Agenda item

To consider the Internal Audit Strategy and Audit Plan for the period 2018/19.

To consider any Advance Questions submitted.

The Committee considered a report on the Council’s Internal Audit Strategy and Internal Audit Plan for 2018/19. The Chairman reminded Members that the Overview and Scrutiny Committee was the audit committee for the Council.

The Committee considered and discussed the report, the Internal Audit Strategy and the Internal Audit Plan for 2018/19. There were a number of questions and comments on the report, relating to the following topics:

·        Strategic Risk SR1 – Financial sustainability and commercial service development. It was confirmed that the review of this risk initially scheduled for 2017/18 had been deferred to 2018/19.

·        Strategic Risk SR7 – Cyber security. It was queried if an additional audit of cyber security processes would be advisable, given recent media reports of related concerns. The Committee was advised that the Council maintained an ongoing cyber security programme, but that an additional audit of these processes was not judged to be required at this time due to the assurance provided by the thorough review in 2016/17. It was noted that an element of the Council’s IT arrangements was subject to review on a rotating annual basis.

·        Strategic Risk SR8 – The UK’s exit from the European Union. Members were advised that no audit was proposed in relation to this risk as the uncertain impact of the event and lack of directly associated advance actions meant that there were no clear processes to audit. It was noted that the uncertainty in this area was reflected in the Council’s planning, where possible.

·        Strategic Risk SR10 – Recycling credits. Members were advised that no audit was proposed in relation to this risk as negotiations regarding recycling credits were currently ongoing and the Council was aware of the risk.

·        Strategic Risk SR11 – Data protection. A query was raised regarding the relevance of the new General Data Protection Regulations (GDPR) to the Council and the proportionality of the Council’s response to the regulation. It was confirmed that the regulations were relevant to Council, due to both their legislative requirements and the Council’s duty to protect its residents and vulnerable individuals within the borough, whose data was protected by the regulations. The Committee was advised that the Council’s response to the regulations was considered to be proportionate.

·        Actions in the event of issues being identified by internal audits. The Committee was advised that in the event of issues being identified by an internal audit a remediation plan would be implemented. It was noted that completed internal audit reports were available on the e-Members room, and that any areas identified to have significant concerns would be brought to the attention of the Committee.

·         The audit service providers. It was confirmed that the current audit service providers were an established provider of audit services with sufficient expertise to address the wide range of matters handled by the Council.

·         Fees for the internal audit service, and associated deed of variation. It was identified that a contractual deed of variation has been signed due to an extension of the contracted period. It was noted that the Council’s internal audit service was procured via a consortium, which would be undertaking a procurement process in the near future.

·         Financial processes and fraud avoidance. The Committee was advised that there was a regular audit of the Council’s financial processes, which included consideration of fraud avoidance. It was noted that this was also considered as part of the Council’s annual external audit process.

·         Building control services. It was confirmed that an internal audit of the southern building control partnership had been undertaken in 2017/18 and that the Council was awaiting the report, following its agreement by the auditors and Tandridge District Council (as the lead authority in the partnership).

·         Additional internal audit areas. There were a number of suggested areas for additional internal audits. These included: Leisure centre contract arrangements, new debt recovery processes, council commercial activity processes, green spaces, fleet maintenance. It was identified that the new debt recovery processes were an extension of existing practices, and were therefore covered under the existing audit programme.

It was noted that any additional items in the audit plan would likely require the new items to replace existing items, due to the limits of the capacity of the contracted audit service. The Committee supported a proposal to remove the dog warden back office functions and planning & S106/CIL compliance & income audits from the plan.

The Committee was supportive of a future internal audit regarding the leisure centre contract arrangements. The Committee was supportive of an internal audit regarding the Council’s commercial activity processes and it was agreed that this would added to the internal audit plan for the forthcoming 2018/19 municipal year.

RESOLVED that the Internal Audit Strategy and Internal Audit Plan 2018/19 be endorsed, with the modifications supported by the Committee.