Agenda item

This report summarises the activity of Internal Audit for the financial year 2024-25, including an update on work completed since the previous updated provided in December 2024.

The report also provides the annual audit opinion, provided by the Deputy Director Organisational Assurance and Resilience (Head of Internal Audit), on the adequacy and effectiveness of the Council’s framework for governance, risk management and control, which is used to support the Council’s Annual Governance Statement.

Darren Armstrong (Deputy Director Organisational Assurance and Resilience) introduced a report from the Corporate Director Finance & Resources which outlined the activity undertaken by Internal Audit during 2024-25 (and work undertaken since the previous update in December 2024) and included the Annual Audit opinion provided by the Deputy Director Organisational Assurance and Resilience (as Head of Internal Audit) on the adequacy and effectiveness of the Council’s framework for governance, risk management and internal control used to support the Annual Governance Statement.

In considering the Internal Audit Annual Report (as detailed within Appendix 1 of the report) the Committee noted the following key points:

• There had been no actual or perceived threats to the independence and objectivity of the Internal Audit function in relation to the work carried out to deliver the 2024-25 internal audit plan. The Head of Internal Audit and all internal auditors had continued to receive unrestricted access to senior management, officers and all information and records necessary to undertake their work.  This was supported by the internal audit function having also received an External Quality Assessment (EQA) during 2022-23, which identified no concerns regarding to the independence or objectivity of the function.

• The summary relating to delivery of the internal audit plan during 2024-25 contained within section 4 of the Annual Report attached as Appendix A to the report. This had included the conclusion and issuing of 51 separate audit reports which was felt to represent a notable achievement given that the team had operated at approximately 75% capacity for most of the year with the team praised for their dedication and hard work.  In terms of outcome, this activity had led to a total of 122 findings being raised, comprising 39 classified as high risk, 56 medium risk, and 21 low risk and with all recommendations being accepted by management.
• Section 5a within the Audit Plan detailed the core assurance work undertaken during 2024-25 focussed around the Council’s sore systems and controls based on a rolling three-year cyclical plan.  This had included the completion of 13 core assurance audits (representing 100% of the planned work for 2024-25). These audits had generated 52 findings, with 14 classified as high risk, 24 as medium risk, and 14 as low risk. The outcomes had included nine opinions of moderate assurance and four opinions of limited assurance with all recommendations having been accepted by management.  Section 5b of the Annual Report provided a summary of the outcomes from each core assurance audit, while section 5c provided a headline summary of the key findings.

• Under the agile risk focussed element of the Internal Audit Plan, the team had adopted a more fluid, flexible, and adaptive approach to providing assurance on emerging risks and issues.  As part of the agile risk-based work undertaken during 2024-25 10 audits had been completed, with 6 providing moderate assurance and 4 providing limited assurance opinions.  This work had generated 50 findings, comprising 17 classified as high risk, 26 as medium risk, and 7 low risk findings.  Section 6b of the Annual Report provided a summary of the outcomes from each risk-based audit, while section 6c provided a headline summary of the key findings.
• The summary of consultancy and advisory and School Audit activity delivered by the audit function during 2024-25 as detailed within sections 7 and 8 of the Annual Report.
• The outline of follow up activity undertaken during 2024-25 in relation to previous audit reviews as detailed within section 9a of the Annual Report.  The Committee was advised that 150 actions had been followed up during 2024-25 including 42 classified as high risk, 86 as medium risk and 22 as low risk and with the rate of implementation within original timescale having increased from 46% in the previous year to 67% during 2024-25.  While this had remained short of the 75% target, it the Committee noted this represented a marked improvement and positive upward trend.  The Annual Report also included an outline of actions partially or still to be implemented.
• As detailed within section 10 of the Annual Report, the Head of Internal Audit had been satisfied that the work undertaken by Internal Audit during 2024-25, as well as wider governance arrangements, had enabled a “reasonable assurance” audit opinion to be provided on the Council’s control framework, risk management and governance arrangements.  In noting the basis of the opinion provided, which had been primarily supported by internal audit activity undertaken during 2024-25 the Committee were also advised of the limitations identified given it was not possible for the Plan to address all risks facing the Council and represented the deployment of a limited audit resource. In addition, it was recognised that the assurance provided could never be absolute given the difficulty in internal audit being able to identify and address all issues and weaknesses that may exist and the responsibility for maintaining adequate and appropriate systems of control residing with management as opposed to internal audit.  In outlining the basis of the opinion the Committee were also advised of the other sources of assurance which had been considered which included the Corporate Peer Challenge, External Audit Annual Report, Procurement Peer Review, counter fraud activity and assessment of the Council’s framework of governance against the Delivering Good Governance in Local Government guidance.
• In determining the annual opinion, the Head of Internal Audit had considered which key themes from audit work undertaken in 2024-25 could be enhanced in the future to better support the Council’s governance, risk management and internal control frameworks. The areas of improvement identified as a result had been detailed within section 10 of the Annual Report and included:

o   The rate of implementation of audit recommendations/actions within original timescales;

o   The need to continue addressing “second line” gaps in control identified at departmental and operational level including compliance issues identified as a result of the Council’s self-referral to the Regulator for Social Housing

o   The need to review delivery of the recommendations made by External Audit and through the Corporate Peer Challenge in relation to strengthening the Council’s financial resilience and sustainability.

·       The continued compliance of the Internal Audit function with the Public Sector Internal Audit Standards and quality assurance improvement programme along with outline of key performance indicators, as detailed within section 11 of the Annual Report.

The Chair thanked Darren Armstrong for the report along with the internal audit team for their work over the year recognising the level of activity undertaken and outcomes achieved within the resource available before inviting comments on the outline provided of the Internal Audit Annual Report, with the following issues raised by the Committee:

• In seeking assurance regarding independence of the core assurance audit completed on the Council’s insurance arrangements given this function fell within the remit of the Deputy Director Organisational Assurance and Resilience, confirmation was provided that that appropriate procedures had been in place to ensure that the audit was conducted independently.  This had involved PWC as the internal audit co-sourced partner undertaking the audit work with the findings reported directly to the Corporate Director Finance & Resources.

• In noting the range of common audit findings which would have either a direct or indirect impact on the Council’s procurement arrangements and wider performance management framework (including policies and procedures and documentation) and may assist in the strategic procurement review currently being undertaken, details were sought on how these could be used to inform the process.   In response, Darren Armstrong advised that discussions had already taken place regarding coordination with the procurement review, including how best relevant audit findings could feed into the process and how internal audit could provide assurance over progress moving forward.

Concern was also highlighted at the potential risk in relation to the number of open purchase orders identified as part of the core assurance audit on procurement.  In recognising the inherent risk this posed in terms of data accuracy and integrity, as well as increased risks of inappropriate expenditure and fraud members were advised of the recommendation that as best practice, long-standing purchase orders should be closed to prevent prolonged risk of inappropriate or unauthorized expenditure.

• In recognising that a high number if audit findings also related to data management and compliance issues, members felt it may be useful to consider a wider review of data quality culture across the Council, which Darren Armstrong advised could be fed into the improvement activity already identified as part of the Head of Audit Opinion regarding second line controls.  In view of the identification of data quality and integrity as a theme across core and risk focussed audit activity in terms of gaps and weaknesses in the Council’s second line of defence, members also felt it may be useful to consider the potential scope for a more cross cutting review of the arrangements in place across individual departments to ensure the necessary oversight has been embedded and was being monitored across the Council as a whole.

• Further clarification was sought on the implementation of follow up actions within original target dates.  Whilst recognising and welcoming the improvement in performance outlined with the report and action being taken to address actions arising from audits that remained partially or not implemented (particularly in relation to second line gaps in control) further details were sought on how performance in this area could be further enhanced moving forward.  In response, members were advised of the measures in place to support and remind departments of the importance that needed to be placed at an operational level on the implementation of audit actions based on realistic achievable target dates and enhanced engagement and monitoring at departmental level to ensure issues with non-implementation of actions were highlighted and addressed prior to escalation to the Council Management Team, Brent Assurance Board and ultimately (should it be identified as required) utilising the powers available to the Audit & Standards Advisory Committee.

Members also sought further details on benchmarking undertaken in relation to performance on the target for implementation of follow up actions.  Whilst noting that the 75% target had been agreed as part of the Audit Plan it was recognised that some slippage would be inevitable given the capacity of resources available and multiple competing priorities.  However, the Council maintained a 100% target for all actions being implemented, with a staged process monitoring actions through original target dates, revised target dates, and then overdue status for those requiring more scrutiny and internal audit continuing to work closely with management to monitor implementation of recommendations and actions arising from individual audit reviews, including thorough follow-up review.  In addition to the overall improvement identified, members were also advised that the rate of High risk actions implemented within original target dates has also risen from 48% in 2023-24 to 64% in 2024-25 with clear support provided at a corporate level and work ongoing (as an identified area of improvement) to further increase the rate of implementation, within original target dates, to the target of 75%.

• Highlighting the importance attached to the improvement activity identified in relation to the Council’s Financial Sustainability arrangements, further details were sought on the role of internal audit in supporting this process.  In response, members were advised that internal audit had recently completed a Financial Resilience and Sustainability Consultancy/Advisory review using subject matter experts from PWC.  The main aim was to evaluate the Council’s ability to maintain robust financial health in a volatile environment with the review including a self-assessment by the finance team against CIPFA criteria and a workshop to validate and refine the insights provided.  The outcome of this process had identified a number of key finding and suggested areas for consideration including best practice from across the local government sector that would be followed up in order to assess how they had been translated into the resulting action plan and could be used as a basis for providing further assurance.  Minesh Patel (as Corporate Director of Finance & Resources) advised members that the review had been a useful process in supporting development of the action plan to address the Council’s financial resilience as part the wider Medium Term Financial Strategy.

·       In response to further details being sought on the findings identified within the core assurance audit on the General Ledger relating to discrepancies in the process for provisioning and revoking staff access to the system members were advised that further details would need to be sought from the relevant department on the specific checks and security arrangements in place.  As further assurance, confirmation was provided that all audit findings had been accepted by management with a response due to be provided as part of the next interim update on progress against the Audit Plan for the Committee.

With nor further issues raised, the Chaired once again thanked Darren Armstrong and the Internal Audit team for the work undertaken to deliver the Plan whilst also recognising the ongoing challenges and risks identified involving not only core assurance activity but also identified through the more agile risk based approach and Council’s Strategic Risk Register, including the ongoing focus on issues relating to the second line of defence and implementation of audit findings.

Having commended and welcomed the update provided the Committee RESOLVED to note:

(1)  the outcomes of the internal audit work completed in 2024-25.

(2)  the Annual Internal Audit opinion on the adequacy and effectiveness of the Council’s framework for governance, risk management and control.