AUDIT COMMITTEE - - Charnwood Borough Council COMMITTEE – 28TH November 2017 Report of the Head of...


AUDIT COMMITTEE – 28TH November 2017

Report of the Head of Strategic Support

Part A

ITEM 07 INTERNAL AUDIT PROGRESS REPORT

Purpose of Report

The report summarises the status of the 2017-18 Audit Plan and also outlines the key findings from final audit reports and follow-up work completed since the previous progress report considered by the Audit Committee at the meeting held 5th September 2017.

Recommendation

The Committee notes the report.

Reason

To ensure the Committee is kept informed of progress against the approved Internal Audit plan.

Policy Justification and Previous Decisions

The Accounts and Audit Regulations 2015 state (Regulation 5 (1)) that the relevant authority must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.

Implementation Timetable including Future Decisions

Reports will continue to be submitted to the Committee on a quarterly basis.

Report Implications

The following implications have been identified for this report.

Financial Implications

None

Risk Management

There are no specific risks associated with this decision.


Background Papers: None.

Officers to contact:
Adrian Ward, 01509 634573, [email protected]
Shirley Lomas, 01509 634806, [email protected]


Part B

1. Progress against the 2017/18 Audit Plan

Appendix A summarises progress against the 2017/18 Audit Plan as at 10th November 2017.

General audit work: Progress continues to be made with planned work and a number of audits are either in progress nearing completion or have been completed. All planned work is scheduled to be completed by 31st March 2017.

One audit completed during the reporting period, Environmental Services Contract Monitoring, has received a Limited assurance rating and is also rated as high corporate significance. The Limited assurance rating is primarily due to overpayments to the Contractor which go back to 2012/13 and amount to c£300k. Further detail is provided in Appendix B of this report. Since the issue of the final audit report the Cleansing & Open Spaces team have revisited the contractual amounts due to the contractor and reconciled these to payments made; there is an indication that the level of overpayment may be reduced but this has not yet been verified. The Strategic Director of Neighbourhoods and Community Wellbeing and the Head of Cleansing and Open Spaces will be in attendance at the Committee meeting to provide an update to the Committee.

ICT Audit: As approved by the Committee at the meeting held on 5th September 2017 two IT audits, Change Management and Key ICT Controls, have been added to the Audit Plan. Work has commenced on the Change Management review and the Key ICT Controls audit is scheduled to be completed in Quarter 4.

2. Final Audit Reports Issued

The following final audit reports have been issued since the last update report to the Committee. Further detail in respect of these audits is attached in Appendix B, including a background section, the executive summary, and the agreed action plan listing recommendations made and the management responses.

| Audit | Field Work Completed | Draft Report Issued | Final Report Issued | Current Level of Assurance | Previous Audit Level of Assurance | Corporate Significance |
|---|---|---|---|---|---|---|
| Environmental Services Contract Monitoring 2017/18 | July 17 – Sept 17 | Sep 17 | Oct 17 | Limited | Substantial | High |
| Charnwood Lifeline 2017/18 | Aug 17 – Oct 17 | Oct 17 | Nov 17 | Moderate | N/A – pre 2007 | High |
| Management of Open Spaces Contract Monitoring 2017/18 | Aug 17 – Oct 17 | Oct 17 | Nov 17 | Moderate | Moderate | High |

4. ICT Audit

Two final audit reports have been issued since the last update report to the Committee. Further detail in respect of these audits is attached in Appendix B, including a background section, the executive summary, and the agreed action plan listing recommendations made and the management responses.

| Audit | Field Work Completed | Draft Report Issued | Final Report Issued | Current Level of Assurance | Previous Audit Level of Assurance | Corporate Significance |
|---|---|---|---|---|---|---|
| Key ICT Controls 2016/17 | Feb – Apr 17 | Apr 17; Revised June 17 | Oct 17 | Substantial | Substantial | High |
| Software Compliance 2016/17 | Feb – Apr 17 | Jun 17 | Oct 17 | Moderate | N/A | Medium |

5. Follow Up of Recommendations

The table below summarizes the follow-up status of recommendations which were due to be implemented during the period July 2017 to September 2017. One medium and two low priority recommendations have not been implemented by the agreed action dates. Further details are available at Appendix D.

In respect of the recommendations relating to the Payment Card Industry Data Security Standard (PCI DSS) audit, when following up the recommendations due for implementation in October 2017 the Head of Customer Experience informed Internal Audit that a project to review PCI DSS requirements and to ensure compliance is to commence in the New Year. The recommendations arising from the audit will be addressed through the project and revised dates for the implementation of the recommendation will be agreed.

July - September 2017.

| Priority Level | Implemented | Not Implemented | No Further Action |
|---|---|---|---|
| High | 0 | 0 | 0 |
| Medium | 8 | 1 | 0 |
| Low | 7 | 2 | 0 |
| Percentages | 83% | 17% | 0% |

6. Special Investigations

There have been no special investigations undertaken during the reporting period.

7. Performance Indicators for Internal Audit

The following summary outlines the results against the local performance indicators for Internal Audit for 2017/18.

| Indicator | Target | Result | Notes |
|---|---|---|---|
| Percentage of clients that rated the performance of Internal Audit as good or excellent. | 90% (Annual) | N/A | The annual survey of Heads of Service will be undertaken in April 2018. |
| Percentage of the agreed 2017/18 Internal Audit plan delivered (as at 10.11.17). | 90% (55% pro rata) | 42%* | *Includes allocated time for contingency etc. |
| Percentage of agreed recommendations arising from internal audit reviews implemented by the agreed date (as at 30.9.17) | 80% | 86% | April 2017 – September 2017 (19/22 recommendations) |

Appendices

Appendix A – Summary of progress against the 2017/18 Audit Plan (as at the 10th November 2017)
Appendix B – Summary of Final Audit Reports Issued
Appendix C – Summary of Final IT Audit Reports Issued
Appendix D – Follow Ups: Recommendations Not Implemented By the Agreed Date as at 30th September 2017

Appendix A

PROGRESS AGAINST THE 2017/18 AUDIT PLAN (as at 10th November 2017)

| 2017/18 Audit Plan | Plan Days | Spent Days | Status | Assurance Level | Corporate Significance |
|---|---|---|---|---|---|
| Key Financial Systems | | | | | |
| Full Systems Audit | | | | | |
| Treasury Management | 8.00 | 0.00 | Scheduled for completion in Quarters 3 and 4 | | |
| Income Collection | 10.00 | 0.00 | | | |
| Housing Benefits & CTS | 15.00 | 0.00 | | | |
| Housing Rents | 12.00 | 0.00 | | | |
| Targeted Testing: | | | | | |
| Accountancy & Budgetary Control | 3.00 | 0.00 | | | |
| Payroll | 3.00 | 0.00 | | | |
| Capital Accounting | 2.00 | 0.00 | | | |
| Creditors | 3.00 | 0.00 | | | |
| Council Tax | 3.00 | 0.00 | | | |
| Non Domestic Rates | 2.00 | 0.00 | | | |
| Debtors | 3.00 | 0.00 | | | |
| Quarterly Testing: | | | | | |
| Treasury Management | 1.00 | 0.50 | Ongoing | N/A | |
| Bank Reconciliation | 2.00 | 1.00 | Ongoing | N/A | |
| | 67.00 | 1.50 | | | |
| Strategic & Service Risk Audits | | | | | |
| Anti-fraud including NFI | 20.00 | 11.00 | Ongoing | | |
| Homelessness | 0.00 | 0.25 | Deferred to 2018/19 | | |
| Data Protection/ Information Security | 10.00 | 0.00 | Scheduled for Quarter 3 | | |
| Markets & Fairs | 12.00 | 1.00 | Scoping/ Planning | | |
| Environmental Services Contract Monitoring | 15.00 | 15.00 | Completed | Limited | High |
| Open Spaces Contract Monitoring | 12.00 | 12.00 | Completed | Moderate | High |
| Section 106 Agreements | 12.00 | 12.00 | Draft Report | | |
| Elections | 12.00 | 10.25 | In Progress | | |
| Temporary staff/ consultants/external legal fees | 12.00 | 3.00 | In Progress | | |
| Governance & Ethics | 10.00 | 10.00 | Completed | Moderate | High |
| Planned & Cyclical Maintenance | 10.00 | 0.50 | Scoping/ Planning | | |
| Gas Servicing Contract | 5.00 | 0.00 | Scheduled for Quarter 4 | | |
| Warden Services | 7.00 | 0.00 | Scheduled for Quarter 4 | | |
| Asset Management (Property Services) | 7.00 | 5.50 | In Progress | | |
| HR Contract | 7.00 | 7.00 | Completed | Moderate | High |
| Safeguarding | 5.00 | 0.25 | Scheduled for Quarter 4 | | |
| Lifeline | 5.00 | 5.00 | Completed | Moderate | High |
| Members Allowances | 5.00 | 0.75 | Scoping/ Planning | | |
| Business Continuity | 5.00 | 0.00 | Scheduled for Quarter 4 | | |
| | 171.00 | 93.50 | | | |
| IT Audit (Non-technical) | | | | | |
| Change Management | 15.00 | 2.75 | In Progress | | |
| Key ICT Controls | 10.00 | 0.00 | Scheduled for Quarter 4 | | |
| | 25.00 | 2.75 | | | |
| Externally Resourced Audits | | | | | |
| Health & Safety | TBC | | | | |
| Risk Management | TBC | | | | |
| Insurance | TBC | | | | |
| Other Work | | | | | |
| Recommendations - Follow Ups | 20.00 | 8.00 | Ongoing | | |
| Ad Hoc Investigations/ Contingency | 10.00 | 10.00 | | | |
| Allowance to complete 2016/17 Audits | 10.00 | 10.00 | | | |
| | 40.00 | 28.00 | | | |
| TOTAL – Audit Plan (not including proposed IT audits) | 303.00 | 125.75* | | | |

*Including work in progress, and the planned number of days when an audit reaches the final report stage.

Appendix B

SUMMARY OF FINAL AUDIT REPORTS ISSUED

Environmental Services Contract 2017/18

1. Background

The Council currently has in place a contract for collection of refuse, recycling and garden waste that is combined with street cleaning operations to form the Environmental Services contract. The contract was awarded to Serco Plc and commenced on the 1st August 2009. It was originally awarded for a period of seven years and eight months with the option to extend for a further seven years. With the contract due to expire on 31st March 2017, Cabinet agreed an extension to the existing Environmental Services contract for a period of approximately three years, until the end of June 2020. It was considered that the extension would ensure continuity of services and provide savings for each year of the contract extension period. The contract cost for 2017/18 is £4,999,986.74. The contract is monitored by staff within the Cleansing and Open Spaces service of the Neighbourhoods and Community Wellbeing Directorate.

2. Executive Summary

2.1 Overview

ASSURANCE RATING – LIMITED ASSURANCE

CORPORATE SIGNIFICANCE – HIGH

Assurance

Internal Audit can only give limited assurance to those charged with governance. There are significant weaknesses in the internal control environment in respect of ensuring payments due under the terms of contract are accurate and made appropriately. The weaknesses have led to incorrect calculations of the annual contract price and year end variations resulting in overpayments being made for each contract year since 2012/13 to date. Although audit testing did identify that there are measures in place to ensure that the risks associated with contract management and performance monitoring are being effectively managed, due to the significant financial implications of the identified weaknesses, the overall assurance level has been assessed as limited.

Corporate Significance

The area reviewed has been rated as being of HIGH corporate significance, on the basis of:

General risk of financial loss greater than £100,000

Service failures would have significant impact on customers

Risk of serious reputational damage (national press/TV)

2.2 Key Findings

We are pleased to report that the procedures in place incorporate the following examples of good practice:

There is a signed contract and also a signed deed of variation which relates to the extended contract period. These are held by Legal Services and electronic copies maintained by the service.

Monthly Contract Management meetings and performance meetings are held with representatives from the Council and the contractor; the meetings are minuted and any actions arising are documented and followed up at subsequent meetings.

Adequate arrangements are in place for monitoring the contractor’s performance against agreed Key Performance Indicators (KPIs) and all KPIs identified in the contract are included in the monitoring process.

Expected levels of service and standards are adequately defined and agreed and there is a failure criteria/scoring system that is applied consistently.

Substandard performance is identified, is followed up with the contractor and appropriate action taken and recorded.

Concerns and complaints are captured on LAGAN, the Council’s Customer Relationship Management System (CRM) and are dealt with in accordance with the Council’s Corporate Complaints Policy.

Adequate arrangements are in place to ensure financial penalties are enforced and income due from penalties is being collected.


However, from the work undertaken during the review, we have also identified the following areas where there is scope for improvement to ensure that the system operates more effectively and efficiently:

In accordance with the contract, contract management meetings are required to be held on a monthly basis. Audit review identified that no agenda or minutes were available for the June 2016 contract management meeting and there was no record in the minutes of the following meeting as to whether the meeting had been cancelled or postponed. The Contracts Manager confirmed that on rare occasions meetings do have to be postponed due to unforeseen circumstances.

The Programme Manager verifies a sample of information from the performance reports produced by the contractor and cross references to internal data and details on LAGAN. Any issues are captured in the minutes of the performance meetings; however, no evidence is retained of the sample of cases selected and verified to internal data; only details of exceptions are recorded.

The performance reports received from the contractor include failures relating to Street Cleansing Tasks (Tasks 15 to 24). Although there is monitoring of these Tasks in respect of the Key Performance Indicators (KPIs), there is no verification of the contractor’s reported failures for these Tasks back to internal data or inspection results. Therefore full reliance is placed on the contractor’s data when monitoring performance failures for street cleansing and determining whether thresholds have been exceeded and penalties should be applied.

For each of the household waste collection service and household recycling collection service additional payments are due for every block of 500 additional properties. For garden waste collection service the additional payments are due for every block of 100 additional properties. The unit prices for each 500 or 100 block of properties were stated in the contract and the incremental increases are adjusted for indexation each year.

The additional properties price increase is calculated each year using a spreadsheet. The annual price is increased to take into consideration the number of additional properties added during the preceding year. Review and testing of the calculations for additional properties for waste, recycling and for garden waste collection services identified various errors, some of which go back a number of years and therefore have had a knock-on effect on the price calculations for subsequent years and also impact on the calculation of the annual variation for increases throughout each year.


Due to the complexity of the spreadsheet calculations, these were reviewed in detail as part of the audit testing and the figures from the start of the contract were re-calculated. The audit calculations indicate that the net overpayment on total annual variations from the start of the contract amounts to £47,021.76 with the error first impacting on the 2012/13 figures. For the annual contract price calculations, the total net overpayment since the start of the contract amounts to £253,760.33.

Although adequate procedures are in place for issuing variations and payments are authorised, testing identified inaccuracies in the calculations of variation payments. The majority of these relate to the variations arising from the addition of properties for recycling and waste collection services and additional subscribers for garden waste collection services arising throughout the year as detailed above. Minor errors were also identified during testing for three out of a sample of ten other 2016/17 variation payments. These resulted in a net underpayment of £377.20.

For two of the ten Variation Orders (VOs) tested, incorrect details were shown on the actual VO. For one the service start date was incorrectly stated and for another the unit price had been rounded up to the nearest pound and the calculation of area multiplied by rate was incorrectly stated. However, for both of these the correct amounts had actually been paid.

3. Action Plan

Observation: 1. Audit review identified that no agenda or minutes were available for the June 2016 contract management meeting and there was no record in the minutes of the following meeting as to whether the meeting had been cancelled or postponed.
Risk: Inadequate governance arrangements leading to an inability to demonstrate compliance with contractual requirements.
Recommendation: 1. To ensure good governance arrangements are in place, if a meeting is cancelled or postponed this should be captured in the minutes of the next scheduled meeting together with the reasons for cancellation.
Priority: Low
Response/Agreed Action: Meetings rarely get postponed or cancelled due to sickness, holiday or other commitments. From now on a note of any rescheduled or postponed meetings will be captured as part of the following meeting to reflect this.
Officer Responsible: Contract Manager
Action Date: October 2017

Observation: 2. The Programme Manager verifies a sample of information from the performance reports produced by the contractor and cross references to internal data and details on LAGAN. However no evidence is retained of the sample of cases selected and verified to internal data; only details of exceptions are recorded.
Risk: Lack of audit trail to demonstrate effective performance monitoring in respect of Local Performance Indicators.
Recommendation: 2. Evidence should be retained of the sample of cases selected from the contractor’s performance data that is verified to internal data as part of the monitoring of Local Performance Indicators (LPIs).
Priority: Low
Response/Agreed Action: Since September 2017 the cases used as samples for cross-checking are recorded and minuted as part of the Performance meeting to ensure data quality and effective performance monitoring. Action complete.
Officer Responsible / Action Date: N/A

Observation: 3. The performance reports received from the contractor include failures relating to Street Cleansing Tasks (Tasks 15 to 24); there is no verification of the contractor’s reported failures for these Tasks back to internal data or inspection results.
Risk: Inadequate performance monitoring arrangements leading to a lack of verification of performance failures and appropriate financial penalties not being enforced.
Recommendation: 3. Processes should be established for verification of the contractor’s reported failures on Street Cleansing Tasks.
Priority: Medium
Response/Agreed Action: Contractor now provides the individual transect data to allow checking to take place. Frequently areas are brought up to contract standard before Council Officers have the opportunity to inspect. Additionally, independent street cleansing inspections are carried out monthly as part of the KPIs monitoring. Action complete.
Officer Responsible / Action Date: N/A

Observation: 4. Review and testing of the calculations for additional properties for waste, recycling and for garden waste collection services identified various errors, some of which go back a number of years and therefore have had a knock-on effect on the price calculations for subsequent years and also impact on the calculation of the annual variation for increases throughout each year. The audit calculations indicate that the net overpayment on total annual variations from the start of the contract amounts to £47,021.76 with the error first impacting on the 2012/13 figures. For the annual contract price calculations, the total net overpayment since the start of the contract amounts to £253,760.33.
Risk: Inadequate arrangements to ensure that all payments due under the terms of contract are calculated correctly and made appropriately leading to over payments being made.
Recommendation: 4.1 The annual price calculations and the annual variation calculations need to be checked for each contract year (since the commencement of the contract) against the recalculated figures and then compared to actual amounts paid to confirm the value of the total overpayments and then appropriate action needs to be taken to recover the overpaid amount from the contractor. 4.2 Procedures should be put in place to ensure that the annual price and end of year variation calculations are checked for accuracy by the Head of Cleansing and Open Spaces, prior to the orders being raised and the invoices being paid.
Priority: High
Response/Agreed Action: 4.1 In progress, all invoices and credit notes from previous contract years reconciled against subscriber numbers (garden waste) and number of properties (refuse and recycling). Once the outcome of the reconciliation exercise is completed, negotiations will take place in order to recover overpaid sums. 4.2 Once the end of year calculations for additional properties and subscribers are completed at year end by the Programme Manager they will be scrutinised and signed off by the Head of Service prior to authorisation of any payments.
Officer Responsible: 4.1 Programme Manager and Head of Cleansing and Open Spaces; 4.2 Programme Manager and Head of Cleansing and Open Spaces
Action Date: 4.1 November 2017; 4.2 April 2018

Observation: 5. Testing identified inaccuracies in the calculations of variation payments. The majority of these relate to the variations arising from the addition of properties for recycling and waste collection services and additional subscribers for garden waste collection services arising throughout the year (as detailed above). Minor errors were also identified during testing for three out of a sample of ten other 2016/17 variation payments.
Risk: Inadequate arrangements to ensure that all variation payments due under the terms of contract are calculated correctly and made appropriately leading to inaccurate or over payments being made.
Recommendation: 5. As per recommendation 4.1 above, appropriate action should be taken to recover the net overpaid amount for the annual variation for 2016/17 from the contractor. The recalculated amount should incorporate the net underpayment of £377.20 that is attributable to the inaccurate calculations for the three VOs identified during audit testing.
Priority: Medium
Response/Agreed Action: 5. All variations for 2016/17 will be reconciled against payments made. Any overpayments will be included in the negotiations to recover overpaid sums.
Officer Responsible: Programme Manager and Head of Cleansing and Open Spaces
Action Date: November 2017

Observation: 6. For two of the ten Variation Orders (VOs) tested, incorrect details were shown on the actual VO. For one the service start date was incorrectly stated and for another the unit price had been rounded up to the nearest pound and the calculation of area multiplied by rate was incorrectly stated.
Risk: Inaccuracies in the information recorded on agreed variation documentation resulting in discrepancies between details in the contract, authorised documentation and payment calculations.
Recommendation: 6. The details stated on the actual VO documents should be checked prior to authorisation to ensure that they are accurate.
Priority: Low
Response/Agreed Action: 6. New Variation orders to be signed off by the Programme Manager and Contract Manager before being actioned.
Officer Responsible: Contract Manager and Programme Manager.
Action Date: October 2017

Charnwood Lifeline 2017/18

1. Background

Charnwood Lifeline is an emergency response service which provides 24 hours a day, 7 days a week support to vulnerable or elderly residents. The service is available to anyone who would like that extra reassurance or assistance in case of an emergency. Private residents are given a wearable pendant and lifeline alarm unit, to be activated in the event of an emergency but this service is also accessed by residents in our sheltered accommodation, as all flats are fitted with a warden call system which is linked to the Control Centre. The Control Centre is based in Victoria Place, Loughborough and the management of the Lifeline Service falls under the responsibility of Landlord Services; within the Housing, Planning & Regeneration and Regulatory Services Directorate. The expected budgeted income for 2017/18 is £157,900.

2. Executive Summary

2.1 Overview

Assurance

ASSURANCE RATING – MODERATE ASSURANCE

CORPORATE SIGNIFICANCE – HIGH

Internal Audit can give moderate assurance to those charged with governance. Whilst there are no serious weaknesses in the internal control environment within the areas reviewed, there is a need to further enhance controls and to improve the arrangements for managing risks.

Based upon the work undertaken, the procedures in place for the collection and recording of income and handling of complaints are satisfactory. However when the Sheltered Housing Warden and Lifeline Services were reviewed in July 2015 in preparation for funding received under the Supporting People regime ceasing, one of the key risks identified was in relation to actual income being lower than estimated. In the Cabinet report produced following the review, two actions were identified to manage the risk i.e. regular monitoring of income and marketing of the service. Our work has found that no formal monitoring is undertaken on income levels and although a communications and marketing plan was produced this was closed in July 2017 with some tasks outstanding. There is currently no marketing plan in place.

In addition, it was found that training records were inconsistent and incomplete in some cases and safeguarding training was not up to date for all employees.

Corporate Significance

The area reviewed has been rated as being of high corporate significance, on the basis of:

Service failures would have significant impact on customers

Risk of serious reputational damage (national press/TV)

Major health and safety risk (serious injury or death)

2.2 Key Findings

We are pleased to report that the procedures in place incorporate the following examples of good practice:

There are satisfactory procedures in place for the collection and recording of income.

Appropriate corrective action is taken following the receipt of a complaint to prevent the incident reoccurring.

Complaints were dealt with in accordance with the policy and were acknowledged promptly. There is sufficient information available to controllers to ensure callers receive the appropriate care or support.

Connections and Disconnections monitoring data is presented to the Landlord Services Management Team.

However, from the work undertaken during the review, we have also identified the following areas where there is scope for improvement to ensure that the system operates more effectively and efficiently:

Only 2 out of 9 officers have current safeguarding training (required every 3 years) to the appropriate level.

The recent communications and marketing plan was not completed and was closed in July and no new plan has been put in place as per the proposed mitigating action in the Cabinet report (09.07.15).


Testing completed on training records has revealed some inconsistencies and incompleteness of the training records held.

The sign up form and support plan used for the gathering of information do not contain a declaration for the customer to confirm that the information is factual and that the onus is on them to ensure the Council have the most up to date information

No income monitoring is being undertaken to ensure the cost of providing the service is covered and that charges to customers are appropriate

3. Action Plan

Observation Risk Recommendation Priority Response/Agreed

Action Officer

Responsible Action Date

1. Only 2 out of 9 officers have current safeguarding training (required every 3 years) to the appropriate level.

Officers are not equipped to recognise possible safeguarding issues. The Council do not fulfil their legal and statutory duties.

1. Management monitor safeguarding training as part of the Personal Review process to ensure individuals have the appropriate level of current training.

Medium This will be discussed in the current round of Personal Reviews (Sep – Dec 2017). Arrangements will be made for Officers to complete the appropriate level of Safeguarding training, which will be monitored by the Team Leader to ensure it is kept up to date.

Lifeline Team Leader

Dec 2017

2. The recent communications and marketing plan was not completed and was closed in July and no new plan has been put in place as per the

Income is not maximised.

2. A revised communication and marketing plan is put in place to include actions where there is a particular marketing

Medium A revised communications and marketing plan will be discussed and agreed with the Communication Team

Lifeline Team Leader

Dec 2017

18

19

Observation Risk Recommendation Priority Response/Agreed Action

Officer Responsible

Action Date

proposed mitigating action in the Cabinet report (09.07.15).

needs based on the monitoring undertaken (for example, the decline in income from supported tenants).

and then implemented.

3. Testing completed on training records has revealed some inconsistencies and incompleteness of the training records held.

The appropriate procedures and policies may not be followed putting customer at risk.

3.1. Procedures are put in place to ensure training documentation is complete, with all aspects completed and completion dates recorded. 3.2 Management review training documentation to ensure it is fit for the purpose intended and version control in put in place

Medium

Low

Training documentation will be updated and completed. Updated training documentation will be reviewed and signed off by Management.

Lifeline Team Leader Principal Officer – Customer Engagement Older Persons Services

Nov 2017 Feb 2018

4. The sign up form and support plan, used for the gathering of information, do not contain a declaration for the customer to confirm that the information is factual and that the onus is on them to ensure the Council have the most up to date information.

Should an incident occur the Council may be held liable if inappropriate action was taken based on the information provided

4. A declaration is added to the support plan and sign up form to make it clear that the onus is on the customer to keep us informed of any relevant changes.

Low The support plan and lifeline agreement will be updated to include the declaration.

Lifeline Team Leader

Dec 2017

5. No income monitoring is being undertaken to ensure the cost of providing the service is covered and that charges to customers are appropriate.

Actual income is lower than estimated and the costs of the service are not met.

5. Management consider monitoring income to ensure income received covers the cost of the service going forward, in line with the risk management actions in the Cabinet report (09.07.15).

Low We will work with Finance to produce a report on the income for the service to support the regular monitoring of income.

Principal Officer – Customer Engagement Older Persons Services

Jan 2018

Management of Open Spaces Contract 2017/18

1. Background

The Council currently has in place a contract for the Management of Open Spaces, incorporating the green spaces and engineering services. The contract was awarded to Quadron Services Limited (who were taken over by idverde UK in 2016) and commenced on 1st April 2014. It was awarded for a period of ten years with the option of two extension periods, each of five years. The budgeted contract cost for 2017/18 is £1,404,523. The contract is monitored by staff within the Cleansing and Open Spaces service of the Neighbourhoods and Community Wellbeing Directorate.

2. Executive Summary

2.1 Overview

ASSURANCE RATING – MODERATE ASSURANCE

CORPORATE SIGNIFICANCE – HIGH

Assurance

Internal Audit can give moderate assurance to those charged with governance. Whilst there are no serious weaknesses in the internal control environment within the areas reviewed, there is a need to further enhance controls and to improve the arrangements for managing risks.

Based on the audit work undertaken during the review, contract management procedures, arrangements to ensure payments due under the terms of the contract and procedures for issue and authorisation of variations were found to be satisfactory. It was however identified that there are inadequate arrangements in place for monitoring the contractor’s performance against agreed Local Performance Indicators (LPIs). This is due to a lack of an interface between the contractor’s Performance Monitoring System and LAGAN, the Council’s Customer Relationship Management (CRM) system.


The quality of the data available for monitoring of LPIs cannot be relied upon and therefore the penalties that potentially should have been incurred for exceeding thresholds set for LPIs have not been calculated and enforced and potential income due from penalties is not being collected.

Corporate Significance The area reviewed has been rated as being of HIGH corporate significance, on the basis of:

General risk of financial loss greater than £100,000

Service failures would have significant impact on customers

Risk of serious reputational damage (national press/TV)

2.2 Key Findings

We are pleased to report that the procedures in place incorporate the following examples of good practice:

There is a signed contract held by Legal Services and electronic copies are maintained by the service.

Monthly Contract Management meetings are held with representatives from the Council and the contractor, the meetings are minuted and any actions arising are documented and followed up at subsequent meetings.

The contractor provides a monthly contract report which includes Health and Safety information, performance management data, details of compliments and complaints, details of the work programme, funding applications and volunteering partnerships.

Arrangements are in place to ensure that payments due under the terms of contract for the basic contract price are correctly calculated, authorised and paid.

Adequate procedures are in place for issuing variations and associated payments are correctly calculated and authorised in accordance with the schedule of rates in the contract.

However, from the work undertaken during the review, we have also identified the following areas where there is scope for improvement to ensure that the system operates more effectively and efficiently:

Procedures are in place for the verification of reported performance for Key Performance Indicators (KPIs) back to the contractor’s summary records and supporting source data. However, audit testing of the KPI figures for April 2016 and October 2016 identified a number of issues and areas where the procedures could be strengthened. The following issues were identified:


- KPI 1 Percentage of successful inspections - the April 2016 reported performance (86%) did not agree to the supporting records provided by the contractor (82% against a target of 84%).

- KPI 1 Percentage of successful inspections and KPI 4 Percentage of successful Health and Safety inspections - It was not possible to check reported performance back to source data as the inspection record sheets were not being retained by the contractor.

- KPI 2 Number of volunteering hours worked - The reported performance for October 2016 did not agree to the supporting records, the discrepancies were due to timing differences.

- KPI 3 Percentage of satisfied customers – It was not clear from the supporting summary spreadsheet how performance had been calculated.

- KPI 8 Number of Resident/ Customer Champions trained and active - The figures are not verified to supporting records.

- KPI 9 No. of apprentices - the April 2016 reported performance (6 apprentices) did not agree to the supporting records (5 apprentices). It is not explicit within the contract whether the measure and target relate to apprentices at the end of the year, average throughout the year, maximum at any point during the year etc. Whether the KPI target for the year is achieved or not is therefore subjective. This is also the case for KPI 8 and the number of Resident/ Customer Champions trained and active.

Due to the lack of an interface between LAGAN (the Council’s Customer Relationship Management System) and the contractor’s systems there are inadequate arrangements in place for the monitoring of Local Performance Indicators (LPIs) and therefore expected levels of service as set out within the contract may not be achieved.

The current process requires a considerable amount of administrative time and therefore is not considered to be efficient and does not necessarily provide assurance that sub-standard performance is rectified within the specified timescales. Review of the spreadsheets that record completion dates for tasks identified that there are issues with the quality of the data recorded on them and the process is not operating effectively to enable performance to be monitored for the LPIs. From the data captured on the spreadsheets it is not possible to accurately determine whether thresholds for service failures have been exceeded. When the contract was awarded it was anticipated that there would be an IT interface between LAGAN and the contractor’s CRM, to enable timely transfer of information and the updates relating to case completion to be automated. This requirement is included in the contract documentation.


Discussions with the service and review of the minutes from the contract monitoring meetings identified that the interface is yet to be developed. Initially the contractor was asked to put development work on hold to allow for a LAGAN upgrade to be implemented. The Programme Manager advised that subsequent to that, although there are on-going discussions with the contractor regarding an interface with LAGAN, input is required from the LAGAN Development Team to fulfil this requirement and due to prioritisation of other projects the interface work has been put on hold.

Schedule 5 of the contract sets out the weekly penalty per point for ‘service failures’ above the set threshold for each LPI associated with the contracted tasks. As detailed above the arrangements for monitoring of the LPIs are inadequate due to a lack of an interface between LAGAN and the contractors’ systems. The quality of the data (accuracy and completeness) in respect of timeliness of completion of individual jobs raised in response to LAGAN cases cannot be relied upon and therefore the penalties that potentially should have been incurred for LPIs have not been calculated and enforced. Therefore potential income due from penalties is not being collected.

3. Action Plan

Observation Risk Recommendation Priority Response/Agreed Action

Officer Responsible

Action Date

1. Procedures are in place for the verification of reported performance for Key Performance Indicators (KPIs) back to the contractor’s summary records and supporting source data. However, audit testing of the KPI figures for April 2016 and October 2016 identified a number of issues and areas where the procedures could be strengthened.

Poor performance and non-achievement of performance targets may not be identified.

1. Management should agree and document the approach to be adopted for verification of the reported performance for each of the KPIs. The approach should include frequency of checks, the sampling methodology to be applied and the rationale for this and clarification of what constitutes achievement of targets where this is not explicit within the contract. The approach should then be consistently applied.

Medium A protocol will be developed outlining the methodology for calculating each of the KPIs – Effort to be proportional to the impact each of the KPIs have for the Council. The protocol will be developed by March 2018 so that it can be implemented from April 2018 for year 5 of the contract. The Service will request input from Audit to ensure that any proposals are proportionate and adequate.

Head of Cleansing and Open Spaces, Programme Manager and Contracts Manager.

March 2018

2. Due to the lack of an interface between LAGAN (the Council’s Customer Relationship Management System) and the contractor’s systems there are inadequate arrangements in place for the monitoring of Local Performance Indicators (LPIs) and therefore expected levels of service as set out within the contract may not be achieved.

Expected levels of service as set out within the contract are not achieved and sub-standard performance is not rectified.

2. Management should ensure that the interface between LAGAN and the contractor’s CRM is developed and put in place by the contractor in order to meet contractual obligations.

Medium The lack of interface has been raised since the upgrading of the Council’s CRM system (LAGAN). The work required is currently being scheduled in to the Customer Experience service’s work programme. The interface project is to be scheduled by the end of March 2018. This project will start by assessing the scope and specific requirements for developing the interface. Decisions will be made based on the outcome of the assessment. There is ongoing conversation between the Head of Cleansing and Open Spaces and the Head of Customer Experience.

Head of Cleansing and Open Spaces

March 2018

3. The arrangements for monitoring of the LPIs are inadequate due to a lack of an interface between Lagan and the contractors’ performance monitoring system. The quality of the data (accuracy and completeness) in respect of timeliness of completion of individual jobs raised in response to Lagan cases cannot be relied upon and therefore the penalties that potentially should have been incurred for LPIs have not been calculated and enforced.

Potential income due from penalties is not being collected.

3. Procedures should be put in place to ensure that penalties arising in respect of performance against LPIs are calculated and deducted from payments in accordance with the terms of the contract.

Medium As per response to recommendation 2 above.

Head of Cleansing and Open Spaces

March 2018

APPENDIX C

SUMMARY OF FINAL IT REPORTS ISSUED

Key ICT Controls 2016-17

1. Background

In accordance with the annual ICS audit plan an audit was undertaken to provide assurance that Key IT Controls are operating effectively at Charnwood Borough Council. This audit was undertaken by Leicestershire County Council (working for and in conjunction with Charnwood Borough Council Internal Audit) covering the period 1 April 2016 to January 2017. The audit focuses on the key in-scope applications, which are:

Operating System/ Network

Agresso (Financials)

iTRENT (Payroll/ HR)

2. Executive Summary

2.1 Overview

ASSURANCE RATING: SUBSTANTIAL

CORPORATE SIGNIFICANCE: HIGH

Assurance Internal Audit can give moderate assurance to those charged with governance. Whilst there are no serious weaknesses in the internal control environment within the areas reviewed, there is a need to further enhance controls and to improve the arrangements for managing risks.

Although important recommendations to bring about improvements have been made, none of these have a ‘high’ priority rating signifying that a particularly serious control weakness has been identified.

Corporate Significance

The area reviewed has been rated as being of high corporate significance, on the basis of:

Service failures would have significant impact on customers

Risk of serious reputational damage (national press/TV)

Direct link to identified strategic risks

2.2 Key Findings

We are pleased to report that the procedures in place incorporate the following examples of good practice for the sample of connections tested as part of the review:

There is now a formal ICS Strategy in place

There is a centralised list of all key applications and associated Systems Administrators

There is a formal Information Security Risk Assessment process (RIS1) in place to assess information and technical risks in key applications and ICS solutions

Antivirus and malware protection is operating as intended

PSN services sit on a separate part of the ICS network

Independent Penetration Tests have been undertaken and action has been taken to address the recommendations

Backups are being run to schedule and any errors are being detected and resolved

New Starters are being set up on the network and key applications promptly and with line manager approval

Leavers are being promptly removed from the network and key in scope systems

A process is in place to ensure privilege user accounts for Agresso and iTRENT are based on business need


The IT Service Delivery Manager has confirmed that ICS and the Agresso and iTRENT Systems Administrators are not able to make direct changes to application code for the two in scope applications

However, from the work undertaken during the review, we have also identified the following areas where there is scope for improvement to ensure that the system operates more effectively and efficiently and with more robust controls:

Appraisal reviews to highlight development and training needs have not been undertaken for ICS staff

SOCITM surveys are no longer being completed and ICS Performance Indicators for 2016/17 have not been reported to Management.

The new Service Manager tool currently does not provide user satisfaction information.

There is no operational ICS risk register at present. This area has been highlighted within previous audits.

The ICT Infrastructure Policy has been updated; however there are other ICS policies e.g. Information Security Policy etc. that are in need of a review and update.

There is no on-site generator, so it has to be ordered in externally. If there is an outage this could take time which could mean services and systems may remain unavailable until a generator is sourced or power is restored and there is no guaranteed delivery time. An on-site generator would mean that the generator would automatically activate during the power outage leading to more seamless continuity of services. At the time of the audit a generator and maintenance plan was in the process of being procured.

There are some users who are registered home workers who have not logged on remotely for a significant period. These need to be reviewed and access removed where it is no longer required.

Controls need to be tightened in respect of the guest Wi-Fi e.g. at present the connectivity is not time limiting and the generic password has not been changed for over a year.

There is a scheduled batch on iTRENT called “Workflow Audit Cleardown” to run monthly, however this has not been run since May 2014.


Initial testing was undertaken when the DR link was set up with Leicester City Council, however a full end to end DR test should be considered

Network password controls have been amended to follow latest NCSC guidance, however the password controls have been over relaxed

614 accounts have not been logged into for over 90 days which needs to be reviewed to see if any of these accounts can be disabled.

No system testing information was documented and retained for the upgrade to the new service desk tool.

Call information (e.g. service requests, change requests, incident information) has not been migrated onto the new service desk management tool and the old system was decommissioned in a month and a half of the old system being made live.

Change requests are no longer assigned an impact and priority score like they were previously when SupportWorks was in use. This functionality is available in the new system.

3. Action Plan

Observation Risk Recommendation Priority Response/Agreed Action

Officer Responsible

Action Date

1. Appraisal reviews to highlight development and training needs have not been undertaken for ICS staff.

Staff may not be sufficiently trained to undertake ICS related tasks.

Senior Management should ensure that appraisal reviews are undertaken for all ICS staff.

L Agreed – appraisals undertaken.

N/A N/A – Action Completed

2. SOCITM surveys are no longer being completed and ICS Performance Indicators for 2016/17 have not been reported to Management. It is important that a mechanism exists to report on ICS performance to management.

ICS Performance may not be monitored and any problems in performance may not be resolved promptly.

ICS should agree with Senior Management a suite of ICS performance indicators that should be regularly reported to management and how ICS will be monitored against these.

L Performance indicators are in place and now being put onto Spotlite

N/A N/A – Action Completed

3. The new Service Manager tool currently does not provide user satisfaction information.

ICS performance is not monitored and lack of service improvement as a result.

ICS should configure the new ‘Service Manager’ tool to capture user satisfaction data.

L Now added in and will be in place by May

ICT Service Delivery Manager

May 2017

4. There is no operational ICS risk register at present. This area has been highlighted within previous audits.

Key ICS related risks may not be managed e.g. mitigating controls may not be implemented. Furthermore key ICS risks may not feature on the Strategic and Corporate risk registers.

Consideration should be given to developing an operational ICS risk register to include risks specific to CBC ICS.

L Agreed – will be considered with the Head of Customer Experience.

N/A N/A – Action Completed

5. The ICT Infrastructure Policy has been updated, however there are other ICS policies e.g. Information Security Policy etc. that are in need of a review and update.

Inadequate protection from organisational policies.

ICS should ensure that the ICS policies dated 2015 are reviewed and updated where required

L Agreed ICT Service Delivery Manager

Dec 2017

6. There is no on-site generator, so it has to be ordered in externally. If there is an outage this could take time which could mean services and systems may remain unavailable until a generator is sourced or power is restored. An on-site generator would mean that the generator would automatically activate during the power outage leading to more seamless continuity of services.

It may take time to get a generator on site if it has to be ordered externally leading to services and systems being unavailable in the meantime.

Consideration should be given to purchasing an onsite generator for ICS now that funding has been approved.

L Agreed – Action completed, on site generator is in operation.

N/A – Action Completed

N/A – Action Completed

7. There are some users who are registered home workers who have not logged on remotely for a significant period. These need to be reviewed and access removed where it is no longer required.

Financial costs of providing remote access to users. Unauthorised access to CBC systems.

ICS should determine timescales for the removal of users registered as homeworkers who have not logged onto the system using their tokens for a significant period and ensure that these users are removed from the system.

L Not agreed – Users are required to apply and be approved for homeworking and to confirm agreement and understanding of the Mobile Working policy. Annual sign up to the Mobile Working Policy is being introduced from this year.

N/A N/A

8. Controls need to be tightened in respect of the guest Wi-Fi e.g. at present the connectivity is not time limiting and the generic password has not been changed for over a year.

Wi-Fi password easily compromised. Unauthorised access.

ICS should ensure that controls are strengthened around access to the guest Wi-Fi.

L Agreed ICT Service Delivery Manager

April 2018

9. There is a scheduled batch on iTRENT called “Workflow Audit Cleardown” to run monthly, however this has not been run since May 2014.

Tasks may not be run. Consequences of not running the batch are unknown.

A decision should be made on whether this bug should be fixed or whether this batch run should be made inactive if it is no longer in use subject to dialogue with the software vendor.

L Agreed – the issue has been resolved.

N/A – Action Completed

N/A – Action Completed

10. Initial testing was undertaken when the DR link was set up with Leicester City Council, however a full end to end DR test should be considered.

Financial and reputational costs associated with service unavailability as a result of systems being unavailable.

A full end to end DR test should be considered to ensure that key systems, applications and data can be recovered in the event of a disaster.

L Agreed. This will be tested in 2017/18

ICT Service Delivery Manager

February 2018

11. Network password controls have been amended to follow latest NCSC guidance; however the password controls have been over relaxed.

Unauthorised access to the network through weak password controls.

Consideration should be given to re-introducing more stringent password controls. Once this has been undertaken, the Information Security Policy should be updated to reflect this. If a decision is taken to use the new more relaxed password configurations any associated risks should be formally accepted and signed off by Senior Management.

L Not agreed – reasons have been explained to the Auditor.

N/A N/A

12. 614 accounts have not been logged into for over 90 days which needs to be reviewed to see if any of these accounts can be disabled.

Unauthorised access to the network.

A review should be undertaken of the accounts that have not been logged into for 90 days and also the accounts that have never been logged into, to determine if any of these accounts can be disabled.

L Agreed. ICT Service Delivery Manager

Jan 2018

13. No system testing information was documented and retained for the upgrade to the new service desk tool.

Areas to be tested may have been missed. Issues may not have been resolved. System may not meet requirements.

For future upgrades and system implementations within ICS, testing undertaken should be formally documented.

L Agreed. ICT Service Delivery Manager

Ongoing – no specific implementation date

14. Call information (e.g. service requests, change requests, incident information) has not been migrated onto the new service desk management tool and the old system was decommissioned in a month and a half of the old system being made live.

Unable to track call details if there was an issue with a recent call (say in the last 6 months).

Consideration should be given to establishing timescales for the decommissioning of old systems.

L Agreed – timescales will be established on a system specific basis.

N/A – Action Completed

N/A – Action Completed

15. Change requests are no longer assigned an impact and priority score like they were previously when SupportWorks was in use. This functionality is available in the new system.

Urgent changes may not be prioritised. The level of impact a change may have may not be considered.

Consideration should be given to introducing an impact and priority score to each of the change requests.

L Not agreed – facility not within the service desk system but priority considered for each case on an individual

N/A N/A

Software Compliance 2016-17

1. Background

Software Asset Management (“SAM”) is a business practice involving the managing and optimisation for the purchase, deployment, maintenance, utilisation and disposal of software applications within an organisation. ITIL (IT Infrastructure Library) best practice defines SAM as:- “All of the infrastructure and processes necessary for effective management control and protection of software assets throughout all stages of their lifecycle”. The aim of SAM is to reduce IT costs and limit business and legal risk relating to the ownership and use of software while maximising IT response and end user productivity.

2. Executive Summary

2.1 Overview

ASSURANCE RATING: MODERATE

CORPORATE SIGNIFICANCE: MEDIUM

Assurance Internal Audit can give moderate assurance to those charged with governance. Whilst there are no serious weaknesses in the internal control environment within the areas reviewed, there is a need to further enhance controls and to improve the arrangements for managing risks.


Corporate Significance

The corporate significance of this audit has been assessed as MEDIUM on the basis of:

General risk of financial loss between £10,000 and £100,000

Potential cases of fraud or corruption up to £10,000

Service failures would have moderate impact on customers

Risk of moderate reputational damage (local press)

Direct link to identified corporate/operational risks

2.2 Key Findings

We are pleased to report that the procedures in place incorporate the following examples of good practice:

The software maintenance lifecycle is documented within the Information Security Policy

Quarterly reconciliations are undertaken by Phoenix Ltd for the Microsoft Licences

The use of VDI prevents users being able to upload software onto their workstations

Controls are in place for installation of software onto VDI

Users are logged out after a period to prevent duplicate VDI sessions running as the licence works on the number of concurrent connections rather than the number of installs.

However, from the work undertaken during the review, we have also identified the following area where there is scope for improvement to ensure that the system operates more effectively and efficiently:

The Information Security Policy does not contain any information on the removal and disposal of software.

Software information is not recorded on the Hornbill Service Desk Management System.

There are discrepancies in the Microsoft licence reconciliation undertaken by Phoenix Ltd that need to be investigated.


Licence information for applications was difficult to locate or was not available at the time of the audit.

Reconciliation of licence entitlement vs the quantity in use/ number of installs is not undertaken for applications

3. Action Plan

Observation Risk Recommendation Priority Response/Agreed Action

Officer Responsible

Action Date

1. The Information Security Policy does not contain any information on the removal and disposal of software.

Inadequate protection from organisational policies.

Consideration should be given to including a section on the removal and disposal of software within the Information Security Policy.

Low Agreed – a section will be included in the policy.

ICT Service Delivery Manager

December 2017

2. Software information is not recorded on the Hornbill Service Desk Management System.

Over/under utilisation of licences may go undetected

ICT Services should consider the feasibility of holding software licence header information within the Hornbill Service Desk Management System

Low Agreed. We will be holding header information regarding software in Hornbill/Service Manager (e.g. licence entitlement, licence conditions, etc).

ICT Service Delivery Manager

April 2018

3. There are discrepancies in the Microsoft licence reconciliation undertaken by Phoenix Ltd that need to be investigated.

Breach of licensing agreement

The anomalies highlighted from the reconciliation undertaken for the Microsoft licences by Phoenix Ltd should be investigated and action should be taken to rectify the issues identified.

Medium This will be addressed by the Software review Audit scheduled for November. The results are likely to be in place for April 2018.

ICT Service Delivery Manager

April 2018

4. Licence information for applications was difficult to locate or was not available at the time of the audit.

Breach of licensing agreement

Licence agreements for all applications should be located and retained by the relevant sections or if feasible this information should be maintained centrally.

Medium This will be addressed with the ICT Users group as different service areas are responsible for their own software contracts/budgets

ICT Service Delivery Manager/ ICT User group

May 2018

5. Reconciliation of licence entitlement vs the quantity in use/ number of installs is not undertaken for applications

Over/under utilisation of licences may go undetected

Consideration should be given as to whether a process for the reconciliation of application licences should be undertaken on an ad-hoc basis

Low Agreed. Will be undertaken in conjunction with Recommendation 2.

ICT Service Delivery Manager

June 2018


Appendix D Follow Ups: Recommendations Not Implemented By the Agreed Date as at 30th September 2017

Audit Observation Recommendation Priority Agreed Action Agreed Date Responsible Officer Comments

Payment Card Industry – Data Security Standard (PCI-DSS)

1. The Roles and Responsibilities for PCI DSS compliance have not been formally approved.

1.1 Consideration should be given to the ICT Steering Group being tasked with formally approving the Roles and Responsibilities for PCI DSS Compliance.

Low The roles and responsibility will be agreed between the Head of Customer Experience and the Director of Corporate Services.

June 17 Revised to Sept 17, Dec 17.

Head of Customer Experience

Oct 2017 - Partially Implemented. The ICT Steering Group will be requested to give approval at their next meeting, to be held late November/early December. Action date deferred to December 2017.

3. The responsibility for completing the SAQ assessments has not been formally assigned.

3.1 The responsibility for the completion and submission of SAQs should be formally assigned and approved by the ICT Steering Group.

Low The assignment of this role will be discussed and agreed between the Head of Customer Experience and the Director of Corporate Services. The role will then be assigned to an individual.

June 17 Revised to Sept 17, Dec 17.

Head of Customer Experience

Oct 2017 – Partially implemented. Explanation as for Rec.1 above.

Governance and Ethics 2017-18

4. Whilst identifying processes, systems and documentation that can be used to demonstrate good governance, a number of observations were made and issues were identified in respect of the quality of some of the evidence available.

4. Management should review the table of observations and issues included within this report and determine appropriate action required to address the concerns. In particular the key documents and information published on the website should be reviewed to ensure that the most current and up to date versions are made available.

Medium

The key documents on the website will be reviewed and updated where required.

Sept 17 Revised to Dec 17

Head of Strategic Support

October 2017 - Partially Implemented. Some of the issues identified and key documents specifically highlighted in the report as requiring updates have been addressed. There is information published on the website under the publication scheme, in particular policies and procedures that require review by service areas to ensure that they are the current versions. The Communications Manager will request that CMT review the documents that relate to their areas and provide updates as appropriate so that changes can be made to the website. The due date has therefore been deferred to December 2017.