
Page 1: 15th September 2016 Report of: Head of Internal Audit Shared Service

Report to: Audit Committee, 15th September 2016

Report of: Head of Internal Audit Shared Service

Subject: INTERNAL AUDIT PROGRESS REPORT TO 31ST JULY 2016

1. Recommendation

1.1 That the Committee note the report.

2. Background

2.1 To provide an update on Internal Audit’s progress towards meeting its objectives as set out in the audit plan for 2016/2017 as approved by the Audit Committee on 17th March 2016 and for the Committee to note the summary results of residual audits from 2015/16.

2.2 The Council is required under Regulation 5 of the Accounts and Audit Regulations 2015 to “undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance”.

3. Summary of Activity:

3.1 Progress in regard to the 2016-17 Internal Audit Plan

3.2 Steady progress has been made in regard to the 2016/17 plan with the following audit being finalised:

• Safeguarding

and the following progressing to draft report stage:

• Home Improvement Agency

• Guildhall Management

• Houses in Multi Occupation

Confirmation of their assurance and summary detail of the outturns will be provided for committee perusal when they have been finalised.

3.3 2016/17 summary details

3.4 Safeguarding

3.5 The review was a ‘critical friend’ and found the following areas where the system was working well:

• The Council has formally documented its Safeguarding Policy and procedures and these are made accessible to office based staff and Members via the intranet and Shareportal.

• The Safeguarding Policy includes named designated Safeguarding Advisers to act as safeguarding leads.

• The Council provides a number of e-learning courses on Safeguarding to employees and members through the Learning Lounge.

• The Council’s website contains a page on safeguarding which covers how to report incidents and has links to the Worcestershire Safeguarding Children Board and to Children’s Social Care.

• The Council has formally documented its Recruitment Policy and Procedures including those that relate to safeguarding.

• The Council has completed and submitted a ‘Section 11 Audit’ covering 2015-16 as required by the Worcestershire Safeguarding Children Board. There is no structured or complete record of the evidence used for the completion of the Council’s self assessment of its arrangements under section 11 of the Children’s Act 2004.

The review found the following areas of the system where controls could be strengthened:

• Policy and training accessibility

• Safeguarding Training

• Relevance of Safeguarding Training

• Monitoring of compliance by Third Parties

• Resources

The audit also included a review of the 2015-16 section 11 self assessment submitted by the Council to the Worcestershire Safeguarding Children Board on 1st March 2016. The review took the form of discussions with management concerning the responses included in the self assessment and the supporting evidence available to support these responses.

An action plan has been developed to address the challenges identified in the review and has been presented to the Worcestershire Safeguarding Children’s Board.

Type of audit: Critical Friend; Assurance: N/a; Report issued: 5th August 2016.

3.6 Residual 2015/16 Audits summary details

3.7 Work on the following audits has been finalised and the outturn reported in summary form for information.

3.8 Community Safety (CCTV Contract)

3.9 The review found there were clearly identified weaknesses in the design and inconsistent application of controls in many of the areas reviewed.

3.10 The review found the following area of the system was working well:

• CCTV Cameras are being maintained to a satisfactory standard at a low cost to the Council.

3.11 The review found the following areas of the system where controls could be strengthened:

• Invoicing of CCTV Maintenance work outside the core contract by the contractor.

• Provision of Weekly Performance Monitoring reports by the contractor.

• Internal Monitoring of the Contract including the delegated responsibilities for council staff.

Type of audit: Full system audit; Assurance: Limited; Report issued: 17th March 2016.

3.12 Treasury Management

3.13 The review found there was a generally sound system of internal control in place.

3.14 The review found the following areas of the system were working well:

• Monthly reconciliations are being appropriately performed and authorised by a senior officer.

• Interest is being paid and received on a timely basis.

• Investments made are being appropriately authorised and in accordance with the approved Counterparty list.

• All Borrowings and investments have been made with financial institutions in line with the council's current Treasury Management Strategy and procedures.

3.15 The review found the following areas of the system where controls could be strengthened:

• Investments of all available funds to enable the most interest to be received for the Council.

• The ‘Logotech’ system does not require forced password changes on a regular basis.

Type of audit: Full system audit; Assurance: Significant; Report issued: 17th March 2016.

3.16 Cemetery and Crematorium

3.17 The review found weaknesses in the design of controls in the area reviewed.

3.18 The review found the following areas of the system were working well:

• There is hard copy documentation that can be viewed if errors/variances are identified.

• As far as possible the Officers do ensure separation of duties and carry out their own reconciliations between income expected and income received.

• No cash is accepted as payment at the crematorium office.

3.19 The review found the following areas of the system where controls required strengthening:

• All Officers have the same access rights to the system.

• There is no link between the finance system of the Council and the cemeteries and crematorium administration system.

• Controls around the financial aspect of the system have been developed over time and are based on manual controls rather than controls within the BACAS system (cemeteries and crematorium administration system) itself.

Type of audit: Limited scope audit; Assurance: Limited; Report issued: 8th April 2016.

3.20 Website Security

3.21 The review identified weaknesses in the design and inconsistent application of controls in many of the areas reviewed.

3.22 The review found the following areas of the system were working well:

• All users are provided with training before they are given access to the system.

• A robust audit trail exists that logs all changes within the system.

• Website content is secure and users are unable to amend documents and repost them onto the Council’s Website.

3.23 The review found the following areas of the system where controls could be strengthened:

• Information published on the website of a sensitive nature and content should have been redacted prior to upload.

• Password modification on a periodic basis is currently not required in order to access and update the website.

• Issues identified within the ‘Siteimprove’ reports are not being reviewed on a timely basis thus the website may contain inappropriate material.

• A system is not in place to monitor and track the actions taken to address issues.

• Periodic checks are not undertaken to ensure access to the website is only applicable to current staff.

• A manual / user guidance document for website use has not been produced.

Type of audit: Limited scope audit; Assurance: Limited; Report issued: 2nd March 2016.

3.24 Council Tax

3.25 The review found there was generally a sound system of internal control in place for the:

• property database which is accurate and consistent with the Valuation Office records ensuring accurate billing in the year.

• appropriate controls in regard to refunds issued.

• monthly reported performance figures being provided by Civica are accurate.

• regular reconciliations from the Council Tax system to feeder systems (e.g. Daily Cash Balancing reconciliations from Academy to individual council cash receipting systems).

3.26 The review found the following areas of the system where controls could be strengthened:

• Unallocated payments remain in the suspense account which date back many years.

• The current filing system for the inspection of properties is unstructured.

Type of audit: Full system audit; Assurance: Significant; Report issued: 27th April 2016.

3.27 NNDR

3.28 The review found there was generally a sound system of internal control in place for the:

• regular reconciliations from the NNDR system to feeder systems.

• property database which is consistent with the Valuation Office (VO) records ensuring accurate billing in the year.

• appropriate controls in regard to refunds issued.

• write offs which are carried out in accordance with agreed procedures.

3.29 The review found the following areas of the system where controls could be strengthened:

• large amounts are present in suspense accounts.

• there is not an evidenced control in place monitoring the upload to the Valuation Office.

• no form available for review for a number of businesses being awarded discretionary and mandatory reliefs.

Type of audit: Full system audit; Assurance: Significant; Report issued: 27th April 2016.

3.30 Benefits

3.31 The review found there was generally a sound system of control in place for the:

• processing of all new benefit claims and event changes;

• classification and recovery of overpayments;

• processing of discretionary housing payments;

• monitoring of performance;

• maintenance of supporting records.

3.32 The following area was identified as an improvement area:

• Ledger reconciliations had not been carried out for several months and this appeared to coincide with the departure of an experienced member of staff.

3.33 It was noted that some key performance indicator targets were not being met e.g. KPI B02 (percentage of housing benefit overpayments collected) but these are being closely monitored via the South Worcestershire Shared Services Partnership Joint Committee.

Type of audit: Full system audit; Assurance: Significant; Report issued: 25th April 2016.

3.34 Main Ledger

3.35 The review found there was generally a sound system of internal control in place.

3.36 The review found the following areas of the system were working well:

• Reconciliations are being performed on a regular basis and differences are investigated and cleared.

• Suspense accounts are being cleared on a timely basis.

• VAT Returns are completed using a sound methodology.

• Access to the system is restricted.

3.37 The review found the following areas of the system where controls could be strengthened:

• The Purchase Card Users Guide is still in draft.

There were no ‘high’ or ‘medium’ priority recommendations reported.

Type of audit: Full system audit; Assurance: Significant; Report issued: 8th April 2016.

3.38 Debtors

3.39 The review found there was generally a sound system of internal control in place.

3.40 The review found the following areas of the system were working well:

• Invoices are raised in a timely manner and in line with approved fees and charges.

• Debts are proactively chased.

• Access to the system is appropriate to an officer’s role.

• Write offs are undertaken in line with the current debt write off policy.

3.41 The review found the following areas of the system where controls could be strengthened:

• Full audit trail of suppressed invoices on the system.

• Controls around refunds.

Type of audit: Full system audit; Assurance: Significant; Report issued: 15th April 2016.

3.42 Creditors

3.43 The review found a generally sound system of internal control in place. Although there are still instances of purchase orders being raised after the date of the invoice, this is being monitored and, where necessary, the Debtors/Creditors Supervisor is working on a one to one basis with the service to try and reduce this.

3.44 The review found the following areas of the system were working well:

• Expenditure is accurately recorded in the main ledger including the VAT element.

• The raising and amending of new/existing creditors records.

• Access to the system is appropriate to an officer’s roles and responsibilities.

• Payments are in accordance with internal and external regulations.

3.45 The review found the following areas of the system where controls could be strengthened:

• Notation on the system.

Type of audit: Full system audit; Assurance: Significant; Report issued: 31st March 2016.

3.46 Worcester Regulatory Services

3.47 The audit was a “Critical Friend” review of the implementation of a time recording system within Worcestershire Regulatory Services as a basis for the charging of fees for its Services. The review appraised, gathered evidence, and analysed data to support and challenge the Time Recording system. This included the review of the existing arrangements and proposed enhancements in areas including system specification, policies, coding structures, fee earnings, performance measurement, database accuracy and dog patrol.

Type of audit: Critical Friend; Assurance: N/a; Report issued: 6th June 2016.

3.48 ICT

3.49 The review found there was generally a sound system of internal control in place for:

• suitable security systems which are in place to minimise the risk of unauthorised access to the network.

• regular monitoring of potential security risks from network vulnerabilities, and timely actions taken to address the highest priority issues.

• ensuring suitable network controls are in place for user access, council owned devices, and for third-party devices accessing the network.

• suitable change management procedures in place, with an action plan for improving the process to ensure compliance with these defined procedures.

3.50 The ICT service generally has good processes in place for monitoring and managing network access issues and cyber-security concerns on an on-going basis. At the time of the audit the service was going through a restructuring process. One element of this was to create a role responsible for monitoring change management actions, to ensure compliance with defined procedures.

3.51 The review found the following areas of the system where controls could be strengthened:

Page 8: th September 2016 Report of: Head of Internal Audit Shared

• The lack of regular testing undertaken on ICT Business Continuity plans, including robust testing of back-up files to ensure continued reliability and integrity of the data.

• The need for a programme of continuous awareness training for all staff members on IT related security risks.

3.52 One cyber-security incident that affected systems was noted during the year, involving a Council staff member downloading a virus from a malicious spam email link. This was addressed in a reasonable timeframe by ICT staff, but identified a need for enhancing staff awareness of potential IT risks and challenges in the current working environment.

Type of audit: Full system audit; Assurance: Significant; Report issued: 5th May 2016.

Two further audits to be finalised include Mind the Gap and Community Activity. The outturn from these will be reported as soon as the management response has been agreed.

4. National Fraud Initiative (NFI)

4.1 The NFI exercise continues with the matched data file entries being investigated. Internal audit oversees the process with the actual record checking taking place in the service areas. This year will see a substantial upload of data between October and December in regard to the NFI. Preparations for this have already commenced to ensure a smooth delivery of the required data sets.

5. Accounts Panel 2016/17

5.1 The Internal Audit Service facilitated the Accounts Panel meeting which took place on the 5th August 2016. A number of responses to queries on invoices raised at the 12th February 2016 were fed back. The Panel did not identify any further queries to investigate.

6. Follow Up Audits

6.1 Follow up audit work has been undertaken on areas including Planning Enforcement, Performance Reporting Revenues and Benefits, Depot, and Economic Development, the results of which are compiled on an on-going basis and provided in summary form for information at Appendix 4. Any material exceptions arising from audit ‘follow up’ are reported to Audit Committee. There are currently no exceptions to report and review of implementation is continuing.

7. Audit Days

7.1 Appendix 1 shows the progress that has been made since 1st April 2016 towards delivering the Internal Audit Plan set for the year. As at 31st July 2016 a total of 151 days had been delivered against a target of 340 days for 2016/17.

7.2 Appendix 2 shows the performance indicators for the service. These indicators were agreed by Audit Committee on the 17th March 2016.


7.3 Appendix 3 shows the ‘high’ and ‘medium’ priority recommendations which have been reported.

7.4 Appendix 4 provides the Committee with audit report ‘Follow Up’ actions that have been undertaken to monitor audit recommendation implementation progress by management.

Ward(s): N/A

Contact Officer: Andy Bromage. Telephone: 01905 722051 Email: [email protected]

Papers: None

APPENDIX 1

Delivery against Internal Audit Plan for 2016/17 as at 31st July 2016

Audit Area                          | Audit days used to 31/07/16 | Original 2016/17 planned days | Forecasted days to 30th September 2016
------------------------------------|-----------------------------|-------------------------------|---------------------------------------
Core Financial Systems (See note 1) | 23                          | 120                           | 49
Corporate Audits                    | 18                          | 27                            | 21
Other Systems Audits (See note 2)   | 78                          | 121                           | 90
Sub Total                           | 119                         | 268                           | 160
Audit Management Meetings           | 15                          | 30                            | 15
Corporate Meetings / Reading        | 13                          | 20                            | 10
Annual Plans and Reports            | 3                           | 12                            | 6
Audit Committee support             | 1                           | 10                            | 5
Other chargeable                    | 0                           | 0                             | 0
Sub Total (chargeable)              | 32                          | 72                            | 36
Total                               | 151                         | 340                           | 196

Audit days used are rounded to the nearest whole.

Note 1: Core Financial Systems are audited predominantly in quarters 3 and 4 in order to maximise the assurance provided for Annual Governance Statement and Statement of Accounts but not interfere with year end.

Note 2: A number of the budgets in this section are ‘on demand’ (e.g. consultancy, investigations) so the requirements can fluctuate throughout the quarters.

[Chart: Comparison of Audit Days by Category (series: Audit Plan Days 16/17, Forecasted Days to 30/09/16, Audit Days Used to 31/07/16; axis: Audit Day Count). Values are those shown for the three audit categories in the table above.]

[Chart: Comparison of Audit Day Delivery (Comparison of Days Total Budget-v-Forecasted-v-Actual): Audit Plan Days 16/17 = 340; Forecasted Delivery to 30/09/16 = 196; Actual Days Delivered to 31/07/16 = 151.]

[Chart: Comparison of Non Audit Days by Category (series: Audit Plan Days 16/17, Forecasted Days to 30/09/16, Audit Days Used to 31/07/16; axes: Category / Number of Days). Values are those shown for the five non-audit categories in the table above.]

Appendix 2

Performance against Key Performance Indicators 2016-2017

The success or otherwise of the Internal Audit Shared Service will be measured against some of the following key performance indicators for 2016/17 i.e. KPI 3 to 6 inclusive. Other key performance indicators link to overall governance requirements of Worcester City Council.

KPI | Trend requirement | 2013/14 Year End Position | 2014/15 Year End Position | 2015/16 Year End Position | 2016/17 Position as at 31st July 2016 | Frequency of Reporting
----|-------------------|---------------------------|---------------------------|---------------------------|---------------------------------------|-----------------------
1 No. of ‘high’ priority recommendations | Downward | 14 | 1 | 4 | Nil to report as at 31st July | Quarterly
2 No. of moderate or below assurances | Downward | 10 | 4 | 5 | Nil to report as at 31st July | Quarterly
3 No. of customers who assess the service as ‘excellent’ | Upward | 3 | 3 (11 issued, 9 returned in total: 3 x Excellent, 6 x Good) | 1 (11 issued, 2 returned in total: 1 x Excellent, 1 x Good) | Nil to report as at 31st July | Quarterly
4 No. of audits achieved during the year | Per target | Target = 18 (minimum); Delivered 21 | Target = 17 (minimum); Delivered 21 | Target = 15 (minimum); Delivered 18 | Target = 15 (minimum); Delivered to date 1 final and 3 in draft | Quarterly
5 Percentage of plan delivered | 100% of the agreed annual plan | N/A | N/A | 99% | 44% | Quarterly
6 Service Productivity | Positive direction year on year (Annual target 74%) | N/A | N/A | 81% | *56% | Quarterly

* Service productivity is down due to the arrival of three new auditors in the first quarter. This will increase as the year progresses and they settle in.

WIASS operates within, and conforms to, the Public Sector Internal Audit Standards 2013.

APPENDIX 3

‘HIGH’ AND ‘MEDIUM’ PRIORITY RECOMMENDATIONS

Audit: CCTV

Summary: Full system audit on one of the main safety control measures of the Community Safety system, the CCTV Maintenance Contract, and covered the procedures in place.

Assurance: Limited

Ref. 1 (Priority: High) Contract Monitoring

Finding: The responsibility for managing/monitoring the CCTV Maintenance contract was not clearly delegated to staff with clear instructions.

Risk: Inadequate managing of the contract of the council may lead to reputational damage or financial loss to the council.

Recommendation: The responsibility for managing/monitoring future contract performance should be clearly delegated to appropriate officer(s) with clearly defined responsibilities.

Management Response and Action Plan:

Responsible Manager: Monitoring responsibility allocated to the Community Safety Project Officer and Line managed by the Business Community Services Manager.

Implementation date: Responsibility has been allocated and the monitoring will be on going.

Ref. 2 (Priority: High) Contract Management

Finding: The audit highlighted that the council management and the contractor had a difference of opinion on what extra work could be charged.

Risk: The council may be paying too much, which may lead to reputational damage.

Recommendation: The Council must ensure that all contracts clearly state what the service being provided is but more importantly those services that are out of scope and would incur additional costs. Where additional charges have been incurred the prices charged should be agreed with the charges within the contract.

Management Response and Action Plan:

Responsible Manager: This has now been resolved. Processes have been introduced and this is now running smoothly with invoices matching internally raised orders. All repair works are authorised prior to commencement to avoid any potential for dispute.

Implementation date: Implemented

Audit: Treasury Management

Summary: A full system audit

Assurance: Significant

Ref. 1 (Priority: Medium) Account Management

Finding: The average daily closing balance in the HSBC current account from April 2015 to June 2015 totalled £4.6m. The HSBC current account does not earn any interest.

To address this, from the middle of July 2015 £2m is being transferred daily to a HSBC Deposit Account earning interest of 0.35% (when there are sufficient funds).

However, testing in August 2015 highlighted that £2m was the maximum amount invested even when there were much larger cleared balances available at the end of the day. The remainder of the closing balance was held in the HSBC current account, which does not earn any interest.

Risk: The Council may not be obtaining all interest available to it which may result in reputational damage.

Recommendation: Ensure the Council maximises its investment interest. Consideration to be given to increasing the current £2 million limit being transferred daily to the HSBC Deposit Account. Instead of the standard £2 million, the amount transferred to this deposit account to depend on the overall balance available in the HSBC current account.

Management Response and Action Plan:

Responsible Manager: The council has no overdraft facility in place on its current account, therefore a positive balance needs to remain at the end of each working day otherwise there will be a risk of bank charges. With interest rates having been so low during the past 6 years, higher balances have remained in the current account with little effect on investment returns. It should be noted that the daily interest on each £1m invested at 0.35%, the current rate, is just £9 less bank charges if a transfer between banks is required.

However it is accepted that further can be done to reduce daily cleared balances and ensure that the council is achieving a greater return on its surplus monies. It was approved by Council last year that instant access Money Market Funds with Ignis, Blackrock and Federated could be opened to create more options to place short term monies.

Implementation date: Implement opening of Money Market Funds – by end of January 2016. Continue to place money in the HSBC deposit account up to a limit of £4m based on a weekly review of the major payments and receipts expected in that week – implement immediately.

Audit: Cemetery and Crematorium 2015/16

Summary: Limited Scope Audit concentrated on the financial transactions of the cemeteries and crematorium for the financial year 2014/15

Assurance: Limited

Ref. 1 (Priority: High) System Interfacing

Finding: The Cemeteries and Crematorium administration system (BACAS) and the Finance system of the Council are not interfaced. The two systems are therefore run independently of each other, although it should be noted that burials and cremations fees are raised through the Council’s debtors system.

Risk: Inefficiencies developed over time through additional controls to ensure that the finance system reflects the income recorded within the Cemeteries and Crematorium administration system to prevent possible financial loss and reputation damage.

Recommendation: To review the Cemeteries and Crematorium system to see if there is the possibility of interfacing it with the Financial System of the Council. This will mean that there will be less need to rely on the manual controls outside of the Cemeteries and Crematorium system and ensure accurate recording of all financial transactions within the Council’s financial system.

Management Response and Action Plan:

Responsible Manager: A member of the Finance team will undertake a review of the BACAS system to identify the most effective controls and the possibility of an interface with the finance systems. This will include potential system upgrades and appropriate training of the officers concerned.

Implementation date: October 2016

Ref. 2 (Priority: Medium) System Access

Finding: Full access to the cemeteries and crematorium administration system is provided to those officers that need to use the system in order to carry out their day to day duties.

Risk: Potential for loss of integrity within the system if the data becomes corrupted.

Recommendation: That a review of the cemeteries and crematorium administration system is undertaken to see if it is possible to grant different access rights in line with an officer’s roles and responsibilities.

Management Response and Action Plan:

Responsible Manager: Access rights for the various members of the team will be considered as part of the review of the BACAS system.

Implementation date: October 2016

Audit: Website Data Security 2015/16Summary: Limited Scope Audit concentrating on procedures in placeAssurance: LimitedRef. Priority Finding Risk Recommendation Management Response and Action

Plan1 High Website Content

A review of the Website identified that various personal information had been inadvertently uploaded and published.

Of 232 pages viewed, issues were identified in relation to information being published that should have been blanked out on 13/232 pages i.e. 6%.

Issues identified included: – signatures of members of the public, Council Staff, Premises owners.Emails addresses of Police Officers andPhone numbers for individuals applying for licenses.

Potential for the inappropriate uploaded data to be used in a fraudulent manner leading to counter claims, reputation damage, Data Protection breaches and Information Commissioner investigations.

To remove signatures, phone numbers, email addresses from any documentation that is published onto the Website. Historical content should be reviewed and censored and new content vetted to ensure the information is not included.

Responsible Manager:

Democratic and Electoral Services Manager

Implementation date:1 April 2016

All agendas/reports prior to 2012 will be unpublished. The minutes will remain published. Should an Officer wish to view any documents they will need to contact Committee Administration as the two Democratic Services Administrators action their own Committees.

Planning agendas/reports after 2012: The Democratic Services Administrator is confident that this does not contain personal information, however random checks will be carried out.

Licensing agendas/reports after 2012: The Democratic Service Administrator

Page 17: th September 2016 Report of: Head of Internal Audit Shared

to check and remove any personal data.

Council Summons after 2012: Democratic and Electoral Services Manager to check and remove any personal data.

2 Medium User Profiles

Users with permission to publish data onto the Website are able to access all areas not just the content they would require to update based on their role in the Authority.

Members of Staff are able to access and potentially interfere / edit Website pages that are unrelated to their job profile thus potentially undermining the credibility of the data

To restrict user access to predetermined areas based on job role / requirements.

Responsible Manager:

Communications and PR Team Manager

Implementation date: 1 May 2016

The current upgrade of the content management system, Liferay, to 6.2 will allow this restriction on users to be introduced.

3 Medium User Passwords

The Website Developer issues all users with a user ID logon and password. The password has no predetermined requirements and also the system does not prompt the password to be changed at any point.

Potential for unauthorised access if passwords are compromised thus compromising the website.

All new users should change their password when they first access the system and then at set periodic intervals, and should work to corporate password standards.

Responsible Manager:

Communications and PR Team Manager

Implementation date: 1 May 2016

The Liferay 6.2 upgrade will allow periodic password changes to be rolled out.

4 Medium User Accounts

The IT Service issues permissions to individuals without the knowledge of the communications team who oversee the website.

Unauthorised access to the system could be granted, potentially undermining the integrity of the website and content.

Develop a system to facilitate the disabling of accounts on a timely basis once users are no longer employed by the Authority. Undertake checks on a periodic basis to ensure the profiles (contractor and full time staff) are current and active users, and ensure Communications are made aware of new user requirements.

Responsible Manager:

Communications and PR Team Manager / ICT Manager

Implementation date: 1st April 2016

The responsibility falls on IT to remove this access. The Communications team will be informed of leavers through official channels by the Worcester HR team. Web users however include personnel who are based in other Services such as Worcester Regulatory Services who use a separate HR function.

Two categories of users are being referred to here. ICT may provide access to the websites to third party organisations who are working with ICT on either resolving support issues or providing enhancements to the web sites. Once this work is complete their access will be removed.

The ICT responsibility is already in place and implemented.

The second category of user is contributors from other organisations or shared services. These are authorised by the Communications Team and it is their responsibility to revoke access when staff leave. The Communications and PR Team Manager noted that user accounts would be reviewed every six months to check for dormant accounts.

5 Medium Exception Reporting

The ‘Siteimprove’ report checks for the number of broken links and also spelling mistakes. The report is run automatically every 5 days. A review of three reports dated 21st November, 26 November and the 1st December noted that misspellings in each report totalled 48 so this would indicate they have not been reviewed / investigated.

The Website contains issues that are not resolved, which could potentially prevent accessibility and reduce the experience of the customer, leading to reputation damage and undermining the website's credibility.

To review and remedy the ‘Siteimprove’ reports in a timely manner to ensure the website content is accurate and fit for purpose thus maximising the customer experience and creating a professional impression when they use it.

Responsible Manager:

Communications and PR Team Manager

Implementation date: 1 March 2016

The SiteImprove reports will be acted upon on a weekly basis


6 Medium Content Checking

A report to monitor the use of inappropriate language, including swear words, is not currently in operation.

The Council's reputation would be at risk and resource would potentially be wasted dealing with complainants.

Enhance the ‘Siteimprove’ report to facilitate a further check on inappropriate or unacceptable language so if there was an instance it could be removed immediately.

Responsible Manager:

Communications and PR Team Manager

Implementation date: 1 June 2016

Investigations have shown that neither Liferay nor SiteImprove offer a solution for this issue. Further investigation is to be carried out, including consideration of the cost of commissioning a third party solution.

7 Medium Customer Feedback

A facility currently allows users to provide feedback (negative or positive). The comments are reviewed initially by the Communications Team. If the query is unable to be dealt with then it is forwarded onto the responsible individual. Once the issue has been forwarded to the relevant individual no records are maintained to check if it has been resolved and if it was dealt with in a timely manner.

Website issues are not resolved on a timely basis potentially leading to criticism and complaint in regard to the website.

An action monitoring tool / log to be devised to track each issue through to completion. Target completion dates to be introduced on a priority rating system to monitor the timeliness of completing actions.

Responsible Manager:

Communications and PR Team Manager

Implementation date: 1 April 2016

The Web Developer Officer is developing a system to record and track issues as they are raised.

8 Medium Content Review

There is not a facility that will monitor web pages that have been updated over a long period of time.

Staff are not updating information and therefore website content may not be accurate, thus detracting from the customer experience.

Create and run a report that identifies web pages that have not had their content changed over a specific period. Send a prompt to the user to ensure that the pages they are responsible for remain up-to-date and fit for purpose.

Responsible Manager:

Communications and PR Team Manager

Implementation date: 1 May 2016

Automatic prompts to alert web authors to review their pages will be introduced, with regularity to be agreed between the Communications and PR Team Manager and ICT.

9 Medium Data Breach Guidance

It was noted that, in the event of a data breach, discussions on the facts of the case would take place between the relevant parties (Transformation Manager); however, no procedure existed. Data breach incidents are not recorded or logged.

There is the potential for staff to lack data protection awareness and knowledge, resulting in increased risk for the Council if inappropriate material is displayed on the website.

Introduce guidance for Staff so they are aware of the process to deal with any data breaches. This could include who to contact in the event of a data breach.

Log all incident details and record the action/outcome.

Responsible Manager:

Legal Services Manager and Strategy and Transformation Service Manager

Management Response: Recommendation accepted, and will be implemented in Q1 16/17.

Implementation date: Q1 16/17

Audit: Sundry Debtors
Summary: A full system audit
Assurance: Significant

1 Medium Suppressed Invoices

Testing of suppressed invoices found that 2 out of the 5 items tested did not always have regular communication notes uploaded to the Financial system.

Reputational damage if suppressed debts are not resolved or there is continuous chasing of customers to resolve the issue.

To remind the Debtors team that the comments box should be filled in for suppressed debts.

If communication has occurred this should be uploaded to the Financial system to provide a clear audit trail of the reasoning for the suppression and the last time communication was undertaken to resolve the issue.

Responsible Manager:

Agreed:

Debtors and Creditors Supervisor to discuss with debtors team via the one to ones.

Implementation date:

30th April 2016

2 Medium Debtor account details

A general check of the debtors' accounts found that there are some debtors that have more than one account set up, even though each account has the same post code.

In addition to this there is no separation of duties in regard to debtors’ refunds as the officers responsible for the refunds on the creditors system can also undertake transactions on the debtors system.

Although it should be noted that no instances were identified where refunds were made incorrectly.

Risk of financial loss if refunds are undertaken for debts that are raised on another account.

Resources permitting to undertake a systems housekeeping exercise to block debtors’ accounts where more than one exists for the same customer.

To remind the debtors team the importance of the postcode check when setting up a new debtors account.

To ensure that refunds are authorised/undertaken by the Debtors/Creditors Supervisor.

Responsible Manager:

Creditors and Debtors Supervisor

Implementation date:

Review of duplicate debtors accounts by 30th June 2016. Investigate authorisation of refunds to identify any system changes required and benefits of making changes by 30th June 2016.

Audit: Creditors
Summary: A full system audit
Assurance: Significant

1 Medium Invoice notes

Testing of invoices in dispute found that there is not always sufficient information placed on the system regarding why the invoice is in dispute or what action has been undertaken to resolve the issue.

Invoices could potentially be paid in error leading to financial loss and reputation damage

To remind the creditors team of the importance of placing notes on the system regarding all disputed invoices.

This will not only help with resilience should a member of staff be off long term, it will also provide a more professional outlook when contacted by creditors to discuss the issue, and save time.

Responsible Manager:

Creditors and Debtors Supervisor to discuss via one to ones

Implementation date:

30th April 2016

Audit: Council Tax
Summary: Full system audit in regard to the Council Tax system administered by Civica.
Assurance: Significant

1 Medium Inspections

A review of all exemptions and discounts (apart from those reviewed in the 6 months prior to the review) has been commenced by the Senior Revenues Officer but this is currently on-going and is still to be completed. The review has thus far only identified minimal issues.

Audit testing in 2015-16 further highlighted disability reliefs are not being routinely reviewed.

Inspections used to be carried out based on automated review dates generated by the system, but are now and will continue to be assessed on a risk basis.

Prolonged entitlement to discounts and exemptions potentially resulting in a financial loss to the relevant authority, and reputational damage to the partnership.

Complete the review of all the exemptions and the discounts and continue to formally risk assess them to determine high risk areas and incorporate into future inspections.

Responsible Manager: Service Delivery Manager - Deb Goldfinch

Management Response: 1 - A review of exemptions and discounts is already underway, as we continually review our processes in all areas of the business. Disability reliefs are reviewed on a risk basis and there is no evidence to suggest this is not working and leaving the authority at risk.

2 – Consideration will be given to the best way to undertake a Disability relief review – taking into account system restrictions and previous issues in carrying out this review.

Implementation date: 1 & 2 – May 2016

Audit: NNDR
Summary: Full system audit in regard to the NNDR system administered by Civica.
Assurance: Significant

1 Medium Incorrect Award of Mandatory relief

Testing highlighted there was a school which had been erroneously in receipt of mandatory relief but was owned by Worcestershire County Council.

Incorrect classification of properties resulting in financial loss to the Authority.

Review of all schools in receipt of mandatory reliefs owned by neighbouring councils to ensure the mandatory relief has been given correctly and that this was an isolated case.

Responsible Manager: Service Delivery Manager - Deb Goldfinch

Management Response: All school mandatory reliefs have been reviewed. No further errors were identified.

Implementation date: Completed

Audit: ICT
Summary: A full system audit
Assurance: Significant

1 Medium Awareness Training:

An ICT e-learning course is available for Malvern and Wychavon staff, which identifies the basics of computer and electronic data security. There is no similar training programme for Worcester staff.

At the time of the audit work, testing showed that the majority of Malvern staff have completed this training, whereas very few Wychavon staff have completed the e-learning course, i.e. 110 completed courses for Malvern of approximately 170 staff, and 10 of approximately 235 staff for Wychavon. Differences are due to a recent drive for Malvern staff to complete certain e-learning courses, whilst this same course is not currently mandatory at Wychavon.

In addition, at the time of the audit work there is no similar e-learning course in place for staff at Worcester City Council.

Lack of staff understanding of the risks associated with electronic data security, potentially resulting in breaches of the Data Protection Act, which could lead to fines and reputational damage for the authority.

Increased risk of virus or malware infecting systems, resulting in data loss or corruption.

To consider the requirement of staff to complete the e-learning training course as part of the induction process, and to also consider current staff completing the e-learning programme.

There should be consideration for developing a general e-learning programme to use at all three partner sites.

There should also be consideration for reviewing the ICT Security Policy, including the development of a document which summarises the key points to be aware of regarding ICT security.

Management Response: HR will explore the options to make the ICT e-learning course mandatory for new starters at Wychavon District Council and Malvern Hills District Council, and review requirements for current employees.

Responsible Manager: HR Services Manager – WDC/MHDC

Implementation Date: On-going for new starters; review and action for existing employees by 31/10/16

Management Response: The need to provide online training on IT Security for staff at Worcester City Council will be reviewed, including what content would be of benefit to staff.

There will also be consideration on how completion of this course could be monitored, and the potential of including this as part of the induction process.

Responsible Manager: OD Team Leader – WCC Human Resources

Implementation Date: November 2016

Management Response: ICT will undertake to review the ICT Security Policy and produce a summarised document. This will be reviewed to see whether its contents can be developed as an e-learning course.

Responsible Manager: ICT Service Manager

Implementation Date: 31/10/2016

2 Medium Unauthorised Network Access:

There is no specific protocol in place for ICT staff to follow when addressing particular types of malicious attack on the network, nor specific criteria against which such an issue can be assessed.

The service Business Continuity Plan does not make specific reference to the process of managing issues caused by malicious activity, e.g. Denial of Service attacks or viruses loaded onto the network.

Lack of a defined protocol potentially resulting in an inconsistent approach to responding to critical incidents, resulting in wasted time and resource.

To apply a pragmatic approach to determine a protocol for assessing and addressing issues affecting the security of the network, including processes for managing critical issues that result in the enactment of the Business Continuity Plan for restoring systems and databases.

Management Response: ICT will undertake to develop a protocol for dealing with malicious attacks on the network. A clearly defined workflow will be developed and staff trained on its contents.

Responsible Manager: ICT Service Manager

Implementation Date: 31/10/2016

3 Medium Back Ups:

Reviews into system back-ups, including the frequency and format of the process, are on-going for ensuring business needs are being met.

Procedure notes are being developed for documenting key back-up processes, but further work is required to ensure sufficient resilience within the team for managing the process.

It should be noted that there are on-going developments concerning the network infrastructure which will have an impact on the nature and frequency of the process.

Potential lack of resilience in systems, resulting in extended downtime which could lead to service interruption and reputational damage for the authority.

To report the progress of the action plan to the Management Board to ensure the work is completed in a timely manner.

Management Response: Progress on implementation of the business continuity and resilient infrastructure is reported at ICT management board meetings. Work is progressing on producing a comprehensive programme and project plans.

Responsible Manager: ICT Service Manager

Implementation Date: 31/10/2016

4 Medium Business Continuity:

Business Continuity procedures have not been tested to ensure they are adequate for the needs of the partner authorities, including detailed testing of back-up files for all systems managed by the ICT team, to ensure integrity of stored data.

Further amendments are required to the plan to incorporate changes in the shared working arrangements for Malvern Hills and Wychavon staff and their respective systems.

Potential for inadequate system restoration procedures and/or undeliverable expectations affecting front-line and back office services, resulting in reputational damage and financial implications should payment systems be affected.

Update the plan to reflect the changed working arrangements with MHDC and WDC and then arrange testing of the ICT Business Continuity procedures and back-ups to ensure service resilience across all partners.

Obtain feedback from the test to use as a continual learning process and ensure that the expectations of staff in all partner authorities match the priorities of the ICT service as agreed by the Management Board.

Management Response: ICT Business Continuity plan under constant review. Full test will not be possible until work to centralise production servers at Pershore and Business Continuity servers at Malvern has been completed, at which point a full test will be arranged.

Responsible Manager: ICT Service Manager

Implementation Date: 31/3/2017

Audit: Benefits
Summary: Full system audit in regard to the Benefits system administered by Civica.
Assurance: Significant

1 High Ledger Reconciliations

Audit testing confirmed that whilst reconciliations are being carried out within ACADEMY, the last reconciliation with the ledger (Wychavon DC) was carried out in September 2015.

Potential errors not promptly identified and investigated, leading to financial error.

Reconciliations with the ledger should be carried out monthly.

To minimise the impact of the loss of experienced staff, procedure notes should be produced to provide a clear understanding of what reconciliations should be performed and by when.

Responsible Manager: Service Delivery Manager (MH)

Management Response: It is recognised that the process has fallen behind since the loss of a key member of staff, who used to conduct these specific reconciliations.

Unfortunately, the process was not documented clearly and has not been kept up to date.

However, the Systems team has recently expanded and additional experience has been added to address issues such as this. The initial objective will now be to bring the ledger reconciliations up to date, and an appropriate level of documentation will be created.

We will therefore be reviewing all reconciliations before the 16/17 year to decide:

i) If they are actually necessary – who uses the results and for what purpose

ii) If needed, who should do them – this reconciliation is to ensure accuracy of the ledger and so arguably should be the responsibility of the Finance service and not the Systems Team.

iii) If we continue to do some reconciliation work, are there more efficient ways to do them, e.g. the Civica Automation software (some reconciliations are performed currently via this process).

Implementation date: A target implementation date of 29th April is set to complete this process.


APPENDIX 4 Audit Report Follow Up Programme

Columns: Audit; Audit Year; Date Final Audit Report Issued; Service Area; Assurance; Number of High, Medium and Low priority Recommendations; Follow Up (1st, 2nd, 3rd).

1st follow up: High and Medium priorities, 6 months after the final report is issued, as long as the implementation date has passed.

2nd and 3rd follow ups: High and Medium priorities still outstanding, 3 months after the previous follow up, as long as the implementation date has passed.

Audit: Planning Enforcement
Audit Year: 2014/15
Date Final Audit Report Issued: 5th January 2015
Service Area: Development Services Manager
Assurance: Moderate
Recommendations: There are 4 medium recommendations. One relating to lack of clear audit trail, another relating to recordings on paper not advertised online, another relating to lack of regular monitoring and one relating to lack of detail in the complaints department.
Follow Up (1st): "There is sufficient evidence to support that one medium priority level recommendation has now been implemented. However, the other three recommendations are still to be fully implemented. The new 'Poem' browser version has still to be fully tested and as yet not fully operational whilst IT issues have delayed the launch of the electronic register for Planning Enforcement notices."
Follow Up (2nd): The remaining recommendations have now been implemented to a stage where there is no longer any substantial risk to the Council. The recommendations cannot be fully implemented until new enforcement notices are issued.

Audit: Economic Development
Audit Year: 2014/15
Date Final Audit Report Issued: 25th February 2015
Service Area: Economic Development
Assurance: Moderate
Recommendations: There were 2 medium recommendations: one relates to documents that could not easily be found, the other to weaknesses in two different schemes.
Follow Up (1st): From the explanations received and the evidence provided/sought, Internal Audit considers that although progress has been made in their implementation, neither of the recommendations has been fully implemented.
Follow Up (2nd): The follow-up in May 2016 found that the 2 'medium' priority recommendations in relation to a structured approach and monitoring had been implemented as far as practical at this moment in time and that the risk to the Council had been sufficiently reduced. No further follow ups are required.

Audit: Depot
Audit Year: 2014/15
Date Final Audit Report Issued: 22nd May 2015
Service Area: Cleaner and Greener City - Service Manager and Operations Manager - Service Delivery
Assurance: Critical friend
Recommendations: Action Plans were agreed and progress feedback will be sought in line with agreed implementation dates.
Follow Up (1st): An initial follow up was undertaken in January 16 to ascertain the current position regarding the agreed Management Action Plans. The follow-up found that some progress had been made; however, resources were being diverted to other high priority areas. At this stage, as there are no risks to the council from non-completion of the action plan, no further follow-up is planned.

Audit: Performance Reporting Revs and Bens
Audit Year: 2014/15
Date Final Audit Report Issued: 4th August 2015
Service Area: Civica Partnership Director (Revenues and Benefits) and Service Delivery Manager (Revenues and Benefits)
Assurance: Significant
Recommendations: 1 'medium' priority recommendation relating to Accuracy of Reported Collection Rate Data.
Follow Up (1st): Followed up in February 2016 as part of the main Revs & Bens review. Testing confirmed that figures recorded by Civica agreed with those reported to the Joint Board. No further follow up required but on-going monitoring will continue via the Revs and Bens audit.

Audit: Treasury Management
Audit Year: 2015/16
Date Final Audit Report Issued: 17th March 2016
Service Area: Head of Financial Services
Assurance: Significant
Recommendations: 1 medium & 2 low; Closing balances figure (M), Treasury Recovery Plan (L) and User access security (L)
Follow Up (1st): With 2016/17 TM audit ~ Q2

Audit: CCTV
Audit Year: 2015/16
Date Final Audit Report Issued: 17th March 2016
Service Area: Head of Cleaner and Greener Service
Assurance: Limited
Recommendations: 2 'high' priority recommendations were made in relation to contract monitoring and clarity of the contract details.
Follow Up (1st): Due to these being 'high' priority, the recommendation relating to the clarity within the contract has been implemented and responsibility for monitoring the contract has now been assigned. No further follow-ups are required.

Audit: ICT
Audit Year: 2015/16
Date Final Audit Report Issued: 27th July 2016
Service Area: ICT Shared Service Manager
Assurance: Significant
Recommendations: 4 medium: training, malicious attack protocol, system back ups, and business continuity.
Follow Up (1st): With 2016/17 ICT audit ~ Q4

Audit: Cemeteries and Crematorium
Audit Year: 2015/16
Date Final Audit Report Issued: 8th April 2016
Service Area: Deputy Director Cleaner and Greener Services
Assurance: Limited
Recommendations: 1 'high' and 1 'medium' priority recommendations were made in relation to system interfaces and systems access.
Follow Up (1st): Feb-17. This audit has been included in the 2016/17 audit plan as a follow-up to be undertaken in quarter 4.

Audit: Website Security
Audit Year: 2015/16
Date Final Audit Report Issued: 2nd March 2016
Service Area: Deputy Director Governance and Communications and PR Manager
Assurance: Limited
Recommendations: 1 'high' and 8 'medium' priority recommendations were made in relation to publishing of private information, access rights, password changes, disabling of accounts, review of reports, additional reports, tracking of feedback, keeping information up to date and protocol for data breaches.
Follow Up (1st): Sep-16

Audit: Regulatory
Audit Year: 2015/16
Date Final Audit Report Issued: 08/06/2016
Service Area: Head of Regulatory Services
Assurance: Critical Review
Recommendations: Time recording challenges in relation to Systems Specification, Policies & Guidance, Coding Structure, Fee Earners, Performance Measurement and Database Accuracy.
Follow Up (1st): Progress meeting Dec 16

Conclusion: IA considers that, overall, progress is being made by the respective managers and services with regard to the implementation of their action plans against reported Internal Audit recommendations. Although there are a number of audits where work continues, it is considered that there are legitimate reasons why this is the case (for example continuing development, or proposed system changes), or that the outstanding items are of non-material risk. Core financial audits will be followed up as part of the annual audits. It should be noted that there are no exceptions which expose the Council to increased risk considered material enough to be reported to the Audit Committee.