Audit Committee

Date: Thursday, 27 March 2014

Minutes of Meeting of the Audit and Scrutiny Committee held in the Council Chamber, Council Headquarters, Glenurquhart Road, Inverness on Thursday, 27 March 2014 at 10.30am.

Present:

Mrs M Davidson, Mr B Fernie, Dr D Alston, Mr D Bremner, Mrs C Caddick, Mr A Christie, Mr B Clark, Dr I Cockburn, Mr J Ford, Mr K Gowans, Mr A Henderson, Ms L MacDonald, Mr D Mackay, Mr G MacKenzie, Mr A MacKinnon, Mr B Murphy, Mr A Rhind, Mr J Rosie, Ms G Ross, Ms K Stephen (substitute), Mr J Stone

Officials in Attendance:

Mr D Yule, Director of Finance
Mr N Rose, Head of Internal Audit and Risk Management
Miss D Sutherland, Audit and Risk Manager
Ms F Palin, Head of Social Care
Mr D Beaton, Computer Auditor, Finance Service
Mr B Murison, Income and Recovery Manager, Finance Service
Mr K Fox, ICT Operations Manager
Miss J MacLennan, Democratic Services Manager
Miss C Maragh, Administrative Assistant

Also in attendance:

Mr S Boyle, Assistant Director, Audit Scotland
Ms M Bruce, Senior Audit Manager, Audit Scotland

An asterisk in the margin denotes a recommendation to the Council.  
All decisions with no marking in the margin are delegated to Committee.

Mrs M Davidson in the Chair

1.  Apologies for Absence
Leisgeulan


Apologies for absence were intimated on behalf of Mr R Balfour, Mrs H Carmichael, Mr D Hendry and Mr G Rimell.

2.  Declarations of Interest
Foillseachaidhean Com-pàirt


The Committee NOTED the following declaration of interest:-

Item 3(v) – Mr A Christie (Non-Financial)

3.  Internal Audit Reviews and Progress Report
Ath-bhreithneachaidhean In-sgrùdaidh agus Aithisg Adhartais


There had been circulated Report No. AS-1-14 (510kb pdf) dated 18 March 2014 by the Head of Internal Audit and Risk Management which summarised the final reports issued since the date of the last meeting, together with details of work in progress and other information relevant to the operation of the Internal Audit Section.

In regard to the operation of the Internal Audit Section, it was confirmed that, during the period covered by the report, the Section had been involved in a variety of work, including Irregularity/Fraud Investigations, Grant Claims, Work for other Organisations, Boards and Committees, Advice, Assurance and Other Work, Computer Audit and the Scrutiny Working Group. In relation to the Scrutiny Working Group, it was advised that scrutiny training had been arranged for Members and would take place on 9 May 2014. In this regard, it was suggested that it would be appropriate to consider at a future meeting whether improvements could be made to the Council’s scrutiny arrangements.

Information was also provided on staffing resources, vacancies, training and progress against the Audit Plan. In this latter regard, it was confirmed that delays in completing the restructuring of the Section had impacted upon the ability to deliver the Audit Plan for the current year and a net total of 6 reviews were to be carried forward to the 2014/15 Plan. Further amendments to the 2013/14 Plan which had arisen through a combination of factors included further vacancies and delays in recruiting, audit reviews exceeding the allocated time budget and the need for reviews being overtaken by events.

During discussion, Members welcomed the confirmation that the Audit Team would be fully resourced following the restructuring.

With regard to finalising and actioning draft audit reports, thanks were conveyed to the former Chief Executive for the action which he had taken in response to previous concerns raised by the Committee on the implementation of actions arising from audits. However, it was recognised that there was still a need for response times to be improved upon by Services wherever possible.

The final reports were presented as follows:-        

(i)  Housing and Property – Compliance with the Carbon Reduction Commitment Energy Efficiency (CRCEES) Scheme 2012/13
(Full Assurance)


The objectives of the review had been to ensure that there were appropriate arrangements in place to produce accurate and timely Carbon Reduction Commitment monitoring and evaluation reports, adequate processes and procedures in place to forecast, measure and record anticipated CO2 emission output with the appropriate carbon cost allowances being obtained by the required date, adequate processes and procedures in place to record, measure and report CO2 emission output within the Council's responsibility and to ensure that the management agreed actions arising from the previous audit report had been satisfactorily implemented.

In terms of the main findings, it was confirmed that effective procedures were in place surrounding CRCEES registration and the timely submission of annual compliance reports.  In addition, there were appropriate mechanisms in place to acquire the requisite amount of CO2 allowances within the designated time period.

In all, one recommendation had been made at low grade which was due to be implemented by 30 April 2014.

(ii)  ICT Services – Data Handling and Security Audit
(Substantial Assurance)


The objectives of the review had been to ensure that an assessment and management of risk was carried out, external environmental controls were satisfactory, personnel access to sites was controlled and internal environmental controls within the data centre sites were satisfactory.

In terms of the main findings, there had been overall assurance for the purpose built Stevenage data centre and no areas of security weakness had been identified. In respect of the Inverness sites, some areas of good practice had been found despite not having certification of assurance to the ISO27001 standard and not being purpose built.

In all, eight recommendations had been made – seven of which had been classified as medium priority and one as low priority – three had agreed actions completed and the remaining five were due to be resolved by April 2015.

(iii)  Finance – Access and Authorisation Controls (Pecos and Accounts Payable)
(Substantial Assurance)


The objectives of the review had been to ensure that appropriate corporate and systems-specific policies were in place which guided users and defined the levels of access controls, access control procedures were in accordance with the requirements of IT Security Standard ISO27002 guidance on access controls and the Council’s Financial Regulations (with the procedures in place ensuring that access to information and information processing was controlled on the basis of business and security requirements), authorisation controls ensured that transactions were only approved by Officers who had been granted authorisation rights and an appropriate audit trail was retained which recorded authorisations as required.

In terms of the main findings, controls tested for areas relating to policies, procedures and audit trail had all been substantially achieved.

In all, six recommendations had been made – all of which had been classified as medium priority – one had been completed, two were due to be completed by the end of March 2014, two were to be resolved by the end of August 2014 and the final recommendation was due to be implemented by the end of March 2015.

(iv)  Finance – Travel and Subsistence - Travel Desk Arrangements
(Substantial Assurance)


The objectives of the review had been to ensure that Travel Desk procedures were available for all staff and promoted consistent arrangements, there was documentary evidence to support expenditure, the most cost-effective options had been selected where possible and assessed the benefit or absence of formal contracts in place (and where the most cost effective option had not been used, the reasons for doing so had been recorded), the Travel Desk services were used by all Council Services and Members and the Travel Desk was delivering its intended benefits.

In terms of the main findings, it was considered that the move to SharePoint for processing travel requests for the majority of Council Officers should provide even greater control over the travel request procedure. Although some travel requests would still use the older Excel based forms due to technical (IT) issues, where the move to SharePoint had resolved the issues found during the audit, the Travel Desk would be mindful of the findings in the report when processing these forms.

There had also been a reduction in the costs and the amount of travelling undertaken and an improvement in the single point of control that the Travel Desk had created.

In all, six recommendations had been made – five of which had been classified as medium priority and one as low priority – all of which were due to be resolved by May 2014.

(v)  Finance – Housing Benefit and Council Tax Benefit Payments 2012/13
(Substantial Assurance)


Declaration of Interest –

Mr A Christie declared a non-financial interest in this item on the grounds of being General Manager of Inverness, Badenoch and Strathspey Citizens Advice Bureau but, having applied the test outlined in Paragraphs 5.2 and 5.3 of the Councillors’ Code of Conduct, concluded that his interest did not preclude his involvement in the discussion.

The objectives of the review had been to ensure that Housing and Council Tax Benefits had been awarded to claimants in compliance with their entitlements for the year 2012/13, benefit awards had been accurately recorded in the appropriate system and the financial ledger and the system parameters in relation to Housing Benefits for 2013/14 had been correctly uprated in accordance with DWP circular HB/CTB A2/2013 (Revised).

In terms of the main findings, it had been recognised that the Benefits team was faced with diverse and onerous challenges as a result of the need to make complex benefit determinations on a daily basis and to deal with constantly evolving legislation. However, the findings had shown that the benefit claims examined had been calculated correctly and the one error which had been identified had related to the classification of an overpayment on a subsidy claim rather than an error in the calculation of benefit entitlement. (This error had been corrected in time and there had been no financial loss to the Council as a result).

In all, four recommendations had been made – one of which had been classified as high priority, two as medium priority and one as low priority – three of these actions had been completed with the low grade action due to be addressed by 31 March 2014.

(vi)  Finance – Debtors
(Reasonable Assurance)


The objectives of the review had been to ensure that there was an adequate control framework over access to and operation of the Accounts Receivable (AR) system, Services were only provided to approved customers within approved credit limits, income was properly captured for all chargeable goods and services and recorded in the AR ledger in a consistent and timely manner and was complete, accurate and valid, all payments received from valid customers were promptly processed and accurately recorded in the AR ledger, debt management, arrears follow up procedures and bad debt write offs were properly controlled, cancellations, adjustments and credit notes were properly controlled, outputs from the AR ledger were complete, accurate and valid and produced in a consistent and appropriate format in a timely manner and data within the AR system was protected against loss, corruption or system failure.

In terms of the main findings, it had been found that the receipt of income payments from Council customers was being processed on the AR ledger accurately and invoices were being raised for chargeable services provided. However, the time taken to raise invoices and the necessary budget holder approval of credit notes required to be addressed. In addition, the use of exception reports in proactive debt collection was not being carried out due to staff shortages and the potential impact on the Council required to be investigated. The reconciliations of the AR system also required to be carried out in a timely manner.  

In all, seven recommendations had been made – four of which had been classified as medium priority and three as low priority – two recommendations had been completed, two were being carried out on an on-going basis, with the remaining three due to be resolved by June 2014.

During discussion, it was suggested that the situation with regard to the raising of invoices and the approval of credit notes should be kept under constant review in order to monitor improvements wherever necessary.  

(vii)  Planning and Development – LEADER Programme 2012/13
(Reasonable Assurance)


The objectives of the review had been to ensure that the obligations in the Service Level Agreement had been adhered to, Highland LEADER projects were eligible and had been assessed by the Highland Local Action Group (LAG) accurately and the agreed actions arising from the previous audit report had been satisfactorily implemented by Management.

In terms of the main findings, it was confirmed that the review of the LEADER project files, informed by the previous audit findings, was still on-going and had found some individual project issues regarding the eligibility check which required to be reviewed. In that regard, the audit opinion of Reasonable Assurance had been given as the project files were still open to interpretation in their current state and also because less reliance could now be placed on the Scottish Government’s Technical Guidance which had been downgraded in the previous year to an aide memoire for the EU Regulations and relevant legislation. As such, LEADER projects were complex and each project differed in scope. Whilst there were set procedures and process in place to assess projects, this work remained subjective and therefore open to interpretation. However, the issues identified in the report would inform the file review process.  

In all, five recommendations had been made – all of which had been classified as medium priority – the majority of which would be completed by March 2014, with the final outstanding recommendation due to be resolved by August 2014.

During discussion, it was suggested that it would be helpful if there was some certainty in future surrounding the various processes related to the LEADER projects as there was some concern that this had not necessarily been the case in the past when differing advice and information had been provided over time.  

The Committee otherwise NOTED the current work of the Internal Audit Section as detailed in the report, the final reports issued since the date of the last meeting and the adjustments to the 2013/14 Audit Plan.

4.  Internal Audit Plan 2014/15  
Plana In-Sgrùdaidh 2014/15


There had been circulated Report No. AS-2-14 (67kb pdf) dated 17 March 2014 by the Head of Internal Audit and Risk Management which provided details of and sought approval for the Internal Audit Section’s Plan for the financial year 2014/15 which had been attached as Appendix 1 to the report.

During a summary of the report, and in terms of the audit planning process, it was reported that meetings had been held with the Chief Executive and all Service Directors in January and February of the current year in order to discuss and agree their audit priorities. This process had also involved review of the individual Service and the Corporate Risk Registers in order to consider whether any of these risks should be subject to audit activity. Consideration had also been given to new developments and the associated risks faced by the Council and a number of new systems/processes, such as the Council’s new Website information and the process for making online payments. New Resource Link processes and operation of the new Property Management system had also been included in the Plan.

In addition to the above, a meeting had also been held with Audit Scotland to discuss their expectations as to the level of Internal Audit coverage of the main financial systems. In this respect, a three year rolling plan for the review of the main financial systems had previously been agreed and the audits originally planned for 2014/15 had been incorporated into the current year’s plan. Time had also been allowed for work associated with the provision of the Head of Internal Audit & Risk Management’s annual opinion which appeared within the Annual Report and the Council’s governance statement.     

There had been two follow-up audits included in the plan (Administration of Fuel Cards and Corporate Internet Use) and in addition to this time had been allowed for the regular ‘action tracking’ of audit recommendations for those audits which were not subject to a full follow-up review.

Time had also been allowed for audits in progress from the 2013/14 Plan which would not be completed by the year-end, the programme of scrutiny reviews and any fraud and irregularity investigations which might arise during the year, with resources having been calculated on the basis of the staff in post and an assumption that any new staff appointed would start in early May.

The Committee APPROVED the Audit Plan for 2014/15 as circulated.

5.  Risk Management Arrangements   
Fios às ùr mu Ullachaidhean Rianachd Cunnairt


There had been circulated Report No. AS-3-14 (31kb pdf) dated 17 March 2014 by the Head of Internal Audit and Risk Management which provided an update on progress in reviewing the Council’s Risk Management arrangements.

During a summary of the report, it was confirmed that Risk Management training had been provided for Members on 14 February 2014 and the opportunity had been taken to consult with the Members in attendance as to their view of the present process and to get a view as to the detail they wished to see in future reports. In this regard, the Head of Internal Audit and Risk Management referred to specific reporting improvements which had been identified and which would be discussed with the Chair of the Committee with a view to incorporating such improvements within the report on Corporate and Cross Cutting Risks which was to be presented to the June Committee.    

In terms of proposed changes, a plan had been agreed between the Head of Internal Audit and Risk Management and the Audit and Risk Manager as to the changes required over the forthcoming year and this consisted of a review of the Corporate and Cross Cutting Risk process by 30 June 2014, establishing a Corporate Risk Management Group which would encompass all risks including ICT and major projects by 30 September 2014, revision of the Council’s Risk Management Strategy by 31 December 2014 and improving the robustness of the process for recording and monitoring Service risks, including ICT and project risks by 31 March 2014.

The Committee NOTED the planned changes to the Risk Management process as detailed in the report.

6.  Audit Scotland National Reports and Other Reports
Aithisgean Nàiseanta Sgrùdadh Alba


There had been circulated Report No. AS-4-14 (44kb pdf) dated 7 March 2014 by the Head of Internal Audit and Risk Management which provided details of the most recent National and other Reports issued by Audit Scotland and the action taken within the Council to address the report findings.

In this regard, it was confirmed that three reports had been issued and considered by the relevant Strategic Committees as follows:-

• Charging for Services: Are You Getting It Right? (presented to the Finance, Housing and Resources Committee on 27 November 2013);
• Housing Benefit Risk Assessment (presented to the Finance, Housing and Resources Committee on 27 November 2013); and
• Scotland’s Public Sector Workforce (presented to the Finance, Housing and Resources Committee on 9 February 2014)

The respective Committee Minutes had also been circulated for information.

The Committee NOTED the action being taken by the Finance, Housing and Resources Committee to address the respective report findings as detailed in the report.

7.  External Audit Reports      
Aithisgean Sgrùdaidh bhon Taobh A-muigh


There had been circulated Report No. AS/5/14 by the Council’s External Auditors (Audit Scotland) which summarised the External Audit reports issued since the last meeting as follows:-  

(a)  The Highland Council’s Annual Audit Plan 2013/14
(411kb pdf)


During a summary of the report, reference was made to the summary of planned audit activity which included an audit of the financial statements and provision of an opinion on whether they gave a true and fair view of the financial position of the Council as at 31 March 2014 and its income and expenditure for the year and whether the accounts had been properly prepared, an audit of the financial statements and provision of an opinion for the charitable trusts where the Local Authority was the sole trustee, reporting the findings of the shared risk assessment process in an Assurance and Improvement Plan Update, a review and assessment of the Council’s governance and performance arrangements in a number of key areas (including key financial controls, the adequacy of internal audit, best value, statutory performance indicators, corporate governance and the arrangements for the prevention and detection of fraud), provision of an opinion on a number of grant claims and returns, review of National Fraud Initiative arrangements and review of the local impact of national performance audits (including Health Inequalities in Scotland, Arms-Length External Organisations and Major Capital Investments in Councils).

Reference was also made to Audit Issues and Risks (including financial management and sustainability, accounting for charitable trusts, accounts presentation and disclosure, information management, risk management and welfare reform) and Fees and Resources.          

During discussion, and with specific reference to the section in the report which dealt with Accounting for Charitable Trusts, it was suggested that an update should be provided for the next meeting on the current position and specifically to confirm whether all existing charitable trusts identified by the Council had now been included in the application to the Office of Scottish Charities Regulator.

(b)  Assurance on Internal Controls 2012/13 (162kb pdf)

It was confirmed that Audit Scotland’s Code of Audit Practice required them to assess the systems of internal control put in place by management and in carrying out this work to assess whether the Council had systems in place for recording and processing transactions which provided a sound basis for the preparation of financial statements and the effective management of its assets and interests, had systems of internal control which provided an adequate means of preventing or detecting material misstatement, error, fraud or corruption and complied with established policies, procedures, laws and regulations. In this regard, a review of the Internal Audit Section had been undertaken and it had been concluded that it operated in accordance with the CIPFA Code of Practice for Internal Audit in Local Government and reliance was able to be placed on those areas of internal audit work which had been set out in the Annual Audit Plan.

Information had been presented within the report which summarised the key systems tested during 2012/13, including those where Audit Scotland had placed formal reliance on internal audit work to avoid duplication of work, such as Trade Receivables, Non Domestic Rates, Council Tax and Housing Rents. It was also confirmed at the meeting that Benefits should also be included in this category.

Further, assurance had been able to be taken from the work undertaken by Internal Audit in relation to Integrating Care in the Highlands and the Security and Integrity of Council Data held at Fujitsu’s Data Centre.

A few areas had been identified where it was considered that further improvements could be made and these had been summarised in Appendix A to the report.             

The Committee NOTED the terms of the reports as circulated.

8.  Exclusion of the Public
Às-dùnadh a’Phobaill


The Committee RESOLVED that, under Section 50A(4) of the Local Government (Scotland) Act 1973, the public should be excluded from the meeting for the following item on the grounds that it involved the likely disclosure of exempt information as defined in Paragraphs 6 and 9 of Part 1 of Schedule 7A of the Act.

9.  Internal Audit Reviews and Progress Report
Ath-bhreithneachaidhean In-sgrùdaidh agus Aithisg Adhartais

There had been circulated to Members only Report No. AS/6/13 dated 18 March 2014 by the Head of Internal Audit and Risk Management which summarised the final (confidential) reports issued since the date of the last meeting as follows:-

(a)  Chief Executive’s Service – Information Security
(b)  Health and Social Care – Children and Families Team - System Weaknesses Report

The Committee NOTED the terms of the reports as circulated.

The meeting ended at 11.15 am.
