Agenda item

Internal Audit Progress Report


(a)       That the report be accepted; and


(b)       That Members are assured that the remedial actions identified on GDPR have and will, if implemented, address the control weaknesses identified.


The Internal Audit Manager presented the update on progress of the Internal Audit department including changes to the audit plan, action tracking and investigations.  As requested at the recent facilitation workshop, an overview of audit assurances was now included within this report.


Since June 2018, three ‘Amber Red’ or ‘Some’ assurance opinions had been issued for Pension Administration, the Joint Corporate Procurement Unit and Payroll.  Due to concerns from the Chair and Vice-Chair about outstanding actions on the latter, the Senior Manager, Human Resources & Organisational Development and Employment Services Manager were in attendance to provide a further update.


The Senior Manager gave assurance that good progress had been made on the actions since the report was produced.  She explained that many of the actions consisted of multiple elements of which most had been completed and that the Payroll team had allowed for a period of testing to satisfy themselves that actions were robust and effective, before formally signing off.  She went on to report on further improvements achieved by consolidating databases into one.


Sally Ellis explained that the concerns had arisen from some issues outstanding from the 2016/17 audit, particularly those with financial implications, and that it would be helpful for the Committee to be notified of completion dates.  The Employment Services Manager advised that the two which remained outstanding related to documented procedures and performance indicators.  Good progress had been made on both and the due date had been extended until the end of March 2019 to ensure that outcomes were acceptable for the next audit.


The Chief Executive spoke about significant workload implications in Payroll to deal with changes in recent years.  He said that officers would agree on realistic completion dates and advise the Chair and Vice-Chair accordingly.


During the period, one ‘Red’ or ‘Limited’ assurance opinion had been issued for General Data Protection Regulations (GDPR).  The audit had been undertaken in March 2018 in preparation for implementing the new regulations in May.  The Senior Auditor summarised the aim of the new regulations on which compliance had been addressed through five work-streams.  She gave assurance that implementation across the Council had been prioritised by Chief Officers and Senior Managers, with progress underway on action plans for each portfolio.  A range of positive actions had been taken including the appointment of a dedicated Compliance Officer and the key role of the Information Governance team, together with extensive training and communications to the workforce.  The overall audit opinion reflected the uncertainty in relying on third party suppliers to give assurance that their systems complied with GDPR.


The Chief Officer (Governance) provided an update on actions to address each of the audit findings, as set out in the separate report on the agenda.  On the capability of externally provided software systems holding personal data to meet the obligations of GDPR, 61 were now either fully compliant or in the process of doing so, whilst work was continuing on the remaining seven which were viewed as low risk.  Good progress was also reported on the review of forms to clarify the use of personal data.


The Chief Executive spoke about the valuable contribution of the audit work in making significant progress to meet the scale of the GDPR regulations.


The Internal Audit Manager advised that the audit had also been beneficial in helping to identify potential efficiencies which could be explored in the future.


Councillor Peers raised a concern over the security of Members’ payslips placed in pigeonholes in Member Services, particularly outside working hours.  The Chief Officer said that whilst other options had been explored, the current practice of posting out sealed printed payslips was more cost-effective.  During discussion, he suggested that Members sharing the concerns may prefer to collect their payslips in person from the officers in Member Services.


In summarising the remaining sections of the progress report, the Internal Audit Manager explained that to reduce duplication on action tracking updates, those which were overdue and over six months were shown in Appendix G.  A separate update would be included in the next progress report on those actions which were not overdue but had a longer period since the original due date.


Councillor Dolphin questioned the level of capacity at Flintshire Connects centres to cope with demand, particularly during lunchtime periods.  The Chief Executive said it was not possible to comment on the example given on that particular day and that any concerns should be raised with the Chief Officer (Governance) for follow-up if required.  In response to concerns on Planning Enforcement, he suggested that any performance issues be referred to the Environment Overview & Scrutiny Committee.  He agreed to pursue an update on progress with the final version of the legal agreement for the Greenfield Valley Trust.


The Internal Audit Manager advised that the report reflected the priority ratings issued at the time of the audit and would remain unchanged during the action tracking process.


On Planning Enforcement, Councillor Peers said it was important for the audit to keep track of referral dates and not allow them to reach the expiry date when they could be written off.  In acknowledging the issues, the Chief Executive agreed to liaise with the Planning team and schedule an update report for the Committee.


The Chair asked that this topic also be considered by the newly formed Audit and Scrutiny Liaison Committee.


On the Operational Plan 2018/19, the Internal Audit Manager highlighted changes including the deferral of work on two areas where there was no current requirement.


The Chief Executive spoke about an increase in demand for advisory work by the Internal Audit team which was proving to be of value, as demonstrated in the testing of Method Statements on recent budget reports.




(a)       That the report be accepted; and


(b)       That Members are assured that the remedial actions identified on GDPR have and will, if implemented, address the control weaknesses identified.

Supporting documents: