The purpose of this report is to provide the
Head of Internal Audit’s Annual Report and Opinion for the
financial year 2021-22. The report summarises the work undertaken
by Internal Audit during the year, the key conclusions that can be
drawn from this, and the overall opinion on the
organisation’s governance, risk and internal control
The Committee considered the report of the Head of Internal Audit which provided the Annual Report and Opinion for the financial year 2021-22. The report summarised the work undertaken by Internal Audit during the year, the key conclusions that could be drawn from this, and the overall opinion on the organisation’s governance, risk and internal control environment.
Laura Williams, Head of Internal Audit, advised that this was one of the most important reports of the year. It summarised all the work undertaken during the year, drew the key conclusions from that work and provided an overall opinion of the organisation’s governance, risk and internal control environment.
There had been 50 pieces of work completed by Internal Audit during the year, and these had been used to inform the annual opinion. There were additional pieces of work that had been completed which were more around advice and guidance and those had also been taken on board as part of the opinion.
The report summarised those reports and outcomes and gave information as to how the opinions and recommendations broke down. All of those pieces of work had been reported to the Committee during the year. The only ones which would not have been seen were those which had been completed late last year or early this year, and these were included in the Internal Audit Update report on the agenda for this meeting.
The single report covered the Combined Authority and Merseytravel and it recognised that there was a blended system of internal control, governance and risk management across the two organisations. However, in terms of the overall opinion for the year on each organisation, these had been delivered separately and it was noted that they were the same across both the Combined Authority and Merseytravel – ie that there was an adequate overall opinion for both organisations and a good capacity for improvement rating again for both organisations. An opinion of “adequate” is the highest rating that can be given, and this arises from due professional scepticism and alsothat Internal Audit can not review every single control or be aware of every single risk or piece of governance or procedure.
The report set out the key elements that arose from the annual review of governance and synergies would be seen between those findings and the Annual Governance Statement (AGS) as the work is one of the feeder pieces of work upon which the AGS was based.
Laura Williams concluded that it was a positive report and it did reflect the considerable progress that had been made across the organisation. She drew attention to section 7 of the report (pages 84 and 85) which set out the opinions, the work that was still to be done and the areas which still needed to be developed. It would also be necessary to continue to develop the organisation’s risk management arrangements..
Councillor David Burgess-Joyce referred to a question that he had asked previously as to whether there was any work ongoing in respect of paperwork taken home by staff during the pandemic which would then be in the public domain and could cause embarrassment. Laura Williams responded that this report was in respect of financial year 2021/22 and the culmination of that work. There was a piece of work around information governance in the current year’s Internal Audit Plan, but that the Monitoring Officer might wish to comment in respect of work her team was doing in that area. Jill Coule stated that there were two things that had been done in this regard. It had been an issue which had been raised in the Information Management Group and in September it was proposed that an Information Management report would be brought to the Committee which would contain more detail. The Information Management Group oversaw the information handling practices and activities of the organisation and the profile of this issue had been raised and that sensitivity had been distributed across the organisation to make sure colleagues were aware. Secondly, the Information Management training was being refreshed and it would be picked up in that new training package as the current training package pre-dated the pandemic.
Councillor David Burgess-Joyce asked whether there had been any opportunities for amnesty. Jill Coule confirmed that information risk was an important responsibility within the organisation. It was felt that there was not a need to do an amnesty as there had not been a large number of data protection breaches within the organisation. It was important to treat that type of information appropriately but the Combined Authority did not have the same volume of information or staff dealing with that information so the propensity of a breach was a little less than it would be for a Council. However, it was still a risk of concern and therefore it was necessary to ensure that the authority’s practices and activities were as sharp as they could be.
Councillor Graham Morgan referred to the fraud, bribery and corruption section of the report. It was good to see that in 2021/22 there had been no notifications of suspected fraud, bribery or corruption. He noted that there was a recommendation in the report to make staff more aware and to give them more confidence to report fraud. The report noted that the Head of Internal Audit had discussed it with ELT and SLT and he asked for an update on that. Laura Williams responded that there was a question around if concerns were not coming forward was that because they did not exist or was there a reluctance to report them. A number of things had been done which included a learning package which had been pushed out to all staff with a 72% completion rate. Conversations had also taken place with colleagues around the responsibility of managers. Further work is ongoing in ensuring there is adequate fraud awareness across the organisation. There would also be a clear focus on whistle blowing as these were high priority issues and it was important to raise the profile.
Jean Gleave noted that on page 8 of the report there was a list of items that had had to be removed from the plan for various reasons. She referred to the one on Business Continuity Management and queried whether work would carry on that in follow up because obviously following on from the pandemic it was probably a key area or was it something that would be put back into the audit plan at the right time. Laura Williams confirmed that she had been involved in the discussions around this and when undertaking the follow up work it was clear that there were a number of actions to be taken forward but it had not been an opportune time to do that work. From a broader perspective work had been undertaken with that team to develop a view on what those recommendations would look like in implementation. From an audit perspective there would be a clear continuation of that piece of work, and it was not something that would be lost. There were two elements to that – one was picking up on the thread of the recommendations which had been made previously but also some of those recommendations had arisen from a particular point in time and were pandemic related. There were probably some new elements that would come into play as the business continuity arrangements were tested and looking at the different threats that might be more relevant at the moment. It was certainly the intention to follow up on the piece of work that had been planned but also looking at those new risks and threats as well and the authority’s robustness to deal with those. She had been assured that progress had been really positive and in the Corporate Risk Register there were a number of actions that had actually been completed in respect of this area. She stated she would report back when this piece of work had been completed.
Jean Gleave referred to the work around Seacombe Landing Stage and queried whether that would be follow up work and also the impact on that for other capital projects. Was that something that assurance was being sought on from across the organisation as it was a significant area and the only one with a major reputational risk. Laura Williams agreed that it was the only major report during last year and obviously that had been taken seriously as an organisation but also from an audit perspective. It was important that the weaknesses that came up through that audit were not being replicated in other parts of the business and therefore a very detailed response had been provided to those recommendations from the department. The Seacombe issues would be followed up specifically but the Authority was about to embark on other similar projects and it would be necessary for the organisation to put in place a strong level of control to ensure that they were managed effectively so the same situation would not arise again.
Jean Gleave referred to page 81 of the agenda and in particular paragraph 5.5 which talked about development in governance and there was a list there against the principles. Having looked at the Annual Governance Statement she queried whether these were areas for development that had been drawn out of the Annual Governance Statement or whether these were separate. Laura Williams responded that this was one of the feeder documents to the Annual Governance Statement so all of the findings from the governance review had gone forward for consideration and each of the core principles had been broken down in the statement. Not all of them would be there as they might be worded differently but all of the points had been picked up as part of that process. There was a clear synergy between the work that Internal Audit did and what ended up in the statement.
Jean Gleave noted that completion of the plan had been reported this year and there was a list of areas which had been taken out of the plan. Also attached to the report was the work that CIPFA had done. She asked whether Laura Williams was comfortable with the level of resource and expertise within the team over the last year and going forward. Laura Williams responded that generally she was comfortable with the level of resource in the team. One of the points that came out of the Public Sector Internal Audit Assessment was the need to move away from the grants processing function and someone was being trained to take over that work and in the next couple of weeks that person would be handed over to a different team which would be a great step forward in freeing up some resource and taking back independence in that area. There were other changes in the team which meant there was an opportunity to look at the structure. New funding streams were also coming along but that also placed some strain on the service in being able to provide the audit and assurance functions that were required for our own purposes as well as from the perspective of Government. Thought was being given about what to do with the structure in terms of making best use of that vacant post to make sure that the resources available were used to the best effect. Additional resources would always be welcomed but the report was based on an adequate level of resource.
RESOLVED - That the report be noted.