To consider a report from the Group Audit Manager.
Members considered a report from the Group Audit Manager which summarised progress on audit work included within the 2021/22 audit work plan and an update of the completion of outstanding 2020/21 work.
The Audit Manager began by highlighting the audits completed as part of the 2021/22 audit plan. It was explained to members that 6 audits had been completed in respect of the 2021/22 audit plan, in addition there had been one risk-based assurance review completed for 2021/22. This related to ‘Trading Standards’ and it was given ‘Substantial’ assurance.
One piece of consultancy / advisory work had also been completed to review the arrangements that management had put in place, at April 2021, in order to provide assurance that the Lateral Flow Testing (LFT) Community Testing Programme, had been carried out appropriately. The key focus of Internal Audit on that occasion had been to provide a forward look and make recommendations on how to improve and enhance current arrangements.
There were 4 audit reviews that had not been expected to be at draft report stage or finalised in 2020/21 and so were rolled forward into the 2021/22 audit plan. However, they had been progressed and were in the Head of Internal Audit Opinion in 2020/21. They all received ‘Reasonable’ assurance and related to:
o Community Development Centres (CDC) – Governance arrangements
o Child and Family Support Services contract management
o Managing Construction Health & Safety compliance - Building Construction
o Managing Construction Health & Safety compliance - Highways and Construction
The Audit Manager explained that in addition to those 6 reviews, 2 further audit reviews were finalised in the period. They had been expected to have been finalised in 2020/21 so were not included in the 2021/22 audit plan. They related to Data Protection Compliance (Partial) and Schools deficit recovery plans (Reasonable). These were included in the 2020/21 Head of Internal Audit Opinion.
The Audit Manager then provided a summary of the other work completed by Internal Audit during the period. He stated that the service had undertaken significantly more work over the last year relating to certifying grant claims due to the increase in various funding streams from the Government to support the Council’s response to the Coronavirus pandemic. In addition, Internal Audit had produced a presentation as part of their bid for the provision of internal audit services to the Police and Crime Commissioner for Cumbria (and the Chief Constable for Cumbria Constabulary) from 1 April 2022. The current Cumbria Shared Internal Audit Service agreement would come to an end on 31 March 2022 and the PCC for Cumbria had undertaken an exercise to procure internal audit services for itself and the Chief Constable from 1 April 2022. Although the council’s proposal was seen as a safe, compliant and professional it was unfortunately not successful and therefore the current shared service arrangement would cease on 31 March 2022.
Members heard that there were also 6 reviews at draft report stage as well as the two reviews relating to High Needs Block (Partial) and Operator’s Licence (Reasonable) which would contribute to the assurance rating for 2021/22.
The Audit Manager explained that the overall position on plan progress for 2021/22 reflected a total of 57 planned reviews with 10 (18%) completed to at least draft stage with a further 19 (33%) having started / fieldwork stage.
It was explained to members that when drafting the 2021/22 plan, 115 days of unallocated time relating specifically to the ‘People’ and ‘Corporate, Customer & Community Services’ Directorates had been included. This reflected the fact that key directorate staff had to prioritise responding to the COVID-19 pandemic at that time.
As a result, the 2021/22 audit plan would need to remain fluid in light of any ongoing impact of COVID-19 and the work required as part of local government re-organisation. The Internal Audit team would continue to closely monitor progress towards the delivery of the 2021/22 audit plan and provide the Committee with an update at its meeting on 3 December 2021 including any changes to the plan and any potential impact on the delivery of the 2021/22 Head of Internal Audit Opinion.
A Member raised concerns relating to a finding in the Data Protection Compliance audit review which had identified that members had not received regular enough training on data protection compliance requirements. The Executive Director – Corporate, Customer and Community Services explained that as the director responsible she took the audit findings very seriously. It was explained to members that the recommendations set out in the audit report had now received significant discussion and the clear actions required were now embedded into the Legal and Democratic Services service plan. Specific data compliance issues and member training plans would be picked up by relevant groups within the Council such as the Member Development Group.
A discussion then took place regarding the accessibility of the full audit report to both members of the Committee as well as members of the public. A Member was concerned that the summary only set out the findings from the audit but did not include any details of what action management had agreed or any timescale for this. It was clarified that full audit reports were available to members of the Committee on request and that the summaries provided within the Internal Audit Progress Report set out to condense the findings and reflect the key outcomes and recommendations.
The Director of Finance (s151 Officer) stated that the recommendations made by Internal Audit are implemented and monitored by the relevant Directorate and this was a vital part of the effectiveness of any audit. The Audit Manager then explained that if an audit review results in a ‘partial’ or ‘limited’ assurance opinion, then a follow up audit would be carried out - usually within 6 months or at a time when all the agreed actions were planned to be completed. A summary of findings from follow-up reviews are always brought back to the Audit and Assurance Committee and this would apply for this audit.
It was AGREED that the full audit report on Data Protection Compliance be shared with the Committee
The question was raised regarding whether Internal Audit Reports which had received ‘limited/partial’ assurance opinions should be included in full as part of the agenda papers. The Chair commented on the importance of finding a balance between providing enough information so as to provide assurance and providing an excess of information. The Director of Finance (s151 Officer) confirmed she would review this issue so as to decide upon a path going forward.
Members asked for clarity on the scope of the Information Asset Register and that a full asset list be made to support the process of Local Government Reorganisation. It was AGREED that further details regarding the scope of assets included as part of the Information Asset Register be circulated to the Committee before the next meeting.
The Chair commended the Internal Audit team for their flexibility of approach to the annual plan, in particular through the COVID-19 pandemic. The Chair stated that achieving sufficiency of coverage whilst remaining sensitive to the needs of the directorates must have been challenging and was commendable.
1) members note the progress and the outcomes of internal audit work,
2) members note the ending of the Cumbria Internal Audit Shared Service on 31 March 2022.