Back to top arrow icon Back to top
  1. Home
  2. Agenda item
 Menu

Agenda item

Internal Audit Annual Report 2022/23

Decision:

RESOLVED: To consider the performance indicators presented in Appendix 1, the Risk Management Scorecard in Appendix 2 and the current capital monitoring update in Appendix 3.

Minutes:

9.1    The Corporate Head of Audit, Anti-Fraud and Risk Management introduced the report and confirmed the conclusion was that the Council’s control framework was ‘adequate’ and remained robust, despite recent challenges.

 

9.2  Significantly more Audit reviews were undertaken during 2022/23 than in the previous year; 41 reviews compared to 29 reviews.  As a result significantly more recommendations arose from the Audits; 140 compared to 56.  However, the implementation of high priority recommendations was lower, 90% compared to 96%, though this was still within the bounds of the key performance indicator (KPI).  For medium priority recommendations it was 84%, compared to 92%.  This was in part a result of the increased productivity of the team, in relation to undertaking Audit work, which had taken resources from chasing progress on implementation.  More implementation may have taken place than the figures might have indicated.

 

9.3  Most of the Audit work undertaken had resulted in a positive Audit opinion of either ‘reasonable’ or ‘significant’ assurances for the services reviewed.  There was one ‘no assurance’ Audit, which related to a tenant management organisation (TMO), and within the course of the year the follow-up review had been completed and the TMO had moved to ‘reasonable’ assurance.  Overall levels of assurance had been within the parameters of recent years.

 

9.4  The Corporate Head of Audit, Anti-Fraud and Risk Management noted that 22 Audits from the 2021/22 Audit plan had been postponed or cancelled.  This was in part because many services still had interim arrangements in place following the cyberattack.  In those service areas it would not have been unreasonable to think that assurance levels might be lower. 

 

9.5  The recovery from the cyberattack had also impeded the planned ICT Audit programme, due to the service’s necessary focus on recovery.  The service had also undergone a considerable restructure in-year.  Audits were now underway and one was close to completion.  The expected result of that Audit indicated a positive outcome.

 

9.6  The committee was also asked to note that Audit work undertaken year-to-year was different, with different services being risk assessed in different years.  In addition, the work that the team undertook was in accordance with the public sector internal audit standard and Committee members were aware that the Council’s internal Audit service was being reviewed to ensure they were compliant with required standards.  This external review, which should happen every five years, had not taken place since 2016.  That delay was a result of both the cyberattack and the Covid pandemic.  On that measure alone the service was not compliant, but internal assessments had been undertaken since 2016, and the most recent assessment in February/March 2023 indicated that the service was compliant with expected standards in all other meaningful ways.

 

9.7  Appendix 8 to the report contained the draft Annual Governance Statement 2022/23, and this would accompany the Council’s accounts when they were submitted to the Committee later in the year.

 

9.8  Members of the Committee asked for details about the deferred reports; about high priority recommendations; whether residents are included in the Audit process; about what is referred to by the term ‘draft; and, whether the repairs backlog included damp and mould.

 

9.9  The Director of Financial Management and the Corporate Head of Audit, Anti-Fraud and Risk Management responded and confirmed that;

 

·  Audits that had been delayed had been brought forward into this year’s Audit plan, and that the Committee’s role would be to ask about particular Audits that were being consistently delayed, when that happened;

·  that concerns about a lack of implementation related to recommendations appear when there is no feedback from service areas, but every Audit report agreed recommendations with a timeline for implementation allowing for tracking of performance;

·  the Audit process is based on an informed analysis of risk;

·  the internal control statement involved a fundamental review of internal control systems carried out within directorates and signed off by Group Directors, which included a lot of evidence provided by resident engagement and feedback;

·  ‘draft’ Audits had reached a stage when the Audit conclusions had been prepared, but before a service area had commented and agreed recommendations and associated timescales;

·  the repairs backlog Audit had focused on the backlog that developed as a result of the Covid pandemic, and would not have included the work related to damp and mould as that work would not have been in scope, but would likely be part of a future Audit.

 

RESOLVED: 1. To comment upon and note this report of Internal Audit’s performance and opinion of the Council’s framework of governance, risk management and internal control.

2.  Approve the updated Internal Audit Charter and Strategy.

Supporting documents: