Agenda item

Officers presented the Head of Internal Audit’s Annual Opinion on the internal controls, governance and risk management arrangements operating within the Council during the financial year 2021/22.

The main headline of the report was noted to be the work undertaken by internal audit and external regulators; following this work, Officers were in a position to provide reasonable assurance that there were no significant weaknesses in the overall control environment operating across the Council. However, it was noted that the current risk management policy was not fully adhered to during the previous financial year. Members were assured that risks were managed in the usual way, and that the issues were around the reporting and updating of the risks; there was currently work ongoing to revise the policy, which will be taken to the appropriate Committees in due course.

Officers stressed that in giving the annual opinion, at no time can they provide absolute assurance; every system that operated within the authority could not be tested every year, therefore Officers could only provide reasonable assurance to the Committee based on the work undertaken.

Reference was made to Appendix One contained within the circulated report, which provided details of the achievement against the internal audit plan; as stated in the body of the report, a considerable number of days were lost last year due to sickness within the team. It was noted that a revised plan was brought to a previous meeting of the Committee, which removed some of the lower risk areas, which allowed Officers to concentrate on the higher risk areas.

It was mentioned that Appendix 2 of the circulated report provided details of the Internal Audit Team’s ongoing quality assurance and improvement plan.

Members asked for further information in regards to the risk management policy not being fully adhered to. Officers explained that the policy was due to be reviewed on a 3 year basis, with the review date set for 2021; that review was delayed slightly, however there was now good progress being made on the review. It was noted that there were delays in the reporting of the risks and updated position to the appropriate Committee; Officers weren’t able to adhere to the reporting frequency due to a number of reasons including a change in administration and a delay in meetings taking place. Members were informed that the Council had strengthened the personnel dealing with the risk management policy, which should equate to a significant improvement going forward.

Reference was made to the CRM (Customer Relationship Management) system solution that had previously been discussed in the Governance and Audit Committee training session. It was asked if progress had been made in implementing the digital solution. Officers highlighted that work had been undertaken to move the strategic risk register onto a Microsoft Excel based solution; it was ready to be implemented, following discussions in the Corporate Directors Group and a future meeting of the Governance and Audit Committee.

Following on from the above, it was queried if some elements of the CRM system would be digital, as well as those which were on Microsoft Excel. It was explained that the operational risks, which were held on accountable manager level, were included on the CRM system; the strategic risks were being maintained on an Excel spreadsheet for the time being.

The circulated report detailed that a total of 42 formal audit reports were issued, and only one audit resulted in a limited assurance rating. It was asked if this meant that 41 reports were positive. Officers confirmed that the 41 reports would have either had a substantial assurance or a reasonable assurance rating.

A question was asked in relation to quality assurance, and details relating to the last time a quality assurance assessment was carried out on the team. It was confirmed that 2018 was the last time a quality assurance was carried out on the team; they were due to be externally assessed again early in the new calendar year. The Committee was informed that it would be carried out by way of peer review, with the other participating Authorities in Wales; Neath Port Talbot Council would be required to carry out a review on Caerphilly County Borough Council, and colleagues in Conwy Council will be carrying out the review on Neath Port Talbot Council.

In addition to the above, Officers clarified that the Council followed the public sector internal audit standards, and their external assessment template, when an external review was being carried out. It was noted that each Council was responsible for filling out a self-assessment to determine if the Council complied, partially complied or did not comply; this assessment would then be reviewed by the Council carrying out the external review, and they will ask for documentary evidence to support the assertions that were made in the self-assessment.

Members were informed that previously, the Council undertaking the review held conversations with a range of people in order to feed into the review; including the Chairperson and Vice Chairperson of the Committee, the Section 151 Officer and External Auditors. It was confirmed that a formal report will be written and brought to the Governance and Audit Committee, once the review was complete.