Internal Audit Annual Report 2023/24

Internal Audit Progress Report 2023/24

Report by: BDO

Published: May 2024

 

Contents

1. Summary of 2023/24 Work
2. Review of 2023/24 Work
3. Summary of Findings
4. Added Value
5. Key Themes
6. Background to Annual Opinion
7. Key Performance Indicators (KPIs)
8. Appendix 1: Opinion and Recommendation Significance

 

Summary of 2023/24 Work

This report summarises our work for Rushcliffe Borough Council (the Council) as part of the delivery
of the 2023-24 Internal Audit Plan, with an overview of the effectiveness of the controls in place
across the areas covered. The following reports have been issued for this financial year:

• Country Parks Income
• Fleet Management
• Fraud Report
• Governance of Partnerships Arrangements
• Grant Management Controls
• Main Financial Systems
• Markets – Income
• Reconciliations
• Rushcliffe Oaks – Crematorium Income
• E-Financials System Controls.

We have detailed the opinions of each report and key findings on pages five to 10. Our internal audit work for the period from April 2023 to March 2024 was carried out in accordance with the internal audit plan approved by management and the Governance Scrutiny Group (GSG). The plan was based upon discussions held with management and was constructed in such a way as to gain a level of
assurance on the main financial and other key operational and strategic systems. There were no restrictions placed upon the scope of our audit and our work complied with Public Sector Internal Audit Standards.

Head of Internal Audit Opinion

The role of internal audit is to provide an opinion to Full Council, through the GSG, on the adequacy and effectiveness of the internal control system to ensure the achievement of the organisation’s objectives in the areas reviewed. Our Annual Report provides our overall opinion on the adequacy and effectiveness of the organisation’s risk management, control and governance processes, within the scope of work undertaken by our firm as outsourced providers of the internal audit service. It also summarises the activities of internal audit for the period. The basis for forming our opinion is as follows:

• We have reached an overall opinion of Substantial assurance, which is the highest level of assurance that we can provide. This is consistent with the opinion provided in 2022-23. Across all ten of the reviews we completed (excluding the Fraud Report as this was an advisory review) we provided Substantial assurance over the control design, the control effectiveness, or both. The
  Council had a sound system of internal control and controls were regularly applied.
• We have issued three Medium recommendations to date in 2023-24 and no High findings, reflecting limited control weaknesses in controls. This remained stable to the previous year, demonstrating the Council’s positive culture for maintaining effective controls.
• Recommendations have been implemented in a timely manner. All reconciliations for 2022-23 have been fully implemented and 2023-24 recommendations that have fallen due have been completed. To support an ongoing process of implementing controls, we directly update the follow up tracker on a Council-managed Teams drive so that updates on the implementation of
  recommendations can be provided with supporting evidence throughout the year.
• The Council was subject to the Local Government Association’s peer review challenge in January 2024 which identified that the Executive Management Team (EMT) was strong, supportive and approachable. The report, presented to Cabinet on 17 April 2024, highlighted the positive collaboration that the Council has with other partners in the sector to deliver its objectives and the strong governance and culture from the leadership. An action plan has been developed for how the Council will respond to each  recommendation in the report, demonstrating a good culture for improvement.
• An unqualified opinion was provided by External Audit for the accounts to the year-ended 31 March 2023. This is a significant challenge across the local government sector, with many councils’ accounts having not been audited since 2021-22 or before. This supports our view on the overall control environment, specifically around financial management. We conducted a review on Main Financial Systems and on access controls to the E-Financials System where we provided Substantial assurance over the design and effectiveness of controls.

 

Review of 2023/24 Work

Report Issued - Country Parks Income 

Recommendations and Significance

• High - 0
• Medium - 1
• Low - 2

Overall Report Conclusions (See Appendix 1)

• Design - Moderate
• Operational Effectiveness - Substantial

Conclusion and Summary of Key Findings

Conclusion

We provided Moderate assurance over the management of income (including cash) from Rushcliffe Country Park. There were gaps identified in the control design, particularly the lack of a separation of duties in the cash counting process and receipts not being provided for each booking on the ranger-led activities. While no issues were identified around misappropriation of cash, these control gaps could leave the Council more vulnerable to theft or loss of cash being undetected. Albeit, the values of cash and cheques collected
at the Country Park was relatively low (£6,494 between April and November 2023) and we noted through our follow up process that a separation of duties has now been implemented and is documented. Appropriate security arrangements were in place at the Country Park for storing cash before it was banked.

Non-cash transactions for the concession contracts for rent of the café, hot food and ice creams at the Rushcliffe Country Park (for £48,390 per annum) was charged correctly and paid in a timely manner. This was also the case for car park income collected from
Broxtowe Borough Council.

Findings

• Cash was only counted and transported to the Rushcliffe Arena by one officer which could leave the Council more vulnerable to theft or loss of cash. Although, no instances were identified during our review.
• Receipts were not provided to customers for ranger-led activities and therefore there was not a clear audit trail for the amount of income received from these activities.
• The cash taking procedure note did not contain robust details on the process for banking cash, potentially leading to  inconsistencies in the process if it were to be administered by different officers.

 

Report Issued - Fleet Management

Recommendations and Significance

• High - 0
• Medium - 1
• Low - 1

Overall Report Conclusions (See Appendix 1)

• Design - Moderate
• Operational Effectiveness - Substantial

Conclusion and Summary of Key Findings

Conclusion

We conclude that the Council have a Moderate design of controls and Substantial effectiveness of controls for Fleet Management.

This covered its compliance with statutory vehicle maintenance and servicing and the transition to a zero-carbon emission fleet.

The Moderate opinion on the control design was drive by the Medium finding for the completion of driver checks for agency drivers and the gap in a policy for formal escalation for drivers that receive points on their licence. Drivers employed directly by the Council were subject to quarterly checks on DAVIS, which mitigates the risk around ineligible drivers operating the Council’s vehicles. Furthermore, there were adequate controls to monitor and ensure that vehicles had statutory maintenance and service checks and to maintain compliance with the O-Licence, to operate heavy vehicles.

The fleet of vehicles contributes to 25% of the Council’s carbon emissions. Therefore, as part of the Carbon Reduction Action Plan, it has set a target of net-zero emissions from its vehicles. Progress has been made towards this target, through feasibility studies into transitioning the fleet to hydro-vegetated oil (HVO) fuels or electrifying the fleet. However, due to the size of the Borough and current market supply of electric 32-tonne refuse vehicles, this could lead to operational challenges if the Council purchased these. Our review did recognise the positive work taken so far towards meeting the climate objectives.

Findings

• The Council did not undertake periodic checks of agency drivers on the DAVIS Licence
  Check System (or through an alternative method) and a policy was not in place to
  formally outline the process for escalating driving licence points with staff.
• Since declaring a climate emergency in 2019, which recognises that the fleet of vehicles contribute to 25% of the Council’s emissions, action has been taken to convert 21 vehicles to HVO fuels (including its refuse vehicles which contribute to 80% of the fleet’s carbon emissions) and it has commissioned reviews around the feasibility of electrifying its vehicles. However, further action and monitoring of the transition to zero emission vehicles is required to achieve the target set out in the Climate Change Strategy of net zero emissions by 2030.

 

Report Issued - Governance of Partnerships Arrangements 

Recommendations and Significance

• High - 0
• Medium - 1
• Low - 1

Overall Report Conclusions (See Appendix 1)

• Design - Substantial
• Operational Effectiveness - Substantial

Conclusion and Summary of Key Findings

As part of this audit, we reviewed the following partnerships: the East Midlands Building Consultancy (EMBC), South Nottinghamshire Community Safety Partnership (SNCSP), South Notts Place-Based Partnership (SNPBP) and the Joint Waste Management Committee. Our review assessed the Council’s governance arrangements for these partnerships.

Conclusion

We concluded that the Council had a Substantial design and effectiveness of controls for it management and governance of these partnerships. There were strong levels of senior buy-in, with meetings attended by Portfolio Holders, Directors and/or Service Managers,
demonstrating a robust approach to commitment and cooperation with partners on shared priorities. Furthermore, the partnership meetings were regular with good participation from the Council on strategic and operational matters.

Each partnership had a clear and concise remit which, except for the SNCSP, had been approved by all partners. The EMBC followed a more formal approach with a signed partnership agreement, as each party had formal obligations, whereas the other partnerships were more focused on cooperation for shared outcomes.

Findings

• The terms of reference for the SNCSP had not been formally approved by all partners, providing a lack of clarity over each  partners understanding and commitment to the agreed roles and responsibilities, and desired outcomes of the partnership.

 

Report Issued - Fraud Report

Advisory report - No instances or allegations of fraud were identified in 2022-23.

 

Report Issued - Grant Management Controls

Recommendations and Significance

• High - 0
• Medium - 0
• Low - 2

Overall Report Conclusions (See Appendix 1)

• Design - Substantial
• Operational Effectiveness - Substantial

Conclusion and Summary of Key Findings

We provided assurance over the controls in place to support the management of the grant,tested by a walk through of processes and a review of a sample of claims for the LAD3 grant. Our role was not to provide assurance over the accuracy of claims and compliance with the LAD3 grant conditions.

Conclusion

We concluded that there was a Substantial design and effectiveness of controls for the LAD3 grant management. Our walk through of grant management and administration processes identified that there was a sound system of internal control designed to ensure
that grants were provided to eligible properties and that appropriate assessments were undertaken by qualified assessors.

This was supported by the effective use of the Perci System which allowed the Council to maintain effective oversight of the progress of projects. Critically, our sample testing of properties in receipt of grant funding found that in all instances a PAS Assessment Report
had been undertaken in advance of the work and the property had been issued a new EPC certificate rating post-completion of the work. Additionally, applications to the scheme were evaluated by representatives from E.ON, the Nottingham Energy Partnership and the
Council to ensure that funds were allocated to eligible properties with lower energy ratings. All properties from our sample test had an EPC D or EPC E rating before the upgrades were done.

There were some issues identified from our review, notably that a purchase order had not been raised following the allocation of additional funding from the Midlands Net Zero Hub to the Council. This resulted in the final invoice of £424,493 having not been paid to E.ON at the date of our fieldwork (8 December 2023). There were also limited fraud prevention controls in place at the start of the scheme, which may have contributed to a potential fraud incident whereby a subcontractor requested and received payment from an occupier directly, in addition to funding through the grant.

Findings

• Preventative fraud measures were not in place to mitigate the risk of subcontractors charging occupiers despite them being in receipt of the grant. This happened in one instance and was only detected due to the occupier reporting the incident to E.ON.
• There was an outstanding payment for LAD3/HUG1 grant work to E.ON for £424,493 due to the final invoice exceeding the original purchase order. Subsequent purchase orders did not appear to have been raised for additional grant funding provided to the Council.

Report Issued - Main Financial Systems

Recommendations and Significance

• High - 0
• Medium - 0
• Low - 1

Overall Report Conclusions (See Appendix 1)

• Design - Substantial
• Operational Effectiveness - Substantial

Conclusion and Summary of Key Findings

Main financial systems are a cyclical audit and therefore, we agree with the Director of Finance and Corporate Resources and the Service Manager - Finance the area of focus each year. This year the focus of the review was on the Council’s treasury management arrangements, including compliance with statutory requirements.

Conclusion

We provided the Council with Substantial assurance for the design and effectiveness of controls in place to support the management of its treasury function, underpinned by robust reporting on the performance and position of its investments. The Council had been
reporting its treasury management activity quarterly to the Governance Scrutiny Group since 2022-23, despite the Prudential Code only mandating this frequency of reporting from April 2023, reflecting the transparent approach. The Council did not have any borrowings at the time of our review as its capital investment programme was funded from its cash reserves.

Across its treasury processes, whether it be daily investments or reconciliations, a separation of duties was embedded; albeit records were not retained for the approval of reconciliations. The investment appraisal process was more mature than other local authorities, with formulas built into the investment cashflow spreadsheet to identify which funds provide higher returns and whether investments would be within the counterparty limits.

Similarly, there was robust oversight of treasury risks, through the Treasury Group and the Governance Scrutiny Group.

Findings

• Evidence for the review and approval of the reconciliations between the investment cashflows spreadsheet, counterparty bank statements and the E-Financials System were not retained and accessible during our review. We were informed that these were usually held in Microsoft Teams chats between the preparer and the reviewer.

 

Report Issued - Markets Income

Recommendations and Significance

• High - 0
• Medium - 0
• Low - 1

Overall Report Conclusions (See Appendix 1)

• Design - Substantial
• Operational Effectiveness - Substantial

Conclusion and Summary of Key Findings

Conclusion

We concluded that the Council had a Substantial design and effectiveness of controls to manage its market income, with a focus on the Bingham Market. Rural Retailers manage the weekly market days, including collecting and banking cash from stall holders for the spots. Other income was charged accurately and collected promptly for licence agreements for cafés and ice cream vans at the markets.

Roles and responsibilities for collecting and banking cash were well understood, with proportionate security and checking arrangements based on the amount of cash collected, in accordance with the Council’s insurance requirements. Furthermore, we observed the cash collection at Bingham Market on 10 August 2023 and noted that these processes were followed. There was one low significance finding raised over the unexplained overpayment variances on two occasions at the market. However, these exceptions were low value.

Findings

Records of cash collected from market traders did not agree to the banking receipts in two instances (£7 and £9 overpayments). Furthermore, cash was not provided to the Markets Manager in envelopes leading to challenges in tracing who the receipts relate to.

 

Report Issued - Reconciliations

Recommendations and Significance

• High - 0
• Medium - 1
• Low - 2

Overall Report Conclusions (See Appendix 1)

• Design - Substantial
• Operational Effectiveness - Moderate

Conclusion and Summary of Key Findings

Conclusion

We provided Substantial assurance over the design of controls and Moderate assurance over the effectiveness of controls for the Council’s management of reconciliations between the E-Financials System and third-party systems, and the reconciliation of control accounts.

We raised a Medium finding for the timing of the reconciliations which were often performed in three to five-monthly blocks rather than monthly, leading to delays in the potential detection and addressing of errors.

Each reconciliation was supported by a reconciliation procedure note to explain the process. Reconciliations were the responsibility of the System Owner, with support from Finance Business Partners as part of the monthly closedown process. However, reliance was often placed on the Finance Business Partners resulting in a lack of evidence a separation of duties between the preparer and approver of the reconciliations. Although we were informed that these were generally applied. 

Findings

Most of the third-party system reconciliations were not performed monthly by the System Owner. Rather, they were prepared in blocks of three to five months which could lead to delays in identifying and addressing variances.

Variances on the licensing system reconciliations (between Uniform and E-Financials) were not investigated as they were considered immaterial. While this is reasonable, the Council had not defined ‘immaterial’ in terms of the value of variances and not reconciling immaterial variances could lead to a failure to identify reporting errors or fraud.

There was a lack of evidence retained for a separation of duties between the officers preparing and reviewing the reconciliations.

Report Issued - Rushcliffe Oaks Crematorium Income 

Recommendations and Significance

• High - 0
• Medium - 0
• Low - 2

Overall Report Conclusions (See Appendix 1)

• Design - Substantial
• Operational Effectiveness - Substantial

Conclusion and Summary of Key Findings

Conclusion

We provided Substantial assurance over both the design and effectiveness of controls. While the Crematorium has not achieved its financial objectives for 2023-24, this was due to overestimates in the initial income in the business case (due to original assumptions
being distorted by the impact of Covid).

The processes in place to accurately charge, and collect income from customers were adequate, as confirmed by our sample testing of invoices issued to customers. There were also appropriate debt recovery activities in place for overdue invoices, leading to low levels of overdue debts. The Council has also conducted a range of marketing activities to promote the Crematorium before and since it opened in April 2023.

Adequate processes were in place to reconcile income received on the PlotBox System and the E-Financials System, to confirm the accuracy of income received.

Findings

Across our sample of 10 invoices issued to funeral directors, we identified that these were often paid later than the agreed credit terms, with one invoice paid 140 days late. Albeit, invoices were eventually paid and the Crematorium only had five aged debts at the end of January 2024, which is reasonably low.

Income collection performance for the Crematorium was not reported on Pentana or to the Development and Economic Growth Portfolio Clinic.

Report Issued - E-Financials System Controls

Recommendations and Significance

• High - 0
• Medium - 0
• Low - 3

Overall Report Conclusions (See Appendix 1)

• Design - Substantial
• Operational Effectiveness - Substantial

Conclusion and Summary of Key Findings

Conclusion

We provided Substantial assurance for both the design and effectiveness of controls. We have raised three low priority recommendations to improve the Council’s arrangements for the E-Financials system.

We have concluded substantial assurance over the design of the controls as there is generally a sound system of internal control designed to achieve system objectives, with some exceptions. These relate to the lack of scrutiny of the one privileged account which
has an authorisation limit.

We have concluded substantial assurance over the effectiveness of the controls as a small number of exceptions were identified during the review. These relate to the lack of review of activity on the dual access role and customer changes during the financial year.

 

Findings

During our review, the following areas of improvement were identified:

• The one privileged user account with an approval limit (i.e. has dual access) belonging to the Systems and Performance Officer for Finance is not regularly checked to determine whether any approvals of their own requisitions have been conducted. We confirmed however that there had been no adverse activity during the year by the user (Finding 1 – Low).
• Changes to customer data within the E-Financials system are not subject a systems report of amendments, although any amendments are required to be confirmed by a second member of staff and manual monthly checks on amendments are performed (Finding 2 – Low).
• Although a user access review is required to be conducted on an annual basis to confirm approval limits, this has not been  conducted yet for the 2023/24 financial year (Finding 3 – Low).

 

Summary of Findings

Recommendations and Assurance

Recommendations

2021/22

• High - 0
• Medium - 12
• Low - 14

2022/23

• High - 0
• Medium - 10
• Low - 20

2023/24

• High - 0
• Medium - 3
• Low - 15

In 2023/24 there were three medium level and 15 low level recommendations made. This is a decrease in both the number of medium and low level recommendations from the prior year. 

 

Control Design

2021/22

• High - 0
• Medium - 4
• Low - 5

2022/23

• High - 0
• Medium - 3
• Low - 6

2023/24

• High - 0
• Medium - 2
• Low - 7

In 2023/24 there were six reports issued with substantial assurance and two reports issued with moderate assurance over design of controls.

This is a similar performance to the prior year, with a slight decrease in the number of moderate assurance opinions provided.

 

Operational Effectiveness

2021/22

• High - 0
• Medium - 5
• Low - 4

2022/23

• High - 0
• Medium - 3
• Low - 6

2023/24

• High - 0
• Medium - 1
• Low - 6

In 2023/24 there were seven reports with substantial assurance over the operational effectiveness of controls and one report with a moderate.

This is a decrease in the amount of moderate assurance opinions on operational effectiveness given as compared with the prior year.

 

Added Value

Use of Specialists

We used fraud specialists and carried out work on the Annual Fraud Report. Additionally, specialist IT staff were deployed for the E-Financials System review.

Flexibility

We applied flexibility throughout the delivery of our Internal Audit Plan. For instance, we were requested to deliver the Grant Management Controls review within two weeks to provide assurance over the controls before the Council submitted its return to the
Midlands Net Zero Hub for the management of its LAD3 grant.

Sector Updates

For each Governance Scrutiny Group meeting, we provided our Sector Update on issues impacting the local government sector,
including updates on the Autumn Statement and the Best Value Framework. We also participated in the Local Government
Association Peer Challenge exercise.

 

Key Themes

People

The Council welcomed our internal audits and provided us with strong
levels of time and support during our reviews, whether delivered
remotely or in-person. This demonstrates the organisation's positive
approach towards internal audit and enhancing internal controls. Our
reviews covered a range of service areas, demonstrating positive
engagement with internal audit across the Council.

Income Collection

Several reviews focused on income collection for the Markets, Rushcliffe Country Park and Rushcliffe Oaks Crematorium. Overall there were effective controls in place to support the accurate charging and timely recovery of income.

Climate Change

Climate change is a prominent topic across the public sector, with many local authorities (including the Council) declaring a climate emergency. This was covered as part of the Fleet Management review where we identified good progress towards reducing carbon emissions from the Council's fleet. We have further reviews on climate change planned for 2024/25.

Systems and Processes

The Council has effective systems in place and processes were well followed, hence a continued high number of Substantial control
effectiveness opinions. In particular, there were appropriate access controls to the E-Financials System and there were reasonable controls for reconciliations with third-party systems, maintaining the assurance over the integrity of financial data.

Background to Annual Opinion

Introduction

Our role as internal auditors to Rushcliffe Borough Council (the Council) is to provide an opinion to the Council, through the Governance Scrutiny Group, on the adequacy and effectiveness of the internal control system to ensure the achievement of the organisation’s objectives in the areas reviewed. Our approach, as set out in the firm’s Internal Audit Manual, is to help the organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Our internal audit work for the 12-month period from April 2023 to March 2024 was carried out in accordance with the internal audit plan approved by the Executive Management Team and the Governance Scrutiny Group, adjusted during the year for any emerging risk issues. The plan was based upon discussions held with management and was constructed in such a way as to gain a level of assurance on the main financial and management systems reviewed. There were no restrictions placed upon the scope of our audit and our work complied with Public Sector Internal Audit Standards.

The annual report from internal audit provides an overall opinion on the adequacy and effectiveness of the organisation’s risk management, control and governance processes, within the scope of work undertaken by our firm as outsourced providers of the internal audit service. It also summarises the activities of internal audit for the period.

Audit Approach

We have reviewed the control policies and procedures employed by the Council to manage risks in business areas identified by management set out in the 2023-24 Internal Audit Annual Plan. This report is made solely in relation to those business areas and risks reviewed in the year and does not relate to any of the other operations of the organisation. Our approach complies with best professional practice, in particular, Public Sector Internal Audit Standards, the Chartered Institute of Internal Auditors’ Position Statement on Risk Based Internal Auditing.

We discharge our role, as detailed within the audit planning documents agreed with the Council’s management for each review, by:

• Considering the risks that have been identified by management as being associated with the processes under review.
• Reviewing the written policies and procedures and holding discussions with management to identify process controls.
• Evaluating the risk management activities and controls established by management to address the risks it is seeking to manage.
• Performing walk through tests to determine whether the expected risk management activities and controls are in place.
• Performing compliance tests (where appropriate) to determine that the risk management activities and controls have operated as expected during the period.

The opinion provided on page 3 of this report is based on historical information and the projection of any information or conclusions contained in our opinion to any future periods is subject to the risk that changes may alter its validity.

Reporting Mechanisms and Practices

Our initial draft reports are sent to the key contact responsible for the area under review to gather management responses. In every instance there is an opportunity to discuss the draft report in detail. Therefore, any issues or concerns can be discussed with  management before finalisation of the reports. All reports are also shared with the Executive Management Team member responsible for
the area to obtain their approval of the management responses, to ensure there is senior ownership and agreement to the recommendations and implementation dates.

Our method of operating with the Governance Scrutiny Group is to agree reports with management and then present and discuss the matters arising at the Governance Scrutiny Group meetings.

Management actions on our recommendations

Management were engaged with the internal audit process and provided considerable time to us during the fieldwork phases of our reviews, in most cases providing audit evidence promptly and allowing the reviews to proceed in a timely manner, including  opportunities to discuss findings and recommendations prior to the issue of draft internal audit reports. Management responses to draft
reports were broadly in line with the requested time period, with detailed responses on the actions to be implemented.

Recommendations Follow-up

Implementation of recommendations is a key determinant of our annual opinion. If recommendations are not implemented in a timely manner then weaknesses in control and governance frameworks will remain in place. Furthermore, an unwillingness or inability to implement recommendations reflects poorly on management’s commitment to the maintenance of a robust control environment. 

Recommendations were generally implemented in line with the initial due date agreed with management. Furthermore, responses to our follow up requests were provided in a timely manner, allowing sufficient time for evidence to be reviewed for completed  recommendations. We have been set up on the Council’s Microsoft Teams Channel to provide ongoing updates on the completion of
recommendations and direct access to evidence. This has further improved the completion of recommendations. All recommendations from 2022-23 and before have been fully implemented, with progress made towards the implementation of 2023-24 recommendations. This demonstrates a positive commitment to a robust control environment.

Relationship with External Audit

All our final reports are available to the external auditors through the Governance Scrutiny Group papers and are available on request. Our files are also available to external audit should they wish to review working papers to place reliance on the work of internal audit.

Report by BDO LLP to Rushcliffe Borough Council

As the internal auditors of the Rushcliffe Borough Council (the Council) we are required to provide the Audit Committee, and the Executive Management Team with an opinion on the adequacy and effectiveness of risk management, governance and internal control processes, as well as arrangements to promote value for money.

In giving our opinion it should be noted that assurance can never be absolute. The internal audit service provides the Council with Substantial assurance that there are no major weaknesses in the internal control system for the areas reviewed in 2023-24. Therefore,
the statement of assurance is not a guarantee that all aspects of the internal control system are adequate and effective. The statement of assurance should confirm that, based on the evidence of the audits conducted, there are no signs of material weaknesses in the framework of control.

In assessing the level of assurance to be given, we have taken into account:

• All internal audits undertaken by BDO LLP during 2023-24.
• Any follow-up action taken in respect of audits from previous periods for these audit areas.
• Whether any significant recommendations have not been accepted by management and the consequent risks.
• The effects of any significant changes in the organisation’s objectives or systems.
• Matters arising from previous internal audit reports to the Council.
• Any limitations which may have been placed on the scope of internal audit – no restrictions were placed on our work.

 

Key Performance Indicators

Quality Assurance

The auditor attends the necessary, meetings as agreed between the parties at the start of the contract

KPI

All meetings attended including Governance Scrutiny Group meetings, pre-meetings, individual audit meetings and contract reviews
have been attended by either the Partner or Audit Manager. Additionally scoping and closing meetings were attended by the Audit Manager.

RAG Rating - Green

 

Quality Assurance

Positive result from any external review

KPI

Following an External Quality Assessment by the Institute of Internal Auditors in May 2021, BDO were found to ‘generally conform’ (the highest rating) to the International Professional Practice Framework and Public Sector Internal Audit Standards.

RAG Rating - Green

 

Quality Assurance

Quality of Work

KPI

We have received four survey responses for audits completed in 2023-24 with an average score of 4.5/5 for the overall audit experience. We also received an average score of 4.5/5 for the added value from our reports and the constructiveness of our  recommendations. We continue to send out feedback surveys when issuing our final reports.

RAG Rating - Green

 

Quality Assurance

Completion of audit plan

KPI

We have completed the full audit plan for 2023-24 plus advisory work on the Fraud Report. We were flexible throughout the year, using
contingency days to complete a review of Grant Management Controls at short notice to provide assurance to the Director of Finance and Corporate Resources over controls in place to administer the LAD3 grants ahead of their submission to the Midlands Net Zero Hub in
December 2023.

RAG Rating - Green

 

Appendix 1

Annual Opinion Definition

Substantial (Green) - Fully meets expectations

Our audit work provides assurance that the arrangements should deliver the objectives and risk management aims of the organisation in the areas under review. There is only a small risk of failure or non-compliance.

Moderate (Amber) - Significantly meets expectations

Our audit work provides assurance that the arrangements should deliver the objectives and risk management aims of the organisation in the areas under review. There is some risk of failure or non-compliance.

Limited (Red) - Partly meets expectations

Our audit work provides assurance that the arrangements will deliver only some of the key objectives and risk management aims of the organisation in the areas under review. There is a significant risk of failure or non-compliance.

No (Dark Red) - Does not meet expectations

Our audit work provides little assurance. The arrangements will not deliver the key objectives and risk management aims of the organisation in the areas under review. There is an almost certain risk of failure or non-compliance.

 

Report Opinion Significance Definition

Level of Assurance = Substantial (Green)

Design Opinion: Appropriate procedures and controls in place to mitigate the key risks.

Findings from review: There is a sound system of internal control designed to achieve system objectives.

Effectiveness Opinion: No, or only minor, exceptions found in testing of the procedures and controls.

Findings: The controls that are in place are being consistently applied.

 

Level of Assurance = Moderate (Amber)

Design Opinion: In the main, there are appropriate procedures and controls in place to mitigate the key risks reviewed, albeit with some that are not fully effective.

Findings from review: Generally, a sound system of internal control designed to achieve system objectives with some exceptions.

Effectiveness Opinion: A small number of exceptions found in testing of the procedures and controls.

Findings: Evidence of noncompliance with some controls that may put some of the system objectives at risk.

 

Level of Assurance = Limited (Red)

Design Opinion: A number of significant gaps identified in the procedures and controls in key areas. Where practical, efforts should be made to address in-year.

Findings from review: System of internal controls is weakened with system objectives at risk of not being achieved.

Effectiveness Opinion: A number of reoccurring exceptions found in testing of the procedures and controls. Where practical, efforts should be made to address in-year.

Findings: Non-compliance with key procedures and controls places the system objectives at risk.

 

Level of Assurance = No (Dark Red)

Design Opinion: For all risk areas there are significant gaps in the procedures and controls. Failure to address in-year affects the quality of the organisation’s overall internal control framework.

Findings from review: Poor system of internal control.

Effectiveness Due to absence of effective controls and procedures, no reliance can be placed on their operation. Failure to address in-year affects the quality of the organisation’s overall internal control framework.

Findings: Non-compliance and/or compliance with inadequate controls.

 

Recommendation Significance Definition

High (Red)

A weakness where there is substantial risk of loss, fraud, impropriety, poor value for money, or failure to achieve organisational objectives. Such risk could lead to an adverse impact on the business. Remedial action must be taken urgently.

Medium (Amber)

A weakness in control which, although not fundamental, relates to shortcomings which expose individual business systems to a less immediate level of threatening risk or poor value for money. Such a risk could impact on operational objectives and should be of concern to senior management and requires prompt specific action.

Low (Green)

Areas that individually have no significant impact, but where management would benefit from improved controls and/or have the opportunity to achieve greater effectiveness and/or efficiency.