PAPER F
AUDIT PANEL - 29 JULY 2004
REPORT OF THE CHIEF INTERNAL AUDITOR
This report is to provide the Panel with a summary of Internal Audit activity completed since the last report of 9th March 2004.
ACTION REQUIRED BY AUDIT PANEL: The Panel is invited to note the contents of the report and to seek clarification of any issues arising from audits undertaken.
BACKGROUND
In keeping with good corporate governance practice, a Panel of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:
· The Panel should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;
· The Panel should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;
· The Panel should consider the results of Internal Audit reviews to ensure that any significant findings are addressed, including control weaknesses, and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;
· The Panel should recommend, if necessary, that further attention should be given to some of the issues raised.
To facilitate this process, attached as Appendix A are synopses and summaries of audit work completed since 9th March this year. The Panel should also refer to the audit plan approved at the February 2003 meeting.
RELEVANT PLANS, POLICIES, STRATEGIES AND PERFORMANCE INDICATORS
None
CONSULTATION PROCESSES
None
FINANCIAL, LEGAL, CRIME AND DISORDER IMPLICATIONS
There are no significant financial or legal implications of this report, given that it is a progress report on the Internal Audit function. The Panel is reminded that the Council is required by statute (the Accounts and Audit Regulations) to have an adequate and effective Internal Audit function.
APPENDICES ATTACHED
Appendix A - synopses and summaries of audit work completed since 9th March this year
BACKGROUND PAPERS USED IN THE PREPARATION OF THIS REPORT
Audit project files held by G Richardson – ext 3683
Contact Point: G Richardson, Chief Internal Auditor, tel. 823683
GED RICHARDSON
Chief Internal Auditor
APPENDIX A
1. Treasury Management
The overall objective of this audit was to provide assurance to management that effective controls and procedures are in place to ensure that short term lending of Council funds is carried out in accordance with Council policy and to prevent any misuse of those funds.
Overall the system in place for short term lending of funds is sound, with effective controls and procedures in place. However, one major area of weakness was noted. This related to the verification of the borrowers' bank details prior to the actual transfer of the funds. It is possible with the present system for incorrect details to be entered into the system.
An additional control has been recommended which will increase the security in this area. Three further recommendations that are of a minor nature and refer to the administration of the section have also been made.
2. Main Accounting System
This audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Panel on 24 February 2003. The overall objective was to provide assurance to management that the Council’s Main Accounting System is operating in accordance with existing controls and that they are adequate to ensure the integrity of the Authority’s Financial Management System. The audit was carried out by interviewing relevant officers and carrying out testing on selected areas to determine the level of compliance with Council policies and procedures.
In general, assurance can be given to management that systems in place are operating satisfactorily. One recommendation has been made to improve the management information available. This has been accepted by management.
3. Children and Families Community Team – Social Services Department
The audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Panel on 24 February 2003. The overall objectives were to provide assurance to management that the objectives of the service are being met and that appropriate risk mitigation strategies are in place and operating satisfactorily.
During the audit a workshop was held in which the Service Team’s objectives were defined. A risk register based upon those objectives was compiled and risk mitigation strategies are in place. Many of the risks identified related to resourcing, performance management and relationships with other stakeholders, and a number of initiatives and strategies have been put in place to address them, such as:
a) The introduction of the Local Prevention Strategy;
b) Recruitment and Retention Strategy which has seen the vacancy level drop from 24% to 1%;
c) Increased emphasis on team development and relevant training;
d) Successful introduction of multi agency working at the St James Centre, showing staff it can work.
Assurance can therefore be given that the objectives of the service are being met and as a result no recommendations were made to Management.
4. Wight Leisure One Card
An audit of the basic controls operating in respect of One Card was performed in February-April 2004. One Card is a card that allows the freedom to participate in a number of sports and leisure activities with the advantage of unlimited use giving a discount on normal charges. There are approximately 22,000 current card holders.
This audit was not included in the annual audit plan for 2003-2004 as it was anticipated that Wight Leisure would be externalised. However, once it became questionable whether externalisation would take place, the plan was amended to incorporate some coverage of Wight Leisure activities.
We found a number of areas of weakness in the financial control arrangements, mainly of a minor nature. One area we regarded as having a fairly significant risk was:
· The lack of a documented procedure for disaster recovery in case of a catastrophe at the Quay Street Office with regards to the ability of the flex computer system and operational logistics to be supported until return to normal operation.
We made 11 recommendations for improvements in internal control, all of which have been accepted by management.
5. Wight Leisure Cash Receipting Arrangements
An audit of the basic financial controls operating over income in a sample of Wight Leisure establishments was performed in February 2004. Total income from the four centres in the financial year 2003/04 amounted to some £1.38m. This audit was not included in the annual audit plan for 2003-2004 as it was anticipated that Wight Leisure would be externalised. However, once it became questionable whether externalisation would take place, the plan was amended to incorporate some coverage of Wight Leisure activities.
We found a number of areas of weakness in the financial control arrangements, mainly of a minor nature. One area we regarded as having a fairly significant control risk (albeit the potential losses would not be material) was at one Leisure Centre. The issues were:
· When Antiques Fairs are promoted there was no system to ensure that all admission income collected was properly brought into account, as tickets sold were not reconciled to cash received.
· The ad-hoc sales of refreshments outside the café area did not operate a proper till system. We noted that the only figures recorded were cash received and not the z readings (audit roll), which would allow identification of over or under cash receipts.
We made 14 recommendations for improvements in internal control, all of which have been accepted by management.
6. Payroll
The overall objective of this audit was to provide assurance to management that the internal control system governing the payroll operation is performing in an adequate and effective manner.
Our main findings were that in general the payroll services department is operating satisfactorily. However, there were a number of issues tangential to payroll that gave cause for concern. These were:
1. It has not been possible to ascertain whether a payroll local agreement operating within Wight Leisure had been properly authorized;
2. Problems were identified in the administration of pay honoraria where honoraria have been granted in questionable circumstances;
3. Problems were identified with respect to the recovery of debts from former employees for car loans and relocation expenses.
We made seventeen recommendations for system improvements, all of which have been accepted by management.
The audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Panel on 24 February 2003. The overall objectives were to provide assurance to management that the objectives of the service are being met and that appropriate risk mitigation strategies are in place and operating satisfactorily.
Assurance can be given that this is the case, and no recommendations have been made to management as a result of this audit.
The audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Panel on 24 February 2003. The overall objectives were to provide assurance to management that the objectives of the service are being met and that appropriate risk mitigation strategies are in place and operating satisfactorily.
In general, assurance can be given that this is the case. However, the quality of management information is poor and too much reliance is placed on the knowledge and experience of one officer. The main recommendation arising from this report is that some form of administrative support be afforded to the Principal Estates Surveyor, at least in the short term, to improve information held and to properly document decisions made. Other recommendations have been made to improve the quality of management information, to improve checks carried out on prospective tenants and reduce the likelihood of costs not being recovered at Garden Estate Ventnor. All our recommendations have/have not been accepted by management.
The audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Panel on 24 February 2003. The overall objectives were to provide assurance to management that the objectives of the service are being met and that appropriate risk mitigation strategies are in place and operating satisfactorily.
There are no major areas of concern arising from this audit, and assurance can be given to management that the Rights of Way Section is operating in accordance with the current regulations and that risk mitigation strategies are operating satisfactorily. Risks identified as being within the control of the section are being managed well. Where identified risks are outside of the control of the section, action has been taken by the Countryside Access Manager to raise the profile of these risks.
A lack of resources has been identified as one of the key risks facing the section in the future and a bid for extra funding is within the service plan. Senior Management need to be aware that, should additional funding not be made available or the workload within the section not be reduced, there is an increased likelihood that the section cannot meet its statutory obligations. Where this is the case at present, work has been prioritised and obligations fulfilled on a basis of need. Defence against litigation has been historically easy to mount due to diligent monitoring processes, but any reduction in the service's ability to meet statutory requirements increases the risk of being unable to defend against claims.
The audit was carried out as part of the 2003-04 Audit Plan agreed by the Audit Panel on 24 February 2003. The overall objectives were to provide assurance to management that the Dinosaur Isle is operating in accordance with the Council’s policies and procedures and that risks identified relating to the achievement of service objectives are subject to an appropriate risk mitigation strategy.
The main concerns arising from this review were how to successfully manage the conflicting objectives of being a centre of scientific excellence whilst at the same time maximising income from casual visitors whilst facing severe financial constraints. Eight recommendations have been made which, in addition to addressing the above issue, will also improve the budget monitoring process and ensure limited resources are deployed effectively. The need for a revised and updated business plan has been highlighted.
All the recommendations were agreed by management.
11. Schools Audits
All schools received an audit visit during 2003/04. Full audits were carried out in two High Schools, three Middle Schools and four Primary schools. The remaining Primary (42), Middle (11), High (3) and Special (2) schools were subject to an audit review. Reports have been issued to each school with copies sent to Education Finance and the relevant Link Inspector.
In the majority of schools the administration and general management were found to be satisfactory or good; however, the audit visits raised a number of weaknesses which were common to many of the schools. These included:
· Failure to review the Scheme of Management Delegation on a regular basis.
· Failure to review Committee Terms of Reference annually.
· Failure to complete and/or review annually the Register of Business Interests.
· Failure to maintain the inventory and to carry out annual checks.
· Delays in the production and/or audit of school fund accounts.
All the recommendations in the audit reports were accepted by the schools. Checks will be carried out during audit visits in 2004/05 to ensure that the recommendations have been implemented.
12. Greater Access to Greater Services (GAGS) – General
We continue to support the GAGS programme in a number of ways, primarily providing risk management and assurance services consistent with the Prince2 project management methodology. We continue to attend the Programme Board meetings and “host” the GAGS Programme Risk Register, facilitating regular updates of the register. We have been instrumental in improving programme controls, for example, the management of risk and the formulation of the approach to benefit realisation. We have recently put together the first edition of the Lessons Learned Log for the programme.
We continue to support the CRM project and provide risk management and assurance services. We attend the Project Board and our one-page project assurance reports issued in the last review period appear below. We have also been involved in the testing of Phase 2 of the CRM system and we are planning our testing of Phase 3. We “host” the CRM Risk Register, facilitating regular updates of the register. We act as facilitators for the CRM Working Group, the forum that is responsible for the future direction of the system. Our involvement ensures appropriate consideration is given to controls and risks, including more recently advice on the legislative considerations of proposed functionality to register and authenticate customers contacting the authority and the sharing of customer data.
We continue to support the DIP project and provide risk management and assurance services. We attend the Project Board and our one-page project assurance reports issued in the last review period appear below. Latterly we have worked closely with the project manager to drive out a system for recording, monitoring and tracking project benefits – a set of protocols and templates we have shared with other projects. We “host” the DIP Risk Register, facilitating regular updates of the register.
Our current activity is to specify the control objectives for the e-Procurement system ahead of the selection of a solution. We have been involved in an advisory capacity in the selection of new BACS transmission software.
We continue to support the ACCISS replacement project in a number of ways, primarily providing risk management and assurance services consistent with the Prince2 project management methodology. We continue to attend the Project Board meetings and our one-page project assurance reports issued in the last review period appear below. Latterly we have worked closely with the project manager to develop a system for assessing the operational preparedness of SWIFT (Launch Criteria assessments) for launch in September as an additional risk management strategy. We are currently reviewing the business case for the selection of the alternative system for Supporting People.
In March 2004 we conducted a pilot audit as part of our rollout of a new ICT audit framework (COBIT). This also allowed us to pilot our risk-based approach on an ICT entity. The entity selected was “Ensuring Systems Security”, an audit in the 2004/5 plan, and we used this entity because it had been subject to external review – our review results were therefore seen in part as validating that external review result. Our approach is fundamentally driven by the identification of risks that would prevent the achievement of objectives and the driving out of improvement plans to manage the risks identified. The bulk of the work is conducted in a workshop with key stakeholders. The pilot, whilst confirming the results of previous reviews, also identified a number of key actions to improve the administration of users' access rights. Our one-page audit report appears below. The overall rating for this entity was AMBER – additional actions recommended, once implemented, will improve control and ensure that identified risks are managed to an acceptable level.
At the request of management we have facilitated the redrafting of our acceptable use policies (Communication Policy) and this now includes the protocols for undertaking computer forensic investigations where that is deemed necessary. That policy is currently awaiting approval by the Portfolio Holder under delegated powers.
As a consequence of our work on the systems security audit we also collaborated further with ICT management to draft a “Risk Bid” for the funds to conduct specialised security testing. We are currently preparing the Directors’ Group paper and the Testing Proposal for the purposes of tendering for the service. Penetration testing is specialised testing of our web-based infrastructure and applications. It is designed to identify security weaknesses.
We were recently invited to join the Information Management Group. This participation will enable us to pursue a body of audit work to test the Council’s compliance with the Data Protection Act and its preparedness for the implementation of the Freedom of Information Act in January 2005.
On the 25th June we conducted the second risk based ICT audit defined under our new ICT Audit framework. The documentation is currently being drafted in readiness for review by key stakeholders. At this time it can be reported that the current overall result will be RED – this is defined as – “a significant threat exists to the achievement of objectives”. We are currently working on the risk treatment action plans to manage the risks identified. These will be dependent on better alignment between the respective business and ICT strategies, going forward.
In June we started a body of work to review the Council’s business continuity recovery plans, building on the work conducted by Marsh. This work aligns with the Directors’ Group report currently being drafted by the Chief Fire Officer. Our concern, one shared by the Chief Fire Officer, is that we have no adequate processes in place to maintain the service recovery plans we have put in place. Additionally, without further work, the plans will remain incomplete and inconsistent in a number of areas.
We are currently working with the Libraries, Museums and Archives Manager in an advisory capacity to produce the appropriate project documentation for a number of projects and we are providing risk registers and will help with developing risk mitigation strategies.
We are currently working with the Head of Democratic & Legal Services to draft a governance structure for the recently merged Drug Action Team and Crime & Disorder Partnership (“Safer Communities Partnership”). We are due to present on that to the Safer Communities Board on 28th July 2004.
We are currently working with colleagues from Policy, ICT and the Learning Centre to construct a training programme and a best practice guide for project management as part of the CPA Improvement Plan.
We are currently working with colleagues to prepare a “risk profile” report to facilitate the strategic decisions to be taken in respect of the re-integration of Wight Leisure.