Agenda item

INTERNAL AUDIT PROGRESS REPORT - QUARTER 3

The purpose of this progress report is to inform Members of the work completed by Internal Audit between 1 October 2023 and 31 December 2023.

 

The current annual plan for Internal Audit is contained within the Internal Audit Strategy and Annual Plan 2023-24, which was approved by this Committee on 8 March 2023.

 

Minutes:

Witnesses:  

 

David John, Audit Manager

Paul Evans, Director of Law and Governance, and Monitoring Officer

Simon White, Audit Manager - Counter Fraud

Paul Fielding, IT Audit Manager

 

Key points raised in the discussion:

 

1.    The Audit Manager outlined the breakdown of the twenty completed assignments in the last quarter; the level of assurance was fairly high. He referred to the two Partial Assurance audits: Schools Alliance for Excellence (SAfE) Contract and Unofficial School Funds (USFs). Regarding the SAfE Contract, there were no issues with the quality of the service being delivered; the issues were around internal contract management processes and, due to Covid-19, an insufficient level of input from procurement. The service had been responsive in agreeing actions to address the weaknesses identified, and a follow-up audit would take place in next year's plan. Regarding USFs, the audit had been scheduled in response to the £500,000 fraud case at Hinchley Wood Primary School, to ensure that the process set out in the Schools Finance Manual is transparent, robust, and followed good practice. The problem was the low level of assurance to the Council that schools had got the funds properly under control and that schools finance colleagues know what the balances being held were and how they were examined. Actions had been agreed and, once schools are up to speed with that guidance, a follow-up audit would be undertaken late in the next financial year.

2.    The Audit Manager highlighted the Surrey Fire & Rescue Service (SFRS) Contract Management Arrangements Follow-Up audit which had an upgraded opinion from Partial to Reasonable Assurance. SFRS had been responsive to the agreed actions and the area would be kept under review.

3.    The Audit Manager noted that nine schools audits had been undertaken in the quarter; one had Partial Assurance, although there were no fundamental weaknesses of grave concern, just a cumulative level of findings within the control environment.

4.    The Audit Manager noted that the performance of the Productivity and Process Efficiency aspect delivered by the Internal Audit Service was rated at Amber with a delivery of 67.5% for the Audit Plan - completion to draft report stage indicator against the 90% target, the service was striving to meet that by the end of March.

5.    A Committee member welcomed the USFs audit being carried out as there was a reputational risk in terms of the Council not knowing the balances held by schools. Being an examiner himself, he was not totally surprised by some of the findings and it would take time to embed the changes, it was important that inspection certificates are provided to the Council as well as the details about how much money has been held as it varied by school. The Audit Manager agreed regarding the reputational risk, noting the time and effort that went into the fraud case against a Council employee concerning Hinchley Wood Primary School, employees should be clear about what they should do and that the processes are fit for purpose. He noted the governor and bursar briefings to communicate messages widely, as well as the bulletin and talking to people to identify the key risks.

6.    A Committee member welcomed that all except one of the school audits were given Reasonable Assurance. Referring to common themes being identified in paragraph 1.42, he would prefer that the wording ‘encouraged’ be changed to ‘required’ in the first bullet point: ‘School staff should be encouraged to declare any relevant interests’, if that was in line with the Council’s Constitution. The Audit Manager agreed noting that he would make sure to reword that appropriately going forward. The Director - Law and Governance, and Monitoring Officer noted that the Council’s Officer Code of Conduct requires officers to declare interests, he would confirm if it applied to school staff. The Audit Manager - Counter Fraud noted that the leadership group and business managers could have an influence on a decision-making process so would be required to make a declaration, whereas teachers for example without that influence on procurement would be encouraged to declare interests.

7.    A Committee member referred to the SAfE Contract audit key findings around contract monitoring where there seemed to be little control or assurance, he asked for detail on contract segmentation. The Audit Manager noted that contract segmentation was a tool endorsed by the procurement team to break down the contracts into specific areas such as cost, quality and delivery and then to put in place proportionate management and oversight into the areas that need it the most. The Committee member noted that as it was implied that it originated from the Council’s procurement team, the fact that it was not in place was a concern since the SAfE Contract was established in 2019. The Audit Manager understood that it was not a mandated approach, it was a tool that helped contract managers, in this case the services were unaware that they could use the tool.

8.    Regarding the SAfE Contract audit key findings, the Committee member sought clarity on the secure transfer of data between the Council and the provider, why was Partial Assurance provided if data was being transferred insecurely and what would the reputational impact be to the Council. The Audit Manager referred to the finding that the transmission of data between the supplier and the Council was challenging due to the supplier not having a commercial email address, however all sensitive data is uploaded to the data sharing platform: Nexus, which is operated by the Department for Education. Once the service addresses that through a revised communications protocol with the supplier, the risk of a data breach was minimal and commercially sensitive information was protected.

9.    A Committee member referred to the USFs noting concern about the Partial Assurance opinion given, and the three actions for management; asked whether the Council has adequate control over schools in this area, or whether its role was to encourage better practice and was there a good practice guide. The Audit Manager noted that the Council sets out the framework for how the fund should be administered, the responsibility for its governance was the schools’ through their Governing Board. The Council had sought to improve the framework set out in the Schools Finance Manual, but relied on that being followed by the schools and governors for example asking to see the inspection certificate; work was underway to relay that message.

10.  The Committee member noted concern that school governors might put themselves at risk for example around the funding of a project in a local school where the contractor used is related to a staff member or a parent. Regarding the risks around collusion, the Council set out the requirement to declare an interest for those in a decision-making leadership role; using known contractors was legitimate so long as the decision-making process was transparent and was ratified by independent people such as the chair of governors.

11.  Responding to the Chairman, the Audit Manager clarified that the USFs accounts were donations that schools receive whether from parents or from a school fete for example. A Committee member noted that local charities such as the Henry Smith Charity or local villages with large trust funds might for example make a significant donation to a school. Her concern was around ensuring that schools have the ability and resources to be accountable for spending USFs and to be transparent, and whether the governance process was robust and governors were properly aware of their responsibilities and what documents they should be requesting.

12.  The Chairman asked whether examiners would be asked to formally follow the Schools Finance Manual as part of the recommendations. The Audit Manager confirmed that a section of the Schools Finance Manual would be redrafted and communicated to schools over the next few months to be effective from the new academic year, evidence of compliance would be gathered subsequently. He noted that the approach must be proportionate to the size of the fund.

13.  Responding to the Chairman, a Committee member explained that he had not dealt with the Schools Finance Manual himself as that was followed by the School Business Manager and any issues that came up during the year they would liaise with him for example on how best to handle donations within the USF. The Audit Manager responded to the Chairman around whether School Business Managers or governors were required to confirm that they had followed the Schools Finance Manual, noting that Internal Audit would determine the best approach to ensure it gets the right level of assurance when it does the follow up. Assurance was also provided via the schools audit programme through inspection certificates. He stressed that many school bursars do follow the Schools Finance Manual, it was just not providing the right level of assurance.

14.  Responding to the Vice-Chairman, a Committee member who had been a governor a while ago noted that governors were offered training as they were responsible for the decisions taken at their school. The chairs work hard overseeing the school and the bigger the school the larger the financial responsibility.

15.  A Committee member referred to the Surrey Fire & Rescue Service (SFRS) Contract Management Arrangements Follow-Up audit, where the opinion had improved to Reasonable Assurance over the controls, and sought confirmation that the three high priority actions had been implemented; if that was the case, why was that assurance level not higher. The Audit Manager explained that within the follow-up audit, Internal Audit checks that all agreed actions have been implemented, including the high and medium priority actions; it did not give Substantial Assurance because it did not look across all contract managers and contracts, and there was residual training to do for the people managing the less significant contracts.

16.  A Committee member referred to the SFRS Customer Relationship Management (CRM) System and asked whether SFRS was using the Council’s project management governance framework or its own. The IT Audit Manager noted that the procurement of the system was not covered by the audit; the audit looked at the governance around the project and the implementation of the system. Regarding the identification of the areas for improvement, the Committee member asked whether SFRS was following the Council's Risk Management Strategy. The IT Audit Manager assumed that SFRS was following that strategy as it formed part of the Council; the finding was that although the project had a risk register with risks highlighted in line with the Council's risk management framework, in some cases neither the responsible officers nor the mitigations were being recorded.

17.  A Committee member referred to the Adult Social Care (ASC) Data Handling audit whereby an area for improvement was to identify a responsible officer to delete data held digitally at the end of its retention period, he deduced that the Council might be holding data past its retention period, was there an action plan and did that impact the Council’s General Data Protection Regulation (GDPR) responsibilities. The IT Audit Manager understood that there was a project underway looking at the deletion and holding of records, a lot of the ASC records had significant retention periods, he could not comment on retention periods about certain files and whether the Council was holding those past GDPR legislation. The Chairman requested that written responses be provided to the questions asked in key points 16 and 17.

 

RESOLVED:

 

That the Committee noted the report.

 

Actions/further information to be provided:

 

1.    A7/24 - The Audit Manager will in future reports reword ‘encouraged’ to ‘required’ regarding school staff declaring any relevant interests.

2.    A8/24 - The Director - Law and Governance, and Monitoring Officer will confirm whether the Council’s Officer Code of Conduct applied to school staff. 

3.    A9/24 - The IT Audit Manager will provide written responses to the questions asked in key points 16 and 17 concerning the SFRS Customer Relationship Management (CRM) System and Adult Social Care (ASC) Data Handling audit.

 
