least two members of the Infrastructure Team for each key item of network infrastructure.

·                    Establishment of a regular planned maintenance window for key items of infrastructure.

 

3                    Overall Conclusion

 

13.1    Operations Procedures and Instructions – partially compliant

13.2    Job Scheduling – partially compliant

13.3    IT Infrastructure Monitoring – partially compliant

13.4    Sensitive Documents and Output Devices – not compliant

13.5    Preventative Maintenance for Hardware – not compliant

 

3.1             With the formal adoption of an ITIL based approach defining best practice; its ongoing implementation; the adoption of COBIT as the council’s IT governance framework; the creation of the Infrastructure Team; and the proposals which have already been put forward by the new Infrastructure Supervisor, potentially significant improvements are possible in a relatively short timeframe. However, many of the improvements are reliant on significant expenditure in order to clear the current backlog of planned work and provide the network capacity in order to prevent performance degradation and unplanned outages.

 

4                    Acknowledgements

4.1             I would like to take this opportunity to thank all staff involved in IT Operations for their co-operation and assistance in carrying out this review.

 

* ITIL/ITSM – Information Technology Infrastructure Library is the de facto standard for Information Technology Service Management. It defines how an effective Information Technology Department should run.