11 Internal Audit Annual Assurance Report...

LONDON BOROUGH OF SOUTHWARK The annual report to the Audit and Governance Committee on the work of internal audit and anti fraud for the year 2010/11 Presented at the Audit and Governance Committee meeting: 4th July 2011 Appendix 1


Page 1: 11 Internal Audit Annual Assurance Report 2010-11moderngov.southwark.gov.uk/documents/s20450/Appendix 1... · 2011-06-24 · London Borough of Southwark Internal Audit and Anti-Fraud

LONDON BOROUGH OF SOUTHWARK

The annual report to the Audit and Governance Committee on the work of internal audit and anti fraud for the year 2010/11

Presented at the Audit and Governance Committee meeting: 4th July 2011

Appendix 1


London Borough of Southwark Internal Audit and Anti-Fraud Annual Report


CONTENTS

Section

1 Executive Summary

2 Internal Audit

3 Anti-Fraud

Appendix A Progress report to the Audit and Governance Committee on the work of Internal Audit for the 2010/11 plan completed since the last Audit & Governance Committee meeting

Appendix B Context

Appendix C High rated recommendations partly implemented


1. EXECUTIVE SUMMARY

1.1 INTRODUCTION

This report summarises the work of internal audit and anti fraud for the financial year 2010/11.

The Council’s internal audit contractor, RSM Tenon, currently undertakes the majority of audit work, although to complement this arrangement there is also a small in-house provision.

Following the first full year of the new internal audit contract with RSM Tenon, we are pleased to report improvements to the service. For the first time in a number of years, all internal audit reports were completed to draft before the 31st March. Annual surveys of the Audit & Governance Committee Members and Chief Officers also received positive comments, with average responses from both meeting the target of four out of five.

The corporate anti-fraud service is provided by Deloitte through the Croydon shared services framework.

The CIPFA Code of Audit Practice and the Institute of Internal Auditors (IIA) Auditing Standards require that the Head of Internal Audit provides a written report to the S151 Officer timed to inform the organisation’s annual governance statement. As such, this report also presents the annual opinion in respect of the adequacy and effectiveness of the organisation’s system of internal control. The opinions provided within the report are based upon work completed by both contractors and the in-house team.

1.2 INTERNAL AUDIT

The Head of Audit is of the view that sufficient internal audit work has been undertaken during 2010/11 to enable him to draw a reasonable conclusion on the adequacy and effectiveness of Southwark Council’s risk, control and governance arrangements for the year.

For the year ended 31 March 2011, based on the work undertaken, the Head of Audit’s opinion regarding the adequacy and effectiveness of Southwark’s arrangements for governance, risk management and control is as follows:

Overall the Council’s systems for governance, risk management and control are considered to be largely adequate and effective, with areas for improvement.


1.3 FRAUD

The key achievements in relation to anti-fraud work across the Council for 2010/11 were:

• The Council’s fraud teams have achieved 233 sanctions during the financial year, which includes prosecutions, administrative penalties, official cautions and property recoveries.

• The Council conducted a review of single persons discount (SPD) council tax fraud and as a result, £175,000 worth of SPD cases have been progressed in the 2010/11 financial year.


2. INTERNAL AUDIT

2.1 INTRODUCTION

The following section sets out the internal audit assurance for the year 1 April 2010 – 31 March 2011.

2.2 THE ROLE OF INTERNAL AUDIT

The role of internal audit is to provide management with an objective assessment of the adequacy and effectiveness of internal control, risk management and governance arrangements. Internal audit is therefore a key part of the London Borough of Southwark’s assurance cycle and if used properly can inform and update the organisation’s risk profile. Internal audit is just one of the sources of assurance available to the Council and Audit & Governance Committee.

Exhibit A: The Assurance Cycle. © RSM Tenon


The definition of internal audit, as described in CIPFA’s Code of Practice for Internal Audit in Local Government in the United Kingdom, is set out below:

• Internal audit is an assurance function that primarily provides an independent and objective opinion to the organisation on the control environment comprising risk management, control and governance by evaluating its effectiveness in achieving the organisation’s objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources.

• Whilst internal audit “primarily” provides an independent and objective opinion to the organisation on the control environment, it may also undertake other, non-assurance work at the request of the organisation subject to the availability of skills and resources. This can include consultancy work; indeed, Internal Audit intrinsically delivers consultancy services when making recommendations for improvement arising from assurance work, and fraud-related work.

2.3 GOVERNANCE STATEMENT

Under Regulation 4[3] of the Accounts and Audit Regulations 2011, authorities are required to publish an Annual Governance Statement. Authorities publish an annual governance statement in line with the CIPFA/SOLACE Good Governance Framework to meet that statutory requirement.

The assignment opinions that the internal audit service provides to the organisation during the year are part of the framework of assurances that assist the Council in preparing an informed governance statement.

2.4 SCOPE OF THIS REPORT

The Council’s current internal audit service is provided by RSM Tenon.

This report brings the outcomes of the internal audit work conducted by RSM Tenon and the in-house team together in one consolidated report for the year 2010/11.

2.5 CONTEXT

The internal audit service provides the Council, through the Audit & Governance Committee, with an opinion on the adequacy and effectiveness of the organisation’s governance, risk management and control arrangements. In giving an opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide to the Council is a reasonable assurance that there are no major weaknesses in risk management, governance and control processes.

The matters raised in this report are only those which arose during the internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. This report is prepared solely for the use of the London Borough of Southwark, its Members and its senior management team. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted, as the report has not been prepared for, and is not intended for, any other purpose.


2.6 INTERNAL AUDIT ASSURANCE STATEMENT (HEAD OF INTERNAL AUDIT’S OPINION)

For the year ended 31 March 2011, based on the work undertaken, the Head of Audit’s opinion regarding the adequacy and effectiveness of Southwark’s arrangements for governance, risk management and control is as follows:

Overall the Council’s systems for governance, risk management and control are considered to be largely adequate and effective, with areas for improvement. This is a positive opinion.

Governance

Within the Council this is largely adequate and effective. The work of the internal audit section has, however, identified areas where financial governance in particular could be improved, for example, Environment Enforcement and Mental Health, in respect of the monitoring of the pooled budget. Recommendations have been made to address these issues and management is taking action to implement them.

Risk Management

Risk management processes are now well established within the Council. There is, however, further scope to enhance these processes and RSM Tenon are working with the Council to further embed risk management at the Council. During the year, the corporate risk manager took responsibility for the corporate insurance team and continues to link the services and enhance the wider risk management arena.

Control

Overall the Council has sound systems of control. There were, however, a number of internal audit reports issued during the year, which have shown specific systems to require improvement. These are all being addressed by officers responsible for the management of these systems. Non-compliance with existing controls resulting in ‘High’ priority recommendations was identified in a number of reviews, including Council tax and Benefits, Commercial Properties, Client Monies and Enforcement (as above). In all areas management have accepted recommendations to improve the current level of control.


The Head of Audit has based his opinion upon the following areas of work and the assurance levels achieved which have been completed during 2010/11. This is based upon the regular progress reports already presented to the Committee, along with the progress report for work completed since the last Committee meeting, as attached at Appendix A.

| Audit Area | Red | Amber/Red | Amber/Green | Green | Totals |
|---|---|---|---|---|---|
| Managed Audit | 1 | 3 | 2 | 2 | 8 |
| Corporate Audit | 1 | 4 | 3 | 4 | 12 |
| Departmental | 4 | 3 | 5 | 4 | 16 |
| Information Technology | - | - | 8 | 1 | 9 |
| Schools | - | 2 | 6 | 4 | 12 |
| Total | 6 | 12 | 24 | 15 | 57 |

The results of the above table are not dissimilar to other organisations of a similar size and complexity to Southwark Council. As can be seen from the table above, the majority of non-schools reports, 71%, have received an amber/green assurance or higher. The number of reports with amber/red or red assurance represents 29%, which is largely in line with 2009/10 (26%). Although there still remains scope for improvement, management have accepted all recommendations made during the year and action plans are in place for their implementation. The progress made in the implementation of the recommendations will be monitored through the internal audit follow-up process and will be reported to the Audit and Governance Committee as part of the quarterly progress report.

Managed Audits

There were two areas which received a green assurance, being Treasury Management and Assets. One managed audit was rated as red. This related to the review of Revenues and Benefits; the specific areas that attracted high level recommendations were in Council Tax and related to timeliness of enforcement action, debt recovery and debt monitoring processes. The management for this area accepted all recommendations made and have verbally confirmed progress in these areas.

Corporate Audits

There were four reports which received a green assurance, being Construction Industry Scheme, Corporate Governance – Members Induction, Budget Setting and Allocations to the Housing Revenue Account. Only one corporate audit received a rating of red, Commercial Properties. The overriding finding of the review was that the commercial property database was not utilised to its full capability, with numerous separate Excel spreadsheets used rather than the system. As such there is a risk of inaccuracies in the data held and a duplication of effort due to substitute recording methods.

Departmental Audits

Four reports received a green rating: Rent Setting, Cashiers and Cash Handling, the Tenant Management Initiatives Team and Community Engagement. Four areas received a red rating: Client Monies, where high priority recommendations were raised around the payment of invoices; Environment Enforcement, where the audit highlighted control weaknesses leading to a high number of medium level recommendations around documentation retention and compliance with local/Council policies; Mental Health, where it was found that there were gaps in the information received from the provider on spend, and in the associated contract monitoring; and Debt Collection (Health and Community Services), where it was recommended that a full review of client debt should be undertaken, and that any bad debts should be written off in accordance with financial procedures.

Information Technology

It is noted that the IT audits for this year have seen significant improvement over previous years’ findings. Nine reports have been finalised; of these, all nine received positive opinions, with eight amber/green opinions and one green opinion. The common recommendations running through the audits relate to systems access, user profiles and development of robust policies on system use.

2.7 SCOPE OF THE INTERNAL AUDIT OPINION

In arriving at his opinion, the Head of Audit has taken into account:

• The results of all internal audits undertaken for the year to 31 March 2011;

• The results of follow-up action taken in respect of audits from previous years;

• The effects of any material changes in the organisation’s objectives or activities;

• Matters arising from previous reports or other assurance providers to the Audit and Governance Committee and/or Corporate Management Team.


2.8 FOLLOW-UP OF RECOMMENDATIONS

All recommendations rated high and medium are followed up on a regular basis. During 2010/11, 215 recommendations were followed up. 111 recommendations were found to have been fully implemented and 60 partly implemented. 30 had not been implemented, three had been superseded and 11 were not yet due. At the time of the initial follow-up work, 15 high rated recommendations were found not to have been fully implemented. We can now report that, of those 15, 12 have been fully implemented and three have been partially implemented. Those recommendations partly implemented, and their current status, are shown in Appendix C.

2.9 KEY PERFORMANCE INDICATORS

The following table identifies performance against key performance indicators during the year.

| Key performance indicator | Performance | Performance Target |
|---|---|---|
| % of audits from the plan completed to draft report stage by 31 March | 100% | 100% |
| % of returned audit satisfaction survey forms achieving an overall score of ‘adequate’ or above | 80% | 80% |
| % of high recommendations implemented by agreed implementation date | 65% | 80% |

The KPI in respect of the completion of the plan to draft report stage by 31st March represents a significant achievement and progress of the service over previous years. This achievement marks the first full year of the contract with RSM Tenon. The Head of Audit wishes to express his thanks to the RSM Tenon Team and In-House team for their efforts in achieving this target.

As reported in the regular progress reports, the implementation rate for recommendations has been identified as an area for improvement. There have been some improvements during the year and an action plan has now been set out to help continue with this into 2011/12.

In addition to the core Key Performance Indicators reported to the Committee as part of our regular progress reports, we also have two annual performance indicators:

| Annual performance indicator | Performance (Out of 5) | Performance Target (Out of 5) |
|---|---|---|
| Annual Chief Officer satisfaction surveys achieving an overall average score of four or above | 4.0 | 4 |
| Annual Audit & Governance Committee members satisfaction surveys achieving an overall average score of four or above | 4.1 | 4 |


We are pleased to have met the targets in these areas, but will continue to look to improve the service. The Audit and Governance Committee were particularly positive about the effectiveness of Internal Audit with an average score of 4.6 out of 5. As part of the feedback, some specific comments were received in respect of reporting, and these areas will be reviewed as part of the continuous improvement programme.

2.10 THE REVIEW OF THE EFFECTIVENESS OF INTERNAL AUDIT

A follow-up review was undertaken of the initial peer review undertaken in 2009/10 with the City of London Corporation. This review focused on the one recommendation raised, covering the requirement for a code of ethics for internal auditors to be included in the Internal Audit Manual. The review found that the recommendation raised has been actioned and confirmed that Internal Audit complies with the CIPFA Code of Practice for Internal Audit.


3. ANTI-FRAUD

3.1 INTRODUCTION

This report provides details of the proactive and reactive anti-fraud work conducted during 2010/11 and a strategic fraud update for the proactive work planned for 2011/12.

3.2 REACTIVE ANTI-FRAUD WORK

2010/11 has seen the number of referrals reach 318 for the year including referrals through the Southwark website, fraud hotline email address, phone and by letter. Cases of suspected benefits fraud or housing fraud are referred on to the relevant teams.

The following table shows the number of cases that have resulted in a successful sanction for each of the three anti-fraud teams for 2011/12. A sanction can include, for example, cases of recovered tenancies, a benefits caution, administrative penalty or prosecution.

| Anti-Fraud Team | Number of Sanctions 1 April 2010 to date |
|---|---|
| Corporate Anti-Fraud Team | 19 |
| Housing Investigations Team | 55 |
| Benefits Investigations Team | 159 |
| Total | 233 |

3.3 AUDIT COMMISSION BRIEFING

The Fraud Briefing Report 2010 by the Audit Commission provides a benchmark of the anti-fraud service against other authorities, and assists in showing how the council is tackling fraud, as provided separately.

Overall, the report considers the performance of the council in anti-fraud work to be strong. It is noted that the report is based upon the annual survey return to the Audit Commission for 2009/10, and as such developments have already been made in some areas, for example in council tax single person discounts, as noted in the report. In addition a new system of recording cases currently being implemented will help us to identify work in areas such as procurement, which will ensure in the future that such cases are appropriately categorised and recorded, across corporate fraud, benefits fraud and tenancy fraud.


3.4 STRATEGIC FRAUD UPDATE

In May 2010, the Department for Communities and Local Government published a ten point blueprint, compiled by the National Fraud Authority to assist local government in fighting fraud.

The corporate anti-fraud team will review and incorporate these tips where appropriate into the anti-fraud strategy and pro-active plan to ensure our focus is aligned to the national model.

Below are the suggested headings along with current actions to address each point:

| Area to Consider | Action |
|---|---|
| 1. Measure exposure to fraud risk; | Fraud risks are reviewed at least annually as part of the internal audit planning process. A review is currently underway of key factors identified in this list. |
| 2. More aggressively pursue a preventative strategy; | Addressed in the medium term resources strategy: new systems are being developed around data matching and analytics of emerging frauds. |
| 3. Make better use of data analytics and credit reference agency checks to prevent fraud; | As above. |
| 4. Adopt tried and tested methods for tackling fraud in risk areas - such as blue badge scheme misuse; | Included within the current review of the pro-active plan. |
| 5. Follow best practice to drive down Housing Tenancy and Single Person Discount fraud; | Additional detection methods are included within the current review of the pro-active plan and in line with the Audit Commission’s “Protecting the Public Purse”. |
| 6. Pay particular attention to high risk areas such as procurement and grant awards; | As above. Audits within these areas are inclusive of consideration of the Council’s exposure to specific fraud risks. |
| 7. Work in partnership with service providers to tackle organised fraud across local services; | A Police Officer is seconded from New Scotland Yard, and a partnership arrangement is in place with the UK Borders Agency to ensure cross cutting investigations with service providers. |
| 8. Maintain specialist fraud investigative teams; | The council has three dedicated fraud teams to counter corporate, housing and benefits fraud. |
| 9. Vet staff to a high standard to stop organised criminals infiltrating key departments; | Currently in discussion with Human Resources. |
| 10. Implement national counter fraud standards developed by the Chartered Institute of Public Finance and Accountancy. | CIPFA’s Red Book 2, Managing the Risk of Fraud, has been adopted and implemented. |


APPENDIX A - PROGRESS REPORT TO THE AUDIT AND GOVERNANCE COMMITTEE ON THE WORK OF INTERNAL AUDIT FOR THE 2010/11 PLAN COMPLETED SINCE THE LAST AUDIT & GOVERNANCE COMMITTEE MEETING

1. INTRODUCTION

This report summarises the work of internal audit completed since the last Audit & Governance Committee meeting (relating to the 2010/11 internal audit plan).

2. INTERNAL AUDIT

2.1 WORK COMPLETED

The following sections set out the Internal Audit assurance for the reports finalised in the period.

2.2 SUMMARY

The following table sets out the areas of work and the assurance levels achieved for the period:


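| Audit Area | Red | Amber/Red | Amber/Green | Green | Totals |
|---|---|---|---|---|---|
| Corporate Audit | 1 | 0 | 1 | 4 | 6 |
| Environment and Housing | 1 | 1 | 0 | 0 | 2 |
| Managed Audit | 0 | 3 | 2 | 1 | 6 |
| Information Technology | 0 | 0 | 3 | 0 | 3 |
| Children’s Services | 0 | 0 | 1 | 0 | 1 |
| Health and Community Services | 1 | 0 | 0 | 0 | 1 |
| Total | 3 | 4 | 7 | 5 | 19 |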

The progress made in the implementation of the recommendations will be monitored through the internal audit follow-up process and will be reported to the Audit and Governance Committee as part of the periodic progress report.


Corporate

A) Corporate Governance – Member Induction

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 1 4

Overview:

This audit looked at the Member induction process to assess whether Members had been provided sufficient training to enable them to undertake their duties to the best of their ability. In addition, a review was undertaken of Members’ gifts and hospitalities and declaration of any interest.

The key finding from this review concerned the maintenance of the Members’ web pages. A recommendation was made that pages should be updated every six months, with a ‘nil return’ reported if appropriate, so as to demonstrate that the web pages were being updated on a regular basis. This was particularly important for gifts and hospitality and declaration of interests.

All recommendations were agreed; three have been implemented and the two remaining are not yet due and will therefore be followed up prior to the next quarterly report.

B) Budget Control

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 0 2

Overview:

This audit reviewed the systems and controls in place to monitor departmental budgets and for providing narrative to explain adverse/unexpected variances for the Corporate Management Team and Cabinet to review. The low recommendations raised in this report related to the lack of adherence to corporate procedures around budget virements and raising of purchase orders, and recording of budget holder information on SAP.

Management have agreed that implementation of both recommendations will be complete by the end of June 2011.


C) Commercial Properties

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

2 3 4

Overview:

This audit focused on controls in place to manage the Council’s commercial property portfolio. This included monitoring of rental income (including accounts in arrears), new leases and lease terminations, disposal of properties, rent setting and management of void properties.

Our findings highlighted control weaknesses leading to high or medium recommendations in the majority of areas reviewed. The overriding finding of the review was that the commercial property database was not utilised to its full capability. The team maintain numerous separate Excel spreadsheets, which they update in precedence to the system, and as such there is a risk of inaccuracies as well as a potential duplication of effort due to substitute recording methods.

The audit included a review on the progress made in implementing the 18 recommendations made in the previous audit report (2009/10). Insufficient progress has been made to implement the medium and low level recommendations and as such they were reiterated in this report.

Management have agreed all recommendations and that implementation will be complete by the end of July 2011.

D) Allocations to the Housing Revenue Account

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 0 0

Overview:

This audit reviewed the systems and controls in place with respect to recharging costs to the Housing Revenue Account. It has been found that, whilst there were previously concerns over the frequency and timeliness of communication regarding recharges to the HRA, these have been addressed through quarterly meetings between the Head of Housing Finance and the relevant parties. It was identified that these meetings were not being formally recorded and a suggestion was made, and accepted, to this effect.


E) Budget Setting

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 0 1

Overview:

This audit reviewed the controls that ensure the Council has a robust system in place to set departmental budgets which reflect the funding allocation cuts documented in the Grant Settlement, and that adequate reviews and challenges are undertaken to justify the savings proposals. The review identified that there is an adequate budget planning timetable/framework in place which outlines the key processes involved in the budget setting process. Whilst deadlines have not been adhered to this year, this is a consequence of the Grant Settlement, which was announced late in the financial year (13 December).

Budget options compiled by the cost centre managers highlighted that comprehensive budget working papers, background research, rationale and commentary support savings proposals. One low recommendation was made stating that finance managers should make available adequate resources to carry out all budget setting related tasks. This recommendation will be implemented in June 2011.

F) Use and Monitoring of Temporary Staff

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 1 0

Overview:

This review considered the way in which temporary staff are used to fulfil vacant posts in conjunction with how their work is monitored. For the most part, controls were in place and operating effectively. One medium recommendation has been raised concerning the need to maintain all business cases for temporary staff that have been employed to the Council. This was accepted for implementation by 1 October 2011 as it is linked to a wider re-designing of the process due to the introduction of the Agency Workers Regulations on this date.


Environment and Housing

A) Compliance with Investigation Processes and Efficiency - Housing Management and Housing Special Investigations Team

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

3 6 1

Overview:

At the time that this audit was commenced, the Housing Special Investigations Team sat outside of Housing Management. The service has, however, now moved into the new Housing Department. This audit looked at how the Housing Special Investigations Team refer suspicions of tenancy sub-letting to the Special Investigation Team and the processes in place for investigating sub-letting. At the time of the audit, one of the main issues raised was in relation to a lack of adherence to the Service Level Agreement in place between Housing Management and the Special Investigations Team, including the omission of operational processes and ineffective investigation procedures, together with limited management review of actions.

In addition, findings were noted around the structure of case files and filing procedures which are not robust. Management have agreed to implement all recommendations, with the majority having an agreed implementation date of September 2011.

B) Enforcement

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 14 4

Overview:

This audit focussed on controls in place over those Environmental Enforcement activities exposed to potential financial risk. This included income from Fixed Penalty Notices (FPNs), procurement, expenses claims, seizure of public property and security of assets. Our findings highlighted control weaknesses leading to a high number of medium level recommendations in all of the areas reviewed and due to a lack of retained documentation we were not able to provide assurance that either local or Council policies were being fully adhered to. In addition, at the request of management, we also reviewed security and usage procedures for surveillance equipment owned by the team. Findings demonstrated that the team did not include a number of items of surveillance equipment on their register and that security of these assets is poor. As such, they cannot ensure that use of the surveillance equipment is controlled, which represents a risk of unauthorised surveillance. Management have agreed to implement all recommendations made in the report with the latest implementation date being July 2011.

Managed Audits

A) Main Accounting System

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

2 2 1

Overview:

This audit focused on the Council’s main control accounts and the General Ledger Journal Protocol (journal protocol) as agreed by Senior Finance Managers in September 2009. The overriding finding of the review was that the new journal protocol has been effectively designed and allows greater flexibility to individual teams based on core principles and an appropriate level of control. However, testing demonstrated that these basic principles set out by the protocol had not been adhered to across the Council. As such, the Council may be exposed to an increased level of risk of error or misappropriation. All recommendations made in the report were accepted by management, with the latest implementation date being September 2011.

B) National Non Domestic Rates (NNDR)

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

4 4 2

Overview:

This audit reviewed the systems and controls in place within the NNDR function to ensure revenue is correctly identified, received and accounted for. Progress has been made in improving data and document management following the issues identified prior to the transition in-house. There are still some improvements that could be made in order to ensure that records are complete, and that systems facilitate adequate debt recovery and account management.

There is a potential for a broad review of information and communication flows throughout the organisation in relation to commercial property databases. Management have agreed to implement all recommendations made in the report. The majority of recommendations are due to be completed by the end of June 2011. However, two recommendations, one high and one medium, have agreed implementation dates of October 2011 due to the complexity of the required actions.

C) Payroll & Pensions

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

2 4 1

Overview:

This audit reviewed the payments to employees and pension recipients. Testing demonstrated that employees are correctly and promptly set up on the payroll once notification is received by the Payroll team and that payments were accurately calculated. Clear procedures are in place for each stage of the payroll run.

Control weaknesses were found around payroll records for fixed term contracts and prompt notification of leavers (both of which carry a risk of overpayments), support of the employee self-service / manager self-service (ESS/MSS) functions and use of the system for reporting. Management agreed to implement all recommendations by the end of June 2011.

D) Assets

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 1 2

Overview:

This audit reviewed the design of the control framework in place to ensure that all fixed assets are identified, disposed and accounted for correctly. The majority of procedures to bring the fixed asset register up to date are conducted as part of the year end process. We have made recommendations around updating the fixed asset register during the financial period and reducing the burden on resources as part of the year end process, which have already been implemented. The design of the procedures should mean that Southwark is well placed to ensure the register captures all information accurately, allowing financial statements to be produced accordingly.

E) Housing Rents

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 3 3

Overview:

This audit focussed on the controls in place over the Council’s Housing Rents processes. Minor control weaknesses were identified relating to the authorisation of amendments to rent figures and monitoring credit balances on tenants’ accounts. It was also noted that, although processes in place are generally well designed to mitigate potential risks, these are not always formally documented, which could lead to errors in the absence of key staff. Management have accepted all recommendations within the report, with the latest implementation due date of September 2011.

F) Other Income

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

3 4 8

Overview: This audit was undertaken as part of the 2010/11 plan and focussed on controls in place to manage central income from sources other than NNDR, Council Tax, parking and rents, as well as specific focussed testing on income controls at the borough’s Libraries and Early Years Centres. A high level review of controls in place to manage the Council’s Payment Card Industry Data Security Standard (PCI DSS) requirements was also undertaken. Controls in place to manage income at the Early Years Centres were generally found to be designed and operating effectively and only minor recommendations have been made in this area. Two significant control weaknesses were identified during the review of Libraries. These related to the use of non-standard invoices and to procedures for banking income.

Centrally, controls were found to be operating effectively overall. No concerns regarding the validity of transactions within SAP have been raised as a result of sample testing. The single high level recommendation made in this area relates to retention of authorisation documentation by teams when requesting that credit notes be raised.

Information Technology Audits

A) Windows Security

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 4 4

Overview:

The objective of this review was to assess the Council’s arrangements in place for the management of Windows security, including server (Active Security) and desktop configuration and adequacy of and compliance with policies. Overall, it was found that there is an adequate level of compliance with controls implemented by management to manage the risks of unauthorised access to the network. All recommendations made in the report were agreed with management and all medium recommendations are due to have been implemented by July 2011 at the latest.

B) IT Disaster Recovery

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 3 1

Overview:

The objective of this review was to assess the Council’s arrangements in place for the management of the recovery of IT systems. While this audit resulted in no high priority recommendations, it was noted that the Council has not yet fully linked the Disaster Recovery controls to the business impact analyses produced by the Business Continuity Steering Group. This increases the risk that the Council will not recover its IT infrastructure in complete accordance with the stated needs of the Council’s departments. There is also a recognised single point of failure, with only one connection from the Southwark IT network to the recovery site, which increases the risk of services not being available to users attempting to work from Southwark buildings after a disaster event. Whilst overall there is an adequate level of compliance with the controls implemented by management, a number of recommendations were made where existing controls should be improved or additional controls should be implemented. Management have implemented all recommendations made in the report.

C) Data Security – Cyclical Assurance

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

0 3 3

Overview:

This audit assessed the access controls in place to ensure the confidentiality and integrity of data in three systems: Acolaid (system to handle planning applications), Confirm (management of street assets) and Talis (library management). The audit resulted in three medium priority recommendations to strengthen controls in the following areas:

• include additional password control requirements in the corporate level Access Control Policy;

• enforce compliance with the user access management policies and procedures; and

• identify and implement security monitoring requirements.

All recommendations were accepted by management and have been implemented.

Children’s Services

A) Southwark Schools for the Future – Programme Governance and Communication

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

1 0 2

Overview:

This audit was undertaken in order to evaluate the adequacy of programme governance and communication processes to ensure the objectives of the Southwark Schools for the Future programme are achieved. It was confirmed that adequate processes and procedures had been developed by management to manage and monitor the delivery of the Southwark Schools for the Future programme. An effective joint approach is undertaken by the Council and the Local Education Partnership, known as 4Futures, to report the achievement of objectives to key stakeholders including the responsible monitoring body, the Strategic Partnering Board. Whilst appropriate governance structures are in place, attention needs to be paid to ensuring that change control requests submitted by the main contractor comply with the Council’s Change Control Protocol. A high rated recommendation has been raised in relation to this matter.

Low level recommendations were raised around having a risk register for the overall programme and undertaking a Lessons Learned exercise for Phase One. Management have agreed to implement all recommendations made in the report, with the high rated recommendation due for completion in June 2011 and the low rated recommendations due for completion in October 2011.

Health and Community Services

A) Mental Health

Overall Opinion

Recommendations Raised

HIGH MEDIUM LOW

7 2 0

Overview:

This audit was undertaken as part of the 2010/11 plan and looked at the controls in place for the monitoring of the pooled budget and arrangements for assessments and recharges. Controls were not adequate to ensure that SLAM and the Primary Care Trust were providing the Council with appropriate cost analysis and assessment information. There is a lack of information being provided on care cost for block placements and contracts. However, spot care provision is being adequately monitored and is clearly linked into CareFirst with payments being made correctly to care providers.

The quality of contract monitoring has improved in this financial year and the Council has demonstrated that improvements have been made in the monitoring of performance.

2.3 FOLLOW-UP WORK

Overall 39 recommendations were followed up. 24 (62%) recommendations were found to be fully implemented and six (15%) partly implemented. Four (10%) had not been implemented. One (3%) had been superseded and four (10%) were not yet due for implementation, including one rated high made in the Licensing audit.

One recommendation, rated high, had not been fully implemented. This was in the Approved List audit and related to choosing suppliers from the approved list in strict rotation. The approved list team are undertaking a series of briefings, on the guidance issued, with all appropriate officers to further enhance compliance with procedures.

Whilst there remains a risk to the Council until all recommendations are fully implemented, work is ongoing and there is no indication that it will not be completed.

We continue to monitor the implementation of high rated audit recommendations and are looking for all such recommendations to be implemented within three months of the report date wherever possible.

The following table shows the status of recommendations followed up.

Column groups: Made = Recommendations made; Status = Status (Where Followed Up); Outstanding = Outstanding (i.e. not yet fully implemented or superseded).

| Name of Audit | Dept | Date Report finalised | Made: High | Made: Med | Made: Low | Made: Total | Status: Implemented | Status: In progress | Status: Superseded | Status: Not yet due | Outstanding: High | Outstanding: Medium | Outstanding: Low | Outstanding: TOTAL |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Departmental Cash Handling – Fleet Management | DCE/Env | Jan 2011 | 0 | 2 | 5 | 7 | 1 | 2 | 0 | 0 | 0 | 2 | 4 | 6 |
| Payments to Foster Carers and Adopters | CS | Nov 2011 | 1 | 4 | 1 | 6 | 5 | 1 | 0 | 0 | 0 | 1 | 0 | 1 |
| Cash Handling | DCE | July 2010 | 0 | 0 | 4 | 4 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Approved List | Corp | Sept 2010 | 3 | 2 | 0 | 5 | 2 | 2 | 1 | 0 | 1 | 1 | 0 | 2 |
| Treasury Management | Mgd | Nov 2010 | 0 | 0 | 0 | 4 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Corporate Governance – Member Induction | Corp | Mar 2011 | 0 | 1 | 4 | 5 | 3 | 0 | 0 | 2 | 0 | 1 | 1 | 2 |
| Licensing | Env | Feb 2011 | 1 | 4 | 3 | 8 | 5 | 1 | 0 | 2 | 1 | 2 | 0 | 3 |

APPENDIX B - CONTEXT

The internal audit service provides the Council, through the Audit & Governance Committee, with an opinion on the adequacy and effectiveness of the organisation’s governance, risk management and control arrangements. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide to the Council is a reasonable assurance that there are no major weaknesses in risk management, governance and control processes.

The matters raised in this report are only those which arose during the internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. This report is prepared solely for the use of the Council of the London Borough of Southwark and its senior management team. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended, for any other purpose.

The opinions that can be given in a report are:

Graphic Opinion

Taking account of the issues identified, the Council cannot take assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied or effective. Action needs to be taken to ensure this risk is managed.

Taking account of the issues identified, whilst the Council can take some assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective, action needs to be taken to ensure this risk is managed.

Taking account of the issues identified, the Council can take reasonable assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective. However we have identified issues that, if not addressed, increase the likelihood of the risk materialising.

Taking account of the issues identified, the Council can take substantial assurance that the controls upon which the organisation relies to manage this risk are suitably designed, consistently applied and effective.

The priorities of the recommendations made are:

Priority: Description

High, Medium, Low: Recommendations are prioritised to reflect our assessment of risk associated with the control weaknesses.

Suggestion: These are not formal recommendations that affect our overall opinion, but are used to highlight a suggestion or idea that management may want to consider.

APPENDIX C – HIGH RATED RECOMMENDATIONS PARTLY IMPLEMENTED

Housing Management Contracts

Recommendation: Valid contracts should be in place with all of the Council's providers of housing services.

Original implementation date: March 2010

Current status: Partly Implemented. Significant progress has been made in this area to date. Of the three contracts specified in the original report, one is being brought back in house, one has been awarded and contracts signed, and one is going through procurement at the moment.

Markets

Recommendation: The Markets Office should continue to develop the database to make it fit for purpose and should set a deadline by which it is to be fully implemented. This development process should include an investigation into ways in which the accuracy of data could be improved, for example using hand-held machines to update the database so that information does not have to be entered twice. Once developed the database must be capable of holding the following information and undertaking the following reports:

- updated fees and charges;
- licence expiry dates;
- licences due to expire;
- variances between SAP and database data;
- other exception reporting.

When officers are satisfied the database is fit for purpose information should only be retained in one place.

Original implementation date: January 2011

Current status: Partly Implemented. The majority of fees and charges are on the system together with some other reporting, but more has still to be added or updated.

Section 31 and Pooled Budgets

Recommendation: Where contracts are not available, a plan should be developed to mitigate any identified risks arising for the Council from signed contracts not being available - particularly in terms of a financial or legal perspective. This may involve retrieval of contract information, either from archiving or the providers themselves, or the development of new written agreements.

Original implementation date: March 2011

Current status: Partly Implemented. The section’s focus has been on carrying out reviews and renegotiating existing placements and agreeing new contracts and moving people out of residential care. This issue has not been prioritised. New central broker team will be able to address this.