Final Protocol for Capita LBB Assurance Group IA CAFT and Risk January 2
28/01/2014 Page 1 of 48
Protocol for Joint Working between LBB
Assurance Group and Capita
In relation to CSG and RE Services
Version control
| Version | Date | Author(s) | Summary of Changes |
|---|---|---|---|
| V1 | 28/1/14 | LBB Assurance – various; Capita - various | |
Contents
1. Introduction
2. Internal Audit
2.1. Respective roles of auditors
2.2. LBB Risk-based Audit Programme
2.3. Areas where LBB Assurance are likely to place reliance on Capita Internal Audit
2.3.1. Transferred Services
2.3.2. Wider Assurance – Governance Standards
2.3.3. Follow-up of previous recommendations
3. Anti-Fraud
4. Risk Management
5. Liaison Meetings
6. Appendix A – Contact Details
7. Appendix B – Transferred Services
8. Appendix C – Risk Escalation
9. Appendix D: Contract Clauses, Definitions & Policy List
9.1. Contract Clauses
9.2. Definitions - Governance Standard
9.3. Governance Standards Compliance checklist
9.3.1. CSG Governance Standards – extract*
9.3.2. Re Governance Standards – extract*. DRAFT – subject to finalisation
9.4. Definitions – Assurance and priority ratings
9.4.1. LBB Assurance:
9.4.2. Capita:
9.5. Policy List
10. Appendix E – Annual Timetable of Activity
10.1. Planning
10.1.1. LBB Assurance
10.1.2. Capita
10.2. Reporting and Meeting Dates
10.2.1. LBB
10.2.2. Capita
11. Appendix F – Documents Checklist
12. Appendix G: Internal Audit Decision Tree
13. Appendix H: CAFT Decision Tree
1. Introduction
The London Borough of Barnet’s (LBB) Operational Assurance (referred to herein as ‘LBB
Assurance’) function sits within the Assurance Group. It consists of Internal Audit, Anti-Fraud
and Risk Assurance and is responsible for ensuring coverage of the core aspects of the
Council’s governance and control environment in order to support achievement of the Council’s
overall objectives. The functions are summarised as follows:
- Internal Audit will provide independent and objective assurance to the Council, its
  Members, the Strategic Commissioning Board (including the Chief Operating Officer) to
  support them in discharging their responsibilities under S151 of the Local Government
  Act 1972, relating to the proper administration of the Council’s financial affairs.
- The Anti-Fraud strategy and team demonstrates the Council’s commitment to a zero
  tolerance approach to fraud, corruption or bribery and works to prevent, detect and
  deter fraud within the Council whilst actively pursuing fraudsters and seeking redress.
- Risk Assurance is responsible for delivering a robust risk assurance function through
  the risk management framework that ensures the Council meets the highest standards
  of risk management.
This protocol seeks to set out the proposed working relationship between LBB Assurance and
Capita for internal audit, anti-fraud and risk management. The objective of this protocol is to
provide a framework which will optimise the benefits of the relationship between LBB
Assurance and Capita, whilst enabling chief officers within the Council to discharge their
respective responsibilities. It sets out how both parties will work together to provide information
and to deliver the essence of the contractual agreement in practical terms.
The protocol aims to:
- clarify the respective roles of LBB Assurance and Capita [1];
- highlight areas where LBB Assurance are likely to require assurance from Capita; and
- establish a framework for co-operation in the planning, conduct and reporting of Internal
  Audit, Anti-Fraud and Risk Management.
Overall the protocol should promote an effective working relationship, within the bounds of the
respective roles of both parties, maximising benefit and minimising effort and duplication across
both organisations.
This protocol covers all aspects of contract clauses in relation to internal audit, anti-fraud and
risk management arrangements and will be reviewed annually in April, in order to include LBB’s
provisional Audit Committee dates for the coming year.
[1] The respective roles of LBB and Capita are viewed within the context of the contract that has been
signed between LBB as a whole (as opposed to the LBB Assurance Group). Regarding the transferred
services (see Appendix B) roles can be defined as follows:

RACI Assessment*: (R) Responsible, (A) Accountable, (C) Consult, (I) Inform

| Capita | LBB Client | LBB Assurance |
|---|---|---|
| R | A | C, I |
The following sections provide more detail on the assurance expectation within each function
and the forum in which activities will be coordinated and information shared.
2. Internal Audit
Included within the contract are clauses to ensure the provision of information relating to
internal audits carried out on services provided on the behalf of LBB. This includes information
about the intended annual plan of audit activity, any limited or no assurances included within
quarterly summary reports and the annual audit opinions.
Additionally, the Public Sector Internal Audit Standards (PSIAS) require that the chief internal
auditor must “include in the risk-based plan the approach to using other sources of assurance
and any work required to place reliance upon those other sources”.
2.1. Respective roles of auditors
The following table outlines the respective roles of LBB Assurance and Capita. The roles and
objectives are different but complementary. There are therefore benefits to be gained from
working together.
| LBB Assurance | Capita |
|---|---|
| Internal Audit is defined in the Public Sector Internal Audit Standards (PSIAS) as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” Internal Audit must have a Charter that accords with the requirements of the PSIAS. The key output from Internal Audit is the annual opinion on the Council's control environment which should be reported to the Audit Committee. | Capita Group Internal Audit (GIA) is an independent function within Capita. Its role per the GIA Charter is to review the adequacy and effectiveness of the organisation’s governance, processes, controls and risk management in implementing agreed strategies across the whole of the group’s activities. It provides the Board, the Group Audit Committee and all levels of management with an objective opinion on the results of its reviews. The Chartered Institute of Internal Auditors publishes a ‘Definition of Internal Auditing’, a ‘Code of Ethics’ and ‘Standards’ which are recognised as mandatory for the GIA function. GIA’s overall objective is to provide independent assurance to the Capita plc Board and management on the effectiveness of risk management and controls over all of the group’s activities. |
| Internal Audit’s strategy and plan is risk-based, is agreed between Internal Audit and management and is approved by the Audit Committee. To remain independent and objective the work of Internal Audit cannot be directed by other parties. | The Director, GIA is responsible for the development of a risk based plan to determine the priorities of the internal audit activity, consistent with the group’s goals, risk management framework and risk appetite. This is approved by the Group Audit Committee. GIA is independent of the activities which it reviews to enable the unbiased judgements essential to its proper conduct and facilitate impartial advice to management. |
| Internal Audit reports to the Audit Committee on a quarterly basis. | GIA reports to the Group Audit Committee on a quarterly basis. |
| Internal Audit provides assurance as follows: substantial, satisfactory, limited, no. Please see Appendix D for the basis of these ratings. | GIA provides assurance as follows: Satisfactory, Improvement Required, Significant Improvement Required, Unsatisfactory. Please see Appendix D for the basis of these ratings. |
| LBB financial year ends on 31st March. | Capita Group financial year ends on 31st December. Re Financial year ends on 31st March. |
2.2. LBB Risk-based Audit Programme
Capita has its own Internal Audit function and therefore LBB does not anticipate undertaking a
risk-based audit programme involving Capita staff unless:
- Capita do not undertake internal audit reviews that provide assurance over Transferred
  Services (see Appendix B), specifically the Barnet business-arm and therefore LBB
  transactions;
- An audit is planned that has a scope involving both LBB and Capita employees;
- LBB has concerns in respect of the Transferred services; or
- LBB is unable to rely on the audits and work completed by Capita’s internal auditors.
Refer to Appendix G for the audit contract clauses decision tree.
Any audits undertaken by LBB will be discussed with the LBB Commercial team also to ensure
transparency over any potential impact to the contract.
Contract clauses 28.5.2 (CSG) / 36.5.2 (Re) and 28.6.1 (CSG) / 36.6.2 (Re) state the
timeframes within which Capita must provide certain information to LBB Assurance. This
information and the deadlines are summarised in the table below:
| Required information | Deadlines |
|---|---|
| Consult with the Authority prior to finalising its Annual Internal Audit Plan | Date not stated - suggest September |
| Submit its own Annual IA Plan | By the end of April in each contract year – suggest earlier i.e. once formally approved |
| Submit IA reports – reports that provide assurance over Transferred Services, including any Governance reviews completed | Submit within 15 Business Days of the agreed quarterly date |
| Limited or no assurance submitted | Submit within 5 working days (CSG); Submit immediately (Re) |
| Undertake audits of all IPR used in the performance of the Services | Submit yearly |
| Provide the Authority (and / or its agents or representatives) with all reasonable co-operation and assistance in relation to each audit being undertaken by LBB | Within two (2) Business Days (unless agreed otherwise by the parties acting reasonably) (CSG); On demand (Re) |
LBB Assurance will undertake a programme of work to assess whether it can rely on the audits
undertaken by Capita’s internal auditors. A provisional list of the evidence that will be gathered
to inform this view has been included at Appendix F.
This will be an annual review to be completed by the end of LBB’s quarter 2 to ensure that if
there are issues it will be possible to undertake the risk-based audits required within quarters 3
and 4.
Where clause 28.5.4 (CSG) / 36.5.4 (Re) is invoked, whereby Capita must bear the cost of any
audit work undertaken by LBB Assurance, the charges will be as follows:
- Core (non-specialist) audits: £359 per day
- Specialist (IT, Projects and Programmes etc) audits: £513 per day
These charges will be subject to review on an annual basis.
Schools audits
LBB will continue to carry out its rolling programme of schools internal audits. Liaison
arrangements with the Schools Finance Service Manager (now part of CSG) will remain as they
were before the service was transferred to Capita. LBB will continue to provide the Schools
Finance Service Manager with copies of all final internal audit reports issued regarding schools
in the borough.
2.3. Areas where LBB Assurance are likely to place reliance on Capita Internal Audit
2.3.1. Transferred Services
LBB Assurance will seek to take assurance from any Capita Internal Audit work over LBB
transactions specifically for the services being conducted on the Council’s behalf. These are
listed within Appendix B for the respective contracts with Capita.
The council assurance function will retain responsibility for the exercise of powers under the
joint employment arrangements within Re, the associated Scheme of delegation, and also for
audits relating to managed contracts, for example highways network management contracts.
The Parties agree that during the annual planning cycle, they will review any proposed audits
which may address part of the processes relating to these retained council activities, and in so
far as appropriate and agreed one of the audit functions will review the end to end process. For
example, if Capita Internal Audit propose an audit of Re managing agent activity, the Council
may determine that it would be appropriate as part of that audit for Capita to also review
Council retained activities, such as policy setting and authorisations, in which event Capita and
the Council assurance team will review the scope of the proposed audit to assess whether it
would be appropriate to incorporate a review of these retained activities.
Any actions identified relating to a retained function will be sent in draft to the LBB Commercial
team and Assurance team prior to finalising the report, and implementation of those actions will
be monitored by the LBB Assurance team.
2.3.2. Wider Assurance – Governance Standards
LBB Assurance will also be looking for assurance over general controls impacting on the
service provided. This will involve review of any Governance audits undertaken by Capita and a
review of the agreed Governance Standards compliance – see Appendix D section 9.3
Governance Standards.
2.3.3. Follow-up of previous recommendations
The following table outlines the respective responsibilities as they relate to the follow-up of LBB audit recommendations:
LBB Assurance Capita
To provide Capita with copies of the most
recent Internal Audit reports relating to the
transferred services (see Appendix B).
To follow-up any Priority 1 recommendations
that were made by LBB Assurance.
To follow up on any transferred Priority 2
and Priority 3 recommendations made by
LBB Assurance when the area is next
under review.
3. Anti-Fraud
Under Section 151 of the Local Government Act 1972 the Council has a statutory obligation to
ensure the protection of public funds and to have an effective system of prevention and
detection of fraud and corruption.
Within the Council structure the Corporate Anti-Fraud Team (CAFT) sits within the Assurance
Group, and is a dedicated independent, objective activity designed to add value and improve
the Council’s operations. It helps the Council achieve its objectives by bringing a systematic,
disciplined approach to investigation, evaluating and improving the effectiveness of fraud
prevention and detection and the subsequent prosecution of individuals and organisations
where appropriate.
Capita has a dedicated anti-fraud function which sits at group level and has responsibility for
the investigation of staff fraud within each of the Capita business services.
Capita has a dedicated anti-fraud function which sits at group level and has responsibilities
which include the investigation of staff fraud within each of the Capita business services.
The Capita Group Fraud Policy is the minimum standard for all contracts involving Capita staff;
this may be supplemented by, but not reduced by, the LBB Fraud Policy.
Capita employees are required to undertake mandated Fraud Awareness training.
Capita Group employs a Head of Special & Fraud Investigations; this is a fully qualified and
accredited counter fraud specialist role.
All potential or actual incidents will be reported to the group function who will liaise with the
local business management to ensure each report is correctly investigated.
The Capita Group Fraud Investigation function provides advice, support and investigation
services to the business management as required by each incident. Each incident is assessed
and the appropriate plan instituted to achieve a positive result for any investigation.
In accordance with the agreed liaison as set out in Table 2 (Notifications), Capita Group will liaise
with LBB CAFT and agree on necessary disciplinary action, the possibility of reporting the incident
to the police and/or any regulatory authorities, or legal action, as appropriate to each case
involving Capita staff in relation to either an LBB provided service or a fraud matter involving LBB
public funds.
Monthly reports for significant investigations are made to the Director Group Risk and
Compliance who reports to the Capita Group Executive and Capita Audit Committee.
The Capita business will maintain an incident log and, in conjunction with Capita group fraud, will
provide regular updates on progress of investigations as agreed within this protocol.
LBB will provide Capita local management and the Capita Head of Special & Fraud
Investigations with a regular update on all investigations with potential Capita, Capita staff or
Capita processing involvement or implications.
Both LBB and Capita have a zero tolerance approach to fraud and other irregularity committed
against those services contracted out on behalf of LBB, and both organisations will work
together in order to support this approach and ultimately protect the public purse through the
following contractual and agreed working arrangements.
Included within the Capita contract are clauses to ensure the provision of information relating to
the prevention of Fraud and Bribery in relation to the services contracted out on behalf of LBB.
This protocol aims to clarify those clauses into agreed working arrangements.
It is acknowledged within this protocol that the sole responsibility for third party / external fraud
investigations relating to LBB Housing Benefit, National Non Domestic Rates and Council Tax
Benefit, Council Tax Support and Disabled Blue Badge lies with the Council’s CAFT. It is
agreed that all referrals relating to any of these services should be directed in the first instance
to the Council’s CAFT and not to Capita Group Fraud.
LBB Fraud Policies
The contract states (CSG - 45.1.1, Re – 53.1.1) that the service provider (Capita) is required to
certify in writing to the Council that it will take ‘all reasonable steps to act in accordance with the
Council’s Counter Fraud Framework and Financial Regulations (part 4) to prevent Fraud by
service users, staff and the service provider in connection with the receipt of monies from the
authority.’
As stipulated within the contract (CSG - 45.1.5 (b), Re – 53.1.6 (b)) LBB will seek this
assurance from each of the services contracted out on behalf of LBB by written
certification from Capita on an annual basis.
The schedule of policies attached to each contract (Schedule 22 for CSG and Schedule 33 for
Re), with which Capita must comply, includes the counter fraud framework. The contract also
states under section 45.1.6 that the service provider will comply with the Council’s anti-bribery
policy. This policy is included with the Council’s counter fraud framework.
Counter Fraud Framework - 2013
- Counter Fraud Framework Introduction
- Fraud Policy Statement and Procedure
- Bribery Policy Statement and Procedure
- Prosecution Policy statement
- Anti-Money Laundering Policy Statement and Procedure
- Whistleblowing Policy Statement and Procedure
- Regulation of Investigatory Powers (RIPA) Act 2000 Policy Statement and Procedure (directed surveillance)
Whistleblowing
It is agreed within this protocol that Capita staff should utilise the Council’s Whistleblowing
Policy (under 2.3 or 4.1 of the policy) in relation to reporting a matter in accordance with the
policy relating to a CSG or Re service. However it is also acknowledged that Capita staff may
also choose to report such matters under their equivalent Capita ‘Speak up’ Policy. Any
referrals received under the relevant LBB or Capita policy will be notified to the relevant parties
in accordance with the agreed notification timescales detailed within table 2. It is agreed that it
is Capita’s responsibility to actively promote and raise awareness of this within Capita in
accordance with principles of openness and transparency and joint commitment to protect
public funds.
Contract Clauses
Refer to Appendix H for the fraud contract clauses decision tree.
Contract clause 45.1.8 states that the service provider must respond ‘promptly’ to the
Authority’s enquiries. It is agreed within this protocol that LBB and Capita will deem any
enquiries to fall within one of two categories, urgent and standard, which for the purpose of this
protocol are defined as follows:
| Category | Definition | Agreed response timescale |
|---|---|---|
| Urgent | The information is critical to an investigation where any delay could compromise the ability to take legal action or create an unacceptable risk of loss / harm to the Council. | Within 24 hours |
| Standard | The information that is required to identify the level of criminal activity where the continued risk of loss / harm to the Council is deemed to be medium to low. | Within 5 days |

Table 1 definitions
Prevention & Detection
The primary responsibility for the awareness, prevention, detection and deterrence of fraud,
corruption, bribery or money laundering activity lies with the individual services contracted out
on behalf of LBB and not with Capita Group fraud service nor the Council or the Council’s
CAFT. The relevant Director’s / Head of service responsibility within Capita includes ensuring
that Capita staff (and partners and subcontractors) are aware of both the implications of fraud,
bribery and money laundering and the risks of fraud, bribery and money laundering across their
service area. LBB will seek assurances from Capita around this responsibility from each of the
services (CSG and Re) within the annual compliance statement.
Internal Fraud relating to a LBB provided service – Reporting, Notification, Investigation and sanction process
The primary responsibility for the investigation of any suspected fraud, corruption, bribery or
money laundering activity found in a service area lies with both Capita group fraud and the
Council’s CAFT.
Capita group fraud currently operates a staged assessment process of referrals that are
passed to them, and in line with this process both LBB CAFT and Capita have agreed to adopt
the following approach in relation to referrals that are received either Capita group fraud and
related to either the CSG or Re services.
| Referral | Definition | Agreed reporting process and timescale |
|---|---|---|
| Stage 1 | Fact finding stage – Capita | Monthly report to CAFT |
| Stage 2 | Requires further investigation | Urgent - within 24 hours; Standard - within 5 days |
| Stage 3 | Requires sanction action (e.g. disciplinary action/police intervention/legal action) | A joint assessment of action and responsibility between Capita and LBB CAFT on an individual case by case basis. |
| Whistleblowing | Referral received under Council’s ‘Whistleblowing Policy’ or Capita ‘Speak up’ policy relating to CSG or Re services. | Urgent - within 24 hours; Standard - within 5 days |

Table 2 Notifications
Retained Council Information Systems / Council data / Access to provided LBB Services data
The Council’s financial regulations (part 4) state that all CAFT Investigation Officers shall have
authority to:
‘have unrestricted access to, search, and remove any and all records, documents and
correspondence, including electronically held correspondence, documents and records’.
In order to support this requirement Capita will ensure that the CAFT officers have direct
access (high level) to all requested IS systems holding LBB data, including the relevant Capita
systems (and future replacements), and will continue to provide training and support on those
systems to CAFT officers.
All access to systems for CAFT officers will be approved by either the Assistant Director of
Assurance or CAFT Counter Fraud Managers.
Current systems include (but not exclusively limited to):
- Incase
- Civica
- SAP (plus new replacement)
- Saffron
- Sword fish
- Diraq
- Wisdom
- CM (Contact Manager)
Web based systems like:
- LOCTA
- Equifax
- Call Credit
In relation to LBB retained organisation investigation Capita will provide nominated staff to
provide high level support to CAFT relating to investigations that CAFT may be conducting.
This support normally relates to (but not exclusively) access to LBB staff email / outlook,
including deleted items and recovery of deleted items, files, documents, as well as internet
usage data.
Any such requests for CAFT officers will be approved in writing by either the Assistant
Director of Assurance or CAFT Counter Fraud Managers, and will be categorised as ‘urgent’
or ‘standard’ in accordance with the agreed definitions and reporting timescales within this
protocol.
4. Risk Management
The Council’s primary responsibilities when commissioning services and working in
partnerships are to ensure that the partnership has effective risk management procedures and to
provide assurance that the risks are being identified, prioritised and appropriately managed.
The purpose of risk management in this context is as follows:
- To ensure proper identification and understanding of risks associated with a commissioned service including delivery risks, joint risks and retained risks
- To support clear allocation of responsibilities for managing and monitoring risk
- To agree the risk appetite for management of risks amongst all partners
- To align the response to identified risks with corporate priorities
- To provide a framework for information sharing regarding risks and performance management
The contract (clause 28.5.2 CSG, 36.5.2 Re) states the contractor ‘shall operate a sound
system of internal control’ including appropriate risk management processes. As per schedule
22 of the contract the service provider should comply with section 4.2 of the Council’s Risk
Management Policy with the provider’s overall risk management arrangements in an equivalent
policy to be approved by the Council. In order for the Council to maintain its responsibilities for
overseeing the management of risks a collaborative approach for managing, monitoring and
reporting on risk (key or joint) must be agreed. Outlined below are relevant policy and
procedure excerpts from section 4.2 of the Council’s Risk Management Policy.
Currently, Capita has a commitment to use the JCAD system and scoring for all Corporate
Programmes projects; operational risks will be managed according to Capita’s risk
management policy [2] which has been reviewed by the Council.
[2] Capital Non-Financial Service Division Risk Management Policy and Process V2 (July 11)
Risk allocation and responsibility
In general it is expected that most risk will clearly be allocated to either the Council or Capita,
however a small number of risks may be joint risks, i.e. a shared risk where both parties have a
role in managing the risk. Joint risks will be recorded in the Council’s risk management system
(JCAD) with the responsibilities and actions of each party clearly defined. The principles on
how a joint risk will be managed are as follows:
- LBB Contract manager will be assigned the risk and facilitate the management and
  monitoring of the risk.
- The actions tab, in JCAD, will be used to assign and manage activity to individuals.
- 3rd party access to JCAD should be limited and will be considered on a case by case
  basis [3].
Monitoring Risks
Risks should be managed and monitored regularly as part of business as usual and escalated
whenever required including new emerging risks that would score 12 or more and/or any
serious risk incidents that occur (see Appendix C). Over the course of the service contract it is
likely that the risk profile will evolve therefore provision is made through this protocol to build a
relationship with an open dialog and develop an effective approach, based on common
understanding of risk management (processes and terminology) and of the objectives of the
partnership.
Quarterly contract performance reporting will include risks wholly owned by LBB, joint risks and
significant operational risks (with a rating of 12 or more using LBB’s scoring methodology). The
full LBB risk register (including any risks rated below 12) will be appended to the performance
summary.
Section 4.2 of the Council’s Risk Management Policy describes the requirement for an outline
plan for risk management strategy in the forthcoming year. This requirement will be satisfied as
part of liaison meetings (section 5) where changes to and the effectiveness of risk
management arrangements will be discussed.
5. Liaison Meetings
To ensure effective co-operation between LBB Assurance Group and Capita quarterly liaison meetings will be held for planning, to review programmes of work and discuss other issues of mutual interest. Exceptional meetings will be arranged as appropriate for specific issues or events, e.g. Audit Committee.
The following are examples of areas the liaison meetings will cover by function:
| Function | Description | Expectation |
|---|---|---|
| Audit | Capita internal audit plan | Capita will ‘consult with the Authority prior to finalising’ its Internal Audit annual plan to ensure that an appropriate level of assurance is available over the risk areas affecting LBB’s operations. (Contract clause 28.5.2 (b) CSG / 36.5.2 (b) Re) |
| Audit | Quarterly reporting and Audit Committee | In order to meet LBB Assurance quarterly reporting deadlines liaison meetings will need to occur at the most appropriate times during the year. Capita attendance at Audit Committees may be required if issues are being reported that involve Capita in its role as being responsible for delivery of services on the Council’s behalf. |
| Audit | LBB Assurance and reliance on Capita Internal Audit work | During the ‘External Assurance’ work programme if, in LBB Assurance Group’s judgement, it is unable to rely on the work undertaken by Capita’s internal auditors, LBB Assurance shall carry out a risk-based audit programme in relation to the services that are being provided by Capita on behalf of the Council. |
| Audit | External audit’s review of Capita Internal Audit’s work | LBB Assurance should be informed of the outcome of Capita’s external auditors’ review of Capita’s internal audit service. Any issues or reports regarding this review should be shared with LBB Assurance as soon as they are finalised. |
| Audit | Audit Scoping and ToR | An opportunity to discuss any audits being undertaken that are of relevance to either party. If appropriate, LBB Assurance will involve Capita in any scoping meetings, when agreeing the terms of reference for the review, during the fieldwork, and when agreeing the final report. |
| Audit | Compliance, performance against audit contract clauses | For audit related clauses – opportunity to discuss any referrals that LBB Assurance have had to make to the partnership manager regarding information not being provided by Capita in line with requirements. For other clauses – opportunity to discuss any concerns raised by the partnership manager or as a result of audits that have been undertaken. |
| Risk | Risk Management | Changes to and the effectiveness of risk management arrangements. This will be in addition to the general Corporate Performance Reporting and contractual Service Performance Reporting which is managed with the commercial team within the LBB. |
| CAFT | Anti-Fraud | For Fraud related clause – opportunity to discuss any referrals that have been made in accordance with the agreed notification process as well as any relevant on-going anti-fraud or policy compliance issues. |

Table 3: Liaison Meetings
3 3rd party access is still being investigated so this statement is assuming access is possible and agreed by LBB.
A timetable of activity is appended to this protocol outlining key dates and meetings for the first
year, with due regard for the dates that Capita Internal Audit quarterly reports will be available,
Audit Committee and Strategic Commissioning Board Assurance dates and how the protocol
will dovetail into these.
Additionally there is a list of documents in Appendix F which will be required initially, upon
finalising the protocol, and on-going.
Effective, timely information sharing is essential; the two parties shall communicate promptly to
the other any significant concerns / exceptions / breaches arising that it is felt should be dealt
with other than through the usual reporting and liaison arrangements set out in this protocol.
When sharing any information both the Freedom of Information Act and the Data Protection Act
requirements shall be observed by both parties. It is recognised that there should not be a need
within the relationship to share personal data unless appropriate to the requirements of both
parties and subject to the controls set out by the Council’s Information Sharing Policy.
6. Appendix A – Contact Details
London Borough of Barnet Assurance Group
North London Business Park, 1st Floor Building 2
Oakleigh Road South, London N11 1NP
Director of Assurance Maryellen Salter
02083593167
Assurance Assistant Director Clair Green
020 8359 7791
Head of Internal Audit (Chief Internal Auditor)
Caroline Glitre
020 8359 3721
Risk Assurance Manager
Courtney Davis
020 8359 4901
Counter-Fraud Manager
Declan Khan
020 8359 3721
External Auditor Grant Thornton UK LLP
Paul Hughes
020 7728 2256
Capita [71 Victoria Street, London, SW1H 0XA]
Finance Director (Audit Liaison Lead - CSG)
Tom Evans
07824 868650
Commercial Director (Audit Liaison Lead – Re)
Mike Eastwood
07557 287247
Director, Group Internal Audit (HoIA opinion)
Clive Smith
07917 307988
Director, Group Internal Audit - Non-FS Divisions
Moyra Armstrong
07917 307991
Group Director of Risk & Fraud
Chris Terry
07736 599761
Head of Anti-Fraud & Special Investigations
Debbie Morris
07733 361432
Internal Audit Manager (who will be undertaking reviews of LBB
transactions) TBC
External Auditor KPMG
Any liaison or discussions with Capita Auditors should be directed via Tom Evans.
7. Appendix B – Transferred Services
CSG: Customer Services; Estates; Finance; Human Resources, Payroll and Pensions; IT Infrastructure and Support; Procurement; Revenues and Benefits; and Corporate Programmes
Re: Planning and Development Management; Building Control; Land Charges; Environmental Health; Trading Standards and Licensing; Cemetery and Crematorium; Highways; Strategic Planning; and Regeneration
8. Appendix C – Risk Escalation
[Figure: risk escalation flowchart. Labels: Risk Identified; Commercial Contract Manager; Delivery Board; Operations Board; Strategic Commissioning Board (SCB); Cabinet Resource Committee; Risk Assurance; Audit Committee. Annotation: Approves SCB Risk Register to be published. Key: Oversight, Escalation, Decision.]
9. Appendix D: Contract Clauses, Definitions & Policy List
9.1. Contract Clauses
The CSG contract clauses that underpin this protocol are as follows:
28 Service Provider’s Records and Audit [Authority Policy Clause]
45 Termination on Corrupt Gifts and Fraud [Authority Policy Clause]
See these clauses of the CSG contract via the link below:
http://www.barnet.gov.uk/downloads/download/1241/csg_main_contract
Please note that the corresponding clause numbers within the Re contract are 36 and 53
respectively and can be seen via the link below:
http://www.barnet.gov.uk/downloads/download/1267/drs_main_contract
9.2. Definitions - Governance Standard
Capita will, in line with contract clause 28.5.1 (CSG) / 36.5.1 (Re), comply with this Governance Standard definition, and will provide a compliance statement by January of each year. This is in order to inform LBB’s Annual Governance Statement and by providing this in January it will allow for any additional audit work to be completed, if required, by LBB by the end of March.
It is expected that Capita will meet the governance standards required to support LBB’s Chief Finance Officer’s responsibilities as per the Council’s constitution.
In broad terms, Capita’s control framework will need to meet control objectives including:
Anti-Fraud
Asset Management
Audit & Assurance Framework
Business Continuity
Data Quality
Equalities
Financial Management
Governance
Health, Safety & Wellbeing
Information Management & Governance
Partnerships
People Management
Performance Management
Procurement & Contracts Management
Project Management
Risk & Issue Management
The compliance checklist can be found below at 9.3.1 and 9.3.2.
* the spreadsheet that will be completed and returned to LBB Assurance includes further detail
to support the self-assessment of whether the controls in place are effective.
9.3. Governance Standards Compliance checklist
9.3.1 CSG Governance Standards – extract*
Responsible Person:
Question Assessment Notes
1.00 Internal Audit
1.01 Audit arrangements are in line with section 2 of the protocol
2.00 Anti-Fraud
2.01 Anti-Fraud arrangements are in line with section 3 of the protocol
3.00 Risk Management
3.01 Risk management arrangements are in line with section 4 of the protocol
4.00 Performance Management & Data Quality
4.01 There is a Performance Management Framework in place that has been approved by the Council and there is evidence of this approval
As required by the contract Schedule 22
4.02 Baselines set for performance indicators are supported by robust data sets
4.03 Performance against contractual PIs, KPIs and Super KPIs is regularly monitored and reviewed by senior personnel
4.04 The delivery unit complies with the Council's Data Quality policy and can evidence checks of this compliance
As required by the contract Schedule 22
4.05 Systems and processes are fit for purpose and adequate and effective controls are in place during the input, reporting and output of data
Controls are in place to ensure the performance data reported to the Council meets the Council's Data Quality requirements of:
4.06 Accuracy – data is without errors, and adheres precisely to any applicable definition.
4.07 Reliability – data reflects stable and consistent collection and capture processes across collection points and over time. These processes should minimise manual intervention and maximise the automation of data collection and manipulation.
4.08 Timeliness – data is captured as quickly as possible after the event or activity, and is used in a timely fashion.
4.09 Relevance – data is applicable to the issue and provides the answers needed
4.10 Completeness – data collected and captured comprises of all necessary elements
4.11 A clear audit trail – a documented process for obtaining and using the data, which is understood by all involved in producing the data, and is accessible to those who rely on the data or have an interest in it. Clear and complete audit trails must be maintained to demonstrate accuracy for all data used for decision-making.
4.00 People Management
4.01 All relevant staff are aware of the responsibilities under the Council's HR regulations and have been adequately trained to discharge those responsibilities
As required by the contract Schedule 22 - HR Regulations are part of the Council's constitution
Click here for HR regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8923/UHRRegulations.doc.pdf
4.02 HR policies and procedures are in place and are updated in line with legislative or other required changes
4.03 Changes to HR policies and procedures for LBB are approved by the Council
4.04 HR Business Partners are fully aware of HR policies and procedures, and communicate these to officers across the Council
4.05 HR Business Partners provide support to officers across the Council to facilitate the correct application of HR policies and procedures
4.06 HR Business Partners provide officers across the Council with the data, access to systems or reports they need to manage performance within their delivery unit
4.07 Safer Recruitment - corporate pre-employment checks and agreed recruitment protocols are being followed. On-going Safeguarding checks are undertaken for current employees
4.08 Organisational structures which reflect the composition of the Council's workforce and current vacancies are up to date and accurate.
4.09 Roles & Responsibilities across the Council are clearly defined and supported by up to date job descriptions
5.00 Financial Management
5.01 All relevant staff are aware of the responsibilities under part four of the Council's financial regulations and have been adequately trained to discharge those responsibilities
As required by the contract Schedule 22 - Financial Regulations are part of the Council's constitution
Click here for Financial regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8919/RAmendedFinancialRegulations030513.doc.pdf
5.02 Financial Management policies and procedures are in place and are updated in line with legislative or other required changes
5.03 Changes to Financial Management policies and procedures for LBB are approved by the Council
5.04 Finance Business Partners are fully aware of Financial Management policies and procedures, and communicate these to officers across the Council
5.05 Finance Business Partners provide support to officers across the Council to facilitate the correct application of Finance policies and procedures
5.06 Finance Business Partners provide officers across the Council with the data, access to systems or reports they need to manage delivery unit budgets
5.07 The Key Financial System services below, which CSG provides on the Council's behalf, have been audited by Capita Internal Audit within the past 12 months.
Where this is not the case, please confirm what assurance you have obtained over risk and key controls for those systems. See links to separate tabs for:
5.08 Treasury Management
5.09 Pension Fund Management
5.10 Payroll
5.11 Cashbook
5.12 Fixed Assets
5.13 Income and Debt Management
5.14 Accounts Payable
5.15 Financial transactions within the finance service are processed through SAP (until replacement finance system introduced in April 2014), or written approval has been obtained via the Customer Services and Information Management Board agreeing to the use of other systems.
5.16 Reconciliations are undertaken between the systems that feed into the Annual accounts (e.g. Housing Benefit, Council Tax, NNDR) and the main accounting system.
5.17 Any issues identified through the reconciliation process are addressed in a timely manner.
5.18 IT general and application controls over the general ledger are designed and operating effectively, as assessed by External Audit
5.19 Staff ensure that adequate procedures are in place to maintain proper accounting records and entries in them are properly authorised.
5.20 There is a timetable in existence to support the closure of the Council's annual accounts. This includes key milestones and appropriate liaison with external audit.
6.00 Asset Management
6.01 All relevant staff are aware of the responsibilities under parts 4 (Financial Management including Capital) and 5.6 (Assets) of the Council's financial regulations and have been adequately trained to discharge those responsibilities
As required by the contract Schedule 22 - Financial Regulations are part of the Council's constitution
Click here for Financial regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8919/RAmendedFinancialRegulations030513.doc.pdf
6.02 All relevant staff are aware of the responsibilities under the Council's Management of Asset, Property and Land Rules and have been adequately trained to discharge those responsibilities
Click here for The Management of Asset, Property and Land Rules (revised May 2013): http://barnet.moderngov.co.uk/documents/s8922/TAssetsPropertyandLandRulesv1020130320.doc.pdf
As required by the contract Schedule 22 - The Management of Asset, Property and Land Rules are part of the Council's constitution
Asset Management policies and procedures are in place and are updated in line with legislative or other required changes
Changes to Asset Management policies and procedures for LBB are approved by the Council
Estates staff are fully aware of Asset Management policies and procedures, and communicate these to officers across the Council as required
Estates staff provide support as required to officers across the Council to facilitate the correct application of Asset Management policies and procedures
Estates staff provide officers across the Council with any data, access to systems or reports they need to manage delivery unit assets
The Fixed Asset Register is up to date and systems to support this aim are adequate
Rent reviews are processed in a timely fashion through SAP (until replacement finance system introduced in April 2014) to ensure rent data is complete and accurate
There are clear links between the CSG Estates function and the CSG Finance function and respective roles and responsibilities are clear
8.00 Governance
8.01 The service provider has corporate governance arrangements in place that are in line with the recommendations of the Cadbury report
http://www.icaew.com/en/library/subject-gateways/corporate-governance/codes-and-reports/cadbury-report
8.02 Staff conduct themselves in line with the Nolan principles of public life i.e. Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty, Leadership
http://www.public-standards.gov.uk/
8.03 All relevant staff are aware of the Council's decision making processes, as defined in the Constitution Part 1 and Article 12, and adhere to these processes:
As required by the contract Schedule 22 - Decision making processes are part of the Council's constitution
Click here for Part 1 of the Constitution (revised May 2013): http://barnet.moderngov.co.uk/documents/s8895/Part%201%20-%20Decision%20Making.pdf
Click here for Article 12 of the Constitution (revised May 2013) http://barnet.moderngov.co.uk/documents/s8907/HArticle12DecisionMaking.doc.pdf
8.04 Assurances are obtained that the Constitutional decision making processes are being followed.
8.05 There is a staff Code of Conduct / Code of Ethics in place and staff adherence to these requirements is monitored.
8.06 Anti-Bribery arrangements are in place and the Council's Bribery Policy Statement and Procedure are complied with. As required by the contract Schedule 22
8.07 Legislation - The impact of new legislation on the delivery unit is considered in a formal and structured way and the response clearly documented.
8.08 Equalities - The delivery unit complies with an Equalities Policy which the Council has approved As required by the contract Schedule 22
8.09 Equalities - The Equalities duty is complied with i.e. the duty to consult
9.00 Procurement & contracts management
9.01 All procurement undertaken on behalf of the Council is done so in accordance with the requirements of the Council's Contract Procedure Rules
As required by the contract Schedule 22 - Contract Procedure Rules are part of the Council's constitution
Click here for Contract Procedure Rules (CPRs) (revised May 2013): http://barnet.moderngov.co.uk/documents/s8920/SContractProcedureRulesFinal130513.doc.pdf
9.02 The Code of Procurement Practice, including the '10 essentials that must be followed when carrying out Procurement', is understood and adhered to by staff undertaking procurement activities on behalf of the Council
As required by the contract Schedule 22 - the Code of Procurement Practice is part of the Council's constitution
Click here for the Code of Procurement Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8921/S2ProcurementCodeofPracticeRevisionv06100313.doc.pdf
9.03 Procurement policies and procedures are in place and are updated in line with legislative or other required changes
9.04 Changes to Procurement policies and procedures for LBB are approved by the Council
9.05 Procurement Business Partners are fully aware of Procurement policies and procedures, and communicate these to officers across the Council
9.06 Procurement Business Partners provide support to officers across the Council to facilitate the correct application of Procurement policies and procedures and best practice regarding contract management
9.07 Procurement Business Partners provide officers across the Council with the data, access to systems or reports they need to manage delivery unit contracts
9.08 Conflicts of interest are effectively managed when letting contracts. There is Monitoring and Control of the Conflict of Interest Protocol and Register (Sch 31) and staff compliance with this.
9.09 Supply chain risks are considered and controls are in place to mitigate these risks
9.10 All contracts and consultancy arrangements clearly identify the key deliverables, SLAs and performance monitoring processes that demonstrate that the Council receives best value
9.11 All contracts are recorded on a central Contracts Register by the Procurement function of CSG. This is kept fully up to date.
9.12 There is a clear contract renewal process and this is undertaken in a timely manner.
10.00 Information Management & Governance
10.01 Processes are in place to ensure staff are aware of their responsibilities in dealing with personal data and work in accordance with the Data Protection Act.
10.02 Data loss breaches are reported for assessment and dealt with appropriately in line with the Council's Data Protection Incident Reporting Procedure.
As required by the contract Schedule 22
10.03 Procedures are in place to review all records in line with DPA and the Council's Information Management Policy. As required by the contract Schedule 22
10.04 Staff are aware of and adhere to the Information Governance Framework policies that should be complied with under the contract schedule 'Authority's Policies'. Where the service provider should have an equivalent policy to be approved by the Council, this approval can be evidenced
As required by the contract Schedule 22
11.00 Project Management
11.01 All key projects in the delivery unit have been identified and Corporate Programmes are aware
11.02 There is a Project Management policy in place which is in line with the One Barnet Project Toolkit and best practice, for example the Prince II methodology.
11.03 The Project Management policy is kept up to date in line with best practice
11.04 Key documents outlined in the Council's One Barnet's project methodology are in place, for example a business case. These are reviewed, agreed and signed off by relevant project members and stakeholders.
11.05 Project Management outputs e.g. Business Cases are fit for purpose and can be relied upon by decision makers
11.06 Checks are made that the Project Management policy is being applied consistently in practice
12.00 Partnerships
12.01 Partnership working with other Delivery Units and other public sector bodies is effective; the cross-cutting strategic KPIs within the contract are met
13.00 Business Continuity Plans
13.01 Delivery Unit has an up-to-date BC plan(s) including a list of all key contacts covering key / critical staff, partners and suppliers.
13.02 All staff are aware of the plan and how to respond in the event the plan is activated.
13.03 These BC plans have recently been tested/exercised.
14.00 Health, Safety and Wellbeing
14.01 Risk Assessments of work activities and premises are carried out and the plan is risk-based.
14.02 Premises audits are completed and the schedule is risk-based.
14.03 Health & Safety policies and procedures are in place and are updated in line with legislative or other required changes
14.04 Where the service provider should have equivalent Health & Safety policies to be approved by the Council, this approval can be evidenced
As required by the contract Schedule 22
14.05 Changes to Health & Safety policies and procedures for LBB are approved by the Council
15.00 Other significant Internal Control Issues
15.01 Apart from the issues raised above, are there any significant control or other matters arising in your Delivery Unit which could adversely affect the signing of the Council's Annual Governance Statement (AGS)? E.g. Fraudulent activity, major overspends, European contract non-compliance; non-compliance with any other policies, laws or regulations. Please provide details below and assess as per the above questions.
9.3.2. Re Governance Standards – extract*. DRAFT – subject to finalisation
Responsible Person:
Question Assessment Notes
1.00 Internal Audit
1.01 Audit arrangements are in line with section 2 of the protocol
2.00 Anti-Fraud
2.01 Anti-Fraud arrangements are in line with section 3 of the protocol
3.00 Risk Management
3.01 Risk management arrangements are in line with section 4 of the protocol
4.00 Performance Management & Data Quality
4.01 There is a Performance Management Framework in place that has been approved by the Council and there is evidence of this approval
As required by the contract Schedule 33 - Authority's Policies
4.02 Baselines set for performance indicators are supported by robust data sets
4.03 Performance against contractual PIs, KPIs and Super KPIs is regularly monitored and reviewed by senior personnel
4.04 The delivery unit complies with the Council's Data Quality policy and can evidence checks of this compliance
As required by the contract Schedule 33
4.05 Systems and processes are fit for purpose and adequate and effective controls are in place during the input, reporting and output of data
Controls are in place to ensure the performance data reported to the Council meets the Council's Data Quality requirements of:
4.06 Accuracy – data is without errors, and adheres precisely to any applicable definition.
4.07 Reliability – data reflects stable and consistent collection and capture processes across collection points and over time. These processes should minimise manual intervention and maximise the automation of data collection and manipulation.
4.08 Timeliness – data is captured as quickly as possible after the event or activity, and is used in a timely fashion.
4.09 Relevance – data is applicable to the issue and provides the answers needed
4.10 Completeness – data collected and captured comprises of all necessary elements
4.11 A clear audit trail – a documented process for obtaining and using the data, which is understood by all involved in producing the data, and is accessible to those who rely on the data or have an interest in it. Clear and complete audit trails must be maintained to demonstrate accuracy for all data used for decision-making.
5.00 Asset Management
5.01 Asset Management policies and procedures are in place and are updated in line with legislative or other required changes
5.02 The Fixed Asset Register is up to date and systems to support this aim are adequate
6.00 Governance
6.01 All relevant staff are aware of the Council's decision making processes, as defined in the Constitution Part 1 and Article 12, and adhere to these processes:
As required by the contract Schedule 33 - Decision making processes are part of the Council's constitution
Click here for Part 1 of the Constitution (revised May 2013): http://barnet.moderngov.co.uk/documents/s8895/Part%201%20-%20Decision%20Making.pdf
Click here for Article 12 of the Constitution (revised May 2013) http://barnet.moderngov.co.uk/documents/s8907/HArticle12DecisionMaking.doc.pdf
6.02 There is a staff Code of Conduct / Code of Ethics in place and staff adherence to these requirements is monitored.
6.03 Anti-Bribery arrangements are in place and the Council's Bribery Policy Statement and Procedure are complied with. As required by the contract Schedule 33
6.04 There is an up to date Scheme of Delegation in place for the delivery unit and this is adhered to.
6.05 Planning - all relevant staff are aware of the requirements of the Council's Members' Planning Code of Practice.
Click here for Members' Planning Code of Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8925/WMembersPlanningCodeofPractice.doc.pdf
6.06 Licensing - all relevant staff are aware of the requirements of the Council's Members' Planning Code of Practice.
Click here for Members' Planning Code of Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8925/WMembersPlanningCodeofPractice.doc.pdf
6.07 Legislation - The impact of new legislation on the delivery unit is considered in a formal and structured way and the response clearly documented.
6.08 Equalities - The delivery unit complies with an Equalities Policy which the Council has approved As required by the contract Schedule 33
6.09 Equalities - The Equalities duty is complied with i.e. the duty to consult
7.00 Procurement & contracts management
7.01 Internal Audit can provide assurance over the Procurement and Contract Management of the delivery unit
7.02 Procurement policies and procedures are in place and are updated in line with legislative or other required changes
7.03 Conflicts of interest are effectively managed when letting contracts. There is Monitoring and Control of the Conflict of Interest Protocol and Register (Sch 28) and staff compliance with this.
7.04 Supply chain risks are considered and controls are in place to mitigate these risks
7.05 All contracts and consultancy arrangements clearly identify the key deliverables, SLAs and performance monitoring processes that demonstrate that the JV receives best value
7.06 There is a clear contract renewal process and this is undertaken in a timely manner.
8.00 Information Management & Governance
8.01 Processes are in place to ensure staff are aware of their responsibilities in dealing with personal data and work in accordance with the Data Protection Act.
8.02 Data loss breaches are reported for assessment and dealt with appropriately in line with the Council's Data Protection Incident Reporting Procedure.
As required by the contract Schedule 33
8.03 Procedures are in place to review all records in line with DPA and the Council's Information Management Policy. As required by the contract Schedule 33
8.04 Staff are aware of and adhere to the Information Governance Framework policies that should be complied with under the contract schedule 'Authority's Policies'. Where the service provider should have an equivalent policy to be approved by the Council, this approval can be evidenced
As required by the contract Schedule 33
9.00 Project Management
9.01 All key projects in the delivery unit have been identified and Corporate Programmes made aware
9.02 There is a Project Management policy in place which is in line with the One Barnet Project Toolkit or best practice, for example Prince II.
9.03 The Project Management policy is kept up to date in line with best practice
9.04 Key documents outlined in the Council's One Barnet's project methodology are in place, for example a business case. These are reviewed, agreed and signed off by relevant project members and stakeholders.
9.05 Project Management outputs e.g. Business Cases are fit for purpose and can be relied upon by decision makers
9.06 Checks are made that the Project Management policy is being applied consistently in practice
10.00 Partnerships
10.01 Partnership working with other Delivery Units and other public sector bodies is effective; the cross-cutting strategic KPIs within the contract are met
11.00 Business Continuity Plans
11.01 Delivery Unit has an up-to-date BC plan(s) including a list of all key contacts covering key / critical staff, partners and suppliers.
11.02 All staff are aware of the plan and how to respond in the event the plan is activated.
12.03 These BC plans have recently been tested/exercised.
13.00 Health, Safety and Wellbeing
13.01 Risk Assessments of work activities and premises are carried out and the plan is risk-based.
13.02 Premises audits are completed and the schedule is risk-based.
13.03 Health & Safety policies and procedures are in place and are updated in line with legislative or other required changes
13.04 Where the service provider should have equivalent Health & Safety policies to be approved by the Council, this approval can be evidenced
As required by the contract Schedule 33
13.05 Changes to Health & Safety policies and procedures for LBB are approved by the Council
14.00 Other significant Internal Control Issues
14.01 Apart from the issues raised above, are there any significant control or other matters arising in your Delivery Unit which could adversely affect the signing of the Council's Annual Governance Statement (AGS)? For example: fraudulent activity, major overspends, European contract non-compliance, or non-compliance with any other policies, laws or regulations. Please provide details below and assess as per the above questions.
9.4. Definitions – Assurance and priority ratings
9.4.1. LBB Assurance:
The following is a guide to the assurance levels given:
Substantial Assurance: There is a sound system of internal control designed to achieve the system objectives. The control processes tested are being consistently applied.
Satisfactory Assurance: While there is a basically sound system of internal control, there are weaknesses, which put some of the client’s objectives at risk. There is evidence that the level of non-compliance with some of the control processes may put some of the system objectives at risk.
Limited Assurance: Weaknesses in the system of internal controls are such as to put the client’s objectives at risk. The level of non-compliance puts the system objectives at risk.
No Assurance: Control processes are generally weak leaving the processes/systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes/systems open to error or abuse.
Priorities assigned to recommendations are based on the following criteria:
High – Fundamental issue where action is considered imperative to ensure that the
Council is not exposed to high risks; also covers breaches of legislation and policies
and procedures. Action to be effected within 1 to 3 months.
Medium – Significant issue where action is considered necessary to avoid exposure to
significant risk. Action to be effected within 3 to 6 months.
Low – Issue that merits attention/where action is considered desirable. Action usually to
be effected within 6 months to 1 year.
9.4.2. Capita:
Audit Classification
The following are descriptions of audit classifications used:
Satisfactory: No high risk weaknesses were identified in the system and no significant areas of non-
compliance with policy or procedures were noted. Improvements may have been advised to improve or
strengthen existing controls.
Improvement Required: There are medium risk weaknesses in control that, although individually do not
pose a high risk, when taken together indicate a control environment that requires attention.
Significant Improvement Required: There are one or more high risk weaknesses in control, or several
medium risk weaknesses, that expose the Business Unit to a high level of overall risk requiring prompt
action.
Unsatisfactory: There are one or more critical weaknesses in control, or several high risk weaknesses,
exposing the Business Unit to a very high overall level of risk.
Risk Ratings
Each reported finding is assigned a risk rating of Critical, High, Medium or Low as follows:
Critical: Critical control weakness requiring immediate action as it exposes the Business to a very high
risk of imminent significant financial loss, reputational damage, or severe legal/regulatory sanctions.
High: Control weakness requiring prompt action as it exposes the Business to a high risk of significant
financial loss, reputational damage, or severe legal/regulatory sanctions.
Medium: Control weakness that should be addressed as it exposes the Business to some risk of
financial loss, reputational damage, or legal/regulatory sanction.
Low: Basic internal controls are adequate but improvements could be made to bring procedures in line
with current industry best practice.
9.5. Policy List
See Schedule 22 (CSG): Authorities Policies via the link below
http://www.barnet.gov.uk/downloads/download/1241/csg_main_contract
See Schedule 33 (Re): Authorities Policies via the link below
http://www.barnet.gov.uk/downloads/download/1272/schedules_5-33
10. Appendix E – Annual Timetable of Activity
The annual timetable of activity amalgamates both LBB’s and Capita’s key planning, reporting
and meeting dates in an effort to coordinate activities, schedule liaison meetings and create a
forward plan of assurance deliverables (see Table 3 Liaison Meetings). The annual timetable of
activity will be produced in quarter one and be the basis of the first liaison meeting of each
year.
The following outlines key information required for developing the timetable.
10.1. Planning
10.1.1. LBB Assurance
Audit & CAFT planning cycle: Risk based planning – January 2014 to March 2014
Internal Audit and Anti-Fraud Strategy & Annual Plan and Risk Management Approach: Goes to Audit Committee April 2014
Risk Management Framework: Goes to Audit Committee April 2014
Annual Audit Opinion: Goes to Audit Committee July 2014
CAFT Annual Report: Goes to Audit Committee July 2014
Annual Governance Statement: Goes to Audit Committee July 2014
10.1.2. Capita
Annual Audit Planning: Risk based planning – August to October 2013
GIA Annual Plan 2014: Presented to Group Audit Committee November 2013
Risk Management Framework
Annual Audit Opinion: Goes to Audit Committee May 2014
10.2. Reporting and Meeting Dates
10.2.1. LBB
The primary LBB Assurance meetings are Strategic Commissioning Board (SCB) Assurance
and Audit Committee. The calendar of Council meetings, including Audit Committee, is agreed
at Full Council in May. SCB Assurance meets bi-monthly.
Standard clearance and circulation is 10 working days for reports.
The following table outlines the key remaining dates in this financial year. LBB Assurance quarterly reports for Audit Committee are first taken to SCB Assurance for clearance, so the corresponding Quarter that will be reported to each meeting has been included.
LBB Quarter to be reported | SCB Assurance | Audit Committee
Q2
Thursday 24 October
Q3 Tuesday 26th November
Tuesday 28 January
Tuesday 21st January
Q4 Tuesday 18th March
Tuesday 29 April
10.2.2. Capita
Group Audit and Risk Committee
February 25th 2014
May 27th 2014
July 22nd 2014
November 25th 2014
[Timetable to be produced, needs to consider audit annual planning cycle – start and end
dates, LBB Assurance receiving Capita finalised plan, LBB Assurance receiving Capita HoIA
opinion etc]
11. Appendix F – Documents Checklist
Documents required at time of agreeing protocol
1. Capita draft 2014 Internal Audit plan relating to services delivered to Barnet
2. Capita Risk Management Policy
3. Capita Fraud Policy
4. Capita Bribery Policy
5. Capita Anti-Money Laundering Policy
6. Capita Whistle Blowing Policy
Documents required to inform LBB Assurance assessment of reliance on Capita
internal audit
7. Capita Internal Audit Terms of Reference / Charter
8. Capita Internal Audit latest reporting of performance against audit plan
9. Capita Internal Audit accreditation and quality reports (e.g. ISO standards) if applicable
10. Latest Capita Internal Audit review of compliance with Internal Audit Standards
11. Latest Capita Annual Report (LBB Assurance will be seeking assurance from the Governance section for example), usually published in April
12. Other documents as agreed between the parties
On-going documents required
1. Internal Audit quarterly reports on LBB services (within 15 days of agreed quarterly date i.e. 1st April, 1st July, 1st October, 1st January)
2. Internal Audit quarterly reporting of progress against audit plan (if separate to quarterly report)
3. Annual Head of Internal Audit Opinion
4. Internal Audit annual plan
5. Other documents as agreed between the parties
12. Appendix G: Internal Audit Decision Tree
[Flowchart: Internal Control Environment Assurance. Box labels in reading order; the Yes/No branches connecting them are not reproduced.]
- Governance Standard Compliance Statement
- Received by March each year
- Accuracy test: Cross reference against client side. Internal control environment sound?
- Concern re: control environment or services - Invoke 28.6.1
- Escalate to contract manager
- Does provider have their own internal audit function? (28.5.2a)
- Audit Plan Consulted Submitted – 28.5.2 b and c
- Raise concerns via 28.6.1
- Note: consider timing with client side
- Assurances received regarding adequacy of internal control environment
- Informs HoIA opinion
- Carry out risk based audit programme based on 28.5.4
- Can audit plan be relied on for wider assurance? (Assessed via External Assurance framework)
- Escalate to contract manager
- Does audit plan provide sufficient coverage on LBB transactions?
- Informs HoIA opinion
- Relevant internal audit reports submitted (25.5.2 d, e, f)
- Concerns over sufficiency or accuracy
- Informs HoIA opinion
- Raise concerns
- Concerns rectified?
- Risk based audit via 28.5.4 (a)
Clauses Key (note the clause numbers here refer to the CSG contract):
28.5.2:
A: Establishing its own internal audit function
B: Consultation with the Authority prior to finalising its Annual Internal Audit Plan
C: Submit its own Annual IA Plan by the end of April in each contract year
D: Submit IA reports within 15 Business Days of the agreed quarterly date
E: Limited or no assurance submitted within 5 working days
F: Undertake yearly audits of all IPR used in the performance of the Services
28.5.4: Risk-based audit - Capita bears cost – longer timeframe
A: The Service Provider doesn’t have an internal audit service
B: The Service Provider has an internal audit service but the Authority's internal audit service is unable to rely on the audits and work carried out by the Service Provider’s internal audit service
28.6.1 – Audit - Bear respective costs – shorter timeframe
The Authority or its appointed Auditor may, upon no less than two Business Days' notice where the Authority has concerns in respect of the Services, and ten Business Days' notice in all other circumstances.
Date: 28/11/13 (28th November 2013)
13. Appendix H: CAFT Decision Tree
[Flowchart: CAFT Decision Tree. Box labels in reading order; the connections between them are not reproduced.]
- Notify the Authority directly
- The Authority has the power to audit books, records and any relevant documents under clause 45.1.8. The
- End of process; recommendations to be made
- 45.1.10 – rules of termination
- Fraud is suspected – see 45.1.2
- Fraud is known to have been committed. See 45.1.7
- All loss is recovered under clause 45.1.3
- The Service Provider must give any reasonable assistance to any investigation undertaken by the Authority – see 45.1.5.a
- Loss is not recovered
- Final termination – see 45.1.12
- The Authority has the power to terminate the contract if there has been a breach of 45.1.4. Power to terminate agreement is stated under 45.1.9
- See 45.1.11
- End process; recommendations to be made
- Verify that the Service Provider, or a related party, agent or shareholder, has breached clause 45.1.4
- Escalate to Contract Manager
CAFT Decision Tree Clauses