Internal Audit Report - Quarterly Review

Transcription

1 OFFICIAL Internal Audit Report - Quarterly Review Audit Committee Date: 28 July 2017 Submitted By: Chief Finance and Procurement Officer Agenda Item: 5 Purpose To present the Internal Audit report (April to June 2017) to Members Recommendations That Members note the content of the report. Summary To provide a summary of the audit activity for the period April to June 2017 and to report the findings to the Committee. Local Government (Access to information) Act 1972 Exemption Category: Contact Officer: Nil Alison Wood Chief Finance & Procurement Officer T: E: alison.wood@westyorksfire.gov.uk Background papers open to inspection: None Annexes: Internal Audit Report April to June

2 1 Information 1.1 This Committee has the responsibility for monitoring the work of internal audit. In order to facilitate this, Internal Audit provide a quarterly report of its progress which includes a summary of the work completed and an assessment of the level of assurance provided by the systems examined. This report covers the period from April to June On completion of each audit the Auditors provide an assessment of the level of assurance that the control systems in place provide. There are four rankings as detailed below. :- Substantial assurance Adequate assurance Limited assurance No assurance More details of how these classifications are measured are provided in the attached appendix. This report includes a detailed explanation of action which has been taken on any audits which are ranked as providing either limited assurance or no assurance. 2 Audit Work 2.1 There has been one audit of other financial systems and risks, and one business risk audit, both of which demonstrated substantial assurance. Details of each of these audits including the basis of the classification are in the attached appendix. There has also been a special investigation into the procurement of the Premises Risk Database which resulted in limited assurance. 2.2 The report also provides details of work currently in progress 3 Audit Performance 2016/2017 Section 10 of the attached appendix compares current audit performance in the current financial year with the previous year. 4 Recommendations 4.1 Members are asked to note the contents of this report. Internal Audit Report - Quarterly Review Page 2 of 2 10

3 INTERNAL AUDIT QUARTERLY REPORT April to June 2017 Simon Straker: Audit Manager 1 11

4 ABOUT THIS REPORT This report contains information about the work of the Authority's Internal Audit provided by Kirklees Council. The 2017/18 Audit Plan as approved by this Committee earlier in the year includes 16 pieces of work covering a variety of cyclical audits which meet the expectations of the external auditor and address some of the major risks identified by the Authority. For ease of reference the audits are categorised as follows: 1. Summary 2. Major and Special Investigations 3. Key Financial Systems 4. Other Financial Systems & Risks 5. Locations and Departments 6. Business Controls 7. Follow Up Audits 8. Recommendation Implementation 9. Advice, Consultancy & Other Work 10. Internal Audit s Performance Investigation summaries may be included as a separate appendix depending upon the findings. When reports have been agreed and finalised with the Director concerned and an Action Plan drawn up to implement improvements, the findings are shown in the text. Incomplete audits are shown as Work in Progress together with the status reached: these will be reported in detail in a subsequent report once finalised. Good practice suggests that the Authority's management and the Audit Committee should receive an audit opinion reached at the time of an audit based upon the management of risk concerning the activity and the operation of financial and other controls. At the first meeting of the Audit Committee, Members resolved to adopt an arrangement relating to the level of assurance that each audit provides. As agreed with the Audit Committee, the report has been expanded to include details of the key recommendations applicable to each audit that does not result in a formal follow up visit and the action taken by management regarding their implementation. The final section of the report concerns Internal Audit s own performance. There is a need to be mindful that with the relatively small numbers of audits included in the plan, percentages can give a slightly misleading impression. There is a paucity of qualitative measures of the effectiveness of internal audit, the main one being client satisfaction surveys following the completion of an audit for which the return rate is relatively low. It is the practice of Internal Audit to undertake follow up audits to ensure that agreed actions have been undertaken. Any audits that produce less than "adequate assurance" will be followed up, together with a sample of the remainder and a new opinion will be expressed about the level of assurance that can be derived from action taken by management to address the weaknesses identified. 2 12

5 1. SUMMARY The final audit from 2016/17 Audit Plan on managing the risk of Supply Chain Failure was completed in April and produced a Substantial Assurance opinion. The Annual Report of Internal Audit 2016/17 summarises the outturn position and overall positive opinion on the Authority s risk management, governance and internal control environment. Three audits have been completed so far in 2017/18, including an unplanned investigation requested by the Director of Service Support and Chief Finance & Procurement Officer into the ongoing procurement and payment for IT software by Fire Safety. This review concluded with a Limited Assurance opinion. Both of the planned audits concluded with a substantial assurance opinion reflecting that the two risk areas are being well managed. There are no outstanding key recommendations from audit work in the previous year. 3 13

6 2. SPECIAL INVESTIGATIONS & REVIEWS Director of Service Support Fire Safety Software Procurement An investigation was undertaken at the request of the Director of Service Support and Chief Finance & Procurement Officer into the means of procuring and paying for work and services associated with the Premises Risk Database (PRD) as part of a larger review into the supply of this application. The PRD is used by Fire Protection as a fire safety database to store and hold premises information and to calculate compliance scores in line with the Health & Safety Executive Enforcement Management Model. It was procured originally in The system is also used by Operational Crews to hold data which has been collected through Operational Risk Visits and to calculate the revisit schedule based on the last assessment. The significance of (and reliance placed upon) the PRD has grown substantially since the initial procurement of a bespoke database. This has since resulted in the Authority incurring expenditure in excess of 280k in the intervening years, 130k of which has been on annual maintenance charges, and 152k on modifications/upgrades to the database. Procurement arrangements associated with this supply have not been fully compliant with CSOs and FPRs. The original categorisation of the supply as a proprietary article was inappropriate and contrary to the CSO definition. This initial decision was the basis that further approvals to incur expenditure used as the competition exemption. Therefore the initial guise of being a proprietary article has perpetuated the continued use and reliance on a sole supplier to maintain and modify the bespoke database, and in doing so this has enabled this particular supplier to have a significant advantage over any other suppliers by a unique knowledge of the database and of the Authority s requirements. Contrary to CSOs, evidence could not be provided to support/certify the grounds for making the purchase a proprietary article, albeit in 1999, or for the later procurement decisions which were made on this basis. In addition, no information could be provided to indicate how the relationship between the Authority and this supplier initially commenced. The initial annual maintenance cost of 24k over a 3 year contract should have meant the procurement was the subject of competition by obtaining a minimum of three written quotations. In addition, the original contract document has not been subject to review with price increases having taken effect without evidence of any formal written approval. 14 4

7 Various officers, past and present, have been involved in procurement decisions associated with this database. Meeting minutes indicate that there has been transparency over the years since the introduction of the database, with regards to reporting to senior management of upgrades & modifications and for gaining the authorisation to incur expenditure, indeed officers have highlighted a high level of satisfaction in terms of value for money with the functionality of the PRD, and the support provided by the supplier. However, poor contract management arrangements and a lack of clear responsibility and involvement of the IT department, has led to the perpetuation of bad practice resulting in areas of non-compliance to CSOs/FPRs. Unsurprisingly, a Limited Assurance opinion was allocated. The actions identified by the Authority in a wider review in relation to the future management of the PRD supply are appropriate and will largely address the non-compliance issues identified in this investigation. Management have agreed the audit recommendations made and an Action Plan has been compiled to monitor implementation, including future procurement by competition in accordance with CSOs which will be prioritised as part of the current ICT strategy programme and consideration of the appropriateness of any further action against individual officers. 3. KEY FINANCIAL SYSTEMS None during this period. 5 15

8 4. OTHER FINANCIAL SYSTEMS & RISKS This category relates to smaller scale and / or lower risk activities reviewed periodically to ensure a full coverage of the Authority s activities. System / Risk Findings Audit Opinion Director of Service Support Local Government Transparency Code The Authority is complying with the mandatory requirements of the Code in the majority of cases and in some cases the mandatory requirements are being exceeded. Sample testing was undertaken on contract data identified some anomalies, although this was likely due to the data extract method skewing the output rather than inaccuracy. This should be reviewed to identify if this occurs elsewhere within the file. The format and ease of access was found to be as recommended by the Code. The majority of data provided was compliant with a few exceptions which can be easily rectified. Timeliness of reported data was in line with the LGTC guidance. The exception to this was expenditure payments which were last published to Quarter 2 (30 September 2016). This data is provided by Kirklees Council and some omissions had been noted in the Quarter 3 data, therefore the Authority has opted not to publish further data until the matter has been rectified by the Council. Discussions are ongoing to rectify this problem. Substantial Assurance 6 16

9 5. LOCATION & DEPARTMENT AUDITS This category relates to smaller scale and / or lower risk establishments reviewed periodically to ensure a full coverage of the Authority s activity in accordance with the Audit Strategy, routine station audits have ceased. None in this period. 6. BUSINESS RISK AUDITS This category of audits reflects the revised Audit Strategy to incorporate coverage of the controls and management actions to respond to the major risks to the Authority s objectives as codified in the Corporate Risk Matrix. Risk Findings Audit Opinion Director of Service Support Supply Chain Failure (2016/17 Plan) The controls in place to manage this risk were found to be operating effectively and the audit found good practice by procuring officers in ensuring the suitability of suppliers and contractors to the Authority. Some revisions and amendments to Contract Standing Orders were identified, such as the option or requirement for a performance bond and for specialist IT software providers the authority should ensure an appropriate cryptographic key (escrow agreement) is held by a third party to safeguard business continuity. A number of revisions are proposed to Contract Standing Orders in the review of the Constitution report to the Annual Meeting. Substantial Assurance 7 17

10 Director of Service Delivery (Not meeting) Service Delivery Standards Robust arrangements are in place to monitor (and report) the impact of IRMP changes on actual response times against the RBPA. Formal reporting arrangements are in place at various levels across the Authority which includes Management Team and Full Authority meetings. Performance against the RBPA is reported both in terms of percentage of incidents which have met RBPA, and average response times across each risk category. There is a risk that reliance on just average response times could reflect more favourably achievement against the RBPA. However, this is mitigated by the monitoring arrangements that are in place which involves detailed scrutiny of all incidents which have not met their target response times. In addition to the internal monitoring arrangements, the Authority commissioned an independent assessment by external consultants to provide a retrospective critique on the impact of IRMP interventions, and whether the original impact studies and predictions have proved to be correct. The outcome of this review is positive, in that out of the 17 interventions, 15 can be fully supported by the statistical data, with 2 being partially supported. Substantial Assurance 7. FOLLOW UP AUDITS Any audits that result in a less than adequate assurance opinion are followed up usually within six months, depending upon the timescale for implementing the agreed recommendations. Additionally, a sample of other audits is followed up periodically too. None during this period. 8. REVIEW OF KEY RECOMMENDATIONS No key recommendations were outstanding other than those in follow up audit. 8 18

11 9. ADVICE, CONSULTANCY & OTHER WORK System Comments Director of Service Delivery Joint Control & Command Project Continued support to the Project Board in its attempts to move forward and complete user acceptance testing with the supplier and commence the contractual period of steady state prior to moving to the maintenance period. Director of Service Support Emergency Services Mobile Communications Project (ESMCP) Internal Audit have been requested to provide ongoing assurance about the financial probity, governance and control of risk arising from the delivery of the project by 2018, both as regards WYFRA and within the Yorkshire & Humber region as a whole. The terms of reference have been agreed by the Project Board. 9 19

12 10 INTERNAL AUDIT S PERFORMANCE 2017/18 Performance Indicators 15/16 Actual 16/17 Actual 17/18 Target 17/18 Actual Audits completed within the planned time allowance 85% 88% 80% 100% Draft reports issued within 10 days of fieldwork completion 90% 100% 90% 100% Client satisfaction in post audit questionnaires 100% 100% 90% n/a Chargeable audit days QA compliance sample checks percentage pass Planned Audits Completed Planned Audits in Progress Unplanned Work Completed Unplanned Work in Progress

13 2017/18 AUDIT PLAN DELIVERY Planned audits Transparency Code Service Delivery Standards Income Collection Asbestos & Other Uninsured Claims (Operational) Payroll & e-procurement Follow ups IRMP Implementation to manage reduced government grant Status Finalised Finalised Provisional Q2 Provisional Q2 Provisional Q2 Provisional Q2 Procurement Rule Compliance & VFM Capital Plan Delivery Recruitment & Selection Cyber Security Threat Partnerships Major CBRNE attack within West Yorkshire Data Protection Compliance Loss of Critical ICT systems, software or infrastructure Future Authority Governance Arrangements Members Allowances Unplanned audits Fire Safety IT Software Procurement Status Finalised 11 21

14 OFFICIAL Abridged Performance Management Report Audit Committee Date: 28 July 2017 Submitted By: Chief Legal and Governance Officer Agenda Item: 6 Purpose To inform members of the Authority s performance against Key Performance Indicators where targets are not being achieved Recommendations That members note the report Summary The Performance Management and Activity Report which is presented to the Full Authority outlines the Authority s performance against key performance indicators thereby enabling the Authority to measure, monitor and evaluate performance against targets. This report highlights the key performance indicators where targets are not being achieved. The report also includes details of applications, authorisations and rejections under the Regulation of Investigatory Powers Act (RIPA) 2000 Local Government (Access to information) Act 1972 Exemption Category: None Contact Officer: Background papers open to inspection: None Alison Davey Corporate Services Manager alison.davey@westyorksfire.gov.uk T: Annexes: Abridged Performance Management Report 23

15 1 Introduction 1.1 The Performance Management and Activity Report, which is presented to each Full Authority meeting outlines the Authority s performance against key performance indicators thereby enabling the Authority to measure, monitor and evaluate performance against targets. These are detailed in three categories as shown below: o o o Key Performance Indicators Service Delivery Indicators Corporate Health Indicators 1.2 The Performance Management and Activity Report is monitored bi-monthly by Management Team and by the Full Authority at each meeting. 1.3 A traffic light system is used to provide a clear visual indicator of performance against each specific target and comparison is made with the same period the previous year to indicate whether performance has improved, remained the same or deteriorated. 2 Information 2.1 The attached report highlights the key performance indicators where the targets are not being achieved. 2.2 Information regarding reasons why performance is not at the required level, together with actions being taken to address this, is provided within the report. 2.3 The report also includes details of the applications, authorisations and rejections under the Regulation of Investigatory Powers Act (RIPA) Financial Implications 3.1 There are no financial implications arising from this report. 4 Human Resources and Diversity Implications 4.1 Measurement against key indicators on human resources and diversity are included in the Performance Management Report. 5 Health and Safety Implications 5.1 There are no health and safety implications associated with this report. 6 Service Plan Links 6.1 This report links to all the Service Plan priorities. 7 Conclusions 7.1 That Members note the report. Abridged Performance Management Report Page 2 of 2 24

16 Performance Management and Activity Report (Abridged) 2016/17 Period covered: 1 April March 2017 Date Issued: 29 June

17 Table of Contents 1. Introduction/Summary 2 2. Service Delivery Targets 3 3. Service Delivery Indicators Overview 4 4. Service Delivery Indicators WYFRS not achieving target 9 5. Regulation of Investigatory Powers Act (RIPA) Introduction/Summary The purpose of this report is to provide information regarding the performance of West Yorkshire Fire and Rescue Service against selected performance indicators for which performance has decreased compared with the same period the previous year. The first section provides a summary of performance against all performance indicators detailed within the full Performance Management and Activity Report which is presented to each Full Authority Committee meeting. In this report, appropriate and progressive monthly statistics have been utilised to identify trends in performance, with corresponding information regarding the action being taken to address areas of under-performance. All data, unless specified, is for the reporting period 1 April 31 March A traffic light system has been employed to provide straightforward visual indication of performance against each specific indicator. If further data is available following the last Performance Management Report presented to the Full Authority, this has been included to show the performance trend. 26

18 2. Service Delivery Targets Not achieving target (by more than 10%) Satisfactory performance (within 10% of target) Achieving or exceeding target Actual Data (2009/10) Three Year Average Target (2013/16) Actual Data to date (2016/17) Performance Against Three Year Average (2016/17) End of Year Projection (2016/17) Arson % 6150 Actual Rescues % 721 Total Activity % Dwelling Fires % 1181 Non-Domestic Building Fires % 502 Prevalence of False Alarms % Fire-Related Injuries % 215 Road Traffic Collisions % 574 No. of Operational Risk Visits % 3858 Malicious False Alarms % 347 No. of Home Fire Safety Check Points %

19 3. Service Delivery Indicators Overview Indicates a worse performance compared to the same period last year (by more than 10%) Indicates a worse performance compared to the same period last year (up to 10%) Indicates a similar or better performance compared to the same period last year Description To Date Same Period Accidental Dwelling Fires (per 10,000 dwellings) Compared to Last Year Number of deaths arising from accidental fires in dwellings (per 100,000 population) Number of Deaths arising from Accidental Fires in Dwellings

20 Description Number of Injuries arising from accidental fires in dwellings (per 100,000 population) Performance To Date Performance Same Period (a) Number of Serious Injuries(per 100,000 population) (b) Number of Slight Injuries (per 100,000 population) Performance Compared to Last Year The percentage of dwelling fires attended where there was a working smoke alarm which activated The percentage of dwelling fires attended where a working smoke alarm was correctly fitted but did not activate The percentage of dwelling fires attended where a smoke alarm, because it was faulty or incorrectly sited, did not activate The percentage of dwelling fires attended where no smoke alarm was fitted 55.1% 54.9% 17.7% 17.8% 5.6% 5.6% 21.8% 21.7% Percentage of Dwelling Fires Attended where there was a Working Smoke Alarm 80.0% 70.0% Working Smoke Alarm which Activated 60.0% 50.0% Working Smoke Alarm was Correctly Fitted but did not Activate 40.0% 30.0% 20.0% 10.0% 0.0% 2008/ / / / / / / / /17 29

21 Description Number of calls to malicious false alarms (per 1000 population) attended Performance To Date Performance Same Period Performance Compared to Last Year False alarms caused by automatic fire detection equipment (per 1000 non-domestic properties) False alarms caused by automatic fire detection equipment (per 1000 domestic properties)

22 Description Fires in non-domestic premises (per 1000 non-domestic premises) Performance To Date Performance Same Period Performance Compared to Last Year Number of Primary Fires (per 100,000 population) Number of Fire Casualties excluding Precautionary Checks (per 100,000 population)

23 Description Arson Incidents All Deliberate Fires (per 10,000 population) Performance To Date Performance Same Period Performance Compared to Last Year Arson Incidents Deliberate Primary Fires (per 10,000 population) Arson Incidents Deliberate Secondary Fires (per 10,000 population)

24 4. Service Delivery Indicators WYFRS not achieving target Description To 30 Apr To 31 May To 30 Jun Cumulative Year to Date Performance To 31 Jul To 31 Aug To 30 Sep To 31 Oct To 30 Nov To 31 Dec To 31 Jan To 28 Feb To 31 Mar Performance in Fires in Non-Domestic Premises (per 1,000 premises) 0.52 (41) 1.14 (90) 1.58 (125) 2.17 (171) 2.75 (217) 3.25 (256) 3.78 (298) 4.41 (348) 5.01 (395) 5.48 (432) 5.90 (465) 6.40 (505) 5.64 (445) to 31 March 2016 Comments: The increase in non-domestic building fires is of concern with 60 more fires in non-domestic buildings compared to the previous year. There has been significant concern around the number of prison fires with 118 fires in secure accommodation over the reporting period. This equates to 23% of total nondomestic fires. Prisons are regulated in terms of fire by the Crown Premises Fire Inspection Group, which is part of the Home Office rather than by WYFRS. The most significant concern is Wetherby YOI and we have now seconded a Watch Manager to work with Wetherby YOI for 2 days per week and initial findings appear positive in terms of the joint learning around how fires are being started and how the sources of ignition can be removed. Description To 30 Apr To 31 May To 30 Jun Cumulative Year to Date Performance To 31 Jul To 31 Aug To 30 Sep To 31 Oct To 30 Nov To 31 Dec To 31 Jan To 28 Feb To 31 Mar Performance in Arson Incidents Deliberate Primary Fires (per 10,000 population) 0.54 (122) 1.18 (268) 1.76 (399) 2.45 (554) 3.22 (730) 3.88 (878) 4.72 (1069) 5.43 (1230) 6.02 (1362) 6.58 (1489) 7.13 (1614) 7.64 (1731) 6.19 (1402) to 31 March 2017 Comments: Arson continues to be a specific problem, relating largely to vehicle fires, which account for 1020 (59%) of the total figure with a notable number within non domestic, specifically in prison buildings. We continue to work with the Police in all districts to better understand the issues around an increase in vehicle fires, many of which appear to be gang-related. There is also some additional work to be promoted in the new Safer Communities Strategy around arson prevention working with schools to develop longer term relationships in areas of high arson rates to generate better relations with children and young people living in areas where we experience a high rate of deliberate primary fires. 33 Page 9 of 12 Performance Management Report

25 Description To 30 Apr To 31 May To 30 Jun Cumulative Year to Date Performance To 31 Jul To 31 Aug To 30 Sep To 31 Oct To 30 Nov To 31 Dec To 31 Jan To 28 Feb To 31 Mar Performance in Number of Primary Fires (per 100,000 population) (301) (603) (887) (1214) (1578) (1875) (2220) (2549) (2843) (3099) (3351) (3632) (3228) to 31 March 2017 Comments: 40% of the primary fires attended in the reporting period were vehicle fires, 32% were dwelling fires and 21% were non-domestic building fires. Clearly, the significant increase in vehicle fires over recent years needs to be addressed through partnership working with the Police and other relevant agencies. A detailed analysis of arson incidents across the districts has been sent to the District Command teams for them to better understand where they are experiencing issues to allow them to engage with partners in the development of prevention plans to address these issues. The information provided to districts contains details of where vehicle fires are occurring to allow them to better understand trends and work in partnership to address high risk areas. 34 Page 10 of 12 Performance Management Report

26 5. Regulation of Investigatory Powers Act (RIPA) 2000 The Regulation of Investigatory Powers Act (RIPA) 2000 regulates the use of the powers to conduct covert surveillance by public bodies including West Yorkshire Fire and Rescue Authority. The Authority adheres to procedures based on the Codes of Practice produced by the Home Office. Annual returns are submitted to the Office of Surveillance Commissioners and the Interception of Communications Commissioners Office. The annual number of applications, authorisations and rejections are stated in the Annual Corporate Health Report which is submitted to the Full Authority Annual General meeting. A breakdown for this period is stated below. Period: 1 April 2016 to 31 March 2017 Applications Authorisations Rejections Directed Surveillance Covert Human Intelligence Sources Disclosure of Communications Data Page 11 of Performance Management Report

27 West Yorkshire Fire and Rescue Service Oakroyd Hall Birkenshaw Bradford BD11 2DY Page 12 of Performance Management Report

28 OFFICIAL 07 - Internal Audit Annual Report Audit Committee Date: 28 July 2017 Submitted By: Chief Finance and Procurement Officer Agenda Item: 7 Purpose To seek Members endorsement of the Chief Finance & Procurement Officer s conclusion as to the effectiveness of the system of internal audit. To note the audit opinion on risk management and the internal control environment during Local Government (Access to information) Act 1972 Exemption Category: Contact Officer: Nil Alison Wood - Chief Finance & Procurement Officer T: E: alison.wood@westyorksfire.gov.uk Simon Straker Internal Audit Manager T: E: simon.straker@kirklees.gov.uk Background papers open to inspection: Annual Report of Internal Audit 2016/17 Annual Governance Statement 2016/17 Internal Audit Plan 2016/17 Quarterly Reports of Internal Audit 2016/17 Audit Strategy & Charter Annexes: 1 Summary of Audit Coverage 2016/17 2. Internal Audit PSIAS Compliance Action Plan 4 Internal Audit Plan 2017/18 37

29 Recommendations Members endorse the Chief Finance & Procurement Officer s conclusion as to the effectiveness of the system of internal audit. Members note the audit opinion on governance, risk management arrangements and the internal control environment in 2016/17, thereby providing assurance to the compilation process for the Annual Governance Statement 2016/17. Summary The Chief Finance & Procurement Officer concludes the Authority s systems of internal audit are effective. This report concludes that the Authority's governance, risk management arrangements and internal control environment were effective and robust during the financial year to 31 March Page 1 of 10 38

30 ANNUAL REPORT OF INTERNAL AUDIT 2016/17 1. Introduction 1.1 This report provides an assessment of the adequacy and effectiveness of the Authority's governance, risk management system and internal control environment during the year, particularly in support of the Annual Governance Statement. 1.2 The assessment is drawn from the matters included in the Quarterly Reports to the Committee during the year on the audit opinions reached on the level of assurance concerning each of the risks, systems or process controls examined. 1.3 Each planned audit performed during the year concluded with at least an Adequate Assurance opinion, with exception to the audit of payroll processing which produced a Limited Assurance one. Over half of the audits concluded with a Substantial Assurance opinion, which is the highest available. An unplanned review of a procurement exercise also produced a Limited Assurance opinion. 1.4 The report also reviews compliance with the Public Sector Internal Audit Standards (PSIAS), the performance of the internal audit function against its performance indicators and quality assurance process and delivery of the 2016/17 Audit Plan. The Chief Finance & Procurement Officer has used this data in formulating her assessment of the Authority s system of internal audit to conclude the degree of reliance that can be placed on its work and opinion on the internal control environment. 2. Operational Information 2.1 The scope of activity is established by the Financial Procedure Rules, the Audit Strategy & Charter (as updated following Committee approval recently) and statements of operating practice. 2.2 Subject to matters raised in this report (see 4.4), the internal audit activity during 2016/17 was performed in conformance with the requirements of the PSIAS. 2.3 In line with the Audit Strategy, assurance about the control environment is obtained by the maintenance and delivery of a risk based audit plan. Planned work during 2016/17 targeted areas of significant risk and where most value could be added, particularly on wider business and governance controls. This is necessary to support the requirements of the Accounts & Audit Regulations 2015 to "conduct a review of the effectiveness of the system of internal control" annually and to formulate an Annual Governance Statement that accompanies the Statement of Accounts. 2.4 Areas of significant risk are determined by the Authority through its risk management process and in particular the Corporate Risk Matrix. Review of this area accounted for approximately 50% of available audit resources, the remaining 50% continued to relate to the review of key financial systems and processes. 2.5 Each audit concludes with an opinion about the level of assurance derived on the adequacy and effectiveness of the system, process or location concerned at the time of the audit, based upon the management of risk and the adequacy and operation of financial 07 - Internal Audit Annual Report Page 2 of 10 39

31 and other controls. The approach involves the follow up of any activities about which less than "Adequate Assurance" is given, as a means of seeking to ensure that the work carried out by Internal Audit maximises the chances of improving the Authority's control environment. 2.6 The Audit Committee has previously agreed definitions of the different levels of assurance given and how these are derived from audit recommendations. Implementation of the agreed recommendations by management should provide for a satisfactory degree of control in all cases. 2.7 The outcome of individual audits is summarised quarterly and reported to the Audit Committee for consideration. These reports also include action taken by management regarding the implementation of any agreed key recommendations. 3. Summary of Audit Outcomes in 2016/ The agreed Audit Plan for 2016/17 included 160 days of planned work in the following main areas: financial system and process audits, main business and governance risks and controls, follow up audits, and ongoing project assurance to the Joint Command & Control and the Emergency Services Mobile Communication Project Boards Liaison with the Chief Finance & Procurement Officer throughout the year ensures that internal audit work undertaken continues to focus on the high risk areas and is reflective of any new developments or particular areas of concern so as to ensure the most appropriate use of internal audit resources. Appendix 1 provides a summary of the audits undertaken. At this point it is only appropriate to record the positive working relationship with the recently retired Chief Finance & Procurement Officer, Mr Maren, which has existed for many years and to look forward to this continuing with his successor. 3.2 Key financial systems, creditor payments and bank reconciliation produced positive assurance opinions, whereas payroll processing produced a limited assurance one due to reductions in input checking undertaken. Management have since confirmed the previous level of checking has been re-instated. 3.3 The Authority s risk management arrangements have been considered in individual pieces of audit work, whereby management activity to address particular business risks, as recorded on the Corporate Risk Matrix, has been assessed. These audits all concluded with positive assurance opinions and conclusions that management controls to address the key risks to the Authority were robust and operating effectively. Where appropriate, management has agreed recommendations to further enhance the control environment. 3.4 The outcomes of the National Fraud Initiative 2016/17 demonstrated the effectiveness of system controls in preventing fraud and corruption in the Authority s business and governance. 40 Page 3 of 10

32 3.5 Follow-up audits were carried out to assess the degree of implementation of recommendations agreed by management after the original audits had produced Limited Assurance opinions of Building Repairs & Maintenance (two audits) Charging for Unwanted Fire Signals This work provided assurance that management are effective in implementing agreed actions as each produced a positive opinion. 3.6 As part of the continuing support to the Joint Command and Control Project with South Yorkshire FRA, Internal Audit has undertaken a number of pieces of assurance work linked mainly to the payment milestones in the contract. Processes to test and evidence satisfactory completion of tasks and delivery of functionality have been found to be robust. A similar approach has been agreed as regards the Mobile Services Communication Project. 3.7 Towards the end of the year an unplanned review was undertaken of the circumstances of an abortive procurement of Microsoft Licences which produced a Limited Assurance opinion. In any event, the exercise was cancelled as it had not followed EU Procurement Rules but it also demonstrated configuration weakness in the Delta e-procurement system which enabled one individual to undertake all aspects of the process, contrary to Contract Standing Orders. This shortcoming was rectified shortly afterwards. 3.8 In accordance with our commitment to provide help, assistance and add value, questions and issues raised by managers have been resolved, particularly in relation to advice/approval for authorisation of contracting matters, and to evaluation of potential suppliers. In addition, the Audit Plan is designed to be sufficiently flexible to accommodate any ad hoc requests for audit reviews. 4. Effectiveness of the System of Internal Audit 4.1 The Internal Audit function is included in the Financial Services Service Level Agreement with Kirklees Council. The latest available benchmarking information from CIPFA showed internal audit operations have been at approximately the lower quartile of costs (based on m gross expenditure) compared with Metropolitan and Unitary authorities, a position supported by data gathered by the previous Chief Finance & Procurement Officer from the other metropolitan fire authorities. 4.2 The Accounts & Audit Regulations 2015 also require authorities to conduct an annual review of the effectiveness of their system of internal audit, so as to ensure the opinion of the Head of Internal Audit on the internal control environment can be relied upon as a key source of evidence in compiling the Annual Governance Statement. 4.3 PSIAS include a requirement for annual self-assessment reviews and an external assessment of compliance every 5 years. At the last meeting of the Committee, Members agreed to fulfil this requirement as part of a regional mutual peer review approach, whereby Wakefield MDC will be asked to undertake the assessment of Kirklees Council 41 Page 4 of 10

33 later in A report detailing the approach and terms of reference will be tabled at a future meeting. 4.4 A self-assessment against the PSIAS requirements was carried out in March 2017 which concluded that overall the Authority s audit arrangements are compliant. The recommendations and intended actions resulting from the review are shown in Appendix 2 of this report. Subject to these matters, there are no non-conformances that need to be reported. 4.5 A summary of the performance in delivering the 2016/17 Plan as reported to the Audit Committee during the year is shown overleaf: Performance Indicators 16/17 Target 16/17 Actual Audits completed within the planned time allowance Draft reports issued within 10 days of fieldwork completion Client satisfaction in returned post audit questionnaires 80% 88% 90% 100% 90% 100% Chargeable audit days (cumulative) QA compliance sample checks pass rate 90% 100% Planned Audits Completed Unplanned Audits Completed A positive working relationship has continued with KPMG colleagues (the Authority s external auditor), to maximise the use of audit resources and ensure our mutual roles are fulfilled, albeit that the nature of the relationship has changed now. KPMG does not routinely place reliance on internal audit financial systems work due to a different approach to risk and materiality than their predecessor. This may impact upon the future internal audit approach to systems with a high impact but low likelihood of error. 4.7 Members may wish to endorse the positive opinion of the system of internal audit reached by the Chief Finance & Procurement Officer. 42 Page 5 of 10

34 5. Internal Audit in 2017/ In 2017/18 Internal Audit will continue to strive to reliably achieve planned audit work and to address Authority priorities and activities that will add value for the organisation. Audit work in the coming year will continue to be mindful of the ongoing period of austerity across the public sector and the consequent increased risks, including fraud and corruption. 5.2 In addition, we will continue to develop the approach to organisational and business controls encompassed in the revised Audit Strategy to focus on areas of highest risk and thus to contribute to the level of assurance required by the Chief Fire Officer / Chief Executive, Chair of the Authority and Chief Finance & Procurement Officer in order to sign off the Annual Governance Statement. 5.3 Planned audit work built into the agreed 2017/18 Internal Audit Plan includes key financial control audits in relation to income, procurement and capital expenditure plan, review of controls to manage key business risks and follow up audits. 5.4 The summary Audit Plan for 2017/18 as approved at the last meeting of the Committee is attached for information at Appendix Conclusion and Governance, Risk Management & Internal Control Opinion 6.1 This report has summarised the main activities of Internal Audit during 2016/17, detailed information on which has been provided to this Committee during the year. 6.2 Audit work during 2016/17 provided sufficient evidence to demonstrate that overall the system of internal audit is effective and has been undertaken in compliance with the PSIAS. 6.3 A review of the Authority s framework of governance, risk management and internal control has provided sufficient evidence and assurance that each is robust and effective and that in the small number of occasions where it has been necessary, management have taken/agreed appropriate action to address weaknesses. 6.4 Overall, the Authority has a sound control environment and no items of significance have been identified that merit consideration for inclusion in the Annual Governance Statement for 2016/ Recommendations 7.1 Members endorse the Chief Finance & Procurement Officer s conclusion as to the effectiveness of the system of internal audit. 7.2 Members note the positive audit opinion on governance and risk management arrangements and the internal control environment, thereby providing assurance to the compilation process for the 2016/17 Annual Governance Statement. 43 Page 6 of 10

35 Appendix 1 Summary of Audit Coverage 2016/17 Audit Report Status Assurance Opinion Financial Systems & Risks SAP Payroll SAP Creditor Payments Bank Reconciliation Finalised Finalised Finalised Limited Adequate Substantial Other Financial Systems & Risks Mobile Devices Contract Delta e-procurement System Lease Car Scheme Absence Management Corporate Governance Finalised Finalised Finalised Finalised Adequate Adequate Substantial Adequate National Fraud Initiative 2016/17 Finalised Substantial Business Risk Management Misuse of Information Assets Vehicle Accident Negligent Fire Safety Work Stress Supply Chain Failure Follow up Audits Responsive Repairs Management (follow up & second follow up) Unwanted Fire Signal Charging Unplanned Audits Finalised Finalised Finalised Finalised Finalised Finalised Finalised Finalised Adequate Substantial Substantial Substantial Substantial Adequate Substantial Substantial Procurement of Microsoft Licences Finalised Limited Project Risk Assurance Joint Command & Control Contract Emergency Services Mobile Communication Ongoing Ongoing 44 Page 7 of 10

36 Appendix 2 PSIAS Compliance Self-Assessment - Action Plan 2017/18 Issue (PSIAStandard) Action Timescale Current arrangements do not routinely evidence a full range of stakeholder feedback on a structured basis (3.4) Explore options to collect feedback information in a structured way with the CFPO September 2017 The audit planning process should be more closely linked to the overall organisational assurance framework (4.1) Discuss compilation of a strategic assurance map with Management Board reflecting the key business risks and incorporate fully into compilation of the 2018/19 audit plan March 2018 Compliance with the document retentions policy should be verified (4.4) Partial checks of audit files have been undertaken during the year but more work is needed in 2017/18 to verify full compliance September Page 8 of 10

37 Appendix 3 - INTERNAL AUDIT PLAN 2017/18 Key Financial Systems Income Collection Procurement Capital Plan Delivery Other Systems Recruitment & Selection Cyber Security Threat Partnership Governance Data Protection Compliance Business Risks & Controls Risk 1 IRMP Implementation to manage reduced government grant Risk 10 Major CBRNE attack within West Yorkshire Risk 18 Asbestos & Other Uninsured Claims (Operational) Risk 23 Loss of Critical ICT systems, software or infrastructure Risk 25 Future Authority Governance Arrangements Risk 32 Failure to meet Service Delivery Standards Follow Up Audits Payroll processing Delta e-procurement system Contingency Joint Command & Control Project - Assurance to Board Emergency Services Mobile Communications Project Assurance to Board Total Days per SLA Page 9 of 10

38 OFFICIAL Annual Governance Statement Audit Committee Date: 28 July 2017 Submitted By: Chief Finance and Procurement Officer Agenda Item: 8 Purpose To present the Annual Governance Statement of the Authority for approval. Recommendations That the Annual Governance Statement be approved. Summary This report presents the Annual Governance Statement of the Authority for approval and inclusion in the Statement of Accounts. Local Government (Access to information) Act 1972 Exemption Category: Contact Officer: Nil 35T Background papers open to inspection: 35T Annexes: 35T 47

39 1 Introduction 1.1 The Authority is required to include its Annual Governance Statement within its statement of accounts. 1.2 The purpose of the Annual Governance Statement is to set out the formal procedures for governance within the Authority, and to report upon their effectiveness and to identify any significant issues. Although it forms part of the statement of accounts document it relates to the overall governance of the Authority rather than just the financial systems. The statement is prepared by the Chief Executive and his Management Board and is signed by the Chief Executive, the Chair of the Authority and the Chief Finance & Procurement Officer. 1.3 Although the original statement is signed in June it remains a live document which can changed prior to final approval as part of the statement of accounts. In the current year there has been one small change relating to the update on the function of the Human Resources directorate. 2 The Form of the Statement 2.1 The statement is split into five sections which explain how the system of governance work and what procedures and policies are in place to ensure that the systems remain effective. Detailed below is a brief explanation of each of the sections. i) Scope of responsibility and Code of Corporate Governance Provides a definition of corporate governance which is the requirement the Authority has to conduct its business lawfully and in accordance with proper standards linked to the Nolan principles of Standards in Public Life. ii) iii) iv) The Purpose of the Governance Framework provides a brief explanation of the purpose of the Governance Framework along with an assurance that the framework has been in place for the whole of the financial year The Governance Framework provides a detailed explanation of the core elements that make up the governance framework within West Yorkshire Fire & Rescue Authority and how they contribute to it achieving its ambition of Making West Yorkshire Safer. Review of Effectiveness - The Authority has a responsibility to review the effectiveness of the systems of governance annually. Included within this section is a self-assessment of the effectiveness of the governance structure and the means by which it is measured. It concludes with an assurance from the Management Board that it considers the current systems to be effective. v) Significant Governance Issues The final section identifies the key areas of challenge to the systems of governance that the review of the governance has identified. Not surprisingly these issues are related to the uncertainty over the future funding of the Authority the specific issues included are:- 1. Grant loss 2. Police and Crime Act Pay increases Annual Governance Statement Page 2 of 3 48

40 This process of self-assessment provides the Authority with the evidence to support Managements conclusion that it is continuing to provide a high quality service with the resources available. Statement of Assurance The Authority is required to produce an annual Statement of Assurance as part of the Fire and Rescue National Framework for England. The purpose of the statement is to provide independent assurance to communities and the Government that the service is being delivered efficiently and effectively. Whilst the Fire and Rescue National Framework sets out the Government s priorities and objectives for fire and rescue authorities in England, it does not prescribe operational matters as these are determined locally by fire and rescue authorities. This Statement of Assurance provides assurance that WYFRA is providing an efficient, effective and value for money service to the community of West Yorkshire in its financial, governance and operational matters. Conclusion Overall, the Authority and its Management Board conclude that the systems and procedures provide effective systems of management control enabling the Authority to provide and efficient, effective and economic service to the public of West Yorkshire. 3 Recommendation 3.1 Members are asked to approve the Annual Governance statement for inclusion within the 2016/17 Annual Statement of Accounts. 49 Page 3 of 3