The purpose of this progress report is to inform Members of the work completed by Internal Audit between 1 July 2024 and 30 September 2024.
The current annual plan for Internal Audit is contained within the Internal Audit Strategy and Annual Plan 2024-25, which was approved by this Committee on 13 March 2024.
Minutes:
Speakers:
David John, Audit Manager
Russell Banks, Chief Internal Auditor
Andy Brown, Deputy Chief Executive and Executive Director - Resources
Simon White, Audit Manager - Counter Fraud
Mark Winton, Audit Manager - IT
Key points raised in the discussion:
1. The Audit Manager noted that over half the opinions were of Reasonable Assurance. However, the work around MySurrey, particularly the audits on payroll and pension enrolment and on user access and security review, was of Minimal Assurance; the integrations work was Partial Assurance. Whilst putting in place a new ERP system was complex, the audits were a year after go-live, so finding weaknesses in the control environment was a concern.
2. The Audit Manager noted that the MySurrey Stabilisation Board sought to address the weaknesses; Internal Audit sat on that board and all the audit reports concerning MySurrey were fed into that board’s programme of work. He was positive about the progress made. Follow-up work on the MySurrey integrations work would start in quarter 3, work had started on accounts payable, and more work was underway around the actions concerning accounts receivable. Quarter 4 was the aim for the follow-up of the key actions regarding payroll, and user access and security.
3. The Audit Manager noted that having been an auditor for thirty years, he had never done an audit of Minimal Assurance on the corporate payroll system. However, the opinion was on the process and not the people; he commended the Head of HR Operations and his payroll team for ensuring that most staff were paid correctly throughout the whole period.
4. The Audit Manager noted that Internal Audit was around 2% below delivery on the KPI regarding completion of the audit plan. Some audits did not go out as planned as more time had been spent doing other audits such as payroll. The audit plan was under review and priority was being given to follow up work on lower assurance opinions concerning MySurrey, and on service areas previously reported to the Committee. That might mean that some audits are deferred from the current audit plan to next year's.
5. The Chairman noted that having done many payroll audits himself, such an opinion was rare; he commended the payroll team for its work.
6. A Committee member referred to the non-opinion advisory pieces of work and asked what was done to ensure independence. The Chief Internal Auditor explained that those pieces of work focused on governance, risk management and internal control, and so were Internal Audit activities. The delivery method was different, it was real time. For example, Internal Audit attends the MySurrey Stabilisation Board as an independent advisor, and not as a decision-maker.
7. A Committee member asked whether the Council was trying to claim back money from Unit 4 concerning MySurrey and the problems faced. The Deputy Chief Executive and Executive Director - Resources noted that the commercial perspective would be looked at by the MySurrey Stabilisation Board. He noted that when entering a contract, the engagement rules from a legal perspective must be followed; trying to build a legal case to recover money and finding where fault lies would be difficult and would raise legal issues. The Council continues to have an open dialogue with Unit 4.
8. A Committee member noted that the report was littered with Minimal and Partial Assurance audits which was concerning. Regarding the Minimal Assurance reports highlighted at the last Committee meeting concerning MySurrey, asked when there would be follow up audits for those and for the Surrey Fire and Rescue Service Partial Assurance report, and Partial Assurance reports from schools. The Audit Manager stressed that reports of a lower assurance opinion such as Partial or Minimal would have a follow up audit and the findings would be reported to the Committee, the timing depended on the dates for the agreed actions to be implemented.
9. A Committee member referred to the on-street parking arrangements audit and asked how that contract was awarded as part of the tender process when NSL at the outset of the contract was understaffed with civil enforcement officers and had to recruit. He assumed that NSL would have provided evidence that it could fulfil the staffing requirements. The Audit Manager would provide a written response and noted that there were issues around TUPE and complications in the process of how long it took to get staff where they needed to be. He noted that NSL was the largest supplier in the field so was unsure whether any other competitive bid would have been better in terms of resourcing.
10. The Audit Manager - Counter Fraud added that in the list of irregularities reviewed, there was a whistleblowing case around parking enforcement relating to that mobilisation stage and some of the issues were attributable to recruitment. There was a significant increase in the civil enforcement officers needed, the investigation work found that NSL borrowed enforcement officers from their existing contracts and it recruited more as the contract progressed.
11. A Committee member referred to the payroll and the pensions enrolment work, asking whether Internal Audit was satisfied with the robustness of the manual controls that operated within payroll. He asked whether it was Internal Audit’s decision to do the pensions enrolment audit or whether management requested it. The Audit Manager clarified that whilst the manual controls do the job they need to do, those made the process clunky and inefficient but put in place a stronger control environment. The payroll audit was split out due to capacity issues, the audits however were collated into the same opinion as it was part of the same work around corporate payroll.
12. A Committee member referred to the MySurrey user access and security review and asked whether any of the breaches identified had to be escalated. The Chief Internal Auditor explained that the data breaches were identified before the audit was undertaken, which prompted Internal Audit to conduct the review. The Audit Manager - IT explained that the breaches went through the normal data protection officer process; the data protection officer was aware of those and would have made the decision about whether to escalate to the Information Commissioner's Office. He would follow up whether any breaches had been escalated.
RESOLVED:
Noted the report and considered two further actions required in its response to issues raised.
Actions/further information to be provided:
1. A44/24 - Regarding the on-street parking arrangements audit, the Audit Manager will provide a written response concerning how that contract was awarded as part of the tender process when NSL at the outset of the contract was understaffed with civil enforcement officers and had to recruit.
2. A45/24 - The Audit Manager - IT will follow up whether any breaches had been escalated regarding the MySurrey user access and security review.