Internal Audit Progress Report 2024-25
December 2024
New Forest District Council
Contents:
|
1. |
Role of Internal Audit |
3 |
|
2. |
Purpose of report |
4 |
|
3. |
Performance dashboard |
5 |
|
4. |
Analysis of ‘Live’ audit reviews |
6-8 |
|
5. |
Executive summaries ‘Limited’ and ‘No’ assurance opinions |
9-10 |
|
6. |
Planning and resourcing |
10 |
|
7. |
Rolling work programme |
11-13 |
|
Annex 1 |
Adjustments to the plan |
14-15 |
|
|
|
|
1. Role of Internal Audit
The requirement for an internal audit function in local government is detailed within the Accounts and Audit (England) Regulations 2015, which states that a relevant body must:
‘Undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.’
The standards for ‘proper practices’ are laid down in the Public Sector Internal Audit Standards [the Standards – updated 2017].
The role of internal audit is best summarised through its definition within the Standards, as an:
‘Independent, objective assurance and consulting activity designed to add value and improve an organisations’ operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes’.
New Forest District Council is responsible for establishing and maintaining appropriate risk management processes, control systems, accounting records and governance arrangements. Internal audit plays a vital role in advising the Council that these arrangements are in place and operating effectively.
The Council’s response to internal audit activity should lead to the strengthening of the control environment and, therefore, contribute to the achievement of the organisations’ objectives.
2. Purpose of report
In accordance with proper internal audit practices (Public Sector Internal Audit Standards), and the Internal Audit Charter the Chief Internal Auditor is required to provide a written status report to ‘Senior Management’ and ‘the Board’, summarising:
· The status of ‘live’ internal audit reports;
· an update on progress against the annual audit plan;
· a summary of internal audit performance, planning and resourcing issues; and
· a summary of significant issues that impact on the Chief Internal Auditor’s annual opinion.
Internal audit reviews culminate in an opinion on the assurance that can be placed on the effectiveness of the framework of risk management, control and governance designed to support the achievement of management objectives of the service area under review. The assurance opinions are categorised as follows:
|
Substantial |
A sound system of governance, risk management and control exists, with internal controls operating effectively and being consistently applied to support the achievement of objectives in the area audited. |
|
Reasonable |
There is a generally sound system of governance, risk management and control in place. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of objectives in the area audited. |
|
Limited |
Significant gaps, weaknesses or non-compliance were identified. Improvement is required to the system of governance, risk management and control to effectively manage risks to the achievement of objectives in the area audited. |
|
No |
Immediate action is required to address fundamental gaps, weaknesses or non-compliance identified. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of objectives in the area audited. |
3. Performance dashboard
|
Compliance with Public Sector Internal Audit Standards An External Quality Assessment of the Southern Internal Audit Partnership was undertaken by the Institute of Internal Auditors (IIA) in September 2020. The report concluded: ‘The mandatory elements of the International Professional Practices Framework (IPPF) include the Definition of Internal Auditing, Code of Ethics, Core Principles and International Standards. There are 64 fundamental principles to achieve with 118 points of recommended practice. We assess against the principles. It is our view that the Southern Internal Audit Partnership conforms to all 64 of these principles. We have also reviewed SIAP conformance with the Public Sector Internal Audit Standards (PSIAS) and Local Government Application Note (LGAN). We are pleased to report that SIAP conform with all relevant, associated elements.’
|
4. Analysis of ‘Live’ audit reviews
|
Audit Review |
Report Date |
Audit Sponsor |
Assurance Opinion |
Total Management Action(s) |
Not Yet Due |
Complete |
Overdue |
||||||
|
|
|
|
|
|
|
L |
M |
H |
|||||
|
Fleet Management (follow-up phase 2) |
May 23 |
SM (W&T) |
Reasonable |
9 |
0 |
7 |
|
2 |
|
||||
|
Engineering Works |
Aug 23 |
SM (C) |
Limited |
10 |
0 |
7 |
1 |
1 |
1 |
||||
|
Commercial Activities – Appletree Holdings |
Oct 23 |
SM (E&V) |
Substantial |
1 |
1 |
0 |
|
|
|
||||
|
NNDR * |
Nov 23 |
SM (CSR&B) |
Reasonable |
4 |
0 |
4 |
|
|
|
||||
|
Open Spaces and Playground Safety Checks |
Dec 23 |
G&SM |
Limited |
12 |
0 |
7 |
|
3 |
2 |
||||
|
Housing Asset Management – Electrical Safety Checks |
Feb 24 |
SM (HM) |
Reasonable |
8 |
0 |
6 |
2 |
|
|
||||
|
Business Continuity |
Mar 24 |
SM (E&R) |
Reasonable |
2 |
2 |
0 |
|
|
|
||||
|
Transformation Programme – Governance Arrangements |
May 24 |
ADT |
Reasonable |
3 |
0 |
0 |
|
3 |
|
||||
|
Corporate Governance Framework – Fraud Framework |
May 24 |
SM (CSR&B) |
Reasonable |
5 |
0 |
2 |
3 |
|
|
||||
|
Accounts Payable |
Jun 24 |
FIN |
Reasonable |
5 |
1 |
3 |
|
1 |
|
||||
|
Animal Welfare Licencing |
Jun 24 |
SM (E&R) |
Reasonable |
6 |
1 |
5 |
|
|
|
||||
|
Community Infrastructure Levy - Expenditure Framework * |
Jun 24 |
SM (DM) |
Substantial |
1 |
0 |
1 |
|
|
|
||||
|
Housing Rent Reconciliations |
Jul 24 |
SM (HO) |
Reasonable |
5 |
0 |
0 |
|
|
5 |
||||
|
Housing Allocations * |
Jul 24 |
SM (HO) |
Reasonable |
1 |
0 |
1 |
|
|
|
||||
|
Parking and Enforcement |
Aug 24 |
EE&AM |
Reasonable |
7 |
1 |
6 |
|
|
|
||||
|
Health and Safety |
Nov 24 |
SM (HR) |
Reasonable |
6 |
3 |
3 |
|
|
|
||||
|
Contract Management – Leisure Contract |
Nov 24 |
SDCR&T |
Substantial |
1 |
1 |
0 |
|
|
|
||||
|
Budget Planning/Setting |
Dec 24 |
ADFIN |
Substantial |
3 |
2 |
1 |
|
|
|
||||
|
Risk Management |
Dec 24 |
ADFIN |
Limited |
14 |
8 |
6 |
|
|
|
||||
|
HR – Recruitment/Statutory Responsibilities |
Dec 24 |
SM (HR) |
Substantial |
2 |
2 |
0 |
|
|
|
||||
|
Total |
6 |
10 |
8 |
||||||||||
* Denotes audits where all actions have been completed since the last progress report
Update on the overdue actions
Fleet Management – A tender has been completed for fuel cards and integrated reporting for both bunkered fuel and fuel cards will be incorporated as part of the mobilisation. Resourcing continues to be an issue to enable the production of monthly performance dashboards for the Team.
Engineering works – update to follow although as previously reported, progress continues to be made to address all the issues identified including developing/trialling the job recording and reporting system with longer term developments to be included within the Transformation programme. Revised anticipated implementation dates to 30 June 2025 have been provided.
Open spaces – update to follow although one further medium priority action has been confirmed as complete. Previous updates confirmed that alternative IT Solutions are being investigated/developed (reference Engineering works) to improve inspection scheduling, prioritising actions, information recording and performance information; and that a review has commenced to risk assess/RAG rate all play equipment to inform the methodology/frequency for inspections which will be formalised within new/revised Policies which are under development.
Electrical safety. As previously reported, the Team reviewing of all of the Council’s housing suite of strategies and policies in order of priority and have appointed a Housing Policy Officer to support this ongoing work however there continues to be a significant shift in social housing regulations which will have an impact upon the policy updates. Revised anticipated implementation dates to April 2025 have been provided.
Transformation Programme – Governance Arrangements - update to follow although all it has been confirmed that actions will be addressed as part of the mobilisation and implementation plan for the programme with anticipated implementation dates of 31/12/2024.
Fraud Framework – All actions to update the relevant policies have been completed with anticipated approval of the updated policies at the March 2025 Audit Committee.
Accounts Payable – An action to implement a quarterly review of invoices paid without a purchase order has proven to be more complex than initially anticipated and further work is needed to address underlying processes.
Housing Rent Reconciliations. The Team, including the Assistant Director – Housing are actively working with the supplier with addressing the issues identified regarding annual rent uplift calculations / system reconciliations and progress continues to be made although, as previously reported, resolutions are proving more complex than initially anticipated. It is anticipated to have all actions addressed before the end of the financial year.
|
Audit Sponsor |
|
Audit Sponsor |
|
|
Chief Executive |
CX |
Assistant Director Place Development |
ADPD |
|
Communications Manager |
CM |
Service Manager (Development Management) |
SM (DM) |
|
Strategic Director Housing & Communities |
SDH&C |
Service Manager (Policy & Strategy) |
SM (P&S) |
|
Assistant Director Housing |
ADH |
Building Control Manager |
BCM |
|
Service Manager (Housing Maintenance) |
SM (HM) |
Climate Change Manager |
CCM |
|
Service Manager (Housing Options, Rents Support and Private Sector Housing) |
SM (HO) |
Strategic Director Corporate Resources & Transformation |
SDCR&T |
|
Service Manager (Strategy & Development) |
SM (S&D) |
Service Manager (Estates & Valuation) |
SM (E&V) |
|
Greener Housing Development Manager |
GHDM |
Service Manager (Customer Services, Revenues & Benefits) |
SM (CSR&B) |
|
Anti-Social Behaviour Manager |
ASBM |
Assistant Director Finance |
ADFIN |
|
Tenant Engagement Manager |
TEM |
Strategic Procurement Manager |
SPM |
|
Rent, Accounting & Home Ownership Manager |
RA&HOM |
Assistant Director Transformation |
ADT |
|
Service Manager (Estate Management & Support) |
SM (EM&S) |
Service Manager (Human Resources) |
SM (HR) |
|
Service Manager (Environmental & Regulation) |
SM (E&R) |
ICT Operations Manager |
ICTOM |
|
Strategic Director Place, Operations & Sustainability |
SDPOS |
Data Development & Delivery Manager |
DDDM |
|
Assistant Director Place Operations |
ADPO |
Transformation & Improvement Manager |
T&IM |
|
Service Manager (Waste & Transport) |
SM (W&T) |
Assistant Director Governance & Monitoring Officer |
ADG&MO |
|
Service Manager (Coastal) |
SM (C) |
Service Manager (Democratic & Support Services) |
SM (D&SS) |
|
Environment Enforcement & Amenities Manager |
EE&AM |
Information Governance & Complaints Manager |
IG&CM |
|
Grounds & Streetscene Manager |
G&SM |
|
|
5. Executive Summaries of reports published concluding a ‘Limited’ or ‘No’ assurance opinion
|
Risk Management |
|
Audit Sponsor |
Assurance opinion |
Management Actions |
|
Assistant Director - Finance |
|
|
|
Summary of key observations: Whilst the Council has a current Risk Management Policy which includes the strategic aims of the Policy and details on the risk management framework and its workings, we noted the Policy did not refer to the respective responsibilities for the creation and maintenance of the Service Risk Registers; refer to the Council’s risk tolerance/appetite; did not mention the requirement for inherent and residual risk scores in the Strategic Risk Register; or the process for escalation of significant risks to the Strategic Risk Register outside the normal six-month reporting cycle. Reporting to the Executive Management Team (EMT) and, separately, to the Audit Committee is taking place at least every six months. The audit found however, that the Risk Management framework was not fully embedded, including integration with the Performance Management Framework and at the time of review, a plan or timetable to assist in the identification and achievement of deliverables to support the framework roll out had not been documented. Upon identification of new or escalated significant/strategic risks, they are reflected in adjustments to the Strategic Risk Register and we noted one risk that was added to the Strategic Risk Register in the preceding 12 months which had been approved by Cabinet. A review of the Strategic Risk Register found it included a description of each individual risk called “current circumstance” and found them to be an appropriate explanation of the risk details however we found that the wording of some controls could be open to misinterpretation, in particular whether a control is in place or in development. A timetable exists for meetings with owners of the Service Risk Registers, and we were provided with evidence that the meetings had taken place and that they were documented. We found however that although several Service Risk Registers had been drafted, their format and content had not been standardised. In addition, at the time of review, only five Service Risk Registers were available from a full population of 28 (although some rationalisation may be planned). While ‘Introduction to Risk Management’ training is offered, it did not include certain areas such as: the different types of risk ratings (inherent, residual etc); an explanation of the significance of internal controls; clear articulation of mitigation plans; and the existence of Service Risk Registers. We were advised the only record of the Risk Management training undertaken was in the Outlook calendar of the Insurance and Risk Officer. Following the audit, to address the issues identified, we have been informed that: · A summary action plan to address the initial observations, and ensure actions will be completed on an on-going basis in line with the Policy / framework, has been developed; · The Risk Management Policy and Strategic Risk Register have been updated and will be taken to the January 2025 Audit Committee for consideration; · Service Risk Registers, aligned to the format of the Strategic Risk Register, are now in place across the Council; · Risk management training will be updated to reflect the updates to the Policy / Framework and a ‘system log‘ of training provided will be implemented by 31/03/2025. · To date, six of the 14 actions identified have been confirmed as completed with the remaining actions addressed once the revised Policy has been considered/adopted and log of training implemented by the end of March 2025.
|
6. Planning & Resourcing
The Internal Audit Plan for 2024-25 was agreed by EMT and approved by the Audit Committee in March 2024. The audit plan remains fluid to provide a responsive service that reacts to the changing needs of the Council. Progress against the plan is detailed within section 7.
7. Rolling Work Programme
|
Audit Review |
Sponsor |
Scoping |
Terms of reference |
Fieldwork |
Draft Report |
Final Report |
Assurance Opinion |
Comment |
|
2023-24 Audits (included within the annual report and opinion) |
||||||||
|
Procurement |
SPM |
ü |
ü |
ü |
May 24 |
Jun 24 |
Reasonable |
|
|
Accounts Payable |
FIN |
ü |
ü |
ü |
May 24 |
Jun 24 |
Reasonable |
|
|
Homelessness – Prevention and Relief |
SM (HO) |
ü |
ü |
ü |
Mar 24 |
May 24 |
Reasonable |
|
|
Animal Welfare Licencing |
SM (E&R) |
ü |
ü |
ü |
May 24 |
Jun 24 |
Reasonable |
|
|
2024-25 Audits |
|
|
|
|
|
|
|
|
|
Corporate / Governance Framework |
|
|
|
|
|
|
|
|
|
Corporate Plan / Performance Management |
ADT |
ü |
|
|
|
|
|
Q4 – Initial scoping booked |
|
Transformation Programme |
ADT |
|
|
|
|
|
|
Q4 |
|
Corporate Governance Framework – Fraud Framework |
SM (CSR&B) |
ü |
ü |
ü |
May 24 |
May 24 |
Reasonable |
|
|
Corporate Governance Framework |
ADG&MO |
ü |
ü |
ü |
|
|
|
|
|
Budget Planning/Setting |
ADFIN |
ü |
ü |
ü |
Nov 24 |
Dec 24 |
Substantial |
|
|
Partnership Working – Town and Parish Councils |
ADPO |
ü |
ü |
ü |
|
|
|
|
|
Information Governance – Data Retention/Records Management |
IG&CM |
ü |
ü |
ü |
|
|
|
Fieldwork Complete. Close meeting held. |
|
Emergency Planning |
SM (E&R) |
ü |
|
|
|
|
|
Q4 – Initial scoping booked |
|
Contract Management – Leisure Contract |
SDCR&T |
ü |
ü |
ü |
Oct 24 |
Nov 24 |
Substantial |
|
|
Health and Safety |
SM (HR) |
ü |
ü |
ü |
Aug 24 |
Nov 24 |
Reasonable |
|
|
Risk Management |
ADFIN |
ü |
ü |
ü |
Jun 24 |
Dec 24 |
Limited |
|
|
Human Resources |
|
|
|
|
|
|
|
|
|
HR – Recruitment/Statutory Responsibilities |
SM (HR) |
ü |
ü |
ü |
Dec 24 |
Dec 24 |
Substantial |
|
|
Core Financial Systems |
|
|
|
|
|
|
|
|
|
Housing Benefits |
SM (CSR&B) |
ü |
ü |
ü |
|
|
|
|
|
Payroll and Expenses |
SM (HR) |
ü |
ü |
ü |
|
|
|
|
|
Treasury Management |
ADFIN |
ü |
ü |
|
|
|
|
|
|
Information Technology |
|
|
|
|
|
|
|
|
|
IT – Contract Management |
ICTOM |
ü |
ü |
ü |
Jul 24 |
Jul 24 |
Substantial |
|
|
IT – Application Lifecycle Management |
ICTOM |
|
|
|
|
|
|
Q4 |
|
IT – Project Delivery |
ICTOM |
ü |
ü |
ü |
|
|
|
|
|
IT – Firewall Management and Monitoring |
ICTOM |
|
|
|
|
|
|
Q4 |
|
Portfolio Themes |
|
|
|
|
|
|
|
|
|
Housing Management – Right to Buy |
SM (HO) |
ü |
ü |
ü |
|
|
|
|
|
Housing Allocations |
SM (HO) |
ü |
ü |
ü |
Jun 24 |
Jul 24 |
Reasonable |
|
|
Housing Rent Reconciliations |
SM (HO) |
ü |
ü |
ü |
Jun 24 |
Jul 24 |
Reasonable |
|
|
Housing Asset Management – Lift Inspections |
SM (HM) |
ü |
ü |
ü |
|
|
|
|
|
Housing Asset Management – Gas Safety |
SM (HM) |
|
|
|
|
|
|
Q4 |
|
Housing Asset Management – Asbestos |
SM (HM) |
ü |
ü |
ü |
|
|
|
|
|
Housing Enforcement |
SM (HO) |
ü |
ü |
ü |
|
|
|
|
|
Community Infrastructure Levy Expenditure Framework |
SM (DM) |
ü |
ü |
ü |
May 24 |
Jun 24 |
Substantial |
|
|
Planning/Development Management |
SM (DM) |
ü |
|
|
|
|
|
Q4. Scoping booked |
|
Environmental Health - Local Air Pollution Prevention and Control (LAPPC) |
SM (E&R) |
ü |
ü |
ü |
|
|
|
|
|
Licencing |
SM (E&R) |
ü |
|
|
|
|
|
Q4. Scoping booked |
|
Parking and Enforcement |
EE&AM |
ü |
ü |
ü |
Jul 24 |
Aug 24 |
Reasonable |
|
|
Environmental Enforcement - Clean Streets |
EE&AM |
ü |
ü |
ü |
Dec 24 |
|
|
|
|
Cemeteries |
G&SM |
ü |
ü |
ü |
|
|
|
|
|
Keyhaven – Income & PCard Expenditure |
SM (C) |
ü |
|
|
|
|
|
Initially scoped. |
Annex 1 - Adjustments to the plan
|
Audit reviews added to the plan (included in rolling work programme above) |
Comment |
|
Corporate Governance Framework – Fraud Framework * |
Brought forward from 2023/24 as work in progress |
|
Information Governance – Data Retention/Records Management * |
Brought forward from 2023/24 as work in progress & combined with 2024/25 review. |
|
Contract Management – Leisure Contract * |
Brought forward from 2023/24 as work in progress |
|
Health and Safety * |
Brought forward from 2023/24 as work in progress |
|
Risk Management * |
Brought forward from 2023/24 as work in progress |
|
IT – Contract Management * |
Brought forward from 2023/24 as work in progress |
|
Housing Allocations * |
Brought forward from 2023/24 as work in progress |
|
Housing Rent Reconciliations * |
Brought forward from 2023/24 as work in progress |
|
Community Infrastructure Levy Expenditure Framework * |
Brought forward from 2023/24 as work in progress |
|
Parking and Enforcement * |
Brought forward from 2023/24 as work in progress |
|
Clean Streets – Enforcement * |
Brought forward from 2023/24 as work in progress |
|
Keyhaven – Income & PCard Expenditure *** |
Direct request from the Management Team to review specific areas of activity. |
|
Audit reviews removed from the plan (excluded from rolling work programme) |
Comment |
|
Environmental Services – New Waste Strategy ** |
Proposed by the Council as no longer required as the programme board now have the required level of assurance on this project. |
|
Housing Asset Management – Voids *** |
There is currently a project underway to review the end-to-end process with managing voids therefore it is proposed to defer the audit until the project has been completed and any corresponding changes to the process have been implemented and become embedded. |
|
Building Control *** |
The Building Safety Regulator will be undertaking a full audit of the Building Control Service during December 2024 – January 2025 therefore it is proposed to defer the review for 18 months to enable the Service to implement (if applicable) the findings from the Regulator’s audit. |
|
Programme & Project Management *** |
It is proposed to combine this review with the Transformation Programme audit due to prevent duplication. |
|
Asset Management (Corporate Estate) *** |
The Council commissioned Mace to review the current operating model and approach to strategic asset management within the Estates, Valuations & Facilities Management Team and have recommended a roadmap for implementation over the next 12 months therefore it is proposed to defer the audit whilst the Service action the recommendations. |
* Agreed July 2024
** Agreed October 2024
*** Proposed January 2025