28/01/2014 Page 1 of 48

Protocol for Joint Working between LBB

Assurance Group and Capita

In relation to CSG and RE Services

28/01/2014 Page 2 of 48

Version control

Version Date Author(s) Summary of Changes

V1 28/1/14 LBB Assurance –

various

Capita - various

28/01/2014 Page 3 of 48

Contents

1. Introduction .................................................................................................................................. 5

2. Internal Audit ............................................................................................................................... 6

2.1. Respective roles of auditors ..................................................................................................... 6

2.2. LBB Risk-based Audit Programme ............................................................................................ 7

2.3. Areas where LBB Assurance are likely to place reliance on Capita Internal Audit................... 9

2.3.1. Transferred Services ............................................................................................................ 9

2.3.2. Wider Assurance – Governance Standards ......................................................................... 9

2.3.3. Follow-up of previous recommendations ........................................................................... 9

3. Anti-Fraud ...................................................................................................................................10

4. Risk Management .....................................................................................................................14

5. Liaison Meetings.......................................................................................................................15

6. Appendix A – Contact Details ...............................................................................................18

7. Appendix B – Transferred Services .....................................................................................19

8. Appendix C – Risk Escalation ...............................................................................................20

9. Appendix D: Contract Clauses, Definitions & Policy List ..............................................21

9.1. Contract Clauses .....................................................................................................................21

9.2. Definitions - Governance Standard ........................................................................................21

9.3. Governance Standards Compliance checklist ........................................................................22

9.3.1 CSG Governance Standards – extract* .............................................................................. 23

9.3.2. Re Governance Standards – extract*. DRAFT – subject to finalisation ............................. 34

9.4. Definitions – Assurance and priority ratings ..........................................................................41

9.4.1. LBB Assurance: .................................................................................................................. 41

9.4.2. Capita: ................................................................................................................................ 41

9.5. Policy List ................................................................................................................................42

10. Appendix E – Annual Timetable of Activity .......................................................................43

10.1. Planning ..................................................................................................................................43

10.1.1. LBB Assurance.................................................................................................................... 43

10.1.2. Capita ................................................................................................................................. 43

10.2. Reporting and Meeting Dates ................................................................................................43

10.2.1. LBB ..................................................................................................................................... 43

28/01/2014 Page 4 of 48

10.2.2. Capita ................................................................................................................................. 44

11. Appendix F – Documents Checklist ....................................................................................44

12. Appendix G: Internal Audit Decision Tree .........................................................................46

13. Appendix H: CAFT Decision Tree ........................................................................................47

28/01/2014 Page 5 of 48

1. Introduction

The London Borough of Barnet’s (LBB) Operational Assurance (referred to herein as ‘LBB

Assurance’) function sits within the Assurance Group. It consists of Internal Audit, Anti-Fraud

and Risk Assurance and is responsible for ensuring coverage of the core aspects of the

Council’s governance and control environment in order to support achievement of the Council’s

overall objectives. The functions are summarised as follows:

Internal Audit will provide independent and objective assurance to the Council, its

Members, the Strategic Commissioning Board (including the Chief Operating Officer) to

support them in discharging their responsibilities under S151 of the Local Government

Act 1972, relating to the proper administration of the Council’s financial affairs.

The Anti-Fraud strategy and team demonstrates the Council’s commitment to a zero

tolerance approach to fraud, corruption or bribery and works to prevent, detect and

deter fraud within the Council whilst actively pursuing fraudsters and seeking redress.

Risk Assurance is responsible for delivering a robust risk assurance function through

the risk management framework that ensures the Council meets the highest standards

of risk management.

This protocol seeks to set out the proposed working relationship between LBB Assurance and

Capita for internal audit, anti-fraud and risk management. The objective of this protocol is to

provide a framework which will optimise the benefits of the relationship between LBB

Assurance and Capita, whilst enabling chief officers within the Council to discharge their

respective responsibilities. It sets out how both parties will work together to provide information

and to deliver the essence of the contractual agreement in practical terms.

The protocol aims to:

clarify the respective roles of LBB Assurance and Capita1

highlight areas where LBB Assurance are likely to require assurance from Capita; and

establish a framework for co-operation in the planning, conduct and reporting of Internal

Audit, Anti-Fraud and Risk Management.

Overall the protocol should promote an effective working relationship, within the bounds of the

respective roles of both parties, maximising benefit and minimising effort and duplication across

both organisations.

This protocol covers all aspects of contract clauses in relation to internal audit, anti-fraud and

risk management arrangements and will be reviewed annually in April, in order to include LBB’s

provisional Audit Committee dates for the coming year.

1 The respective roles of LBB and Capita are viewed within the context of the contract that has been

signed between LBB as a whole (as opposed to the LBB Assurance Group). Regarding the transferred

services (see Appendix B) roles can be defined as follows:

RACI Assessment* (R) Responsible (A) Accountable (C) Consult (I) Inform

Capita LBB Client LBB Assurance

R A C, I

28/01/2014 Page 6 of 48

The following sections provide more detail on the assurance expectation within each function

and the forum in which activities will be coordinated and information shared.

2. Internal Audit

Included within the contract are clauses to ensure the provision of information relating to

internal audits carried out on services provided on the behalf of LBB. This includes information

about the intended annual plan of audit activity, any limited or no assurances included within

quarterly summary reports and the annual audit opinions.

Additionally, the Public Sector Internal Audit Standards (PSIAS) require that the chief internal

auditor must “include in the risk-based plan the approach to using other sources of assurance

and any work required to place reliance upon those other sources”.

2.1. Respective roles of auditors

The following table outlines the respective roles of LBB Assurance and Capita. The roles and

objectives are different but complementary. There are therefore benefits to be gained from

working together.

LBB Assurance Capita

Internal Audit is defined in the Public Sector

Internal Audit Standards (PSIAS) as “an

independent, objective assurance and

consulting activity designed to add value and

improve an organisation’s operations. It helps

an organisation accomplish its objectives by

bringing a systematic, disciplined approach

to evaluate and improve the effectiveness of

risk management, control and governance

processes.” Internal Audit must have a

Charter that accords with the requirements of

the PSIAS.

The key output from Internal Audit is the

annual opinion on the Council's control

environment which should be reported to the

Audit Committee

Capita Group Internal Audit (GIA) is an

independent function within Capita. Its role

per the GIA Charter is to review the

adequacy and effectiveness of the

organisation’s governance, processes,

controls and risk management in

implementing agreed strategies across the

whole of the group’s activities. It provides

the Board, the Group Audit Committee and

all levels of management with an objective

opinion on the results of its reviews. The

Chartered Institute of Internal Auditors

publishes a ‘Definition of Internal Auditing’,

a ‘Code of Ethics’ and ‘Standards’ which

are recognised as mandatory for the GIA

function.

GIA’s overall objective is to provide

independent assurance to the Capita plc

Board and management on the

effectiveness of risk management and

controls over all of the group’s activities.

Internal Audit’s strategy and plan is risk-

based, is agreed between Internal Audit and

management and is approved by the Audit

Committee. To remain independent and

objective the work of Internal Audit cannot be

directed by other parties

The Director, GIA is responsible for the

development of a risk based plan to

determine the priorities of the internal audit

activity, consistent with the group’s goals,

risk management framework and risk

appetite. This is approved by the Group

Audit Committee. GIA is independent of

the activities which it reviews to enable the

unbiased judgements essential to its

28/01/2014 Page 7 of 48

proper conduct and facilitate impartial

advice to management.

Internal Audit reports to the Audit Committee

on a quarterly basis

GIA reports to the Group Audit Committee

on a quarterly basis.

Internal Audit provides assurance as follows:

substantial, satisfactory, limited, no

Please see Appendix D for the basis of these

ratings

GIA provides assurance as follows:

Satisfactory, Improvement Required,

Significant Improvement Required,

Unsatisfactory

Please see Appendix D for the basis of

these ratings

LBB financial year ends on 31st March Capita Group financial year ends on 31st

December

Re Financial year ends on 31st March

2.2. LBB Risk-based Audit Programme

Capita has its own Internal Audit function and therefore LBB does not anticipate undertaking a

risk-based audit programme involving Capita staff unless:

Capita do not undertake internal audit reviews that provide assurance over Transferred

Services (see Appendix B), specifically the Barnet business-arm and therefore LBB

transactions;

An audit is planned that has a scope involving both LBB and Capita employees;

LBB has concerns in respect of the Transferred services; or

LBB is unable to rely on the audits and work completed by Capita’s internal auditors.

Refer to Appendix G for the audit contract clauses decision tree.

Any audits undertaken by LBB will be discussed with the LBB Commercial team also to ensure

transparency over any potential impact to the contract.

Contract clauses 28.5.2 (CSG) / 36.5.2 (Re) and 28.6.1 (CSG) / 36.6.2 (Re) state the

timeframes within which Capita must provide certain information to LBB Assurance. This

information and the deadlines are summarised in the table below:

Required information Deadlines

Consult with the Authority prior to finalising its Annual Internal Audit

Plan

Date not stated -

suggest September

Submit its own Annual IA Plan By the end of April

in each contract

year – suggest

earlier i.e. once

formally approved

Submit IA reports – reports that provide assurance over Transferred Submit within 15

28/01/2014 Page 8 of 48

Services, including any Governance reviews completed Business Days of

the agreed

quarterly date

Limited or no assurance submitted

Submit within 5

working days

(CSG)

Submit

immediately (Re)

Undertake audits of all IPR used in the performance of the Services Submit yearly

Provide the Authority (and / or its agents or representatives) with all

reasonable co-operation and assistance in relation to each audit being

undertaken by LBB

Within two (2)

Business Days

(unless agreed

otherwise by the

parties acting

reasonably) (CSG)

On demand (Re)

LBB Assurance will undertake a programme of work to assess whether it can rely on the audits

undertaken by Capita’s internal auditors. A provisional list of the evidence that will be gathered

to inform this view has been included at Appendix F.

This will be an annual review to be completed by the end of LBB’s quarter 2 to ensure that if

there are issues it will be possible to undertake the risk-based audits required within quarters 3

and 4.

Where clause 28.5.4 (CSG) / 36.5.4 (Re) is invoked, whereby Capita must bear the cost of any

audit work undertaken by LBB Assurance, the charges will be as follows:

Core (non-specialist) audits: £359 per day

Specialist (IT, Projects and Programmes etc) audits: £513 per day

These charges will be subject to review on an annual basis.

Schools audits

LBB will continue to carry out its rolling programme of schools internal audits. Liaison

arrangements with the Schools Finance Service Manager (now part of CSG) will remain as they

were before the service was transferred to Capita. LBB will continue to provide the Schools

Finance Service Manager with copies of all final internal audit reports issued regarding schools

in the borough.

28/01/2014 Page 9 of 48

2.3. Areas where LBB Assurance are likely to place reliance on Capita Internal Audit

2.3.1. Transferred Services

LBB Assurance will seek to take assurance from any Capita Internal Audit work over LBB

transactions specifically for the services being conducted on the Council’s behalf. These are

listed within Appendix B for the respective contracts with Capita.

The council assurance function will retain responsibility for the exercise of powers under the

joint employment arrangements within Re, the associated Scheme of delegation, and also for

audits relating to managed contracts, for example highways network management contracts.

The Parties agree that during the annual planning cycle, they will review any proposed audits

which may address part of the processes relating to these retained council activities, and in so

far as appropriate and agreed one of the audit functions will review the end to end process. For

example, if Capita Internal Audit propose an audit of Re managing agent activity, the Council

may determine that it would be appropriate as part of that audit for Capita to also review

Council retained activities, such as policy setting and authorisations, in which event Capita and

the Council assurance team will review the scope of the proposed audit to assess whether it

would be appropriate to incorporate a review of these retained activities.

Any actions identified relating to a retained function will be sent in draft to the LBB Commercial

team and Assurance team prior to finalising the report, and implementation of those actions will

be monitored by the LBB Assurance team.

2.3.2. Wider Assurance – Governance Standards

LBB Assurance will also be looking for assurance over general controls impacting on the

service provided. This will involve review of any Governance audits undertaken by Capita and a

review of the agreed Governance Standards compliance – see Appendix D section 9.3

Governance Standards.

2.3.3. Follow-up of previous recommendations

The following tables outlines the respective responsibilities as it relates to the follow-up of LBB audit recommendations

LBB Assurance Capita

To provide Capita with copies of the most

recent Internal Audit reports relating to the

transferred services (see Appendix B).

To follow-up any Priority 1 recommendations

that were made by LBB Assurance.

To follow up on any transferred Priority 2

and Priority 3 recommendations made by

LBB Assurance when the area is next

under review.

28/01/2014 Page 10 of 48

3. Anti-Fraud

Under Section 151 of the Local Government Act 1972 the Council has a statutory obligation to

ensure the protection of public funds and to have an effective system of prevention and

detection of fraud and corruption.

Within the Council structure the Corporate Anti-Fraud Team (CAFT) sits within the Assurance

Group, and is a dedicated independent, objective activity designed to add value and improve

the Council’s operations. It helps the Council achieve its objectives by bringing a systematic,

disciplined approach to investigation, evaluating and improving the effectiveness of fraud

prevention and detection and the subsequent prosecution of individuals and organisations

where appropriate.

Capita has a dedicated anti-fraud function which sits at group level and has responsibility for

the investigation of staff fraud within each of the Capita business services.

Capita has a dedicated anti-fraud function which sits at group level and has responsibilities

which include the investigation of staff fraud within each of the Capita business services.

The Capita Group Fraud Policy is the minimum standard for all contracts involving Capita staff,

this may be supplemented by but not reduced by the LBB Fraud Policy.

Capita employees are required to undertake mandated Fraud Awareness training.

Capita Group employs a Head of Special & Fraud Investigations; this is a fully qualified and

accredited counter fraud specialist role.

All potential or actual incidents will be reported to the group function who will liaise with the

local business management to ensure each report is correctly investigated.

The Capita Group Fraud Investigation function provides advice, support and investigation

services to the business management as required by each incident. Each incident is assessed

and the appropriate plan instituted to achieve a positive result for any investigation.

In accordance with the agreed liaison as set out in Table 2; Notifications Capita Group will liaise

with LBB CAFT and agree on necessary disciplinary action, possibility of reporting the incident

to the police and or any regulatory authorities or legal action as appropriate to each case

involving Capita staff in relation to either a LBB provided service or fraud matter involving LBB

public funds.

Monthly reports for significant investigations are made to the Director Group Risk and

Compliance who reports to the Capita Group Executive and Capita Audit Committee.

The Capita business will maintain an incident log and in conjunction with Capita group fraud will

provide regular updates on progress of investigations as agreed within this protocol

LBB will provide Capita local management and the Capita Head of Special & Fraud

Investigations with a regular update on all investigations with potential Capita, Capita staff or

Capita processing involvement or implications.

Both LBB and Capita have a zero tolerance approach to fraud and other irregularity committed

against those services contracted out on behalf of the LBB and that both organisations will work

28/01/2014 Page 11 of 48

together in order to support this approach and ultimately protect the public purse through the

following contractual and agreed working arrangements.

Included within the Capita contract are clauses to ensure the provision of information relating to

the prevention of Fraud and Bribery in relation to the services contracted out on behalf of LBB.

This protocol aims to clarify those clauses into agreed working arrangements.

It is acknowledged within this protocol that the sole responsibility for third party / external fraud

investigations relating to LBB Housing Benefit, National Non Domestic Rates and Council Tax

Benefit, Council Tax Support and Disabled Blue Badge lies with the Council’s CAFT. It is

agreed that all referrals relating to any of these services should be directed in the first instance

to the Councils CAFT and not to Capita Group Fraud.

LBB Fraud Policies

The contract states (CSG - 45.1.1, Re – 53.1.1) that the service provider (Capita) is required to

certify in writing to the Council that it will take ‘all reasonable steps to act in accordance with the

Council’s Counter Fraud Framework and Financial Regulations (part 4) to prevent Fraud by

service users, staff and the service provider in connection with the receipt of monies from the

authority.’

As stipulated within the contract (CSG - 45.1.5 (b), Re – 53.1.6 (b)) LBB will look to seek this

assurance from each of the services contracted out on behalf of the LBB on annual basis by

certification from Capita in writing on an annual basis.

The schedule of policies attached to each contract (Schedule 22 for CSG and Schedule 33 for

Re) of which Capita must comply includes the counter fraud framework. The contract also

states under section 45.1.6 that it will comply with the Council’s anti-bribery policy. This policy

is included with the Council’s counter fraud framework.

Counter Fraud Framework - 2013

- Counter Fraud Framework Introduction - Fraud Policy Statement and Procedure - Bribery Policy Statement and Procedure - Prosecution Policy statement - Anti-Money Laundering Policy Statement and Procedure - Whistleblowing Policy Statement and Procedure - Regulation of Investigatory Powers (RIPA) Act 2000 Policy Statement and Procedure

(directed surveillance)

Whistleblowing

It is agreed within this protocol that Capita staff should utilise the Council’s Whistleblowing

Policy (under 2.3 or 4.1 of the policy) in relation to reporting a matter in accordance with the

policy relating to a CSG or Re service. However it is also acknowledged that Capita staff may

also choose to report such matters under their equivalent Capita ‘Speak up’ Policy. Any

referrals received under the relevant LBB or Capita policy will be notified to the relevant parties

in accordance with the agreed notification timescales detailed within table 2. It is agreed that it

is Capita’s responsibility to actively promote and raise awareness of this within Capita in

accordance with principles of openness and transparency and joint commitment to protect

public funds.

28/01/2014 Page 12 of 48

Contract Clauses

Refer to Appendix H for the fraud contract clauses decision tree.

Contract clause 45.1.8 states that the service provider must respond ‘promptly’ to the

Authority’s enquires. It is agreed within this protocol that LBB and Capita will deem any

enquiries to fall within two categories of urgent and standard and for the purpose of this

protocol would define then as follows:

Category Definition Agreed response

timescale

Urgent The information is critical to an investigation where

any delay could compromise the ability to take legal

action or create an unacceptable risk of loss / harm

to the Council.

Within 24 hours

Standard The information that is required to identify the level

of criminal activity where the continued risk of loss /

harm to the Council is deemed to be medium to low.

Within 5 days

Table 1 definitions

Prevention & Detection

The primary responsibility for the awareness, prevention, detection and deterrence of fraud,

corruption, bribery or money laundering activity lies with the individual services contracted out

on behalf of LBB and not with Capita Group fraud service nor the Council or the Councils

CAFT. The relevant Director’s / Head of service responsibility within Capita includes ensuring

that Capita staff (and partners and subcontractors) are aware of both the implications of fraud,

bribery and money laundering and the risks of fraud, bribery and money laundering across their

service area. LBB will seek assurances from Capita around this responsibility from each of the

services (CSG and Re) within the annual compliance statement.

Internal Fraud relating to a LBB provided service – Reporting, Notification, Investigation

and sanction process

The primary responsibility for the investigation of any suspected fraud, corruption, bribery or

money laundering activity found in a service area lies with both Capita group fraud and the

Council’s CAFT.

Capita group fraud currently operates a staged assessment process of referrals that are

passed to them, and in line with this process both LBB CAFT and Capita have agreed to adopt

the following approach in relation to referrals that are received either Capita group fraud and

related to either the CSG or Re services.

Referral Definition Agreed reporting process and

timescale

Stage 1 Fact finding stage – Capita Monthly report to CAFT

28/01/2014 Page 13 of 48

Stage 2 Requires further investigation Urgent - within

24 hours

Standard -

within 5 days

Stage 3 Requires sanction action (e.g.

disciplinary action/police

intervention/legal action)

A joint assessment of action and

responsibility between Capita and

LBB CAFT on an individual case by

case basis.

Whistleblowing Referral rec’d under Council’s

‘Whistleblowing Policy’ or Capita

‘Speak up’ policy relating to CSG

or Re services.

Urgent - within 24

hours

Standard -

within 5 days

Table 2 Notifications

Retained Council Information Systems / Council data / Access to provided LBB Services

data

The Council’s financial regulations (part 4) state that all CAFT Investigation Officers shall have

authority to:

‘have unrestricted access to, search, and remove any and all records, documents and

correspondence, including electronically held correspondence, documents and records’.

In order to support this requirement Capita will ensure that the CAFT officers have direct

access (high level) to all requested IS systems holding LBB data, including the relevant Capita

systems (and future replacements), and will continue to provide training and support on those

systems to CAFT officers.

All access to systems for CAFT officers will be approved by either the Assistant Director of

Assurance or CAFT Counter Fraud Managers.

Current systems include (but not exclusively limited to):

Incase

Civica

SAP (plus new replacement)

Saffron

Sword fish

Diraq

Wisdom

CM (contact Manger)

Web based systems like:

LOCTA

Equifax

28/01/2014 Page 14 of 48

Call Credit

In relation to LBB retained organisation investigation Capita will provide nominated staff to

provide high level support to CAFT relating to investigations that CAFT may be conducting.

This support normally relates to (but not exclusively) access to LBB staff email / outlook,

including deleted items and recovery of deleted items, files, documents, as well as internet

usage data.

Any such requests will be deemed for CAFT officers will be approved by either the Assistant

Director of Assurance or CAFT Counter Fraud Managers, in writing and be categorised in

accordance with the agreed definitions and reporting timescales within this protocol of ‘urgent’

or ‘standard’.

4. Risk Management

The Council’s primary responsibilities when commissioning services and working in

partnerships is to ensure that the partnership has effective risk management procedures and to

provide assurance that the risks are being identified, prioritised and appropriately managed.

The purpose of risk management in this context is as follows:

To ensure proper identification and understanding of risks associated with a commissioned service including delivery risks, joint risks and retained risks

To support clear allocation of responsibilities for managing and monitoring risk

To agree the risk appetite for management of risks amongst all partners

To align the response to identified risks with corporate priorities

To provide a framework for information sharing regarding risks and performance management

The contract (clause 28.5.2 CSG, 36.5.2 Re) states the contractor ‘shall operate a sound

system of internal control’ including appropriate risk management processes. As per schedule

22 of the contract the service provider should comply with section 4.2 of the Council’s Risk

Management Policy with the providers overall risk management arrangements in an equivalent

policy to be approved by the Council. In order for the Council to maintain its responsibilities for

overseeing the management of risks a collaborative approach for managing, monitoring and

reporting on risk (key or joint) must be agreed. Outlined below are relevant policy and

procedure excerpts from section 4.2 of the Council’s Risk Management Policy.

Currently, Capita has a commitment to use the JCAD system and scoring for all Corporate

Programmes projects; operational risks will be managed according to Capita’s risk

management policy 2which has been reviewed by the Council.

Risk allocation and responsibility

In general it is expected that most risk will clearly be allocated to either the Council or Capita,

however a small number of risks may be joint risks, i.e. a shared risk where both parties have a

role in managing the risk.. Joint risks will be recorded in the Council’s risk management system

2 Capital Non-Financial Service Division Risk Management Policy and Process V2 (July 11)

28/01/2014 Page 15 of 48

(JCAD) with the responsibilities and actions of each party clearly defined. The principles on

how a joint risk will be managed are as follows:

LBB Contract manager will be assigned the risk and facilitate the management and

monitoring of the risk.

The actions tab, in JCAD, will be used to assign and manage activity to individuals

3rd party access to JCAD should be limited and will be considered on a case by case

basis3.

Monitoring Risks

Risks should be managed and monitored regularly as part of business as usual and escalated

whenever required including new emerging risks that would score 12 or more and/or any

serious risk incidents that occur (see Appendix C). Over the course of the service contract it is

likely that the risk profile will evolve therefore provision is made through this protocol to build a

relationship with an open dialog and develop an effective approach, based on common

understanding of risks management (processes and terminology) and of the objectives of the

partnership.

Quarterly contract performance reporting will include risks wholly owned by LBB, joint risks and

significant operational risks (with a rating of 12 or more using LBB’s scoring methodology). The

full LBB risk register (including any risks rated below 12) will be appended to the performance

summary.

Section 4.2 of the Councils Risk Management Policy describes the requirement for an outline

plan for risk management strategy in the forthcoming year. This requirement will be satisfied as

part of liaisons meetings (section 5) where changes to and the effectiveness of risk

management arrangements will be discussed.

5. Liaison Meetings

To ensure effective co-operation between LBB Assurance Group and Capita quarterly liaison meetings will be held for planning, to review programmes of work and discuss other issues of mutual interest. Exceptional meetings will be arranged as appropriate for specific issues or events, e.g. Audit Committee.

The following are examples of areas the liaison meetings will cover by function:

Function Description Expectation

Audit Capita internal audit

plan

Capita will ‘consult with the Authority prior to

finalising’ its Internal Audit annual plan to ensure

that an appropriate level of assurance is available

over the risk areas affecting LBB’s operations.

(Contract clause 28.5.2 (b) CSG / 36.5.2 (b) Re)

Audit Quarterly reporting In order to meet LBB Assurance quarterly reporting

3 3

rd party access is still being investigated so this statement is assuming access is possible and agreed by LBB.

28/01/2014 Page 16 of 48

and Audit Committee deadlines liaison meetings will need to occur at the

most appropriate times during the year.

Capita attendance at Audit Committees may be

required if issues are being reported that involve

Capita in its role as being responsible for delivery of

services on the Council’s behalf.

Audit LBB Assurance and

reliance on Capita

Internal Audit work

During the ‘External Assurance’ work programme if,

in LBB Assurance Group’s judgement, it is unable

to rely on the work undertaken by Capita’s internal

auditors, LBB Assurance shall carry out a risk-

based audit programme in relation to the services

that are being provided by Capita on behalf of the

Council.

Audit External audit’s review

of Capita Internal

Audit’s work

LBB Assurance should be informed of the outcome

of Capita’s external auditors’ review of Capita’s

internal audit service. Any issues or reports

regarding this review should be shared with LBB

Assurance as soon as they are finalised.

Audit Audit Scoping and

ToR

An opportunity to discuss any audits being

undertaken that are of relevance to either party.

If appropriate, LBB Assurance will involve Capita in

any scoping meetings, when agreeing the terms of

reference for the review, during the fieldwork, and

when agreeing the final report.

Audit Compliance,

performance against

audit contract clauses

For audit related clauses – opportunity to discuss

any referrals that LBB Assurance have had to make

to the partnership manager regarding information

not being provided by Capita in line with

requirements.

For other clauses – opportunity to discuss any

concerns raised by the partnership manager or as a

result of audits that have been undertaken.

Risk Risk Management Changes to and the effectiveness of risk

management arrangements. This will be in addition

to the general Corporate Performance Reporting

and contractual Service Performance Reporting

which is managed with the commercial team within

the LBB.

CAFT Anti-Fraud For Fraud related clause – opportunity to discuss

any referrals that have been made in accordance

with the agreed notification process as well as any

relevant on-going anti-fraud or policy compliance

issues.

Table 3: Liaison Meetings

28/01/2014 Page 17 of 48

A timetable of activity is appended to this protocol outlining key dates and meetings for the first

year, with due regard for the dates that Capita Internal Audit quarterly reports will be available,

Audit Committee and Strategic Commissioning Board Assurance dates and how the protocol

will dovetail into these.

Additionally there is a list of documents in Appendix F which will be required initially, upon

finalising the protocol, and on-going.

Effective, timely information sharing is essential; the two parties shall communicate promptly to

the other any significant concerns / exceptions / breaches arising that it is felt should be dealt

with other than through the usual reporting and liaison arrangements set out in this protocol.

When sharing any information both the Freedom of Information Act and the Data Protection Act

requirements shall be observed by both parties. It is recognised that there should not be a need

within the relationship to share personal data unless appropriate to the requirements of both

parties and subject to the controls set out by the Council’s Information Sharing Policy.

28/01/2014 Page 18 of 48

6. Appendix A – Contact Details

London Borough of Barnet Assurance Group

North London Business Park, 1st Floor Building 2

Oakleigh Road South, London N11 1NP

Director of Assurance Maryellen Salter

maryellen.salter@barnet.gov.uk 02083593167

Assurance Assistant Director Clair Green

clair.green@barnet.gov.uk

020 8359 7791

Head of Internal Audit (Chief Internal Auditor)

Caroline Glitre caroline.glitre@barnet.gov.uk

020 8359 3721

Risk Assurance Manager

Courtney Davis courtney.davis@barnet.gov.uk

020 8359 4901

Counter-Fraud Manager

Declan Khan declan.khan@barnet.gov.uk

020 8359 3721

External Auditor Grant Thornton UK LLP

Paul Hughes paul.hughes@uk.gt.com

020 7728 2256

Capita [71 Victoria Street, London, SW1H 0XA]

Finance Director (Audit Liaison Lead - CSG)

Tom Evans tom.evans@capita.co.uk

07824 868650

Commercial Director (Audit Liaison Lead – Re)

Mike Eastwood mike.eastwood@capita.co.uk

07557 287247

Director, Group Internal Audit (HoIA opinion)

Clive Smith clive.smith@capita.co.uk

07917 307988

Director, Group Internal Audit - Non-FS Divisions

Moyra Armstrong moyra.armstrong@capita.co.uk

07917 307991

28/01/2014 Page 19 of 48

Group Director of Risk & Fraud

Chris Terry chris.terry@capita.co.uk

07736 599761

Head of Anti-Fraud & Special Investigations

Debbie Morris debbie.morris@capita.co.uk

07733 361432

Internal Audit Manager (who will be undertaking reviews of LBB

transactions) TBC

External Auditor KPMG

Any liaison of discussions with Capita Auditors should be directed via Tom Evans

7. Appendix B – Transferred Services

CSG Re

Customer Services; Estates; Finance; Human Resources, Payroll and

Pensions; IT Infrastructure and Support; Procurement; Revenues and Benefits; and Corporate Programmes

Planning and Development Management;

Building Control; Land Charges; Environmental Health; Trading Standards and Licensing; Cemetery and Crematorium; Highways; Strategic Planning; and Regeneration

28/01/2014 Page 20 of 48

8. Appendix C – Risk Escalation

Strategic

Commissioning

Board (SCB)

Cabinet

Resource

Committee

Commercial

Contract

Manager

Risk Identified

Delivery Board

Risk

Assurance

Audit

Committee

Approves SCB Risk Register to be

published

Key:

OversightEscalation Decision

Operations

Board

28/01/2014 Page 21 of 48

9. Appendix D: Contract Clauses, Definitions & Policy List

9.1. Contract Clauses

The CSG contract clauses that underpin this protocol are as follows:

28 Service Provider’s Records and Audit [Authority Policy Clause]

45 Termination on Corrupt Gifts and Fraud [Authority Policy Clause]

See these clauses of the CSG contract via the link below:

http://www.barnet.gov.uk/downloads/download/1241/csg_main_contract

Please note that the corresponding clause numbers within the Re contract are 36and 53

respectively and can be seen via the link below:

http://www.barnet.gov.uk/downloads/download/1267/drs_main_contract

9.2. Definitions - Governance Standard

Capita will, in line with contract clause 28.5.1 (CSG) / 36.5.1 (Re), comply with this Governance Standard definition, and will provide a compliance statement by January of each year. This is in order to inform LBB’s Annual Governance Statement and by providing this in January it will allow for any additional audit work to be completed, if required, by LBB by the end of March.

It is expected that Capita will meet the governance standards required to support LBB’s Chief Finance Officer’s responsibilities as per the Council’s constitution.

In broad terms, Capita’s control framework will need to meet control objectives including:

Anti-Fraud

Asset Management

Audit & Assurance Framework

Business Continuity

Data Quality

Equalities

Financial Management

Governance

Health, Safety & Wellbeing

Information Management & Governance

Partnerships

People Management

Performance Management

Procurement & Contracts Management

Project Management

28/01/2014 Page 22 of 48

Risk & Issue Management

The compliance checklist can be found below at 9.3.1 and 9.3.2.

* the spreadsheet that will be completed and returned to LBB Assurance includes further detail

to support the self-assessment of whether the controls in place are effective.

9.3. Governance Standards Compliance checklist

28/01/2014 Page 23 of 48

Responsible Person:

Question Assessment Notes

1.00 Internal Audit

1.01 Audit arrangements are in line with section 2 of the protocol

2.00 Anti-Fraud

2.01 Anti-Fraud arrangements are in line with section 3 of the protocol

3.00 Risk Management

3.01 Risk management arrangements are in line with section 4 of the protocol

4.00 Performance Management & Data Quality

4.01 There is a Performance Management Framework in place that has been approved by the Council and there is evidence of this approval

As required by the contract Schedule 22

4.02 Baselines set for performance indicators are supported by robust data sets

4.03 Performance against contractual PIs, KPIs and Super KPIs is regularly monitored and reviewed by senior personnel

4.04

The delivery unit complies with the Council's Data Quality policy and can evidence checks of this compliance

As required by the contract Schedule 22

4.05

Systems and processes are fit for purpose and adequate and effective controls are in place during the input, reporting and output of data

Controls are in place to ensure the performance data reported to the Council meets the Council's Data Quality requirements of:

4.06 Accuracy – data is without errors, and adheres precisely to any applicable definition.

9.3.1 CSG Governance Standards – extract*

28/01/2014 Page 24 of 48

4.07 Reliability – data reflects stable and consistent collection and capture processes across collection points and over time. These processes should minimise manual intervention and maximise the automation of data collection and manipulation.

4.08 Timeliness – data is captured as quickly as possible after the event or activity, and is used in a timely fashion.

4.09 Relevance – data is applicable to the issue and provides the answers needed

4.10 Completeness – data collected and captured comprises of all necessary elements

4.11 A clear audit trail – a documented process for obtaining and using the data, which is understood by all involved in producing the data, and is accessible to those who rely on the data or have an interest in it. Clear and complete audit trails must be maintained to demonstrate accuracy for all data used for decision-making.

4.00 People Management

4.01 All relevant staff are aware of the responsibilities under the Council's HR regulations and have been adequately trained to discharge those responsibilities

As required by the contract Schedule 22 - HR Regulations are part of the Council's constitution

Click here for HR regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8923/UHRRegulations.doc.pdf

4.02 HR policies and procedures are in place and are updated in line with legislative or other required changes

4.03 Changes to HR policies and procedures for LBB are approved by the Council

4.04 HR Business Partners are fully aware of HR policies and procedures, and communicate these to officers across the Council

28/01/2014 Page 25 of 48

4.05 HR Business Partners provide support to officers across the Council to facilitate the correct application of HR policies and procedures

4.06 HR Business Partners provide officers across the Council with the data, access to systems or reports they need to manage performance within their delivery unit

4.07 Safer Recruitment - corporate pre-employment checks and agreed recruitment protocols are being followed. On-going Safeguarding checks are undertaken for current employees

4.08 Organisational structures which reflect the composition of the Council's workforce and current vacancies are up to date and accurate.

4.09 Roles & Responsibilities across the Council are clearly defined and supported by up to date job descriptions

5.00 Financial Management

5.01 All relevant staff are aware of the responsibilities under part four of the Council's financial regulations and have been adequately trained to discharge those responsibilities

As required by the contract Schedule 22 - Financial Regulations are part of the Council's constitution

Click here for Financial regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8919/RAmendedFinancialRegulations030513.doc.pdf

5.02 Financial Management policies and procedures are in place and are updated in line with legislative or other required changes

5.03 Changes to Financial Management policies and procedures for LBB are approved by the Council

5.04 Finance Business Partners are fully aware of Financial Management policies and procedures, and communicate these to officers across the Council

28/01/2014 Page 26 of 48

5.05 Finance Business Partners provide support to officers across the Council to facilitate the correct application of Finance policies and procedures

5.06 Finance Business Partners provide officers across the Council with the data, access to systems or reports they need to manage delivery unit budgets

5.07 The Key Financial System services below, which CSG provides on the Council's behalf, have been audited by Capita Internal Audit within the past 12 months.

Where this is not the case, please confirm what assurance you have obtained over risk and key controls for those systems. See links to separate tabs for:

5.08 Treasury Management

5.09 Pension Fund Management

5.10 Payroll

5.11 Cashbook

5.12 Fixed Assets

5.13 Income and Debt Management

5.14 Accounts Payable

5.15 Financial transactions within the finance service are processed through SAP (until replacement finance system introduced in April 2014), or written approval has been obtained via the Customer Services and Information Management Board agreeing to the use of other systems.

5.16 Reconciliations are undertaken between the systems that feed into the Annual accounts (e.g. Housing Benefit, Council Tax, NNDR) and the main accounting system.

5.17 Any issues identified through the reconciliation process are addressed in a timely manner.

5.18 IT general and application controls over the general ledger are designed and operating effectively, as assessed by External Audit

5.19 Staff ensure that adequate procedures are in place to maintain proper accounting records and entries in them are properly authorised.

28/01/2014 Page 27 of 48

5.20

There is a timetable in existence to support the closure of the Council's annual accounts. This includes key milestones and appropriate liaison with external audit.

6.00 Asset Management

6.01 All relevant staff are aware of the responsibilities under parts 4 (Financial Management including Capital) and 5.6 (Assets) of the Council's financial regulations and have been adequately trained to discharge those responsibilities

As required by the contract Schedule 22 - Financial Regulations are part of the Council's constitution

Click here for Financial regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8919/RAmendedFinancialRegulations030513.doc.pdf

6.02

All relevant staff are aware of the responsibilities under the Council's Management of Asset, Property and Land Rules and have been adequately trained to discharge those responsibilities

Click here for The Management of Asset, Property and Land Rules (revised May 2013): http://barnet.moderngov.co.uk/documents/s8922/TAssetsPropertyandLandRulesv1020130320.doc.pdf

As required by the contract Schedule 22 - The Management of Asset, Property and Land Rules are part of the Council's constitution

Asset Management policies and procedures are in place and are updated in line with legislative or other required changes

Changes to Asset Management policies and procedures for LBB are approved by the Council

28/01/2014 Page 28 of 48

Estates staff are fully aware of Asset Management policies and procedures, and communicate these to officers across the Council as required

Estates staff provide support as required to officers across the Council to facilitate the correct application of Asset Management policies and procedures

Estates staff provide officers across the Council with any data, access to systems or reports they need to manage delivery unit assets

The Fixed Asset Register is up to date and systems to support this aim are adequate

Rent reviews are processed in a timely fashion through SAP (until replacement finance system introduced in April 2014) to ensure rent data is complete and accurate

There are clear links between the CSG Estates function and the CSG Finance function and respective roles and responsibilities are clear

8.00 Governance

8.01 The service provider has corporate governance arrangements in place that are in line with the recommendations of the Cadbury report

http://www.icaew.com/en/library/subject-gateways/corporate-governance/codes-and-reports/cadbury-

report

8.02 Staff conduct themselves in line with the Nolan principles of public life i.e. Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty, Leadership

http://www.public-standards.gov.uk/

28/01/2014 Page 29 of 48

8.03 All relevant staff are aware of the Council's decision making processes, as defined in the Constitution Part 1 and Article 12, and adhere to these processes:

As required by the contract Schedule 22 - Decision making processes are part of the Council's constitution

Click here for Part 1 of the Constitution (revised May 2013): http://barnet.moderngov.co.uk/documents/s8895/Part%201%20-%20Decision%20Making.pdf

Click here for Article 12 of the Constitution (revised May 2013) http://barnet.moderngov.co.uk/documents/s8907/HArticle12DecisionMaking.doc.pdf

8.04 Assurances are obtained that the Constitutional decision making processes are being followed.

8.05 There is a staff Code of Conduct / Code of Ethics in place and staff adherence to these requirements is monitored.

8.06 Anti-Bribery arrangements are in place and the Council's Bribery Policy Statement and Procedure are complied with. As required by the contract Schedule 22

8.07 Legislation - The impact of new legislation on the delivery unit is considered in a formal and structured way and the response clearly documented.

8.08 Equalities - The delivery unit complies with an Equalities Policy which the Council has approved As required by the contract Schedule 22

8.09 Equalities - The Equalities duty is complied with i.e. the duty to consult

9.00 Procurement & contracts management

28/01/2014 Page 30 of 48

9.01 All procurement undertaken on behalf of the Council is done so in accordance with the requirements of the Council's Contract Procedure Rules

As required by the contract Schedule 22 - Contract Procedure Rules are part of the Council's constitution

Click here for Contract Procedure Rules (CPRs) (revised May 2013): http://barnet.moderngov.co.uk/documents/s8920/SContractProcedureRulesFinal130513.doc.pdf

9.02 The Code of Procurement Practice, including the '10 essentials that must be followed when carrying out Procurement', is understood and adhered to by staff undertaking procurement activities on behalf of the Council

As required by the contract Schedule 22 - the Code of Procurement Practice is part of the Council's constitution

Click here for the Code of Procurement Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8921/S2ProcurementCodeofPracticeRevisionv06100313.doc.pdf

9.03 Procurement policies and procedures are in place and are updated in line with legislative or other required changes

9.04 Changes to Procurement policies and procedures for LBB are approved by the Council

9.05 Procurement Business Partners are fully aware of Procurement policies and procedures, and communicate these to officers across the Council

28/01/2014 Page 31 of 48

9.06 Procurement Business Partners provide support to officers across the Council to facilitate the correct application of Procurement policies and procedures and best practice regarding contract management

9.07 Procurement Business Partners provide officers across the Council with the data, access to systems or reports they need to manage delivery unit contracts

9.08 Conflicts of interest are effectively managed when letting contracts. There is Monitoring and Control of the Conflict of Interest Protocol and Register (Sch 31) and staff compliance with this.

9.09 Supply chain risks are considered and controls are in place to mitigate these risks

9.10 All contracts and consultancy arrangements clearly identify the key deliverables, SLAs and performance monitoring processes that demonstrate that the Council receives best value

9.11 All contracts are recorded on a central Contracts Register by the Procurement function of CSG. This is kept fully up to date.

9.12 There is a clear contract renewal process and this is undertaken in a timely manner.

10.00

Information Management & Governance

10.01

Processes are in place to ensure staff are aware of their responsibilities in dealing with personal data and work in accordance with the Data Protection Act.

10.02

Data loss breaches are reported for assessment and dealt with appropriately in line with the Council's Data Protection Incident Reporting Procedure.

As required by the contract Schedule 22

10.03

Procedures are in place to review all records in line with DPA and the Council's Information Management Policy. As required by the contract Schedule 22

28/01/2014 Page 32 of 48

10.04

Staff are aware of and adhere to the Information Governance Framework policies that should be complied with under the contract schedule 'Authority's Policies'. Where the service provider should have an equivalent policy to be approved by the Council, this approval can be evidenced

As required by the contract Schedule 22

11.00

Project Management

11.01

All key projects in the delivery unit have been identified and Corporate Programmes are aware

11.02

There is a Project Management policy in place which is in line with the One Barnet Project Toolkit and best practice, for example the Prince II methodology.

11.03

The Project Management policy is kept up to date in line with best practice

11.04

Key documents outlined in the Council's One Barnet's project methodology are in place, for example a business case. These are reviewed, agreed and signed off by relevant project members and stakeholders.

11.05

Project Management outputs e.g. Business Cases are fit for purpose and can be relied upon by decision makers

11.06

Checks are made that the Project Management policy is being applied consistently in practice

12.00

Partnerships

12.01

Partnership working with other Delivery Units and other public sector bodies is effective; the cross-cutting strategic KPIs within the contract are met

13.00

Business Continuity Plans

13.01

Delivery Unit has an up-to-date BC plan(s) including a list of all key contacts covering key / critical staff, partners and suppliers.

13.02

All staff are aware of the plan and how to respond in the event the plan is activated.

13.03

These BC plans have recently been tested/exercised.

28/01/2014 Page 33 of 48

14.00

Health, Safety and Wellbeing

14.01

Risk Assessments of work activities and premises are carried out and the plan is risk-based.

14.02

Premises audits are completed and the schedule is risk-based.

14.03

Health & Safety policies and procedures are in place and are updated in line with legislative or other required changes

14.04

Where the service provider should have equivalent Health & Safety policies to be approved by the Council, this approval can be evidenced

As required by the contract Schedule 22

14.05

Changes to Health & Safety policies and procedures for LBB are approved by the Council

15.00

Other significant Internal Control Issues

15.01

Apart from the issues raised above, are there any significant control or other matters arising in your Delivery Unit which could adversely affect the signing of the Council's Annual Governance Statement (AGS)? E.g. Fraudulent activity, major overspends, European contract non-compliance; non-compliance with any other policies, laws or regulations. Please provide details below and assess as per the above questions.

28/01/2014 Page 34 of 48

Responsible Person:

Question Assessmen

t Notes

1.00 Internal Audit

1.01 Audit arrangements are in line with section 2 of the protocol

2.00 Anti-Fraud

2.01 Anti-Fraud arrangements are in line with section 3 of the protocol

3.00 Risk Management

3.01 Risk management arrangements are in line with section 4 of the protocol

4.00 Performance Management & Data Quality

4.01 There is a Performance Management Framework in place that has been approved by the Council and there is evidence of this approval

As required by the contract Schedule 33 - Authority's Policies

4.02 Baselines set for performance indicators are supported by robust data sets

4.03 Performance against contractual PIs, KPIs and Super KPIs is regularly monitored and reviewed by senior personnel

9.3.2. Re Governance Standards – extract*. DRAFT – subject to finalisation

28/01/2014 Page 35 of 48

4.04

The delivery unit complies with the Council's Data Quality policy and can evidence checks of this compliance

As required by the contract Schedule 33

4.05

Systems and processes are fit for purpose and adequate and effective controls are in place during the input, reporting and output of data

Controls are in place to ensure the performance data reported to the Council meets the Council's Data Quality requirements of:

4.06 Accuracy – data is without errors, and adheres precisely to any applicable definition.

4.07 Reliability – data reflects stable and consistent collection and capture processes across collection points and over time. These processes should minimise manual intervention and maximise the automation of data collection and manipulation.

4.08 Timeliness – data is captured as quickly as possible after the event or activity, and is used in a timely fashion.

4.09 Relevance – data is applicable to the issue and provides the answers needed

4.10 Completeness – data collected and captured comprises of all necessary elements

4.11 A clear audit trail – a documented process for obtaining and using the data, which is understood by all involved in producing the data, and is accessible to those who rely on the data or have an interest in it. Clear and complete audit trails must be maintained to demonstrate accuracy for all data used for decision-making.

5.00 Asset Management

28/01/2014 Page 36 of 48

5.01 Asset Management policies and procedures are in place and are updated in line with legislative or other required changes

5.02 The Fixed Asset Register is up to date and systems to support this aim are adequate

6.00 Governance

6.01 All relevant staff are aware of the Council's decision making processes, as defined in the Constitution Part 1 and Article 12, and adhere to these processes:

As required by the contract Schedule 33 - Decision making processes are part of the Council's constitution

Click here for Part 1 of the Constitution (revised May 2013): http://barnet.moderngov.co.uk/documents/s8895/Part%201%20-%20Decision%20Making.pdf

28/01/2014 Page 37 of 48

Click here for Article 12 of the Constitution (revised May 2013) http://barnet.moderngov.co.uk/documents/s8907/HArticle12DecisionMaking.doc.pdf

6.02 There is a staff Code of Conduct / Code of Ethics in place and staff adherence to these requirements is monitored.

6.03 Anti-Bribery arrangements are in place and the Council's Bribery Policy Statement and Procedure are complied with. As required by the contract Schedule 33

6.04 There is an up to date Scheme of Delegation in place for the delivery unit and this is adhered to.

6.05 Planning - all relevant staff are aware of the requirements of the Council's Members' Planning Code of Practice.

Click here for Members' Planning Code of Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8925/WMembersPlanningCodeofPractice.doc.pdf

6.06 Licensing - all relevant staff are aware of the requirements of the Council's Members' Planning Code of Practice.

Click here for Members' Planning Code of Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8925/WMembersPlanningCodeofPractice.doc.pdf

6.07 Legislation - The impact of new legislation on the delivery unit is considered in a formal and structured way and the response clearly documented.

6.08 Equalities - The delivery unit complies with an Equalities Policy which the Council has approved As required by the

28/01/2014 Page 38 of 48

contract Schedule 33

6.09 Equalities - The Equalities duty is complied with i.e. the duty to consult

7.00 Procurement & contracts management

7.01 Internal Audit can provide assurance over the Procurement and Contract Management of the delivery unit

7.02 Procurement policies and procedures are in place and are updated in line with legislative or other required changes

7.03 Conflicts of interest are effectively managed when letting contracts. There is Monitoring and Control of the Conflict of Interest Protocol and Register (Sch 28) and staff compliance with this.

7.04 Supply chain risks are considered and controls are in place to mitigate these risks

7.05 All contracts and consultancy arrangements clearly identify the key deliverables, SLAs and performance monitoring processes that demonstrate that the JV receives best value

7.06 There is a clear contract renewal process and this is undertaken in a timely manner.

8.00 Information Management & Governance

8.01

Processes are in place to ensure staff are aware of their responsibilities in dealing with personal data and work in accordance with the Data Protection Act.

8.02

Data loss breaches are reported for assessment and dealt with appropriately in line with the Council's Data Protection Incident Reporting Procedure.

As required by the contract Schedule 33

8.03

Procedures are in place to review all records in line with DPA and the Council's Information Management Policy. As required by the contract Schedule 33

8.04

Staff are aware of and adhere to the Information Governance Framework policies that should be complied with under the contract schedule 'Authority's Policies'. Where the service provider should have an equivalent policy to be approved by the Council, this approval can be evidenced

As required by the contract Schedule 33

28/01/2014 Page 39 of 48

9.00 Project Management

9.01 All key projects in the delivery unit have been identified and Corporate Programmes made aware

9.02 There is a Project Management policy in place which is in line with the One Barnet Project Toolkit or best practice, for example Prince II.

9.03 The Project Management policy is kept up to date in line with best practice

9.04 Key documents outlined in the Council's One Barnet's project methodology are in place, for example a business case. These are reviewed, agreed and signed off by relevant project members and stakeholders.

9.05 Project Management outputs e.g. Business Cases are fit for purpose and can be relied upon by decision makers

9.06 Checks are made that the Project Management policy is being applied consistently in practice

10.00 Partnerships

10.01

Partnership working with other Delivery Units and other public sector bodies is effective; the cross-cutting strategic KPIs within the contract are met

11.00 Business Continuity Plans

11.01 Delivery Unit has an up-to-date BC plan(s) including a list of all key contacts covering key / critical staff, partners and suppliers.

11.02 All staff are aware of the plan and how to respond in the event the plan is activated.

12.03 These BC plans have recently been tested/exercised.

13.00 Health, Safety and Wellbeing

13.01 Risk Assessments of work activities and premises are carried out and the plan is risk-based.

13.02 Premises audits are completed and the schedule is risk-based.

13.03 Health & Safety policies and procedures are in place and are updated in line with legislative or other required changes

28/01/2014 Page 40 of 48

13.04

Where the service provider should have equivalent Health & Safety policies to be approved by the Council, this approval can be evidenced

As required by the contract Schedule 33

13.05 Changes to Health & Safety policies and procedures for LBB are approved by the Council

14.00 Other significant Internal Control Issues

14.01 Apart from the issues raised above, are there any significant control or other matters arising in your Delivery Unit which could adversely affect the signing of the Council's Annual Governance Statement (AGS)? E.g Fraudulent activity, major overspends, European contract non-compliance; non-compliance with any other policies, laws or regulations. Please provide details below and assess as per the above questions.

28/01/2014 Page 41 of 48

9.4. Definitions – Assurance and priority ratings

9.4.1. LBB Assurance:

The following is a guide to the assurance levels given:

Substantial

Assurance

There is a sound system of internal control designed to achieve the system objectives.

The control processes tested are being consistently applied.

Satisfactory

Assurance

While there is a basically sound system of internal control, there are weaknesses, which put some of the client’s objectives at risk.

There is evidence that the level of non-compliance with some

of the control processes may put some of the system

objectives at risk.

Limited Assurance Weaknesses in the system of internal controls are such as to put the client’s objectives at risk.

The level of non-compliance puts the system objectives at

risk.

No Assurance Control processes are generally weak leaving the

processes/systems open to significant error or abuse.

Significant non-compliance with basic control processes leaves

the processes/systems open to error or abuse.

Priorities assigned to recommendations are based on the following criteria:

High – Fundamental issue where action is considered imperative to ensure that the

Council is not exposed to high risks; also covers breaches of legislation and policies

and procedures. Action to be effected within 1 to 3 months.

Medium – Significant issue where action is considered necessary to avoid exposure to

significant risk. Action to be effected within 3 to 6 months.

Low – Issue that merits attention/where action is considered desirable. Action usually to

be effected within 6 months to 1 year.

9.4.2. Capita:

Audit Classification

The following are descriptions of audit classifications used:

Satisfactory: No high risk weaknesses were identified in the system and no significant areas of non-

compliance with policy or procedures were noted. Improvements may have been advised to improve or

strengthen existing controls.

28/01/2014 Page 42 of 48

Improvement Required: There are medium risk weaknesses in control that, although individually do not

pose a high risk, when taken together indicate a control environment that requires attention.

Significant Improvement Required: There are one or more high risk weaknesses in control, or several

medium risk weaknesses, that expose the Business Unit to a high level of overall risk requiring prompt

action.

Unsatisfactory: There are one or more critical weaknesses in control, or several high risk weaknesses,

exposing the Business Unit to a very high overall level of risk.

Risk Ratings

Each reported finding is assigned a risk rating of Critical, High, Medium or Low as follows:

Critical: Critical control weakness requiring immediate action as it exposes the Business to a very high

risk of imminent significant financial loss, reputational, or severe legal/regulatory sanctions.

High: Control weakness requiring prompt action as it exposes the Business to a high risk of significant

financial loss, reputational damage, or severe legal/regulatory sanctions.

Medium: Control weakness that should be addressed as it exposes the Business to some risk of

financial loss, reputational damage, or legal/regulatory sanction.

Low: Basic internal controls are adequate but improvements could be made to bring procedures in line

with current industry best practice.

9.5. Policy List

See Schedule 22 (CSG): Authorities Policies via the link below

http://www.barnet.gov.uk/downloads/download/1241/csg_main_contract

See Schedule 33 (Re): Authorities Policies via the link below

http://www.barnet.gov.uk/downloads/download/1272/schedules_5-33

28/01/2014 Page 43 of 48

10. Appendix E – Annual Timetable of Activity

The annual timetable of activity amalgamates both LBB’s and Capita’s key planning, reporting

and meeting dates in an effort to coordinate activities, schedule liaison meetings and create a

forward plan of assurance deliverables (see Table 3 Liaison Meetings). The annual timetable of

activity will be produced in quarter one and be the basis of the first liaison meeting of each

year.

The following outlines key information required for developing the timetable.

10.1. Planning

10.1.1. LBB Assurance

Audit & CAFT planning cycle Risk based planning – January 2014 to

March 2014

Internal Audit and Anti-Fraud Strategy &

Annual Plan and Risk Management

Approach

Goes to Audit Committee April 2014

Risk Management Framework Goes to Audit Committee April 2014

Annual Audit Opinion Goes to Audit Committee July 2014

CAFT Annual Report Goes to Audit Committee July 2014

Annual Governance Statement Goes to Audit Committee July 2014

10.1.2. Capita

Annual Audit Planning Risk based planning – August to October

2013

GIA Annual Plan 2014 Presented to Group Audit Committee

November 2013

Risk Management Framework

Annual Audit Opinion Goes to Audit Committee May 2014

10.2. Reporting and Meeting Dates

10.2.1. LBB

The primary LBB Assurance meetings are Strategic Commissioning Board (SCB) Assurance

and Audit Committee. The calendar of Council meetings, including Audit Committee, is agreed

at Full Council in May. SCB Assurance meets bi-monthly.

28/01/2014 Page 44 of 48

Standard clearance and circulation is 10 working days for reports.

The following table outlines the key remaining dates in this financial year. For the purposes of

clearing LBB Assurance quarterly reports for Audit Committee, these are first taken to SCB

Assurance therefore the corresponding Quarter that will be reported to each meeting has been

included.

LBB Quarter to be

reported

SCB Assurance Audit Committee

Q2

Thursday 24 October

Q3 Tuesday 26th November

Tuesday 28 January

Tuesday 21st January

Q4 Tuesday 18th March

Tuesday 29 April

10.2.2. Capita

Group Audit and Risk Committee

February 25th 2014

May 27th 2014

July 22nd

2014

November 25th 2014

[Timetable to be produced, needs to consider audit annual planning cycle – start and end

dates, LBB Assurance receiving Capita finalised plan, LBB Assurance receiving Capita HoIA

opinion etc]

11. Appendix F – Documents Checklist

Documents required at time of agreeing protocol

1. Capita draft 2014 Internal Audit plan relating to services delivered to Barnet

28/01/2014 Page 45 of 48

2. Capita Risk Management Policy 3. Capita Fraud Policy 4. Capita Bribery Policy 5. Capita Anti-Money Laundering Policy 6. Capita Whistle Blowing Policy

Documents required to inform LBB Assurance assessment of reliance on Capita

internal audit

7. Capita Internal Audit Terms of Reference / Charter 8. Capita Internal Audit latest reporting of performance against audit plan 9. Capita Internal Audit accreditation and quality reports (e.g. ISO standards) if

applicable 10. Latest Capita Internal Audit review of compliance with Internal Audit Standards 11. Latest Capita Annual Report (LBB Assurance will be seeking assurance from the

Governance section for example), usually published in April 12. Other documents as agreed between the parties

On-going documents required

1. Internal Audit quarterly reports on LBB services (within 15 days of agreed quarterly date i.e. 1st April, 1st July, 1st October, 1st January)

2. Internal Audit quarterly reporting of progress against audit plan (if separate to quarterly report)

3. Annual Head of Internal Audit Opinion 4. Internal Audit annual plan 5. Other documents as agreed between the parties

28/01/2014 Page 46 of 48

12. Appendix G: Internal Audit Decision Tree

Internal Control Environment Assurance

Governance Standard Compliance Statement

Received by March each year

No

Accuracy test: Cross reference against client

side. Internal control environment sound?

Concern re: control environment or services -

Invoke 28.6.1

Escalate to contract manager Does provider

have their own internal audit

function? (28.5.2a)

Audit Plan Consulted Submitted – 28.5.2 band c

Raise concernsVia 28.6.1

Yes

No

Yes

Note: consider timing with client side

Assurances received regarding adequacy of

internal control environment

No YesInforms HoIA

opinion

Yes NoCarry out risk based

audit programme based on 28.5.4

Yes

No

Can audit plan be relied on for wider assurance? (Assessed via External Assurance framework)

Escalate to contract manager

Does audit plan provide sufficient coverage on

LBB transactions?

Informs HoIA opinion

Yes

No

Relevant internal audit reports submitted (25.5.2

d, e, f)

Yes

Concerns over sufficiency or accuracy

No

Yes

Informs HoIA opinion

Raise concernsConcerns rectified?

Yes

NoRisk based audit

via 28.5.4 (a)

Clauses Key (note the clause numbers here refer to the CSG contract):

28.5.2:

A: Establishing its own internal audit function B: Consultation with the Authority prior to finalising its

Annual Internal Audit Plan C: Submit its own Annual IA Plan by the end of April in

each contract year D: Submit IA reports within 15 Business Days of the

agreed quarterly date E: Limited or no assurance submitted within 5 working

days F: Undertake yearly audits of all IPR used in the

performance of the Services

28.5.4:Risk-based audit - Capita bears cost – longer timeframe

A: The Service Provider doesn’t have an internal audit service

B: The Service Provider has an internal audit service but the Authority's internal audit service is unable to rely on the audits and work carried out by the Service Provider’s internal audit service

28.6.1 – Audit - Bear respective costs – shorter timeframe

The Authority or its appointed Auditor may, upon no less than two Business Days, notice where the Authority has concerns in respect of the Services, and ten Business Days notice in all other circumstances.

28th November 2013Date: 28/11/13

28/01/2014 Page 47 of 48

13. Appendix H: CAFT Decision Tree

Notify the Authority directly

The Authority has the power to audit books,

records and any relevant documents

under clause 45.1.8.The

End of process; recommendations to be made

45.1.10 – rules of termination

Fraud is suspected. –

see 45.1.2

Fraud is known to have been

committed. See 45.1.7

All loss is recovered

under clause 45.1.3

The Service Provider must

give any reasonable

assistance to any

investigation undertaken by the Authority –

see 45.1.5.a

Loss is not recovered

Final termination –

see 45.1.12

The Authority has the power to terminate the contract if there has been a breach of

45.1.4. Power to terminate agreement

is stated under 45.1.9

See 45.1.11End process;

recommendations to be made

Verify that the Service

Provider, or a related party,

agent or shareholder, has breached clause 45.1.4

Escalate to Contract Manager

28/01/2014 Page 48 of 48

CAFT Decision Tree Clauses