Annual report on Internal Audit Activity 2011 2012

Audit Committee

Date: 29th June 2012 Agenda No:

Title of Report: Annual Report on Internal Audit (IA) Activity 2011/2012

Purpose of Report: To provide the Committee with an annual report on Internal Audit Activity which fully meets the Head of Internal Audit’s annual reporting requirements, as set out in the CIPFA Code of Practice for Internal Audit in Local Government in the UK 2006.

Recommendations: It is recommended that the Committee:

1. Assesses, from the activities undertaken by Internal Audit and the Committee itself, relating to requesting and receiving progress reports from management relating to ‘limited assurance’ reports, that it can take reasonable assurance that the internal control environment, comprising risk management, control and governance is operating effectively;

2. Notes and ensures the performance of internal audit meets the required standards; and

3. Have regard to this report when considering the Annual Governance Statement.

Officer (s) Contact: Theresa Mortimer; Finance Manager; Internal Audit, Risk Management and Insurance Services. Tel: 01452 427013 [email protected]

Mark Spilsbury; Head of Finance. Tel: 01452 426127 [email protected]

Key Risks Failure to deliver an effective Internal Audit Service will prevent an independent, objective assurance opinion to be provided to those charged with governance that the key risks associated with the achievement of the Council’s objectives are being adequately controlled.

Report Content 1. Introduction 2. Responsibilities 3. Purpose of this report 4. Internal Audit’s Opinion on the Council’s Internal Control

Environment 5. Summary of IA’s Activity undertaken compared to that planned 6. Summary of IA’s Activity undertaken which informed our opinion 7. Summary of additional Audit Activity 8. Internal Audit Performance Appendix 1: End of year progress report 2011/2012 including audit

assurance opinions Appendix 2: Completed Internal Audit Activity during the period April –

June 2012 relating to 2011/2012 Planned Activity

internalaudit

ANNUAL REPORT ON INTERNAL AUDIT ACTIVITY

2011/2012

Gloucestershire County Council

1

(1) Introduction

All local authorities must make proper provision for internal audit in line with the 1972 Local Government Act (S151) and the Accounts and Audit (England) Regulations 2011. The latter states that authorities must “maintain an adequate and effective system of internal audit of its accounting records and of its system of internal control, comprising risk management, control and governance, in accordance with the proper practices in relation to internal control”. Within Gloucestershire County Council the Internal Audit function, which sits within Strategic Finance, carries out the work required to satisfy this legislative requirement and reports its findings and conclusions to management and to this Committee.

The guidance accompanying the Regulations recognises the “CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006” as representing “proper internal audit practices”. The Code defines the way in which the Internal Audit Service should be established and undertakes its functions.

(2) Responsibilities

Management are responsible for establishing and maintaining appropriate risk management processes, control systems (financial and non financial) and governance arrangements. Internal Audit plays a key role in providing independent assurance and advising the organisation that these arrangements are in place and operating effectively.

Internal Audit is not the only source of assurance for the Council. There are a range of external audit and inspection agencies as well as management processes which also provide assurance and these are set out in the Council’s Code of Corporate Governance and its Annual Governance Statement.

(3) Purpose of this Report

One of the key requirements of the Code is that the Head of Internal Audit should provide an annual report to those charged with governance, timed to support the Annual Governance Statement. The content of the report is prescribed by the Code which specifically requires Internal Audit to:

provide an opinion on the overall adequacy and effectiveness of the organisation’s internal control environment and discloses any qualifications to that opinion, together with the reasons for the qualification;

compare the actual work undertaken with the planned work, and presents a summary of the audit activity undertaken from which the opinion was derived, drawing attention to any issues of particular relevance;

summarise the performance of the internal audit function against its performance measures and targets; and

comment on compliance with the standards of the CIPFA Code of Practice for Internal Audit in Local Government in the UK 2006.

2

When considering this report, the Committee may also wish to have regard to the quarterly interim Internal Audit progress reports presented to the Committee and the Annual Report on Risk Management Activity 2011/2012.

(4) Internal Audit’s Opinion on the Council’s Internal Control Environment

In providing our opinion it should be noted that assurance can never be absolute. The most that Internal Audit can provide is a reasonable assurance that there are no major weaknesses in risk management arrangements, control processes and governance.

The matters raised in this report, and our quarterly reports are only those that were identified during our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that may exist or represent all of the improvements required.

We are satisfied that, based on the internal audit activity undertaken during 2011/12 and management’s actions taken in response to that activity, enhanced by the work of other external review agencies, sufficient evidence is available to allow us to draw a reasonable conclusion as to the adequacy and effectiveness of Gloucestershire County Council’s overall internal control environment.

In our opinion, for the 12 months ended 31 March 2012, Gloucestershire County Council has an adequate overall control environment, to enable the achievement of the Council’s outcomes and objectives.

(4a) Scope of the Internal Audit Opinion

In arriving at our opinion, we have taken into account:

The results of all internal audit activity undertaken during the year ended 31st March 2012 and whether our high and medium priority recommendations have been accepted by management and, if not, the consequent risk;

The effects of any material changes in the organisation’s objectives or activities;

Matters arising from internal audit quarterly progress reports or other assurance providers to the Audit Committee;

Whether or not any limitations have been placed on the scope of internal audit activity; and

Whether there have been any resource constraints imposed on internal audit which may have impacted on our ability to meet the full internal audit needs of the organisation.

3

(4b) Limitations to the scope of our activity

There have been no limitations to the scope of our activity or resource constraints imposed on internal audit which have impacted on our ability to meet the full internal audit needs of the Council.

(5) Summary of Internal Audit Activity undertaken compared to that planned

The underlying principle to the 2011/2012 plan is risk and as such, audit resources were directed to areas which represented ‘in year risk’. Since the original risk based plan was approved in April 2011 by the Committee, a number of additional audit activities have proved necessary and some of the planned audits were no longer required. Variations to the plan are required if the plan is to adequately reflect the ongoing changing risk profile of the Council.

The net effect is that although the work undertaken was slightly different to that originally planned we are pleased to report that we achieved our target of 80% of the revised plan.

The pie charts below summarises the percentage of planned audits per category of activity i.e. fundamental financial systems, governance, IT audit etc compared with the percentage of actual audits completed per category of review.

The two key areas of change to highlight relate to: the increase in consultancy and advice provided by Internal Audit to support the Interim Director of Operations within Adult Services and the Members Scrutiny Task Group for External Care which has also provided assurances to the Health, Community and Care Overview and Scrutiny Committee and the Budget and Performance Overview and Scrutiny Committee; and an increase in special investigations and irregularity work.

Further information, regarding these two areas of activity are provided below at paragraph 7.

The majority of staff resources have been taken from the operational risk category to enable resources to be focused to these high risk areas.

.

5

(6) Summary of Internal Audit Activity undertaken which informed our opinion

The schedule provided at Appendix 1 contains a list of all of the audit activity undertaken during 2011/2012, which includes, where relevant, the assurance opinions on the effectiveness of risk management arrangements and control processes in place to manage those risks and the dates where a summary of the activities outcomes has been presented to the Audit Committee. Explanations of the meaning of these opinions are shown below.

In addition, please refer to Appendix 2 which provides the summary of audits started in 2011/12 and undertaken during the period April–June 2012 i.e. those audits in the 2011/12 plan, not previously reported to this Committee.

Assurance levels

Risk Identification Maturity

Control Environment

Substantial

Risk Managed Service area fully aware of the risks relating to the area under review and the impact that these may have on service delivery, other directorates, finance, reputation, legal, the environment client/customer/partners, and staff. All key risks are accurately reported and monitored in line with the Corporate Risk Management Strategy.

System Adequacy – Robust

framework of controls ensures that there is a high likelihood of objectives being achieved

Control Application – Controls are

applied continuously or with minor lapses

Adequate

Risk Aware Service area has an awareness of the risks relating to the area under review and the impact that these may have on service delivery, other directorates, finance, reputation, legal, the environment, client/customer/partners, and staff, however some key risks are not being accurately reported and monitored in line with the Corporate Risk Management Strategy.

System Adequacy – Sufficient

framework of key controls for objectives to be achieved but, control framework could be stronger

Control Application – Controls are

applied but with some lapses

Limited

Risk Naïve Due to an absence of accurately and regularly reporting and monitoring of the key risks in line with the Corporate Risk Management Strategy, the service area has not demonstrated an adequate awareness of the risks relating to the area under review and the impact that these may have on service delivery, other directorates, finance, reputation, legal, the environment, client/customer/partners and staff.

System Adequacy – Risk of

objectives not being achieved due to the absence of key internal controls

Control Application –

Significant breakdown in the application of control

6

(6a) Internal Audit Assurance Opinions on Risk and Control

The pie charts provided below show the summary of the risk and control assurance opinions provided within each category of opinion i.e. substantial, adequate and limited.

(6b) Limited Control Assurance Opinions

Where audit activity record that a limited assurance opinion on control has been provided, the Audit Committee requests Senior Management attendance to the next meeting of the Committee to provide an update as to their actions taken to address the risks and associated recommendations identified by Internal Audit.

(6c) Audit Activity where a Limited Assurance Opinion has been provided on Control

During 2011/2012 only one audit review provided a limited assurance opinion on control, which related to ineffective systems and processes operating within the Integrated Transport Unit (ITU) – Home to School Transport Service. As a result of this review, it was reported to the January 2012 Audit Committee that in excess of £15k had been received back from contractors who had overcharged the Council. Since then arrangements have been agreed with contractors for the repayment of a further £17k. In addition, a referral was made to the Police, following which the defendant pleaded guilty to fraud, and the Council have been awarded £3,500 in respect of fraudulent claims, by a parent, for home to school travel expenses. Senior Management have provided updates to the Committee on actions taken to address the weaknesses highlighted and Internal Audit continues to advise the ITU on the implementation of the recommendations.

(6d) Adequate Control Assurance Opinions

Where audit activity record that an adequate assurance opinion on control has been provided where recommendations have been made to reflect some control weaknesses have been identified, the Committee can take assurance that improvement actions have been agreed with management to address these.

7

(6e) Internal Audit Recommendations

During 2011/2012 Internal audit made, in total, 151 recommendations to improve the control environment, 31 of these being high priority recommendations (100% of these being accepted by management) and 120 being medium priority recommendations (98% accepted by management).

The Committee can take assurance that all high priority recommendations will remain under review by internal audit, by obtaining regular management updates, until the required action has been fully completed.

(6f) Risk Assurance Opinions

There were no limited assurance opinions on risk during 2011/2012. However, where limited assurance opinions on risk are provided the relevant reports are given to the Risk Champions to ensure that the risks highlighted by Internal Audit are placed on the relevant risk registers. The monitoring of the implementation of the recommendations is then owned by the relevant manager and helps to further embed risk management into the day to day management, risk monitoring and reporting processes.

In addition, the Corporate Risk Management Team is provided with the Internal Audit reports where a limited assurance opinion is provided, to enable their prioritisation of risk management support.

(6g) Risk Management Arrangements (to be considered alongside the Annual Report on Risk Management Activity 2011/2012)

Risk Management arrangements were independently reviewed as part of the Use of Resources assessment undertaken by the Audit Commission. At the last review, the Audit Commission concluded that ‘GCC has demonstrated it has strong and effective arrangements for risk management in place and ensures risk management is embedded in its business processes, including strategic and financial planning and performance management. In addition, the management of risk is continuous, and it is alert to new and emerging risk being evident at both a corporate and a project level’.

In addition, during 2010/2011, 90% of the audited areas rated the effectiveness of the risk management arrangements as substantial (45%) or adequate (45%) with 10% obtaining a limited assurance opinion.

However, during 2011/2012, 100 % of the audited areas rated the effectiveness of risk management arrangements as substantial (51%) or adequate (49%) with no limited assurance opinions provided. This evidences that risk management continues to be further embedded into the Council’s business activities.

Internal Audit also undertake, on a rotational basis, reviews on the effectiveness of risk management arrangements, operating across all service areas, looking at the Strategic and Operational Performance/Business Plans and associated Risk Registers, to ensure that actions recorded to mitigate risks are in place and operating as intended.

8

This year, Internal Audit reviewed the arrangements operating within Strategic Finance and gave substantial assurance.

These internal and external assessments, coupled with the external recognition received for the numerous risk management initiatives undertaken over past years, the detailed risk based assurance statements obtained from all Directors (Commissioning and Operations) as part of the formulation of the Annual Governance Statement, has led Internal Audit to conclude that robust risk management arrangements operate within the authority.

(6h) Governance Arrangements Gloucestershire County Council has responsibility for conducting, at least annually, a review of the effectiveness of its governance framework including the system of internal control.

In undertaking this review GCC has :-

Set out the key documents and processes which incorporate its governance system;

Sought independent assurances from external assessments where available;

Obtained detailed risk based assurance statements from Directors (Commissioning and Operations), countersigned by either the Chief Executive, Deputy Chief Executive or Chief Operating Officer depending on line management responsibilities covering all areas of the business, to confirm that adequate governance arrangements are in place in relation to:

o Service delivery;

o Key partnerships;

o Risk management and internal control;

o Performance management;

o Financial management;

o Adherence to laws, regulations, rules and procedures;

o Human resources issues;

o Management of natural resources;

o Asset management; and

o Information governance.

We can confirm that this process is consistent with the Delivering Good Governance in Local Government: Briefing Note published by CIPFA.

One key issue to note is that Council commissioned an independent review of the Cotswold Water Park (CWP) in 2011/12, examining areas such as governance arrangements, adherence to policies and decision making processes. This is known as the ‘Garbutt Review’. The findings of the review have been considered by this Committee on 12th March. The recommendations, which include Mr Garbutt’s suggestions for the future course of the County Council’s relationship with CWP as well as matters concerning the general governance of the Council, have now been incorporated into an action plan that will be overseen by the Audit Committee. A plan has been developed which outlines the schedule of progress reporting to this Committee.

9

(7) Summary of additional Audit Activity

(7a) Special Investigations/Counter Fraud Activities

The Counter Fraud Team within Internal Audit received 14 new referrals in 2011/12 although we were also involved in 7 cases which were referred in previous years. 6 of the cases referred in 2011/12 are continuing to be investigated in 2012/13.

Of the 7 cases brought forward, three cases involved referrals to the General Teaching Council (GTC), one involved an employment hearing tribunal and another was a referral to the Police. Consequently these cases involved a lot of input from Internal Audit, especially the Counter Fraud Team.

One referral which was towards the end of 2010/11 and carried into 2011/12 formed part of a large review into home to school transport. The outcome of this review has been summarised above at paragraph 6c.

Of the cases brought forward, the Police investigation resulted in a guilty verdict and an award of £4,200 to the Council, two Headteachers were found guilty of unprofessional conduct by the GTC and an employee dismissal was upheld at the employment tribunal.

Internal Audit is also involved with two other referrals to the Police, which relate to potential financial mismanagement within an Adult Opportunity Centre and an Extended Hours Club attached to a school, which are ongoing, and another case relating to a care home at which GCC clients were placed, which has subsequently been referred to the Police by another authority.

Internal Audit has also been involved in other investigations/reviews which have not necessarily resulted in sanctions but in major procedural changes. One of these reviews, the Garbutt Review, involved a significant amount of input by Internal Audit.

Other counter fraud work involved a long term lease of a property used by the Council, and the failure to bring about a break of the lease, looking at Headteachers’ pay, and a complaint in respect of pensions.

National Fraud Initiative (NFI)

Internal Audit has continued to support the National Fraud Initiative (NFI) which is a biennial data matching exercise administered by the Audit Commission.

We made the initial data submission to the Audit Commission which resulted in the matches being supplied to Gloucestershire County Council at the end of January 2011. Most recommended matches were investigated by either internal audit or the appropriate service area.

The NFI exercise did not result in any major concerns, however 5 employees were highlighted that appeared to be off sick whilst working for another employer, these involved 1 or 2 days per individual. The information was provided to the relevant service areas to review and take action as deemed necessary. There was one case of a pension overpayment to a deceased pensioner (under £1,000 involved) and some matches between payroll and creditor payments.

10

Of the matches between payroll and creditors, two cases involved schools and the procurement of contract services from either someone employed at the school or a close relative of someone who worked at the school. Both schools were told of the possible problem but both declared they were aware of the situation and were happy that no irregularity had occurred. However, both agreed to implement changes to procedures to ensure there was a clear audit trail of procurement and that the persons involved with the contractors were not part of that process.

There were also in excess of 800 matches with blue badges and deceased persons. This does not necessarily mean that those badges are being used fraudulently, but since the issue of the badge the person had died. It was checked that no badge had been applied for after death. The data was passed to the Council’s blue badge team to ensure that fraudulent renewal applications were not received in the future in respect of these persons.

Matches between the Department for Work and Pensions (DWP) deceased data and community and adult care provision were investigated but it was established that no overpayments had been made, despite the data on the Council’s Electronic Social Care record (ERIC) system not always showing that the service user was deceased. These cases were highlighted to management to ensure that the Council’s database was reflecting the true position of these service users. There are however some matches that are still in the process of being checked.

To ensure effective outcomes, the Counter Fraud Team continues to fully collaborate with the following external agencies/assurance providers:

Various Police Forces as necessary; Other Local Authorities on National Fraud Initiative work; Audit Commission; and Local NHS Counter Fraud Specialists.

The Committee can take assurance that the Statutory Officers Group, comprising the Chief Executive, Director Strategic Finance (s151 Officer) and the Monitoring Officer are fully briefed on all such activity, monitor progress to date and approve all police referrals.

(7b) Key Consulting Activity

Adult Services External Care Budget

The Adult Services external care budget significantly overspent in 2009/10 and 2010/11 and in spite of a number of measures introduced to help to bring the budget back into line, the budget continued to be under pressure in 2011/12. However, these pressures were effectively dealt with during 2011/12, resulting in an end of year under spend position.

Internal Audit has supported management in undertaking ongoing consultancy work during 2011/12.

The review work has contributed to the work plan of the Interim Director of Operations within Adult Services and the Scrutiny Members Task Group for External Care, and provided assurances, as to actions being taken by management, to the Health and Wellbeing Overview and Scrutiny Committee and the Budget and Performance Overview and Scrutiny Committee and Cabinet.

11

The focus of the two reviews has been aimed at establishing if there are any key drivers that could explain the pressures being placed upon the external care budget, and to establish whether in the assessment of an individual’s care needs there are common standards being applied which result in value for money without compromising the quality of the care package provided.

It is important to note that there has been rapid change within this service area over the period of our review work, however, senior management within Adult Services have acknowledged that the issues emanating from the review work need to be fully addressed within the new systems and processes for the future delivery of care services.

The findings from the two reviews undertaken have highlighted a number of areas where improvements to the current arrangements are required and we have made a number of fundamental recommendations aimed at strengthening the risk management and internal control environment and in achieving better value for money.

Key findings from the first review undertaken were reported to the September 2011 Audit Committee, and those emanating from the second review are included within this report.

(8) Internal Audit Performance

Annual Review of the Effectiveness of Internal Audit

The Accounts and Audit (England) Regulations 2011 require relevant bodies ‘to conduct an annual review of the effectiveness of its internal audit’.

This process is also part of the wider annual review of the effectiveness of the internal control system, and significantly contributes towards the overall controls assurance gathering processes and ultimately the publication of the Annual Governance Statement.

The Accounts and Audit Regulations also states that internal audit should conform to ‘proper practices’ and it is advised that proper practice for internal audit is set out in the Code of Practice for Internal Audit in Local Government in the UK published in 2006 by the Chartered Institute of Public Finance and Accountancy (CIPFA).

To meet the above requirements a self assessment of the Internal Audit Service was undertaken by Internal Audit, benchmarking the service against this proper practice.

The Code consists of 11 standards (summarised below) which set out how the internal audit service should perform its functions, against which an annual assessment should be undertaken.

12

Standard Criteria

The Scope of Internal Audit

Deals with formal terms of reference, coverage/scope of the internal control environment and defining audit’s role in relation to fraud and corruption and consultancy work.

Independence Deals with overall organisational independence as well as auditors own independence and objectivity.

Ethics Sets minimum standards for the performance and conduct of all internal auditors under the four main principles of integrity, objectivity, competence and confidentiality.

Audit Committees Deals with the relationship between Internal Audit and the Audit Committee.

Relationships Sets out the principles of good relationships with management, other internal auditors, external auditors, other regulators and inspectors and elected members.

Staffing, Training & CPD

Deals with staff resources, skills, competencies and training.

Audit Strategy and Planning

Deals with the requirement to produce a strategy document and annual audit plan.

Undertaking Audit Work

Deals with risk based internal auditing, the processes to be carried out in individual audit assignments, incl. planning, fieldwork and quality control.

Due Professional Care

Deals with auditor competence, responsibilities, and diligence.

Reporting Sets out the principles of reporting on audit assignments, identifying risk exposure, follow up and escalation procedures and providing an annual opinion on the control environment.

Performance, Quality and Effectiveness

Sets out the need for an audit manual and establishing quality and performance measures.

13

Internal Audit Self Assessment against the Code of Practice

The Code of Practice contains a checklist (containing around 190 detailed questions), which has been used by Internal Audit as the basis for the self assessment. (The detailed self assessment, running to 50 pages is available on request).

The self assessment against the Code of Practice has identified that the internal audit service fully meets the requirements of the Code.

However, due to collaborate working between the Chartered Institute of Public Finance and Accountancy (CIPFA) and the Chartered Institute of Internal Auditors (CIIA), a board has been developed called the Internal Auditors Standards Advisory Board (IASAB) which is tasked with the development of a revised Code of Practice for UK wide public sector bodies, which includes Local Authorities.

It is anticipated that the new code will be effective from April 2013. To ensure we continue to meet the required professional standards, Internal Audit will undertake a self assessment against this new code and revise the Internal Audit Strategy and implement any changes, as required.

Internal Audit Self Assessment – Action identified to enable continued improvement Improvement Area Action Required / Taken Internal Audit will undertake a self assessment against the new Code of Practice for Local Authorities and revise the Internal Audit Strategy and implement any key changes, as required.

Self assessment to be undertaken following release of the new Code during the later part of 2012/2013.

The revised self assessment and Audit Strategy to be presented to the Audit Committee for Approval in June 2013.

Customer Satisfaction Survey results 2011/12

At the close of each audit review a customer satisfaction questionnaire is sent out to the Service Manager or nominated officer. The aim of the questionnaire is to gauge satisfaction against areas such as timeliness, quality and professionalism. For each question, within each of the categories as detailed below, customers are asked to rate the service between excellent, good, fair and poor. A target of 80% was set where overall, audit was assessed as good or better. The latest results as summarised below, shows that the target has been exceeded, with the highest score of 92.3% reflecting Internal Audit as being a positive support to their service.

14

In addition, the following positive comments have been received from our customers:

‘The auditor handed me a complete evidential package which required no further work on my part. She has conducted an extremely thorough investigation and gathered all of the evidence necessary to support a prosecution at court. The auditor has obtained statements from other staff members, which are of a very high standard and produced all of the necessary exhibits. I have been very impressed with the quality of her work’. (Gloucestershire Police)

‘Shorter report with less description of process and background information’ (Internal Audit has taken action to reduce the length of reports).

‘The opportunity to meet regularly with the auditor to discuss and resolve issues, particularly towards the end of the process, was welcome’.

‘The auditor worked well with all involved and was especially flexible in meeting the challenges in doing this review for the first time’.

‘Dates of audits planned ensured there was minimal disruption’.

‘The audit gave the ability to discuss best practices seen in other establishments’.

‘The feeling that the process was there to help us to improve and acknowledge progress made was refreshing’.

‘I would just like to say thank you as I have found the audit process useful and reassuring’.

‘Personal positive feedback to an auditor thanking for the support provided to a Members Task Group’.

‘Audit is a daunting prospect and I appreciated the positive and constructive approach’.

‘Cooperative nature of the audit and the fair way that the findings were communicated’.

End of year progress report 2011/2012 including audit assurance opinions Appendix 1

Activity Status Control Assurance

Risk Assurance Reported to Audit

Committee

Comments

A - Strategic FinanceSupplier A - Consolidated invoices Final Report issued Adequate Adequate 29/06/2012

Management of LGPS Final Report issued Adequate Adequate 28/06/2011

Capital Programme Management Final Report issued Substantial Adequate 28/06/2011

Activity

Pensions Bank Reconciliation Final Report issued Substantial Substantial 19/01/2012

Bank Reconciliation Final Report issued Substantial Substantial 19/01/2012

Key Controls Review Final Report issued Substantial Substantial 29/06/2012

Major Systems Review - Payroll Draft Report Issued

Debtors System - Income Collection Audit in progress Carried forward to 2012/13

VAT - General Audit Cancelled Not Applicable Not Applicable N/A

Monitoring arrangements for receipt of Government Grants Final Report issued Adequate Adequate 29/06/2012

Audit of Purchase Card System Audit in progress Carried forward to 2012/13

B - GovernanceMtC projects - Effectiveness of Governance arrangements Final Report issued Adequate Substantial 29/06/2012

Compliance with Financial Regulations Draft Report Issued

Impact on controls of new ways of working, including lean reviews Consultancy & Advice Not Applicable Not Applicable 29/06/2012

CRB processes in high risk areas Audit in progress Carried forward to 2012/13

Review of Governance arrangements in respect of Commissioning Cancelled Not Applicable Not Applicable N/A

Code of Ethics and Business Principles Planned Carried forward to 2012/13

C - CommissioningTraffic Signals - Tender for updating LEDS Final Report issued Not Applicable Not Applicable 26/09/2011 Review of complaint from unsuccessful tenderer

Residual Waste Project Final Report issued Adequate Substantial 19/01/2012

Major Contract - Order of St John Audit in progress Replaced by consultancy (See 7b)

Fire Service PFI Cancelled Not Applicable Not Applicable N/A

Transport for Social Care (Childrens' Services) Cancelled Not Applicable Not Applicable N/Ap ( ) pp pp

Pupil Referral service Planned Carried forward to 2012/13

Gloucester Language Immersion Centre Cancelled Not Applicable Not Applicable N/A

Contracts - Landfill Cancelled Not Applicable Not Applicable N/A

Major Contracts - Brandon Trust Planned Replaced by consultancy (See 7b)

Risk transfer and insurance cover in major contracts Cancelled Not Applicable Not Applicable N/A

D - Service DeliveryConcessionary Fares Final Report issued Adequate Substantial 19/01/2012y p q

Direct Payments - Children with Disabilities Final Report issued Adequate Adequate 19/01/2012

School Deficit Budgets - Follow up Final Report issued Substantial Substantial 29/06/2012

Direct Payments - Adults Audit in progress

Non payment of service user contributions/ write offs - Follow up Cancelled Not Applicable Not Applicable N/A

Home Care Contracts Planned Carried forward to 2012/13

External Care Review Follow up Planned Replaced by consultancy (See 7b)

Capital receipts/disposal of properties Draft Report issued Carried forward to 2012/13p p p p p p

Discretionary payments to foster carers Audit in progress

Retained Fire Fighters Fees Cancelled Not Applicable Not Applicable N/A

Mobile phone - monitoring usage Consultancy & Advice Not Applicable Not Applicable 19/01/2012

Compliance with general social care best practice - Social Work Taskforce - caseload management

Planned Replaced by consultancy (See 7b)

Implementation of Putting People First programme Planned Replaced by consultancy (See 7b)

Top up payments to Adults Final Report issued Substantial Substantial 29/06/2012

BT landlines Draft Report Issued

15




Committee

CommentsActivity

Fire & Rescue workshops Cancelled Not Applicable Not Applicable N/A

Supporting Active Communities - small grant scheme Cancelled Not Applicable Not Applicable N/A

Schools Audit Programme Final reports issued Adequate Not Applicable 29/06/2012

E - Partnership/ shared servicespManagement review of recycling credit claims from district councils Final Report issued Adequate Substantial 26/09/2011

Review of Partnerships/Shared Services/Third Party Governance arrangements

Cancelled Not Applicable Not Applicable N/A

Information Management Shared Services (Childrens' Services) Final Report issued Adequate Substantial 29/06/2012

F – Corporate Value for Money ReviewsAppeals process Final Report issued Adequate Substantial 26/09/2011

G – Internal Audit CertificationC / f S / /Carbon emissions data energy / fuel emissons Final Report issued Adequate Substantial 26/09/2011

CRC - Energy Efficiency Scheme Final Report issued Adequate Substantial 26/09/2011

City Employment and Skills Plan Grant Claim 2011_12 Final Report issued Not Applicable Not Applicable 19/01/2012

Stroke Care Grant Cancelled Not Applicable Not Applicable N/A

Former LSC funding of further education Final report issued Not Applicable Not Applicable 29/06/2012


Gloucester Heritage Link Scheme Final Report issued Not Applicable Not Applicable 19/01/2012


H - Irregularity workITU Home to school transport investigation Final Report issued Limited Adequate 26/09/2011

Fraud investigation detection Ongoing Not Applicable Not Applicable 29/06/2012

National Fraud Initiative Complete Not Applicable Not Applicable 29/06/2012

I- Information SystemsSupplier B Data Network Service Final Report issued Adequate Adequate 29/06/2012

Liquid Logic Final Report issued Adequate Adequate 29/06/2012

Transactional Website Final Report issued Substantial Substantial 29/06/2012

Adult Social Services Information Management Systems - ERIC Final Report issued Adequate Adequate 29/06/2012

IT Change Management Final Report issued Adequate Adequate 19/01/2012

Back up and restoration of systems applications, and data including ICT BCM arrangements

Cancelled Not Applicable Not Applicable N/A

Information Management / Security consultancy Cancelled Not Applicable Not Applicable N/A

Penetration testing vulnerability scanning and internal health check Cancelled Not Applicable Not Applicable N/APenetration testing, vulnerability scanning and internal health check Cancelled Not Applicable Not Applicable N/A

Secure disposal of hardware/confidential waste Cancelled Not Applicable Not Applicable N/A

User Information Security Review Cancelled Not Applicable Not Applicable N/A

J – Emerging Risks / including carry forwards from 2010/11 planVER Pensions Final Report issued Adequate Adequate 26/09/2011

Treasury management Final Report issued Adequate Adequate 28/06/2011

LAA - Performance targets stretch targets/indicators Final Report issued Adequate Adequate 28/06/2011

Debtor rite offs o er £5k Final Report iss ed Adeq ate Adeq ate 19/01/2012Debtor write-offs over £5k Final Report issued Adequate Adequate 19/01/2012

Asset Management Final Report issued Adequate Adequate 26/09/2011

Engineering Contract Final Report issued Adequate Substantial 28/06/2011

Cash Receipting Process Final Report issued Adequate Substantial 26/09/2011

Transport Services - follow up Final Report issued Adequate Substantial 26/09/2011

Panel spend - cost pressures (new) Final Report issued Not Applicable Not Applicable 26/09/2011 Consultancy

Budget Monitoring Processes / working group (new) Final Report issued Not Applicable Not Applicable 19/01/2012 Consultancy

St ff S A t A dit iStaff Severance Agreements Audit in progress

16




Committee

CommentsActivity

RM - Managers' Actions - Strategic Finance Final Report issued Substantial Substantial 29/06/2012

RM - Managers' Actions - HR Draft Report Issued

Audit System and Processes review Ongoing Not Applicable Not Applicable N/A New Audit Management System development and implementation

Accounts and Audit Regulations Review of the Effectiveness of Internal Audit Ongoing Not Applicable Not Applicable 29/06/2012

Creditors Final Report issued Adequate Substantial 28/06/2011

Fixed Asset - Property Valuations Final Report issued Adequate Adequate 28/06/2011 Carried frorward from previous year

Deprivation of capital and disregarded properties Ongoing

Gloucester Panel Spend Final Report issued Not Applicable Not Applicable 29/06/2012 Consultancy

Fostering write-offs over £5k Final Report issued Adequate Adequate 29/06/2012

17

Appendix 2

18

Completed Internal Audit Activity during the period April – June 2012 Summary of Adequate Assurance Opinions on Control

Service Area: Strategic Finance Audit Activity: Consolidated Invoices – Supplier A

Scope

Supplier A are contracted to place advertising and public notices in media publications as instructed by Gloucestershire County Council (GCC). To streamline the payment process GCC is billed on a monthly basis through a consolidated invoice and electronic data files to detail the charges incurred. The objectives of this audit were to review the procurement process and to evaluate the processes in place for placing notices with Supplier A and ensuring the accuracy of payments.

Risk Assurance - Adequate

Control Assurance - Adequate

Key findings

That the contract works well with regular communication between the officers placing notices for GCC and their contacts at Supplier A.

The procurement was undertaken by HR in an effective manner and the processes complied with the Council’s Contract Standing Orders and EU legislation. Appropriate records were held to support the evaluation and selection of the preferred supplier.

Invoices were being sent direct to Payments and Income and therefore were not being reviewed for reasonableness by the contract lead officer in HR prior to being paid.

Despite limited checking taking place by GCC staff, we found that the majority of the individual costs did reflect what was originally quoted. However, in order to enable budget holders to verify expenditure, the process of confirming costs and gaining authorisation to proceed with the order could be improved.

At present there is an informal agreement whereby Supplier A retain 4% of the value of Public Notices placed for future reinvestment with them in social media activities and social branding by HR.

HR has responded positively by taking the following action:

Invoices are now initially received by the lead contract officer in HR. This officer reviews the invoice for reasonableness prior to authorising it to be paid by Payments and Income.

A copy of the management information received with the invoice is now sent to all officers who have placed an order and to the respective budget holders, which will enable an increased check of the individual payments to be made.

Appendix 2

19

To formalise the arrangements and ensure transparency, a variation to contract is being completed to cover the reinvestment fund, which in future will be sent to GCC on a monthly basis and will no longer be held informally by Supplier A.

Service Area: Strategic Finance Audit Activity: Monitoring arrangements for the receipt of government grants

Scope

This audit reviewed the systems in place with regard to the receipt of government grants to ensure that we were fully aware of monies due and that all income was received.



Key Findings

Through discussions with finance staff in both capital and financial accounting it was ascertained that each section retains their own records of income due and there are processes in place to follow up outstanding grants.

Details are kept of grants that need to be signed off by the Section 151 Officer, as well as ones that require audit certification.

One best practice point was made relating to the details that are required by the income section of Financial Administration, to ensure that when the income is received, it can be coded correctly.

Service Area: Enabling and Transition Audit Activity: Meeting the Challenge - Review of the effectiveness of general and

financial governance arrangements

Scope

In August 2010 the Council (in response to planned cuts in funding from central government) launched the Meeting the Challenge (MtC) programme which has been designed to contribute to the £114m of savings that need to be made over a four year period commencing from April 2011.

The objectives of the audit were as follows:

To ensure that robust governance arrangements are in place for managing the MtC programme as a whole, and that project managers are adopting the GCC minimum standards that are required to be followed within their projects/programmes; and

To ensure that robust financial governance arrangements are in place and that the projects within the overall programme have delivered, are delivering, or will deliver the target savings.

Appendix 2

20

Risk Assurance - Substantial

Control Assurance – Adequate

Key findings

For the general governance arrangements our principal conclusion is that during a period of significant change for the Authority the governance framework developed and implemented for the MtC programme is in line with national guidance and has proved effective. Our key findings were:

The governance framework has been well designed to fit in/around the ‘old’ directorate set-up and the challenge was to tailor this to reflect the Council’s revised structure under the New Operating Model (NOM);

That the Portfolio Office/MtC team and HR have played key roles in supporting the MtC programme through early engagement with the project managers and providing guidance and advice at the initial scoping and planning phase. Whilst good support has also been provided by Legal Services this is less structured with the onus on the project manager to make the first move. In order to ensure that all legal risks are identified and evaluated the Operational Board to consider whether a more formal approach should be considered;

During the first year of the MtC programme the Portfolio Office/MtC team has performed a Quality Assurance (QA) role on the information entered into the VERTO programme management system by the project managers and has coordinated the reporting arrangements to the Operational Board and Steering Group. Under the NOM arrangements there was a need to review roles and responsibilities, to clarify the QA and challenge role of the MtC team and new portfolio office to avoid duplication;

Overall project managers have adopted many principles of the required minimum standards within their projects, albeit they are not always fully documenting these as required;

There is a need to strengthen the change control process through the Project Sponsor/Manager submitting a detailed report to the Operational Board to enable an informed decision to be made and to understand why this project has effectively failed to deliver the expected savings; and

A need to strengthen the risk management arrangements within the MtC programme and to review and enhance the reports received by the Operational Board to cover cumulative risks facing the programme as a whole and not just project risks in isolation.

For the financial governance arrangements our principal conclusion is that the forecast savings figures that are being reported appear to be reasonable and confirm the messages that the 2011/12 savings will be achieved. Our key findings were:

Appendix 2

21

The savings targets are well communicated and well understood by all parties concerned. The nature of the projects is also understood and monitoring systems are in place to confirm whether the projects will deliver the target savings;

On the whole, financial reporting systems are robust and consistent messages are being given in terms of whether the savings targets will be achieved or whether there is any slippage;

Inconsistencies in project references and the reporting of actual and forecast savings were identified across the various financial reporting systems (the ‘MTFS and MtC savings’ spreadsheet, VERTO and the Quarterly Performance report). Protocols for recording financial information should be developed, communicated and monitored to bring about improvements in this area. Management has responded positively that measures are in place to address this immediately;

Actual savings to date were the most difficult figures to verify because of the way that the MtC projects are monitored within the core business SAP cost centres. The actual savings for the projects could not always be traced through to SAP. The Finance Officers and Project Managers have to rely on other systems to identify actual savings figures for recording on the Finance spreadsheet and on VERTO. Management has agreed to review the recording of actual savings at the end of 2012/13 due to the overall budget being reconfigured between Commissioning and Delivery;

All the transactional data for the projects is recorded within SAP cost centres. There is provision for the cost centres to be recorded on VERTO but this is not being used in the main. A review of the cost centres across all the projects could be a useful way to identify if any savings are being duplicated. Management has responded that it would now be timely to add cost centre information to VERTO to facilitate the reconciliation of savings; and

Overarching reconciliations should be undertaken to ensure that financial information that is recorded on the different systems is consistent and reported accordingly. Management has responded positively that measures are in place to address this immediately.

Appendix 2

22

Service Area: Enabling and Transition Audit Activity: Supplier B - Data Circuits Billing

Scope

To assess the effectiveness of the systems and processes in place to ensure accuracy and completeness of information held on the XAssets database (i.e. inventory of ICT assets), with regards to GCC data circuits;

To ascertain the effectiveness of the systems for recording data circuits which are no longer in use, ensuring they reflect the correct credit management arrangements;

To ascertain the level of GCC ICT team monitoring arrangements to ensure that this element of the XAssets database is kept up-to-date;

To establish the time periods for billing and assess the effectiveness of the budget monitoring arrangements; and

To ensure that the impact of the new module, for the XAssets database has been considered and the revisions are reflected in the budget monitoring and data circuits management arrangements.



Key findings

No high priority recommendations were made; the general areas in which we asked for recommendations to be considered were:-

The risk of additional data circuit invoices being paid in error after the circuit has been ceased and the final invoice has been settled;

The risk of continuing to pay invoices on a data circuit that is no longer in use but has not been reported as such to ICT;

The need to ensure that there are adequate separation of duties with the systems and processes of the use of the new database module;

Formalisation of the reporting process from ‘Solarwinds’ (i.e. software to monitor traffic flows on data circuits), via the ICT Support Team, of circuits identified with no ‘traffic’, possibly denoting a dormant circuit;

Formalisation of the authorisation financial levels above which the Technical Administrator needs to refer any discrepancies between the expected invoice fee and the actual invoice fee; and

The benefits of ensuring consistency of annotated information on the ‘pink slips’, attached to the invoices for payment processing.

Management responded positively to all recommendations made.

Appendix 2

23

Service Area: Information Systems Audit Activity: Liquid Logic

Scope

In November 2011 the Council purchased a computer system, Liquid Logic, to provide a consolidated database to manage all children’s services both education and welfare, to replace the previous Capita application. This audit reviewed the controls in place to manage the risks to information assets owned by Children and Families specifically focussing on system development and data security controls.



Key findings

Effective information management relies heavily on the Council and individuals understanding the risks associated with the data and implementing controls to restrict access to authorised officers. Our findings conclude that:-

The Liquid Logic application was implemented in accordance with the Council’s project management process;

Information security management has been implemented in accordance with standards and accords with ‘good practice;

All officers attend training before accessing the application or associated data; and

An administration team is in place to support the users.

Four areas of improvement have been identified within existing processes which when implemented, could further reduce the risk of unauthorised access to the IT system. These improvement areas are as follows:

Documentation of administration processes should be completed;

Documentation of operational processes should be completed;

The format of passwords requires review; and

System administrators are not always informed when officers change their job role and no longer require access to the application.

None of these improvement areas were considered fundamental and Management responded positively to all recommendations made.

Appendix 2

24

Service Area: Information Systems Audit Activity: ERIC

Scope

To review the information security management process in place within Adult Services, specifically information held within the in-house developed ERIC IT system. Focusing on the controls in place over system development, expansion of use to partner organisations and data security controls.



Key findings

We found that overall; information security management has been implemented in accordance with standards and accords with ‘good practice’. Our key findings conclude that:-

The ERIC application incorporates effective access restrictions;

The Council’s change management process is used for applying changes to the application;

All officers must attend training before accessing data;

Management monitor use of the application;

An applications support team supports the users; and

All access to data, read or change, is recorded in audit logs.

Four areas of improvement were identified, which are as follows:

The Applications Support Team are not routinely informed when officers change their job role and no longer require access to the application;

The procedures and process documentation for the administration of ERIC are not available;

Data access is not routinely reviewed to ensure access is necessary and reasonable; and

Data owners are not informed when their data has been entered by clerical staff to enable them to check the data has been entered correctly.

None of these improvement areas were considered fundamental and Management responded positively to all recommendations made.

Appendix 2

25

Service Area: Children and Families Audit Activity: Schools

Scope

The Council’s Chief Financial Officer (S151 Officer) is required to submit an annual return confirming that there is a system of audit in place for Local Authority maintained schools which gives adequate assurance over their standards of financial management and the regularity and propriety of their spending. Whilst Internal Audit provides independent assurance as to the effectiveness of these financial management arrangements within the schools audited, the S151 Officer also gains assurance from other providers, such as the Schools Finance Team within Strategic Finance.

Risk Assurance - N/A

Control Assurance - Adequate (for all 8 schools)

Key findings

Internal Audit’s activity within schools is prioritised based on risk and as such, eight primary schools were visited during 2011/12. Individual reports were issued to each school visited.

Whilst no high priority recommendations were made at any of the schools visited, common themes across all eight schools, were identified. In response, Internal Audit issued a newsletter to all schools, highlighting these ‘financial risk’ areas and recommending mitigating action that can be taken by the schools, these included:

Failure to plan ahead for future income and expenditure which could result in unplanned overspends against budgets;

Reconciliation of school fund bank accounts not being completed and accounts not being audited; and

Lack of evidence to show that best value has been obtained when purchasing goods/supplies.

Service Area: Children and Families

Audit Activity: Joint NHS/GCC Looked After Children Audit : Information Sharing

Scope

The Care Quality Commission and OFSTED published a report in January 2011 that, amongst other things, identified improvements that were required in relation to the data that is held for Looked After Children. As a result, this audit was requested to provide assurance that the necessary improvements are being made.

Appendix 2

26

The audit focused on the following three areas:

Undertaking a sample file review of the Health Plans and Care Plans that are held on GCC’s new Liquid Logic system;

Holding a focus group to establish whether the Social Workers have received sufficient training to interpret the health assessment information from the NHS and to create quality and time bound Health Plans and Care Plans on Liquid Logic; and

To review the IT governance arrangements in place for information sharing between the two organisations.



Key findings

The file review demonstrated that the health assessments are being carried out in the main and sent to GCC. There was less evidence of the health assessment form (Part C) being available for review on Liquid Logic. The reason for this seemed to be as a result of administrative and process issues within GCC. However, in only 25% of the sample files that were reviewed, had the information from Part C been properly translated into a Health Plan/Care Plan. Very strict criteria were applied when making these judgements but this still shows that insufficient improvements have been made in the quality of the Health Plans that are recorded on Liquid Logic. As a result, the current system of internal file audits should be maintained until such time as improvements can be identified. The results of the internal file audits should be analysed in order to determine what improvement actions and training is required. This has been agreed.

The focus group that was held was a useful means of determining the reasons for the above shortcomings. Although training on the new Liquid Logic system has been provided, it was agreed that further refresher training is required. It was also agreed that further practice improvement sessions should be organised where examples of good practice and required systems and procedures could be shared. This should result in better quality Health Plans being produced and systems and procedures being more consistently applied.

For the IT governance arrangements, high level and second level overarching agreements are in place and have been signed. The second level agreements are in the process of being updated onto the new template.

Both the NHS and GCC understand the risks associated with data transfer in relation to the health assessment information. Current IT constraints have resulted in a convoluted and time consuming system being put in place but this has been necessary to mitigate against the risks. Both parties recognise that more efficient IT systems are required to streamline the process and work is being done to achieve this.

Appendix 2

27

Service Area: Children and Families

Audit Activity: Fostering and Residence Order Write Offs over £5,000

Scope

At the request of the previous Group Director: Business Management, we carried out a review of write-offs with a view to examining whether systems had been improved to prevent or reduce the number of future write-offs. This report only relates to fostering allowance debts. A separate report has been issued in respect of Community Care debts written off.



Key findings

The procedure is that debts recommended for write-off are passed to the Finance Manager, Tax, Control and Pensions within Strategic Finance who writes a short summary of why it is being recommended for write-off and sends this to the Director; Strategic Finance for approval.

We reviewed one fostering overpayment write-off and two ongoing fostering allowance debts over the last 18 months, to question the reasons for the write-offs, actions taken to improve systems and whether system improvements had in fact been implemented.

Based on those cases we reviewed there were a number of inherent problems within the fostering system which may explain why a fostering overpayment may occur:

Inadequate exchange of information between the fostering social worker and the child’s social worker which may result in the fostering social worker not being aware that the child social worker has not sent in the change sheet;

The fostering social workers only have electronic read access on the Capita system and therefore they do not tend to use it; and

No interface/link between the Capita and Fostering Payments system.

The following important developments will hopefully address some of these issues:

The development of a stand-alone system that will provide an interface between a new system being introduced from November 2011 and the Fostering Payments system; and

Requirement for the fostering social worker to link with the child’s social worker, to know each child’s plan, and who the key professionals are supporting the child.

In addition we have agreed for the following action to be taken to improve controls:

Social workers to be reminded about updating the system and completing the change sheets promptly and sending them to Care Services Finance Team; team managers to monitor that this is happening at supervision meetings;

Appendix 2

28

Fostering social workers to inform Care Services Finance Team when a placement has ended; Care Services Finance Team to request a change sheet from the child’s Social Worker, if one has not already been completed;

Annual social care review of residence order allowances in addition to the existing annual FAB assessment;

Reminding carers of their responsibility including notifying the County Council when a placement has ended;

Carry out a post-implementation review 6 months after the new system has been introduced; the new case recording system was introduced in November 2011 but the new payment system has yet to be introduced;

Fostering and adoption team managers to check SAP for invoice credits during budget monitoring;

The Principal Accounting Technician – Strategic Finance will highlight fostering and adoption debts on the aged debt report and send the report to the Fostering and Adoption Service Manager monthly;

The Principal Accounting Technician – Strategic Finance to send in-house Foster Placement report to Social Care and Children in Care Teams monthly; teams will be asked to check that placements are current; and

Prompt dealing of debts by team managers, referred by Care Services Finance Team for further recovery action instructions.

Management responded positively to recommendations made.

Appendix 2

29

Summary of Substantial Assurance Opinions on Control Service Area: Strategic Finance

Audit Activity: Key Controls - Payroll

Scope

Internal Audit works with the Audit Commission on an annual basis to identify key financial systems where Internal Audit will provide the assurance that the Audit Commission requires to enable them to sign off the annual accounts.

For 2011/12 Internal Audit agreed to carry out testing in the areas of Payroll and General Ledger (journals).


Control Assurance - Substantial

Key findings

This audit covered the Payroll area only and the audit included a review of the following standing data on SAP:

Tax rates;

NI;

Superannuation; and

Pay scales.

All of the tables in SAP that contain the standing payroll data were reviewed. The sources of information and the systems in place to upload and test all the data were also reviewed. All the rates that were held in the SAP tables for 2011/12 were correct. No recommendations were made.

Appendix 2

30

Service Area: Strategic Finance Audit Activity: Risk Management

Scope

It is a requirement that Internal Audit review, on an annual basis, the effectiveness of risk management arrangements operating within the Council. During 2011/2012, Internal Audit examined these arrangements within a selection of service areas which were previously under the umbrella of Business Management. Internal Audit selected five of these eight service areas for review. This review focused on the effectiveness of managing risk within Strategic Finance and covered the following areas:

Identification and assessment of risks;

Mitigating controls;

Risk registers;

Risk monitoring and review arrangements; and

Management of risk mitigation actions.


Control Assurance – Substantial

Key findings

Based on our audit review we have concluded that risks are well managed, are monitored frequently and officers are quick to respond to factors which influence risk ratings. We made only one recommendation (not high priority) which is summarised below:

The consequences section for 3 of the 10 financial strategic risks in Performance Plus (Corporate performance and risk reporting database) was not completed and we recommended that this section should be completed for all Financial Strategic Risks to demonstrate that the consequences of the risks crystallising have been assessed.

Management has agreed to implement this recommendation with immediate effect.

Appendix 2

31

Service Area: Information Systems Audit Activity: Transactional Website

Scope

This audit reviewed the governance and management arrangements in place to ensure the underlying ICT transactional website application was developed and implemented using sound project controls and would ensure compliance with Payment Card Industry Data Security Standard (PCI DSS). Specifically the audit examined the following project management control objectives:

Governance arrangements for the ICT project were defined and implemented;

The project was closely monitored and co-ordinated within the ICT programme of work;

The ICT project was managed in line with good practice (e.g. PRINCE2); and

The key IT controls for the Electronic Payments complies with the requirements PCI DSS.

Risk Assurance - substantial

Control Assurance - substantial

Key findings

We found that the underlying technology and project methods used to develop the Transactional Website accords with ‘good practice’ and that:

Effective governance arrangements were defined and implemented;

The Council produced and used project management guidance;

The project was owned, directed and managed by appropriately qualified officers;

Training was provided where required;

A project initiation document and a project plan were developed and documented; and

The software used for taking card payments is a PCI DSS compliant product and the Council have implemented various security controls e.g. firewalls.

We found no areas of weakness and therefore no recommendations were made.

Appendix 2

32

Service Area: Children and Families Audit Activity: Schools’ Deficit Budget – Follow-up

Scope

Although schools’ deficits were regularly monitored and reported to management and the Schools’ Forum, the arrangements in place were not preventing the deficits from increasing. As a consequence of the on-going increases, an initial audit was undertaken to review the central systems in place for monitoring and controlling school deficit budgets. This audit provided a progress update on the implementation of the recommendations that were made following the initial audit. This audit did not review the effectiveness of the new measures that have been put in place.



Key findings

The original recommendations covered the following areas:

Replacing the £10,000 threshold for a Licensed Deficit Agreement (LDA) with an appropriate percentage figure that considers the size of the deficit in relation to the school’s income;

Implementing a process for signing off recovery plans and LDAs;

Sending letters for deficits that are less than the agreed threshold to the Chair of Governors as well as the Headteachers and copying them to the Challenge and Development team;

Developing a process for the on-going monitoring of school deficit budgets;

Giving serious consideration to the level of support and challenge which is needed in the above areas with regular scheduled meetings being arranged with schools;

The development of structured reports that can be presented to senior management and the Schools Forum on a regular basis; and

Giving serious consideration to providing further funding from the Dedicated Schools Grant (DSG) to facilitate the provision of the support and challenge necessary to prevent a major problem in this area going forward.

All of the above recommendations have either all been implemented or alternative solutions have been put in place. No further recommendations have been made.

Appendix 2

33

Service Area: Adult Services Audit Activity: Local Authority Top-Up Payments (Transition from Children’s to Adult

Services)

Scope

In November 2010, the Children and Young People Overview and Scrutiny Committee identified issues around the transition process from Children’s to Adult Services. Taking the Committee’s concerns on board and in order to carry out a more detailed piece of work on the transition pathway, a Members’ Task Group was formed. The Task Group, through a series of meetings with key stakeholders involved in the transition process, produced a report with recommendations entitled ‘Transition from Children’s Services to Adult Life for Disabled Young People in Gloucestershire’ aimed at improving the current transition pathway that will enable young people to make the transition into adult life in a way that is based on good practice, with a person centred approach that leads them into as independent a life as possible.

This review examined the framework in place for achieving the delivery of the recommendations emanating from this report, along with the progress made to date.



Key findings

In addition to meetings with the project manager, Internal Audit also reviewed a selection of the supporting documentation pertaining to the management of the project. It was established that although still in its infancy, the project has a robust project management framework in place to achieve the recommendations raised in the report.

Whilst no formal recommendations were made, Internal Audit did highlight that whilst the project objectives are being delivered and managed in line with GCC standards some of the key documentation produced to date is still in draft format which will require formal sign-off to fully adhere to best practice standards.

Summary of Consulting Activity and/or Support Provided Where No Opinions Are Provided Service Area: Enabling and Transition

Audit Activity: LEAN

Scope

LEAN process reviews, undertaken as part of the Meeting the Challenge (MtC) Programme, concentrate on streamlining processes and procedures, eliminating unnecessary tasks and thereby delivering efficiencies. This review allowed Internal Audit to input to these reviews to ensure that key controls which mitigate key risk exposures are not taken out of systems.

Internal Audit focused on the process reviews that took place across the Council throughout the 2011/12 year.

Appendix 2

34

Key findings

Internal Audit and the MtC Project Managers shared information as to the work that was undertaken by both teams during the course of the year. The list of reviews was added to as new projects were identified. Internal Audit aimed to be proactively involved and to be available to offer advice on controls as and when new projects emerged.

Internal Audit was invited to attend key workshops and other meetings. All reviews were undertaken on the basis of discussion of systems operation with staff and a review of documentary evidence. None of the meetings resulted in more detailed review work being required within service areas where change systems were being introduced.

Service Area: Strategic Finance

Audit Activity: Sixth Form Funding (Former Learning and Skills Council (LSC) Funding)

Scope

In accordance with the requirements of the Joint Audit Code of Practice between Local Authorities and the Young People’s Learning Agency (YPLA), it is the responsibility of Local Authorities to put in place arrangements that allow Local Authorities’ Chief Financial Officers to make a grant return and use of funds statement to the YPLA. The YPLA provided guidance to Local Authorities on how to fulfil their assurance responsibilities. Internal Audit’s role was to ensure that the assurance arrangements had been carried out to an acceptable standard.

Key findings

The following areas were reviewed by Internal Audit which provided sufficient assurance that the funding had been used for the purposes intended:

Risk assessment – this was used to select the sample of schools with sixth forms. Any schools that converted to an Academy part way through 2011/12 were included in the population as the YPLA confirmed that Local Authorities had responsibility for the funding up to the point of conversion. Out of a total population of 17 schools, 4 schools were audited which is an adequate 24% sample. The risk factors used for the risk assessment were considered appropriate for a sixth form funding audit. The scoring applied to the risk factors seemed reasonable. The schools that were selected for the sample were based on the highest risk scores.

Accompanied visits - Internal Audit accompanied the School Sixth Form Auditor within Children and Families on all of the school visits. The rationale for this was to provide assurance that the visits were being conducted in accordance with the guidance that had been provided by the YPLA. The findings identified some minor discrepancies in the census data and qualifications data but nothing that materially affected the funding.

Appendix 2

35

Service Area: Adult Services

Audit Activity: External Care Budget– Cost Pressures

Internal Audit has been commissioned by Adult Services to support management in undertaking further investigative work and analysis focused within the practices being operated within the one locality to see how this compared to a comparator locality, and whether there are any significant differences that are driving costs. The focus of the review covered a range of areas including:

Screening of referrals;

Financial analysis;

A detailed review of a sample of cases;

Analysis of caseload management;

Management/monitoring of placements for long term care; and

Analysis of hospital discharge cases

Key findings The key findings have highlighted a number of areas where improvements to the current arrangements are required. Internal Audit has therefore made a number of recommendations that will need to be considered by management alongside the national change agenda for the transformation of adult social care. These are aimed at achieving better value for money; improved management information; improved contract monitoring and contract compliance; defining roles and responsibilities of professionals within multi disciplines; standardising systems and processes; managing the public’s and professional’s expectations; exploring greater collaboration with partners/support services and strengthening the internal control environment.

All recommendations have been accepted by management. Some of the management responses are that consideration will be given to the actions required as part of the changing agenda for social care.

Annual report on Internal Audit Activity 2011 2012

Documents

Transcript of Annual report on Internal Audit Activity 2011 2012