PAPER B
AUDIT PANEL – 25
JUNE 2003
INTERNAL
AUDIT PROGRESS REPORT
RISK AND COMPLIANCE MANAGER
This report is to provide the Panel with a summary of Internal Audit activity since the beginning of the year. The Panel is invited to note the contents of the report and to seek clarification of any issues arising from audits undertaken.
BACKGROUND
In keeping with good corporate governance practice and open and accountable government, a Panel of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:
v The Panel should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;
v The Panel should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;
v The Panel should consider the results of Internal Audit reviews to ensure that any significant findings are addressed, including control weaknesses and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;
v The Panel should recommend, if necessary, that further attention should be given to some of the issues raised;
To facilitate this process, attached as appendix A are synopses and summaries of audit work performed since 1st January this year,
RELEVANT PLANS, POLICIES, STRATEGIES AND PERFORMANCE INDICATORS
The Panel should refer to the Audit Plan approved at its last meeting. Since that meeting, the team has been successful in recruiting two new staff (one of which was within the existing establishment, the other the result of a successful budget bid). The first of these has been in post since April, providing a welcome boost to internal audit resources. The second recruit will begin in August. These recruitments mark the first stage of a transitional period for the team which has involved restructuring of the team and the appointment of a new Chief Internal Auditor whose appointment is intended to re-focus the team and to improve the teams rating in any future CPA.
Audit resources have also been bolstered by employing a contractor to provide ICT audit during the period (funded by savings from delayed appointments). This has proved to be a particularly useful initiative with the main purpose of introducing the appropriate skills (ICT audit is a particularly technical area of internal audit). So far the contractor has produced four pieces of work on:
v ICT operations
v Unix security
v ICT audit plan
v ICT maintenance
It is intended to repeat this useful “mixed economy” approach within this financial year, when and if resources permit.
The Panel may also be interested to know that the team’s statistics and performance data have been submitted once again to the IPF (an off-shoot of CIPFA) Benchmarking Club. The initial results of this will be available in August and reported to the Panel in due course. Although some improvement will be noticeable from the previous year, the full impact of recent changes
will take time to filter through and significant improvement will not be noticeable until next year.
Overall therefore, the team is in a better position now to deliver the approved audit plan and should be able to provide an improving service year on year.
There are no significant financial or legal implications of this report, given that it is a progress report on the Internal Audit function. The Panel is reminded that the Council is required by statute (the Accounts and Audit Regulations) to have an adequate and effective Internal Audit function.
The Panel is invited to comment on the recent work of Internal Audit and to make any recommendations as to the focus and emphasis of its future projects.
BACKGROUND PAPERS USED IN THE PREPARATION OF THIS REPORT
Audit planning files:
Audit performance reports
Project files
Contact Point : Bob Streets,
Risk and Compliance Manager, F 3622
[email protected].uk
Or Ged Richardson, Chief Internal Auditor
3683, [email protected]
BOB STREETS Compliance & Risk Manager |
GED RICHARDSON Chief Internal Auditor |
APPENDIX
A
SUMMARY OF INTERNAL AUDIT ACTIVITY –
JANUARY TO JUNE 2003
1. Review
of Banking Arrangements
This audit was carried out as part of the 2003-04 Audit Plan agreed by
the Audit Committee on 24 February 2003. The overall objective was to provide
assurance to management that the arrangements for banking services are
operating in accordance with the contract, that the extension to the contract
had been properly negotiated and that arrangements were in hand to re-tender
this service with a contract commencement date of April 2004. The audit was
carried out by interviewing relevant officers and carrying out testing on
selected areas to determine the level of compliance with Council policies and
procedures.
In general assurance can be given to
management that systems in place are operating satisfactorily. Assurance could
not be given that performance measurement of the existing contract was
satisfactory. Performance measurement objectives were defined in the tender
documentation by the current contractor, but it would appear that these have
never been formally used. However, on the day to day banking arrangements the
Loans & Investment Technician is exercising adequate control over the bank
accounts and charges made by the bank. Management have been advised to evaluate
these statistics and consider whether they are relevant in their current format
prior to the new contract specification being drawn up.
One recommendation has been made to
improve the management information available. This has been accepted by management.
2. Review
of Unix Operating System
The Isle of Wight Council has a number of Unix systems, running critical services. Unix is an operating system which controls the programmes for the Council’s main financial systems. This review examined the configuration of these Unix systems, to determine whether they maintain the confidentiality, integrity and availability of the information and applications they hold.
This audit concentrated on the Unix environment, and in particular the IBM AIX ‘J40a’ system which is the platform for Personnel and Payroll applications. The following were within the scope of this review:
· Management of the system;
·
System administration, access controls and network
security;
· System documentation and monitoring.
The review examined the effectiveness of management controls identified to ensure that they are working adequately to safeguard the interests of the Council.
The review identified a number of minor control weaknesses, which required action to be taken. These were discussed with relevant staff, and appropriate recommendations made to resolve the control issues. These recommendations have all been agreed with the staff involved and target dates have been set within which the control weaknesses should be resolved.
3. Review of ICT Project Management
Given the previous concerns that the Council has had in connection with ICT Project management, this review has sought to provide an independent assurance that the authority now has robust arrangements for managing ICT projects, and that these arrangements are being consistently implemented throughout the authority. The approach has been to examine the current practice of ICT project management within the Council, whilst taking account of the significant progress that has been made since the ICT Best Value review, and to evaluate the Council’s approach against the attributes of a sound project management system.
The work undertaken comprised a number of interviews with staff relevant to specific projects, and was supported by a questionnaire, which evaluated the level of risk within each project. The areas examined included strategy, methodology, management and reporting, resources and skills, risks and controls, benefits and post implementation review (PIR).
Additional interviews were held with the Head of ICT (now the Head of Organisational Development), and the ICT Service Development Manager. These two key roles within the Council, and the CICT department, play a crucial role in the development and rollout of robust project management.
The review identified a number of minor control weaknesses, and also identified 16 significant points which are detailed below: -
v The Council has yet to corporately
adopt a recognized project management methodology.
v
National
initiatives such as e-government will continue to place extreme pressure on
limited resources across the Council.
v The importance of the contract documentation is key, particularly as many of the Council’s current and future projects are significant, involving large sums.
v The Council does not have a strategic group responsible for overview and monitoring of ICT.
v There is no regular or formally documented process where priorities and status of all the projects currently running are summarised in a manner that would enable progress to be monitored and issues to be highlighted.
v The Council does not have a dedicated project support office, which would offer support to project managers, project boards, etc, in terms of documents to be used and methodologies, ensuring the advice is consistent across the board.
v The role of programme management provides co-ordination between ICT projects which are related either by being part of a larger objective, eg e-government, or by a defined deadline, eg within the 2002/03 financial year.
v The Head of ICT has recognised that there is a need for staff experienced in programme management.
v The Council has few officers accredited in PRINCE2 project management methodology. Existing practices are varied between departments.
v The ICT Service Development Manager and Commissioning Officer are involved in a number of projects as project board and/ or team member. A considerable amount of their time is spent offering advice to project managers on the day-to-day running of projects. The ICT Service Development Manager acknowledges that this is a drain on the resources of his team, leaving limited time to manage the overall project function, including setting up template documents and guidance notes to move towards PRINCE2.
v The Head of ICT has recently presented to Directors Group a Ten Year ICT Investment Plan. The plan discusses funding requirements for the next 10 years, and with relation to projects, specifically details the need to address the ‘project support for service level projects and this will be progressed subject to the provision of long term funding for additional staff.’
v In accordance with PRINCE2, Project Assurance is the responsibility of each Project Board member, and although this role can be delegated, it must be independent of the Project Manager. The Council does not have a project assurance role within its current methodology.
v In accordance with PRINCE2, in the Project Initiation
Document the quality approach for the whole project is defined in the Project
Quality Plan.
v The Head of ICT confirmed that quality assurance is a key area within project management and that it is essential the authority is able to do this well. The ICT 10 year Investment Plan includes provision for a post within the ICT Department of Quality Assurance /Standards.
v The service development section currently uses a
quality review technique for measuring quality within project management, which
requires all parties involved to sign off the product being reviewed.
v Quality assurance needs to be carried out for relevant processes within each project, as part of a quality review, which compares actual products to the product descriptions.
The findings were discussed with relevant staff, and appropriate recommendations were made to resolve the control issues. 11 out of 12 recommendations have been agreed with the staff, and target dates have been set for the control weaknesses to be resolved. There is one recommendation that has been partly agreed and actioned.
During this period full audits have been carried out at two High Schools, one Middle School and three Primary Schools. A report has been issued to each school, along with copies to Education Finance and the Inspectors section.
Within the schools the administration and general management were found to be satisfactory.
Areas commented on included
Ø Failure to review the scheme of management delegation on a regular basis.
Ø Failure to update the register of business interest for Governors annually
Ø The large amount of non order invoices paid in some schools.
Ø Inventory records within school out of date and /or not subject to checks.
All the recommendations in the audit reports were accepted by the schools.
During the final quarter of 2002/03, a significant amount of time was invested in completing the Audit Risk register (the results of which the Panel saw at its last meeting). This played a part in the development of the Council’s Internal Audit Plan. The Plan was also the result of extensive consultation with Heads of Service about their perceived risks and the developing issues within their service areas. Both the Risk register and the Audit Plan should be considered as key management documents which:
The Audit team has also been involved for the first time in helping the Council to improve the quality of its Performance indicators. The Panel will know that last year, the Council’s indicators were severely criticised by the external auditors – mainly on the basis that they could not in many instances be substantiated by robust data collection systems. This year, internal Audit has joined with the Policy team in an effort to ‘head off’ any such criticism this year. This has involved testing the quality of the Council’s systems used to record data and discussions with data coordinators/ collectors to establish their state of readiness for this year’s external audit. The conclusion has so far been, that whilst some significant improvement has been made in some areas, there is still the likelihood that some indicators will be ‘qualified’ this year.
The team has also been involved in the
review of the Council’s Procurement which is currently underway. The reflects
the historic involvement of Audit in the contracting and tendering process, and
its role as ‘gate-keeper’ of the Council’s procurement rules (for example,
Contract Standing Orders). It also reflects the connection that the team now
has with the Purchasing Advice Office, in that they are both part of the ‘Compliance’
function. The Review which is being managed by a Project team (officers) and
being overseen by an Appraisal Group (members), will culminate in a report and
improvement plan in towards the end of 2003.
The Team has also been involved in
developing an initiative to introduce the concept of ‘ Partnering’ into the
Council’s procurement process. Again this stems largely from internal audit’s
role in writing the rule book for procurement. The Council’s Executive will
consider the benefits of using a pilot scheme to introduce Partnering at its
meeting on 18 June, and if approved, work will begin on using it for the
Schools’ building programme in late 2004. The team’s involvement is necessary
because partnering represents a fundamental change in the way in which the
Council engages contractors, designers (and indeed the whole supply chain)
which requires careful management to realise the full benefits of partnering.
9. Fraudulent Cheque Alterations
Since January this year, the council
has been exposed to three potential losses through the presentation of council
cheques which had been intercepted and altered by changing the payee details
and inflating the amounts payable compared with the original valid cheques. In
all cases, the finance departments cheque reconciliation process identified the
bogus cheques the day after presentation and so, through liaison with our
bankers, stops were able to be put on the cheques during the clearing process
so that no money has been lost. Officers are continuing to be extra vigilant in
order to identify any further attempts to defraud at the earliest opportunity
so that no losses occur in the future.
10. Core Financial
Systems Work In Progress
Significant systems reviews of the
Payroll and Housing Benefit Systems have been completed and draft reports have
been submitted to management for consultation. There are no significant
deficiencies identified during these reviews. Synopses of these audits will be
submitted to a future meeting of the Audit Panel.