The purpose of this progress report is to inform members of the work completed by Internal Audit between 1 April 2023 and 30 June 2023.
Minutes:
Item 8 was taken before item 6.
Witnesses:
David John - Audit Manager
Paul Fielding - IT Audit Manager
Russell Banks - Orbis Chief Internal Auditor
David Mody - Head of Strategic Risk
Anna D’Alessandro - Director of Corporate Finance and Commercial
Key points raised in the discussion:
1. The Audit Manager highlighted that twenty-four audits had been completed, including three Partial Assurance opinions (two were schools) and no Minimal Assurance opinions. He noted the breadth of the assurance work which demonstrated that the Annual Audit Plan 2023/24 was responsive to the Council’s strategic priorities; additional unplanned audits had also been undertaken. No audits had been removed from the audit plan and the contingency budget enabled new audits to be added so that emerging risks could be addressed. There was a healthy relationship between the Council’s management team and Internal Audit.
2. A Committee member noted that Cyber Security had a Reasonable Assurance opinion and asked whether there was any risk of a cyber security failure in the future. The Audit Manager noted that it was a massive risk and was escalating given international tensions. The IT Audit Manager added that the Cyber Security audit looked at the Council’s response and resilience, looking at access control, information governance and data storage. Cyber was a fast moving, evolving threat and the teams were constantly working towards increasing the Council’s resilience.
3. As a supplementary question the Committee member noted that there was little information about what might occur in local government in terms of a cyber-attack. She asked how the Council’s staff were made aware of the problems that might arise and what type of cyber-attack would be likely. The Orbis Chief Internal Auditor noted that Internal Audit carried out specific pieces of work in relation to cyber, as well as other IT-related audits that had a cyber security element. Individual services managed the awareness of the relevant risks internally. He noted that it would be difficult for the Council to prevent a cyber-attack from a foreign power given the technology and expertise, therefore the focus was on the Council’s response via its business continuity arrangements; the Head of Strategic Risk noted that was why cyber-attacks were a top corporate risk. The Audit Manager highlighted an online article about the effects of a recent cyber-attack by a private hacking group on Hackney Council which cost them £12 million.
4. A Committee member referred to section 3: Action Tracking whereby the Committee received updates on high priority actions, he asked whether medium and low priority actions were tracked and how it was known that they were being completed. He asked whether follow-up audits on high priority actions were guaranteed. The Orbis Chief Internal Auditor noted that Internal Audit balanced its resources by tracking high priority actions only, it reported its findings and agreed a responsible owner and timescale; management had the responsibility for maintaining the control environment. The expectation was that services and teams had their own arrangements for tracking and implementing their medium and low priority actions. Internal Audit’s policy was that it would follow up audit opinions that resulted in either Partial or Minimal Assurance, continuing to do so until they reached at least Reasonable Assurance. In some cases, follow up work was conducted for high-risk areas given Reasonable Assurance. The implementation of high, medium and low priority actions was reviewed in follow-up audits.
5. As a supplementary question the Committee member asked how the Council was assured that management tracked and followed up the medium and low priority actions within the individual services and teams. The Orbis Chief Internal Auditor noted that action tracking and assurance of implementation arrangements varied between directorates. He noted that the audit plan contained audits selected based on risk, whilst some areas such as financial systems were audited regularly.
6. As a supplementary question the Committee member asked whether there was a consolidated register of medium and low priority actions so Internal Audit could receive confirmation of completed actions. The Audit Manager explained that in the run up to preparing the annual report, his team went through the list of medium and low priority actions and checked with the responsible officers that they had been implemented; there was also periodic sampling of actions. In the last two years Internal Audit had not found anything to notify the Committee about.
7. As a supplementary question the Committee member queried why, if individual services and teams were responsible for completing the medium and low priority actions, they did not report back to Internal Audit on their completion rather than Internal Audit having to chase. The Orbis Chief Internal Auditor would consider that suggestion; he noted that currently Internal Audit was considering undertaking work looking at how each individual directorate managed its monitoring of the completion of medium and low priority actions. Internal Audit would rather seek to be assured that each directorate had their own arrangements in place for satisfying themselves that their medium and low priority actions were being implemented. The Vice-Chairman added that ownership by the directorates was healthy.
8. A Committee member referred to Appendix A, paragraph 1.55 asking for clarification on any payment exceeding £100,000 only requiring approval from just one senior officer, he presumed that referred to the payment rather than the approval. The Director of Corporate Finance and Commercial explained that it was the final release of the approval of the BACS (Bankers' Automated Clearing Services) run, not the approval of the payment; there were many controls in place over payments.
9. A Committee member asked whether the Internal Audit team was fully staffed. The Orbis Chief Internal Auditor noted that the team had ongoing vacancies; there had been several internal promotions and arrangements were in place to cover a retiring member of staff, two new members of staff would join in October and they had recently engaged a new agency contractor to provide some support. Further recruitment would be undertaken later in the year and whilst there was a risk of not being able to fill the vacancies, the agency contractor was in place. The team was investing heavily in staff training and qualifications concerning entry level staff.
10. As a supplementary question the Committee member asked how the continuing vacancy situation impacted Internal Audit’s ability to complete the audit plan. The Orbis Chief Internal Auditor explained that the target was to deliver 90% of the audit plan and to deliver 90% of the planned audit days to each of the Orbis clients; falling below that the Committee would be notified. That target was met last year despite the vacancies, the team was hopeful of meeting those targets again this year. Whilst delivering 100% was the ultimate target, resourcing was a national challenge. The Orbis partnership smoothed the impact of those resourcing challenges, at peak points partners put in additional resources to help one another to address specific challenges faced - such as implementing MySurrey.
11. The Chairman asked when the Surrey Pension Fund Banking Controls interim follow-up audit would be completed. The Audit Manager hoped that opinion could be given by the end of the financial year, the issues primarily revolved around the interface between that system and MySurrey, that was being worked upon.
12. The Chairman referred to the Pendell Camp Paperwork noting that the tenancy documentation had gone missing and asked what action had been taken, particularly if that might affect the planning decision. The Audit Manager noted that Internal Audit looked at how it had gone missing, Legal Services was looking at the potential consequences and the next steps.
13. A Committee member referred to Birmingham City Council’s recent bankruptcy in part due to the expense of settling equal pay claims, she recalled from previous year's accounts that Surrey County Council had made provision for that, and she asked whether that was correct. The Strategic Finance Business Partner noted that there had been a provision several years ago and she would follow that up.
RESOLVED:
That the Committee noted the report.
Actions/further information to be provided:
1. A20/23 - The Orbis Chief Internal Auditor will consider the suggestion around individual services and teams which were responsible for completing the medium and low priority actions, reporting back to Internal Audit on their completion rather than Internal Audit having to chase.
2. A21/23 - The Strategic Finance Business Partner will provide a response on the Council’s provision made several years ago in its accounts around equal pay claims.