PAPER E
AUDIT PANEL - 25 NOVEMBER 2003
INTERNAL AUDIT PROGRESS REPORT
CHIEF INTERNAL AUDITOR
This report is to provide the Panel with a summary of Internal Audit activity completed since the last report of 25th June 2003. The Panel is invited to note the contents of the report and to seek clarification of any issues arising from audits undertaken.
BACKGROUND
In keeping with good corporate governance practice and open and accountable government, a Panel of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:
· The Panel should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;
· The Panel should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;
· The Panel should consider the results of Internal Audit reviews to ensure that any significant findings are addressed, including control weaknesses and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;
· The Panel should recommend, if necessary, that further attention should be given to some of the issues raised.
To facilitate this process, attached as appendix A are synopses and summaries of audit work performed since 25th June this year. The Panel should also refer to the audit plan approved at the February 2003 meeting.
Audit resources have also been bolstered by employing a contractor to provide ICT audit during the period (funded by savings from delayed appointments). This has proved to be a particularly useful initiative with the main purpose of introducing the appropriate skills (ICT audit is a particularly technical area of internal audit). So far the contractor has produced four pieces of work on:
· ICT operations
· Unix security – Previously reported
· ICT audit plan
· ICT maintenance
It is intended to repeat this useful “mixed economy” approach within this financial year, when and if resources permit.
The Panel may also be interested to know that the team’s statistics and performance data have been submitted once again to the IPF (an off-shoot of CIPFA) Benchmarking Club. The initial results of this will be available in August and reported to the Panel in due course. Although some improvement will be noticeable from the previous year, the full impact of recent changes will take time to filter through and significant improvement will not be noticeable until next year.
Overall therefore, the team is in a better position now to deliver the approved audit plan and should be able to provide an improving service year on year.
FINANCIAL, LEGAL, CRIME AND DISORDER IMPLICATIONS
There are no significant financial or legal implications of this report, given that it is a progress report on the Internal Audit function. The Panel is reminded that the Council is required by statute (the Accounts and Audit Regulations) to have an adequate and effective Internal Audit function.
APPENDIX A
1. Review of the Learning Disabilities Service in the Social Services and Housing Directorate.
This audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Committee on 24 February 2003. The overall objective was to provide assurance to management that arrangements in place will facilitate continuous service improvements. The audit was carried out by interviewing relevant officers and carrying out testing on selected areas to determine the level of compliance with Council policies and procedures.
The Isle of Wight Social Services and Housing Directorate works alongside the Health Authority to provide a joint service for people with learning disabilities. There have been vacancies at senior management level that have affected strategic planning for the service, and the implementation of the national strategy for people with learning disabilities “Valuing People” has been subject to delays.
We made twelve recommendations for system improvements, all of which were accepted by management.
2. Review of the Education Welfare Service in the Education and Community Development Directorate.
This audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Committee on 24 February 2003. The overall objective was to provide assurance to management that arrangements in place will facilitate continuous service improvements. The audit was carried out by interviewing relevant officers and staff in schools, and carrying out testing on selected areas to determine the level of compliance with Council policies and procedures.
The Education Welfare Service was devolved to the schools for two years, but in January 2003 it was re-centralised. As such, the necessary plans, policies and procedures are either not in place or not up to date. The Service Manager is aware of this, and is in the process of addressing this issue.
We made 20 recommendations for system improvements, 19 of which were accepted by management.
Our initial review of this area concludes that there is an urgent case for the immediate strengthening of the system of internal control. Primarily, the review concludes that the authority faces a number of material risks to the proper stewardship of public funds and to its reputation without the appropriate mitigation strategies in place.
Fundamentally, the authority does not have the policies, plans or processes to guide the identification, assessment, management and monitoring of partnerships. It does not have the appropriate management information to measure the effectiveness of the partnerships that it has entered into, nor the means to benchmark performance. Accordingly it is very likely that not all the potential benefits from Partnerships are being realised.
Without the proper records of the authority’s involvement in all current partnership arrangements, and the lack of control over the initiation of new partnerships, the extent of the authority’s liabilities cannot be determined.
Some partnerships are well defined and well managed. Some have not considered basic requirements like insurance. The scale of the difference is further evidence that there is a genuine need for guidance. However, there is also an excellent opportunity to share and develop best practice. Building a network of practitioners across the authority is one of our recommendations.
Idealistically, partnerships are assets and thinking of partnerships as assets is a mark of the maturity of the model that we should be striving to achieve.
Summary of Recommendations
The recommendations made focus on the creation of the proper system of internal control to manage the material strategic and operational risks that have been identified. The key recommendations are:
The Way Forward
The findings of this initial review were presented to the Directors’ Group on 4th September 2003. It was agreed to set up, effectively, a working group to propose the best way forward. The recommended definition of Partnership was approved, and this is the first step in the key process of identifying the partnerships that the authority has entered into, for the purposes of performing the gap analysis to highlight areas within individual partnerships that need to be addressed. This work and the development of a new, best practice led partnership initiation process are core to phase two of this review. Subsequent reports will be taken back to the Directors’ Group and will be presented to the Audit Panel.
4. Review of ICT Maintenance
ICT Maintenance are responsible for carrying out operations designated by ICT Management to ensure the Council’s ICT services are available to users and are secure and reliable. This review examined specific areas to ensure that reliance can be placed on the ICT Maintenance areas.
A number of the risks identified in the original brief were reviewed by the ICT Operations Management audit which examined the high level processes and procedures in place for the ICT operations area. A number of operational weaknesses were identified and recommendations made where appropriate. In order to maximise resources and to ensure that this review adds value to ICT Management, only those areas not previously reviewed were examined during the course of this audit, namely, user support arrangements, software change control and system maintenance. The review identified a number of minor control weaknesses, and also identified 8 significant areas of control weakness which are detailed below: -
The findings were discussed with relevant staff, and appropriate recommendations were made to resolve the control issues. These have all been agreed with the staff, and target dates have been set for the control weaknesses to be resolved.
ICT Operations are responsible for a range of services that provide management with assurance that the information held is secure, accurate and reliable. This review examined specific areas to ensure that reliance can be placed on the ICT Operations service, concentrating on the documentation, reporting and management processes in place to ensure that the ICT department is managed effectively and that the department is able to progress towards meeting their ICT objectives.
This audit concentrated on the operations management activities of the ICT services to ensure that the service is being provided to an acceptable level. The following were within the scope of this review:
· The controls established, documented and monitored by management to effectively manage and minimise the risks identified during the planning stage of this audit;
· Management reporting supporting the management controls;
· Senior management support and buy-in to the management controls;
· Management controls in place for use of telecommunications equipment;
· Management of Virus detection software across the Council, for file servers, desktop PCs and laptops;
· Control and issue of standards and policy documents;
· Physical security and environmental controls;
· Compliance with authorised and legitimate software;
· Change management;
· System management;
· Access controls and authorisation;
· Backup procedures.
The review identified a number of minor control weaknesses, and also identified 15 significant areas of control weakness that are detailed below: -
1. There are no documented processes or procedures for managing the virus scanners.
2. The server room plans may be too elaborate in relation to the level of risk the Council face or the location of the server room.
3. The Sandown Civic Centre server room has unsatisfactory physical security and environmental controls.
4. There is no high-level change control process to ensure that changes are approved and managed.
5. There are software management proposals which require implementation.
6. High-level documentation is not supported by lower level planning or monitoring.
7. There are no written procedures for controlling the issuing, use or changing of privileged passwords.
8. There is no monitoring of privilege password use carried out.
9. District Audit have carried out a review of the Data Protection arrangements at the Council and made recommendations where appropriate.
10. Privileged access, such as Administrator, is created on the basis of verbal consent.
11. The leavers process is not operating effectively.
12. There is no ICT Security Policy.
13. The Network is operating at capacity and does not have inbuilt resilience and redundancy.
14. There are no individual system disaster recovery plans.
15. Internal Audit was unable to obtain any documentation regarding the telephone system.
The findings were discussed with relevant staff, and appropriate recommendations were made to resolve the control issues. These have all been agreed with the staff, and target dates have been set for the control weaknesses to be resolved. There is one area where target dates could not be set, which involves telecommunications controls. These recommendations will be dealt with under the new call centre implementation as part of GAGS, and the responsible post-holder, the Customer Services Manager, is not yet in post. These recommendations will be included in the audit follow up.
The audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Committee on 24 February 2003. The overall objectives were to provide assurance to management that the Council’s Highways maintenance Service is operating in accordance with policies and procedures implemented following the Best Value Review and that risks identified relating to the achievement of service objectives are subject to an appropriate risk mitigation strategy.
Several recommendations have been made that will hopefully improve the management information available and ensure that limited resources are deployed effectively. The need to make staff aware of the requirements of Standing orders as to Contracts has also been highlighted and this has been addressed with a meeting between the Compliance and Risk Manager and the Head of Highways and Transportation.
Five recommendations were made in total, all of which were agreed by management.
Financial Regulations require that the Chief Financial Officer is afforded the opportunity to examine every contract final account. During this quarter seven final accounts relating to Education Construction projects and two relating to Highways works were examined and passed for payment.
A workshop was held with new officers within the Highways Department to make them aware of the requirements of a final account audit and to allow them the opportunity to ask questions.
An auditor is also a member of the Education Partnering Project Team and during this quarter has been involved in evaluating prospective partners for the project, both Contractors and Consultants. From this evaluation a short list has been drawn up and tenders will be invited.
The Audit section is also responsible for carrying out financial evaluation of prospective contractors and suppliers and during this period evaluations were undertaken for the IT Department, Revenue Services, Fire and Rescue and Engineering.
During this period full audits have been carried out at one High School, one Middle School and one Primary School. In addition audit reviews have taken place at four Middle Schools and eighteen Primary Schools. Reports have been issued to each school, with copies to Education Finance and the relevant Link Inspector.
Within the schools the administration and general management were found to be satisfactory. The main areas of concern commented on included:
· Failure to review scheme of management delegation on a regular basis
· Failure to update the register of business interests annually
· Failure to review Committee Terms of Reference annually
· Delays in the production and/or audit of school fund accounts
All recommendations were accepted by the schools.
We are currently involved in a number of projects and we are planning our involvement in a number of others. Our work is largely in providing formal assurance services in the role of Project Assurer, a role defined under the Prince2 project management methodology. We currently undertake this for the Customer Relationship Management (CRM) System development and the e PIPS project.
We are currently planning to undertake this role for the following projects:
We have retained a “watching brief” over the GAGS programme and we have retained our seat on the GAGS Programme Board. The work on GAGS is, at this stage, confined to advising and assisting on the management of risk. If the programme proceeds next year then we plan to provide a full range of assurer services together with some targeted audit work on areas like the business case, benefit realisation and the impact on the technical infrastructure.
Our work is geared towards the management of risk, as the means of increasing the likelihood of successful deliveries, a direction that is consistent with the new Risk Based Approach adopted within Internal Audit. In fact, many of the tools we now use on mainstream audits were piloted with projects first.
To date we have taken formal assurance checkpoints on the CRM project twice and we can report that the project remains on track. We have advised the project manager that equal emphasis needs to be placed on the “house-keeping” activities associated with the project, equal to the effort to deliver the system. This has reiterated our findings of an earlier audit of Project Management that project managers need additional support in the form of central project support staff.
The Way Forward
The role of assurer defined in the Prince2 methodology is the best way we have found of engaging with a project and because the role is defined the expectations of the project team are successfully managed. The aspect of the work we often need to do on a project that is not explicitly covered within the role of assurer is the evaluation of the controls being built or changed as a deliverable of the project. However, as assurer we are an accepted team member and in a better position to make this contribution than we would otherwise be. One of our goals is to integrate our mainstream audit toolkit into the toolkit of the project manager so that we can promote the concept of self-audit on projects. This will also assist in the embedding of risk management in the culture of the organisation.
The objective of this audit was to provide assurance to management that the Council’s Benefits Service was operating in accordance with policies, procedures and the DWP Housing Benefit/Council Tax Benefit Performance Standards and that appropriate controls were in place. From the findings of the audit, twenty-one recommendations were made. Twelve have already been implemented or procedures have been put into place to resolve the issues and an action plan has been agreed with the Revenues & Benefits Manager to implement the rest.
A change in management structure has been put in place and the new Principal Revenues Officer recently appointed will be responsible for several of the issues raised in the audit report and also in the findings of the Benefit Fraud Inspectorate. There are also measures in place to tackle the backlog of benefit claims.
BACKGROUND PAPERS USED IN THE PREPARATION OF THIS REPORT
Audit planning files:
Audit performance reports
Project files
Contact Point: Ged Richardson, Chief Internal Auditor, on 823683
Paul Wilkinson
Chief Financial Officer