Minutes:
The Committee considered the Internal Audit plan for 2023/24 and the Internal Audit Charter. The plan was developed to reflect the key risks and the Council’s strategic objectives. It was an annual plan to help with planning further ahead and it was not a fixed plan, but a flexible one to allow for any new risks or projects that arise. Any changes would be reflected through the progress reports. The plan had been reported to Senior Management Team and Corporate Management Team.
The Internal Audit Charter was a requirement under the Internal Audit Standards and the Public Sector Internal Audit Standards. It was required to define the roles and responsibilities of the Internal Audit service, previously presented as part of the 5-year Internal Audit strategy last year. This Charter had been updated but there were no significant changes.
Members asked officers how they prioritised with fewer resources. Officers noted that they started with key risk areas; looked through the corporate risk register and directorate risk registers; looked at other sources of assurance to avoid duplicating work that, for example, External Audit or Counter Fraud were looking at. Officers met with each of the directorates and asked what their priorities were and how the service could support them. There was an outsourced provider (Mazars) who could assist where necessary.
Members asked officers how they could be confident in being told what needed to be audited. Officers noted they referred to KPIs and monitoring reports. Officers also noted objective setting and the risk registers. External factors such as the private sector and other authorities were noted as a guide on areas to audit or things to be aware of.
Members noted new data projects and new technology, and asked how this would change ways of working or what impact this had. Officers noted that there was more data available and more of a focus on data analytics. There were fewer manual processes and less manual testing of those processes. There was more auditing of the accuracy of the data and data quality reviews, which had IT elements. Telecare was noted in terms of keeping, storing, sharing and accessing data.
Members asked about the high, medium and low risks and how officers planned to get the high risks down. Officers noted the risk registers which were managed by the different directorates. The risks on the risk registers had action plans with a view to reducing the risks. If something was listed as high risk, it should be looked into more regularly. In terms of the risk ratings within the plan, that was an internal rating when looking at areas to review.
Members asked about follow ups on old risks and where these fit into the plan alongside new risks. Officers noted that the follow up process was separate. If a review identified any high or medium recommendations, these would be followed up as they became due. If it were a no assurance item, this would be followed up. If actions were not being taken, another formal audit could be undertaken. There was a process of verification of actions taken.
Members asked if follow up reports would be provided at future Committees. Officers noted that there was a backlog, but that follow ups would be presented as part of the annual report at the next meeting, and a summary brought to subsequent meetings.
The Chairman noted the comprehensive plan and commended the inclusion of climate action. The Chairman asked about the challenges of an aging workforce. Officers noted that they were looking into this. The Chairman noted that the number of days spent on grant claims had gone up, and asked if this was simply because there were more grant claims. Officers confirmed that this was the case. The Chairman noted that there had been less time spent on ad-hoc consultancy. Officers noted there were still consultancy reviews taking place, but the days shown was more for one-off requests rather than a detailed review. The Chairman asked if timeliness was a challenge. Officers noted that receiving information from management before the start of the audit would lead to a more structured plan. KPIs for management had been included, and management were aware of this.
RESOLVED: That the Audit Committee:
Supporting documents: