Agenda item

This report outlines the work undertaken by Internal Audit as at end of October 2024.

Darren Armstrong (Deputy Director of Organisational Assurance and Resilience) introduced the report, outlining the work undertaken by the Internal Audit function as at the end of October 2024.

In highlighting the role of the report in providing assurance that the Council had a sound framework of governance, risk management and internal control in place supported by a summary of Internal Audit activity, updating on the performance of the function, highlighting areas where high priority recommendations had been made and commenting on the level of implementation of audit recommendations by management, the following key issues were highlighted:

·             The report reflected adoption of the new method towards audit planning for 2024-25, moving away from the previously used ‘annual plan’ approach and towards a less rigid and more flexible process which would still provide assurance over areas of inherent risk, core systems and processes regarding key foundations to Council governance and control frameworks but was now based on the following areas - Core Assurance, an Agile Risk-based Plan, Consultancy and Advice & Follow-up Activity with the current Plan having been agreed by the Committee in March 2024.

·             The summary provided within section 3.3 of the report relating to delivery of the 2024-25 Internal Audit Plan including progress (as detailed within Appendix 1 of the report) in relation to the Core Assurance Plan and development of the Agile Risk-Based plan listing the potential high risk and high assurance audit areas prioritised for activity during the remainder of the year.

·             The summary of risks and issues identified in relation to individual audit reviews as detailed within section 3.4 and Appendix 2 of the report.  As a result of the work undertaken as part of the 2024-25 Plan a total of 43 issues had been raised with a breakdown by risk category having been detailed in section 3.4.4 of the report alongside a comparison with previous years.  The initial Internal; Audit Progress report provided for the Committee in September 2024 had included a summary of completed work against the agreed plan with details of any critical, high or medium risk issues raised, alongside the responses and actions agreed by management/auditees. For audits completed since then, a summary of issues identified (high and medium risk) and agreed with management had been provided within Appendix 2 of the report.

·             The summary of follow-up outcomes and activity, as detailed within section 3.5 of the report, from planned audit work in relation to implementation of agreed actions.  Between 1 April and 31 October 2024, seven follow-up reviews had been completed (with 14 in progress) relating to work carried out in 2023-24 with 31 actions implemented as agreed and further details on the detailed within Appendix 3 of the report.

·             Whilst Internal Audit continued to review implementation of recommendations with management, in line with usual practice, will the ability to report any instances of persistent non-implementation to the Committee further details on the monitoring undertaken in relation to outstanding and overdue audit actions which had failed to meet their original and revised target dates were summarised in section 3.6 and 3.7 of the report.  As at 31 October 2024, a total of 77 audit actions had been implemented and closed with half having been implemented within their original target dates but a third not implemented until they had been reported on the overdue list.  In terms of actions not implemented within their revised target dates or where management had persistently failed to engage in the follow up process 51 actions were currently identified as overdue of which 16 had been classified as high risk with details on each of the overdue actions outlined in Appendix 4 of the report.

·             The outline of the Internal Audit Quality Assurance and Improvement Programme and progress in terms of delivery to date, as set out in section 3.8 of the report.

Having thanked Darren Armstrong for presenting the report the Chair then invited comments from the Committee, which are summarised below:

·             In commending the quality of the report provided, members began by highlighting concern in relation to the current level of outstanding and overdue audit actions which had been identified, especially in relation to those actions identified as high risk and sought further details on the reasons (including whether these involved any organisational culture or resource capacity issues) and action being taken in response.  The trend in terms of the increase in time taken by management to respond to the follow up audit process was also highlighted as a concern, given the resource implications identified in having to seek responses or follow up in cases where responses lacked sufficient evidence to support implementation of the action having been completed.  In recognising the concerns identified, David Ewart (as Chair) and Councillor Chan (as Vice-Chair) advised these had been shared with the Chief Executive and at senior management level across the Council with a commitment having been received in relation to the robust management action and ongoing monitoring required to address performance.

Outlining the process taken by Internal Audit to review implementation of recommendations with management Darren Armstrong confirmed that where actions are found to remain partially or not implemented at follow-up, revised target dates would be agreed with management with the outstanding actions monitored and reported via departmental ‘action trackers’ monitored through Departmental Management Teams and the ability for any instances of persistent non-implementation of recommendations to be reported to the Committee.  In noting the Committee’s focus on the monitoring of outstanding and overdue audit actions the following specific follow up actions were agreed:

Whilst recognising the balance being sought in seeking to robustly hold management to account for the delivery of audit actions and approach towards delivery of a modern audit function the Committee advised that, given the concerns highlighted, they would be keen to ensure ongoing monitoring of the position (including engagement of the Brent Assurance Board) as part of future updates to the Committee on delivery of the Audit Plan.  In addition, members (whilst noting this would involve an element of self-reporting) also requested that action/risk owner and manager(s) should be required to include details within the future schedule (included as Appendix 4 of the report) of High & Medium Risk overdue actions of the reasons/cause for the delay in implementation of agreed actions to enable trends to be monitored linked to the Council’s strategic and departmental risk management arrangements.  In cases of specific non engagement in the audit process or where the risk identified in ongoing non implementation of the action was identified as critical, it was agreed that the risk owner/manager would be formally required to attend the Committee.  In noting that the non implementation of actions relating to one audit included within Appendix 4 of the report had been identified as close to critical it was agreed that should meaningful engagement not be achieved prior to the next meeting, the relevant management representatives should also be required to attend the next Committee in order provide an update.

·             In response to a query relating to the two high risk/high assurance need audits on which management responses were awaited (referred to in section 3.3.1 of the report, members were advised these related to the Procurement and Discretionary Housing Payment audits included within the Agile Risk-Based Plan.  Confirmation was also provided that progress remained on track to complete delivery of at least 90% of the Internal Audit Plan by 31 March 2025 which it was noted would enable  the Head of Internal Audit to provide an informed and evidence-based opinion as to the effectiveness of the Council’s governance, risk management and control framework.

·             In response to concerns raised in relation to the outcome of the Parks and Open Space invoicing process listed as a review completed as part of the Internal Audit consultancy and advice activity confirmation was provided that the issue raised had been addressed as part of the review.

·             In noting the update provide in relation to school audits further assurance was sought regarding the current number of reviews in progress (2) as means of monitoring the key governance arrangements and financial management controls in place within individual schools across the borough as a whole.  Highlighting that the allocation of resource available to support this area of activity remained under review Darren Armstrong took the opportunity to outline the more targeted approach to use of available resources involving the introduction of hybrid model to manage clusters of schools based on the development of a School Key Financial Controls Self-Assessment to identify schools that may need further assurance and also provide schools with an understanding of the key financial controls that should be in place.

·             Further details were sought on the Key Performance Indicator (KP8) relating to the percentage of audit satisfaction surveys rated as “good or better” designed  to measure performance of the internal audit service, which was noted as being off target with 67% (compared to the target of 100%) being rated on that basis.  In response, members were advised that it had only been possible to assess performance on the basis of the three completed satisfaction surveys which had been returned which was recognised as a low return rate.  Whilst a useful indicator the need to recognise that satisfaction levels could also reflect the outcome rather than way in which the audit process had been conducted with a range other measures therefore also used to assess performance and satisfaction on a more holistic basis, including requests for consultancy and advice and follow up audits from the service.

·             Clarification was also sought in relation to the basis on which the findings and issues raised by Internal Audit (along with resulting recommendations and actions) were graded in terms of the associated level of risk, which members were advised involved an assessment of the impact of the findings based on the categorisation detailed within section 3.4.3 of the report, as a new approach introduced within the 2024-25 Internal Audit Plan to provide a clear outline of the risk based approach towards audit activity.  The new approach had been incorporated into the Agile Risk Based Plan which members were reminded had been designed to provide greater flexibility in terms of addressing emerging risks and priorities with the Plan including a list of audit areas determined via a range of different methods including risk assessment, assurance mapping, and consultation with senior management and designed to guide internal activity outside of the core assurance work based on the level of assessed risk and assurance.  As further clarification, members were advised that the risk rating related to the impact of the specific finding on operational performance of the authority assessed once the audit process had been completed with members noting the work undertaken with management to confirm the actions identified and timescale for completion.  Reference was also made to the list of the potential audit areas identified as part of the rolling internal audit risk assessment included within Appendix 1 of the report  as a means of ensuring priority given to those areas with the highest assurance need.

·             Specific comments were also highlighted by members in relation to the following audit activity detailed with appendices report:

Ø   the scope of control testing processes to be included as part of the General Ledger audit (including , which it was noted would be fed back as part of the ongoing audit review on which a further update would be provided as part of the next Internal Audit Plan Progress report;

Ø   Outcome of the Audit on Temporary Accommodation in relation to the percentage of home visits identified as not being conducted, which members were advised represented an example of management having sought internal audit support and of the agile risked based approach now being adopted.  The findings identified in relation to core controls were not subject to a follow up review on which a further update would be included part of the next Internal Audit Plan Progress report;

Ø   the scope of follow up audit activity in response to the IT Application NEC Revenue & Benefit audit, on which members were advised further details would need to be sought from the relevant risk owner following the meeting.

As no further issues were raised the Chair once again thanked Darren Armstrong for the report and progress update provided and as a result of their consideration the Committee RESOLVED to note the Internal Audit Interim report 2024-25 alongside the concerns highlighted in related to the current level of outstanding and overdue audit actions and need identified, as a result, for ongoing monitoring (also involving senior management through the Brent Assurance Board) as part of future updates to the Committee on delivery of the Audit Plan.

Members also confirmed that, if identified as necessary, risk owners would be required to attend the Committee, in cases where they had consistently failed to engage in the audit process or where the risk identified in relation to ongoing non implementation of the action was identified as critical.