Public Document Pack

Audit and Risk Management Committee

Date: THURSDAY, 20 SEPTEMBER 2012
Time: 11.00am
Venue: COMMITTEE ROOM - 2ND FLOOR WEST WING, GUILDHALL

Members:
Jeremy Mayhew (Chairman)
Alderman Ian Luder (Deputy Chairman)
Alderman Nick Anstee
Nigel Challis
Hilary Daniels (External Member)
Revd Dr Martin Dudley
Deputy Robin Eve
Oliver Lodge
Kenneth Ludlam (External Member)
Caroline Mawhood (External Member)
Jeremy Simons
Alderman Simon Walsh
Deputy Douglas Barrow (Ex-Officio Member)
Ray Catt (Ex-Officio Member)
Roger Chadwick (Ex-Officio Member)

Enquiries: Julie Mayer tel. no.: 020 7332 1410 [email protected]

Lunch will be served in Guildhall Club at the rising of the Committee

John Barradell
Town Clerk and Chief Executive

AGENDA

Part 1 - Public Agenda - **please note amended running order**

1. APOLOGIES

For decision

2. DECLARATIONS BY MEMBERS OF ANY PERSONAL OR PREJUDICIAL INTERESTS IN RESPECT OF ITEMS ON THIS AGENDA

For decision

3. STRATEGIC RISK 8 (SR 8) - MANAGING THE CITY CORPORATION'S REPUTATION Report of the Director of Public Relations For Information

For decision (Pages 1 - 6)

4. STRATEGIC RISK 10 (SR10) - ADVERSE POLITICAL DEVELOPMENTS UNDERMINING THE EFFECTIVENESS OF THE CORPORATION Report of the Remembrancer For Information

For decision (Pages 7 - 10)

Part 2 - Non-Public Agenda

5. EXCLUSION OF THE PUBLIC

That under Section 100(A) of the Local Government Act 1972, the public be excluded from the meeting for the following item on the grounds that it involves the likely disclosure of exempt information as defined in Part I of Schedule 12A of the Local Government Act.

For decision

6. SR8 - MANAGING THE CITY CORPORATION'S REPUTATION Report of the Director of Public Relations For information

For decision

7. SR10 - ADVERSE POLITICAL DEVELOPMENTS UNDERMINING THE EFFECTIVENESS OF THE CITY OF LONDON CORPORATION - TO FOLLOW Report of the Remembrancer For information

For decision

8. DUE DILIGENCE REVIEW

For decision

9. CORPORATE INVESTIGATION Report of the Chamberlain For Information

For decision (Pages 11 - 12)

Part 1 - Public Agenda (continued)

10. MINUTES OF THE PREVIOUS MEETING To agree the public minutes and summary of the meeting held on 24 July 2012.

For decision (Pages 13 - 18)

11. OUTSTANDING ACTIONS OF THE COMMITTEE Report of the Town Clerk

For decision (Pages 19 - 22)

12. ANNUAL AUDIT LETTER Report of the External Auditors For Information

For decision (Pages 23 - 32)

13. AUDIT AND RISK MANAGEMENT COMMITTEE EFFECTIVENESS REVIEW Report of the Town Clerk For Decision

For decision (Pages 33 - 56)

14. INTERNAL AUDIT REPORTING LINES AND TERMS OF REFERENCE Report of the Town Clerk and Chamberlain For Decision

For decision (Pages 57 - 68)

15. STAFF DECLARATIONS OF INTEREST AND THE BRIBERY ACT Report of the Town Clerk, Chamberlain and Comptroller and City Solicitor For Decision

For decision (Pages 69 - 76)

16. PUBLIC SECTOR INTERNAL AUDIT STANDARDS Report of the Chamberlain For Decision

For decision (Pages 77 - 158)

17. HEALTH AND SAFETY MANAGEMENT SYSTEMS Report of the Director of Human Resources For Information

For decision (Pages 159 - 166)

18. HEALTH AND SAFETY - TOP 10 RISK REGISTER Report of the Director of Human Resources For Information

For decision (Pages 167 - 174)

19. CHANGES TO PLANNING PROCESS UNDER THE LOCALISM ACT 2011 Report of Comptroller and City Solicitor and Director of Built Environment For Information

For decision (Pages 175 - 180)

20. RISK MANAGEMENT UPDATE Report of the Chamberlain For Decision

For decision (Pages 181 - 208)

21. INTERNAL AUDIT PLANNING 2013/14 Report of the Chamberlain For Decision

For decision (Pages 209 - 222)

22. INTERNAL AUDIT UPDATE REPORT Report of the Chamberlain For Information

For decision (Pages 223 - 244)

23. INTERNAL AUDIT RECOMMENDATIONS FOLLOW UP REPORT Report of the Chamberlain For Information

For decision (Pages 245 - 260)

24. INVESTIGATION ACTIVITY UP-DATE REPORT Report of the Chamberlain For Information

For decision (Pages 261 - 268)

25. APPOINTMENT OF NON LOCAL AUTHORITY FUNDS AUDITORS Report of the Chamberlain For Decision

For decision (Pages 269 - 272)

26. COMMITTEE WORK PROGRAMME Report of the Town Clerk.

For decision (Pages 273 - 274)

27. QUESTIONS ON MATTERS RELATING TO THE WORK OF THE COMMITTEE

For decision

28. ANY OTHER BUSINESS THAT THE CHAIRMAN CONSIDERS URGENT

For decision

Part 2 - Non Public Agenda (continued)

29. EXCLUSION OF THE PUBLIC That, under Section 100 (A) of the Local Government Act 1972, the public be excluded from the meeting for the following items on the grounds that they involve the likely disclosure of exempt information as defined in Part 1 of Schedule 12A of the Local Government Act.

For decision

30. MINUTES OF THE PREVIOUS MEETING To agree the non-public minutes of the meeting held on 24 July 2012

For decision (Pages 275 - 278)

31. HEALTH AND SAFETY - TOP 10 RISK REGISTER (NON-PUBLIC APPENDIX) Report of the Director of Human Resources For Information

For decision (Pages 279 - 280)

32. PUBLICATION OF INFORMATION ON CITY'S CASH Report of the Director of Public Relations For Decision

For decision (Pages 281 - 296)

33. CITY'S CASH FINANCIAL STATEMENTS Report of the Chamberlain For Decision

For decision (Pages 297 - 300)

34. PLANNING GOVERNANCE Report of the Town Clerk and Comptroller and City Solicitor For information

For decision (Pages 301 - 306)

35. QUESTIONS ON MATTERS RELATING TO THE WORK OF THE COMMITTEE

For decision

36. ANY OTHER BUSINESS THAT THE CHAIRMAN CONSIDERS URGENT

For decision

Part 3 - Confidential Agenda

37. CONFIDENTIAL MINUTES OF THE AUDIT AND RISK MANAGEMENT COMMITTEE OF 24 JULY 2012 To approve the Confidential Minutes of the meeting held on 24 July 2012

For decision

Agenda Item 3

Committee: Audit and Risk Management
Date: 20 September 2012
Item no.:
Subject: Strategic risk SR8 - managing the City Corporation's reputation
Public
Report of: Director of Public Relations
For Information

Summary

This report sets out briefly the background to the management of Strategic Risk No 8 – the management of the City of London Corporation’s reputation. It specifies the nature of the risks, the procedures in place to tackle them and the integral part which this work plays in the implementation of the overall Communications Strategy.

Recommendation

The Committee is recommended to take note of the contents of this report.

Main Report

Background

1. As with all organisations, the protection and enhancement of its reputation is an integral part of the work of the City of London Corporation. The lead responsibility for this rests with the Director of Public Relations and the Public Relations Office. The overall approach to this work is set out in the Communications Strategy, 2012-15, approved by the Court of Common Council in April 2012. The relevant section of the Strategy is attached at appendix A. Detailed arrangements are also in place to ensure that this work is carried out in a fully integrated way with all relevant committees and departments, including appropriate regular meetings to review the current position and advise on the best way to handle particular issues, as and when they arise.

Current Position

2. The current entry on the risk register for this risk (SR 8) is attached at appendix B. Various mitigating controls are in place as follows:

i. Work proceeds to implement the focus of the communications work in relation to the services which the organisation provides, as specified in the current Communications Strategy (in addition to the continuing work on financial services issues). Detailed reports on the progress with these activities are provided quarterly to the Policy and Resources Committee;

ii. The City Corporation’s retained public affairs consultants, Quiller Consultants Ltd, provide, inter alia, detailed external advice and guidance on the management of reputational risk, through regular discussions with senior Members and officers;

iii. The Director gives the highest priority to ensuring that the staffing arrangements of the PR Office encompass all the necessary skills, knowledge, experience and approach that assists in preparing in advance for possible risks to the reputation of the organisation and handling them effectively as and when they arise. This includes continuously placing the highest priority on the need to keep a close watch on this aspect of the organisation’s work;

iv. The Director ensures regular liaison with Chairmen and Deputy Chairmen of Committees, chief officers and departmental communications representatives (including a regular meeting of the latter) whereby the reputational risks from all policy decisions and other aspects of the organisation’s work can be closely monitored;

v. A “Public Relations Tool Kit” has been prepared for departmental communications representatives and others in departments with a communications responsibility to assist them in this work and help PR staff provide relevant training; and

vi. Each departmental risk register is reviewed carefully on a regular basis, both by the audit and risk management team and PRO staff to make sure that all potential reputational risks are managed appropriately.

3. There are a number of substantial potential and current reputational risks which are set out in the attached entry in the risk register. Detailed plans are in place to monitor and manage each of these risks.

Conclusion

4. This report sets out briefly the current position on the management of reputational risk within the organisation, which the Committee is asked to consider and note.

Background Papers: City of London Communications Strategy, 2012-15

Appendices:
Appendix A: Relevant section of the Communications Strategy, 2012-15
Appendix B: Strategic Risk 8, Negative publicity and damage to the City Corporation's reputation.

Contact: Tony Halmos | [email protected] | 020 7332 1450

Appendix A

Extract from City of London Communications Strategy, 2012-15.

1.5 Reputation management

One of the fundamental purposes of this communications strategy is to set out clearly the strategies for sustaining and enhancing the reputation of the City of London Corporation. Reputation management is integral to an effective communications strategy and it is essential therefore to ensure that it is fully taken into account.

The plan for handling a specific threat to the organisation’s reputation is as follows:

[Diagram: steps for handling a reputational issue / threat. Boxes shown:]
• Reputational issue / threat
• Which strand(s) of the strategy does it affect?
• Are there any policy implications?
• Which key audiences are affected?
• What are the key messages?
• What are the most appropriate channels to use?
• What City Corporation resources are required?
• Review of reputational issue / threat

Following these steps will help to ensure that any specific threat to the organisation’s reputation is handled in an appropriate, planned and measured way.

There is always the prospect of threats to the standing, scope of work and responsibilities of the City Corporation from legislative changes or other external sources and this Communications Strategy has been prepared with this in mind.

Following recent high profile challenges to the City Corporation’s reputation, most notably stemming from the protest camp at St Paul’s, two areas in particular have been examined, with a view to improving the previous approach.

First, it is clear that the pressures on all organisations, both public and private, to be more transparent and accountable have grown considerably and will continue to do so. With this in mind, the City Corporation is examining the scope for relevant changes in the way it explains and publicises its governance, its finances and the work it does to support and promote “the City”.

Second, it has been an integral part of the implementation of this strategy for at least the past two years to increase the communications work undertaken in support of the two non-financial services strands of this strategy and to promote the services which the City Corporation provides both for the Square Mile and across London and the nation. This involves enhancing the recognition of each of these services as part of the overall work of the City Corporation and not simply as separate entities in their own right.

To achieve this most effectively, it is now planned to concentrate for the coming year at least on two areas of service provision, in order to give them the attention and higher profile needed. It has proved less effective to seek to promote specific areas of work by concentrating at the same time, across the board, on all the services provided. This has had the result of detracting from the main message which we are seeking to convey about our role and work on behalf of London and the nation as a whole. The initial two areas on which it is proposed to focus are:

• Supporting London’s communities – all the work which the City Corporation does to support educational and cultural opportunities and economic development, thereby helping to provide jobs and growth and improve the quality of life throughout London. This encompasses, but is not confined to, the work of the Economic Development Office (EDO), City Bridge Trust, Community and Children’s Services, and the relevant work in the Barbican and Guildhall School of Music & Drama, as well as all the work in many other departments which also involves various activities across London.

• Helping to look after London’s heritage and green spaces – all the work which the City Corporation does to look after London and the nation’s heritage and to provide green spaces across the capital and beyond. This encompasses the work of Culture, Heritage and Libraries, Barbican, Museum of London, Open Spaces and Built Environment.

Appendix B

Risk Supporting Statement SR 8

Risk Owner: Town Clerk / Director of Public Relations
Risk: Negative publicity and damage to the City Corporation's reputation.
Links to: Strategic Aims SA1, SA2 and SA3 and Key Policy Priorities KPP1, KPP2, KPP3, KPP4 and KPP5
Gross Risk: R (Likelihood 4, Impact 4)

Detail: This risk may materialise as a result of external factors or failure to manage risk within the operations of the organisation. There will always be an inherent risk around reputation, but the specific threats present at any one time will vary depending on the nature of key projects, internal and external developments or factors. A shortlist of the most significant issues is maintained, updated by the Director of Public Relations on a quarterly basis using information gained from on-going liaison with departments and, in future as risk management becomes embedded, through examination of departmental risk registers. In addition to the shortlist below, there is a broad risk in relation to negative publicity or adverse media comment following failure of service delivery. The likelihood and impact of this is very much dependent upon the circumstances and outcome of the failure.

Specific Issues / Mitigating Controls

Mitigating Controls:
• Communications strategy in place
• Working with retained public affairs consultants to improve City Corporation’s ability to respond to communications challenges
• Experienced media/communications team with the right skills to handle reputation issues.
• Regular liaison with Committees and departments including through departmental communication representative meetings etc., aiming to ensure the overall reputation of the organisation is kept under close review during all policy deliberations
• PR Tool kit
• Examination of departmental risk registers to identify emerging issues (on-going)

Summary and Further Action

Summary: Shortlist of Key Issues (Likelihood / Impact)
• Hampstead Heath Hydrology and related issues: 2 / 5
• Use of the City YMCA: 3 / 2
• London Living Wage: 5 / 3
• Debate around the transparency and accountability for City's Cash: 5 / 3
• Adverse comment or publicity on the role and purpose and governance of the City Corporation: 3 / 3
• Managing the impact of street works (e.g. Cheapside, renewal of water main) on visitors, residents and workers: 5 / 3
• External website project fails to meet delivery timetable and objectives as a communication tool: 1 / 3
• Adverse comment or public perception as a result of the City failing to meet obligations in relation to the 2012 Olympics: 3 / 4

Net Risk: A (Likelihood 3, Impact 4)
Control Evaluation: G

Agenda Item 4

Committee(s): Audit & Risk Management
Date(s): 20 September 2012
Item no.:
Subject: Strategic Risk 10 – Adverse Political Developments
Public
Report of: Remembrancer
For Information

Summary

This Report provides this Committee with an overview of Corporate Strategic Risk 10 (SR10) for which the Remembrancer is the risk owner. The report describes the risk and the mitigating controls.

Recommendation

To note the contents of this Report.

Main Report

Background

1. SR 10 is defined as “adverse political developments undermining the effectiveness of the City of London Corporation”. Unlike many strategic risks, SR10 encompasses a wide range of risks including those from changes in neighbouring boroughs, London government, national government and the political ‘mood music’ in the media and elsewhere.

2. The march of shared services between London authorities could ultimately lead to a London Government Review aimed at creating larger local authority areas. Such a review was supported by former Mayor Ken Livingstone. While not currently envisaged, this development would be a challenge to the City as a distinct administrative unit. The rationale for maintaining it, and specifically the extent to which the Corporation's activities are not defined by the geographical boundary of the Square Mile, therefore needs to be kept firmly in the consciousness of policymakers and legislators.

3. Recent experiences of the St Paul’s ‘occupy’ protestors, sporadic media antagonism, comments from politicians in the wake of the financial crisis, continued criticism of “the City” and the recently published Green Party manifesto serve as reminders that the political landscape can be erratic.

4. The City Corporation’s constitution and operational capacities could be fundamentally undermined by legislation which failed to acknowledge the City’s unique position. This situation could well arise cumulatively rather than through a single piece of legislation. The City depends on legislative exceptions in many fields; securing them ultimately depends on achieving political acquiescence.

Mitigating Measures

5. The impact of the risk is mitigated by the activity of the Office in promoting the wider work of the City Corporation in relation to the support for business and its relevance to many different interests, for example commercial diplomacy, culture, open spaces, health and education as well as in looking after its residents. This activity generates support across the piece and helps condition opinion about the Corporation.

6. Regular contact is maintained with those who advise on and influence policy both at a local and national level, designed to ensure the City’s perspective is understood and acknowledged in the policy development stage. Close contact is maintained with parliamentary bill teams and the Office evaluates primary and secondary legislation relating to the whole matrix of city and City Corporation interests.

7. Where legislation presented to Parliament is unsatisfactory and not subject to agreed changes at official level, amendments are pursued in either House. A close relationship is maintained with selected members of both Houses and with parliamentary public bill and select committees which are regularly provided with briefings on the City Corporation’s position. Select Committee enquiries which might, if acted upon, have adverse effects on the City Corporation constitutionally are given close attention.

8. The Office works closely with departments across the City Corporation, but in particular with PRO, Mansion House and EDO. The Office’s work is overseen by the Policy & Resources Committee. The work of other departments in areas such as media, political contact and research is integral to the delivery of the objective of protecting the City’s interests.

Conclusion

9. The mitigating controls are well tested and to some extent change on each occasion they are deployed. They may range from informal discussions with officials to tabling amendments on the floor of the House. They may be operated in conjunction with activity by the Public Relations Office, EDO or Mansion House. In other words, the means used to justify the objective – protection of the City’s interests – will depend on the nature of the issue and the circumstances in which it arises.

Appendix 1 – SR10 Adverse Political Developments – Extract from Strategic Risk Register

Contact: Paul Double | [email protected]

Risk: Adverse political developments undermining the effectiveness of the City of London Corporation
Links to: all Strategic Aims and Key Policy Priorities.
Gross Risk: R (Likelihood 5, Impact 5)

Detail: Owing to its nature and geographical size, the City Corporation is particularly vulnerable to political developments concerning London government. There are two main issues at present; the continuing financial turmoil and fallout from “occupy” is resulting in slanted scrutiny of the City Corporation and the longer term threat to the local authority functions from sharing of services and a consequent London Government review.

Specific Issues:
“Occupy” and the current turmoil in the financial system has provoked unfounded allegations of undue influence and partial accounts of the City Corporation’s lobbying activities. A review of London government is not currently envisaged but the increased interest in sharing services (and offices) between authorities and Boundary Commission proposals may reinstate earlier suggestions for 5 or 6 “super boroughs”, raising concerns around the viability of a separate administration for the Square Mile.

Mitigating Controls:
Promotion of the good work of the City Corporation, City Corporation needs to remain relevant and “doing a good job” and be seen as such. This risk has a Low (1) likelihood, but potentially Catastrophic (5) impact.

Summary and Further Action:
The organisation needs to ensure it is seen as important and relevant across a wide field of activities that are not geographically limited to the Square Mile. Current public affairs activities should be maintained to this end. Any functions which may be vulnerable on account of their size if kept as free standing operations need to be identified and the case for ameliorating action (e.g. partnerships, shared services) considered.

Net Risk: A (Likelihood 1, Impact 5)
Control Evaluation: G

Agenda Item 9

By virtue of paragraph(s) 3 of Part 1 of Schedule 12A of the Local Government Act 1972.

Document is Restricted

Agenda Item 10

AUDIT AND RISK MANAGEMENT COMMITTEE

Tuesday, 24 July 2012

Minutes of the meeting of the Audit and Risk Management Committee held at Guildhall, EC2 on Tuesday, 24 July 2012 at 1.45pm

Present

Members:
Jeremy Mayhew (Chairman)
Alderman Ian Luder (Deputy Chairman)
Alderman Nick Anstee
Nigel Challis
Hilary Daniels (External Member)
Deputy Robin Eve
Oliver Lodge
Kenneth Ludlam (External Member)
Caroline Mawhood (External Member)
Jeremy Simons
Deputy Douglas Barrow (Ex-Officio Member)
Ray Catt (Ex-Officio Member)
Roger Chadwick (Ex-Officio Member)

Officers:
Susan Attard - Deputy Town Clerk
Daniel Hooper - Town Clerk's Department
Julie Mayer - Town Clerk's Department
Chris Bilsland - Chamberlain
Caroline Al-Beyerty - Chamberlain's Department
Suzanne Jones - Chamberlain's Department
Paul Nagle - Chamberlain's Department

PART 1 - PUBLIC AGENDA

1. APOLOGIES
Apologies were received from the Revd Dr Martin Dudley and Alderman Simon Walsh.

2. DECLARATIONS BY MEMBERS OF ANY PERSONAL AND PREJUDICIAL INTERESTS IN RESPECT OF ITEMS ON THIS AGENDA

• Mr Mayhew and Mr Catt declared an interest, in respect of Agenda Item 4, as they are Members of the City Bridge Trust Committee.

• Mr Mayhew made a standing declaration as he had recently become a Senior Adviser to PwC’s Entertainment & Media Consulting Practice.

• Alderman Luder declared a personal interest, in respect of an item under discussion during the confidential part of the agenda, as he is a resident of the Barbican Estate.

3. MINUTES
The public minutes and non-public summary of the meeting of the Audit and Risk Management Committee held on 14 June 2012 were approved, subject to an amendment showing that Deputy Barrow had not been present.

4. OUTSTANDING ACTIONS OF THE COMMITTEE
Members noted the Outstanding Actions list and agreed to discuss related non-public matters at this point. The Non-Public discussion is recorded at Item 18.

RESOLVED: That under Section 100(A) of the Local Government Act 1972, the public be excluded from the meeting on the grounds that it involves disclosure of exempt information as defined in Part I of Schedule 12A, Paragraphs 1, 2 & 3 of the Local Government Act.

Once the Non-Public discussion had concluded, the Committee returned to public session.

5. REVIEW OF GOVERNANCE ARRANGEMENTS IMPLEMENTED IN 2011
Members were reminded that the Court had agreed for a Working Party to be established to undertake a post-implementation review of the revised governance arrangements, agreed in March 2011, after 12 months of their operation, to take stock of how they are working. The Audit and Risk Management Committee was asked to consider whether it wished to make any representations to the Working Party on the new arrangements, in so far as they affect the Committee.

Members made the following comments:

• Having External Members on a Grand Committee is positive.
• The Committee has already moved in line with leading public sector bodies and has anticipated many of the changes proposed in the Government’s consultation on Local Public Audit
• The existing Audit Review Panel comprises Independent Members i.e. not Members of the Court of Common Council
• Future consideration be given to adding a further External Member to the Committee
• One Member pointed out that the Standards Committee had a non-City Corporation Chairman and it would be possible to follow this precedent.
• Having an External Member as Chairman would, however, have implications on his/her ability to address the Court, but this could be mitigated by having a Court Member and an External Member as either Chairman or Deputy Chairman of the Committee. An open choice of all Members could be presented to the Committee
• The Deputy Chairman said that he supported evolutionary change

In concluding, the Chairman and Members agreed that they are satisfied with the current working of the Committee, but understood that a natural evolutionary progression would be to appoint a fourth external Member and/or allow external Members to become Deputy Chairman.

RESOLVED: That the summary of this discussion be circulated to Members before being submitted to the Post-Implementation Review.

6. 2011/12 CITY FUND AND PENSION FUND FINANCIAL STATEMENTS, TOGETHER WITH DELOITTE'S REPORT THEREON
Members received the City Fund and Pension Funds Financial Statements for the year ended 31 March 2012.

During the discussion, the following queries and issues were raised, which would be shared with the Finance Committee on 25 July 2012:

Crossrail
Members noted that the City’s agreed contribution of £200m from City Fund is an example of “an executory contract”; i.e., payment is only due when the other party has provided the works, goods or services. In the case of the Crossrail contribution, if the agreed outcome was not delivered, the City’s contribution would not be payable. The Chamberlain advised that he would seek advice from engineers before authorising the Crossrail payment.

Members noted that the future payment is currently included in the notes to the Financial Statements as a capital commitment. As the payment becomes more certain, the argument would become stronger that the sum be provided for in the Balance Sheet. The Audit and Risk Management Committee indicated its current expectation that the £200m be included in the Balance Sheet with effect from 2012/13.

CoL Pension Fund Deficit
Members noted that the total deficit is disclosed in the notes to the Financial Statements, but is not required to be included in the Balance Sheet. The External Auditor advised that this was a common problem in the Public Sector. The Actuary values the entire pension fund and the cost to the employer. The Chamberlain advised that the on-going employers’ contributions are included in revenue expenditure, but information is not available to allocate the Pension Fund Deficit between the various accounts. Members noted that the triennial valuation of the fund would be undertaken as at 31 March 2013.

Valuation of Investment Properties
Members noted that Drivers Jonas had been subject to the regular controls and tracking under the protocol agreed with Members and delegated to the Chamberlain.

VAT - partial exemption
The Chamberlain explained that Local Authorities can recover exempt input tax, provided the exempt VAT is not more than 5% of the total VAT reclaimed. For the first time, the City’s initial calculation suggests a percentage which exceeds the 5% threshold. Members noted that it is not HMRC’s intention to penalise local authorities who go over the limit only in a particular year. A PWC specialist had been employed to look at the City’s calculation and they are optimistic that it will be below the 5% threshold. The PWC findings would be shared with Deloitte and the Audit and Risk Management and Finance Committees would be kept informed.

RESOLVED: That -

1. the contents of Deloitte’s management letters be considered and noted;
2. the City Fund and Pension Funds Financial Statements be recommended for approval, to the Finance Committee, for the year ended 31 March 2012; and
3. authority be delegated to the Town Clerk, in consultation with the Chairman and Deputy Chairman of the Audit and Risk Management Committee, to approve any material changes to the financial statements required before the signing of the Audit Opinion by Deloitte, which is expected by the end of August or early September.

7. 2011/12 BRIDGE HOUSE ESTATES AND SUNDRY TRUSTS FINANCIAL STATEMENTS, TOGETHER WITH DELOITTE'S REPORT THEREON
Members received the annual report and financial statements for Bridge House Estates, for the year ended 31 March 2012.

Members noted that, as it is not anticipated that any of the five bridges will require replacement during the next 50 years, there is no separate reserve for this. Instead, a reserve for repairs, maintenance and major works had been provided, to ensure that the bridges would be properly maintained over the 50 year period.

Documents were tabled splitting the funds of the charity on the face of the Balance Sheet and explaining why Heather Bygrave was not a signatory on the report of the Audit Review Panel.

RESOLVED: That -

1. The contents of Deloitte’s Management Letter were considered and noted.
2. The Annual Reports and Financial Statements for Bridge House Estates and the Sundry Trust Funds be recommended for approval, to the Finance Committee, for the year ended 31 March 2012.
3. Authority be delegated to the Town Clerk, in consultation with the Chairman and Deputy Chairman of the Audit and Risk Management Committee, to approve any material changes to the financial statements required before the signing of the Audit Opinion by Deloitte, which is expected to be by the end of August or early September.

8. LOCAL PUBLIC AUDIT BILL
Members noted that the Government had announced its intention to abolish the Audit Commission, privatise its in-house audit practice and put in place new, decentralised arrangements for the audit of local public bodies. The draft Bill had been published and the City Corporation invited to respond. This report provided an overview of the proposals and recommended that the detailed response be submitted under delegated powers.

RESOLVED: That the Committee’s response to the draft Bill be delegated to the Town Clerk, in consultation with the Chairman and Deputy Chairman of the Committee.

9. DECISIONS TAKEN UNDER DELEGATED AUTHORITY - ANNUAL GOVERNANCE STATEMENT

The Audit and Risk Management Committee of 14 June delegated Authority to the Town Clerk, in consultation with the Chairman and Deputy Chairman of the Audit and Risk Management Committee, to amend the Annual Governance Statement, for any significant events or developments relating to the governance arrangements that occur prior to the date on which the Statement of Accounts is signed by the Chamberlain. Members noted that this had been actioned.

RESOLVED: That the report be noted.

10. COMMITTEE WORK PROGRAMME

Members noted that additions since the last meeting were shown in italics and the Work Programme would be updated further to the actions from this meeting.

RECEIVED

11. QUESTIONS ON MATTERS RELATING TO THE WORK OF THE COMMITTEE

A Member posed a question on the efficiency of procurement cards and proposed a cap, whereby employees pay up to a certain amount on a personal card, with City Corporation procurement cards being used for more expensive purchases. The Chamberlain opposed this view and assured Members that procurement cards were very efficient and abuse was, as far as he knew, non-existent in the City Corporation. Members noted that the 2013 PP2P procurement card review would address any security issues.

12. ANY OTHER BUSINESS WHICH THE CHAIRMAN CONSIDERS URGENT

There were no items.

13. EXCLUSION OF THE PUBLIC

RESOLVED: That under Section 100(A) of the Local Government Act 1972, the public be excluded from the meeting for Item 4, on the grounds that it involves the likely disclosure of exempt information as defined in Part I of the Schedule 12A, Paragraphs 1, 2 & 3 of the Local Government Act.

PART 2 - NON-PUBLIC AGENDA

SUMMARY OF MATTERS CONSIDERED WHILST THE PUBLIC WERE EXCLUDED

14. NON-PUBLIC MINUTES

The non-public minutes of 14 June were approved as a correct record.

15. 2011/12 CITY'S CASH AND CITY'S CASH TRUST FUNDS FINANCIAL STATEMENTS TOGETHER WITH DELOITTE'S REPORT THEREON

Members received the City’s Cash and City’s Cash Trust Funds Annual Reports and Financial Statements 2011/12.

16. AUDIT OF NON-CITY FUND ACCOUNTS

The Committee considered a report on appointment of Auditors for non-City Fund accounts.

17. QUESTIONS ON MATTERS RELATING TO THE WORK OF THE COMMITTEE

There were no questions.

18. MEMBERS' NON-PUBLIC BRIEFINGS: OUTSTANDING ACTIONS LIST

The Committee discussed the Outstanding Actions list as listed on the Agenda at Item 4.

19. ANY OTHER BUSINESS THAT THE CHAIRMAN CONSIDERS URGENT AND WHICH THE COMMITTEE AGREE SHOULD BE CONSIDERED WHILST THE PUBLIC ARE EXCLUDED

The Committee considered an urgent item of business.

20. CONFIDENTIAL MINUTES

The Confidential Minutes of the meeting held on 14 June were approved with matters arising recorded in a separate confidential minute.

The meeting ended at 4.15pm

Chairman

Contact Officer: Julie Mayer tel. no.: 020 7332 1410 [email protected]

Agenda Item 11

AUDIT AND RISK MANAGEMENT COMMITTEE - Outstanding Actions

Item: 2011/12 Statement of Accounts
Action and target date: A report was requested for a future meeting of the Committee, setting out the governance arrangements for City’s Cash assets.
Officer responsible: Chamberlain
Progress updates: Further to the meeting on 24/7, External Members emailed the Chamberlain. The Chamberlain’s response stated that, whether or not the Corporation decides to publish the accounts, it should move towards preparing them on a UK GAAP basis. Report on ARM agenda for 20 September.

Item: Risk Register Template
Action and target date: Roll-out revised Risk Register before the end of the Year
Officer responsible: Paul Nagle
Progress updates: Strategic Risk Register updated. Additional Risk Scoring Assessments have been requested from strategic risk owners.

Item: Strategic Risk Register
Action and target date: Amend the Summary Page to make the closed risks more apparent
Officer responsible: Matt Lock
Progress updates: Contents page lists closed risks and status (eg managed operationally by Chamberlain), closed risks shown as grey text on Summary Risk Register and marked as closed.

OUTSTANDING ACTIONS UPDATE 31 AUGUST 2012

Item: SR1 Terrorist Attack
Action and target date: Officer Group to revisit and attach the appropriate level of probability
Officer responsible: Matt Lock/Susan Attard
Progress updates: Security and Contingency Planning Group have produced a revised risk summary, which was discussed at the SR Core Group on 7 August. The risk has been re-named “SR1 – Failure to Respond to a Terrorist Attack”, to reflect better the nature of the risk. COMPLETE

Item: Internal Audit Annual Report and Opinion
Action and target date: a) Review internal audit report finalisation approach so less time between completion of fieldwork and finalisation of audit reports. b) Head of Audit and Risk Management to review his overall opinion statement with view to including more ‘colour’ for inclusion in the AGS.
Officer responsible: a) Chamberlain and Head of Audit and Assurance; b) Head of Audit and Assurance
Progress updates: a) Change process and update September A&RM under ‘outstanding actions’. b) Members emailed 20 June 2012 and revision included in AGS approved by Chairman and Deputy Chairman on 28 June. COMPLETE

Item: Bribery Act
Action and target date: The Chairman asked the Deputy Town Clerk to identify when Members had been briefed on the implications of the Bribery Act and whether the declarations form had been reviewed in light of this. Item to remain on the ‘Outstanding Actions’ List for further updates.
Officer responsible: Chrissie Morgan; Town Clerk
Progress updates: A draft outline of arrangements was circulated, at the meeting on 24 July, outlining the level of sign-offs, the potential risks and what action would be taken, based on the level of risk/grade of the officer. The Monitoring Officer is of the opinion that the measures to be put in place will discharge the Corporation’s obligations under the Bribery Act. Information on Officer obligations is now on the Intranet. The A&RM Committee of 20 September will receive an update report.

Item: City Bridge Trust
Action and target date: The outcomes would be reported to the Audit and Risk Management Committee in September. A Member sought clarification as to when grants cease to be the property of the City Corporation and this would be included in the report.
Officer responsible: Paul Nagle
Progress updates: The investigation is progressing, with a full report to September A&RM. Chairman of CBT will be invited to this meeting.

Item: Work Programme
Action and target date: To be added:
• Report on Governance Arrangements for City’s Cash assets (see also Statement of Accounts).
• An update on the Comptroller and City Solicitor’s report on Planning Governance arrangements
Officer responsible:
• Town Clerks
• Comptroller and City Solicitor
Progress updates:
• To be reported at a future meeting pending decisions on the accounting and reporting
• On September’s ARM Agenda

Item: Audit of Non-Local Authority Funds
Action and target date: Alderman Luder requested that officers look into the scenario where an Auditor or a candidate for Auditor died, and consider the implications that this would have for the audit. He asked that, if appropriate, measures to address this issue be included in the report to the Livery Committee or in the forthcoming Bill for an Act of Common Council.
Officer responsible: Caroline Al-Beyerty/Edward Wood
Progress updates: Response sent to Chairman and Deputy Chairman on 8/8. It is not necessary to report on this issue. The outcome of the report to the Livery Committee will be reported orally.

Item: Review of Governance Arrangements
Action and target date: The summary of the discussion of the A&RM of 24 July to be circulated to Members before being submitted to the Post Implementation Review.
Officer responsible: Town Clerks
Progress updates: Feedback from the Meeting on 24/7 included in the draft minutes and sent to Members for comment on 10/8. Forwarded to the Policy Team 17/8.

Agenda Item 12

City of London Corporation (City Fund) Annual Audit Letter to the Members of the Court of Common Council on the year ended 31 March 2012 Audit

Issued: 11 September 2012

Contents

Executive summary

1. Introduction

2. Financial reporting

3. Value for money conclusion

4. Grants

5. Responsibility statement

Appendix 1: Analysis of professional fees

Executive summary

This letter reports our conclusions from our audit of the City Fund of the City of London Corporation (“the City” or “the Corporation”) for the financial year ended 31 March 2012. The City Fund is the part of the Corporation which carries out its functions as a local authority, port health authority and police authority. The letter’s main messages are:

City Fund financial statements: We issued an unqualified opinion on the City’s accounts for the year ended 31 March 2012 on 11 September, ahead of the deadline for this of 30 September 2012.

City’s local government pension scheme annual report: We issued an unqualified opinion on information in the City’s pension scheme annual report for the year ended 31 March 2012 ahead of the deadline for this.

Value for money conclusion: We issued an unqualified conclusion on the City’s arrangements for securing value for money during the year ended 31 March 2012.

Whole of Government Accounts: Our work on this is in progress. We expect to issue our opinion by the consolidation return deadline of 5 October.

Grants: We undertake work on grant claims and other returns on behalf of the Audit Commission and provide certificates to grant funders on compliance with aspects of the terms on which funds have been claimed. We will provide a separate, detailed letter to the City in early 2013 on the outcome of this work, but at this point there are no matters which we consider need to be brought to your attention.

There are no individually significant recommendations which we wish to bring to Members’ attention here.


1. Introduction

The purpose of this letter

The purpose of this Annual Audit Letter (“Letter”) is to summarise the key issues arising from the work that we have carried out during the year.

We have addressed this Letter to the members of the Court of Common Council of the City of London Corporation as it is the responsibility of the members to ensure that proper arrangements are in place for the conduct of its business and that it safeguards and properly accounts for public money.

The Letter will be published on the Audit Commission website at www.audit-commission.gov.uk and should also be posted on the City’s website.

Responsibilities of the Appointed Auditor and the City and scope of our work

This Letter has been prepared in the context of the Statement of Responsibilities of Auditors and Audited Bodies issued by the Audit Commission. This is available from www.audit-commission.gov.uk.

We have been appointed as the Corporation’s independent external auditors by the Audit Commission, the body responsible for appointing auditors to local public bodies in England, including local authorities. As your appointed auditor, we are responsible for planning and carrying out an audit that meets the requirements of the Audit Commission’s Code of Audit Practice (“the Code”). Under the Code, we review and report on:

• the City Fund financial statements;

• the City’s local government pension scheme annual report; and

• whether the City has made proper arrangements for securing economy, efficiency and effectiveness in its use of resources (value for money conclusion) in respect of its local authority functions.

We also provide an assurance report to the National Audit Office on the financial information prepared by the City for consolidation into the Whole of Government Accounts.

It is the responsibility of the City to ensure that proper arrangements are in place for the conduct of its business and that public money is safeguarded and properly accounted for. We have considered how the City is fulfilling these responsibilities.

As an additional responsibility to those set out in the Code, we also undertake grant certification work on behalf of the Audit Commission.


2. Financial reporting

Key issues arising from the audit of the accounts

We reported separately to the Audit and Risk Management Committee in July 2012 on the issues arising from our audit and have issued an audit report providing an unqualified opinion on your financial statements for the year ended 31 March 2012 and a conclusion on your value for money arrangements for that year to say that these arrangements are adequate.

We explained in our report to the Audit and Risk Management Committee how we had focused our work on areas which involved more complex accounting judgements and estimation, including the accounting for grants, the valuation of the City’s commercial property estate, segmental reporting, the valuation of the liability to pay future police pensions and bad debt provision levels. We reported our conclusion in each of these areas to the Audit and Risk Management Committee that officers had made reasonable judgements.

Our report also discussed certain significant transactions and disclosures in the accounts. In particular we commented on, and subsequently discussed with the Committee, a note to the accounts which discloses the commitment made by the City Fund to contribute £200 million towards the cost of Crossrail. During our audit of the 2008/9 financial statements we discussed with officers their assessment of the accounting treatment for this item. We concurred with officers that the agreement with the Government, contained within an exchange of letters between the Corporation and the Secretary of State, is an “executory contract” (contracts under which both parties are still to perform to an equal degree the actions promised by and required of them under the contract). As such it falls outside the scope of International Accounting Standard 37 Provisions, Contingent Liabilities and Contingent Assets (unless onerous). This means that, whilst the transaction has been disclosed as a commitment, a liability has not yet been recognised on the balance sheet pending performance of the undertakings made by the Secretary of State, which include completion of certain works in relation to Crossrail stations.

Our report to the Committee reported on progress on implementing a few recommendations to assist with future financial control and reporting. We noted last year that the VAT partial exemption calculation had not been finalised for the 2009/10 financial year and not prepared in detail for the 2010/11 financial year. This position required judgements to be made as to the likelihood and impact of a breach of the threshold. Full implementation of this recommendation has been delayed due to the loss of a key member of staff. The calculation has been performed by a contractor in 2011/12 with subsequent assistance from an external adviser. The City should ensure that the knowledge gained from this year’s process is adequately captured and utilised in planning for future years and the timetable is again revisited. There were also difficulties last year in preparing information to support the City’s entitlement to an important grant funding stream and similar delays this year. We recommend that the City Police look at developing its system for compiling costs relating to the activities covered by this grant to improve the support for future claims and to inform any future discussions with the relevant government department over future levels of funding for this activity.

Key issues arising from the audit of the pension scheme accounts within the pension scheme annual report

We reported separately to the Audit and Risk Management Committee in July 2012 on the issues arising from our 2011/12 audit. We also issued an unqualified opinion on the pension scheme accounts within the pension scheme annual report.

Whole of Government Accounts

Whole of Government Accounts (WGA) are commercial-style accounts covering all the public sector and include some 1,700 separate bodies. Auditors appointed by the Audit Commission have a statutory duty under the Code of Audit Practice 2010 to review and report on the whole of government accounts return. Our report is used by the National Audit Office (“NAO”) for the purposes of their audit of the Whole of Government Accounts.

Our work on this is in progress and we expect to issue our opinion in advance of the deadline of 5 October 2012. We will issue our certificate closing the audit as a whole once this has been done.


3. Value for money conclusion

The scope of our work

We are required to issue a conclusion on whether we are satisfied that the City has put in place proper arrangements for securing economy, efficiency and effectiveness in its use of resources in respect of its local authority functions. This is known as the value for money conclusion.

Our conclusion is given in relation to the following criteria specified by the Audit Commission:

Specified criteria for auditors’ VFM conclusion: The organisation has proper arrangements in place for securing financial resilience.
Focus of the criteria for 2012: The organisation has robust systems and processes to manage financial risks and opportunities effectively, and to secure a stable financial position that enables it to continue to operate for the foreseeable future.

Specified criteria for auditors’ VFM conclusion: The organisation has proper arrangements for challenging how it secures economy, efficiency and effectiveness.
Focus of the criteria for 2012: The organisation is prioritising its resources within tighter budgets, for example by achieving cost reductions and by improving efficiency and productivity.

Approach to our work

We draw sources of assurance relating to our VFM responsibilities from:

• the audited body's system of internal control as reported on in its Annual Governance Statement;
• the results of the work of the Commission, other inspectorates and review agencies to the extent that the results come to our attention and have an impact on our responsibilities;
• any work mandated by the Commission – of which there was none in 2011/12; and
• any other locally determined risk-based VFM work that auditors consider necessary to discharge their responsibilities.

Risk assessment

Our preliminary assessment was that there were no risks in relation to our VFM responsibilities which required local work to be carried out and we therefore did not identify any risks or additional local studies in our audit plan.

We have subsequently carried out a risk assessment, carried out in the period after the year end to take account of the latest refresh of the Medium Term Financial Strategy, as well as the outturn financial and performance information for 2011/12. The risk assessment has involved consideration of common risk factors for local and police authorities identified by the Audit Commission, concluding on whether they represent actual risks for the purpose of our VFM conclusion on the City Fund. We undertook this work through review of relevant documentation, including committee papers and discussion with officers.

We also considered whether there were other risks which might be specific to the City Fund. We did this principally through our consideration of what has been reported in the Annual Governance Statement, matters reported by regulators and other matters which have come to our attention from our work carried out in relation to our other Code responsibilities.

Overall conclusion

On the basis of that work, we confirmed our preliminary assessment that there were no risks which required us to carry out other locally determined work and we have issued an unqualified VFM conclusion.


4. Grants

Under Section 28 of the Audit Commission Act 1998, the Commission is responsible for making arrangements for certifying claims and returns in respect of grants or subsidies made or paid by Central Government or a Public Authority to a Local Authority. The Commission, rather than its appointed auditors, has the responsibility for agreeing certification arrangements with the respective grant-giving bodies, principally government departments. The appointed auditor carries out work on individual claims as an agent of the Commission under these arrangements which comprise certification instructions which the auditor must follow.

Our programme is in progress at the time of writing. We will issue a separate Annual Audit Letter in respect of the grants programme in early 2013, following the completion of the programme. At this point there are no matters which we consider need to be brought to your attention.


5. Responsibility statement

The Statement of Responsibilities of Auditors and Audited Bodies issued by the Audit Commission explains the respective responsibilities of auditors and of the audited body. This report is prepared on the basis of, and our audit work is carried out in accordance with, that statement.

This report should be read in conjunction with the "Briefing on audit matters" circulated to you in July 2011 and sets out those audit matters of governance interest which came to our attention during the audit. Our audit was not designed to identify all matters that may be relevant to the City and this report is not necessarily a comprehensive statement of all deficiencies which may exist in internal control or of all improvements which may be made.

This report has been prepared for the City, as a body, and we therefore accept responsibility to you alone for its contents. We accept no duty, responsibility or liability to any other parties, since this report has not been prepared, and is not intended, for any other purpose.

Deloitte LLP Chartered Accountants St Albans

11 September 2012


Appendix 1: Analysis of professional fees

The professional fees earned by Deloitte in respect of 2012 are as follows:

Year ended 31 March 2012 (£’000) / Year ended 31 March 2011 (£’000)

Fees payable in respect of our work under the Code of Audit Practice in respect of the City Fund: 173 / 179
Fees payable in respect of the certification of grants: *53 / 53

Total fees payable in respect of our role as Appointed Auditor: 226 / 232

Non audit fees
Property advisory services: 88 / 61

314 / 293

*Our work in respect of the 2012 grants programme is ongoing and the amount shown above is an estimate only.

The fees receivable in respect of private and voluntary funds and in respect of the local government pension scheme were dealt with in separate reports to the Audit and Risk Management Committee.

In March 2010 Deloitte completed the merger of its practice with that of Drivers Jonas. Drivers Jonas, now Drivers Jonas Deloitte (“DJD”), has provided property advisory services to the City prior to and after the merger. Part of the amount recorded above was for work contracted by the predecessor firm, Drivers Jonas, and carried out under instructions accepted prior to the merger with Deloitte.

The services are subject to a protocol previously agreed by the Audit and Risk Management Committee.


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is the United Kingdom member firm of DTTL.

© 2012 Deloitte LLP. All rights reserved.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.

Member of Deloitte Touche Tohmatsu Limited

Agenda Item 13

Committee(s): Audit and Risk Management
Date(s): 20th September 2012
Item no.
Subject: Audit and Risk Management Committee - Effectiveness Review
Public
Report of: Town Clerk
For Decision

Summary

In June 2010, the then Audit and Risk Management sub-Committee agreed that a review of the effectiveness of the sub-Committee be undertaken. This is best practice identified by the external auditors and by CIPFA. The review was not undertaken at that time as it was overtaken by the wider Committee governance review, so this report proposes that the review is now undertaken. A review would also be a useful vehicle to promote a wider appreciation amongst Members and officers of the Committee’s role.

The suggested Terms of Reference are to compare the work of the Committee against its agreed terms of reference and best practice guidance issued by CIPFA. The suggested methodology is for a desk-top review, potentially supplemented by a questionnaire survey of Committee members, relevant officers and service committee chairmen.

The output will be a report to this Committee, with decisions on wider dissemination of the report and the timing of future effectiveness reviews to be taken when the draft report is presented to this Committee in December 2012.

Recommendations

• That Members confirm the decision from June 2010, that a review of the effectiveness of the Audit and Risk Management Committee is undertaken, in accordance with CIPFA guidance;
• That Members agree the Terms of Reference for the review; and
• That Members decide on the methodology and timing for the review.

Main Report

Background

1. In June 2010, the then Audit and Risk Management sub-Committee agreed a recommendation that a review of the effectiveness of the sub-Committee be undertaken. This recommendation was based on an area for improvement identified by the external auditors in their 2009 Use of Resources report. They stated that such reviews were best practice in the private sector and starting to be adopted in the public sector. It is also a CIPFA recommendation that such a review is best practice in support of the Annual Governance Statement. The report also noted that a review would be a useful vehicle to promote a wider appreciation amongst Members and officers of the sub-Committee’s role.

Current Position

2. The effectiveness review was not undertaken at that time as it was overtaken by the wider Committee governance review. This report proposes that the review is now undertaken and suggests outline Terms of Reference, and options regarding the methodology for the review.

3. The CIPFA Toolkit for Local Authority Audit Committees (2006) notes that: “From time to time the audit committee should undertake a formal review of its effectiveness ...” [Section 3 – Establishment, operation and duties]. The toolkit also includes an expanded version of a self-assessment questionnaire, originally contained in CIPFA’s 2005 publication “Audit Committees - practical guidance for local authorities”. This expanded version is attached as Appendix 1 to this report.

Terms of Reference

4. The proposed Terms of Reference for the review are to compare the work of the Committee against:

i. The Committee terms of reference as approved by the Court of Common Council; and
ii. Best practice guidance issued by CIPFA (as noted in paragraph 3 above).

5. Issues to be covered under (i) would include examining the benefits of reviewing two of the City Corporation’s Strategic Risks in detail at each meeting, and the benefits of the status of the Committee as a Grand Committee. The self-assessment questionnaire at Appendix 2 will form the basis of (ii) above.

Methodology and Timing

6. It is proposed that the review be carried out internally, supported by officers from the Town Clerk’s and Chamberlain’s departments.

7. The approach would be based on a desk-top review, potentially supplemented by a questionnaire survey of Committee members, relevant officers and service committee chairmen. The desk-top review would look at the work undertaken by the Committee and consider whether this work met the work plan set up at the start of the period, whether this allowed the Committee to fulfil its remit, and if not, what additional work needs to be planned. The survey, if used, would supplement this by examining the way in which the Committee operates, linking to the points noted under (i) in paragraph 5 above.

8. The first meeting of the Audit and Risk Management Committee, as distinct from the previous sub-Committee, was held on 28th June 2011. For this initial review of effectiveness, it is proposed that the period covered will be from that first meeting until the 2012 summer recess.

9. The output from the review will be a report to this Committee. An example of a report from another London authority includes a brief introductory statement, an explanation of the role of the Committee, the work plans for the period under review and the year ahead, and a short self-assessment against the CIPFA criteria.

10. It is proposed that decisions on wider dissemination of the report and the timing of future effectiveness reviews be taken when the draft report is presented to this Committee in December 2012.

Audit Committee Updates

11. To complement the general guidance relating to Audit Committees referred to above, the CIPFA Better Governance Forum issue periodic Audit Committee Update briefing papers. Issue 7 was circulated to Members in February 2012, and the most recent issue (number 8: June 2012) is attached for Members’ information as Appendix 2 to this report. Members will note a reference on the final page of this update to effectiveness reviews as part of the preparation of an Audit Committee Annual Report.

Background Papers: Report of the Town Clerk and Chamberlain to the Audit and Risk Management sub-Committee on 29th June 2010: Annual Governance Statement

Publication by CIPFA, 2005: Audit Committees: Practical Guidance for Audit Committees (circulated to Members of this Committee in February 2012)

Publication by the CIPFA Better Governance Forum, 2006: A Toolkit for Local Authority Audit Committees (available from Neil Davies, as below, or at: http://www.tisonline.net/internalaudit/content/A_Toolkit_for_Local_Authority_Audit_Committees_2006.pdf )

Appendices:

1. Audit Committee self-assessment checklist – extracted from A Toolkit for Local Authority Audit Committees

2. CIPFA Better Governance Forum briefing paper - Audit Committee update number 8

Contact: Neil Davies | [email protected] | 020 7332 3327


CIPFA Better Governance Forum briefing paper

Audit Committee Update

– helping audit committees to be effective

Issue 8

Commissioning, procurement and contracting risks

June 2012


Introduction

Dear audit committee member,

This issue of Audit Committee Update focuses on some of the risk and control issues arising from commissioning, procurement and contracting. To undertake these essential processes effectively public sector organisations should ensure that they have appropriate governance, risk management and internal control arrangements in place. The article highlights the key risk areas and controls and examines some of the questions the audit committee might wish to raise. We also feature an article on some of the current challenges affecting procurement and commissioning in public bodies by Mohamed Hans of CIPFA’s Procurement and Commissioning Network.

As usual we also feature a round-up of legislation, reports and developments that may be of interest to audit committee members. Whenever I put these issues together I am reminded just how much there is for audit committee members to consider in their role. I hope these briefings help to make that role a little easier!

We have included links to resources and further information on our website. To access these all you need to do is register. Further details on how to do this are at the bottom of the page.

We welcome feedback on these briefings and also any suggestions for future topics. Feel free to contact me and let me know.

Kind regards

Diana Melville Governance Advisor CIPFA Better Governance Forum

[email protected] 01722 349398

Receive our briefings directly This briefing will be sent to all key contacts of organisations that subscribe to the CIPFA Better Governance Forum with a request that it be forwarded to all audit committee members. If you have an organisational email address (for example [email protected]) then you will also be able to register on our website. This will give you access to governance material, guidance documents and you can receive these briefings directly. Visit our website www.cipfanetworks.net/governance or register today.

2 CIPFA Better Governance Forum Page 46 www.cipfa.org.uk/bgf

Workshops and training for audit committee members in 2012 from CIPFA

The Influential Audit Committee This new audit committee workshop will address how the audit committee can improve its influence and impact on good governance. Featuring sessions on assurance planning, effective public reporting, improving accountability and evaluating the provision of audit services, the workshop will offer opportunities for discussion, self-evaluation and networking with other public sector audit committee members. 18th July Birmingham, 4th October Further dates & locations will be available in 2013. http://www.cipfanetworks.net/governance/events/

Advanced Audit Committees Have you cracked the basics? This workshop examines the audit committee role in strategic risk management, value for money, counter fraud and treasury management. 26 September Leeds, 22 November London

Essential Skills for Board Members The role of a board member in a public sector body, featuring sessions on corporate governance, decision making, accountability and evaluating board performance. 23 October London http://www.cipfanetworks.net/training/events/#3

In-house training We have many years’ experience in delivering training in-house for Audit Committees. A range of options are available including:

• Key roles & responsibilities
• Effective chairing & support for the committee
• Working with internal and external auditors
• Corporate governance
• Strategic risk management
• Value for money
• Counter fraud
• Reviewing the financial statements
• Treasury management
• Assurance arrangements
• Partnership assurance

We can also develop bespoke training to meet your needs.

For more information please contact [email protected] or speak to Diana Melville.


Commissioning, procurement and contracting risks – what does the audit committee need to know?

The public sector spends a huge amount of money on goods and services. The range is vast from the routine and relatively simple, such as fuel & equipment, to major construction contracts and complex service contracts for social care. The processes of commissioning, procurement and contracting form a major part of service planning and delivery and often involve specialist input from professional advisors.

From the audit committee’s point of view it is worth understanding some of the key risks associated with this area. The audit committee is unlikely to be involved in the commissioning and procurement processes directly, but has an important role to play in reviewing the management of the risks and ensuring there are appropriate arrangements in place for assurance.

Commissioning – key risks

Ensuring a strategic approach Commissioning of services arises from the strategic planning process and should reflect the vision for the development and delivery of services. Depending on the service the commissioning strategy could be long term and depend on a number of variables outside the direct control of the organisation. For example, commissioning adult social care services will need to take account of likely future demand.

Shared services and partnerships A number of organisations are investigating alternatives to procurement on the open market. Establishing a new form of service delivery involves a number of risks which need careful planning. Sharing the Gain is a CIPFA guide that highlights key areas.

De-commissioning Changes in legislation, in service needs or the end of partnership could result in the need to de-commission a service. Often how this will be achieved is not considered in advance which could result in additional costs.

Procurement – key risks

Value for money There isn’t always an obvious answer to the question of value for money. Should you go for the cheapest cost now or should you consider the whole life of the asset / service being procured? Having a clear objective at the start is very important so that the procurement process can be developed accordingly. Identifying key deliverables and stakeholders’ expectations, and assessing the extent to which these are likely to be achieved by the procurement process at a reasonable cost, is not often undertaken. The end result being a focus on the immediate ‘savings’ realised at the contract award stage, rather than on whether the contract is actually going to deliver throughout its term.

Legal compliance One of the major areas of risk concerns legal compliance. Major procurements will usually require compliance with EU procurement rules. Failure to follow the rules can result in costly legal action and could even result in the contract award being set aside. To avoid this, major procurements should involve appropriate professional advice at an early stage.

Procurement process A number of risks can arise from the procurement process itself. For example a decentralised system could mean that economies of scale are not realised or that procurement is undertaken by inexperienced staff. On the other hand a very centralised system may be inflexible and unresponsive to service needs. Few organisations measure the true cost of procurement.

Fraud There are a number of fraud risks in the procurement process. These could include:

• bribery of staff to award a contract or disclose advantageous information; collusion between ‘competing’ contractors
• Invoice fraud to secure payments for goods or services not provided
• Payment fraud to divert genuine payments to contractors to fraudulent bank accounts.

The Annual Fraud Indicator 2012 compiled by the National Fraud Authority estimates that procurement fraud in the public sector amounts to £2.29 billion. A fraud loss tool, developed by the National Fraud Authority, is available on the CIPFA TISonline website to allow English local authorities to estimate their exposure to procurement fraud. CIPFA has produced guidance documents on procurement fraud which can help identify the risks and take appropriate action. Further details are provided in the resource list.

Contracting – key risks

Due diligence and contractor vetting During the contractor evaluation process a proper due diligence process should be undertaken to evaluate the contractor’s suitability for the service. Advice on suitable financial and other checks is available in a CIPFA guide produced in association with Grant Thornton. It is also important to be aware of risks during the lifetime of the contract, for example is a key contractor experiencing financial difficulties and likely to go out of business?

Contract Management Effective management of the contract and monitoring of performance is essential to ensure that:

• The service is delivered to the standards expected.
• Payments are made only for services / goods supplied.
• Opportunities for improvement are identified.

This can be a weak area and the reasons for this could be a lack of suitably experienced staff to properly assess the contractor’s performance. Ensuring that adequate and accurate data is collected and evaluated is a key part of the contract management process. There are also risks of collusion between contractor and contract management staff.

Contingency planning In the event of service failure, whether temporary or longer-term, organisations should have contingency plans for the delivery of essential services. This can be difficult if the specialist equipment, knowledge or expertise is not readily available.

Audit Committee Role

There are a number of ways in which the audit committee is likely to review the effectiveness of the organisation’s management of its commissioning & procurement risks.

• Oversight of the control framework. For example whether the organisation has up to date and effective strategies and policies in place.
• Review of risk registers and major commissioning and procurement risks.
• Review of governance arrangements over partnerships and shared services.
• Review of the governance and assurance arrangements for major projects that involve procurement.
• Review of the internal audit plan and reports. The audit committee should consider the extent to which they cover these risks.
• The assurances that underpin the Annual Governance Statement are likely to cover commissioning and procurement activity.

Wherever procurement and commissioning appears on the audit committee agenda, members of the committee should be seeking assurance that the risks have been fully identified, that controls are in place to manage the risk and that they are effective in practice.

Key questions to ask:

1. Have the major areas of procurement spend been identified and what assurance do we have over those areas?

2. Are policies and strategies to ensure compliance and value for money in place? How effectively do they work in practice?

3. What is the risk from procurement fraud? What steps have we taken to prevent and detect fraud of this type?

4. Are there plans to establish new partnerships, shared services or projects that will involve commissioning or procurement of services? Have the risks been identified and how will we get assurance?

5. Do we have effective arrangements to carry out due diligence checks and monitoring during the lifetime of a contract?

Sources of further information:

Procurement Fraud briefing

Reducing the risks of procurement fraud briefing

Annual Fraud Indicator, from the National Fraud Authority

Due Diligence – A guide to Pre-Qualification Questionnaires

Procurement and Contract Audit Forum, has audit programmes and information to support the audit of procurement. The forum is supported by CIPFA’s Audit Panel and the Better Governance Forum.

CIPFA Procurement and Commissioning Network have resources for procurement professionals.

Diana Melville Governance Advisor CIPFA Better Governance Forum

Current developments in procurement & commissioning

The landscape of procurement and commissioning is constantly changing in response to government policy, case law, emerging good practice, risks and service needs. The following areas reflect some of the current developments that public bodies are currently dealing with.

Public Services (Social Value) Act 2012 The Public Services (Social Value) Act became law on 8th March 2012. Under the Act, for the first time, all public bodies in England and Wales are required to consider how the services they commission and procure might improve the economic, social and environmental well-being of the area.

It applies to all English and some Welsh bodies who will have to comply with the new law, including local authorities, government departments, NHS Trusts, PCTs, fire and rescue services, and housing associations.

The provisions will apply to all public services contracts and those public services contracts with only an element of goods or works. It will not apply to public work contracts or public supply (goods) contracts. However, there is widespread approval for public bodies considering social value in all forms of contracts including support from Nick Hurd, Minister for the Cabinet Office. It is expected that the Act will come into force from January 2013.

Community Right To Challenge On 17 May 2012, in exercise of powers conferred by sections 81 and 235 of the Localism Act 2011, the Secretary of State made the Community Right to Challenge (Expressions of Interest and Excluded Services) (England) Regulations 2012, SI 2012/1313.

They came into force on 27 June 2012. Regulation 3 and Schedule 1 specify requirements for expressions of interest for the purposes of Section 81(1)(b). Regulation 4 and Schedule 2 specify services that are to be excluded for the purposes of Section 81(5), in some cases only until 1 April 2014. The Secretary of State has also issued Statutory Guidance on the Community Right to Challenge.

Abnormally Low Tenders – Your contracts are at risk! The tough economic climate has led to an upsurge in suicide bidding – tendering at silly prices. This worrying practice is demonstrated in the construction industry: a RICS survey of nearly 400 quantity surveyors has shown contractors putting in bids below cost. 20% of tenders submitted during 2010 – 2011 were priced at a “sub-economic level”. Most suicide bids were 10% below cost but some were 40% under!

The findings also show that more than 50% have seen a client accepting a “sub-economic tender” in the full knowledge it was “potentially unviable”. Construction industry tender prices have fallen by about 15% since the start of the recession and suicide bidding has already caused some contractors to go bust.

Therefore tender with caution and be aware of recent ECJ case law which requires contracting authorities to investigate Abnormally Low Tenders. Failing to do so may put your contract in peril!

For detailed information on these areas contact the Procurement & Commissioning Network.

Mohamed Hans Procurement Advisor [email protected]


Developments you may need to know about:

Local Government (Wales) Measure 2011 – statutory guidance The Welsh Government undertook consultation earlier this year on the statutory guidance to support the implementation of this legislation, including guidance on audit committees (section 85.1). The statutory guidance has now been published. Welsh authorities are required to establish an audit committee and the statutory guidance advises authorities to review the guidance contained in the CIPFA publications “Audit Committees: Practical Guidance for Local Authorities” and “A toolkit for Local Authority Audit Committees” as complementary to the statutory guidance. The Toolkit is available on the Audit Committee page of the Better Governance Forum website.

Welsh audit committees must appoint at least one lay member and up to a third may be lay members. The chair of the committee must not be from the same political group as the executive. The authority should adopt a Statement of Purpose for its audit committee ensuring that the committee is given a prime role in ensuring that effective corporate governance is central to the organisation. Statutory Guidance

National Fraud Indicator The National Fraud Authority publishes an annual indicator of the level of fraud in the UK. The assessment breaks down the total fraud by sector and by major types of fraud. It estimates that the loss to the public sector from fraud is £20.3 billion, of which £14 billion is loss to the tax system. Fraud loss in central government is estimated to be £2.5 billion and the loss to local government £2.2 billion. In addition there is a further loss of £1.6 billion on benefit and tax credit fraud. In local government the areas of the greatest fraud are estimated to be housing tenancy fraud (£900 million) and procurement fraud (£890 million). National Fraud Indicator 2012

Fighting Fraud Locally The National Fraud Authority launched the strategy for local government in April. Its aim is to help local authorities to better protect themselves from fraud and to have in place a more effective fraud response. To improve a local authority’s strategic approach to fraud the National Fraud Authority (NFA) recommends that there should be an annual report to the audit committee on all matters relating to fraud. This should include an assessment of the effectiveness of the authority’s fraud response. The NFA wrote to the chairs of all local authority audit committees to make them aware of the strategy. CIPFA has been working with the NFA to develop and extend resources and guidance for counter fraud practitioners and also for those charged with governance. On the Audit Committee page of our website you will find links to the Counter Fraud Standards Managing the Risk of Fraud (Red Book) and a checklist for those charged with governance. On CIPFA’s TISonline website there are further resources available in the fraud risk management section. Issue 3 of Audit Committee Update (October 2010) featured articles on counter fraud and the role of the audit committee. It includes two case studies of how local authority audit committees contribute to the fight against fraud.

Review of Good Governance Guidance Note A steering group made up of CIPFA, Solace and practitioners is currently updating the Guidance Note that accompanied the Good Governance Framework in 2007. A draft for English local authorities will be released for consultation later this summer with publication due in December 2012. A separate publication is also being developed to support police bodies and reflect the changes happening in that sector. The guidance note will feature new guidance on addressing governance issues that local authorities are facing. Since the governance framework is principles based it can be adapted to reflect changing circumstances and the updated guidance note will facilitate this.

Localism Act – code of conduct Under the Localism Act local authorities are required to put in place new arrangements by 1st July to fulfil their responsibilities for ethical standards. Two templates have been produced by the DCLG and LGA to guide the development of a local code of conduct. A briefing on the Localism Act is available on the Better Governance Forum website. Example formats for Local Code

Internal Audit Standards Advisory Board and new professional standards for internal audit CIPFA is collaborating with the Chartered Institute of Internal Auditors on a number of professional developments. A new Board was established in March this year to develop new public sector internal audit professional standards. The standards will be published for consultation soon and following the consultation they will be finalised at the end of 2012. The new standards will come into force from April 2013 and will be mandatory for all public sector bodies. It is proposed that a ‘comply or explain’ requirement will be introduced. Audit committees will have an important role to play in monitoring the compliance of the internal audit service against the professional standards and supporting improvement. Details of the consultation will be published on the CIPFA website. An article outlining the work of the Board appeared in Public Finance a few weeks ago.

Appointment of external auditors The Audit Commission concluded the outsourcing of external audits for local government, health, police and other bodies recently. The appointments are all for a five year period. Further details are available on the Audit Commission website. In the Queen’s Speech a bill was announced to take forward the Government’s objective of local appointment of external auditors. The draft bill is expected to be published for pre-legislative scrutiny later this summer.

Audit Quality Review Programme The Audit Commission publish an annual report of the appointed external auditors for health and local government. The review covers the quality of the audits performed and compliance with regulatory requirements. Audit Quality Review

Local Government Governance Review, Grant Thornton External auditors Grant Thornton have issued a major research report, High Pressure System, reviewing governance arrangements and Annual Governance Statements (AGS) in local authorities. The research included a desktop review of 200 councils’ 2010/11 AGS comparing them to their best practice criteria. The review found that more could be done to make the AGS more accessible to the public and more effective as an assessment. Areas for improvement included demonstrating what assurance is needed to support the AGS and concluding explicitly where they have received sufficient assurance. The review also includes sections on the contribution of the audit committee to governance, risk management, scrutiny arrangements and counter fraud. Other key documents for public reporting, including the explanatory foreword to the accounts are also assessed. Again a range of practice and quality was identified and there are opportunities to improve the usefulness of the document to the public. High Pressure System

Internal Audit in Central Government The National Audit Office has published a value for money review of internal audit in central government. They conclude that Government is not getting the most out of the £70 million it spends on internal audit because the service does not always focus on the right issues and it is often not of sufficient quality to be useful in decision-making. The report identifies the NAO’s key characteristics of an effective internal audit service. Audit committee members in central government bodies should consider the report and its recommendations. Effectiveness of Internal Audit

Value for money from shared services The National Audit Office (NAO) published a report in March ‘Efficiency and reform in government corporate functions through shared service centres’. The report focused on shared service arrangements in central government but the key messages are important for any public body planning the implementation of shared service arrangements. NAO report

UK Code of Governance and Audit Committee consultations The Financial Reporting Council has issued consultations on the UK code of governance and on the role of the audit committee. The consultations are not applicable for the public sector but for governance and audit committee practitioners they will be of general interest. Of particular note is the proposal that the audit committee should advise the board on whether the annual report is fair, balanced and understandable and provides the information necessary for users to assess the company’s performance, business model and strategy. Financial Reporting Council

The audit committee cycle

Review of Annual Governance Statements & Financial Statements

Prior to the end of September local authorities must approve their accounts and annual governance statements (AGS). Audit Committees usually play a significant role in reviewing not just the final documents, but reviewing supporting assurances and contributing to the development of the draft documents.

Issue 2 of Audit Committee Update included an article on the audit committee role in reviewing the AGS. For 2011/12 it will now be a requirement to ‘comply or explain’ in the AGS against the CIPFA Statement on the Role of the Chief Financial Officer. Guidance on this is provided in the Application Note.

A webinar is available to view covering the 2011/12 AGS.

Audit annual reports and review of effectiveness The annual report of the Head of Internal Audit, including the opinion on the control environment, is a key document to support the AGS. The report should include:

• An opinion on the overall adequacy and effectiveness of the organisation’s control environment.
• Disclose any qualifications to that opinion, together with reasons for the qualification.
• Present a summary of the audit work from which the opinion is derived, including reliance placed on work by other assurance bodies.
• Draw attention to any issues the Head of Internal Audit judges particularly relevant to the preparation of the AGS.
• Compare the work actually undertaken with the work that was planned and summarise the performance of the internal audit function against its performance measures and targets.
• Comment on compliance with these (CIPFA code of Practice) standards and communicate the results of the internal audit quality assurance programme.

Code of Practice for Internal Audit in Local Government, CIPFA

Professional standards for internal audit (IIA and CIPFA) require appropriate quality review arrangements to be in place and the results of these reviews should help the audit committee to assess the assurances it receives from internal audit. In addition, the Accounts and Audit Regulations 2011 require local authorities to assess annually the effectiveness of internal audit.

Audit Committee Annual Reports Many audit committees prepare an annual report to demonstrate how they have fulfilled their terms of reference and to account for their performance. Key aspects to consider including are:

• Committee membership
• Summary of activity, including key topics, decisions and recommendations.
• Review of the committee’s effectiveness, including any external assessment results.
• Development activity undertaken. For example training, networking with other audit committees or peer reviews.

Annual reports should be publicly available and care should be taken to make them readable and accessible. We are keen to share good examples of annual reports so please send a copy to [email protected] and we will feature it on our website.

Published by:

CIPFA \ THE CHARTERED INSTITUTE OF PUBLIC FINANCE AND ACCOUNTANCY

3 Robert Street, London WC2N 6RL

www.cipfa.org.uk

©2012 CIPFA

No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the authors or publisher.

While every care has been taken in the preparation of this publication, it may contain errors for which the publisher and authors cannot be held responsible.


Diana Melville Governance Advisor CIPFA Better Governance Forum 3 Robert Street London WC2N 6RL 01722 349398 [email protected] www.cipfa.org.uk/bgf

Certificate No. 5631/06

Agenda Item 14

Committee: Audit and Risk Management Committee
Date: 20th September 2012
Item no.:

Subject: Internal Audit Reporting lines and Terms of Reference
Public

Report of: The Town Clerk and the Chamberlain
For Decision

Summary

The Committee has previously discussed appropriate reporting arrangements, given both changing expectations and the changed status of the City’s Audit and Risk Management Committee. Following discussion at the June and July 2012 Committee meetings with the Chamberlain and Comptroller and City Solicitor it was agreed that the existing internal audit reporting lines would be codified and confirmed with the Committee.

The codification of internal audit reporting lines has been set out in an expanded internal audit terms of reference (ToR). The internal ToR was last reviewed and agreed in March 2011 by the former Audit & Risk Management sub-committee.

Recommendation: Members are recommended to consider this report and agree the revised internal audit ToR.

Main Report

Purpose of Report

1. The Committee has previously considered a number of reports on its role and ways of working. The Committee has requested proposals on how the internal audit function can be made to be more separate and independent from the finance function. It was agreed at the June 2012 meeting to enhance the current arrangements by codifying the reporting lines.

Existing Arrangements

2. The Committee will be aware of the existing arrangements, under which the City Corporation has charged the Chamberlain, as its Chief Financial Officer (CFO) with the responsibility for managing internal audit. This is the conventional arrangement within local government and reflects the fact that the role of the Chief Financial Officer (CFO) in local government is unique in a number of respects so far as internal audit is concerned.

Enhancing the Existing Arrangements

3. Whilst requiring the CFO to manage internal audit has many advantages, it does also have a key risk in that these relationships and interdependencies might compromise internal audit’s independence and objectivity.

4. Consequently, the Chamberlain has always put in place specific arrangements to ensure independence and objectivity.

5. The independence of the internal audit activity is ensured by the dual reporting relationship to management and the Corporation’s most senior oversight group, now the Audit and Risk Management Committee. Specifically, the Head of Internal Audit reports to the Chamberlain for assistance in establishing direction, support, and administrative interface; and typically to the ARM committee for strategic direction, reinforcement, and accountability. The internal auditors have access to records and personnel as necessary, and are allowed to employ appropriate auditing techniques without impediment.

6. To maintain objectivity, internal auditors have no personal or professional involvement with or allegiance to the areas being audited and are expected to maintain an un-biased and impartial mindset in regard to all engagements.

7. However, in undertaking this review, it is clear that it would further improve the current arrangements if all the various protocols and working practices were brought together into a code of practice setting out such things as:

• Reporting lines to the Committee
• Rights of access to members and Chief Officers
• Rights of access to records
• Rights to attend meetings
• Staffing and resourcing
• Audit Planning processes and protocols
• Definition of the scope of non-audit work to be undertaken
• Consultation processes on draft audit reports
• Whistle blowing and fraud detection

Internal Audit Terms of Reference

8. In accordance with best practice and CIPFA guidance, the Internal Audit Section has defined terms of reference, as previously approved by the Audit and Risk Management Sub-Committee. This formal document defines the purpose of internal audit, its authority and responsibility. It establishes the position of internal audit within the organisation; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. The internal audit Terms of Reference (ToR) were last reviewed in March 2011.

9. The ToR (see Appendix 1) have been reviewed and expanded in certain areas to ensure internal audit reporting lines are clearly codified and all the areas identified at paragraph 7 have been clearly addressed.

10. The ToR have also been reviewed against the draft Public Sector Internal Audit Standards (PSIAS). This standard has been developed in collaboration with the Institute of Internal Auditors (IIA) and other relevant Internal Audit Standard Setters (RIASS) such as CIPFA and the Treasury and is currently out to consultation. The PSIAS will soon replace the CIPFA internal audit code of practice which is currently the most applicable standard for the City of London internal audit function. The PSIAS refers to an Audit Charter being established for internal audit, although in local government the term internal audit terms of reference is more commonly used.

11. The main changes to the City of London internal audit terms of reference are as follows:-

• Updating for establishment of grand Audit and Risk Management Committee and job title changes
• Clarification of Head of Audit line management reporting line to Chamberlain with additional professional and managerial support provided by Business Support Director
• Codification of Head of Audit access and reporting to Members outside of formal Committee meetings and recognition of quarterly liaison meetings with Audit and Risk Management Committee Chairman and Deputy Chairman
• Recognition of Chamberlain role in mediating disagreement between Chief Officers and internal audit in first instance on audit review findings
• Clarification of how independent assurance on activities managed by Head of Audit and Assurance will be provided to senior management and Audit and Risk Management Committee.

Conclusion

12. The Corporation’s current arrangements are long standing and are founded on the CFO’s duties regarding ‘compliance with the statutory requirements for accounting and internal audit’. Nevertheless, they comply with the most up to date best practice recommendations for local government.

13. The review and confirmation of the internal audit Terms of Reference codifies the independence and objectivity of the operation and reporting of the internal audit function.

Contact:

Chris Bilsland Chamberlain [email protected] Tel: 0207 332 1300.

Appendix 1 – with changes highlighted

CITY OF LONDON

INTERNAL AUDIT

TERMS OF REFERENCE

Definition of Internal Audit

Internal Audit is an assurance function that provides an independent and objective opinion to the organisation on the control environment, by evaluating its effectiveness in achieving the organisation’s objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. The control environment comprises the systems of governance, risk management and internal control.

Internal Audit Rationale

The purpose of Internal Audit is to examine the City’s activities through independent and objective reviews of operations, financial systems and internal controls, assessing the reliability and integrity of information, compliance with policy and regulations and the processes for the safeguarding of assets.

Furthermore, it adds value and improves the City’s operations by promoting a robust control environment, best practice in governance and risk management as well as making recommendations for improvements in operating efficiencies. Its work plans are aligned to the Strategic Aims and Key Policy Priorities of the City of London through a thorough risk assessment, understanding of these aims and priorities and continuous engagement with senior management. In the current climate particular emphasis is given to Key Policy Priority 2:

“Seeking to maintain the quality of our public services whilst significantly reducing our expenditure and improving our efficiency”

To achieve this, the Internal Audit section engages with the City’s Corporate and Departmental change programmes, providing expert independent and objective input to emerging issues.

Core activity of the Internal Audit Section will involve the delivery of a programme of audit that utilises a combination of rotation and risk analysis to review all areas of the City’s operations. The Section’s work ethic combines open communication, professionalism, expertise, integrity and trust.

In fulfilment of this, Internal Audit will:

1. Engage with all stakeholders (the Audit and Risk Management Committee and other appropriate Members, the Chamberlain, and all client Chief Officers) to ensure that the internal audit service remains customer-focused and supports the business goals of the City.

2. Conduct a comprehensive, risk-based, audit planning process to ensure that the main risk areas of the City of London’s operations (and external partners, where appropriate) are provided with an appropriate and structured internal audit service to assist in the continuous improvement process. The Head of Audit and Risk Management will report to the Audit & Risk Management Committee on the adequacy of the internal audit resources available to achieve this coverage.

3. Review systems, controls and procedures and, where necessary, make recommendations to ensure that these are both efficient and effective and to monitor the use of resources in pursuit of the defined objectives of the City.

4. Maintain a role in the systems development process, contributing in terms of audit and control requirements.

5. Provide an advisory service to departments with regard to best practice and financial and internal control procedures.

6. Liaise with the City of London’s external auditors and other review agencies in order to maximise the efficiency of audit and scrutiny coverage provided to the City, and minimise the audit and inspection burden.

7. To report the activities of the Internal Audit Section to the Audit and Risk Management Committee and other relevant Service Committee Chairman and Deputy Chairman on a regular basis, including the reporting of internal audit review findings as work is concluded and findings agreed with officers. Where there is disagreement between internal audit and a Chief Officer on the acceptance of significant internal audit recommendations, the Chamberlain will mediate in the first instance prior to the issue being highlighted by internal audit to the Audit and Risk Management Committee.

8. Provide an annual Head of Audit Report and Opinion to the Town Clerk, Chamberlain and Audit and Risk Management Committee on the adequacy of the internal control environment in support of the annual governance statement.

9. In order to satisfy Regulation 6 of the Accounts and Audit Regulations, conduct a review of the effectiveness of the City of London internal audit.

Internal audit Reporting lines

The Head of Audit and Risk Management is line-managed by the Chamberlain and has direct reporting lines to the Chamberlain, Town Clerk, Comptroller and City Solicitor, and the Audit and Risk Management Committee Chairman. Additional professional and managerial support is provided by the Chamberlain’s Business Support Director.

In addition to reporting formally to members at Audit and Risk Management Committee meetings, the Head of Audit & Risk Management has access to all members of City of London Committees in the reporting and discussion of internal audit work and will meet quarterly with the Chairman and Deputy Chairman of the Audit & Risk Management Committee.

Expectations:

In pursuit of the above, the Head of Audit and Risk Management has right of access to all records, assets, personnel and premises, including those of partner organisations and the authority to obtain such explanations as he considers necessary to fulfil these responsibilities, including attendance at City of London meetings.

It is incumbent upon Chief Officers to ensure that the Head of Audit and Risk Management is informed of all system changes and major projects.

Non Audit Areas:

Internal Audit is also responsible for the following:

Risk Management - Providing risk management support to the City of London by promoting the consistent use of risk management and ownership of risk at all levels within the City. This will be achieved through the development and review of the risk management framework, including facilitation of the City of London Strategic Risk Register.

Fraud and Corruption - Promoting fraud awareness and maintaining an effective anti-fraud and corruption function, acting as a central function for the investigation of all irregularities and, where criminal investigation is considered appropriate, to liaise directly with the Police and advise departments on such matters. The Section plays a specific anti-fraud and investigation role in relation to Housing Benefit payments, Tenancy Fraud and the investigation of serious whistleblowing concerns raised through the City of London Whistleblowing policy.

Where the Head of Audit and Risk Management has non-audit responsibilities, independent assurance as to the adequacy and effectiveness of these arrangements will be provided to senior management and the Audit & Risk Management Committee through periodic external assessment. The findings from these assessments will be reported independently of the Head of Audit and Risk Management to the Business Support Director and Chamberlain initially prior to reporting to Committee.

September 2012

Appendix 1 – with changes tracked

CITY OF LONDON

INTERNAL AUDIT

TERMS OF REFERENCE

Definition of Internal Audit

Internal Audit is an assurance function that provides an independent and objective opinion to the organisation on the control environment, by evaluating its effectiveness in achieving the organisation’s objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. The control environment comprises the systems of governance, risk management and internal control.

Internal Audit Rationale

The purpose of Internal Audit is to examine the City’s activities through independent and objective reviews of operations, financial systems and internal controls, assessing the reliability and integrity of information, compliance with policy and regulations and the processes for the safeguarding of assets.

Furthermore, it adds value and improves the City’s operations by promoting a robust control environment, best practice in governance and risk management as well as making recommendations for improvements in operating efficiencies. Its work plans are aligned to the Strategic Aims and Key Policy Priorities of the City of London through a thorough risk assessment, understanding of these aims and priorities and continuous engagement with senior management. In the current climate particular emphasis is given to Key Policy Priority 2:

“Seeking to maintain the quality of our public services whilst significantly reducing our expenditure and improving our efficiency”

To achieve this, the Internal Audit section engages with the City’s Corporate and Departmental change programmes, providing expert independent and objective input to emerging issues.

Core activity of the Internal Audit Section will involve the delivery of a programme of audit that utilises a combination of rotation and risk analysis to review all areas of the City’s operations. The Section’s work ethic combines open communication, professionalism, expertise, integrity and trust.

In fulfilment of this, Internal Audit will:

1. Engage with all stakeholders (the Audit and Risk Management Sub-Committee and other appropriate Members, the Chamberlain, and all client Chief Officers) to ensure that the internal audit service remains customer-focused and supports the business goals of the City.

2. Conduct a comprehensive, risk-based, audit planning process to ensure that the main risk areas of the City of London’s operations (and external partners, where appropriate) are provided with an appropriate and structured internal audit service to assist in the continuous improvement process. The Head of Audit and Risk Management will report to the Audit & Risk Management Committee on the adequacy of the internal audit resources available to achieve this coverage.

3. Review systems, controls and procedures and, where necessary, make recommendations to ensure that these are both efficient and effective and to monitor the use of resources in pursuit of the defined objectives of the City.

4. Maintain a role in the systems development process, contributing in terms of audit and control requirements.

5. Provide an advisory service to departments with regard to best practice and financial and internal control procedures.

6. Liaise with the City of London’s external auditors and other review agencies in order to maximise the efficiency of audit and scrutiny coverage provided to the City, and minimise the audit and inspection burden.

7. To report the activities of the Internal Audit Section to the Audit and Risk Management Sub-Committee and other relevant Service Committee Chairman and Deputy Chairman on a regular basis, including the reporting of internal audit review findings as work is concluded and findings agreed with officers.

8.7. Where there is disagreement between internal audit and a Chief Officer on the acceptance of significant internal audit recommendations, the Chamberlain will mediate in the first instance prior to the issue being highlighted by internal audit to the Audit and Risk Management Committee.

9.8. Provide an annual Head of Audit Report and Opinion assurance summary to the Town Clerk, and the Chamberlain and Audit and Risk Management Committee on the adequacy of the internal control environment in support of the annual governance statement.

9. In order to satisfy Regulation 6 of the Accounts and Audit Regulations provide a portfolio of conduct a review of the effectiveness of the City of London internal audit.

9. evidence for the annual review of the effectiveness of the City’s systems of internal audit.

Internal audit Reporting lines

The Head of Audit and Risk Management Chief Internal Auditor is line-managed by the Chamberlain Exchequer and Business Support Director and has direct reporting lines to the Chamberlain, Town Clerk, Comptroller and City Solicitor, and the Audit and Risk Management Sub-Committee Chairman. Additional professional and managerial support is provided by the Chamberlain’s Business Support Director.

In addition to reporting formally to members at Audit and Risk Management Committee meetings, the Head of Audit & Risk Management has access to all members of City of London Committees in the reporting and discussion of internal audit work and will meet quarterly with the Chairman and Deputy Chairman of the Audit & Risk Management Committee.

Expectations:

In pursuit of the above, the Head of Audit and Risk Management Chief Internal Auditor has right of access to all records, assets, personnel and premises, including those of partner organisations and the authority to obtain such explanations as he considers necessary to fulfil these responsibilities, including attendance at City of London meetings.

It is incumbent upon Chief Officers to ensure that the Head of Audit and Risk Management Chief Internal Auditor is informed of all system changes and major projects.

Non Audit Areas:

Internal Audit is also responsible for the following:

Risk Management - Providing risk management support to the City of London by promoting the consistent use of risk management and ownership of risk at all levels within the City. This will be achieved through the development and review of the risk management framework, including facilitation of the City of London Strategic Risk Register.

Fraud and Corruption - Promoting fraud awareness and maintaining an effective anti-fraud and corruption function, suite. Acting as a central function agency for the investigation of all irregularities and, where criminal investigation is considered appropriate, to liaise directly with the Police and advise departments on such matters. The Section plays a specific anti-fraud and investigation role in relation to Housing Benefit payments, and Tenancy Fraud and the investigation of serious whistleblowing concerns raised through the City of London Whistleblowing policy.

Financial Regulations – Updating the Financial Regulations of the City of London and providing advice as to their application.

Comment [NP1]: This role is now being led mainly by FSD although internal audit retain a key advisory role

Where the Head of Audit and Risk Management has non-audit responsibilities, independent assurance as to the adequacy and effectiveness of these arrangements will be provided to senior management and the Audit & Risk Management Committee through periodic external assessment. The findings from these assessments will be reported independently of the Head of Audit and Risk Management to the Business Support Director and Chamberlain initially prior to reporting to Committee.

September 24 th February 201 21

Agenda Item 15

Committee(s) and Date(s):
Audit and Risk Management Committee, 20th September
Establishment Committee, 27th September

Subject: Staff Declaration of Interests and the Bribery Act
Public
Report of: Town Clerk, Chamberlain and Comptroller and City Solicitor
For Decision
Ward (if appropriate): N/A

Summary

This report sets out proposals to strengthen arrangements for identifying and managing the circumstances in which declarations of interest are required in relation to the Bribery Act, and updates the Committees on supporting processes and communications. The proposal is to introduce a tiered approach defined by risk to ensure a proportionate process is put in place. Officers most at risk will need to make an annual declaration, those with some risk a one-off declaration, and those with lower risk will be made aware of the general requirements on an on-going basis. There are no financial implications although there will need to be some staff resources made available to run the process. This strengthening of existing procedures has been proposed as a means of further demonstrating the City’s compliance with the Bribery Act.

Recommendations

• It is recommended that the Audit and Risk Management Committee (ARMC) and Establishment Committee endorse the proposals set out in paragraphs 4, 5 and 6, and note the associated activities in paragraphs 7, 8 and 9.
• The ARMC is asked to agree comments to forward to the Establishment Committee whose remit it is to approve policy in relation to managing officers so that they can consider and approve the proposals.
• Establishment Committee is asked to approve the proposals in paragraphs 4, 5 and 6, having been made aware of the comments from ARMC and note the associated activities in paragraphs 7 and 8.

Main Report

Background

1. In September 2011 a report was presented to ARMC by the Audit section seeking approval to the City’s Anti-Fraud and Corruption Strategy which included an assessment of the requirements of the Bribery Act, and the likely impact on the City of London Corporation. Although the City Corporation has a relatively low risk in relation to the Bribery Act and culturally local authorities have a long tradition of upholding propriety, it is nonetheless sensible to ensure we manage the most likely potential areas of risk. In December 2011 members of the Audit and Risk Management Committee asked for a review of the process for officer declarations of interests and an awareness campaign.

2. Following discussion at the March meeting, a resolution was taken to the Establishment Committee, to ensure that officers’ obligations to declare interests and to identify potential conflicts were captured as soon as possible. This resolution was received by the Establishment Committee meeting on the 27th March 2012. A report was presented to the ARMC in June 2012 setting out a proposal for how the declarations process could be effectively and proportionately managed and updating Members on planned communications to staff.

Current Position

3. Work on the declaration criteria and process, the Code of Conduct development and the supporting communications has continued. This report sets out progress in these areas and seeks ARMC Members’ views, to take to the Establishment Committee, on how to manage the process in relation to employees, such that the Establishment Committee can, within its remit for employment policy, approve the proposed and supported arrangements.

Proposals

Declaration Process

4. At the last ARMC meeting a draft document was discussed which identified groups of officers by level of risk and suggested how we might address awareness raising, and where appropriate how we might capture declarations. The final document, incorporating feedback, is attached at Appendix A.

5. Attached at Appendix B is a draft of the annual / one-off declaration form for category 1 and 2 officers respectively. This will be accompanied by a short test of understanding for category 1 and 2 officers.

6. It is estimated that around 50 staff will fall into the category 1 definitions and around 200 staff into category 2. It is proposed that the annual declaration process for category 1 officers be carried out to ally with the accounting close down and financial/related party transactions declarations period. This would cover the financial year period (1st April to 31st March). The forms will be sent out and collated by June following the financial year end and held on personnel files. For Category 2 staff, the one-off sign off of understanding is made either at the start of employment for new starters, or at the time we go live with the process for existing employees, and will also be kept on personnel files.

Awareness Raising

7. The Employee Code of Conduct has been revised and includes clearer explanation as to staff obligations to declare potential conflicts of interest. Chief Officers have been consulted on a draft and it is now with the unions for consultation. We are intending to make the Code of Conduct contractual (which requires collective agreement with the unions) which will strengthen the status of the Code. We will be meeting the unions in mid-September to try and reach agreement and a draft of the Code is being presented to the September Establishment Committee.

8. An update on progress since the June ARMC report is provided below:

a. An e-leader article was published to all staff in July, which set out declaration requirements, how to handle potential conflicts of interest and how to deal with gifts and hospitality. A cyclical programme of refresher articles is planned to ensure awareness is maintained over time.

b. The e-leader magazine article will appear in the November edition – in order to spread the messaging out and maintain awareness over time.

c. The viability of a PC screen saver campaign is being scoped to coincide with the re-launch of the revised Code of Conduct.

d. Staff induction process has been reviewed and an updated policy and checklist is ready to be re-published when the revised Code of Conduct is published so that relevant new employees sign-off that they understand their obligations.

e. The updated Code of Conduct contains detailed information about staff declarations, gifts and hospitality so separate guidance is not required; however, a summary of the Bribery Act and an examples document to help people better understand the practical circumstances in which declarations are required will be published with the revised Code.

Third parties / Contracts

9. To ensure that no other party carries out any activities on our behalf that would qualify under the Bribery Act, all contracts have a clause which sets out our expectations of conduct in this respect.

Corporate & Strategic Implications

10. This approach will allow us to ensure we are taking a proportionate and proactive approach to managing these risks. A high employee awareness and compliance with Declaration of Interest and Gifts and Hospitality procedures is an important part of the City’s Anti-Fraud and Corruption Strategy with reference to the standards of conduct expected of employees.

Implications

11. There are no financial implications, although there will need to be resources identified to manage the one-off and annual declaration processes.

12. There will need to be a review of the process for declarations by relevant Members who would be covered by the Bribery Act in relation to the activities they carry out on behalf of the City Corporation. This will be undertaken as a separate project and will go to the appropriate Committees for approval.

Conclusion

13. The introduction of this process will enable the City Corporation to take a measured and appropriate response to ensure it can demonstrate a strong commitment to meeting the requirements of the Bribery Act.

Background Papers

• Declarations of Interest and Bribery Act – June 14th 2012 – report to Audit and Risk Management Committee.
• Anti-Fraud and Corruption Strategy – September 2011 – report to Audit and Risk Management Committee.

Appendices

Appendix A – Criteria for Categorising Officers in relation to the Bribery Act
Appendix B – Annual/One-off Declaration Form

Contact:
Nicky Johnson | [email protected] | 0207 332 3148
Paul Nagle | [email protected] | 0207 332 1277

Bribery Act Appendix A

Officer “Risk” Levels and Actions

This document sets out how we categorise staff for the purposes of the Bribery Act, along with the criteria for assessing risk levels and actions that will be in place to mitigate these risks. Chief Officers will be asked to assess the posts in their department to ensure they identify all posts that meet the criteria.

Category 1 (High)

Criteria:
• Seniority
• Sphere of influence
• High Level of decision making in relation to contracts (+£20K) or lead contract manager
• High autonomy

Compliance requirements:
• Annual sign off on Bribery Act (by end of June)
• Annual test of understanding of Bribery Act
• Declaration reported to Members annually

Examples of staff in each category:
• All Chief Officers
• All procurement officers above grade H (Chamberlain’s Department)
• All staff involved in facilitating foreign contracts or dealing with foreign public bodies

Category 2 (Medium)

Criteria:
• Placing or managing mid level contracts (between £500 and £20K) in value
• Making decisions which will affect commercial companies

Compliance requirements:
• Annual test of understanding of Bribery Act
• One-off sign-off of understanding

Examples of staff in each category:
• All procurement officers in the CLPS
• Any staff managing or monitoring a contract between £500 and £20K in value
• Any staff managing or monitoring contract performance
• Planners and building control

Category 3 (Low)

Criteria:
• All other staff

Compliance requirements:
• General awareness
• Include in induction for new staff

Examples of staff in each category:
• These staff are likely to be open to “individual” rather than “corporate” bribery
• These include officers such as:-
• Housing officers
• Grants officers

Appendix B

Bribery Act Declaration Form for Officers

Post Title and Grade
Department
Name
Category 1 / 2
Declaration Year

All suspected incidents of bribery should be reported to the City Corporation at the time they occur, using the Whistleblowing procedure. You have a duty to the organisation to report any incidents of suspected bribery, even where a colleague (including a more senior manager) has asked you not to do so.

______

Initial Declaration (Category 1 and Category 2 post holders)

Do you understand that in your role you must not become involved in:

Yes No
1 Practices of bribery, or attempted bribery, being made by you, or being undertaken by other employees or workers
2 Practices of bribery, or attempted bribery being made by third parties, either directly to you or to other employees or workers, or on the City Corporation’s behalf
3 Making or receiving a request to make a facilitation payment or other form of bribery to a foreign official, either to accelerate a routine process or to carry out any other activity in an improper way

______

Annual Declaration (Category 1 posts only)

For officers in Category 1 posts, an annual declaration is required. Since the date of the last declaration you signed, or in the past 12 months if this is your first declaration, have you taken part in any of the following:

Yes No
1 Practices of bribery, or attempted bribery, being made by you, or being undertaken by other employees or workers
2 Practices of bribery, or attempted bribery being made by third parties, either directly to you or to other employees or workers, or on the City Corporation’s behalf
3 Making or receiving a request to make a facilitation payment or other form of bribery to a foreign official, either to accelerate a routine process or to carry out any other activity in an improper way

If the answer to any of the questions is yes, please give details here:

I confirm that the above statements are true to the best of my knowledge, information and belief.

Signed: ______ Date: ______

Agenda Item 16

Committee(s) and Date(s):
Audit and Risk Management Committee, 20th September 2012

Subject: Public Sector Internal Audit Standards
Public

Report of: Chamberlain
For Decision

Summary

CIPFA is working with the other Relevant Internal Audit Standard Setters to develop a set of internal audit standards applicable to all areas of the UK public sector based on the mandatory elements of the IIA International Professional Practices Framework.

Although it appears that most of the proposals look to be a continuation of existing best practice and therefore should not be contentious, nevertheless there are important areas which need clarification.

A key concern is that the whole tenor of the proposals should rest on the Key Governance Requirements as set out in the consultation documents. But these appear to be poorly defined and should be exemplified and referred specifically to the law as it applies to local government which is very different from elsewhere in the public sector.

Local authorities should have sufficient freedom to put in place the arrangements that best meet their own requirements. But the norm with standards is to adopt a “comply or explain approach”. Therefore these standards need to define better what the norm is so that local authorities can either demonstrate compliance or explain why they have adopted something different.

It is currently proposed that the new standards are introduced with effect from the 1st April 2013.

Recommendation:

• That the Committee considers this report and agrees that a response to the consultation be submitted based on the issues set out in the report.

Main Report

Background

1. CIPFA is working with the other Relevant Internal Audit Standard Setters to develop a set of internal audit standards applicable to all areas of the UK public sector based on the mandatory elements of the IIA International Professional Practices Framework (IPPF).

2. A copy of the Standards, draft Application note for Local Government and Invitation to comment is appended. The deadline for responses to the Standard has been extended to be in line with the response deadline for the draft Application note of the 1st October 201 to enable the Committee to consider the response.

The Proposed Standards

3. Overall, it appears that most of the proposals look to be a continuation of existing best practice and therefore should not be contentious. Nevertheless there are some important areas which need clarification. It will be noted that in parts there is a “central government” interpretation and in order to submit a fully informed response it would be better if there were also more in the way of a “local government” interpretation. The draft Application Note is a welcome acknowledgment that further clarification is needed but, to my reading, this does not go into sufficient detail yet.

4. A key concern is that the whole tenor of the proposals should rest on the Key Governance Requirements. But in these documents, they appear to be insufficiently defined. These need to be exemplified and referred specifically to the law as it applies to local government which is very different from elsewhere in the public sector. In this context, there are two key things to address:

• The responsibility that falls on members for internal audit through the Accounts and Audit Regulations – usually discharged through the Audit Committee; and
• The responsibilities that fall on the Chief Financial Officer through the Local Government Finance Act to support the Audit Committee and ensure internal audit is independent and effective – usually discharged by the CFO being given the management responsibility for internal audit.

5. Of course, local authorities should be free to put in place the arrangements that best meet their own requirements. But the norm with standards is to adopt a “comply or explain approach”. Therefore these standards need to define what the norm is so that local authorities can either demonstrate compliance or explain why they have adopted something different.

6. So far as Audit Committees are concerned, whilst these are not mandatory in local government, as they are elsewhere in the public sector, it is nevertheless an omission that these standards, whilst they define an audit committee, do not really carry through into the body of the proposals the importance of its role.

7. Some further initial points for Committee consideration are set out in the remainder of this report.

8. The consultation document defines a role – that of “Chief Audit Executive” – the person in a senior position responsible for effectively managing the internal audit activity. Whilst it is acknowledged that the specific job title may vary across organisations, the usual form is Head of Internal Audit and it would be better to refer to that well understood and generic job description rather than a title that does not exist.

9. The intent is that the purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter. Definition by “charter” is not normal practice in the City Corporation or indeed across local authorities generally. Ordinarily, these definitions are contained in Financial Regulations, Standing Orders and an Internal Audit Terms of Reference. This seems to be acknowledged in the Application Note.

10. Internal auditors in UK public sector organisations must conform to the Code of Ethics as set out by the Chartered Institute of Internal Auditors. That’s unlikely to be an issue with CIPFA because of the close partnership arrangements between the two institutes, but might be an issue for other CCAB Accountancy bodies. It would be worth knowing whether there has been appropriate consultation. The Application Note does acknowledge the issue.

11. The document explains Organisational independence as being effectively achieved when the chief audit executive reports functionally to the “board”. However, the examples of functional reporting to the board cut across existing and well defined reporting arrangements across local government generally, and this really needs explanation and justification.

12. The definition of the “Board” is itself interesting –

“The highest level of governing body charged with responsibility to direct and oversee the activities and management of the organisation. Typically, this includes an independent group of directors (e.g. a board of directors, a supervisory board or a board of governors or trustees). If such a group does not exist, the ‘board’ is the head of the company or agency. ‘Board’ may refer to an audit committee to which the governing body has delegated its authority”

13. This definition doesn’t fit at all easily within a local government structure. The Application Note admits that it might mean the Senior Management Team under the Chief Executive. But it could refer to a cabinet or indeed the full Council. And an audit committee that had delegated responsibilities for directing the management of an organisation risks compromising its important independent role - unless what is meant here is purely governance. Clarification here is necessary.

14. Implementation of these standards once confirmed is not expected to involve considerable work; however some minor revision to the internal audit procedures manual and Terms of Reference is likely to be required.

Conclusion

15. The Committee should welcome the fact that CIPFA is working with the other Relevant Internal Audit Standard Setters to develop a set of internal audit standards applicable to all areas of the UK public sector. It is also appropriate that these standards should be based on the mandatory elements of the IIA International Professional Practices Framework.

16. However, whilst most of the proposals look to be a continuation of existing best practice and therefore should not be contentious, nevertheless there are important areas which need clarification.

Appendix 1: Public Sector Internal Audit Standards – Invitation to comment
Appendix 2: Public Sector Internal Audit Standards
Appendix 3: PSIAS Local Government Application Note – Invitation to Comment
Appendix 4: PSIAS Local Government Application Note

Contact: Chris Bilsland Chris.bilsland@cityoflondon.gov.uk | 0207 332 1300

Background Papers:

None

UK Public Sector Internal Audit Standards

Invitation to comment 16 July 2012

Contents

INTRODUCTION

CONSULTATION QUESTIONS

RESPONSE FORM

Invitation to comment

1. Introduction

Organisations in the UK public sector are currently covered by different internal audit standards. In the central government and health (NHS) sectors, the standards are based on those issued by the Institute of Internal Auditors (IIA). Other sectors, such as higher education and charity, apply the IIA Standards directly. The local government sector uses CIPFA’s Code of Practice for internal audit in local government in the UK (the Code).

1.1 As organisations work more closely together in formal partnerships and informal arrangements, and internal auditors work across the public sector, the following weaknesses in the current situation have become apparent:

• a lack of consistency across the UK public sector and inconsistent update processes for the standards in use
• different guidance for different, but related, sectors and
• no structure to articulate public sector needs and influence best practice development.

1.2 The collaboration announced by CIPFA and the IIA in May 2011 has led to an agreement between the Relevant Internal Audit Standard Setters 1 (RIASS) to develop a set of internal audit standards applicable to all areas of the UK public sector based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) - ‘the Public Sector Internal Audit Standards’ (PSIAS) as set out below:

1 The Relevant Internal Audit Standard Setters are: HM Treasury in respect of central government; the Scottish Government, the Department of Finance and Personnel Northern Ireland and the Welsh Government in respect of central government and the health sector in their administrations; the Department of Health in respect of the health sector in England (excluding Foundation Trusts); and the Chartered Institute of Public Finance and Accountancy in respect of local government across the UK.

1.3 To advise them on the development and maintenance of PSIAS the RIASS have established the Internal Audit Standards Advisory Board (IASAB). The Board’s terms of reference and membership are available via http://www.cipfa.org.uk/pt/iasab/index.cfm.

1.4 It is currently proposed that PSIAS will come into force from 1 April 2013 for all sectors, and together with the work of the IASAB, they will provide a:

• coherent and consistent public sector internal audit framework
• coordinated update process, and
• public sector voice in IIA standard setting.

2. Format of PSIAS

2.1 The IIA Standards are reproduced intact (with the changes proposed in the recent IIA consultation in blue) and public sector requirements and interpretations have been included where the RIASS have concluded that additional public sector-specific detail is needed.

2.2 The overarching principle that the RIASS and IASAB kept in mind when considering all potential public sector interpretations and/or specific requirements was that only the minimum number of additions should be made to the existing IIA Standards.

2.3 The criteria against which potential public sector requirements have been judged for inclusion were agreed as:

• where interpretation is required in order to achieve consistent application in the UK public sector
• where the issue is not addressed or not addressed adequately by the current IIA Standards, and
• where the IIA standard would be inappropriate or impractical in the context of public sector governance (taking into account, for example, any funding mechanisms, specific legislation etc).

2.4 In assessing potential interpretations or requirements against those criteria, the IASAB also considered the

• materiality
• relevance
• necessity, and
• integrity of the requirement being proposed (that is, the additional commentary does not cause inconsistency elsewhere).

3. The consultation process

3.1 As PSIAS are new, the RIASS are interested in constituents’ views on all the Standards in the new framework. Consultation questions have been set out in the next section on each Standard, although correspondents need only respond on an exception basis. In order to ensure comments can be properly understood and addressed, the RIASS would prefer respondents to support comments with clear reasons and, where applicable, preferred alternatives.

3.2 Responses to this ITC will be regarded as on the public record unless confidentiality is specifically requested. The RIASS have asked the IASAB Secretariat to collate and analyse the consultation responses on their behalf. Copies of all correspondence and an analysis of responses will then be provided to the IASAB.

3.3 A copy of the draft PSIAS in pdf format can be downloaded from the CIPFA website http://www.cipfa.org.uk/pt/iasab/index.cfm

3.4 To assist respondents, a response form (in Word format) is provided for questions 6 and 7. We would be grateful if respondents could use this form to respond to the consultation as this will assist the analysis.

3.5 Responses are required by 14 September 2012 and should be sent to:

The Secretary
Internal Audit Standards Advisory Board
Policy and Technical Directorate
CIPFA
3 Robert Street
London WC2N 6RL

E-mail: [email protected]

3.6 For ease of handling, e-mailed responses using the Word document form provided are preferred for questions 6 and 7.

Consultation questions

The Relevant Internal Audit Standard Setters (RIASS) are seeking views on the draft PSIAS.

Please respond to the following seven questions, completing the answers to questions 6 and 7 in the Word document form provided.

Question 1 Are there any other areas in the IIA Standards where you believe an additional interpretation or requirement is needed in the PSIAS?

Question 2 Where a sector-specific interpretation or requirement has been included, should this be made applicable in other parts of the public sector and if so, why? (For example, Standard 1110 Organisational Independence.)

Question 3 The implementation timetable is for the PSIAS to come into force on 1 April 2013 for all bodies set out in the Applicability chapter of the PSIAS. Do you know of any potential barriers to full implementation?

Question 4 Standard 2450 Overall Opinions has a public sector requirement box that mandates the chief audit executive to produce an annual report, comprising the annual internal audit opinion; a summary of the work that supports the opinion; and a statement on conformance with the PSIAS and the results of the quality assurance and improvement programme.

Do you think that a ‘conform or explain’ statement is the correct way to demonstrate compliance with the PSIAS?

Question 5 PSIAS applies the mandatory elements of the International Professional Practices Framework (IPPF). Are there other parts of the IPPF or other areas where you believe additional supporting guidance applicable to the whole of the public sector would be beneficial? Please identify these and explain why.

Question 6 Where the RIASS are proposing a public sector requirement or interpretation, do you believe that one is necessary?

Question 7 Where the RIASS are proposing a public sector requirement or interpretation, is the proposed additional text appropriate? (If not, please suggest amendments.)

PSIAS ITC – Q 6 and 7 RESPONSE FORM

Response form columns, to be completed for each section listed below:

Section

Question 6: Where the RIASS are proposing a public sector requirement or interpretation, do you believe that one is necessary?

Question 7: Where the RIASS are proposing a public sector requirement or interpretation, is the proposed additional text appropriate? (If not, please suggest amendments)

Introduction

Code of Ethics

Standards

Attribute Standards

1000 Purpose, Authority and Responsibility

1110 Organisational Independence

1120 Individual Objectivity

1130 Impairment to Independence or Objectivity

1210 Proficiency

1312 External Assessments

1322 Disclosure of Non-conformance

Performance Standards

2010 Planning

2030 Resource Management

2050 Coordination

2210 Engagement Objectives

2450 Overall Opinions

Glossary

Assurance Framework

Audit Committee

Governance Statement

International Professional Practices Framework

Overall Opinion

Public Sector Internal Audit Standards

Table of Contents

Section 1 Introduction

Section 2 Applicability

Section 3 Definition of Internal Auditing

Section 4 Code of Ethics

Section 5 Standards

Attribute Standards

Purpose authority and responsibility

Independence and objectivity

Proficiency and due professional care

Quality assurance and improvement programme

Performance Standards

Managing the internal audit activity

Nature of work

Engagement planning

Performing the engagement

Communicating results

Monitoring progress

Communicating the Acceptance of Risks

Glossary

1 Introduction

A professional, independent and objective internal audit service is one of the key elements of good governance, as recognised throughout the UK public sector.

This document is therefore addressed to Accounting Officers, Accountable Officers, board and audit committee members, heads of internal audit, internal auditors, external auditors and other stakeholders such as chief financial officers and chief executives.

Framework overview

The Relevant Internal Audit Standard Setters 1 have adopted this common set of Public Sector Internal Audit Standards (PSIAS) from 1 April 2013. The PSIAS are based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) as follows:

• Definition of Internal Auditing
• Code of Ethics, and
• International Standards for the Professional Practice of Internal Auditing (including interpretations and glossary).

The mandatory elements of the IPPF have been interpreted or adapted where necessary for the public sector to create the PSIAS. These requirements for the UK public sector have been inserted in such a way as to preserve the integrity of the text of the mandatory elements of the IPPF.

The overarching principle borne in mind when all potential public sector interpretations and/or specific requirements were considered was that only the minimum number of additions should be made to the existing IIA Standards. The criteria against which potential public sector requirements were judged for inclusion were:

• where interpretation is required in order to achieve consistent application in the UK public sector
• where the issue is not addressed or not addressed adequately by the current IIA Standards, or
• where the IIA standard would be inappropriate or impractical in context of public sector governance (taking into account, for example, any funding mechanisms, specific legislation etc).

At the same time, the following concepts were also considered of each requirement or interpretation being proposed:

• materiality
• relevance
• necessity, and
• integrity (the additional commentary does not cause inconsistency elsewhere).

1 The Relevant Internal Audit Standard Setters are: HM Treasury in respect of central government; the Scottish Government, the Department of Finance and Personnel Northern Ireland and the Welsh Government in respect of central government and the health sector in their administrations; the Department of Health in respect of the health sector in England (excluding Foundation Trusts); and the Chartered Institute of Public Finance and Accountancy in respect of local government across the UK.

Wherever reference is made to the International Standards for the Professional Practice of Internal Auditing, this is replaced by the PSIAS. Chief audit executives are expected to report conformance on the PSIAS in their annual report.

Purpose of the PSIAS

The objectives of the PSIAS are to:

• define the nature of internal auditing within the UK public sector
• set basic principles for carrying out internal audit in the UK public sector
• establish a framework for providing internal audit services, which add value to the organisation, leading to improved organisational processes and operations, and
• establish the basis for the evaluation of internal audit performance and to drive improvement planning.

Additional guidance is a matter for the RIASS.

Scope

The PSIAS apply to all internal audit service providers, whether in-house, shared services or outsourced.

All internal audit assurance and consulting services fall within the scope of the Definition of Internal Auditing (see section 3). The provision of assurance services is the primary role for internal audit in the UK public sector. This role requires the chief audit executive to provide an annual internal audit opinion based on an objective assessment of the framework of governance, risk management and control. Consulting services are advisory in nature and are generally performed at the specific request of the organisation. The nature and scope of the consulting engagement should aim to improve governance, risk management and control and should contribute to the overall opinion. When performing consulting services the internal auditor should maintain objectivity and not take on management responsibility.

The Code of Ethics promotes an ethical, professional culture (see section 4). It does not supersede or replace internal auditors’ own professional bodies’ Codes of Ethics or those of employing organisations. Internal auditors must also have regard to the Committee on Standards of Public Life’s Seven Principles of Public Life.

In common with the IIA IPPF on which they are based, PSIAS comprise Attribute and Performance Standards. The Attribute Standards address the characteristics of organisations and parties performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be evaluated. While the Attribute and Performance Standards apply to all aspects of the internal audit service, the Implementation Standards apply to specific types of engagements and are classified accordingly:

Assurance (A) and Consulting (C) activities.

The Standards employ terms that have been given specific meanings that are included in the Glossary.

Key governance elements

Within the PSIAS, the term ‘board’ needs to be interpreted in the context of the governance arrangements within each UK public sector organisation, as these arrangements vary in structure and terminology between sectors and from one organisation to the next within the same sector.

It is also necessary for the chief audit executive to understand the role of the Accounting or Accountable Officer, Chief Financial Officer, chief executive, the audit committee and other key officers or relevant decision-making groups as well as how they relate to each other. Key relationships with these individuals and groups are defined for each internal audit service within its charter.

2 Applicability

The Relevant Internal Audit Standard Setters for the various parts of the UK public sector are shown below, along with the types of organisations in which the PSIAS should be applied.

RELEVANT INTERNAL AUDIT STANDARD SETTER, with the organisations covered in each SECTOR (Central Government, NHS, Local Government)

CIPFA
• Local Government (UK): Local authorities, the Office of the Police & Crime Commissioner, constabularies, fire authorities, National Park authorities, joint committees and joint boards in the UK. only Passenger Transport

HM Treasury
• Central Government (UK*): Government departments and their executive agencies and non-departmental public bodies. This normally excludes public corporations.

Department of Health
• NHS (England): Clinical Commissioning Groups; NHS Trusts

Scottish Government
• Central Government (Scotland): The Scottish Government, the Crown Office and Service, Executive Agencies and non-ministerial departments, non-departmental public bodies, the Scottish Parliament Corporate Body and bodies sponsored / supported by the Corporate Body
• NHS (Scotland): NHS Boards, Special NHS Boards, NHS Board partnership bodies in the public sector (eg joint ventures, Community Health Partnerships etc), NHS Board subsidiaries

Welsh Government
• Central Government (Wales): The Welsh Government, National Assembly for Wales and Welsh Government sponsored bodies including commissioners.
• NHS (Wales): Health Boards and Trusts

Northern Ireland Assembly: Department of Finance and Personnel (NI)
• Government departments, executive agencies, non-ministerial departments, non-departmental public bodies, NI health and social care bodies and other relevant sponsored bodies.

* Unless the body falls under the jurisdiction of the devolved governments.

3 Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

4 Code of Ethics

Public sector requirement

Internal auditors in UK public sector organisations (as set out in the Applicability section) must conform to the Code of Ethics as set out below. If individual internal auditors have membership of another professional body then he or she must also comply with the relevant requirements of that organisation.

The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control and governance.

The Institute’s Code of Ethics extends beyond the definition of internal auditing to include two essential components:

Components

1 Principles that are relevant to the profession and practice of internal auditing;

2 Rules of Conduct that describe behaviour norms expected of internal auditors. These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

The Code of Ethics provides guidance to internal auditors serving others. ‘Internal auditors’ refers to Institute members and those who provide internal auditing services within the definition of internal auditing.

Applicability and Enforcement

This Code of Ethics applies to both individuals and entities that provide internal auditing services. For Institute members, breaches of the Code of Ethics will be evaluated and administered according to The Institute’s Disciplinary Procedures. The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or discreditable and therefore, the member liable to disciplinary action.

Public sector interpretation

The ‘Institute’ here refers to the IIA. Disciplinary procedures of other professional bodies and employing organisations may apply to breaches of this Code of Ethics.

1 Integrity

Principle

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgement.

Rules of Conduct

Internal auditors:

1.1 Shall perform their work with honesty, diligence and responsibility.

1.2 Shall observe the law and make disclosures expected by the law and the profession.

1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation.

1.4 Shall respect and contribute to the legitimate and ethical objectives of the organisation.

2 Objectivity

Principle

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined.

Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgements.

Rules of Conduct

Internal auditors:

2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation.

2.2 Shall not accept anything that may impair or be presumed to impair their professional judgement.

2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3 Confidentiality

Principle

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

Rules of Conduct

Internal auditors:

3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.

4 Competency

Principle

Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services.

Rules of Conduct

Internal auditors:

4.1 Shall engage only in those services for which they have the necessary knowledge, skills and experience.

4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing.

4.3 Shall continually improve their proficiency and effectiveness and quality of their services.

5 Standards

Attribute Standards

1000 Purpose, Authority and Responsibility

The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Interpretation:

The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority and responsibility. The internal audit charter establishes the internal audit activity’s position within the organisation, including the nature of the chief audit executive’s functional reporting relationship with the board; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

Public sector requirement

The internal audit charter must also:
• define the term ‘board’ for the purposes of internal audit activity;
• cover the arrangements for appropriate resourcing;
• define the role of internal audit in any fraud-related work; and
• include arrangements for avoiding conflicts of interest if internal audit undertakes non-audit activities.

1000.A1 The nature of assurance services provided to the organisation must be defined in the internal audit charter. If assurances are to be provided to parties outside the organisation, the nature of these assurances must also be defined in the internal audit charter.

1000.C1 The nature of consulting services must be defined in the internal audit charter.

1010 Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the Internal Audit Charter

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics and the Standards must be recognised in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics and the Standards with senior management and the board.

1100 Independence and Objectivity

The internal audit activity must be independent and internal auditors must be objective in performing their work.

Interpretation:

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional and organisational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional and organisational levels.

1110 Organisational Independence

The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the board, at least annually, the organisational independence of the internal audit activity.

Interpretation:

Organisational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

• approving the internal audit charter;
• approving the risk based internal audit plan;
• approving the internal audit budget and resource plan;
• receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
• approving decisions regarding the appointment and removal of the chief audit executive;
• approving the remuneration of the chief audit executive; and
• making appropriate enquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

Public sector requirement

The chief audit executive must report functionally to the board.

Central Government interpretation

The Accounting/Accountable Officer should undertake, countersign, contribute to or review the performance appraisal of the chief audit executive.

1110.A1 The internal audit activity must be free from interference in determining the scope of internal auditing, performing work and communicating results.

1111 Direct Interaction with the Board

The chief audit executive must communicate and interact directly with the board.

1120 Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Interpretation:

Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfil his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity and the profession. A conflict of interest could impair an individual’s ability to perform his or her duties and responsibilities objectively.

Public sector requirement

Internal auditors who work in the public sector must also have regard to the Committee on Standards of Public Life’s Seven Principles of Public Life, information on which can be found at http://www.public-standards.gov.uk/.

1130 Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

Interpretation:

Impairment to organisational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel and properties and resource limitations, such as funding.

The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit executive’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.

1130.A1 Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

1130.A2 Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.

1130.C1 Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

Public sector requirement

Approval must be sought from the board for any significant additional consulting services not already included in the audit plan, prior to accepting the engagement.

1200 Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.

1210 Proficiency

Internal auditors must possess the knowledge, skills and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities.

Interpretation:

Knowledge, skills and other competencies is a collective term that refers to the professional proficiency required of internal auditors to effectively carry out their professional responsibilities. Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and qualifications, such as the Certified Internal Auditor designation and other designations offered by The Institute of Internal Auditors and other appropriate professional organisations.

Public sector requirement

The chief audit executive must hold a professional qualification (CCAB, CMIIA or equivalent) and be suitably experienced.

1210.A1 The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1 The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 Internal auditors must exercise due professional care by considering the:

Extent of work needed to achieve the engagement’s objectives;

Relative complexity, materiality or significance of matters to which assurance procedures are applied;

Adequacy and effectiveness of governance, risk management and control processes;

Probability of significant errors, fraud, or non-compliance; and

Cost of assurance in relation to potential benefits.

1220.A2 In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.

1220.A3 Internal auditors must be alert to the significant risks that might affect objectives, operations or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1 Internal auditors must exercise due professional care during a consulting engagement by considering the:

Needs and expectations of clients, including the nature, timing and communication of engagement results;

Relative complexity and extent of work needed to achieve the engagement’s objectives; and

Cost of the consulting engagement in relation to potential benefits.

1230 Continuing Professional Development

Internal auditors must enhance their knowledge, skills and other competencies through continuing professional development.

1300 Quality Assurance and Improvement Programme

The chief audit executive must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity.

Interpretation:

A quality assurance and improvement programme is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The programme also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.

1310 Requirements of the Quality Assurance and Improvement Programme

The quality assurance and improvement programme must include both internal and external assessments.

1311 Internal Assessments

Internal assessments must include:

Ongoing monitoring of the performance of the internal audit activity; and

Periodic self-assessments or assessments by other persons within the organisation with sufficient knowledge of internal audit practices.

Interpretation:

Ongoing monitoring is an integral part of the day-to-day supervision, review and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards.

Periodic assessments are conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.

1312 External Assessments

External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. The chief audit executive must discuss with the board:

The form of external assessments;

The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest; and

The need for more frequent external assessments.

Interpretation:

External assessments can be in the form of a full external assessment, or a self-assessment with independent validation.

A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organisations of similar size, complexity, sector or industry and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified.

An independent assessor or assessment team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organisation to which the internal audit activity belongs.

Public sector requirement

The chief audit executive must agree the scope of external assessments with an appropriate sponsor e.g. the Accounting/Accountable Officer or board as well as with the external assessor or assessment team. The chief audit executive must also communicate the results of external assessments to the sponsor. Progress against any improvement plans, agreed following external assessment, must be reported in the annual report.

1320 Reporting on the Quality Assurance and Improvement Programme

The chief audit executive must communicate the results of the quality assurance and improvement programme to senior management and the board.

Interpretation:

The form, content and frequency of communicating the results of the quality assurance and improvement programme is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor’s or assessment team’s evaluation with respect to the degree of conformance.

1321 Use of Conforms with the International Standards for the Professional Practice of Internal Auditing

The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement programme support this statement.

Interpretation:

The internal audit activity conforms with the International Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics and International Standards.

The results of the quality assurance and improvement programme include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.

1322 Disclosure of Non-conformance

When non-conformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and the impact to senior management and the board.

Public sector requirement

Instances of non-conformance must be reported to the board. More significant deviations must be considered for inclusion in the governance statement.

Performance Standards

2000 Managing the Internal Audit Activity

The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organisation.

Interpretation:

The internal audit activity is effectively managed when:

The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter;

The internal audit activity conforms with the Definition of Internal Auditing and the Standards; and

The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.

The internal audit activity adds value to the organisation (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management and control processes.

2010 Planning

The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.

Interpretation:

The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organisation’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organisation. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organisation’s business, risks, operations, programs, systems, and controls.

Public sector requirement

The plan must take into account the requirement to produce an annual internal audit opinion, the relative risk maturity of the organisation and the assurance framework.

Public sector interpretation:

The chief audit executive may produce an audit strategy in addition to risk-based plans. The strategy is the high-level statement of how the internal audit service will be delivered and developed in accordance with the internal audit charter and how it links to the organisational objectives and priorities. It should be sufficiently flexible and kept up to date with the organisation and its changing risks and priorities. The risk-based plan is usually set for a period of one year. It should outline the assignments to be carried out, their respective priorities and the estimated resources needed. The plan should differentiate between assurance and other work.

2010.A1 The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.A2 The chief audit executive must identify and consider the expectations of senior management, the board and other stakeholders for internal audit opinions and other conclusions.

2010.C1 The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value and improve the organisation’s operations. Accepted engagements must be included in the plan.

2020 Communication and Approval

The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.

2030 Resource Management

The chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan.

Interpretation:

Appropriate refers to the mix of knowledge, skills and other competencies needed to perform the plan. Sufficient refers to the quantity of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimises the achievement of the approved plan.

Public sector requirement

The risk-based plan (or strategy) must explain how internal audit’s resource requirements have been assessed. Where the chief audit executive believes that the level of agreed resources will impact adversely on the provision of the annual internal audit opinion, the consequences must be brought to the attention of the board.

2040 Policies and Procedures

The chief audit executive must establish policies and procedures to guide the internal audit activity.

Interpretation:

The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.

2050 Coordination

The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimise duplication of efforts.

Public sector requirement

The chief audit executive must include in the risk-based plan (or strategy) the approach to using other sources of assurance and any work required to place reliance upon those other sources.

2060 Reporting to Senior Management and the Board

The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues and other matters needed or requested by senior management and the board.

Interpretation:

The frequency and content of reporting are determined in discussion with senior management and the board and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board.

2070 External Service Provider and Organisational Responsibility for Internal Audit

When an external service provider serves as the internal audit activity, the provider must make the organisation aware that the organisation has the responsibility for maintaining an effective internal audit activity.

Interpretation:

This responsibility is demonstrated through the quality assurance and improvement programme which assesses conformance with the Definition of Internal Auditing, the Code of Ethics and the International Standards.

2100 Nature of Work

The internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach.

2110 Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

Promoting appropriate ethics and values within the organisation;

Ensuring effective organisational performance management and accountability;

Communicating risk and control information to appropriate areas of the organisation; and

Coordinating the activities of and communicating information among the board, external and internal auditors and management.

2110.A1 The internal audit activity must evaluate the design, implementation and effectiveness of the organisation’s ethics-related objectives, programmes and activities.

2110.A2 The internal audit activity must assess whether the information technology governance of the organisation supports the organisation’s strategies and objectives.

2110.C1 => moved to 2210.C2

2120 Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Interpretation:

Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:

Organisational objectives support and align with the organisation’s mission;

Significant risks are identified and assessed;

Appropriate risk responses are selected that align risks with the organisation’s risk appetite; and

Relevant risk information is captured and communicated in a timely manner across the organisation, enabling staff, management and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organisation’s risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

2120.A1 The internal audit activity must evaluate risk exposures relating to the organisation’s governance, operations and information systems regarding the:

Achievement of the organisation’s strategic objectives;

Reliability and integrity of financial and operational information;

Effectiveness and efficiency of operations and programmes;

Safeguarding of assets; and

Compliance with laws, regulations, policies, procedures and contracts.

2120.A2 The internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk.

2120.C1 During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.

2120.C2 Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organisation’s risk management processes.

2120.C3 When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

2130 Control

The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation’s governance, operations and information systems regarding the:

Achievement of the organisation’s strategic objectives;

Reliability and integrity of financial and operational information;

Effectiveness and efficiency of operations and programmes;

Safeguarding of assets; and

Compliance with laws, regulations, policies, procedures and contracts.

2130.C1 => moved to 2220.C2

2130.C1 Internal auditors must incorporate knowledge of controls gained from consulting engagements into the evaluation of the organisation’s control processes.

2200 Engagement Planning

Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing and resource allocations.

2201 Planning Considerations

In planning the engagement, internal auditors must consider:

The objectives of the activity being reviewed and the means by which the activity controls its performance;

The significant risks to the activity, its objectives, resources and operations and the means by which the potential impact of risk is kept to an acceptable level;

The adequacy and effectiveness of the activity’s governance, risk management and control processes compared to a relevant framework or model; and

The opportunities for making significant improvements to the activity’s governance, risk management and control processes.

2201.A1 When planning an engagement for parties outside the organisation, internal auditors must establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2201.C1 Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities and other client expectations. For significant engagements, this understanding must be documented.

2210 Engagement Objectives

Objectives must be established for each engagement.

2210.A1 Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

2210.A2 Internal auditors must consider the probability of significant errors, fraud, non-compliance and other exposures when developing the engagement objectives.

2210.A3 Adequate criteria are needed to evaluate governance, risk management and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.

Public sector interpretation

In the public sector, criteria are also likely to include value for money.

2210.C1 Consulting engagement objectives must address governance, risk management and control processes to the extent agreed upon with the client.

From 2110.C1 => 2210.C2

Consulting engagement objectives must be consistent with the organisation’s values, strategies and objectives. (NB this has changed as well as moved. It used to say: ‘Consulting engagement objectives must be consistent with the overall values and goals of the organisation.’)

2220 Engagement Scope

The established scope must be sufficient to satisfy the objectives of the engagement.

2220.A1 The scope of the engagement must include consideration of relevant systems, records, personnel and physical properties, including those under the control of third parties.

2220.A2 If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1 In performing consulting engagements, internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether to continue with the engagement.

2220.C2 (from 2130.C1) During consulting engagements, internal auditors must address controls consistent with the engagement’s objectives and be alert to significant control issues.

2230 Engagement Resource Allocation

Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints and available resources.

2240 Engagement Work Programme

Internal auditors must develop and document work programmes that achieve the engagement objectives.

2240.A1 Work programmes must include the procedures for identifying, analysing, evaluating and documenting information during the engagement. The work programme must be approved prior to its implementation and any adjustments approved promptly.

2240.C1 Work programmes for consulting engagements may vary in form and content depending upon the nature of the engagement.

2300 Performing the Engagement

Internal auditors must identify, analyse, evaluate and document sufficient information to achieve the engagement’s objectives.

2310 Identifying Information

Internal auditors must identify sufficient, reliable, relevant and useful information to achieve the engagement’s objectives.

Interpretation:

Sufficient information is factual, adequate and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organisation meet its goals.

2320 Analysis and Evaluation

Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

2330 Documenting Information

Internal auditors must document relevant information to support the conclusions and engagement results.

2330.A1 The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2 The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organisation’s guidelines and any pertinent regulatory or other requirements.

2330.C1 The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties. These policies must be consistent with the organisation’s guidelines and any pertinent regulatory or other requirements.

2340 Engagement Supervision

Engagements must be properly supervised to ensure objectives are achieved, quality is assured and staff are developed.

Interpretation:

The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. The chief audit executive has overall responsibility for supervising the engagement, whether performed by or for the internal audit activity, but may designate appropriately experienced members of the internal audit activity to perform the review. Appropriate evidence of supervision is documented and retained.

2400 Communicating Results

Internal auditors must communicate the results of engagements.

2410 Criteria for Communicating

Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations and action plans.

2410.A1 Final communication of engagement results must, where appropriate, contain internal auditors’ opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board and other stakeholders and must be supported by sufficient, reliable, relevant and useful information.

Interpretation:

Opinions at the engagement level may be ratings, conclusions or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk or business unit. The formulation of such opinions requires consideration of the engagement results and their significance.

2410.A2 Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

2410.A3 When releasing engagement results to parties outside the organisation, the communication must include limitations on distribution and use of the results.

2410.C1 Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

2420 Quality of Communications

Communications must be accurate, objective, clear, concise, constructive, complete and timely.

Interpretation:

Accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair, impartial and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances. Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy and wordiness. Constructive communications are helpful to the engagement client and the organisation and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions. Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.

2421 Errors and Omissions

If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.

2430 Use of ‘Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing’

Internal auditors may report that their engagements are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, only if the results of the quality assurance and improvement programme support the statement.

2431 Engagement Disclosure of Non-conformance

When non-conformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the engagement results must disclose the:

Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;

Reason(s) for non-conformance; and

Impact of non-conformance on the engagement and the communicated engagement results.

2440 Disseminating Results

The chief audit executive must communicate results to the appropriate parties.

Interpretation:

The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and deciding to whom and how it will be disseminated.

2440.A1 The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

2440.A2 If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organisation the chief audit executive must:

Assess the potential risk to the organisation;

Consult with senior management and/or legal counsel as appropriate; and

Control dissemination by restricting the use of the results.

2440.C1 The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2 During consulting engagements, governance, risk management and control issues may be identified. Whenever these issues are significant to the organisation, they must be communicated to senior management and the board.

2450 Overall Opinions

When an overall opinion is issued, it must take into account the expectations of senior management, the board and other stakeholders and must be supported by sufficient, reliable, relevant and useful information.

Interpretation:

The communication will identify:

The scope including the time period to which the opinion pertains.

Scope limitations.

Consideration of all related projects including the reliance on other assurance providers.

The risk or control framework or other criteria used as a basis for the overall opinion.

The overall opinion, judgment or conclusion reached.

The reasons for an unfavourable overall opinion must be stated.

Public sector requirement

The chief audit executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement. The annual report must incorporate: the opinion; a summary of the work that supports the opinion; a statement on conformance with the UK Public Sector Internal Audit Standards and the results of the quality assurance and improvement programme.

2500 Monitoring Progress

The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600 Communicating the Acceptance of Risks

When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organisation, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

Interpretation:

The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.

Glossary

Add Value

The internal audit activity adds value to the organisation (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management and control processes.

Adequate Control

Present if management has planned and organised (designed) in a manner that provides reasonable assurance that the organisation’s risks have been managed effectively and that the organisation’s goals and objectives will be achieved efficiently and economically.

Public sector definition: Assurance Framework

This is the primary tool used by a board to ensure that it is properly informed on the risks of not meeting its objectives or delivering appropriate outcomes and that it has adequate assurances on the design and operation of the systems in place to mitigate those risks.

Assurance Services

An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organisation. Examples may include financial, performance, compliance, system security and due diligence engagements.

Board

The highest level of governing body charged with responsibility to direct and oversee the activities and management of the organisation. Typically, this includes an independent group of directors (e.g. a board of directors, a supervisory board or a board of governors or trustees). If such a group does not exist, the ‘board’ is the head of the company or agency. ‘Board’ may refer to an audit committee to which the governing body has delegated its authority.

Public sector definition: Audit Committee

The governance group charged with independent assurance of the adequacy of the risk management framework, the internal control environment and the integrity of financial reporting.

Charter

The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority and responsibility. The internal audit charter establishes the internal audit activity’s position within the organisation; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.

Chief Audit Executive

Chief audit executive describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics and the International Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The specific job title of the chief audit executive may vary across organisations.

Code of Ethics

The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession and practice of internal auditing and Rules of Conduct that describe behaviour expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.

The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.

Compliance

Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Conflict of Interest

Any relationship that is, or appears to be, not in the best interest of the organisation. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.

Consulting Services

Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organisation’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.

Control

Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Environment

The attitude and actions of the board and management regarding the importance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:

Integrity and ethical values.

Management’s philosophy and operating style.

Organisational structure.

Assignment of authority and responsibility.

Human resource policies and practices.

Competence of personnel.

Control Processes

The policies, procedures and activities that are part of a control framework, designed to ensure that risks are contained within the level of risk that an organisation is willing to accept.

Engagement

A specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives

Broad statements developed by internal auditors that define intended engagement accomplishments.

Engagement Opinion

The ratings, conclusions or other descriptions of results of an individual internal audit engagement based upon the procedures performed, relating only to those aspects within the objectives and scope of the engagement.

Engagement Work Programme

A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.

External Service Provider

A person or firm outside of the organisation that has special knowledge, skill and experience in a particular discipline.

Fraud

Any illegal act characterised by deceit, concealment or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organisations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.

Governance

The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organisation toward the achievement of its objectives.

Public sector definition: Governance Statement

The mechanism by which an organisation publicly reports on its governance arrangements each year.

Impairment

Impairment to organisational independence and individual objectivity may include personal conflict of interest, scope limitations, restrictions on access to records, personnel and properties and resource limitations (funding).

Independence

The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Information Technology Controls

Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure and people.

Information Technology Governance

Consists of the leadership, organisational structures and processes that ensure that the enterprise’s information technology supports the organisation’s strategies and objectives.

Internal Audit Activity

A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organisation’s operations. The internal audit activity helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.

International Professional Practices Framework

The conceptual framework that organises the authoritative guidance promulgated by The IIA. Authoritative Guidance is comprised of two categories: (1) mandatory and (2) endorsed and strongly recommended.

Public sector interpretation

Only the mandatory elements apply for the purposes of the PSIAS.

Public sector interpretation: International Standards for the Professional Practice of Internal Auditing

The UK Public Sector Internal Audit Standards take the place of the International Standards where applicable.

Must

The Standards use the word must to specify an unconditional requirement.

Objectivity

An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.

Overall Opinion

The overall ratings, conclusions or other descriptions of results provided by the chief audit executive addressing, at a broad level, governance, risk management and control processes of the organisation. An overall opinion is based on the results of a number of individual engagements and other activities for a specific time interval.

Public sector requirement

The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.

Risk

The effect of uncertainty on objectives. An effect is a deviation from the expected and may be positive or negative. Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.

Risk Appetite

The level of risk that an organisation is willing to accept.

Risk Management

A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organisation’s objectives.

Should

The Standards use the word should where conformance is expected unless, when applying professional judgment, circumstances justify deviation.

Significance

The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.

Standard

A professional pronouncement promulgated by the Internal Audit Standards Board that delineates the requirements for performing a broad range of internal audit activities and for evaluating internal audit performance.

Technology-based Audit Techniques

Any automated audit tool, such as generalised audit software, test data generators, computerised audit programmes, specialised audit utilities and computer-assisted audit techniques (CAATs).


Local Government Application Note For the UK Public Sector Internal Audit Standards

Invitation to comment 31 August 2012


Contents

INTRODUCTION

CONSULTATION QUESTIONS

Invitation to comment

1. Introduction

1.1 Organisations in the UK public sector are currently covered by different internal audit standards. In the central government and health (NHS) sectors, the standards are based on those issued by the Institute of Internal Auditors (IIA). Other sectors, such as higher education and charity, apply the IIA Standards directly. The local government sector uses CIPFA’s Code of Practice for internal audit in local government in the UK (the Code).

1.2 As organisations work more closely together in formal partnerships and informal arrangements, and internal auditors work across the public and private sectors, the following weaknesses in the current situation have become apparent:

• a lack of consistency across the UK public sector and inconsistent update processes for the standards in use

• different guidance for different, but related, sectors and

• no structure to articulate public sector needs and influence best practice development.

1.3 The collaboration announced by CIPFA and the IIA in May 2011 has led to an agreement between the Relevant Internal Audit Standard Setters (RIASS)¹ to develop a set of internal audit standards applicable to all areas of the UK public sector based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) - ‘the Public Sector Internal Audit Standards’ (PSIAS) as set out below:

¹ The Relevant Internal Audit Standard Setters are: HM Treasury in respect of central government; the Scottish Government, the Department of Finance and Personnel Northern Ireland and the Welsh Government in respect of central government and the health sector in their administrations; the Department of Health in respect of the health sector in England (excluding Foundation Trusts); and the Chartered Institute of Public Finance and Accountancy in respect of local government across the UK.

1.4 The IIA Standards are reproduced intact in the PSIAS and public sector requirements and interpretations have been included where the RIASS have concluded that additional public sector-specific detail is needed.

1.5 To advise them on the development and maintenance of PSIAS the RIASS have established the Internal Audit Standards Advisory Board (IASAB).

1.6 It is currently proposed that PSIAS will come into force from 1 April 2013 for all sectors, and together with the work of the IASAB, they will provide a:

• coherent and consistent public sector internal audit framework

• coordinated update process, and

• public sector voice in IIA standard setting.

2. Local Government Application Note

2.1 The Local Government Application Note has been developed by CIPFA primarily to provide guidance to local government organisations that previously fell within the remit of the CIPFA Code of Practice for Internal Audit in Local Government in the UK. However, it has been written so that much of the guidance contained within should be useful and of interest to internal auditors in other parts of the public sector.

2.2 It provides further explanation to the PSIAS and practical guidance on how to apply the Standards, but only where it has been deemed necessary. Please be aware that a full conformance checklist will be included with the final published version of the Application Note.

2.3 As part of the consultation process, CIPFA would welcome feedback on whether the guidance included in the Application Note is helpful, accurate and appropriate. We would also appreciate suggestions on whether there are any areas of the PSIAS where more guidance would be valued.

3. The consultation process

3.1 CIPFA is seeking responses on the detail of the Local Government Application Note. Three consultation questions have been set out in the next section and CIPFA would appreciate it if respondents support comments with clear reasons and, where applicable, suggestions or preferred alternatives.

3.2 Responses to this ITC will be regarded as on the public record unless confidentiality is specifically requested. CIPFA will collate and analyse the consultation responses and the CIPFA Audit Panel will review this analysis in full, together with copies of all correspondence.

3.4 We would be grateful if respondents could use the boxes underneath the questions in the next section of this ITC to respond to the consultation as this will assist the subsequent analysis.

3.5 Please note that there is a separate consultation on the PSIAS which is open until 14 September. The draft PSIAS and Invitation to Comment can be found here: http://www.cipfa.org/Policy-and-Guidance/Consultations/Public-Sector-Internal-Audit-Standards

3.6 Responses are required by 1 October 2012 and should be sent to:

Keeley Lund
Policy and Technical Directorate
CIPFA
3 Robert Street
London WC2N 6RL

E-mail: [email protected]


Consultation questions

Please respond to the following questions in the boxes below.

Question 1

Is the guidance included in the Application Note helpful, accurate and appropriate? If not, please specify why.

Question 2

Are there any areas of the PSIAS where you would welcome further guidance? In particular, please consider the following areas:

a. Providing examples and/or expanding the guidance on how to define the ‘board’.

b. Definition of Internal Auditing

c. Code of Ethics

Question 3

Are there any areas of the PSIAS on which CIPFA could usefully provide training for local government internal auditors?

Local Government Application Note

For the UK Public Sector Internal Audit Standards

Table of Contents

Introduction

Attribute Standards

Purpose, Authority and Responsibility

Independence and Objectivity

Proficiency and Due Professional Care

Quality Assurance and Improvement Programme

Performance Standards

Managing the Internal Audit Activity

Nature of Work

Engagement Planning

Performing the Engagement

Communicating Results

Monitoring Progress

Checklist for Conformance with the Standards

Introduction

CIPFA believes that a professional, independent and objective internal audit service is one of the key elements of good governance.

This document is therefore addressed to board and audit committee members, heads of internal audit, internal auditors, external auditors and other stakeholders such as chief financial officers and chief executives.

The UK Public Sector Internal Audit Standards

The Relevant Internal Audit Standard Setters¹ have adopted a common set of Public Sector Internal Audit Standards (PSIAS) from 1 April 2013. The PSIAS are based on the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) as follows:

Definition of Internal Auditing

Code of Ethics, and

International Standards for the Professional Practice of Internal Auditing (including interpretations and glossary) as set out below:

¹ The Relevant Internal Audit Standard Setters are: HM Treasury in respect of central government; the Scottish Government, the Department of Finance and Personnel Northern Ireland and the Welsh Government in respect of central government and the health sector in their administrations; the Department of Health in respect of the health sector in England (excluding Foundation Trusts); and the Chartered Institute of Public Finance and Accountancy in respect of local government across the UK.

The PSIAS apply to all public sector internal audit service providers, whether in-house, shared services or outsourced.

The mandatory elements of the IPPF have been interpreted or adapted where necessary for the public sector to create the PSIAS. The IIA Standards are reproduced intact and public sector requirements and interpretations have been included where the RIASS have concluded that additional public sector-specific detail is needed.

The overarching principle borne in mind when all potential public sector interpretations and/or specific requirements were considered was that only the minimum number of additions should be made to the existing IIA Standards. It is important for internal auditors to note that interpretations to the PSIAS, whether within the original IIA Standards or additional public sector interpretations, are also mandatory and must be adhered to.

Scope and applicability of this Application Note

The Local Government Application Note has been developed by CIPFA primarily as sector-specific guidance to local government organisations that previously fell within the remit of the CIPFA Code of Practice for Internal Audit in Local Government in the UK.

These are identified in the PSIAS as local authorities, the Office of the Police & Crime Commissioner, constabularies, fire authorities, National Park authorities, joint committees and joint boards in the UK. The guidance also applies to Strathclyde Passenger Transport in Scotland.

However, the Application Note has been written so that much of the guidance contained within should be useful and of interest to internal auditors in other parts of the public sector.

It provides further explanation to the PSIAS and practical guidance on how to apply the Standards, but only where it has been deemed necessary. If internal auditors require further guidance that is not provided in this Application Note, they are advised to refer to other sources of assistance, for example CIPFA’s Tisonline service and the Better Governance Forum.

Key governance elements

Within the PSIAS, the term ‘board’ needs to be interpreted in the context of the governance arrangements within each individual organisation, as these arrangements vary in structure and terminology between sectors and from one organisation to the next within the same sector. This is especially true within local government, where the role of ‘the board’ can be fulfilled by the cabinet, full council, audit committee, Head of Paid Service, Chief Financial Officer, Chief Executive etc.

In this Application Note, it is still the responsibility of organisations to consider each instance of the term ‘board’ within the PSIAS and decide which committee or individual officer best fits the role in that situation.

Attribute Standards

Attribute Standards are those that apply to the organisations, for example local authorities, as well as to individual internal auditors who are providing the internal audit services in local government.

Purpose, Authority and Responsibility (covering Standards 1000 and 1010)

The term ‘internal audit charter’ is not well known within local government amongst non-IIA members. Traditionally, a local government internal audit activity (or function) would have a Terms of Reference² setting out the type of content described in Standard 1000 but would be far less likely to have a charter.

As noted in the Introduction, Interpretations in the PSIAS must also be treated as mandatory. The charter is therefore expected to:

define the scope of internal audit activities

establish the responsibilities and objectives of internal audit

establish the organisational independence of internal audit

establish the accountability, reporting lines and relationships between the chief audit executive (CAE) and:

the ‘board’ (for example, the audit committee or the Cabinet)

those to whom the CAE may report functionally

recognise that internal audit’s remit extends to the entire control environment of the organisation

establish internal audit’s right of access to all records, assets, personnel and premises, including those of partner organisations, and its authority to obtain such information and explanations as it considers necessary to fulfil its responsibilities.

The PSIAS add some additional requirements for the charter that should already be familiar to local government auditors, including:

the general arrangements for appointing staff and the skills required

the role (the scope and also limitations) of internal audit in any fraud-related work

the arrangements for avoiding conflicts of interest when carrying out non-audit activities, and

a definition of the term ‘board’ (for the purposes of internal audit activity) or more than one definition, where different committees or other such structures fit the role covered by ‘board’ in different Standards.

² Often this will be within the Constitution, or some parts may be included in a strategy.

In local government, the role of the ‘board’ may be satisfied by the audit committee, a scrutiny committee, the cabinet or even full council: it is the responsibility of CAEs and their organisations to decide which group or individual fulfils the definition in each Standard and document this in the internal audit charter.

In English local larger relevant authorities, as defined in section 2 of the Accounts and Audit (England) Regulations 2011, internal auditors must also identify internal audit’s contribution to the review of the effectiveness of the control environment, as set out in those Regulations.

Internal auditors should note that it may be that, with some amendments, an existing Terms of Reference can act as the charter for the purposes of the PSIAS. The CAE should assess whether it covers the points to be included under the PSIAS and make alterations as appropriate so that it fully addresses the areas raised in the PSIAS.

However, CAEs should also investigate the potential opportunity to make an impact in their organisation by drawing up a new internal audit charter.

Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the Internal Audit Charter

It is important to note that the mandatory internal audit Standards for local government in the UK are the Public Sector Internal Audit Standards (PSIAS), incorporating the Definition of Internal Auditing and the Code of Ethics as well as the Attribute and Performance Standards.

As stated in the PSIAS, if an individual internal auditor has membership of another professional body then he or she must also comply with the relevant requirements of that organisation, in terms of ethics and codes of conduct.

Independence and Objectivity (covering Standards 1100, 1110, 1111, 1120 and 1130)

Various aspects of independence and objectivity are covered in Standards 1100 to 1200, including the functional reporting lines of the CAE, the relationship between the CAE and the ‘board’ and any impairment to individual internal auditors’ objectivity or independence.

Independence

Bearing in mind the guidance set out in the Introduction to the PSIAS, it is up to individual local government organisations to consider carefully which committee or individual fulfils the role as delegated by Council (the board) throughout the Standards, but especially in this section.

Standard 1110 relates to the reporting level of the CAE. In local government, auditors will be familiar with the Head of Paid Service being responsible for ensuring the organisation has the right officers with the appropriate skills/competencies and consequently the appropriate remuneration to implement the policies of the Council as delegated by Council.

The Interpretation to Standard 1110 states that the board should approve the remuneration of the CAE – in local government this could be delegated by Council to the cabinet, audit committee or an officer. This will depend on the form of internal audit provision, for example whether it is an in-house service or is supplied by contractors or a partnership, and the identification of where the CAE is positioned.

In practice, remuneration decisions within individual organisations will depend on the arrangements and delegations from the Council.

There has been a long-standing discussion relating to the positioning of the CAE within local government, often specifically referring to the line management arrangements for that role. Standard 1110, and the public sector requirement, states clearly what is meant by 'functional' reporting of the CAE/internal audit activity and ensures that there is an inherent difference and separation from 'administrative' reporting, i.e. line management of the CAE. Again, this will be influenced by the form of the internal audit provision.

Essentially, functional reporting is that which enables the CAE to ensure that the internal audit activity fulfils its responsibilities. It is different to what is deemed to be administrative reporting, which relates to line management.

The PSIAS do not stipulate an administrative reporting line for local government. Generally, many CAEs are line-managed by the chief financial officer (CFO) within the sector and it is not the intention of the IASAB to alter this arrangement where it is working satisfactorily, although the CAE must not report to or be managed at a lower organisational level than the corporate management team.

However, it is clear in the PSIAS that the functional reporting line is key. The previous local government Code (the 2006 Code) set out that the CAE should have direct access to, and freedom to report in his or her own name and without fear or favour to, all officers and members and particularly to 'those charged with governance'. Standard 1000 expands on this, setting out the relationship between the CAE and the board and this may be a major change for some local government organisations, especially those who have traditionally reported functionally to the CFO as well as administratively.

The challenge for those organisations will be to:

ensure that the CAE's position in the management structure reflects the influence he or she has on the control environment

provide the CAE with sufficient status to facilitate the effective discussion of audit strategies, plans, reports and action plans with the board

get support to alter reporting arrangements, where necessary, without damaging the working relationship with the CFO.

It will be key to emphasise that the Standard is clear that the CAE must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities and reporting to the board is the generally accepted method of helping to ensure that organisational independence is attained.

This is underlined in Standard 1111 Direct Interaction with the Board.

Objectivity

Reference is provided in the public sector requirement to Standard 1120 to the Nolan Seven Principles of Public Life, which are those standards expected of all public servants, regardless of which sector they work in.

The PSIAS have a narrower definition of ‘conflict of interest’ than was previously set out in the 2006 Code: conflicts of interest, whether real or perceived, are something that should be avoided at all times whereas in the 2006 Code they were something that could be avoided or managed. Local government internal auditors must abide by the PSIAS, as in the other sectors, and therefore must be careful to note this more precise definition, particularly as Standard 1130 states that, even in situations where it only appears that impairment to objectivity or independence has occurred, ‘appropriate parties’ have to be informed (determined according to each situation).

Standard 1130 describes what constitutes an impairment to independence or objectivity. Internal auditors should also consider the following:

not accepting any gifts, hospitality, inducements or other benefits from employees, clients, suppliers or other third parties (other than as may be allowed by the organisation's own policies)

not using information obtained during the course of duties for personal gain

disclosing all material facts known to them which, if not disclosed, could distort their reports or conceal unlawful practice, subject to any confidentiality agreements, and

ensuring compliance with the Bribery Act 2010.

It is important to note that the Interpretation to 1130 also includes ‘restrictions on access to records, personnel and properties and resource limitations, such as funding’. Therefore, the PSIAS incorporate not only potential wrongdoing or other incorrect behaviour but also where impairments are imposed on the internal auditors from an outside influence.

Standards 1130.A1 and .A2 specifically refer to the situation which arises when either an internal auditor has previously had operational responsibilities or when the CAE has responsibilities for other functions and audits are required in those areas.

It is important to bear in mind that while relationships with management can enhance internal audit’s ability to achieve its objectives, these must not detract from internal audit’s responsibility to report control issues to management and the board.

Proficiency and Due Professional Care (covering Standards 1200, 1210, 1220 and 1230)

Much of the content in Standards 1200 and following should already be familiar to internal auditors in local government. In addition, reference should also be made to the Statement on the Role of the Head of Internal Audit (CIPFA, 2010), which also states that the CAE must be professionally qualified and suitably experienced.

The CAE should define the skills and competencies for each level of auditor and then periodically assess individual auditors against these predetermined skills and competencies. Any training or development needs that are identified should be included in an appropriate ongoing development programme that is recorded and regularly reviewed and monitored.

In addition, all internal auditors have a personal responsibility to undertake a programme of continuing professional development (CPD) to maintain and develop their competence. This may be fulfilled through requirements set by professional bodies, for example CIPFA’s approach to CPD, or the organisation’s own appraisal and development programme. Auditors should maintain a record of such professional training and development activities.

Quality Assurance and Improvement Programme (covering Standards 1300, 1310, 1311, 1312, 1320, 1321 and 1322)

Many local government internal auditors may not be familiar with the Quality Assurance and Improvement Programme (QAIP) as set out in the PSIAS. The QAIP has been designed by the IIA to assist in raising standards and applying this across the public sector will bring about consistency in improvement. However, implementing a QAIP in local government should not be an onerous task.

In summary, the Standards require the CAE to develop and maintain a QAIP to enable the internal audit activity to be assessed against the PSIAS (i.e. the Definition of Internal Auditing, the Code of Ethics and the Standards themselves) for conformance.

Standard 1310 is unequivocal in that a QAIP must include both internal and external assessments: internal assessments are both ongoing and periodical and external assessments must be undertaken at least once every five years.

Internal Assessments

The CAE should establish policies and procedures to guide staff in performing their duties and conform to the PSIAS. This may be done in various ways, which include maintaining an audit manual or through the use of electronic audit management systems. The policies and procedures should be regularly reviewed and updated to reflect changes in working practices and standards.

In order to ensure that audit work is carried out to a certain level of quality, the CAE should ensure that audit work is allocated to staff with the appropriate skills, experience and competence. The CAE also should ensure that internal audit staff at all levels are appropriately supervised and work is reviewed throughout all audits to monitor progress, assess quality and coach staff. The extent of supervision will depend on the competence and experience of the individual auditor.

Ongoing performance monitoring may also incorporate the following:

a comprehensive set of targets to measure performance, developed in consultation with appropriate parties. Performance measures should be included in any service level agreement. The CAE should measure, monitor and report appropriately on the progress against these targets

stakeholder feedback, and

an action plan to implement improvements (as the Interpretation to Standard 1300 states that the QAIP is also for assessing the efficiency and effectiveness of the internal audit activity and identifying areas for improvement).

These steps will assist the CAE in carrying out the ongoing monitoring of performance of the internal audit activity.

It is important to remember that the Accounts and Audit (England) Regulations 2011 paragraph 6(3) already requires larger relevant bodies to conduct a review of the effectiveness of its internal audit at least annually.

The results of the review set out in the Regulations may be amended to evaluate conformance with the PSIAS and hence be considered as a ‘periodic internal assessment’ under the Standards.

The periodic assessment may also review the activity against the strategy and the achievement of its aims and objectives. The results of this should inform the future strategy.

It should be noted that reference to the International Professional Practices Framework in Standard 1311 must be read as the Public Sector Internal Audit Standards in its entirety, together with this Application Note as guidance.

External Assessments

The requirement for an external assessment to be carried out at least once every five years may be satisfied by either arranging for a ‘full’ external assessment or by undertaking a self-assessment with ‘independent validation’.

Standard 1312 states that the CAE must discuss the format of the external assessments with the ‘board’ and therefore the CAE will have to consider the pros and cons for each type of external assessment before presenting the outcome of such a deliberation to the board. The CAE must also set out the qualifications and independence of the external assessor or assessment team and the PSIAS Interpretation goes into detail as to how an external assessor or assessment team actually demonstrates competence.

Practically, it is likely to be easier for the CAE of a local government organisation to carry out a self-assessment and then obtain an independent person or team to validate that self-assessment. It may be that a programme of peer reviews could be organised via regional audit groups, for example. However, it is crucial that the requirements set out in the PSIAS are met and that arrangements are put in place to avoid conflict of interest and impairment to objectivity.

Disclosure of Non-conformance

It is important to note that although the original IIA Standard 1322 only requires non-conformance with the PSIAS to be disclosed when it impacts the overall scope or operation of the internal audit activity, the additional public sector requirement states that all instances of non-conformance must be reported to the board. This is a stricter requirement for all public sector organisations and not just local government bodies.

Performance Standards

The Performance Standards are those that not only describe the nature of the internal audit services being provided, but also provide criteria against which the performance of an internal audit function can be measured.

Managing the Internal Audit Activity (covering Standards 2000, 2010, 2020, 2030, 2040, 2050, 2060 and 2070)

The internal audit service’s prime responsibility is to the organisation. However, public sector bodies operate through partnership arrangements with other organisations to achieve their mutual objectives. The internal audit service should therefore take into account the organisation’s need for assurance over the operation of such partnerships as well as its need for assurance over its own risks and controls. See also under ‘minimum level of coverage’.

Planning

The risk-based plan should be sufficiently flexible to reflect the changing risks and priorities of the organisation.

The original IIA Standards only mandate the periodic risk-based plan but the public sector interpretation states that an audit strategy may also be drawn up. This is the high-level statement of how the internal audit service will be delivered and developed in accordance with the terms of reference or charter and how it links to the organisational objectives and priorities. Individual organisations will need to consider the potential benefits of preparing a strategy together with the resources required to do so and decide for themselves whether a strategy is desirable.

If an organisation chooses to develop a strategy, it can be presented separately in its own right or integrated into an existing document, such as the business or service plan. It sets the context within which more detailed plans can be developed. The strategy should be kept up to date with the organisation and its changing priorities.

Minimum level of coverage

Risk assessment should not be seen as a way of determining the ‘minimum defensible level of audit’. Each organisation, irrespective of size, needs to form its own view about the level of audit coverage and the optimum resources to be devoted to internal audit. No formula exists that can be applied to determine the minimum level of coverage. Local factors within each organisation will determine the minimum level of coverage, for example the level of assurance provided by other providers. However, as a guide, the minimum level of coverage is the coverage required to give an annual evidence-based opinion.

The development of a risk-based audit plan will also have to consider the following factors:

the requirement to use specialists, e.g. IT or contract and procurement auditors

striking the right balance over the range of reviews needing to be delivered, for example systems and risk based reviews, specific key control testing, benchmarking exercises and/or value for money studies

allowing contingency time to undertake ad hoc reviews or fraud investigations as necessary

the time required to carry out the audit planning process effectively as well as regular reporting to and attendance of the board, the development of the annual report and the CAE opinion.

In local government, it is likely that some of the key risks of the organisation relate to work it is undertaking in partnership. Internal auditors are likely to need to provide assurance that the risks to the organisation of working in partnership are being appropriately managed and also that the risks relating to the partnership itself are being managed. This assurance may be available from work undertaken by others – perhaps other members of the partnership, or an external regulator – or internal auditors may need to obtain this directly for themselves.

In such cases, auditors will need to ensure that they obtain sufficient access to the partnership officers and records to provide the evidence for their work and conclusions. As required by Standard 2050, the CAE should also make arrangements to share information and coordinate their activities with partner organisations to ensure proper coverage and minimise duplication of effort.

It may be that the CAE is also required to provide assurance to those partnerships, but the risks of doing so will need to be managed effectively. The CAE must also have regard to the fact that their fundamental responsibility is to the management of their employing organisation or, if they are not employed by the authority, the body with which they have been engaged to provide internal audit services.

Communication and approval

In accordance with current best practice the audit committee should 'review and assess the annual internal audit work plan'3. The development of the audit plan is the responsibility of the chief audit executive after consultation with senior management and the board, and the board should therefore approve but not direct the audit plan.

Resource Management

'The audit committee should ensure that the function has the necessary resources and access to information to enable it to fulfil its mandate, and is equipped to perform in accordance with appropriate professional standards for internal auditors'. 4

3 Guidance on Audit Committees, FRC, 2010
4 Guidance on Audit Committees, FRC, 2010

Standard 2030 states that the CAE must ensure that internal audit resources are ‘effectively deployed’ to achieve the approved risk-based plan. As part of the resource management and planning process, audit work, and especially its timing, should be planned in conjunction with management to minimise abortive work and time unless, for example, this might be perceived as jeopardising the ‘challenge’ aspect of internal audit work or where unannounced visits are necessary.

The PSIAS require CAEs not only to explain in the internal audit charter how the internal audit resource requirements will be assessed, but also to bring to the attention of the board any consequences arising where the CAE believes that resource levels will impact on the provision of the annual audit opinion.

Once the planned work has been determined, this should be compared to resource availability and where there is an imbalance between the two, the board should be informed of proposed solutions. Significant matters that jeopardise the delivery of the plan or require changes to the plan should be identified, addressed and reported to the board.

Standard 2050 says that the risk-based plan, or the strategy, must set out the approach to be taken when using other sources of assurance and this is backed up by the public sector requirement to Standard 2010 that states the assurance framework must be taken into account in the plan.

This will entail mapping the assurances prior to the CAE determining whether internal audit staff will conduct the work to derive the required assurance themselves or rely on the assurances provided by other auditors or other assurance providers (for example, health and safety auditors/assessors). Assurance mapping may assist CAEs in this process.

Reporting to senior management and the board

In addition to the annual report (see Standard 2450), the CAE should make arrangements for interim reporting to the organisation in the course of the year. Such interim reports should address emerging issues in respect of the whole range of areas to be covered in the annual report and hence support a ‘no surprises’ approach, as well as assist management in the drafting of the annual governance statement. See below in 2400 for guidance on the public nature of local authority audit work.

In line with the government’s transparency agenda, internal audit reports should, by default, be considered to be in the public domain.

Nature of Work (covering Standards 2100, 2110, 2120 and 2130)

The PSIAS go into detail on the main areas to whose improvement the internal audit activity must contribute, i.e. governance, risk management and control. The internal audit activity in local government already assists management in informing the annual governance statement and Standard 2120 formalises some of the areas already undertaken.

It is important to note that 2110.A1 and 2110.A2 mandate the internal audit activity to focus on ethics and information technology governance of the organisation. However, it is important, especially for smaller organisations, to bear in mind the proportionality of this in conjunction with the risk-based planning process.

Engagement Planning (covering 2200, 2201, 2210, 2220, 2230 and 2240)

For each engagement, a brief should be prepared, discussed and agreed with relevant managers. The brief should establish the objectives, scope and timing for the assignment and its resource and reporting requirements. Audit work should be undertaken using a risk-based audit approach.

The public sector interpretation to Standard 2210.A3 acts as a reminder that engagement objectives in the public sector should, where appropriate, include value for money criteria – economy, efficiency and effectiveness. This can also include the use of the organisation’s resources such as money, people and assets.

Performing the Engagement (covering 2300, 2310, 2320, 2330 and 2340)

The primary responsibility for the prevention and detection of fraud lies with management, who are also responsible for the management of fraud risks. In support of this, internal auditors must be alert to the possibility of intentional wrongdoing, errors and omissions, poor value for money, failure to comply with management policy and conflicts of interest when performing their individual audits. They must also have sufficient knowledge to identify indicators that fraud or corruption may have been committed.

At each stage of the audit, auditors should consider what specific work needs to be conducted and evidence gathered to achieve the engagement objectives and support an independent and objective audit opinion.

The CAE must have systems in place to ensure that auditors obtain and record sufficient evidence to support their conclusions, professional judgements and recommendations. Working papers must always be sufficiently complete and detailed to enable an experienced internal auditor with no previous connection with the audit to ascertain what work was performed, to re-perform it if necessary and to support the conclusions reached.

The CAE must also specify how long all audit documentation should be retained, whether held on paper or electronically, while having regard to organisational policy and statutory requirements. He or she should control access to audit documents and should, before releasing them to third parties, obtain the approval of the relevant management.

All audit work should be subject to an appropriate internal quality review process. The CAE must specify the required standard of internal audit documentation and working papers and, through review processes, ensure that those standards are met.

Communicating Results (covering 2400, 2410, 2420, 2421, 2430, 2431, 2440 and 2450)

In local government, internal auditors operate in the public domain. There will be a variety of external interests in their work, from the organisation's partners in the voluntary sector and other parts of the public sector, to the general public and the 'armchair auditors' the government expects to scrutinise local government activities. Whilst the Data Protection Act protects specific information about individuals, the Freedom of Information Act obliges internal auditors to manage their activities in the expectation that their work will become public knowledge and could be scrutinised by anyone with an interest in doing so.

In addition to the requirements set out in the PSIAS, internal auditors must disclose all material facts known to them which, if not disclosed, could distort their reports or conceal unlawful practice, subject to confidentiality requirements.

The basic aims of every internal audit report should be to:

give an opinion on the risk and controls of the area under review, building up to the annual opinion on the control environment

prompt management to implement the agreed actions for change leading to improvement in the control environment and performance, and

provide a formal record of points arising from the audit and, where appropriate, of agreements reached with management, together with appropriate timescales.

Each report should include the scope and purpose of the audit to help the reader to understand the extent, or limitations, of the assurance provided by the report.

During the course of the audit, key issues should be brought to the attention of the relevant manager to enable them to take corrective action and to avoid surprises at the closure stage. Before issuing the final report, the internal auditor should normally discuss the contents with the appropriate levels of management to confirm the factual accuracy, to seek comments and to confirm the agreed management actions. A draft report is useful for this purpose.

Recommendations should be prioritised according to risk. The recommendations and the resultant management action plans should be agreed prior to the issue of the final report. Any areas of disagreement between the internal auditor and management that cannot be resolved by discussion should be recorded in the action plan and the residual risk highlighted. Those weaknesses giving rise to significant risks that are not agreed should be brought to the attention of a more senior level of management and the board.

The CAE should determine the circulation of audit reports within the organisation, having due regard to their confidentiality and legislative requirements. The recipients of the audit report, i.e. those that have the authority to agree management actions, should be determined when preparing the engagement plan. Internal audit should normally obtain the consent of management, and vice versa, before reports are issued to third parties.

Mechanisms should be in place to ensure that recommendations with a wider impact than the area under review are reported to the right forum and also to ensure that risk registers are updated.

Overall Opinions

The CAE must provide an annual report to the board timed to support the annual governance statement. This must include:

an annual internal audit opinion on the overall adequacy and effectiveness of the organisation’s governance, risk and control environment

a summary of the audit work from which the opinion is derived (including reliance placed on work by other assurance bodies), and

a comment on conformance with the PSIAS and the results of the internal audit quality assurance and improvement programme.

It should also include:

disclosure of any qualifications to that opinion, together with the reasons for the qualification

disclosure of any impairments (‘in fact or appearance’) or restriction in scope

a comparison of the work actually undertaken with the work that was planned and a summary of the performance of the internal audit function against its performance measures and targets, and

any issues the CAE judges particularly relevant to the preparation of the annual governance statement

progress against any improvement plans resulting from QAIP external assessment.

Monitoring Progress (covering Standard 2500)

The PSIAS place the responsibility on the CAE to ensure that management actions have been effectively implemented or, if not, that senior management have accepted the risk of not taking action.

The CAE must implement a follow-up process for ensuring the effective implementation of audit results or ensuring senior management are aware of the consequences of not implementing an action point and are prepared to accept the risk of such consequences occurring. The results of this process should be communicated to the Board.

The CAE should develop escalation procedures for cases where agreed actions have not been effectively implemented by the date agreed. These procedures should ensure that the risks of not taking action have been understood and accepted at a sufficiently senior management level.

The findings of audits and follow-up reviews should inform the planning of future audit work.

CHECKLIST FOR CONFORMANCE WITH THE STANDARDS

[Under development – to be included in the published version]

Agenda Item 17

Committee(s): Audit & Risk Management Committee
Date(s): 20th September 2012
Item no.:

Subject: Public Health & Safety Management Systems
Report of: Director of HR
For Information

Summary

At the March meeting, this Committee reviewed the Strategic Risk relating to Health and Safety (H&S) and asked for a report back on the policy and framework and how this is working and providing assurance, and for it to cover appropriate levels of ownership within service committees.

This report sets out recent progress, the current position and plans for the future. Taking all the elements of the H&S policy and systems together, effective implementation will ensure compliance with H&S requirements. The improvement activities are focused on facilitating effective systems, implementation and monitoring.

Recommendations

• The Committee is asked to note the report and endorse the overall improvements to the H&S framework.

Main Report

Background

1. At the March meeting, this Committee reviewed the Strategic Risk relating to H&S and asked for a report back on the policy and framework and how this is working and providing assurance, and for it to cover appropriate levels of ownership within service committees. This report aims to do this and sets out the City Corporation’s framework for dealing with H&S matters, explains where we are at and what improvement action we have planned for the future.

2. The City Corporation has had a H&S policy and associated management systems in place for a number of years. In 2010, the Deputy Town Clerk commissioned a strategic H&S gap audit in order to “take stock” of the position with regards to whether the systems were fit for purpose and how H&S was being managed throughout the organisation.

3. The audit identified some areas of good practice, both at departmental level and in terms of corporate systems, and also made some recommendations for improvement. This report sets out the systems currently in place to deliver effective safety management and further planned improvements to allow for active improvement in the level of corporate compliance and accountability.

Current Position 4. The Gap Audit recommended improvement activity in relation to: i. Clearer articulation of responsibilities and better structuring of H&S polices and guidance, along with providing easier access to them to encourage active use ii. Improving the efficacy of monitoring through a more efficient accident recording system, clear measures of performance, and associated risk related auditing iii. Targeting H&S training to ensure maximum benefit and general awareness raising of H&S issues and management

5. We have set about introducing these improvements in the context of the principles of sensible risk management. In other words, we are trying to ensure that the City Corporation does not take H&S to extreme lengths but ensures so far as is reasonably practicable compliance with its statutory requirements. It is intended that the City Corporation follow the ‘sensible risk management’ approach, which is about:-

• Ensuring that employees and the public are properly protected
• Ensuring that those who create risks understand that a failure to manage these risks responsibly is likely to have serious consequences and can lead to robust action
• Enabling individuals to understand that as well as the right to protection, they also have to exercise responsibility

6. Sensible risk management is not about creating a totally risk free environment, stopping business activities, generating unnecessary paperwork, or spending large amounts of resource where it is not justified.

7. In order to foster a positive safety culture, safety must be seen as reasonable and balanced against risk. We are endeavouring to position safety as a proactive and supportive corporate mechanism to the overall business.

Safety Management Systems

8. City systems follow the model provided by the Health and Safety Executive (HSE) in their guidance note HSG 65, ‘Successful Health and Safety Management’. The essential features are summarised as follows:

• Policy
• The Organisation to carry it into effect (organisational arrangements)
• Planning/Implementation
• Measuring Performance/Auditing/Checking and Corrective Action
• Review of Performance and Feedback

The following sections set out the improvement actions we are taking in each area.

Policy

9. A revised H&S policy has been drafted which more clearly sets out the expectations of the organisation and provides more direction to departments on the implementation of an effective framework from which to manage safety. It also encourages active engagement and accountability throughout the organisation. This policy is going through consultation and will go to Chief Officer Group (COG) and Establishment Committee (which has H&S within its remit) this autumn.

Organisational Arrangements

10. Organisational responsibility and accountability are set out clearly in the revised policy and there are a number of levels at which H&S is discussed, reviewed and monitored already. This section outlines the organisational arrangements in more detail.

Members Decisions

11. There is a collective responsibility in H&S legislation for providing leadership and direction, which means that all members and in particular those taking relevant decisions as members of committees have a responsibility for ensuring H&S within the City Corporation. Effective management of H&S is more likely to be achieved where all elected members have a proper understanding of the risks, the systems in place for managing these risks and an appreciation of the causes of any failures.

12. The revised H&S Policy adequately reflects the strategic role of members. Subsequently, committees need to ensure they fulfil their responsibilities. The revised Policy will highlight the responsibility of members to consider the impact of their decisions upon H&S and also to consider how they proactively encourage their service areas to manage H&S effectively. Guidance is being prepared by the corporate H&S team to inform members about how to consider the impact of their decisions (in a safety context).

The Town Clerk and Chief Officers Group (COG)

13. The Town Clerk and Chief Executive, in his role as Head of Paid Service, must undertake to ensure appropriate and effective systems are in place to monitor compliance with H&S. The improvement activities and audit regime are designed to ensure we have this in place. This responsibility is shared with the COG which has a collective responsibility under Corporate Manslaughter legislation.

14. Departmental responsibility is delegated to Chief Officers and through them to their Management Teams. As part of the improvement activity, Chief Officers were asked to appoint a lead officer to coordinate and monitor H&S activities within their departments and report to the senior management team. The cross departmental group of leads is now trained to ensure competency and is actively involved in identifying and managing operational H&S issues.

Health & Safety Committee

15. The Committee is an officer/employee representative committee. The Committee’s function is to monitor, advise, direct and make recommendations to COG on matters relating to the overall management of health, safety and welfare throughout the organisation. The Committee meets twice a year (and in between if required).

16. The Committee allows the City Corporation to comply with the requirements of the Safety Representatives and Safety Committee Regulations 1977 (as modified by the Management of Health & Safety at Work Regulations 1992) and the Health & Safety (Consultation with Employees) Regulations 1996.

17. The Committee can delegate appropriate business to managers and/or safety groups departmentally and can require reports of any outcomes. The Committee also receives reports on the meetings of departmental safety groups (all departments are required to have one) to ensure corporate oversight and dissemination of issues raised within one service area or externally where these may have implications for other City Corporation service areas.

Planning & Implementation

18. H&S has been aligned with the Business Planning Process and there has also been work to ensure that it complements the overall risk management process. Top X reports are included as part of the normal business planning process and are now required by the business planning framework.

19. Top X is the safety risk management system in use. Please see the separate report to the Audit and Risk Management Committee on this system for more detail. The aim of Top X is to identify significant risks, escalate them to an appropriate level, and prompt the development of action plans to minimise their impact. Corporate level Top X issues will be reported to COG regularly for review and are already pro-actively monitored by the H&S Committee which reviews the Top X scoring and progress in managing the issues every 6 months.

20. There has been a major project as part of the improvement plan to update, and make much more accessible, H&S guidance and information via the new intranet site. This has improved the availability and use of information and has reduced duplication at local level. The revised policy and associated guidance once approved and implemented, will ensure a consistent and evidence based process for the development, ratification and distribution of future H&S strategies, policies, procedures and guidance. A staff newsletter covering H&S has been introduced and periodic events have been held to raise the profile of H&S and develop skills and knowledge of how to manage it. It is intended that the intranet site, along with the training and new systems in place, will make safety processes, systems and procedures more accessible and, therefore, more common place.

21. Legislation requires that employees must be given sufficient training to enable them to undertake their work safely and without risk to themselves or others. The City Corporation offers extensive training on a variety of safety topics run centrally and in support of departmental needs on corporate cross cutting issues.

22. The extent of training need is identified through the process of risk assessment and conducting a training needs analysis. As part of our improvement plan we have reviewed take up and utilisation of training. We are encouraging departments to make better use of trained staff and we have developed a module on H&S as part of the foundation programme for managers to ensure managers are trained on their responsibilities and provided with the basic skills and knowledge required, and this is being trialled in the autumn.

Measuring Performance/Auditing/Checking and Corrective Action

23. A new set of Performance Indicators (PIs) has been developed and was discussed at the last H&S Committee. They will now go to COG for approval in October. There are four lead (proactive) indicators and one lag (reactive) indicator. The PIs measure:

PI1: Organisational Arrangements
  1a Competence in department
  1b Local Effectiveness
PI2: Risk Management
PI3: Safety Compliance
PI4: Training
PI5: Accidents

The indicators will be audited and also be used to drive improvement and compliance activity.

24. The Certificate of Assurance (ACA) is an annual report from each Chief Officer to the Town Clerk. It provides an assurance that departments have a safety system in place and that they have carried out, through audit, an assurance process departmentally. Now the ACA process is embedded, planned improvement activity will focus on the top level review at COG and at H&S Committee and further scrutiny provided through audits carried out by the Corporate H&S team to improve or test consistency and reliability.

25. A new accident reporting system has been introduced to make it easier to report accidents and near misses, and to make the process more efficient. The information will then be used to analyse trends and take remedial action. We have also introduced a review process with the insurance section to ensure we identify and action issues arising from claims and also enable us to assist in managing claims more effectively and robustly.

26. On the back of the revised policy and PIs, a new auditing regime, carried out by the corporate H&S teams, is planned. This will audit general compliance and performance and also continue to focus some audits on key risks or themes identified from the TopX process, accident reporting process, etc. This approach has been introduced as part of our improvement plan and has resulted in a number of effective collaborations with departments and innovative solutions to identified risks.

Review of Performance and Feedback

27. Performance is reviewed through the ACA and Top X processes, and in future this will also be done through the PI mechanism. At officer level, this review is carried out on a day to day basis by the Corporate H&S teams, and more strategically by the H&S Committee and, in future, will be shared directly with COG. An annual report will be provided to the Establishment Committee, which has a remit for H&S matters, and the Audit and Risk Management Committee will be updated via the Strategic Risk Register. Feedback is provided to departments via the H&S Committee system and auditing process.

Conclusion

28. The City had a safety management structure which would allow the Corporation to demonstrate compliance if implemented at all levels; however, it required enhancement to make it work more effectively. A number of actions have been implemented and the next steps are to get the policy approved which brings all of these activities together, and begin the related auditing regime. (In terms of indicative timetable, the policy will be going through the relevant officer groups and Member committees from late Autumn. The audit regime will be planned in from April 2013, to allow departments time to review/implement the key aspects.)

29. The priorities for the City Corporation, once these final parts of the framework are in place, are about ensuring people understand their roles and actively participate in the daily operation of the system, training is accessed commensurate with levels of responsibility, and that there is continued communication about hazards and the effective management of them. This can be achieved with commitment and action at all levels.

30. The enhanced Policy and supporting systems set out in this report offer a means of providing the City with a more effective and assured safety management system that will reduce risks to employees and service users as well as safeguard the City against possible legal proceedings.

Contact: Oliver Sanandres | [email protected] | 0207 332 3307 Nicky Johnson | [email protected] | 0207 332 3148

Agenda Item 18

Committee(s): Audit & Risk Management Committee
Date(s): 20th Sept 2012
Item no.:

Subject: Health and Safety Top 10 Risk Register
Public

Report of: Director of HR
For Information

Summary

This report was requested in March for the September Committee meeting, when the Committee reviewed the Health and Safety (H&S) strategic risk as part of its work plan. The report sets out a brief introduction to the TopX risk management process and then focuses on the Top 10 H&S risks, identifying the nature and character of the risks, together with the mitigating actions agreed and progress to date.

Recommendations

• The Committee receives the report

Main Report

Background

1.1 The Top X system is a corporate H&S risk management tool that has been in place at the City Corporation for some time. It is designed to allow proactive management of safety risks and corporate overview of the main risks. It is key to successfully embedding effective H&S risk management within the organisation.

The TopX System

2.1 Departmental managers must carry out risk assessments and maintain safety risk registers for the services they are delivering. Once identified, risks must be analysed based on level of risk, likelihood and consequence and actively managed until they have reached the stage where all reasonably required practicable controls are in place and the risk is tolerated. Where local management are not able to tolerate and/or are unable to control a risk, it must be placed on their Top X register. This is passed up the management structure for resolution. The risk is escalated within the department and ultimately corporately, if required, until it can be managed.

2.2 There are various levels of scrutiny and monitoring. This is a key feature of Top X as it allows a depth of assurance that key uncontrolled risks will be picked up and managed where necessary. This makes it a “living” and meaningful process.

2.3 Twice a year formal returns are made by departments into the central H&S team in Human Resources. The action plans, controls and tolerances are critically analysed which allows them to be ranked according to risk. These are then compiled into a corporate summary (Top X register) of the risks in all departments that potentially carry a corporate impact.

2.4 The summary is presented to the H&S Committee (a senior officer and employee representative group which meets twice a year in May and November to consider H&S risks and activities at a corporate level) who can review, examine and initiate work streams as necessary to ensure safety risks are proactively managed or tolerated. Chief Officer Group (COG) will also have regular visibility of this list and be able to track progress. Immediate action is taken by the corporate safety team as new risks are identified.

2.5 See Appendix A for the current corporate safety risk register. The information is tabulated for ease of reference and allows each risk’s movement to be tracked from one reporting period to the next, depending on the controls implemented by the department. It also presents the overall risk factor and severity through the use of a quantitative scoring system and a colour coding for the risk tolerance.

2.6 It is important to note that the TopX H&S process mirrors the risk management framework as per the Risk Management Handbook. Some of the mechanisms differ due to the specific nature of safety and the clear legislative drivers behind issues, but as a process it provides a corporate consistency to our overall risk management processes, and has resulted in the mitigation of a number of complex risks; please see paragraph 3.1 iii and x for some examples.

Current Top 10 Corporate Risks

3.1 This sets out the risks as at the last review in May 2012 (next one due November 2012). All the risks have the potential for serious harm. Many of the risks have been controlled and are due to come off the list at the next review (noted below and in Appendix A).

Fire Risk in Buildings

i. This was a dynamic risk identified within Community and Children’s Services as a result of maintenance work which identified poor quality contractor work in a particular residential block. An emergency work programme was put in place to rectify the issues, which has been completed and has received formal sign off by the relevant Local Authority Building Control Officer. A separate risk, in the same residential block, was identified in that the wireless alarm system had “wireless blind spots”. This matter has been resolved, with a further recommendation that, when the alarm system is replaced in the spring of 2013, this be done with a “hard wired” rather than a “wireless” system.

Reservoir Works

ii. This risk covers the works required to large retained water bodies across all Open Spaces; most particularly but not exclusively Hampstead Heath and Epping Forest. The Hampstead Heath flood and water quality project is an element of this risk. It covers issues such as the danger of overtopping, dam failure and flooding; resulting in destruction of property, serious injury or deaths. This requires input at the corporate level with control of contractors and community and stakeholder consultation and engagement. Stakeholder consultations have commenced at both Epping and Hampstead. Committee authorisation has been obtained for the appointment of specialist consultants and design teams. For Hampstead, appointments will be finalised in October, presentations by potential Strategic Landscape Architects have been made to the stakeholders and further investigations regarding other potentially affected landowners are on-going.

Fire and Evacuation

iii. This risk was identified by the Barbican Centre. With the redundancy of the fire safety team, a new process needed to be introduced before their departure to effectively manage fire evacuations. A new process has been agreed and customer experience staff trained. A test exercise was successfully carried out. The Customer Experience Team are now fully operational and directly managing the Fire Safety Systems for the Centre and Exhibition Halls. The last part of the process was completed mid-August. Monitoring of performances, activations, on-going training and drills will continue by the Customer Experience Management Team supported by the Centre's Fire Management Team. This risk will now come off the Corporate Top X.

Fire Risk in Residential Blocks

iv. This was a proactive review by Community and Children’s Services of fire risk based on incidents in other authorities. There were no issues identified. This risk will now come off the Corporate Top X.

Building Maintenance

v. Identified by the City Surveyor’s Department, this risk focuses on ensuring contractors are competent and complying with legal requirements. The department have now engaged 2 main contractors for Building Repairs and Lift Maintenance, replacing our existing 350+ contractors. They are also putting in place Frameworks to cover projects and construction which will have pre-vetted suppliers. This has reduced the risk of ensuring our contractors are competent in complying with legal requirements. Those specialist contractors, projects and construction that fall outside of pre-vetted instructions will be included in a new policy that will include vetting procedure and the control of contractors for day to day on site management, including the following: permits to work, risk assessments, method statements, and safe working. The policy is due to be published at the beginning of October.

Police H&S Risk

vi. The City Police identified a risk which is covered by an appendix in the non-public agenda.

Work at Heights

vii. This risk was identified by the Markets and Consumer Protection department. It relates to maintenance, installation and general repairs using ladders, portable towers etc. and roof working. Control measures agreed include ensuring that safety lines are repainted and investigation of a safety system for the roof of one market, ensuring that all contractors comply with the requirements of permits to work, rescue plans completed where required and 2 person working for all high risk work. This is currently being managed and risk-reduced across the department and we believe that these measures now mean that, although it remains a risk, all reasonable measures have been taken.

Event Management

viii. This matter was raised by Remembrancer’s and covered a range of potential scenarios including breaches of security, food hygiene issues, inadequate 3rd party risk assessments and improper evacuation of guests and staff at events. Mitigating actions include liaising with the Security Superintendent and risk assessing all events, raising awareness of evacuation procedures and providing additional training where necessary, ensuring Environmental Services continue with rigorous checks of caterers, and developing a checklist for outside venues. There has been a recent review of evacuation procedures and a protocol has been developed with Surveyor's (who lead) which has resolved the issue.

Fire at Buildings

ix. This was identified as a risk by the City Police (CoLP) in relation to a number of potential fire hazards across the Force estate. A fire safety audit and risk assessments for CoLP buildings have been completed and all recommendations have been actioned. All officers and staff are required to undertake fire safety training and compliance is monitored at Directorate and Force H&S meetings. Since March 2012 an additional 47 staff have completed this training. There is weekly testing of fire alarms and Directorates conduct local H&S inspections which include checks on fire safety equipment. The fire alarm system at Snow Hill has been upgraded with new control panel, sensors and strobe lighting as an alternative warning mechanism for deaf staff members. Installation of new power cables for the Command and Control Room at Wood Street has been completed which has allowed further shut down and testing of electrical systems to be undertaken.

Traffic Management

x. This was a risk identified by the Markets and Consumer Protection department. It relates to the movement of cars, lorries and Fork Lift Trucks (FLTs) in common parts. A number of agreed actions include: a review of signage and lighting, regular maintenance of pedestrian walkway and road markings, enforcement of site speed limits, a review and enforcement of a new FLT penalty point scheme, assisting the tenants in developing safer unloading practices and engaging them to ensure they meet their H&S responsibilities, and proposal of traffic calming measures. The FLT strategy was signed off as effective by the HSE (Health and Safety Executive) at Spitalfields when reviewed as part of an investigation. This risk will now come off the Corporate Top X.

4. Conclusion

4.1 The Top X register gives the City Corporation a mechanism for safety risk management at all levels, and has been used to good effect. It allows the City Corporation to demonstrate a proactive process to complement the wider safety management system and practically helps to ensure that foreseeable risks do not go unmanaged. Importantly it sends a strong message on safety leadership throughout the organisation and helps to foster a positive safety culture whilst demonstrating proactive safety management at the senior corporate management level.

Appendices

Appendix A – The Corporate Safety Risk Register - May 2012

Contact: Oliver Sanandres | [email protected] | 0207 332 3307 Nicky Johnson | [email protected] | 0207 332 3148

Appendix A - Corporate Top 10 Risk Register - as at May 2012

Columns: Top X Risk and Owning Department; Movement from last Top X; Nov-10; May-11; Nov-11; May-12; Remarks

Fire Risk in Buildings (Isledon House) (Community and Children's Services): R, R52, R46. Remarks: Has been controlled since the last committee
Reservoir Works (contractors and processes) - Open Spaces: NEW, A, A46
Fire & Evacuation - Barbican Centre: G, 40, A34, A50, G44
Fire Risk in Residential Blocks - Community and Children's Services: G, R39, G39, G39
Building Maintenance - City Surveyors: A, R38, A38, A38
Communications Issue - City Police: G, A37, G37
Work at Heights - Markets and Consumer Protection: A, 38, A34, A34, A34
Event Management - Remembrancers: A, 31, A31, A31, A31
Fire at buildings - City Police: G, A31, G31, G31
Traffic Management - Markets and Consumer Protection: G, 45, G35, G30, G30

Key: Numerical figure = Gross Risk (Max score = 60. Scored against 6 factors on a range from 1 - 10; 1 being low risk, 10 being high. The 6 factors are Severity of Injury, Number of People Injured, Confidence in Controls, Defined Standards of Compliance, and Topicality)

Grey shading = Established and on-going controls in place - to fall off register at next Committee

Traffic Lights
Red - Uncontrolled/Intolerable risk remains
Amber - Controls in process of being established, intolerable risk
Green - Controls in place. Controlled and tolerable

Agenda Item 19

Committee(s) and Date(s):
Planning and Transportation Committee, 12 June 2012
Audit and Risk Management Committee, 20 September 2012

Subject: Changes to Planning process under the Localism Act 2011
Public

Report of: Comptroller & City Solicitor and Director of Built Environment
For Information

Summary

Members are asked to note the changes to legislation and to internal arrangements in respect of the Planning process under the Localism Act 2011.

Recommendation: To receive this report.

Main Report

Background

1. The Localism Act 2011 (“the Act”) received Royal Assent on 15 November 2011. The Remembrancer reported to Policy and Resources Committee in January 2012 on key provisions of relevance to the City, and indicated in his report that a separate more detailed report would be prepared for your Committee as the regulations containing details of the new provisions were issued. That is now largely the case, although some remain to be made before the related provisions can be brought into force.

2. This report updates your Committee in more detail on changes to the Planning process introduced by Part 6 of the Act (and clarification of “pre-determination” in section 25 of the Act). The report also advises of changes to internal arrangements to ensure they are consistent with the Localism agenda. Changes specifically affecting the Local Development Framework (“LDF”) are described in more detail in a separate report to your Committee on the LDF timetable.

Statutory Provisions

3. These are summarised in Appendix 1.

Internal Arrangements

4. The City already has arrangements in place which will ensure it can comply with the letter and spirit of most of the new requirements. For example, requirements regarding the publication of certain information to the public (e.g. local development schemes and local development policies pursuant to section 111 and 113 of the Act) are already being met as part of a wider strategy to publish and make available as much information as possible electronically. All documents relating to the LDF and monitoring of it are already available on the City’s web pages.

5. In addition, some requirements relating to the “Neighbourhood Planning” initiatives in the Act may become relevant if there is local interest in them. These might include the designation of Neighbourhood Forums, the requirement to provide technical advice and support to Neighbourhood Forums seeking to draw up Neighbourhood Plans, proposals for Neighbourhood Development Orders or Community Right to Build Orders. It is too early to know their relevance to the circumstances of the City and it is not therefore proposed to make any specific changes to internal arrangements or resource allocation until the implications for the City, if any, become clearer. It is proposed to report further on neighbourhood planning before the recess. The Act also strengthens planning enforcement powers.

6. However, the new provisions have required immediate adjustment to the day to day work of the local planning authority, namely the Pre-application consultation. The new requirement for developers to undertake Pre-application consultation for schemes above a certain threshold (Section 122 of the Act) will have greater implications in the City than in many other authorities, because a significant number of applications in the City relate to applications within the likely threshold. Government consultation indicates that this is likely to be set at 200 dwellings or 10,000 square metres, which would capture a large number of development proposals in the City.

7. The requirement is on developers rather than on the City as local planning authority to undertake pre-application consultation. There is no detailed guidance or regulations at present to indicate how this should be carried out, only a broad requirement that applicants must “publicise proposals in such manner as they reasonably consider likely to bring the application to the attention of the majority of persons who live or occupy premises in the vicinity”. The local planning authority must be satisfied the requirement has been met before determining the application, and the developer is required to demonstrate what account has been taken of the views received. (The existing non-statutory basis for pre-application liaison between developers and the local planning authority remains unchanged as do the requirements for the local planning authority to advertise applications.) It is anticipated this will mean commercial occupiers in particular will have greater involvement in schemes at an earlier stage (in that developers have for a long time been encouraged to involve residential occupiers at an early stage).

8. Adjustments to existing practice have been anticipated in order to accommodate the formal involvement of local stakeholders at an earlier stage, and the opportunity provided to consultees for “collaborative design”. The Government’s “Plain English Guide to the Localism Act” (November 2011) states that “To further strengthen the role of local communities in planning, the Act introduces a new requirement for developers to consult local communities before submitting planning applications for certain developments. This gives local people a chance to comment when there is still a genuine scope to make changes to proposals”.

9. To give effect to these aims internal arrangements have been reviewed to ensure that:

9.1 Information about pre-application discussions between the developer and the local planning authority is accessible to local stakeholders who may require it to inform their responses to pre-application consultation (subject to Freedom of Information exemptions such as those relating to commercial interests). 9.2 Local planning authority input into its pre-application meetings with developers includes advice as appropriate from key departments and disciplines whose areas are likely to be affected by the proposals, for example, transportation expertise regarding traffic issues and environmental health expertise regarding potential noise issues. This should ensure that key considerations are available to both the developer and the local community consultees at an appropriate stage. 9.3 It is made clear to prospective applicants that any advice given by officers to developers during pre-application discussions is subject to any planning considerations which may emerge during the pre-application community consultation.

10. The involvement of relevant disciplines in pre-application discussions is already in place. The minuting and filing (on publicly accessible planning files) of non- exempt pre-application meetings and correspondence has been strengthened in preparation for the introduction of the new provisions. The caveats regarding pre-application advice being subject to Freedom of Information, and not pre- judging the outcome of any application, which currently appear on Pre- application Meeting Request Forms, will be strengthened to take account of, and refer to, the new pre-application community consultation requirement.

11. These adjustments respond to the new pre-application community consultation provisions, and the spirit of the Localism Agenda, particularly the aim that full community engagement and collaboration should start at an early stage while there is still “genuine scope to make changes to proposals”. The measures also respond to certain stakeholder feedback provided before the introduction of the changes, which echoed the issues and concerns that the Localism Agenda and above adjustments aim to address. (However, these requirements only apply to certain major schemes. On others developers can only be encouraged to engage with the local community at an early stage.)

12. The Localism Act introduces provisions beyond the planning authority role which apply to all its local authority functions concerning clarification of the “pre-determination” restriction, and changes to local Standards arrangements, including the Code of Conduct. These matters are being reported to the Standards Committee shortly, and will also affect the conduct of Planning Committee. Once new arrangements have been adopted by the Standards Committee it is intended to update the Planning Protocol, and that will be reported to your Committee in due course.

Conclusion

13. Members are asked to note the changes to the planning process introduced by the Localism Act 2011 as highlighted in this report.

Contact: Deborah Cluett 020 7332 1677

Annie Hampson 0207 332 1715

APPENDIX LOCALISM ACT 2011

The table below summarises the key provisions of the Localism Act which gained Royal Assent on 15 November 2011.

1. Predetermination – Section 25
Commencement date: 15 January 2012
The Act aims to clarify the rule on predetermination. The provisions make it clear that councillors have a right to have a preliminary view and can freely discuss and publicise their view and voting intentions as they see fit. However, this is on the basis that councillors must be prepared to listen to all of the arguments and evidence before making their decision.

2. Planning: Plans and Strategies – Part 6 – Section 109
The underlying legislation which established regional strategies was repealed on 15 November 2011; the provision giving the Secretary of State the power to abolish the strategies themselves also came into force on the same date.
Regional Spatial Strategies are to be abolished and Councils are to be given greater flexibility in relation to the statutory examination of their development plans.

3. Planning: Local Development Schemes – Section 111 and Part 17 Schedule 25
Commencement date: 15 January 2012
This introduces a requirement for Local Authorities to publish up to date information direct to the public on local development schemes and removes the requirement to submit such schemes to the Secretary of State.

4. Planning: Development Plan Documents – Section 112
Commencement date: 15 January 2012
Introduces a new requirement that when considering a development plan document, the planning inspector must recommend adoption where it would be reasonable to conclude that the document satisfies statutory requirements and can be considered sound. The strict requirement that local planning authorities must implement the inspector's recommendations is removed and local planning authorities are given the power to withdraw a development plan document at any time before its adoption.

5. Planning: Information about local development schemes – Section 113
Commencement date: 15 January 2012
This section requires local authorities to publish information about the implementation of their local development schemes and local development policies direct to the public at least once yearly instead of sending a report to the Secretary of State.

6. Community Infrastructure Levy (CIL) – Section 114-115
Section 114 (the process of approval for charging schedules) commenced on 17 November 2011.
Reporting requirements in relation to the CIL (a charge for development) are reduced and the Secretary of State will have the power to require local authorities to pass CIL onto other bodies.

7. Neighbourhood Planning – Sections 116-121
The provisions allowing the Secretary of State to make regulations on the neighbourhood planning provisions before they are brought into force commenced on 15 November 2011; as did the provision allowing the Secretary of State to provide advice and assistance (including financial assistance) and in respect of allowing regulations to be made to provide for the imposition of charges by local authorities in relation to their neighbourhood planning functions.
The Act introduces a new right for communities to draw up a ‘neighbourhood development plan’. Areas that do not have a parish council can form a neighbourhood forum (with at least 21 members who can be residents and/or business occupiers) to decide on local planning issues. Local planning authorities will be required to provide technical advice and support as neighbourhoods draw up their plans.

8. Planning: Pre-application Consultation – Section 122
The part within Section 122 enabling the making of requirements in development orders about consultation in relation to applications for planning permission commenced on 15 November 2011.
Developers will be required to engage local communities in the pre-application consultation on major schemes (within a centrally determined threshold) and to show how they have been taken into account.

9. Planning Enforcement – Section 123
Local planning authorities will have the power to decline retrospective planning applications once an enforcement order has been served. The Act also creates a “Planning Enforcement Order” which will allow local authorities to take enforcement action against a planning breach even where the standard time limits have expired (if there has been concealment).

10. Nationally Significant Infrastructure Projects – Sections 128-142
National infrastructure decisions are transferred from the Infrastructure Planning Commission to the Secretary of State.

11. Planning Local finance considerations – Section 143
Commencement date: 15 January 2012
This section adds local finance considerations (defined as either a grant from Government or sums received in payment of the Community Infrastructure Levy) as a matter to which the local planning authority must have regard when determining a planning application.

Agenda Item 20

Committee(s): Audit and Risk Management Committee
Date(s): 20th September 2012
Item no.:
Subject: Public Risk Management Update
Report of: Chamberlain
For Decision

Summary

This report presents the latest Strategic Risk Register for Members’ consideration. Members are asked to note the updated supporting statements for each strategic risk. It should be noted that no risks have been added to the Strategic Risk Register since the previous report to the Audit and Risk Management Committee at the June 2012 Committee.

Recent amendments to the strategic risk register include the addition of control evaluation ratings which indicate the adequacy of current controls for each risk. Furthermore, officers will note that the register now discerns between inherent (gross) and residual (net) risk assessments and includes references to the appropriate City Corporation Strategic Aims and Key Policy Priorities.

The net risk assessments for ‘Financial Stability (SR3)’, ‘Planning Policy (SR4)’ and ‘Project Risk (SR6)’ have decreased slightly but have retained the ‘Amber’ status. The net risk assessment for ‘Adverse Political Developments (SR10)’ has been re-evaluated downwards from ‘Red’ to ‘Amber’ status. The net risk assessment for ‘Public Order and Protest (SR13)’ has been re-evaluated as having a residual risk of ‘Green’.

Your attention is also drawn to the risks below, which are due for detailed consideration by the Committee and for which separate reports are on the Committee agenda.

SR8 Reputation Risk (AMBER) – Director of Public Relations
SR9 Health and Safety Risk (AMBER) – Director of HR
SR10 Adverse Political Developments (RED) - Remembrancer

Reappointment of the Risk and Assurance Manager position has been successful. Sabir Ali will be starting on the 17th September.

Recommendations

Members are asked to:
• Review and approve the Strategic Risk Register.
• Note the new control evaluations, with added gross and net risk scores.

Main Report

Background

1. The strategic risk register was last formally reviewed by the Audit and Risk Committee on 14th June 2012, by Chief Officers on 22nd May 2012 and by the Strategic Risk Management Group on 7th August 2012.

2. Following proposals agreed at the previous Audit and Risk Management Committee, and discussed with Chief Officers on 22nd May 2012, the strategic risk register now includes a control evaluation for each risk and assessments are recorded for both inherent (gross) and residual (net) risks.

3. In accordance with the established risk framework, all risks have been reviewed and updated by the City’s respective risk owners.

4. The Strategic Risk Register was considered by the Chief Officers Summit Group on the 10th September 2012.

Current Position

5. The updated strategic risk register is appended to this report for review. The position of each risk has been recently revised by the responsible risk owner and the risk assessments have been updated accordingly. Members will note the new fields which are summarised below. Internal Audit has provided advice to risk owners to ensure that the new information is consistently applied.

• Control evaluations: The risk owner’s assessment of the adequacy of controls in place. Robust and effective mitigating controls are denoted as ‘Green’, controls which require improvement or are not yet fully implemented are recorded as ‘Amber’, and risks which are inadequately controlled are evaluated as ‘Red’. This element has been incorporated into the register in order to provide officers and members with an indication of the effectiveness of the City’s current controls.

• Gross and net risk assessments: Risks are now calculated by likelihood and impact pre- and post-mitigation. Gross risks indicate the extent of the risk inherited by the City. Conversely, net (or residual) risk is calculated based on the impact and likelihood of the risk being realised when the City’s controls are considered. Both the gross and net risk scores are calculated by the risk matrix enshrined in the Risk Management Handbook.

• Strategic Aims and Key Policy Priorities: Each risk refers to the relevant Strategic Aims and Key Policy Priorities of the City, as recorded in the Corporate Plan 2012-16. These references have been added to highlight the impact that realised risks may have on the City’s ability to achieve its strategic objectives.

6. The majority of risks have retained their previous risk assessments and none have been calculated as being of greater risk to the City since the previous review cycle. The main changes to the City’s strategic risks are summarised below:

• SR3 ‘Financial Stability’: Likelihood has increased from ‘Possible’ to ‘Likely’; Impact has reduced from ‘Major’ to ‘Minor’, resulting in a net reduction in risk score from 18 to 12. The major movement here has been the requirement for the identification of additional budget savings from 2013/14 which will move the budget forecast position from modest deficits into modest surpluses. The risk has retained its Amber status.


• SR4 ‘Planning Policy’: Likelihood has decreased from ‘Possible’ to ‘Unlikely’; Impact has remained ‘Moderate’, resulting in a net reduction in risk score from 13 to 10. The risk has retained its Amber status.

• SR6 ‘Project Risk’: Likelihood has decreased from ‘Possible’ to ‘Unlikely’; Impact has remained ‘Moderate’, resulting in a net reduction in risk score from 13 to 10. The risk has retained its Amber status.

• SR10 ‘Adverse Political Developments’: Likelihood has decreased from ‘Possible’ to ‘Rare’; Impact has remained ‘Catastrophic’, resulting in a net reduction in risk score from 22 to 14. This has resulted in its risk status being reduced to ‘Amber’ which reflects officers’ assessment of the risk in the current political climate.

• SR13 ‘Public Order and Protest’: Likelihood has decreased from ‘Possible’ to ‘Rare’; Impact has decreased from ‘Major’ to ‘Moderate’, resulting in a net reduction in risk score from 18 to 6. This risk has therefore been downgraded from Amber to Green. Discussion with the risk owner identified that this reduction in assessment is not a result of a decrease in the external, inherent risk of public disorder but the result of a different approach in assessment. The previous assessment, calculated shortly after the London riots, was based on the likelihood and impact of a similar event occurring. The assessment is now correctly based on the risk of the City failing to adequately respond to such an event.

To illustrate the current risk profile, the strategic risks have been plotted on the risk assessment matrix in accordance with current impact and likelihood assessments (Appendix 2). Members will note that risks have been plotted according to the net risk score.

7. The risk management framework continues to identify strategic risks in accordance with the definition established in the Risk Management Handbook:

Strategic risks are those that are identified as having an impact on the achievement of the City Corporation’s Strategic Aims or Key Policy Priorities. One or more of the following four criteria must apply:

• The risk relates directly to one or more of the Strategic Aims or Key Policy Priorities.
• A departmental risk that has significant impact on multiple operations if realised.
• The risk has been identified as present for a number of departments.
• There are concerns over the adequacy of departmental arrangements for managing a specific risk.

8. Members are asked to note the updated supporting statements for all risks, in particular SR8 ‘Reputation Risk’, SR9 ‘Health and Safety Risk’ and SR10 ‘Adverse Political Developments’. These risks are to be considered in detail within separate reports on this agenda. Officers should note that SR9 ‘Health and Safety Risk’ is being reviewed again following feedback from the March Committee.

9. SR1 has been renamed to ‘Failure to Respond to a Terrorist Attack’ in order to more accurately capture the nature of the City’s risk.

Cyclical Review of Strategic Risks

10. A structured approach to reviewing the City’s strategic risks has been adopted in order to promote full coverage and review. The following schedule has been prepared by the Strategic Risk Management Group Core Team for submitting risks for consideration by the Audit & Risk Management Committee:

Forthcoming reviews: | Date
SR3 Financial Stability | 12th December 2012
SR4 Planning Policy | 5th February 2013
SR5 Flooding in the City | 5th February 2013
SR8 Reputation Risk | 20th September 2012
SR9 Health and Safety Risk (second review) | 20th September 2012
SR10 Adverse Political Developments | 20th September 2012
SR11 Pond Embankment Failure (follow-up review) | 12th December 2012
SR6 Project Risk (routine 2nd review) | 5th March 2013
SR2 or SR1 Supporting the Business City (routine 2nd Review) or Failure to Respond to a Terrorist Attack (to be confirmed) | 5th March 2013

Completed reviews: | Date
SR1 Failure to Respond to a Terrorist Attack | 14th June 2012
SR2 Supporting the Business City | 14th June 2012
SR6 Project Risk | 14th December 2011
SR9 Health and Safety Risk | 7th March 2012
SR11 Pond Embankment Failure | 22nd February 2012
SR13 Public Order and Protest | 14th December 2011

Closed reviews: | Date
SR7 Major IS Failure | N/A
SR12 Industrial Action | N/A

11. This risk review programme concludes at the March 2013 Committee. The forward review schedule is currently being developed for the 2013/14 period and will be reported to the December 2012 Committee.

Strategic Risk Management Group Core Team

12. The SRMG Core Team met on 7th August 2012. The main areas of discussion and agreed actions were as follows:

• There is the expectation that Chief Officers will introduce new risks into the existing framework as they are identified.

• It was proposed that SR13 ‘Public Order and Protest’ should be removed from the strategic risk register.

• It should be clarified that the scope of SR8 ‘Reputation Risk’ extends to the City’s role as a Police Authority.

• Greater detail for SR3 ‘Financial Stability’ will be requested by the next cycle of Chief Officer and Member review.

13. The Chief Officers Summit Group subsequently reviewed the Strategic Risk Register on the 10th September. It was agreed at that meeting that SR13 ‘Public Order and Protest’ should be retained on the register.

Risk Management Handbook

14. Risk owners have received advice to assist their understanding and completion of the new risk register. In order to embed this understanding, there is the intention to update the Risk Management Handbook with the definitions and descriptions for control evaluations, and gross and net risk assessments.

Conclusion

15. The risk register continues to be actively reviewed and updated by risk owners in line with the requirements stipulated by the Risk Management Handbook.

16. Members are asked to consider and approve the latest strategic risk register appended to this report.

Background Papers:

Risk Management Handbook

Appendices:
APPENDIX 1 Strategic Risk Register
APPENDIX 2 Strategic Risk Profile

Contact: Paul Nagle | [email protected] | 02073321227


City of London Corporation

Strategic Risk Register 11th September 2012

Contents

Guidance Notes
Summary Risk Register
Risk Supporting Statements
SR1 Failure to Respond to a Terrorist Attack
SR2 Supporting the Business City
SR3 Financial Stability
SR4 Planning Policy
SR5 Flooding in the City
SR6 Project Risk
SR8 Reputation Risk
SR9 Health and Safety Risk
SR10 Adverse Political Developments
SR11 Pond Embankment Failure
SR13 Public Order and Protest
Risk Assessment Framework

Closed Risks (detailed extracts not included) | Status
SR7 Major IS Failure | Managed operationally by Chamberlain
SR12 Industrial Action | Corporate oversight maintained by Director of Corporate HR

Owned By: Chief Officers' Group
Version: City Corporation Strategic Risk Register 2012 – 9
Administered By: SRMG/Paul Nagle
Date: 11/09/2012

Guidance Notes

The following Guidance notes have been prepared to assist users of this document.

1. Risk Register Headings:

Heading | Description
Risk No. | Unique reference for the risk.
Risk Details | Description of the risk.
Gross Risk | Assessment of the risk before taking into account any existing mitigating controls, Likelihood and Impact having been assessed against the risk assessment framework.
Risk Owner/Lead Officer | Officer responsible for the management of specific risks and key tasks associated with the mitigation of these.
Existing Controls | Controls in place to mitigate the risk.
Net Risk | Assessment of the risk having taken into account the mitigating controls in place.
Risk Status & Direction | Overall status of Red, Amber or Green calculated in accordance with the assessment of Likelihood and Impact, having applied the risk assessment matrix.
Planned Action | Details of further action required to mitigate the risk to an acceptable level.
Control Evaluation | An assessment of the adequacy of controls in place

2. Likelihood, Impact and Risk Status:

Likelihood and Impact:
KEY | 1 | 2 | 3 | 4 | 5
Likelihood | Rare | Unlikely | Possible | Likely | Almost Certain
Impact | Insignificant | Minor | Moderate | Major | Catastrophic

Risk Status:
R | High risk, requiring constant monitoring and deployment of robust control measures.
A | Medium risk, requiring at least quarterly monitoring, further mitigation should be considered.
G | Low risk, less frequent monitoring, consideration may be given to applying less stringent control measures for efficiency gains.

3. Control Evaluation:

R: Existing controls are not satisfactory
A: Existing controls require improvement/Mitigating controls identified but not yet implemented fully
G: Robust mitigating controls are in place with positive assurance as to their effectiveness


Summary Risk Register

Risk No.: SR1
Risk Details: City Corporation works ineffectively with related parties to respond appropriately following a terrorist attack to restore service delivery and assist business recovery.
Gross Risk: Likelihood 4, Impact 5
Risk Owner/Lead Officer: Town Clerk/Commissioner of Police
Existing Controls: City Police proactively managing the risk of terrorism. Disaster recovery/contingency plan in place, includes responsibilities under the Civil Contingencies Act.
Net Risk: Likelihood 1, Impact 5
Risk Status & Direction*: A ↔
Planned Action: Maintain existing controls
Control Evaluation: G

Risk No.: SR2
Risk Details: City Corporation does not support effectively the business city which suffers a major competitive disadvantage in its position as the world leader in international financial and business services.
Gross Risk: Likelihood 5, Impact 4
Risk Owner/Lead Officer: Town Clerk/Director of Economic Development
Existing Controls: Economic Development Office engaged in a programme of work to support and enhance the business city, in accordance with the EDO Business Plan.
Net Risk: Likelihood 3, Impact 4
Risk Status & Direction*: A ↔
Planned Action: Maintain existing controls
Control Evaluation: G

KEY | 1 | 2 | 3 | 4 | 5
Likelihood | Rare | Unlikely | Possible | Likely | Almost Certain
Impact | Insignificant | Minor | Moderate | Major | Catastrophic

Control Evaluation:
R: Existing controls are not satisfactory
A: Existing controls require improvement/Mitigating controls identified but not yet implemented fully
G: Robust mitigating controls are in place with positive assurance as to their effectiveness

* Direction relates to change in assessment since last review (up/down/no change)

Risk No.: SR3
Risk Details: Reducing investment income and central government grants or unexpected requirements for significant expenditure results in Corporation being unable to maintain a balanced budget and maintain healthy reserves on City's Cash & City Fund significantly impacting on service delivery levels.
Gross Risk: Likelihood 4, Impact 4
Risk Owner/Lead Officer: Chamberlain/Town Clerk
Existing Controls: Medium term financial planning. Efficiency Board and Efficiency and Performance Sub-Committee established to scrutinise progress in implementing 12.5% savings.
Net Risk: Likelihood 4, Impact 2
Risk Status & Direction*: A ↔
Planned Action: Additional resilience to be developed from savings realised through PP2P and further saving reviews.
Control Evaluation: G

Risk No.: SR4
Risk Details: City Corporation not seen to, or unable to, significantly influence general planning policy or transport plan decision makers in London, leading to lack of capacity of system to service the City.
Gross Risk: Likelihood 3, Impact 3
Risk Owner/Lead Officer: City Planning Officer
Existing Controls: Lobbying and participation in consultation exercises, regular monitoring/discussion at Summit Group and Chief Officers' Group.
Net Risk: Likelihood 2, Impact 3
Risk Status & Direction*: A ↔
Planned Action: Maintain existing controls
Control Evaluation: G


Risk No.: SR5
Risk Details: City Corporation does not adequately address the impact of a major flood on the City in relation to businesses, roads, transportation, etc.
Gross Risk: Likelihood 2, Impact 4
Risk Owner/Lead Officer: Director of the Built Environment
Existing Controls: Participation in pan-London consortia with other Lead Local Flood Authorities. Contingency plan in place, in accordance with Civil Contingencies Act responsibilities.
Net Risk: Likelihood 2, Impact 3
Risk Status & Direction*: A ↔
Planned Action: Maintain existing controls
Control Evaluation: A

Risk No.: SR6
Risk Details: Commissioning and delivery of large scale, high profile or prestigious projects or events proves to be inadequate, resulting in reputational, organisational and financial problems.
Gross Risk: Likelihood 3, Impact 4
Risk Owner/Lead Officer: Relevant Chief Officer
Existing Controls: Projects Sub-Committee providing scrutiny over project risk. Project Management Toolkit under development, will include risk management model in accordance with City Policy.
Net Risk: Likelihood 2, Impact 3
Risk Status & Direction*: A ↔
Planned Action: Strategic Risk Register to be populated on an on-going basis with "Top X" project risks. Development of requirements for Post Project Appraisal.
Control Evaluation: G

Risk No.: SR7
Risk Details: Major failure in information systems leading to significant disruption to business, inability to meet legal or regulatory requirements, effect on health and safety, financial or reputational loss.
Gross Risk: Risk Closed
Risk Owner/Lead Officer: Chamberlain
Existing Controls: IS Security Policy, investment in SAN and Disaster Recovery arrangements.
Net Risk, Status and Planned Action: Risk Closed 22/02/2012, managed on an operational level


Risk No.: SR8
Risk Details: Negative publicity and damage to the City Corporation's reputation.
Gross Risk: Likelihood 4, Impact 4
Risk Owner/Lead Officer: Town Clerk/Director of Public Relations
Existing Controls: Communications Strategy in place, experienced media/communications team, Departmental Communication Representatives meetings, PR Toolkit.
Net Risk: Likelihood 3, Impact 4
Risk Status & Direction*: A ↔
Planned Action: On-going work with PR Consultants to improve City Corporation’s ability to manage increasingly challenging reputational issues.
Control Evaluation: G

Risk No.: SR9
Risk Details: Major failure of health and safety procedures resulting in a fatality in an accident on City of London Corporation premises or to a member of the City of London workforce.
Gross Risk: Likelihood 4, Impact 4
Risk Owner/Lead Officer: Health and Safety Committee/Relevant Chief Officer
Existing Controls: Officer Health and Safety Committee in operation, monitoring key H&S issues and having oversight of the Health and Safety Top X risks.
Net Risk: Likelihood 3, Impact 3
Risk Status & Direction*: A ↔
Planned Action: Strategic Risk Register to be populated with the corporate "Top X" health and safety risks. Revised policy to be put forward for approval
Control Evaluation: A

Risk No.: SR10
Risk Details: Adverse political developments undermining the effectiveness of the City of London Corporation.
Gross Risk: Likelihood 5, Impact 5
Risk Owner/Lead Officer: Remembrancer
Existing Controls: Promotion of the good work of the City Corporation, City Corporation needs to remain relevant and “doing a good job” and be seen as such.
Net Risk: Likelihood 1, Impact 5
Risk Status & Direction*: A ↓
Planned Action: The organisation needs to ensure it is seen as important and relevant across a wide field of activities that are not geographically limited to the Square Mile.
Control Evaluation: G

Risk No.: SR11
Risk Details: Flooding caused as a result of pond embankment failure at Hampstead Heath
Gross Risk: Likelihood 3, Impact 5
Risk Owner/Lead Officer: Director of Open Spaces/City Surveyor
Existing Controls: On-going monitoring of water levels, emergency action plan, public consultation, project management.
Net Risk: Likelihood 3, Impact 5
Risk Status & Direction*: R ↔
Planned Action: Major project initiated to upgrade the pond embankments, not yet delivered.
Control Evaluation: A


Risk No.: SR12
Risk Details: Industrial/employee action resulting in significant or severe disruption to service delivery.
Gross Risk: Risk Closed
Risk Owner/Lead Officer: Director of Corporate HR
Existing Controls: High level impact analysis, arrangements/policy communicated to all staff.
Net Risk, Status and Planned Action: Risk Closed 07/03/2012, managed on an operational level

Risk No.: SR13
Risk Details: Failure to respond appropriately to issues resulting from public order and protest.
Gross Risk: Likelihood 4, Impact 4
Risk Owner/Lead Officer: Town Clerk
Existing Controls: Major Incident Plan and Disaster Recovery Plan
Net Risk: Likelihood 1, Impact 3
Risk Status & Direction*: G ↓
Planned Action: Monitor and review in light of lessons learned from recent issues
Control Evaluation: G


Risk Supporting Statement SR1
Risk Owner: Town Clerk/Commissioner of Police

Risk: City Corporation works ineffectively with related parties to respond appropriately following a terrorist attack to restore service delivery and assist business recovery.
Links to: Strategic Aims SA1 & SA2 and Key Policy Priority KPP3
Gross Risk: R (Likelihood 4, Impact 5)

Detail: This risk has a number of components for the City Corporation resulting from its role as an employer, Local Authority and the Police Authority for the square mile. The risk from the policing perspective (operational policing) is managed by the Commissioner of Police, the remaining elements cover a range of operational areas e.g. disaster recovery/business continuity, building management, employee and community safety. The City Corporation also has responsibility under the Civil Contingencies Act 2004 to its businesses and residential communities to support them in the aftermath of a terrorist attack. The specific issues are outlined below.

Specific Issues:
• Specific locations are potential targets (areas/buildings in the City and City Corporation assets)
• Employee/community welfare (visitors, residents and workers)
• Public/business confidence in the City as a safe environment

Mitigating Controls:
• Iconic sites within the City have been assessed by the Security Services and plans concerning these are regularly exercised.
• Generic Emergency Management Plan and Disaster Recovery/Business Continuity Arrangement are in place and are regularly exercised.
• Guidance and support is provided to businesses and residents.
• There is regular liaison with and support provided to businesses and strategies are in place to respond to concerns or incidents.
• Other relevant mitigations: Safety/evacuation plans in place for City of London Corporation’s corporate premises.

Summary and Further Action: The City of London Police undertakes a range of activity with other agencies (Met Police, Home Office, MI5) to disrupt terrorist activity. The Home Office Current Threat Level is Substantial (Terrorist attack is a strong possibility) therefore it is essential that the City Corporation undertakes a level of planning and exercising to ensure that, together with its partner agencies, it is ready to lead the recovery phase of the emergency response to an incident. This risk relates specifically to the City Corporation’s ability to mitigate the impact of terrorist attack through its role as the lead for coordinating the activities of its service departments and other public services to restore the business and residential infrastructure. The planning and exercising has been tested regularly in preparation for the Olympic Games; the evidence from this work is that it is unlikely that the City Corporation would fail to respond appropriately to a terrorist attack.

Net Risk: A (Likelihood 1, Impact 5)
Control Evaluation: G

Risk Supporting Statement SR2 Risk Owner: Town Clerk/Director of Economic Development

Risk: City Corporation does not support effectively the business city which suffers a major competitive disadvantage in its position as the world leader in international financial and business services.
Links to: Strategic Aims SA1 & SA3 and Key Policy Priorities KPP1 & KPP3
Gross Risk: R (Likelihood 5, Impact 4)

Detail: Should the City Corporation provide ineffective support to the business city, there is a danger this will lead to a reduction in business activity in the City, lower income and engagement with CoL. The City Corporation may seek to influence the likelihood of this risk materialising, with a lesser degree of influence over the impact. To a significant extent, the primary purpose of the Economic Development Office is to manage this risk.

Specific Issues:
- Domestic and EU tax and regulation
- Crisis over and other issues which pose a major threat to the maintenance of the City’s reputation

Mitigating Controls:
- Programme of work of the EDO to maintain City's competitiveness and CoL's role (ref. EDO Business Plan)
- International Regulatory Strategy Group established, a primary function of which is to identify, assess and respond to regulatory issues.
- Robust policy, media and political response to industry developments affecting public perception of the City as a whole.
- Role of Lord Mayor as ambassador for the Business City
- Role of Policy and Resources Committee in promoting the City

Summary and Further Action: The controls in place reduce the likelihood of this risk materialising from 5 to 3. At any given time there are a number of issues that could undermine the City's position as a world leader in international financial and business services. Specific issues will be refreshed at each review with appropriate mitigation.
Net Risk: A (Likelihood 3, Impact 4)
Control Evaluation: G

Risk Supporting Statement SR3 Risk Owner: Chamberlain/Town Clerk

Risk: Reducing investment income and central government grants or unexpected requirements for significant expenditure results in Corporation being unable to maintain a balanced budget and maintain healthy reserves on City's Cash & City Fund significantly impacting on service delivery levels.
Links to: Strategic Aim SA2 and Key Policy Priority KPP2
Gross Risk: R (Likelihood 4, Impact 4)

Detail: To a large degree, this risk has already been realised, the organisation is now in the process of managing the impact of reductions in funding and negating the impact on reserves. Two significant projects are underway to build resilience against further financial pressures and additional savings being identified.

Specific Issues: n/a

Mitigating Controls:
- Scrutiny of efficiency proposals by the Efficiency Board and Efficiency and Performance Sub-Committee.
- Work with London Councils and direct engagement with Central Government.
- Independent assurance work undertaken by Internal Audit regarding efficiency proposals.

Summary and Further Action: The overall strategy is now to make additional savings and efficiencies to not only balance the budget, but to generate surpluses to offer some protection should the financial position deteriorate. Based on current forecasts the objectives the risks have now reduced.
Net Risk: A (Likelihood 4, Impact 2)
Control Evaluation: G

Risk Supporting Statement SR4 Risk Owner: City Planning Officer

Risk: City Corporation not seen to, or unable to, significantly influence general planning policy or transport plan decision makers in London, leading to lack of capacity of system to service the City.
Links to: Strategic Aim SA1 and Key Policy Priority 3
Gross Risk: A (Likelihood 3, Impact 3)

Detail: This risk links closely with SR2, supporting the business city and SR8 reputation risk. A key objective of the City of London's planning function is to provide a planning strategy that is sympathetic to the needs/wishes of developers, balanced with the requirements of legislation, wider planning strategy for London and the interests of existing City businesses and residents. Maintaining an environment where large companies may develop office accommodation suitable to be used as global headquarters and lobbying to improve transport infrastructure is critical to the City maintaining its status as the leading financial and business centre. At a point in time there will be a number of different issues that may lead to this risk being realised, as part of the on-going review of this risk, these specific threats will be identified and assessed.

Specific Issues and Mitigating Controls

Specific issue: Relaxation of rules relating to change of use from hotels to residential and relating to temporary change of use.
Mitigating controls: Engagement with policy makers as part of the consultation process (closes 11/9/2012). Revision of City’s development plan policies to mitigate the local effects of national policy changes.

Specific issue: Listed building status - restricting the ability to redevelop key areas of the City
Mitigating controls: Regular monitoring/discussion at Summit Group and Chief Officers' Group.

Specific issue: Right to Light issues
Mitigating controls: Regular monitoring/discussion at Summit Group and Chief Officers' Group, thorough consultation on proposed developments, sensitive design. Member representation at London Councils.

Summary and Further Action: The effect of any one of the above issues materialising as an isolated occurrence is likely to be moderate, although the cumulative effect of multiple instances relating to one or more of the above would be more significant - the controls in place are robust, although this should be subject to continued monitoring. It is anticipated that, following the rejection of the English Heritage bid to "list" the Broadgate development, a number of other post war developments will be identified for preservation.
Net Risk: A (Likelihood 2, Impact 3)
Control Evaluation: G

Risk Supporting Statement SR5 Risk Owner: Director of the Built Environment

Risk: City Corporation does not adequately address the impact of a major flood on the City in relation to businesses, roads, transportation, etc.
Links to: Strategic Aim SA2 and Key Policy Priority KPP3
Gross Risk: A (Likelihood 2, Impact 4)

Detail: There are three elements to this risk; river flooding, surface water flooding and an inadequate response to flooding. While river flooding is unlikely, a significant area south of Thames Street would be affected by it, compounded by the fact that flood water would remain trapped behind the river defences. Surface water/sewer flooding is a more likely scenario, with London's drainage system lacking the capacity to accommodate prolonged, intense rainfall. Responsibility for the sewer network lies with Thames Water not the City, although the City has overall responsibility for co-ordination of flood risk as a Lead Local Flood Authority. Strategic Flood Risk Assessment Review 2012 has confirmed that surface water flooding would be restricted to relatively few, small areas in the Fleet Valley and the Thames Riverside, with most of the City unaffected.

Specific Issues and Mitigating Controls

Specific issue: River Flooding unlikely (2) severe (4) impact
Mitigating controls: Main defence provided by Environment Agency through Thames Barrier and river wall defences, proven reliability over the past 30 years. Latest research shows that the Barrier will remain effective until around 2060-70.

Specific issue: Surface water flooding rare (1) minor (2) impact
Mitigating controls: Partnership working with pan-London bodies, surrounding boroughs, Thames Water and Environment Agency to reduce the risk and mitigate its effects. Restrictions over building design and use in high risk areas through planning controls. Further modelling work is being undertaken for areas at high risk of surface water flooding and feasibility studies are planned for further mitigation measures.

Specific issue: Inadequate response to flooding unlikely (2) minor (4) impact
Mitigating controls: Contingency plan in place, CoL has responsibilities under the Civil Contingencies Act.

Summary and Further Action: While it is not possible for the City to mitigate the risk of flooding, it is possible to minimise the impact of such an incident through robust contingency planning. The City has responsibilities under the Flood Risk Regulations 2009 and Flood and Water Management Act 2010, culminating in a flood risk management plan for areas which are at significant risk of flooding, to be in place by June 2015.
Net Risk: A (Likelihood 2, Impact 3)
Control Evaluation: A

Risk Supporting Statement SR6 Risk Owner: Relevant Chief Officer

Risk: Commissioning and delivery of large scale, high profile or prestigious projects or events proves to be inadequate, resulting in reputational, organisational and financial problems.
Links to: Strategic Aims SA1, SA2 and SA3 and Key Policy Priorities KPP2 and KPP4
Gross Risk: A (Likelihood 3, Impact 4)

Detail: A Project Management Working Party reviewed arrangements across the City and implemented a set of procedures in October 2011 with the aim of standardising approach as far as reasonably practical to do so for capital, supplementary revenue and major revenue projects. The project management arrangements are beginning to improve consistency of delivery and once fully embedded the organisation (led by the Projects Sub-Committee) will be better placed to obtain assurance that project risk is being managed appropriately. These arrangements do not cover all projects, generally exceptions will relate to revenue expenditure and change programmes, risks emerging from these projects are expected to be captured within departmental risk registers.

Specific Issues:
- To be populated with the details of high risk projects as the PM Toolkit becomes embedded and the required level of analysis is available.
- Further risks to be identified from Departmental Risk Registers as the requirements of the Risk Management Handbook are embedded.

Mitigating Controls:
- Projects Sub-Committee reviews all projects at a high level on a periodic basis via programme reports which provide a status of ‘red’, ‘amber’ or ‘green’ with all projects rated ‘red’ and ‘amber’ reported more frequently. The Sub-Committee provides scrutiny of individual proposals and project management to ensure value for money is achieved.
- Designation of Project Sponsors and individual establishing individual project boards to provide scrutiny and oversight.
- To be populated with detail relevant to risks as identified.

Summary and Further Action: At present, this risk relates to the arrangements in place to manage projects and project risk. As the Project Management Toolkit and Risk Management Handbook are embedded, this will evolve to capture specific high risk projects, or significant risks within projects.
Further Action: Development of requirements for Post Project Appraisal, learning lessons from experience.
Net Risk: A (Likelihood 2, Impact 3)
Control Evaluation: G

Risk Supporting Statement SR8 Risk Owner: Town Clerk/ Director of Public Relations

Risk: Negative publicity and damage to the City Corporation's reputation.
Links to: Strategic Aims SA1, SA2 and SA3 and Key Policy Priorities KPP1, KPP2, KPP3, KPP4 and KPP5
Gross Risk: R (Likelihood 4, Impact 4)

Detail: This risk may materialise as a result of external factors or failure to manage risk within the operations of the organisation. There will always be an inherent risk around reputation, but the specific threats present at any one time will vary depending on the nature of key projects, internal and external developments or factors. A shortlist of the most significant issues is maintained, updated by the Director of Public Relations on a quarterly basis using information gained from on-going liaison with departments and, in future as risk management becomes embedded, through examination of departmental risk registers. In addition to the shortlist below, there is a broad risk in relation to negative publicity or adverse media comment following failure of service delivery. The likelihood and impact of this is very much dependent upon the circumstances and outcome of the failure.

Specific Issues Mitigating Controls

- Communications strategy in place
- Working with retained public affairs consultants to improve City Corporation’s ability to respond to communications challenges
- Experienced media/communications team with the right skills to handle reputation issues.
- Regular liaison with Committees and departments including through departmental communication representative meetings etc, aiming to ensure the overall reputation of the organisation is kept under close review during all policy deliberations
- PR Tool kit
- Examination of departmental risk registers to identify emerging issues (on-going)

Summary and Further Action

Summary: Shortlist of Key Issues (Likelihood, Impact)
- Hampstead Heath Hydrology: Likelihood 2, Impact 5
- Use of the YMCA: Likelihood 3, Impact 2
- London Living Wage: Likelihood 5, Impact 3
- Debate around the transparency and accountability for City's Cash: Likelihood 5, Impact 3
- Adverse comment or publicity on the role and purpose and governance of the City Corporation: Likelihood 3, Impact 3
- Managing the impact of street works (e.g. Cheapside, renewal of water main) on visitors, residents and workers: Likelihood 5, Impact 3
- External website project fails to meet delivery timetable and objectives as a communication tool: Likelihood 1, Impact 3
- Adverse comment or public perception as a result of the City failing to meet obligations in relation to the 2012 Olympics: Likelihood 3, Impact 4

Net Risk: A (Likelihood 3, Impact 4)
Control Evaluation: G

Risk Supporting Statement SR9 Risk Owner: Health and Safety Committee/Relevant Chief Officer

Risk: Major failure of health and safety procedures resulting in a fatality in an accident on City of London Corporation premises or to a member of the City of London workforce.
Links to: Strategic Aims SA2 and SA3, and Key Policy Priority KPP2
Gross Risk: R (Likelihood 4, Impact 4)

Detail: Corporate oversight of health and safety risk is maintained by Corporate Human Resources, an officer Health and Safety Committee is in operation, chaired by the Deputy Town Clerk. A health and safety risk management system is in place, with consistent reporting and review mechanisms, ensuring that the key risks identified across the organisation are escalated accordingly. The committee monitors progress to address significant issues as they arise. For the purpose of maintaining the Strategic Risk Register, a shortlist of the most significant current health and safety risks will be maintained.

Specific Issues:
- Policy in consultation. Due for approval in late autumn. Assurance possible but will be improved by implementation of new policy and associated audit regime.

Mitigating Controls:
- Enhanced Corporate Health & Safety Policy in place to meet legal requirement
- Corporate Training is in place and effective
- Health & Safety working groups in operation
- Top X being reported – further work on content improvement planned
- Accidents reported and investigated via a new system (Reactive system)
- Departmental Competencies Improved and departmental H&S committees being monitored

Summary and Further Action: Since the Health & Safety Gap Audit was commissioned by the Deputy Town Clerk in 2010, an action plan has been put in place to review the H&S systems across the Corporation of London to ensure H&S Compliance. The plan commenced in August 2010 and since then many improvements have been made to the CoL’s safety management systems. Many practical systems have been reinvigorated or implemented and are working, such as Top X, departmental safety co-ordinator forums, and a departmental safety competency review. Key to the successful implementation and delivery of a holistic safety management system based on proactive and reactive procedures is a review of Corporate Governance processes and the H&S Policy. This process has involved detailed consultation but a revised policy will be going through the officer and member approval processes in late autumn, with a view to implementation at the end of 2012.
Net Risk: A (Likelihood 3, Impact 3)
Control Evaluation: A

Risk Supporting Statement SR10 Risk Owner: Remembrancer

Risk: Adverse political developments undermining the effectiveness of the City of London Corporation
Links to: all Strategic Aims and Key Policy Priorities.
Gross Risk: R (Likelihood 5, Impact 5)

Detail: Owing to its nature and geographical size, the City Corporation is particularly vulnerable to political developments concerning London government. There are two main issues at present; the continuing financial turmoil and fallout from “occupy” is resulting in slanted scrutiny of the City Corporation and the longer term threat to the local authority functions from sharing of services and a consequent London Government review.

Specific Issues:
- “Occupy” and the current turmoil in the financial system has provoked unfounded allegations of undue influence and partial accounts of the City Corporation’s lobbying activities.
- A review of London government is not currently envisaged but the increased interest in sharing services (and offices) between authorities and Boundary Commission proposals may reinstate earlier suggestions for 5 or 6 “super boroughs”, raising concerns around the viability of a separate administration for the Square Mile.

Mitigating Controls:
- Promotion of the good work of the City Corporation, City Corporation needs to remain relevant and “doing a good job” and be seen as such. This risk has a Low (1) likelihood, but potentially Catastrophic (5) impact.

Summary and Further Action: The organisation needs to ensure it is seen as important and relevant across a wide field of activities that are not geographically limited to the Square Mile. Current public affairs activities should be maintained to this end. Any functions which may be vulnerable on account of their size if kept as free standing operations need to be identified and the case for ameliorating action (e.g. partnerships, shared services) considered.
Net Risk: A (Likelihood 1, Impact 5)
Control Evaluation: G

Risk Supporting Statement SR11 Risk Owner: Director of Open Spaces/ City Surveyor

Risk: Major Flooding caused as a result of pond embankment failure at Hampstead Heath
Links to: Strategic Aim SA3 and Key Policy Priority KPP4
Gross Risk: R (Likelihood 3, Impact 5)

Detail: If there were to be failure of the pond embankments during a major storm, and no warning was given, the number of lives at risk on the Hampstead chain would be in the region of 400 and on the Highgate chain would be around 1000. This would also result in inundation and damage to local properties, roads and the railway lines towards Kings Cross. Detailed analysis has identified that dam crests are not currently able to cope with the level of overtopping expected to occur as a result of such a storm, increasing the risk of erosion and dam failure. The City of London Strategic Flood Risk Assessment 2012 with new surface water modelling, identified 4 areas of risk in the City from upstream run-off (including Hampstead Heath).

Specific Issues and Mitigating Controls

Specific issue: Insufficient warning given of flooding
Mitigating controls: Telemetry system installed and managed by the City Surveyor as an integral part of the on-site Emergency Action Plan for reservoir dam incidents enabling early warning where pre-determined water levels at key ponds in both the Hampstead and Highgate chains of ponds are breached. (City Surveyor/Director of Open Spaces)

Specific issue: Inadequate response to dam overtopping
Mitigating controls: Emergency Action Plan for on-site response in place. Discussions on-going with Camden Council about their responsibility for preparing an off-site Emergency Action Plan. (City Surveyor/Director of Open Spaces)

Specific issue: Sensitivities of the local community regarding the natural aspect of the Heath
Mitigating controls: The City has undertaken extensive consultation with local stakeholders about why this public safety project is required. The City has established a Stakeholder Group to enable key groups to contribute to the detailed design of the scheme and has appointed a dedicated officer to manage consultation. (Director of Open Spaces) Hampstead Heath, Highgate Wood and Queens Park Committee actively engaged with local community.

Specific issue: Non delivery of project to upgrade pond embankments (includes slippage from agreed timetable and budget)
Mitigating controls: On-going monitoring by Project Board and Projects Sub Committee (City Surveyor)

Summary and Further Action: A project has been initiated to upgrade the pond embankments, but until such time that this project is completed (2014/15) there remains a risk of flooding downstream. Responsibility for the delivery of this project rests with the City Surveyor and in relation to the City's reputation, day to day management of the ponds and the community welfare aspects of this risk, the Director of Open Spaces.
Net Risk: R (Likelihood 3, Impact 5)
Control Evaluation: A

Risk Supporting Statement SR13 Risk Owner: Town Clerk

Risk: City Corporation does not manage effectively negative impacts arising from Public Order and Protest, leading to a loss of confidence in the organisation.
Links to: Strategic Aims SA1 and SA2, and Key Policy Priority KPP3
Gross Risk: R (Likelihood 4, Impact 4)

Detail: This risk has a number of components for the City Corporation resulting from the roles as an employer, a Local Authority and as the Police Authority for the square mile. The risk from the policing perspective (operational policing) is managed by the Commissioner of Police, the remaining elements cover a range of operational areas e.g. disaster recovery/business continuity, building management, employee and community safety. The City Corporation also has a responsibility under the Civil Contingencies Act 2004 to its businesses and residential communities to support them in the aftermath of violent Public Order and Protest. This risk is directly linked to SR2 (Supporting the Business City), SR3 (Financial Stability) and SR8 (Reputation Risk), assessment of SR13 may lead to reassessment of these risks.

Specific Issues:
- Planned protest marches in or near the City that, although peaceful, interrupt the daily life of the City by their presence.
- Planned protest marches that become disorderly or violent whether in the City or elsewhere that adversely affect business, property or communities for which the City Corporation has a statutory or corporate responsibility.
- Static protests whether peaceful or disorderly that adversely impact on the daily life of the City or adversely affect business, property or communities for which the City Corporation has a statutory or corporate responsibility.
- Spontaneous or organised outbreaks of civil disorder that adversely impact on the daily life of the City or adversely affects business, property or communities for which the City Corporation has a statutory or corporate responsibility.

Mitigating Controls:
- The City of London Police and the City Corporation, as Category 1 responders (as designated by the Civil Contingencies Act 2004) have statutory responsibilities to warn and inform and prepare for any major incident, whatever the cause.
- These responsibilities are delivered through the Major Incident Plan and Disaster Recovery/Business Continuity Plans for both organisations.
- The City Corporation has worked with the Crime Prevention Association to produce guidance for City business to mitigate the impact of protest. This guidance has been distributed across the City.

Summary and Further Action: Many of the controls operated by the City Corporation are designed to reduce the impact of protest whether peaceful or violent. For peaceful protest, we send advisory messages and updates that allow City businesses and residents to plan for disruption. If the protest or public order issue becomes violent, major incident and Business Continuity plans provide the framework for incident management, support to businesses and residents and long term recovery. Recent civil unrest across the world and particularly in London highlights the risk of public order or protest affecting the City.
Net Risk: G (Likelihood 1, Impact 3)
Control Evaluation: G

Risk Assessment Framework

Risk score by IMPACT (rows) and LIKELIHOOD (columns):

IMPACT          RARE   UNLIKELY   POSSIBLE   LIKELY   ALMOST CERTAIN
CATASTROPHIC    14     20         22         24       25
MAJOR           11     17         18         21       23
MODERATE        6      10         13         16       19
MINOR           3      5          8          12       15
INSIGNIFICANT   1      2          4          7        9

Likelihood Indicators

Rare: Robust mitigating controls in place, the risk may occur only in exceptional circumstances, (e.g. not likely to occur within a 10 year period or no more than once across the current portfolio of projects).

Unlikely: Adequate mitigating controls in place, the risk may occur in remote circumstances (e.g. risk may occur once within a 7-10 year period or once across a range of similar projects).

Possible: Reasonable mitigating controls in place, but may still require improvement. External factors may result in an inability to influence likelihood of occurrence (e.g. risk event could occur at least once over a 4-6 year period or several times across the current portfolio of projects).

Likely: Mitigating controls are inadequate to prevent risk from occurring, the risk may have occurred in the past (e.g. risk event could occur at least once over a 2-3 year period or several times across a range of similar projects).

Almost Certain: Mitigating controls do not exist or are wholly ineffective to prevent risk from occurring. The risk has occurred recently or on multiple past occasions (e.g. risk event will occur at least once per year or within a project life cycle).

Risk Assessment Framework

Impact: Description and Indicators

Insignificant
Description: An event where the impact can be easily absorbed without management effort.
Indicators:
- No real impact on service delivery.
- Short term loss up to £5k, adverse variances across one or more budget subjective, although largely on target or within total budget.
- Very minor injuries.
- No sustained reputational damage, does not result in adverse media comment.

Minor
Description: Impact can be readily absorbed although some management input or diversion of resources from other activities may be required. The event would not delay or adversely affect a key operation or core business activity.
Indicators:
- Disruption on a divisional/business unit level, Impact on service delivery of little/no concern to stakeholders.
- Short term loss of up to £10k, or adverse budget variance of up to 10%.
- Slight injuries.
- Minimal localised reputational damage with minor short-term adverse media comment, early recovery possible.

Moderate
Description: An event where the impact cannot be managed under normal operating conditions, requiring some additional resource or Senior Management input or creating a minor delay to an operation or core business activity.
Indicators:
- Serious disruption to service delivery from one department, affecting an isolated group of customers, short term impact on the environment.
- Short term loss of £100k, or adverse budget variance of 10-25%.
- Major/serious injuries.
- Breach of regulation/law leading to sanctions or legal action
- Local adverse media comment/public perception, possible medium/long-term impact.

Major
Description: Major event or serious problem requiring substantial management/Chief Officer effort and resources to rectify. Would adversely affect or significantly delay an operation and/or core business activity or result in failure to capitalise on a business opportunity.
Indicators:
- Serious disruption to service delivery from more than one department, affecting a range of customers, recovery possible in the short term.
- Sustained loss of £5-10m, or short term loss in excess of £1m, or adverse budget variance of 25-50%.
- Single fatality/medium-term impact on quality of life.
- Serious breach of regulation/law causing intervention/sanctions/legal action
- Short-term adverse media comment on a National level with prolonged comment on a local level leading to long-term damage and a general loss of confidence.

Catastrophic
Description: Critical issue causing severe disruption to the City of London, requiring almost total attention of the Leadership Team/Court of Common Council and significant effort to rectify. An operation or core business activity would not be able to go ahead if this risk materialised.
Indicators:
- Catastrophic impact on service delivery across the organisation, protracted recovery period, possibly requiring organisational structure or process change.
- Sustained loss in excess of £10m per annum or adverse budget variance of greater than 50%, inadequate resources to fund essential operations.
- Multiple fatalities/long-term impact on quality of lives or permanent impact on the environment
- Substantial breach of regulation/law resulting in prosecution of directors/Corporation
- Substantial adverse media comment on an International/National level, with long-term impact that may threaten the City Corporation’s ability to continue to operate as a service provider.

The descriptors above are indicative of likely outcomes/materiality measures at each impact level, this table has been developed to assist in ensuring that risk is considered and assessed within the appropriate context. As part of the assessment process, due consideration must be given to the lifetime of a risk; the project lifecycle or duration of the activity, whether this is a one off or recurring activity and the general proximity of the risk.

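Strategic Risk Profile August 2012 APPENDIX 2

[Chart: strategic risks plotted by IMPACT (Insignificant, Minor, Moderate, Major, Catastrophic) against LIKELIHOOD (Rare, Unlikely, Possible, Likely, Almost Certain). Risks shown by impact row: Catastrophic: SR1, SR11, SR10. Major: SR2, SR8. Moderate: SR13, SR4, SR5, SR6, SR9. Minor: SR3. Insignificant: none. Key: Red/High Risk, Amber/Medium Risk, Green/Low Risk.]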

Agenda Item 21

Committee: Audit & Risk Management Committee
Date: 20th September 2012
Item No.:
Subject: Internal Audit Planning 2013/14 (Public)
Report of: Chamberlain (For Decision)

Summary

The purpose of this report is to provide the Committee with an overview of, and an opportunity to comment on, the strategic internal audit plan for 2013/14 prior to the development of the more detailed Annual audit plan for 2013/14.

The City’s Internal Audit Section provides an independent review function to provide assurance on the design and effectiveness of the City’s governance, internal control and risk management environment. To ensure this is done in an effective way, there is a 5 year Strategic Plan which provides the basis for the Annual Audit Plan. This internal audit role is a central element of the City’s Corporate Governance framework, as the internal audit work and Head of Internal Audit opinion is a key input to the published Annual Governance Statement and focus for the work of the Audit & Risk Management Committee. The internal audit function is continually aiming to focus its activities and approach according to the assurance requirements of the City. This has entailed undertaking more strategic reviews, increased focus on VFM and efficiency, and working much closer with senior management so its work is more focused on those areas where internal audit can provide added value to the organisation. To support this focus, internal audit has taken on responsibility for the corporate risk management support function and supports the efficiency and performance review work of the officer Efficiency Board and member Efficiency & Performance Sub-Committee (EPSC).

The combining of the internal audit function and the corporate risk management support role is assisting the City of London in developing a more integrated risk and assurance management approach with clearer linking of internal audit and other assurance activity to the key strategic and departmental risks faced by senior management. The development of more consistent Departmental Risk Registers following the roll-out of the Risk Management Handbook will assist in the review and development of internal audit plans.

The indicative allocation of internal audit resources by audit theme and Department is set out in Appendix 2 of this report. Appendix 3 provides information on Departmental spend and income with commentary on factors which impact on the audit resources allocation.

Areas of emphasis within internal audit cyclical risk based work are the implementation of PP2P including the establishment of the new City of London Procurement Service, major projects including the new project management arrangements, reviewing the impact of the Strategic Finance Review on Financial Management and focusing on new commissioning, partnerships and large service contract management arrangements in Departments.

In addition to the above areas of emphasis from internal audit’s cyclical risk based plans, it is also intended for internal audit to focus on anti-fraud controls, information governance, IS Strategic review, management information and changes arising from the Localism Agenda. Members’ observations on these areas are sought as well as suggestions as to other areas of focus that could be considered for risk assessment as part of the detailed audit planning process over the next few months.

Internal audit will commence its main annual audit planning process in October, by having detailed discussions with Chief Officers with a view to producing a detailed operational audit plan to present to Chief Officers Group in January 2013 and seeking Audit & Risk Management Committee approval at the February 2013 meeting. This report sets out the resource availability and proposed deployment of audit resources for the anticipated 2914 days available from the 14.6 internal audit section staff.

Recommendation

The Audit and Risk Management Committee note the report.

Main Report

The role of internal audit

1. Internal Audit is an assurance function that provides an independent and objective opinion to the organisation on the control environment, by evaluating its effectiveness in achieving the organisation’s objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. The control environment comprises the systems of governance, risk management and internal control.

2. The Internal Audit section reviews the operations of all services the City provides, and also supplies the internal audit service to the Museum of London and London Councils under an SLA. It does so in accordance with its Terms of Reference which reflect statutory and professional requirements. Implementation of the audit plan helps the City of London maintain “a sound system of internal control which facilitates the effective exercise of that body’s functions and which includes arrangements for the management of risk” (Accounts and Audit Regulations 2011). Proper practices are defined in the 2006 CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom, which is the professional basis for the operation of the Internal Audit section.

3. Internal audit adds value and improves the City’s operations by promoting a robust control environment, best practice in governance and risk management as well as making recommendations for improvements in operating efficiencies. To achieve this, the Internal Audit section engages with the City’s Corporate and Departmental change programmes, providing expert independent and objective input to emerging issues.

Internal Audit Planning Process

4. Annually, internal audit conducts a comprehensive risk-based audit planning process to ensure that all areas of the City of London’s operations (and external partners, where appropriate) are provided with an appropriate and structured internal audit service to assist in the continuous improvement process.

5. The result of this process is an updated 5 year Audit Strategic Plan 2013-18 which provides the starting basis for the Annual operational audit plan. Whilst many other organisations adopt a 3 year rolling strategic plan, a 5 year plan is still considered most appropriate for the City of London, reflecting a desire for a cyclical coverage of all the main auditable areas of the City’s diverse operations.

6. The principles of risk management are applied throughout the planning process in that the allocation of resources to each audit is considered against the assessed likelihood, frequency and impact of individual risks. The internal audit risk assessment methodology was reviewed last year so that it is aligned to the management handbook assessment criteria and takes into account financial materiality, reputational risk, current control effectiveness, whether there have been structural, process or system changes and the risk of loss, fraud or abuse of powers.

7. The Internal audit risk assessment which drives the allocation of resources is undertaken at a detailed system level rather than at departmental level. This is because it is necessary to assess the wide variety of risks and systems that exist within each Department to ensure an appropriate coverage. Appendix 3 provides an analysis of the indicative audit days allocation by Department with details of expenditure, income and staffing budgets along with a brief commentary on the factors which drive the audit coverage in each department, of which the level of expenditure and income is only one factor.

8. Whilst the strategic and annual audit plans are initially compiled using risk to assess the areas needing coverage, Chief Officer views are being sought on the focus and scope of audit activity so planned work is more focused on those areas where internal audit can provide added value to the organisation.

9. Reference is made to Department risk registers in developing the audit plans. Following the roll-out of the Risk Management handbook it is intended to place increased reliance on these risk registers in informing risk assessments for audit planning purposes.

10. Linkages to the Strategic Risk Register will be demonstrated when the detailed annual audit plan is presented in February 2013.

11. External Audit will be consulted on the content of the 2012/13 operational internal audit plan and a number of financial control areas of planned internal audit work are expected to be of particular interest to them in arriving at their own audit opinion on the published financial statements of the City.

12. Resource assumptions are based upon an audit section complement of 14.6 FTEs consisting of one Head of Audit & Risk Management, four Audit Managers, one Risk & Assurance Manager, eight auditors and one fraud investigator. The assumptions behind this resource analysis are set out in Appendix 1. Whilst the internal audit section has benefited from being at full complement over the last 2 years, some turnover is now considered to be more likely and succession planning, particularly for specialist IS and contract and procurement auditors, is a key consideration. Should vacancies arise, it is intended to use the allocated internal audit budget to purchase additional audit resources to deliver the audit plan.

Indicative Allocation of Internal Audit Resources

13. The overall allocation of time from the estimated 3,238 days available is as follows, with further detail of the indicative audit review coverage set out in Appendix 2. Members will observe that Appendix 2 analyses internal audit coverage by both audit theme (e.g. Compliance, Financial Management, Operational Systems) and Departments, giving the indicative % allocation of resources in each case.

Internal Audit Work allocations | Days | %
Main Audit Review Work (further indicative analysis by Department and Theme in Appendix 2) – (1,483 days); Recommendation follow-up – (100 days); 2012/13 carry forward provision – (150 days); Museum of London & London Council SLA – (145 days) | 1,878 | 58%
Corporate Risk Management support | 128 | 4.0%
Anti-Fraud & Corruption - investigations and pro-active prevention and policy development | 249 | 7.7%
Advice & Guidance - on risk & controls | 171 | 5.3%
Efficiency Board/EPSC Support | 40 | 1.2%
Audit Planning & Reporting – engagement with senior management, External Audit and detailed update reporting to Members | 115 | 3.6%
Member Committee Support – attendance and support to Audit & Risk Management Committee, and six other Risk/Audit focused committees | 52 | 1.6%
Audit Development – includes further development in use of audit automation and new audit techniques, external networking | 124 | 3.8%
Training | 130 | 4%
Other staff absences | 103 | 3.2%
Admin Support - staff monitoring/meetings/time recording | 248 | 7.7%
Total | 3,238 |

14. Individual audit reviews within the operational audit plan will be prioritised as either ‘Essential’, ‘Highly Desirable’ or ‘Desirable’. As risks and priorities change during the year, additional high priority work can be added to the audit work programme, with lower ‘desirable’ work displaced as necessary.

15. Detailed internal audit planning for 2013/14 will commence in October through a risk review of the audit universe and audit planning consultation with Chief Officers in order to produce an updated 5 year Audit Strategy and Audit plan for the 2013/18 period. It is planned to present this Audit Strategy and annual audit plan to the Chief Officers Group in January 2013 and seek Audit & Risk Management Committee approval at the February 2013 Committee meeting for the annual audit plan. The Committee may wish to suggest areas of audit focus, for risk assessment and consideration as part of the detailed audit planning process.

16. Current and future audit plans are regularly reviewed in year with changes made as a result of emerging risks and requests for assurance work or audit support from senior management or Members. Changes to audit plans are reported to the Audit & Risk Management Committee via the regular internal audit update report. The forward audit work programmes will be reviewed on a quarterly basis and the main audit reviews planned for the next quarter reported to the Committee within the internal audit update report.

2013/14 Areas of audit emphasis within routine audit work

17. The following areas of audit emphasis for next year’s cyclical internal audit plan have been identified.

18. PP2P and Central Procurement Function:- assurance work in this major efficiency saving area for the City will continue. The operation of the new City of London Procurement Service will be reviewed, including the deployment of new technology and procurement methods (e.g. E-market place) for trading with suppliers. Further work to that already undertaken on the PP2P performance payments and governance over the PP2P project partner is also planned.

19. In addition, organisational compliance with new PP2P requirements will be assessed through either a thematic review or including specific PP2P audit objectives within already planned expenditure reviews.

20. Major Projects:- implementation of new project management arrangements will be considered, including review of overall arrangements and through specific major project reviews.

21. Strategic Finance Review:- responsibilities and the organisation of teams providing financial management services were re-organised during 2011/12; audit work will continue to focus on the impact of the new Financial Management arrangements and whether any risks have materialised through changes in the control environment.

22. Commissioning, Partnerships and major service contracts:- Adoption of new commissioning, partnerships and major service contract management arrangements, particularly within Community and Children Services and Built Environment Departments, will be reviewed.

Further areas of possible audit focus

23. In addition to the above areas of emphasis from internal audit’s cyclical risk based plans, the following additional areas have been identified for internal audit focus. Members’ observations on these areas are sought as well as suggestions as to other areas of focus that could be considered as part of the detailed audit planning process over the next few months.

24. Anti-Fraud Controls:- the internal audit work programme is planned to include a number of dedicated anti-fraud control reviews to support the Anti-Fraud and Corruption pro-active plan.

25. Information Governance:- Work would support the new officer Information Management Governance Board. Likely focus would be security over sensitive and confidential information held electronically and on paper records.

26. IS Strategic Review:- Future IS service infrastructure options are currently being re-considered following the centralisation of IS resources in phase 1. Internal audit plans to keep a watching brief over this area, and review how key project risks will be mitigated.

27. Management Information:- The production of reliable and timely management information for decision making will be a key consideration in a number of routine audit reviews. Additional thematic work on the use and reliability of performance information is being considered.

28. Localism Agenda:- impact of this key government agenda and impact on Departmental City services will be considered and appropriate areas for audit review identified in liaison with Chief Officers.

Efficiency and VFM

29. Internal audit will, as part of its routine audit work, review key control areas where changes in staffing and processes have resulted from the implementation of efficiency savings, to ensure adequate controls continue to be applied.

30. In addition, the internal audit function will be continuing to support the work of the Officer Efficiency Board and Member Efficiency & Performance Sub-Committee through undertaking forensic efficiency and performance reviews. Work in supporting the corporate income generation project is also expected.

31. VFM and efficiency review challenges will continue to be built into each audit review where feasible. We would also plan to identify other audit reviews with a primary VFM focus.

Conclusion

32. The City of London has a wide range of differing Departments, institutions and services. The Audit Strategy remains to provide reasonable assurance on key control risks in each department through cyclical coverage, coupled with a focus on efficiency and other corporate review areas, including Management Information, Partnerships and Commissioning, Anti-Fraud controls and key change projects e.g. CLPS.

Appendix 1 – Internal audit resource assumptions
Appendix 2 – Indicative internal audit resource allocations by Theme and Department
Appendix 3 – Audit Planning 2013/13 - Indicative Department resource allocation with Budgets and Commentary

Contact Officer: Paul Nagle Head of Audit & Risk Management 020 7332 1277 [email protected]

Appendix 1

Internal Audit Resource Assumption

DETAILED ANALYSIS OF AVAILABLE DAYS IN 2013/2014

Item | Total | %
Gross Days (52 weeks) – 14.6 FTE’s | 3796 |

Less: uncontrollable days
Bank Holidays (7 days) | 103 |
Annual Leave | 455 |

Net Available days | 3238 | 100.0%

Admin Support
General (e.g. time recording/staff meetings/staff monitoring) | 233 | 7.2%
MK super user | 15 | 0.5%
Other Absences | 103 | 3.2%
Audit Training | 73 | 2.3%
Corporate Training | 17 | 0.5%
CIPFA & IIA Training | 40 | 1.2%
Subtotal | 481 | 14.9%

Days Available for direct audits and support work | 2757 | 85.1%

Audit Support & Development

Risk Management
Corporate Risk Management | 128 | 4.0%
ad hoc on-demand support/advice (risks and controls) | 167 | 5.2%
Chamberlain Business Continuity Support | 4 | 0.1%

Anti-Fraud & Corruption
Fraud investigations | 175 | 5.4%
Pro-active fraud & prevention | 74 | 2.3%

Audit Planning & Reporting
Audit Planning | 49 | 1.5%
Audit Plan progress reporting | 51 | 1.6%
External Audit Liaison/co-ordination | 15 | 0.5%

Efficiency & Performance Review
support to Efficiency Board/EPSC | 40 | 1.2%

Audit Development
Continuous improvement | 65 | 2.0%
Audit policy, research and development | 56 | 1.7%
Audit intranet | 3 | 0.1%

Member Support
COL Audit Committee | 28 | 0.9%
GSMD Audit Committee | 6 | 0.2%
London Councils - Audit Committee | 6 | 0.2%
Museum of London - Audit Committee | 6 | 0.2%
Police Performance & VFM Committee | 3 | 0.1%
Barbican Centre Risk/Finance Committee | 3 | 0.1%
Subtotal | 879 | 27.1%

AVAILABLE FOR PROJECTS:- | 1878 | 58.0%

Appendix 2 - 2013/14 Internal Audit Plan - City of London audit resource allocation by Theme and Department (audit days)

Department Compliance Project & Contract,Proc Corp.Gov.Performance & VFM & Efficiency Management Financial Gov. and Sys Info Systems Operational Total (%) Total

Corporate 5 100 20 120 90 5 340 22.9%
Barbican Centre 5 35 35 40 20 135 9.1%
Built Environment 20 20 40 80 5.4%
Central Criminal Court 5 10 15 1.0%
Chamberlains 10 20 90 85 205 13.8%
City Police 45 15 30 90 6.1%
City Surveyor 55 5 10 33 103 6.9%
CLFS 5 20 25 1.7%
CLS 5 20 25 1.7%
CLSG 5 20 25 1.7%
Community and Children's Services 5 20 30 55 110 7.4%
Comptroller and City Solicitor 5 15 20 1.3%
Culture, Heritage & Libraries 5 20 20 45 3.0%
Economic Development Office 5 5 10 0.7%
Guildhall School of Drama & Music 5 20 25 50 3.4%
Mansion House 5 5 0.3%
Markets and Consumer Protection 5 5 30 20 60 4.0%
Open Spaces 40 35 20 95 6.4%
Remembrancer's Office 5 5 0.3%
Town Clerks 10 10 10 10 40 2.7%

Total 175 250 35 155 405 225 238 1483

Total (%) 11.8% 16.9% 2.4% 10.5% 27.3% 15.2% 16.0%

Honorary Audit 15
2012/13 carry forward 150
Recommendations follow-up 100
Museum of London - SLA 110
London Councils - SLA 35

Total including SLAs 1893


Appendix 3 - Audit Planning 2013/13 - Indicative Department resource allocation with Budgets and Commentary

Department | Gross Expenditure £000's | Gross Income £000's | Employees Costs £000's | Audit Days | Commentary
Barbican Centre | 41,717 | 19,231 | 12,662 | 135 | Several standalone systems and processes, which require separate assurance and are unique to the Arts Centre operation. Significant capital/contract management activity, separate IS/IT arrangements.
Guildhall School Music & Drama | 19,705 | 12,394 | 11,281 | 50 | Several standalone systems and processes, key operational areas are fee income, professor contracts, school also has separate IS/IT arrangements. Financial Management arrangements are shared with the Barbican Centre.
Central Criminal Court | 4,015 | 3,592 | 400 | 15 | Rolling programme of activity, Employee risk and facilities management arrangements main areas of focus.
Chamberlain's Dept | 20,006 | 5,076 | 14,990 | 205 | Focus on main Financial Systems and key financial stewardship processes.
City Solicitors | 4,007 | 4,007 | 3,294 | 20 | Areas of focus mainly limited to Departmental Financial management. Legality and regularity of City processes considered through other Departmental assurance areas e.g. Contract audit reviews.
City Surveyor's | 81,296 | 147,490 | 13,536 | 103 | Key operational risks relating to investment income properties and operational property management subject to cyclical coverage.
City of London School | 14,377 | 13,046 | 8,509 | 25 | Focus is mainly on Financial Management, periodic review of ICT and Schools Income.
City of London School for Girls | 11,825 | 10,259 | 6,823 | 25 | Focus is mainly on Financial Management, periodic review of ICT and Schools Income.
City of London Freemen's School | 15,119 | 12,807 | 7,656 | 25 | Focus is mainly on Financial Management, periodic review of ICT and Schools Income.
DCCS | 56,976 | 47,678 | 11,794 | 110 | DCCS has a large number of different operations and responsibility areas; although often the size of service is small, nonetheless the operational risks can be very high. Area is also subject to external inspections. New commissioning approaches to service delivery to be considered.
Built Environment | 50,781 | 26,482 | 11,157 | 80 | Assurance focused on some key operational systems, e.g. highways, waste, building control fees.
Culture, Heritage and Libraries | 21,415 | 6,596 | 10,134 | 45 | A number of discrete services which require periodic coverage, covering tourist attractions, library services, and art gallery with high value assets.
Mansion House | 5,573 | 240 | 1,826 | 5 | Financial Management focus, Facilities Management and some compliance work focused on high value assets, includes annual plate review.
City Police | 102,061 | 40,339 | 71,938 | 90 | Main area of assurance work relates to City Police employee controls, premises costs and operations, and key cost control areas (e.g. translators fees, compensation costs). Operational risk and controls are subject to regular coverage by Police Constabulary Inspectorate which also consider Police HQ areas, e.g. information system controls over National Database use.
Town Clerks Department (incl. Business & EDO) | 17,825 | 1,697 | 15,971 | 50 | Coverage of some key corporate systems, e.g. HR, Performance Management arrangements, and smaller policy Departments where assurance focus is Financial management and grants controls (e.g. EDO/City Bridge Trust).
Open Spaces | 23,960 | 10,679 | 13,950 | 95 | Periodic review of Financial Management, employee controls, facilities management. Periodic compliance visits to each site, including focus on some leisure/visitor facilities.
Markets and Consumer Protection | 29,182 | 20,857 | 10,987 | 60 | Compliance reviews covering all City Markets, Consumer protection offices, Central Admin and controls over income collection from traders.
Remembrancer's | 7,221 | 1,944 | 1,525 | 5 | Focus on income and expenditure controls and budgetary controls issues.
Corporate | | | | 340 | Major cross cutting reviews, considering risks, systems and process which are operated across all Departments.
Total | | | | 1,483 |

Agenda Item 22

Committee(s): Audit & Risk Management Committee
Date(s): 20th September 2012
Item no.

Subject: Internal Audit Update Report
Public
Report of: Chamberlain
For Information

Summary

This report provides an update on internal audit activity since the last Audit & Risk Management Committee on the 14th June 2012. The outcomes from the eight main audit reviews finalised since the last audit update report are reported and significant risk issues highlighted. The following report resulted in an Amber assurance rating which indicates there are significant audit findings which require mitigation and focused action by management. Although this is an amber assurance report, in view of the policy impact of this strategy, the Chamberlain will be monitoring the implementation of the various recommendations:-

- Community & Children’s Services – Affordable Housing

Satisfactory progress has been made in progressing the 2012/13 audit work programme. Performance in finalisation of audit reviews following issue of draft reports has improved over this period, with 100% of audit reviews being finalised within 5 weeks of the issue of the draft report.

Recommendation

i. It is recommended that the update is noted.

Main Report

Key audit findings

1. Since the last update to the Audit & Risk Management Committee 3 months ago, eight main audit reviews have been finalised. One of these reviews resulted in an Amber assurance rating for which the headline issues and consideration of impact is analysed in Table 1. A further review of PP2P – Initial Post Implementation review is also included in this table. It should be noted that whilst four of the six recommendations for this review were rated amber priority, they had already been fully implemented at the time the internal audit report was finalised and therefore the overall assurance level for this review was green-substantial assurance. Further details of these two reports are provided in Appendix 1.

Table 1 – Key Audit Report Headlines (details of recommendations in brackets) | Assurance Level | Impact (H/M/L)

Community & Children’s Services: Affordable Housing (1 Red, 3 Amber, 4 Green) | Amber | High

Materiality: As a provider of social housing the City of London is required to develop additional affordable housing units as well as achieve targets set by Central Government in relation to the restructure of the social housing rents system. The purpose of the review was to evaluate progress towards meeting external targets. An Affordable Housing Strategy is in place but requires further development to ensure that recent legislative changes are reflected and that there is a clear long term strategy to meet these obligations.

Management Response: The Department has provided agreement to all recommendations raised; all of which are scheduled to be implemented by April 2013. In order to address the red recommendation, management have responded that the new HRA Asset Management strategy currently being developed will include opportunities for the provision of affordable housing to be completed in the spring of 2013. A report is being prepared for the 20 September 2012 meeting of the Housing Sub Committee outlining the current affordable housing options that are being pursued and options for future schemes.

Chamberlain’s Department: PP2P – Initial Post Implementation Review (4 Amber, 2 Green) | Green | High

Materiality: PP2P (or Procure to Pay) is one of the City’s Strategic Reviews and aims to introduce modern procurement techniques into the City and make substantial cashable savings (estimated at £29.6 million) over a five year period. Now in its second year, the project is now focused on the implementation of the City of London Procurement Service (CLPS), as well as on-going identification of Target Savings.

This review established that there was good progress in Year One of the project, key milestones had been completed in accordance with the plan, including the establishment of governance arrangements, processes for identifying Source Projects and the introduction of the e-marketing software.

Four amber priority recommendations have already been implemented in the areas of improving liaison between Heads of Finance and internal audit, reviewing the savings calculation applied to reductions in Departmental Budgets and undertaking saving calculation assessments on a timely basis.

Management Response: Four amber and two green priority recommendations were agreed with management. With the exception of one remaining green priority recommendation which will be completed by 30th September 2012, all other recommendations have been implemented.

2. In addition to highlighting these key issues arising from recent internal audit work, the six internal audit reviews identified in Table 2 have been finalised and reported over the last three months with a Green Assurance rating. Audit report summaries from these reviews have recently been circulated separately to the Audit & Risk Management Committee and the Chairman and Deputy Chairman of the relevant Service Committee. The detailed full internal audit report can be provided to members of this Committee on request.

Table 2 – Green Assurance Audit Reviews | Red recs. | Amber recs. | Green recs. | Total recs.
Barbican Centre: Income Collection and Banking | - | - | 4 | 4
Chamberlain’s Department: Corporate Procurement Card Management | - | - | 4 | 4
Chamberlain’s Department: Main Accounting (General Ledger, Accounts Payable, Accounts Receivable) | - | - | 4 | 4
Town Clerk’s Department: Printing | - | - | 9 | 9
Remembrancer’s Department: Operational Expenditure | - | - | 4 | 4
Open Spaces: Cemetery and Crematorium Income and Expenditure | - | - | 11 | 11

Audit Work Delivery

3. Work on delivering the 2012/13 plan is progressing satisfactorily. The position as at Friday 17th August is given in Table 3 below.

Table 3 - Audit Plan Progress | Current Plan | Not Started | Planning | Fieldwork | Draft Report | Final/Complete | % completion
Full Reviews | 114 | 66 | 9 | 22 | 7 | 10 | 8.7%
Spot/Mini-reviews | 72 | 21 | 4 | 6 | 1 | 15 | 20.8
Irregularity investigations | 6 | 0 | 0 | 4 | 2 | 0 | -
A&I/support reviews | 23 | 7 | 1 | 8 | n/a | 7 | 30.4%
Total | 215 | 94 | 14 | 40 | 10 | 32 | 14.8%

4. Since the 2012/13 audit plan was agreed at the 22nd February 2012 Audit & Risk Management Committee, there have been a number of changes which have been agreed with management. The reasons for changes since the last report to the Committee in June are detailed in Appendix 2. Audit plan changes have been agreed over the last 3 months as a result of audit planning meetings with senior management and re-assessment of audit priorities, resources and suitable timing of audit work.

5. The following main reviews are at draft reporting stage and will be reported to the Committee shortly:-

Department | Review
Built Environment: | Off-Street Parking Income Systems
Chamberlains: | iTrent Strategy/Security/Operations
City of London Police: | Value for Money Review
Community & Children’s Services | Play Centre’s Provision
Open Spaces | Sports Provision

6. Details of main audit reviews planned for the next audit quarter (June 2012 to September 2012) are provided at Appendix 3.

7. Analysis of audit days delivered for the 2012/13 planning period is provided in Appendix 4.

Internal Audit Section Performance

8. The following Key Performance Indicators are used for monitoring the Internal Audit section. Performance against these indicators is set out in the table below. Where targets have not been achieved further comments on corrective action is provided after the table.

Performance Measure | Target | 2012/13 Performance
completion of audit plan | 90% of planned audits completed to draft report issued stage by end of plan review period (31st March 2013) | Satisfactory completion of audit plan for this time in year.
% recommendations accepted | target 95% | 98% - target exceeded
timely production of draft report | 80% of draft reports issued within 4 weeks of end of fieldwork | 67% - target not achieved (April – August 2012). – (see note below)
timely agreement and issue of final report | 80% of final reports (including agreed management action plan) issued within 5 weeks of issue of draft report | 100% - target achieved
customer satisfaction | through key question on post audit surveys – target 90% | 100%
% of audit section staff with relevant professional qualification | target 75% | 73% - further professional training plans in place for 2012/13.

9. Timely production of draft report - performance in issuing draft reports over this period has dropped below target level due to delays in the internal audit draft report review process caused by a surge of audit reports being concluded concurrently. Action has been taken to smooth the review process so this should not re-occur.

10. Timely agreement and issue of final report - performance in finalising Internal Audit work has improved. An escalation process through the Business Support Director has been confirmed with the Audit & Risk Management Chairman for delayed audit report responses. Internal audit team performance measures are in place to ensure management comments in response to draft audit reports are responded to promptly. An increased emphasis on agreeing draft audit recommendations at audit exit meetings has been adopted to assist with the timely completion of audits.

11. Detail of the utilisation of internal audit time resource is provided in Appendix 2.

Development of the Internal Audit Section

12. The new audit automation software (MK) is now being used to track the implementation of all red and amber priority recommendations.

13. Auditor skills and personal development is a key focus for the section. Particular attention is being given to the sharing of skills and expertise more widely within the team, particularly in specialist audit areas where succession planning is a key consideration.

Conclusion

14. Internal Audit work continues to identify improvement areas for management. Internal audit’s overall opinion on the City’s internal control environment is that it remains adequate and effective.

Head of Audit & Risk Management

Background Papers: 2012/13 Internal Audit Plan

Appendix 1 - Audit Report Summaries
Appendix 2 – 2012/13 Audit Plan Changes
Appendix 3 – Next Quarter internal audit planned reviews
Appendix 4 – Audit Resource Analysis

Contact: Paul Nagle 020 7332 1277 [email protected]


Page 230 APPENDIX 1 – Amber Moderate Assurance and PP2P Internal Audit Review Outcomes

Audit: Community & Children’s Services – Affordable Housing – Moderate Assurance Amber (1 Red, 3 Amber, 4 Green priority recommendations)

Audit Scope:

To evaluate progress toward meeting external (government) targets for the delivery of affordable housing, examining the controls in place to monitor and manage performance against strategy. Consideration will also be given to the extent to which the strategy seeks to secure value for money in proposed projects.

Audit Findings:

The review found that an Affordable Housing Strategy is in place but requires further development to ensure that recent legislative changes are reflected and that there is a clear long term strategy to meet these obligations. It was noted that a variety of methods to meet affordable housing targets have been included within the current Strategy although we consider that these merit further development.

The affordable housing scheme is subject to an appropriate means of scrutiny in the form of the Section 106 Working Party. Control could be strengthened in this area if progress on delivery of the overall strategy was provided to Members at regular intervals; this may also facilitate Member ‘buy-in’ on specific housing projects at a much earlier stage.

Additionally the 30 year housing business plan should be linked to the Strategy and include the expected revenue costs and income associated with developing additional housing units. An amber priority recommendation has been raised in order to mitigate the risk of the housing business plan not reflecting the on-going revenue costs and income associated with the development of additional housing units.

At the time of audit a project prioritisation matrix has been developed to a draft stage to aid in the assessment of proposed affordable housing projects and we consider that this will further enhance the scheme when implemented. The current housing demand is determined from waiting list data in terms of the number of individuals and the property types required. Scope exists to better gauge future housing need to ensure that the most appropriate housing is developed.

Suitable arrangements are in place to monitor and report upon the progress of individual affordable housing related projects. Improvements could be made to the reporting on the overall delivery of the Affordable Housing Strategy, supported by the development of performance indicators.

At the time of the audit a rents policy had not been developed by the Housing team and we consider this to be an area for improvement. We are advised that consultation is on-going with the Mayor of London’s office in relation to affordable rents levels within the City. The City of London historically calculates rents using the National Housing Rents formula; therefore a rents policy has not previously been established. Through discussions with the Department it was established that a rents policy is in the process of being developed as part of the move to the self-financing model for the City’s housing estates.

Management Response:

A total of eight recommendations were made as part of the review; one of which is red priority, three amber priority and four green priority recommendations; all of which were accepted by the Department. One red, one amber and one green recommendation are due for implementation by the end of April 2013; the remaining five recommendations will be fully implemented by December 2012.

A red priority recommendation was made and agreed in order to address the lack of direction and clear action plans associated with the status of the current strategy. A new HRA Asset Management strategy is currently being developed which will include opportunities for the provision of affordable housing to be completed in the spring of 2013. A report is being prepared for the 20 September 2012 meeting of the Housing Sub Committee outlining the current affordable housing options that are being pursued and options for future schemes.

Although this is an amber assurance report, in view of the policy impact of this strategy, the Chamberlain will be monitoring the implementation of the various recommendations.

Audit: Chamberlain’s Department – PP2P – Initial Post Implementation Review - Green Assurance (4 Amber, 4 Green priority recommendations)

Audit Scope:

The objectives of this review were to assess the adequacy of governance arrangements, with particular emphasis on the management of the partnership with Accenture and reports to Members on progress. It also included an examination of the processes for making payments to Accenture, including the calculation of fees in accordance with the contract specification. In addition, the Chamberlain requested that the control implications of the e-marketing software were considered.

Audit Findings:

This review established that there was good progress in Year One of the project, key milestones had been completed in accordance with the plan, including the establishment of governance arrangements, processes for identifying Source Projects and the introduction of the e-marketing software.

Sound governance processes are in place, with the Category Boards identifying sourcing projects, Heads of Finance confirming the accuracy of baseline costs and target savings, with the Joint Review Board Chaired by the Chamberlain signing off budget reductions.

Discussion with Heads of Finance concerning the scrutiny of Enabled Savings (those savings where reductions in departmental budgets have been calculated) highlighted the usefulness of being aware of other efficiency review activity. For example, Internal Audit support work on Highways Repairs and Maintenance, Recruitment Advertising and non-compliance with the Commensura contract. Whilst it was accepted that Accenture undertook the detailed research and negotiations for securing savings, more information was available to Heads of Finance in determining the extent of Accenture’s input. An amber priority recommendation has been agreed for the Head of Audit & Risk Management to notify Heads of Finance of any internal work which relates to the scrutiny of Enabled Savings for immediate implementation. It was also recommended that consideration should be given to reducing departmental budgets on an average spend basis rather than the current calculation based on specific volumes, since this might reduce departmental disagreement over the amounts that are taken from their expenditure estimates. This amber priority recommendation was considered but it was decided that it was more accurate and therefore more appropriate to consider each departmental saving individually.

Each Head of Finance is allocated savings areas to scrutinise and it was the view of some officers that these needed to be shared in good time so that consultation on the impact on departmental budgets can be assessed. It was recommended that time-scales should be set for all identified savings areas to be examined. This amber priority recommendation was accepted and has now been implemented.

It was also noted that some of the projects being considered by Accenture have been included within the Internal Audit Plan 2012/13. To avoid duplication of work and the subsequent inefficient use of resources, an amber priority recommendation was agreed for the Business Support Director to liaise with the Head of Audit & Risk Management on the savings projects within the PP2P Programme so that internal audit plans and the scope of reviews can be deleted or amended as appropriate. This will be included within the agenda for regular one-to-one meetings.

It was accepted that there was some general misunderstanding amongst project stakeholders about the relationship between fees paid to Accenture and savings resulting from revised procurement methods. This conclusion has been addressed by greater information included within the regular project update reports made to the Finance Committee concerning the relationship between saving and fees, as well as graphic information concerning the project break-even point (currently estimated as being achieved in month 30 of the project).

It was evaluated that the control environment for the e-marketplace software posed no additional risks to the City, since current procurement processes operated via CBIS Purchase Orders and Accounts Payable will still apply. It was, however, agreed that an IS Internal Audit review of the risks of security posed by shared access to ProcServe with third party suppliers is warranted. The Business Support Director has agreed to commission such a review to be completed by 30th September 2012.

Management Response:

Four amber and two green priority recommendations were agreed with management. The one remaining green priority recommendation will be completed by 30th September 2012. It should be noted that whilst four of the six recommendations for this review were rated amber priority, they have already been fully implemented and therefore the overall assurance level for this review is green-substantial assurance.

Audit Update Report – Appendix 2

2012/13 Audit Plan Changes since June 2012

1 – Reviews Cancelled/Deferred

| Department | Main Review | Days | Deferred/Cancelled | Reason |
|---|---|---|---|---|

No additional reviews cancelled/deferred since last report

2 – Additional Work

| Review | Priority | Days | Reason |
|---|---|---|---|
| Car Park Income and Monitoring (Tower Hill) | High | 20 | Further review of controls in relation to income collection and monitoring at the Tower Hill car park following the identification of control risks during a previous review. |
| Building Management System | Medium | On-going | Consultancy advice on the development of the BMS following a request from the City Surveyors Department |
| Barbican Podium (Beech Gardens Waterproofing) | High | 5 | Request received to investigate the estimated cost of works, fees and staff time. |
| City Bridge Trust – Due Diligence Arrangements | High | 12 | Review of due diligence and monitoring arrangements for grants issued by the City Bridge Trust; undertaken as a result of recent investigation work. |
| Sir John Cass Private Fund Accounts – Verification (2010/11 and 2011/12) | Medium | 10 | Independent verification of accounts required prior to sign-off. |

Note: does not include changes to Museum of London and London Councils audit plan

Appendix 3 - Main Internal Audit Reviews commencing next Quarter – 1st October – 31st December 2012

| Department/Area | Outline Scope | Planned Fieldwork Start date |
|---|---|---|
| Community & Children’s Services / Home Care Team | Review of the close-down arrangements for the Home Care Service to ensure that the City's interests are safeguarded. | October 2012 |
| Community & Children’s Services / Occupational Therapy | Evaluation of the arrangements for contract management of the reablement service, with particular focus on the provision of therapy. | October 2012 |
| Community & Children’s Services / Individual Budgets (Adult Social Care) | To review the arrangements for administering personal budgets related to client support plans and evaluate the key controls in place. | September 2012 |
| Central Criminal Court / Income & Expenditure | Evaluation of controls over supplies and services spend including consideration of arrangements to ensure that VFM is achieved. The adequacy of arrangements for the calculation, collection, and banking of grant and other income will also be evaluated. | November 2012 |
| Corporate Wide / Data Quality | Evaluation of both central and departmental arrangements to ensure compliance with the corporate policy, including sample checking of a range of performance data for accuracy. | November 2012 |
| Open Spaces / Financial Management | Evaluate financial management arrangements, considering whether there is an appropriate link with business objectives, performance management and risk management. Review the processes in place to assist the achievement of VfM. | December 2012 |
| Markets & Consumer Protection / Environmental Health Income | The chief component of income is from the provision of pest control services (£82k in 2011/12). The review will examine the adequacy of controls in respect of income processing, looking at the extent to which income is maximised. Will also include review of pricing policy and debt recovery. | October 2012 |
| Barbican Centre / Stocks & Stores | There are a number of stores operating across the Centre, for example set and scenery materials, technical equipment, and tools and machinery. This review will examine the arrangements for the purchase, recording, security and disposal of items held within stores. It will also consider how appropriate the current level of stocks are, given the Centre's level of activity. | November 2012 |
| Chamberlains / PP2P | The PP2P contract with Accenture is now in its second year and set to deliver significant savings on procurement of goods and services for the City. On-going progress with this project will be examined in accordance with scope requested by the Chamberlain. | November 2012 |
| Built Environment / Enterprise Services Contract Arrangements | The City's transport and commercial waste collection service were transferred to an external partner during 2011. The management of the newly outsourced arrangements, including the treatment of equipment, plant and vehicles will be examined as part of this review. | October 2012 |
| Remembrancers / Functions & Guildhall Lettings | The Remembrancer manages the use of the Great Hall for both in-house and external functions. This includes maintenance of a list of approved caterers and provision of technical equipment. The setting of fees and charges, the collection and banking of income controls will be examined. | December 2012 |
| Guildhall School / Professors Contracts | The Principal is currently undertaking a radical overhaul of the way in which professors are paid for the hours that they work, both contact and non-contact. These new arrangements will be finalised and introduced during the Summer Term 2012. The new contract arrangements for professors will be examined, including monitoring arrangements for teaching/non-teaching hours. | October 2012 |
| City of London Freemen's School / Premises Expenditure | The Freemen's School covers extensive buildings and grounds which require constant improvement and maintenance. A capital works programme is in place complemented by revenue expenditure. Control of the procurement and payment of premises related expenditure, including utility payments and green energy initiatives will be examined. | November 2012 |
| Culture, Heritage & Libraries / Supplies & Services | The department requires a wide range of items to support delivery of its library and cultural services. This review will examine the control of the procurement, payment and asset management aspects. | November 2012 |
| City of London Police / Supplies & Services | The City Police requires a wide range of items to support delivery of its policing plan. This review will examine the control of the procurement, payment and asset management aspects. | December 2012 |
| Corporate Wide / Equality Standards | The City of London is committed to promoting equal opportunities to all its stakeholders. To this extent the Town Clerk seeks to achieve "Excellent" status in accordance with the Equalities Standard. This review will compare the City's equalities evidence to the requirements of the Equalities Standard | October 2012 |
| Barbican Centre / Cost Monitoring | This review will examine the City's procedures for monitoring and control of the cost of projects, the process of updating of budgets and cost reports, and the governance arrangements in place to ensure adequate reporting and authorisation of cost overruns. | September 2012 |
| City Surveyor / Cost Monitoring - Operational Properties | This review will examine the City's procedures for monitoring and control of the cost of projects, the process of updating of budgets and cost reports, and the governance arrangements in place to ensure adequate reporting and authorisation of cost overruns. | November 2012 |
| Corporate Wide / Project Management (New Gateways and Procedures) | This review will look at the level of departmental compliance with the new project management gateways and other procurement procedures. | December 2012 |
| Corporate Wide / Tendering & Due Diligence | This review will examine the City's methods of inviting, vetting, reviewing and notifying firms in respect of tender invitations. The review will evaluate the extent to which departmental procedures comply with legislative requirements and consider whether sufficiently comprehensive management information is produced in the most timely, efficient and effective way. | October 2012 |
| City Surveyor / Small Works | This review will examine the City's procedures for the letting of orders and the inspection of small revenue works prior to payment. An evaluation will be made of the procedures for initiating works, selecting a contractor, agreeing rates, inspecting the works and controlling costs. Consideration will also be given to the distribution of orders among eligible contractors and the completion of works prior to payment. | December 2012 |
| Barbican Centre / Business Continuity Plan | Will assess Barbican DR plans being based on Barbican strategic objectives and stated need compared to benchmark leading practice. | October 2012 |
| Barbican Centre / ICT Strategy, Security & Operation | This being an annual review as requested by the Barbican Committee following the 2011/12 review. The objectives of the audit exercise are to establish and assess: • Adequacy of the strategy in providing the operational service required. • Responsibility to ensure that tasks have been properly assigned. • Configuration to ensure it provides a sound operational and secure setting. • Logical access controls to ensure a secure management framework. • Operational and housekeeping procedures • Resilience. Additionally to incorporate a second follow-up on ICT review (department request). | |
| Chamberlains / Local Area Network ICT Strategy, Security & Operation | Scope being confirmed | |
| Chamberlains / Wide Area Network ICT Strategy, Security & Operation | Scope being confirmed | |
| Chamberlains / E-commerce Box Office | Scope being confirmed | |

Appendix 4 – Internal Audit Resource Analysis (1st April to 17th August)

| | Plan Budget (Days) | Budget to Date (Days) | Actual to Date (Days) |
|---|---|---|---|
| Gross Days | 3900 | 1500 | 1500 |
| Uncontrollable Days | | | |
| Bank Holidays | 150 | 75 | 75 |
| Annual Leave | 469 | 180 | 183 |
| Net Available Days | 3281 | 1245 | 1242 |
| Days available for direct audits and support work | | | |
| Available for Projects | | | |
| Main Reviews/Spot Checks | 1719 | 615 | 341 |
| Follow-up's | 124 | 48 | 45 |
| 2011 Plan C/fwd | 50 | 50 | 295 |
| | 1893 | 53 4 | 668 |
| Risk Management | | | |
| Corporate Risk Management | 128 | 49 | 36 |
| Ad hoc on-demand support/advice (risks & controls) | 175 | 67 | 33 |
| Chamberlain Business Continuity Support | 6 | 2 | 7 |
| Anti-Fraud & Corruption | | | |
| Fraud Investigations | 175 | 67 | 80 |
| Pro-active fraud & prevention | 74 | 29 | 26 |
| Audit Planning & Reporting | | | |
| Audit Planning & Reporting | 49 | 19 | 15 |
| Audit Plan progress reporting | 51 | 20 | 49 |
| External Audit Liaison/Co-ordination | 15 | 6 | 5 |
| Efficiency & Performance Review | | | |
| Support to Efficiency Board/EPSC | 40 | 15 | 16 |
| Audit Development | | | |
| Continuous Improvement | 66 | 25 | 27 |
| Audit policy, research and development | 60 | 23 | 18 |
| Audit intranet | 3 | 1 | 3 |
| Member Support | | | |
| COL Audit & Risk Management Committee | 28 | 11 | 13 |
| GSMD Audit & Risk Management Committee | 6 | 2 | 1 |
| London Councils - Audit Committee | 6 | 2 | 1 |
| Museum of London - Audit Committee | 6 | 2 | 1 |
| Police Performance & VFM Committee | 3 | 1 | 1 |
| Barbican Centre Risk/Finance Committee | 4 | 2 | 1 |
| | 895 | 343 | 333 |
| Admin Support General (e.g. time recording/staff meetings/staff monitoring) | 240 | 92 | 129 |
| MK Audit Automation Software | 15 | 6 | 21 |
| Other Absences* | 105 | 40 | 60 |
| Audit Training | 75 | 29 | 4 |
| Corporate Training | 18 | 7 | 8 |
| CIPFA & IIA Training | 40 | 15 | 6 |
| | 493 | 189 | 228 |

* sickness/medical appointments/City volunteering

Agenda Item 23

Committee(s): Audit & Risk Management Committee
Date(s): 20th September 2012
Item no.:

Subject: Audit Recommendations Follow-up
Public
Report of: Chamberlain
For Information

Summary

This report provides an update on the implementation of audit recommendations by management since the last update provided to the Audit & Risk Management Committee on the 14th June 2012.

Six formal audit review follow-ups have been concluded since the June Committee with 64% of recommendations implemented at the time of follow-up. Details of these recommendations are provided in Appendix 1.

There were ten amber recommendations identified as not having been implemented at time of formal audit follow-up, five of which relate to the Sir John Cass School. Two further Amber recommendations relate to the Guildhall Art Gallery Collection. Further contact is being made with these recommendation owners to agree new deadlines for the full implementation of these recommendations, as internal audit was not aware until undertaking the formal follow-up reviews that these recommendations had not been fully implemented. Three further amber recommendations relate to the Police Business Continuity Planning review where full implementation was not evident; internal audit is being kept suitably informed of progress.

Cumulative performance in the implementation of audit recommendations over the last 24 months has been monitored with 81% of audit recommendations confirmed as implemented when formal audit follow-ups were undertaken.

Where red and amber priority recommendations were still to be implemented at the time of audit follow-up, further updates have been sought from management to confirm the implementation of red and amber priority recommendations. At the end of August 2012 there are no outstanding red priority actions from reviews previously concluded and reported to this Committee. Management status updates on all agreed red and amber actions are provided in Appendix 2. In addition to the 30 amber open actions there are 167 open green actions as at August 2012.

Recommendation

That the Committee note the report

Main Report

Formal Audit Follow-ups

1. Details of the six audit review follow-ups conducted since the 14th June 2012 update to the Committee are set out in Appendix 1, along with comments on where internal audit recommendations were yet to be implemented. At time of formal audit follow-up for these six reviews, 64% of all categories of recommendations were implemented.

2. Ten amber recommendations had not been implemented at time of formal audit follow-up, including five amber recommendations relating to the Sir John Cass – Primary School Delegated Expenditure and Income review. Of these, four had been partially implemented (use of CBIS purchase orders, checks on banking of school dinner income, school dinner income debt recovery and maintenance of the school's furniture and equipment inventory) and one amber priority recommendation relating to income reconciliations had not been implemented. Full implementation of these recommendations would have reduced the risk of loss of school dinner income, school equipment and poor budgetary control.

3. Two amber recommendations from the audit review of the Guildhall Art Gallery Collection have not been implemented according to original timescales. At the time of reporting, new deadlines for the implementation of these recommendations are to be agreed. The recommendations relate to the return of free loans of Art Work to Livery Companies and preparing a revised standard loan contract. Further contact is being made with these recommendation owners to agree new deadlines for the full implementation of these recommendations, as internal audit was not aware until undertaking the formal follow-up reviews that these recommendations had not been fully implemented.

4. Three amber recommendations relating to the Police Business Continuity Planning review are yet to be fully implemented. The Emergency Planning and Business Continuity Team (EPBCT) are reviewing departmental plans and reporting back to departments where the relevant information has not been found together with deadline dates for plans to be reviewed again. The Police state that it has not been possible to plan a major exercise because of commitments for The Queen's Jubilee and Olympic Games. There are, however, exercises scheduled following completion of the Olympic Games in September 2012 which are expected to complete by December 2012. Internal audit is being kept informed of progress in this area.

5. Cumulative performance in the implementation of audit recommendations has been monitored over the last 24 months and reported to the Audit and Risk Management Committee. As at August 2012 cumulative performance in the implementation of audit recommendations when formal audit follow-ups were undertaken over the last 24 months is as follows:-

| Implementation at time of audit follow-up | Red | Amber | Green | Not categorised* | Total |
|---|---|---|---|---|---|
| Recommendations Agreed | 4 | 117 | 381 | 14 | 516 |
| Recommendations Implemented | 3 | 86 | 313 | 14 | 416 |
| % implemented | 75% | 74% | 82% | 100% | 81% |

* Recommendations predate RAG rating process.

6. Where red and amber priority recommendations were still to be implemented at the time of formal audit follow-up, further updates have been sought from management to confirm the implementation of red and amber priority recommendations. The one red priority recommendation that was not implemented at formal follow-up stage, reported to the March 2012 Committee, was implemented subsequently. At the end of August 2012 there are no outstanding red priority actions from reviews previously concluded and reported to this Committee.

Red and Amber Priority Recommendations Status

7. In addition to this formal audit follow-up process, internal audit obtains status updates from recommendation owners on a quarterly basis for any open red or amber priority recommendations. The outcome from these status checks is reported in Appendix 2 and summarised in the following table. The table shows there are no open red priority actions with 31 amber priority actions open from internal audit work reported previously to Committee.

Audit Actions Status based on Management reports

| | Open Actions | Progress to agreed timescales: Progressing according to original agreed timescales | Progress to agreed timescales: Action slipped, new target dates agreed | Progress to agreed timescales: Revised Date to be agreed | Implementation due in future: next 3 months | Implementation due in future: Next 3 to 6 months | Implementation due in future: More than 6 months |
|---|---|---|---|---|---|---|---|
| Red actions | - | - | - | - | - | - | - |
| Amber actions | 30 | 7 | 23 | - | 20 | 5 | 5 |
| Total | 30 | 7 | 23 | - | 20 | 5 | 5 |

Red and Amber Priority Recommendations Status

8. The majority of recommendation owners are keeping internal audit updated on any delays in implementing recommendations prior to any agreed target dates being passed. All live red and amber recommendations are now being tracked through the new MK audit automation software which is assisting with a more pro-active approach to audit recommendation follow-up and reporting.

Conclusion

9. There is evidence of timely completion of most agreed audit recommendations. Internal audit work focused on obtaining status update information from management of open recommendations in addition to formal audit follow-up reviews will assist in ensuring appropriate management attention is given to completing agreed audit actions.

Head of Audit & Risk Management

• Appendix 1 – Recent formal audit follow-up reviews
• Appendix 2 – Red and Amber actions status update
• Appendix 3 – Audit Follow-up process and recommendation priority definitions

Contact: Paul Nagle Head of Audit & Risk management 020 7332 1277 [email protected]

Appendix 1 – Audit Follow-ups June 2012 to August 2012

| Department | Audit Review | Main Report Finalised | Follow up Date | Assurance level | Recommendations Agreed: R | A | G | Tot | Recommendations Implemented: R | A | G | Tot | Exception Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DCCS | Sir John Cass Foundation Primary School - Delegated Budget Income and Expenditure | Feb-11 | Jul-12 | Amber | 0 | 6 | 15 | 21 | 0 | 1 | 8 | 9 | 5 amber recommendations yet to be fully implemented in relation to use of CBIS purchase orders, checks on banking of school dinner income, school dinner income debt recovery and maintenance of the school's furniture and equipment inventory. 7 green recommendations also not fully implemented yet. |
| Barbican Centre | Security & Facilities Management | Jul-11 | Jun-11 | Green | 0 | 0 | 2 | 2 | 0 | 0 | 1 | 1 | The remaining green recommendation has been partially implemented. Whilst sample testing established that most leavers had returned their security passes, there was one incidence where the card had not been returned, but had been deactivated. The procedure was subsequently reinforced by e-mails to Centre line managers. |
| Markets and Consumer Protection | Animal Reception Centre | Jul-11 | Aug-11 | Green | 0 | 0 | 14 | 14 | 0 | 0 | 11 | 11 | Of the remaining three green recommendations, one has been partially implemented since the inventory of permanent equipment spreadsheet has been given password access but some cells are still not protected against overwriting. The two remaining recommendations concern banking arrangements and the need to make more frequent visits to the bank, although it is understood that with current staffing numbers and low cash income the low risk of cash loss outweighs the additional admin. |
| City Police | Defendants' Funds - Bank A/cs | Dec-10 | Jun-12 | Green | 0 | 0 | 3 | 3 | 0 | 0 | 1 | 1 | Police Officers are not fully completing the Notification of New Deposits forms with crime and case numbers and have been reminded to do this and will be reviewed again by Internal Audit as part of a routine spot check review by the end of Quarter 2. Whilst reconciliations of the suspense account were prepared by the Director of Financial Services up until December 2011, at the time of this follow-up review no further reconciliations had been undertaken. This will be the focus of a routine Internal Audit spot check to be completed by the end of Quarter 2. |
| Culture, Heritage and Libraries | Guildhall Art Gallery Collection & Shop | Nov-10 | Aug-12 | Green | 0 | 3 | 11 | 14 | 0 | 1 | 10 | 11 | Work is in progress to implement the outstanding recommendations. Two amber recommendations are related to loans and the Curator is currently writing to those Livery companies who have free loans for the return of these works. In addition, the City Solicitor is preparing a revised standard loan contract so that all terms and conditions of loans are consistent. A member of the department's staff has yet to be assigned the task of undertaking mid-year spot checks. |
| City Police | Business Continuity Planning | Sep-11 | Aug-12 | Amber | 0 | 11 | 1 | 12 | 0 | 8 | 1 | 9 | The Emergency Planning and Business Continuity Team (EPBCT) are reviewing departmental plans and reporting back to departments where the relevant information has not been found together with deadline dates for plans to be reviewed again. The EPBCT state that it has not been possible to plan a major exercise because of commitments for The Queen's Jubilee and Olympic Games. There are, however, exercises scheduled following completion of the Olympic Games in September 2012. |

Page 254 12/13 Audit Plan and Follow-up Report - Appendix 1

Audit Actions Status - based on Management Planned Open Red & Amber Actions reports Open Red Implementation date & Amber Revised Revised Main Report Assurance <3 3 - 6 > 6 Department Audit Review R A Comments On target Dates to be Finalised level mths mths mths agreed agreed

A revised implementation timescale of 12/10/12 has been provided in respect of the amber priority Building Management recommendation. Work is in progress, firewall router protection devices are being installed on all City Surveyor May-10 Amber 0 1 1 1 System system PCs. To date they been successfully installed on 13 BMS terminals, leaving just one terminal and the three server PCs to complete.

Implementation of the two amber priority recommendation is understood to be in progress. A Draft Golf Course Recovery Plan has been compiled which links to new complementary responsibility-based agreements for the three Golf Clubs. The Plan will go to November EFCC, with a contract tender exercise to follow. Arrangements for a contained vehicle wash-down area to Control Of Pollution Regs Open Spaces Chingford Golf Course Aug-10 Amber 0 2 1997 standards has been progressed. Trials of chemical-based herbicides and wormicides, which 2 1 1 are capable of bioremediation have been successful. Environment Agency Consents have been secured for a closed system reed bed filtration system, which is more cost effective than recirculation or tankage scheme. The reed bed system has been tendered and an order for £29k complete build placed in July 2011. Completion is scheduled for March 2013. Page 255 A revised implementation date of 30/09/12 has been provided in respect of the outstanding amber priority recommendation. The recommendation related to the use of a combination of electronic service request forms and challenge e-mails to reduce the volume of spam e-mails. The client has Town Clerk's Contact Centre Feb-11 Green 0 1 advised that "E forms" have been devised and are ready to be added to the new Website in place of 1 1 the existing email addresses. We understand that work has been completed on identifying where existing email addresses currently appear on the Website so that these can be replaced by the E forms.

DCCS | Sir John Cass School – Delegated Budget | Mar-11 | Amber | 5 5 5
Of the five outstanding amber priority recommendations, four are considered to have been partially implemented. Progress has been made in respect of the use of purchase ordering, spot-checking of banking, debt recovery arrangements and inventory maintenance. We are advised that reconciliations will be undertaken going forwards between amounts passed for billing and invoices raised.

Chamberlain's Department | Pensions - Corporate Responsibility | Jun-11 | Amber | 0 2 2 2
Implementation of the two amber priority recommendations is linked to the requirements of the Hutton report which have yet to be made statutory. The legislation is intended to be made by 01/4/2013 with implementation anticipated by 01/4/2014.

Town Clerk's | Declarations | Jun-11 | Green | 0 1 1 1
Report going to ARMC and Establishment Committee in September 2012 - confirming new procedures being introduced in relation to Declaration of Interests and Bribery Act. Updated staff code of conduct with much greater guidance is due to be presented to Estab Committee for approval in September.

1 of 3 12/13 Audit Plan and Follow-up Report - Appendix 1


City Police | Business Continuity Planning | Sep-11 | Amber | 0 3 3 3
Follow-up testing indicated that three amber priority recommendations are outstanding. Progress is anticipated as follows: It has not been possible to plan a major desktop exercise because of commitments for the Queen's Jubilee Celebrations and Olympic Games in July 2012. There are, however, exercises scheduled following completion of the Olympic Games in September 2012. Progress has been made in reviewing departmental business continuity plans and reporting back to departments where the relevant information has not been found together with deadline dates for plans to be reviewed again.

Chamberlain's Department | Server Virtualisation Security | Nov-11 | Amber | 0 2 2 2
The two amber priority recommendations have been only partially implemented. Some action has been taken to remind users of policy but the risk has not yet been addressed as there's no definitive record of where and how virtualisation security settings are reviewed. Training has not yet been provided; a project brief for the upgrade of the virtualisation software has been prepared which includes training provision, but this is yet to be approved.

CLSG | Fee Income | Feb-12 | Green | 0 1 1 1
A revised implementation date of 30/10/12 has been provided for the outstanding amber priority recommendation to reconcile the income system to the banking system.

Corporate Review Business Planning | Mar-12 | Amber | 0 2 2 2
The outstanding amber priority recommendations relating to corporate and financial considerations of business planning are in progress and are expected to be implemented on target by the end of October 2012.

Culture, Heritage and Libraries | Governance and Financial Management | Mar-12 | Green | 0 1 1 1
The outstanding amber priority recommendation is in progress and relates to the Finance & Administration Officer and Policy & Performance Officer meeting monthly to discuss the arrears position and agree action. The client has advised as follows: The Finance & Admin Officer left the CoL in June, but discussions had taken place on a monthly basis. A Performance Management Officer has now taken up the restructured post. Monthly 1-2-1's have already begun and a specific Aged Debt meeting took place on 19 July.

GSMD | ICT strategy, security and operations | Apr-12 | Amber | 0 4 4 1 2 1
Four amber priority recommendations were confirmed as being outstanding at the time of formal follow-up and revised implementation timescales have been provided; these range from the end of September 2012 to March 2013. The delay in implementation of the recommendation relating to operational cover is due to unavailability of budget until 2013.


DCCS | Construction Design Management Regs | Apr-12 | Amber | 0 3 1 2 1 2
Of the three outstanding amber priority recommendations, one is on target for implementation by the end of September 2012 and revised implementation dates have been agreed for the remaining two: CDM regulations have been discussed at team meetings and the core competency criteria for contractors included where appropriate in tender documentation. Progress has been made in respect of one recommendation whereby the letter and accompanying document sent to residents who are planning works to their flats contains health & safety information and advice. It is proposed to revise the section in the residents’ handbook regarding health & safety and also include similar details in the Housing website by December 2012. Further refresher training is to be identified and arranged for relevant officers by December 2012.

Markets and Consumer Protection | Markets Car Parks | Apr-12 | Green | 0 1 1 1
The outstanding amber priority recommendation relates to the procurement of new Car parking IS systems. The replacement of the pay on foot equipment will not take place until next year; the procurement process is expected to commence in early 2013.

Corporate | Contractor's Final Accounts | May-12 | Amber | 0 1 1 1
The outstanding amber priority recommendation for the Chamberlain’s Department to introduce final accounts verification guidance is on target for implementation by the 30th September 2012.

CLS | Fee Income | May-12 | Green | 0 1 1 1
A revised timescale for implementation of 31/10/12 has been provided in respect of the amber priority

Total 0 30 7 23 0 20 5 5


Internal Audit Recommendations Follow-up Report – Appendix 3

Internal Audit Follow-up Process

As part of the section’s standard operating procedures, all main audit reviews are subject to a formal audit follow-up exercise to evaluate the progress of management in the implementation of recommendations between six and twelve months after the main audit. These reviews will look to verify the evidence of action taken and may involve some transaction testing where compliance issues were a concern in the original audit review. The details of these reviews are set out in Appendix 1. Where it was considered that recommendations were not implemented at time of first audit follow-up, a further follow-up audit will be scheduled depending on the residual risk posed by uncompleted actions.

In addition to this formal audit follow-up process, internal audit obtains status updates from recommendation owners on a quarterly basis for any open red or amber priority recommendations. The outcomes from these status checks are reported in Appendix 2.

Audit recommendations are prioritised and categorised as follows.

Category | Definition | Target Timescale for taking action
Red - priority | A serious issue for the attention of senior management and reporting to the appropriate Committee Chairman. Action should be initiated immediately to manage risk to an acceptable level. | 1 month or more urgently as appropriate
Amber - priority | A key issue where management action is required to manage exposure to significant risks, action should be initiated quickly to mitigate the risk. | Less than 3 months
Green - priority | An issue where action is desirable and should help to strengthen the overall control environment and mitigate risk. | Less than 6 months


Agenda Item 24

Committee(s): Audit and Risk Management Committee
Date(s): 20th September 2012
Item no.
Subject: Investigation Activity Up-date Report
Public
Report of: Chamberlain
For Information

Summary

The Pro-Active Anti-Fraud and Investigation Report to this Committee in June 2012 provided Members with a strategic pro-active anti-fraud plan, detailing a programme of activity for the coming financial year. Members agreed to receive a six monthly progress report against this plan, with investigation activity up-date reports presented to intervening Committees. This report provides Members with a summary of our Investigation activity since June 2012; it also provides Members with details of notable investigation outcomes, and positive publicity.

Recommendations

Members are asked to note:
• The summary of the section's investigation activity since our last report in June 2012, notable investigation outcomes; and
• The positive publicity following a successful housing benefit fraud prosecution.

Main Report

Background

1. In our last report in June 2012, Members were provided with a forward looking plan, detailing our programme of proactive Anti-Fraud activity, along with noteworthy investigation outcomes. At Committee in June 2012 it was also agreed that Members would be provided with a six monthly progress report against this plan, with investigation up-date reports made to the intervening Committees.

2. This report summarises our investigation activity during the past quarter, and provides Members with details of notable investigation outcomes.

Investigation Activity Summary

3. The following table details investigation activity in the current financial year, giving the number of cases closed and number of cases subject to investigation across all disciplines; it also details investigation activity over the past two financial years for comparison. Corporate fraud investigations are in the main reactive, initiated following referral, and owing to the seriousness of matters involving employee conduct and potential cash losses, such investigations are prioritised above all other investigation activity. Detailed summaries in respect of housing benefit fraud and housing tenancy fraud caseloads are shown as Appendix 1 and 2 respectively.

Investigations Caseload | 2012/13 to date: Closed | 2012/13 to date: Live | 2011/12 total | 2010/11 total
Benefit Fraud | 16 | 14 | 43 | 33
Housing Fraud | 4 | 11 | 21 | 19
Corporate Fraud: Theft | 1 | 3 | 3 | 5
Corporate Fraud: Cheque Fraud | 0 | 0 | 2 | 2
Corporate Fraud: Employee Conduct | 1 | 1 | 6 | 0
Total | 22 | 29 | 75 | 59

Notable Outcomes

4. Housing Benefit Fraud – A former City of London housing tenant, Stephen White, pleaded guilty to six counts of benefit fraud at Camberwell Green Magistrates court on 9th August 2012. The case was jointly investigated with the DWP, and it was found that Mr White had been sub-letting his City of London flat to his sister, whilst living with his ex-wife in Ramsgate, Kent. As a result of his deception, Mr White had been overpaid housing benefit amounting to £6,741 and Income Support amounting to £8,169. During sentencing Mr White was given a 26 week custodial sentence, suspended for 12 months. In addition he was made the subject of a curfew between the hours of 7pm and 7am for a period of 12 weeks and was fitted with an electronic tag to ensure compliance. Mr White was also ordered to pay £500 towards prosecution costs. There is an agreement in place to repay the housing benefit overpayment. A press release was issued by the City’s Public Relations Office in relation to this case, which has been publicised by the Thanet Times newspaper.

5. Housing Benefit Fraud – A City of London housing tenant, Nikki Rosenbloom, pleaded guilty to two counts of benefit fraud at Westminster Magistrates court on 4th July 2012. In this case, identified via the City’s involvement in the Audit Commission’s National Fraud Initiative exercise, the joint investigation with the DWP found that Miss Rosenbloom had failed to declare employment with the Royal Borough of Kensington & Chelsea. As a result of her actions Miss Rosenbloom had been overpaid housing & council tax benefit amounting to £2,889 and Income Support amounting to £2,063. During sentencing Miss Rosenbloom was given a community punishment order, and must undertake 50 hours of un-paid work within the next 12 months. The overpaid benefit is currently being recovered from her on-going entitlement.

6. Housing Tenancy Fraud – The section received an allegation that a City of London social housing tenant of Middlesex Street Estate had committed housing tenancy fraud. Investigations found that the tenant had furnished the City Corporation with false information on many occasions, which led to her being awarded social housing; namely that she was living in a bedsit with two young children, when all along she had been the proprietor of a suitable property for her and her family in a neighbouring London Borough. The City Corporation successfully gained possession of this property, which has now been let to a family in need of social housing. The case is currently being considered for criminal proceedings.

Corporate Investigations

7. Members are asked to refer to the non-public appendix of this report for information relating to a sensitive corporate investigation, currently being undertaken by the section.

Conclusion

8. This report presents Members with a summary of our Investigation activity during the past quarter; it also provides Members with details of notable investigation outcomes.

9. Positive publicity continues to be gained following successful investigations into housing benefit and housing tenancy fraud, with one successful prosecution recently subject to publication in the Thanet Times.

10. Internal investigations continue to be a priority for the internal audit section because of the risk of loss of public money or assets and the reputational damage resulting from inappropriate employee conduct. Feedback from departments involved is very positive and action is taken by them to improve management controls to prevent recurrence of similar irregularities.


Background Papers:

Appendices

Appendix 1: Housing Benefit Fraud Caseload Summary
Appendix 2: Housing Tenancy Fraud Caseload Summary
Appendix 3: Corporate Investigation – on the non public agenda

Contact: Chris Keesing | [email protected] | 020 7332 1278

Appendix 1 – Housing Benefit Fraud Caseload Summary as at August 2012

Housing Benefit Fraud Case Referrals | April 2012 - Date | April 2011 - March 2012 | April 2010 - March 2011
Referrals Received in current year | 11 | 25 | 20
Cases carried over from previous years [1] | 20 | 18 | 17
Total | 31 | 43 | 37
Comprising
Cases currently under investigation | 10 | 12 | 15
Cases referred to DWP solicitors | 0 | 2 | 2
Cases referred to City Solicitors | 3 | 4 | 0
Cases subject to benefit entitlement re-assessment | 2 | 2 | 1
Cases subject to Admin Penalty Action | 0 | 0 | 0
Total number of live cases [2] | 15 | 20 | 18
Successful prosecutions | 2 | 3 | 3
Successful Cautions | 1 | 1 | 0
Successful Admin Penalties | 0 | 1 | 3
Cases where fraud proven but no further action taken | 4 | 3 | 0
Cases closed with no further action | 9 | 15 | 13
Total number of closed cases | 16 | 23 | 19
Total | 31 | 43 | 37
Total value of HB/CTB overpayments relating to the sanctioned cases above [3] | £31,094 | £70,558 | £33,889

Notes:
[1] Previous year’s data shows the position at year end, and is provided for comparative purposes. Cases carried over from previous years do not represent live cases in the current reporting year.
[2] Total claim base approximately 1100 individuals
[3] Total value of benefit payments per annum circa £5.7m


Appendix 2 – Housing Tenancy Fraud Caseload Summary as at August 2012

Housing Tenancy Fraud Case Referrals | April 2012 to Date | April 2011 to March 2012 | April 2010 to March 2011
Referrals received in current year | 4 | 12 | 13
Cases carried over from previous years [1] | 11 | 9 | 7
Total | 15 | 21 | 20
Cases currently under investigation | 11 | 11 | 9
Cases closed with no further action | 3 | 6 | 4
Cases with Comptroller & City Solicitor | 0 | 0 | 0
Cases where possession order granted | 0 | 0 | 0
Cases where successful possession gained [2] | 1 | 4 | 7
Total | 15 | 21 | 20
Value where successful possession gained [3] | £18,000 | £72,000 | £126,000

[1] Previous year’s data shows the position at year end, and is provided for comparative purposes. Cases carried over from previous years do not represent live cases in the current reporting year.
[2] Cases where successful possession has been gained will be considered for criminal action where suitable, and where offences committed are serious enough to warrant proceedings under the Fraud Act 2006.
[3] Successful possession gained value of £18,000 per property sourced from Audit Commission value of national average temporary accommodation costs to Local Authorities for one family.


Agenda Item 25

Committee(s): Audit and Risk Management Committee
Date(s): 20 September 2012
Item no.
Subject: Appointment of Non-Local Authority Funds Auditors
Non-Public
Report of: The Chamberlain
For Information
NOT FOR PUBLICATION

By virtue of paragraph 7 of Part 1 of Schedule 12A of the Local Government Act 1972.

Summary

The non-local authority funds will be re-tendered in 2013. This report outlines possible governance arrangements for the Committee’s consideration and updates members on the revised procurement timetable.

Recommendations

That Members
• Consider the proposal to establish an independent audit appointment panel as outlined in paragraphs 2-4 or decide on alternative governance arrangements for the procurement process; and
• Note the proposed timetable in appendix 1.

Main Report

Background

1. The March Audit and Risk Management Committee resolved that the audit of non-local authority funds be re-tendered in 2013, with a contract term co-terminous with the end of the Audit Commission regime (now clarified to be 2016/17). In July, the Audit and Risk Management Committee resolved that tenders for the audit of the non-local authority funds be sought using an open procurement procedure, subject to a representative of the successful firm being elected as an Auditor of Chamberlain’s and Bridgemasters’ Accounts, before the contract is awarded.

Proposed governance arrangement

2. The proposed governance structure currently being legislated for auditor appointment in local authorities is to establish an independent audit appointment panel. It would make sense to adopt the same governance procedures for the non-local authority funds for the following reasons:

• Our procurement arrangements reflect those of a Local Authority;

• Members have decided to align the procurement of audit for local authority and non-local authority funds in 2017, so this would be an early adoption of the local authority arrangements; and
• The EU views the City Corporation, regardless of fund, as one single public authority.

3. If Members accept this proposition, guidance on the establishment of independent audit appointment panels is that there be a majority of independent members, with the Chairman being an independent member. The independent members have been sounded out informally, and have expressed their willingness to serve, if asked.

4. The appointment of a Panel of five members would therefore seem a sensible way forward, comprising three independent members, one of whom would serve as Chairman, and two City Corporation members. Members might consider that the City Corporation members should be the Chairman and Deputy Chairman of the Audit and Risk Management Committee. However, the Deputy Chairman has had discussions with the City Solicitor and in view of his relationships with a number of prospective candidate firms, although it is not felt there is an actual conflict, it would be better if the Deputy Chairman stood back from the appointment process in order to avoid any possible issues.

5. Members are invited to consider this proposal or to suggest alternative governance arrangements for the procurement process.

Proposed tender process

6. The overall process is likely to take 6 months from starting the preparatory work on the invitation to tender documents to contract award. The relevant timescales, deliverables and key milestones were reported to the June Audit and Risk Management Committee, but have been adjusted to reflect the open tender approach. The revised timescales and deliverables are shown in Appendix 1.

Background Papers:

Appendices Auditor Appointment process and timeline- City’s Cash and Bridge House Estates

Contact: Caroline Al-Beyerty Financial Services Director [email protected] 0207 332 1164

Appendix 1: Auditor Appointment process and timeline - City’s Cash and Bridge House Estates

Amendments from previous closed tender process are highlighted

Date: Stage. Comment

1 October - 30 November 2012: Preparation. Develop Tender documentation, to include:
• Outline of work required - audit scope
• Evaluation criteria: e.g. price, quality, presentation to Independent Audit Appointment Panel.
• Contractor Information and Business Questionnaire.
• Information about the City of London
• Tender process and timeframes
1 December 2012: Expression of interest. Issue contract notice in official journal of the EU. Issue PQQ on request.
12 December 2012*: IAAP consultation: Agree Tender evaluation criteria with Independent Audit Appointment Panel
16 January 2013: PQQ. Deadline for return of PQQs
30 January 2013: ITT. Issue ITT to selected suppliers
14 February 2013: Last date for submission of questions
21 February 2013: Last date for response to questions
1 March 2013: Deadline for return of tenders
5 March 2013*: Presentation to Independent Audit Appointment Panel
6-15 March 2013: Evaluation. Scoring of tender proposals against criteria. Clarifications. Agreement with the Independent Audit Appointments Panel; consultation with the Audit & Risk Management Committee.
11 April 2013: Appointment. Decision of CoCo; Award decision letters issued. Award of contract.
12-22 April: Alcatel (mandatory standstill) period
1 May 2013: Contract Inception, although bulk of the audit work would be carried out May – July 2014.

*suggested dates match ARM Committee dates

Agenda Item 26

Audit and Risk Management Work Programme 2012/13

(Additions since the last meeting shown in italics)

Date: Items

Thurs 20 Sep 2012
• Internal Audit Progress Report
• Internal Audit Planning 2013/14
• Internal audit recommendations follow-up report
• Anti-Fraud & Investigation Update report (Quarterly, as set out on the Outstanding Actions List)
• City Bridge Trust
• Risk Management Update
• Strategic Risk 8 – Reputation Risk
• Strategic Risk 10 – Adverse Political Developments
• Audit & Risk Management Committee Effectiveness Review
• Health and Safety Policy Framework (update from the Outstanding Actions List)
• Publication of City Cash
• Internal Audit Reporting Lines and Terms of Reference
• Planning Governance

Weds 12 Dec 2012
• Deloitte's Annual Audit Letter on the City Fund and Pension Fund Financial Statements
• Deloitte's annual audit plan for City Fund Financial Statements including agreement of the audit fee
• Deloitte's annual audit plan for the Pension Fund Financial Statements including agreement of the audit fee
• Deloitte's annual audit plan for the Non Local Authority Funds including agreement of the audit fee
• Update on Hampstead Heath Hydrology (and then at 9 monthly intervals – update from Outstanding Actions List)
• Internal Audit Progress Report
• Internal audit recommendations follow-up report
• Anti-Fraud & Investigation Update report
• Risk Management Update
• Strategic Risk 3 – Financial Stability

Tues 05 Feb 2013
• Internal Audit Plan – 2013/14
• Risk Management Update
• Strategic Risks SR4 – Planning Policy and SR5 – Flooding in the City
• Independent review of the Risk Management Strategy and Handbook

Tues 05 Mar 2013
• Deloitte's Annual Grant Certifications Letter
• Internal audit update report
• Internal audit recommendations follow-up report
• Anti-Fraud & Investigation Update report
• Annual Governance Statement – Methodology
• Strategic Risk – SR6 – Project Risk
• Strategic Risk – SR1 – Supporting the Business City or SR2 – Failure to respond to a terrorist attack - tbc

Tues 25 June 2013
• Head of Internal Audit Annual Report and Opinion
• Annual Governance Statement
• Risk Management Update

Tue 23 Jul 2013
• Audited 2012/13 City Fund and Pension Fund Financial Statements together with Deloitte's report thereon
• Audited 2012/13 Bridge House Estates and Sundry Trusts Financial Statements together with Deloitte's report thereon
• Audited 2012/13 City's Cash and City's Cash Trust Funds Financial Statements together with Deloitte's report thereon

Agenda Item 30
By virtue of paragraph(s) 3 of Part 1 of Schedule 12A of the Local Government Act 1972.
Document is Restricted

Agenda Item 31
By virtue of paragraph(s) 3 of Part 1 of Schedule 12A of the Local Government Act 1972.
Document is Restricted

Agenda Item 32
By virtue of paragraph(s) 3 of Part 1 of Schedule 12A of the Local Government Act 1972.
Document is Restricted

Agenda Item 33
By virtue of paragraph(s) 3 of Part 1 of Schedule 12A of the Local Government Act 1972.
Document is Restricted

Agenda Item 34
By virtue of paragraph(s) 3 of Part 1 of Schedule 12A of the Local Government Act 1972.
Document is Restricted