PAPER D
AUDIT PANEL - 9 MARCH 2004
REPORT OF THE CHIEF INTERNAL AUDITOR
This report is to provide the Panel with a summary of Internal Audit activity completed since the last report of 25th November 2003; to apprise the Panel of progress in developing a new strategic audit plan; and to inform the Panel of legislative changes affecting the Panel’s responsibilities. The Panel is invited to note the contents of the report and to seek clarification of any issues arising from audits undertaken.
BACKGROUND
In keeping with good corporate governance practice, a Panel of elected members should have oversight of the activities of the Internal Audit Service for the following purposes:
• The Panel should monitor Internal Audit’s performance, both in terms of the quality and quantity of its work;
• The Panel should satisfy itself that Internal Audit has devoted its attention to the appropriate issues;
• The Panel should consider the results of Internal Audit reviews to ensure that any significant findings are addressed, including control weaknesses, and to ascertain whether, in the opinion of the Chief Internal Auditor, adequate and satisfactory responses have been given by the Authority’s management;
• The Panel should recommend, if necessary, that further attention should be given to some of the issues raised.
To facilitate this process, attached as appendix A are synopses and summaries of audit work completed since 25th November this year. The Panel should also refer to the audit plan approved at the February 2003 meeting.
Audit resources have also been bolstered by employing a contractor to provide ICT audit during the period (funded by savings from delayed appointments). This has proved to be a particularly useful initiative with the main purpose of introducing the appropriate skills (ICT audit is a particularly technical area of internal audit). So far the contractor has produced five pieces of work on:
• ICT operations
• Unix security
• ICT audit plan
• ICT maintenance
• ICT E Mail System – synopsis included within this report.
It was hoped to be able to bring the revised plan to this meeting but unavoidable delays in identifying all strategic risks have meant that the revised plan cannot be completed until March when it will be subject to consultation with officers. The revised plan will be brought to the June meeting of the Panel.
The Office of the Deputy Prime Minister has revised the Accounts and Audit Regulations effective from 1st April 2003. The revised regulations require that the Council include within its published accounts for financial years 2003/04 onwards, a Statement of Internal Control (SIC). The implications of this change only became clear in January of this year when CIPFA published guidance on what authorities would need to do to comply with the new Regulations.
The CIPFA guidance advises that the SIC should inform readers of the published accounts as to the level of assurance that can be derived from the Council’s system of internal control. This is being interpreted as meaning that the Council’s overall arrangements for corporate governance and risk management will need to be evaluated annually and an assessment of the level of assurance that can be placed on these arrangements reported publicly in the SIC.
The sources of assurance will include:
• departmental managements’ self assessment of their risk management performance
• internal audit
• external audit
• other inspectorates
• The Audit Panel
The SIC has to be signed by the Chief Executive and the most senior member of the Council.
The evaluation of the SIC will form an important part of the Audit Commission’s audit of the Council’s accounts. Therefore, it is important that the Council’s arrangements in respect of corporate governance and risk management can be shown to be robust.
FINANCIAL, LEGAL, CRIME AND DISORDER IMPLICATIONS
There are no significant financial or legal implications of this report, given that it is a progress report on the Internal Audit function. The Panel is reminded that the Council is required by statute (the Accounts and Audit Regulations) to have an adequate and effective Internal Audit function.
1. ICT E MAIL SYSTEM
The Isle of Wight Council operates an e-mail system
as a communication tool, provided through Microsoft Exchange Server and a
Microsoft Outlook client. The service enables receipt of electronic mail from
any Council location, its retention, generation of reply and the facility to
transmit to any other Council or third party location.
There is a need to access the Exchange Server to
review system files, mailbox controls and to test the system security features.
The review identified a number of minor control weaknesses,
and also identified 1 significant area of control weakness which is detailed
below: -
It was reported that the Tumbleweed server, which
manages external content filtering, is not backed up. However, a spare machine
is maintained to ensure that the services provided by this server could be
replaced in an emergency.
Risk: - Without a backup being taken it would not be
possible to restore the current configuration if required.
The findings were discussed with relevant staff, and
appropriate recommendations were made to resolve the control issues. These have
all been agreed with the staff, and target dates have been set for the control
weaknesses to be resolved.
2. WASTE MANAGEMENT REPORT
The audit was carried out as part of the 2003-04
Audit Plan agreed by the Audit Committee on 24 February 2003. The overall
objectives were to provide assurance to management that the Council’s
Integrated Waste Management Service is operating as prescribed in contract
documentation and that risks identified in operating the service are subject to
an effective risk mitigation programme.
The service is operating successfully and has a
robust risk mitigation strategy that effectively transfers most of the risks
involved to the service provider. Inspection of the contractor is robust and
there is a high level of awareness within the department of new legislation and
proposed changes to service requirements.
3. CONTRACT AUDIT
Financial Regulations require that the Chief
Financial Officer is afforded the opportunity to examine every contract final
account. During this quarter nine final accounts relating to Education
construction projects, Highways works and other construction projects were
examined and passed for payment as there were no significant issues arising from
our examination. These were as follows:-
Gurnard Primary – Extension to form entrance
St Helens Primary – New reception
Cowes Primary – Music suite
Carisbrooke High – Autistic resource centre
Yarmouth bridge Phase 3
Church Lane Ryde – Retaining wall
Kite Hill Wootton – Pedestrian refuge
Blacklands Bridge
Cothey Bottom Heritage centre
The Audit section is also responsible for carrying
out financial evaluation of prospective contractors and suppliers and during
this period evaluations were undertaken for the IT Department and Revenues
Services.
An auditor is also a member of the Education
Partnering Project Team and during this quarter has been involved in further
evaluation of the short-listed Contractors and Consultants who have submitted
tenders. The tenders are being evaluated on the basis of cost, quality and
their ability to enter into a partnering arrangement.
4. PROJECT AUDITS
We are currently involved in a large number of
projects. Our work is largely in
providing formal assurance services in the role of “Project Assurer”, a role
defined under the Prince2 project management methodology. We currently undertake this for:
GAGS related projects:
Customer Relationship Management (CRM)
DIP/EDM
Business Process Re-engineering
Front Office Working
eGovernment related projects:
eProcurement
ePIPS
Other:
ACCISS replacement project (SWIFT) – see below for
more details
We have retained a “watching brief” over the GAGS
programme and we have retained our seat on the GAGS Programme Board. The work on GAGS is, at this stage, confined
to advising and assisting on the
management of risk, issues, dependency and change. Following the Programme Board on Thursday 26th
February 2004 we will be re-issuing our audit plan for GAGS.
Since the last report we have issued three, one-page
assurance/audit reports on the ACCISS replacement project. Generally we consider the project to be
“on-track” to deliver the stated benefits.
The Way Forward
The role of assurer defined in the Prince2
methodology is the best way we have found of engaging with a project and
because the role is defined the expectations of the project team are
successfully managed. The aspect of the
work we often need to do on a project that is not explicitly covered within the
role of assurer is the evaluation of the controls being built or changed as a
deliverable of the project. However, as
assurer we are an accepted team member and in a better position to make this
contribution than we would otherwise be.
One of our goals is to integrate our mainstream audit toolkit into the
toolkit of the project manager so that we can promote the concept of self-audit
on projects. This will also assist in
the embedding of risk management in the culture of the organisation. To this end we are working with members of
staff in other departments, notably the Best Value Unit and ICT to develop the
appropriate toolkit and training.
At the request of the Resources Select Committee,
Internal Audit has been examining the way in which the Council procures its
printing requirements. The Committee had previously expressed its concern that
the Council’s policy which requires printing to be sourced through the
Council’s own Print Unit had not been followed. The corollary to that was that
the Council might not always receive value for money when meeting its printing
requirements.
Analysis
undertaken as part of audit’s examination appeared to indicate that, despite
the concerns raised by the Select Committee, there appeared to be even more
work being done outside than in previous years. Further work was then
undertaken to identify a sample of items and this was used to compare the price
paid externally with the cost if produced ‘in-house’. The results indicated
that in around 25% of cases the in-house option would have been more
cost-effective.
The Portfolio holder for Resources has now requested
that the Head of Corporate Policy develops and implements a protocol which
requires all spending departments to consult with the Council’s Print Unit
Manager, who will advise on the most appropriate and cost-effective source for
printed material, whether that is in-house or externally sourced. A further
report will be provided to the Resources Select Committee in August.
6. MEMBERS ALLOWANCES
This audit was carried out as part of the 2003-04
Audit Plan agreed by the Audit Committee on 24 February 2003. The overall
objective was to provide assurance to management that the arrangements for
making payments to members are in accordance with guidelines and regulations.
Assurance could not be given that payments are made
in accordance with established procedures and recommendations have been made to
improve the system to include the verification and authorisation of claims by
Committee Services, to give consideration to revising the method of reimbursing
members for travel and subsistence to reflect the varying responsibilities of
members and thirdly to ensure guidance issued to members by way of the Members
Handbook reflects the modern decision making structure adopted by the
Authority. Additionally, a recommendation has been made and implemented to
improve the quality of management information.
7. THE LEARNING CENTRE
An audit review of the Learning Centre was included
in the 2003/2004 internal audit plan. This audit was conducted using our new
risk based methodology involving a facilitated workshop to identify and
prioritise key risks, and to determine the effectiveness of existing control
arrangements to manage the key risks facing this function. Attached as Appendix
B is a summary report using our SPA or single page assurance report formatted
as agreed at the last Audit Panel meeting in October.
8. ACCISS REPLACEMENT PROJECT
Attached as appendices C
and D are two further SPAs showing the status of this project in December 2003
and February 2004.
9. SCHOOL VISITS
During the period full audits have been carried out
in two Middle Schools and four Primary Schools. In addition audit reviews have
taken place at one High School, seven Middle Schools, twenty two Primary
Schools and both Special Schools. This leaves only three Schools still to be
visited by audit this year and appointments for these have been arranged.
Reports have been issued to each school with copies sent to Education Finance
and the relevant Link Inspector.
Overall the administration and general management
within the schools were found to be satisfactory; however, the audit visits
raised a number of control weaknesses, which were common to many of the
schools. These included:
• Failure to review the scheme of delegation on a regular basis
• Failure to review Committee Terms of Reference annually
• Failure to maintain the inventory and to carry out an annual check
• Delays in the production and/or audit of school fund accounts
• Copy of the approved budget not filed with the relevant Governors minutes.
During the course of an audit at one of the Middle Schools, invoices were noted
for electrical works within the school.
On further investigation it was noted that the contractor used was not
on the Council approved list of Contractors as held by Property Services. In
these circumstances a member of the Property Services Team should have
inspected the works. This did not happen which raises a number of issues
regarding contractor competence and public liability insurance cover.
10. RISK ASSESSMENT WORKSHOPS
The section has been assisting the Insurance and Risk
Management Unit to run risk assessment workshops with Departmental Management
Teams. The purpose of the workshops is to identify further strategic risks
facing the authority to refresh the corporate risk register. This process will
be completed by early March 2004.
11. WORK IN PROGRESS
The following projects are in progress and should be
completed by the end of the financial year:
• Industrial Sites
• County Transport
• Dinosaur Isle
• Wight Leisure Cash Recording
• Wight Leisure “One Card” Scheme
• Payroll
• Council Tax
• Pension Benefits
• Revenues and Benefits Computer Systems
• Social Services Establishments
• The Children and Families Community Team
• Rights of Way
APPENDIX B
SPA REF: 2003/001 | THE LEARNING CENTRE
Date: 10-Nov-03 | Claire Shand
Roll up based on the orm.atrix for objectives 1 to 7

| | KP Group | HEADLINE |
|---|---|---|
| 1 | Development of the Objectives | The key area of o/s work is specifically relating the Service's objectives to the Corporate objectives |
| 2 | Development of the Objectives' PI | The mechanism to adjust performance to achieve continuous improvement needs to be trialed |
| 3 | Current Objectives' Performance Trend | The first set of full measurements need to be taken |
| 4 | Status for the Risks | The majority of key risks scored RED |
| 5 | Current Risk Performance Trend | The regular review of the RIF's needs to commence |
| 6 | Development of the Risk Treatment Action Plans | Additional actions identified need to be implemented |
| 7 | Current performance of the RTAP's | The setting of targets and measuring performance is outstanding |
| 8 | RTAPs' performance trend | No measurements have been taken |
| 9 | Quality of Management Information | The gap analysis between the MI available and the MI needed has not yet been undertaken |
| 10 | Review Processes | The review of performance based on revised PI's is not yet possible |
| 11 | Response Processes | Trigger points need to be established and the procedure written for escalation |
| 12 | Overall Rating* | Improvement plan tasks need to be assigned |

KEY ISSUES

| Ref | Description | DUE DATE | Action | Owner | Status |
|---|---|---|---|---|---|
| 1 | Availability of resources | | Utilise technology better in delivery of the service | CS | |
| 2 | The need to demonstrate value creation | | Develop benefit realisation model | CS | |

KEY RISKS

| Ref | Description | DUE DATE | Action | Owner | Status |
|---|---|---|---|---|---|
| 1 | Staff/managers/senior managers are not aware of the evaluation outcomes following training creating a lack of understanding of the value created (risk 31) | 12mth | Pre-define value and measure outcomes with better, regular communication | CS | |
| 2 | Failure to support other areas to achieve their objectives and therefore the corporate objectives (risk 43) | 12mth | Get involved in service planning earlier and create better feedback loops | CS | |

IN BOUND KEY DEPENDENCIES

| Ref | Description | DUE DATE | Action | Owner | Status |
|---|---|---|---|---|---|
| 1 | The PDP process | 12mth | Develop benefit realisation model | CS | |
| 2 | Service Planning | 12mth | Get involved in service planning earlier and create better feedback loops | CS | |

OUT BOUND KEY DEPENDENCIES

| Ref | Description | DUE DATE | Action | Owner | Status |
|---|---|---|---|---|---|
| 1 | Providing the framework for learning/training and development | 12mth | Better information required to understand priorities | CS | |
| 2 | Designing and providing courses and events to meet identified needs | 12mth | Pre-define value and measure outcomes with better, regular communication | CS | |

OVERALL COMMENTARY
The challenge for the Learning Centre is to understand needs and provide solutions that create demonstrable value. There is a need to embrace technology, not only the demands for training in the face of new technology but also how to deliver training via applied technology solutions/different channels. The key aspect of the operation of the service that needs to be improved is the capture, collation and interpretation of feedback from all stakeholders. An innovative approach to creating some capacity within the team is also required, and the concept of the "first aiders" (a network of specialist internal course/content providers) needs to be seriously pursued. The impact of partnerships needs to be understood, both the opportunities of the partners/partnerships that the authority is currently engaged with and those in the future. The early participation of the Learning Centre in the lifecycle of service planning is key to understanding the priorities, needs and requirements of all areas and this is a key driver for the development of the model for benefit realisation (at all levels of the authority).
Prepared by: Ken May
APPENDIX C
SPA REF: ACCISS002 | ACCISS Replacement Project | Overall RAG: a
Date: 23-Dec-03 | David Shambrook | Overall Trend*: stat
*TREND - IMP = improving, STAT = static, DET = deteriorating
Key Performance Scores

| IND | KP Group | RAG | TREND* | HEADLINE |
|---|---|---|---|---|
| 1 | Plan & Resources | a | stat | The development of the plans is becoming a priority |
| 2 | Progress | a | stat | Developed plans will support monitoring and the management of tolerances |
| 3 | Deliverables | a | stat | Developed plans will ensure all deliverables are identified |
| 4 | Testing | a | n/a | Piloting in progress to test environment |
| 5 | Quality | a | stat | Some aspects need tightening up particularly the reviews |
| 6 | Issues | a | stat | |
| 7 | Risk | g | imp | |
| 8 | Change | a | stat | Developed plans will assist in the management of change |
| 9 | Dependency | a | stat | The interdependency with GAGS needs to be managed |
| 10 | Interfaces | g | stat | |
| 11 | Migration | g | stat | |
| 12 | Implementation | r | stat | The first assessment of Go/No Go criteria is now due |

KEY ISSUES

| Ref | Description | Action | Owner | TREND* |
|---|---|---|---|---|
| 1 | Communication paths need to be clarified, particularly in light of the changes in the Board | Reissue the job descriptions for the key roles and obtain formal acknowledgement | DS | n/a |
| 2 | Business case does not include the PSA targets, therefore no review of the impact of the programme on those targets and the consequential risk to the funding | Update the business case | DS | n/a |

KEY RISKS

| Ref | Description | Action | Owner | TREND* |
|---|---|---|---|---|
| 1 | Risk that we cannot implement the cultural change to realise the benefits of the system | Communication/visioning - keeping everyone involved and informed | GG | a |
| 2 | The risk of sacrificing quality in light of fixed end dates and budgets without contingency | Examine scope and identify the opportunity to build in contingency and reinforce the change control process | DS | a |

IN BOUND KEY DEPENDENCIES

| Ref | Description | Action | Owner | TREND* |
|---|---|---|---|---|
| 1 | Anite's Swift Product | Liaison and piloting of the product | DS | g |
| 2 | Health sector partner | Liaison and inclusive decision making | GG | a |
| 3 | Thin client rollout | Testing and piloting. Clarity required around requirements. | KD | a |

OUT BOUND KEY DEPENDENCIES

| Ref | Description | Action | Owner | TREND* |
|---|---|---|---|---|
| 1 | Single assessment process | to be rated next time | | |
| 2 | Identification, referral and tracking | to be rated next time | | |
| 3 | Secure shared environment | to be rated next time | | |

OVERALL COMMENTARY
The key task of developing plans is crucial to other activities: (a) Full and complete plans will ensure that all deliverables have been identified and will ensure that resourcing is appropriate, (b) Developed plans will allow tolerances and any resulting exceptions to be managed more effectively, particularly Cost/Budget tolerances. The other key aspect of the project that needs to be addressed is the specification of the Quality Standards and the reviews of Quality achieved. Once Plan and Quality issues have been addressed, the viability of the project in terms of meeting objectives can be critically tested and then thought can be given to the method of realising benefit and monitoring those benefits. In many respects the project is similar to the GAGS programme and the key similarity is the visioning and the cultural change required to realise many benefits. It is suggested that the project forges stronger links with the GAGS programme to ensure maximum benefit from the work being done on Vision and Benefit Realisation.
Prepared by: Ken May
APPENDIX D
SPA REF: ACCISS003 | ACCISS Replacement Project | Overall RAG: a
Date: 09-Feb-04 | David Shambrook | Overall Trend*: imp
*TREND - IMP = improving, STAT = static, DET = deteriorating
Key Performance Scores

| IND | KP Group | RAG | TREND* | HEADLINE |
|---|---|---|---|---|
| 1 | Plan & Resources | a | stat | |
| 2 | Progress | a | stat | |
| 3 | Deliverables | a | stat | |
| 4 | Testing | n/r | n/a | Development of the UAT plans and data to be a priority |
| 5 | Quality | r | det | Formal reviews and sign off are needed to underpin the achievement of objectives |
| 6 | Issues | a | stat | |
| 7 | Risk | a | stat | |
| 8 | Change | g | imp | Process efficiency savings are realisable |
| 9 | Dependency | a | stat | The interdependency with GAGS needs to be managed |
| 10 | Interfaces | g | stat | |
| 11 | Migration | g | stat | |
| 12 | Implementation | r | det | The assessment of Go/No Go criteria is now overdue |

KEY ISSUES

| Ref | Description | Action | Owner | TREND* |
|---|---|---|---|---|
| 1 | Acceptance of the roles and responsibilities by members of the board | Prince2 session to be run for key members | DS/JC | det |
| 2 | Business case does not include the PSA targets or any firm benefit data, therefore no review of the impact of the programme on those targets and the consequential risk to the funding | Update the business case | DS | det |

KEY RISKS

| Ref | Description | Action | Owner | TREND* |
|---|---|---|---|---|
| 1 | Risk that we cannot implement the cultural change to realise the benefits of the system | Communication/visioning - keeping everyone involved and informed | GG | a |
| 2 | The risk of sacrificing quality in light of fixed end dates and budgets without contingency | Examine scope and identify the opportunity to build in contingency and reinforce the change control process | DS | a |

IN BOUND KEY DEPENDENCIES

| Ref | Description | Action | Owner | TREND* |
|---|---|---|---|---|
| 1 | Anite's Swift Product | Liaison and piloting of the product | DS | g |
| 2 | Health sector partner | Liaison and inclusive decision making | GG | a |
| 3 | Thin client rollout | Testing and piloting. | KD | a |

OUT BOUND KEY DEPENDENCIES

| Ref | Description | Action | Owner | TREND* |
|---|---|---|---|---|
| 1 | Single assessment process | to be rated next time | | |
| 2 | Identification, referral and tracking | to be rated next time | | |
| 3 | Secure shared environment | to be rated next time | | |

OVERALL COMMENTARY
In overall terms, the project score has improved and is very near the benchmark for a project of this type (at this stage). There is a risk, however, that the hard work to date to enforce certain disciplines will be lost if key members of the Board do not accept the roles and responsibilities that are part and parcel of the Prince2 methodology. We are expecting the session on Prince2 that is being co-ordinated by John Clack to increase awareness of the importance of the tasks that need to be done. We are aware of the visioning exercises that are due to start next week and with this in mind would suggest a more formal degree of liaison with the GAGS programme particularly the DIP project and the Business Process Re-engineering project, both of which could provide valuable guidance and experience in key areas. We say again that the key elements/criteria that need to be in place for launch are identified and under-pin the acceptance criteria that are used to judge the Quality of the key deliverables - this would also guide User Acceptance Testing.
Prepared by: Ken May